If someone malicious gets into your 400 system, you're in a pickle, especially if you don't know who it is -- or even that the person has penetrated your operation. One way to attempt to find out this vital information is through an Intrusion Detection System. But while many security professionals will tout IDS as the silver bullet of intrusions, don't believe it.
There is no single product, technique or mechanism that can serve as the end-all-be-all security solution. There are so many aspects to consider when implementing security, from logical/technical controls to administrative and physical, that it is impossible for a single entity to meet the demands. That's why most seasoned security professionals say that the only silver bullet in security is not having a security policy and the beast it kills is your organization.
OK, back to the topic at hand: IDS. Intrusion Detection Systems have been hyped as the way to automatically and intelligently monitor your network for intrusion attempts and malicious attacks. Unfortunately, the technology behind IDS just isn't up to snuff to backup such a claim. And I've found proof to back that up.
An article in NetworkWorldFusion from June 2002 presents the findings of three independent security consultants who tested eight "top of the line" IDS products against the traffic at an ISP. Their findings are that every single IDS product performed dismally. Many of the products crashed on themselves by producing an over-abundance of false alarms. Most of the products completely failed to recognize real attacks when they occurred. And all of the products were so complex to configure that human error and understanding became a serious issue.
The article is quite lengthy, and it goes into good detail about the configuration of the test environment and the lengths the authors went to in order to grant the IDS products as fair a chance as possible. They concluded that while IDS isn't exactly plug-in-play, it does show promise. IDS may be useful in some organizations, but extensive time is needed to train and configure the product for your specific IT environment. Even after three months of intensive tuning, all of the products in the test continued to produce an unwieldy level of false alarms.
The "Crying wolf: False alarms hide attacks" article can be found at: http://www.nwfusion.com/techinsider/2002/0624security1.html.
James Michael Stewart is a writer and researcher at Lanwrights.com.
================================== MORE INFORMATION ON THIS TOPIC ==================================
The Best Web Links: Tips, tutorials and more.
Search400's targeted search engine: Get relevant information on security.
Ask your systems management questions--or help out your peers by answering them--in our live discussion forums.
Read this Search400 Featured Topic: Secure your iSeries
This was first published in August 2002