Tip

Don't bank on IDS

If someone malicious gets into your 400 system, you're in a pickle, especially if you don't know who it is -- or even that the person has penetrated your operation. One way to attempt to find out this vital information is through an Intrusion Detection System. But while many security professionals tout IDS as the silver bullet against intrusions, don't believe it.

There is no single product, technique or mechanism that can serve as the end-all-be-all security solution. There are so many aspects to consider when implementing security, from logical/technical controls to administrative and physical, that it is impossible for a single entity to meet the demands. That's why most seasoned security professionals say that the only silver bullet in security is not having a security policy and the beast it kills is your organization.

OK, back to the topic at hand: IDS. Intrusion Detection Systems have been hyped as the way to automatically and intelligently monitor your network for intrusion attempts and malicious attacks. Unfortunately, the technology behind IDS just isn't up to snuff to back up such a claim. And I've found proof to support that.

An article in NetworkWorldFusion from June 2002 presents the findings of three independent security consultants who tested eight "top of the line" IDS products against live traffic at an ISP. Their finding was that every single IDS product performed dismally. Many of the products choked on the overabundance of false alarms they themselves generated. Most of the products completely failed to recognize real attacks when they occurred. And all of the products were so complex to configure that human error and misunderstanding became a serious issue.

The article is quite lengthy, and it goes into good detail about the configuration of the test environment and the lengths the authors went to in order to give the IDS products as fair a chance as possible. They concluded that while IDS isn't exactly plug-and-play, it does show promise. IDS may be useful in some organizations, but extensive time is needed to train and configure the product for your specific IT environment. Even after three months of intensive tuning, all of the products in the test continued to produce an unwieldy level of false alarms.

The "Crying wolf: False alarms hide attacks" article can be found at: http://www.nwfusion.com/techinsider/2002/0624security1.html.


James Michael Stewart is a writer and researcher at Lanwrights.com.


This was first published in August 2002
