Everything you need to know about IDSes

By Joel M. Snyder
Network World, 04/08/02


I've spent the past few months immersed in intrusion-detection systems and have learned more than I really wanted to know about them. In case you're wondering if you need an IDS, here are some points to keep in mind:

  • An IDS is only as good as its configuration. In order to tell whether something is amiss, an IDS needs to know everything about your network. For example, if you have Web servers running on Port 80 and Port 8008 on your network, you'd better tell your IDS, or it's not going to look in the right places. IDSes need to know not only where the server is running, but also which software it's running and, in some cases, even which version. IDSes behave very differently if you're running Microsoft's Internet Information Server than if you're running Netscape's server. Be prepared to perform a thorough audit of your network before you turn the IDS on.

  • IDSes are dumb. You have to tell them everything or you'll be supersaturated with false positive alerts. Even if you do tell them everything, you'll still find IDSes are always one step or two behind the latest attack. IDS products on the market don't use artificial intelligence or neural networks; they look for patterns that match known problems. If any of the popular attacks is changed by a single octet, the IDS may be unable to detect it. Make sure your IDS vendor has a plan for keeping your attack signatures updated constantly.

  • You need to know a lot of details. When evaluating IDSes, you need to know the different ways in which they operate. Stateful matching, context matching, protocol anomaly, pattern searching - all these terms have to be second nature when you're selecting a product. And not all IDSes perform the same function to the same level of detail. If you haven't learned the ins and outs of TCP/IP yet, be ready for a new education.

  • Be prepared to spend a lot of time - and money. Whether you purchase a fully configured IDS or roll out your own with the freeware Snort, be prepared to spend time and money getting the IDS configured and installed. IDSes also take a lot of time to manage and administer on a daily basis. Every IDS vendor seeks to reduce false positive reports, but you're going to go through a lot of them before you get your IDS tuned.

  • The PR wars are in full swing. Even though the product niche is small and relatively new, products are already suffering from feature-creep. Even features that look useful at first, such as active attack evasion, seem less than perfect when you examine them closely. Be sure to evaluate the risks and rewards of some of these newer features.
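
To make the first two points concrete, here is an added Python sketch (not from this column, and not Snort's or any vendor's code) of how a signature-based IDS decides what it examines: a tiny rule set, the set of ports the IDS has been told carry HTTP, and an optional normalization step. The signatures, port numbers beyond 80 and 8008, and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    dst_port: int
    payload: bytes


# Constructed signatures: (name, pattern sought in the HTTP request).
# A real IDS carries thousands of these, each tied to a known problem.
SIGNATURES = [
    ("traversal-probe", b"../.."),
    ("cgi-probe", b"/cgi-bin/test-cgi"),
]


def normalize(payload: bytes) -> bytes:
    """Decode %xx escapes and fold case, as an HTTP-aware preprocessor would.
    Case folding only reflects reality behind a case-insensitive server such
    as IIS; this is one reason the IDS must know which server sits on a port."""
    return unquote(payload.decode("latin-1")).lower().encode("latin-1")


def inspect(packet: Packet, http_ports: set[int], normalize_http: bool = True) -> list[str]:
    """Names of signatures that fire. Traffic to a port the IDS was not told
    is HTTP is never examined as HTTP, whatever the payload contains."""
    if packet.dst_port not in http_ports:
        return []
    data = normalize(packet.payload) if normalize_http else packet.payload
    return [name for name, pattern in SIGNATURES if pattern in data]


# Constructed sample traffic.
PLAIN = Packet(80, b"GET /images/../../secret HTTP/1.0\r\n")
ALT_PORT = Packet(8008, b"GET /images/../../secret HTTP/1.0\r\n")
ONE_OCTET = Packet(80, b"GET /cgi-bin/Test-cgi HTTP/1.0\r\n")  # one byte differs in case
ENCODED = Packet(80, b"GET /images/%2e%2e/%2e%2e/secret HTTP/1.0\r\n")

if __name__ == "__main__":
    print(inspect(PLAIN, {80}))                            # ['traversal-probe']
    print(inspect(ALT_PORT, {80}))                         # []  8008 never declared as HTTP
    print(inspect(ALT_PORT, {80, 8008}))                   # ['traversal-probe']
    print(inspect(ONE_OCTET, {80}, normalize_http=False))  # []  exact match misses the variant
    print(inspect(ONE_OCTET, {80}))                        # ['cgi-probe']
    print(inspect(ENCODED, {80}, normalize_http=False))    # []
    print(inspect(ENCODED, {80}))                          # ['traversal-probe']
```

The two misses are exactly the column's warnings: the undeclared port is never looked at, and the exact-match rule misses a request that differs by one octet until the IDS normalizes the way the server does.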

Don't get me wrong - IDS products have a definite place in corporate networks. Just don't expect them to be easy.

Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz.