IDS Will Morph, But Won't Die

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Shock waves are still reverberating from the report issued in June by Richard Stiennon, a Gartner vice president, predicting the demise of IDS technology by 2005. Network World, a prominent industry publication, ran a front-page story this week outlining repercussions from the report, including a July meeting at the Pentagon that sounded fairly testy as government personnel and vendors alike ganged up on Stiennon.

As it did in June, however, the whole argument still strikes me as much ado about next to nothing. What the report actually says is this: "Intrusion detection systems are a market failure. Vendors are now hyping intrusion prevention systems, which also have stalled. The functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities."

A Gartner press release issued at the time sums up Stiennon's argument rather well by saying that "IDSs have failed to provide value relative to its costs and will be obsolete by 2005."

"Value relative to its costs" is the operative phrase there. Let's face it, IDSs are expensive to maintain, given it takes serious security expertise to properly tune them.

But Stiennon isn't really arguing that "IDS is dead," as so many press reports have characterized his position. Rather, he's simply saying the IDS function will move to the firewalls, enabling them to perform "deep packet inspection for content and malicious traffic blocking, as well as antivirus activities."

The deep packet inspection firewall sounds an awful lot like an intrusion prevention product -- it not only detects an attack, it stops it. The idea that the IDS function will morph into IPS and ultimately get incorporated into a firewall is a reasonable assumption. The technology landscape if full of examples of once standalone products whose function gets incorporated into some other product over time. The switch/router comes to mind, along with the untold number of features and functions now built into the Windows operating system that used to be sold separately. (See your "Accessories" folder for numerous examples.)

'Trust Boundaries'

A follow-up report that Gartner issued in early August to clarify some of Stiennon's points recommends users abandon near-term plans for "IDS everywhere" deployments and instead focus on "trust boundaries (directly inside firewalls) and LAN segments that house high-value servers." That kind of approach -- focusing the most protection on your most valuable assets -- has always made good security sense.

The follow-up report also recommends that companies redirect security dollars earmarked for IDS to host-based intrusion prevention systems (IPS) for high-value servers and to automated vulnerability assessment and remediation processes and products. It's hard to argue with that strategy, either. An IDS, after all, only alerts you to an event that has already happened. Vulnerability assessment tools enable you to find out which systems might be vulnerable to any given attack, and remediation processes help you fix them.

And, having done a little work with a couple of IPS vendors, my take is their technology is maturing. It is indeed a tough sell to convince a company they can simply turn loose an IPS product to stop every attack it identifies. Mindful of all the false positives their IDSs generate, most users prefer a more cautious approach. Perhaps they allow the IPS to stop an attack that matches the signature of a well-known worm, for instance, but not a new type of attack that hasn't been positively identified. Responsible IPS vendors even recommend that sort of approach.

Over time, as their products get better at identifying new forms of attacks -- and they surely will get better at that -- companies will rightfully have more confidence in allowing them to stop more types of attacks, just as firewalls and antivirus products do every day. To do that, however, means an IPS -- or IPS software incorporated into a "deep inspection firewall" -- can't rely solely on signatures, as firewalls and antivirus products do.

The best approach is to use a mix of technologies: signatures to block well-known forms of attacks and a mix of anomaly detection tools and advanced algorithms to identify packet streams that are likely to be attacks, either because they are outside the norm or closely resemble a known form of attack. The tools can stop traffic when it has high confidence that it is an attack, while alerting on those it merely suspects are attacks. That means you will still need bona-fide security experts to monitor the tool, but far fewer of them. And, as they use the tool and classify various new forms of attacks, the tool will get smarter over time, just as network management systems do.

A number of vendors are at work on or shipping such tools now. Gartner predicts mature products will ship in 2005, but I suspect companies will get real value out of some of them long before that.

Paul Desmond is president of Paul Desmond Editorial Services, an IT publishing firm in Framingham, Mass. He was the founding editor of eSecurityPlanet.com and can be reached at paul@pdedit.com.

Submit a Comment

Loading Comments...