Wednesday, October 15, 2003

IDS Review Addresses Issues That Matter

Too many reviews of intrusion detection systems (IDS) focus on the pretty colors, blinking red lights, and other worthless aspects of popular products. A new reviewJoel Snyder, David Newman and Rodney Thayer of five IDS products is a breath of fresh air. First, they have a clue:

"Gartner's analysis, unfortunately, is based on a profound misunderstanding of what network IDSs are good for and who should use them. Many network managers, and the analysts at Gartner, have put network IDS in the same bucket as firewalls: a technology designed to protect network assets. But it doesn't go there. A network IDS is to the security analyst what a protocol analyzer is to a network manager: a tool to look into a network and understand what is going on, security-wise. Lumping network IDS and firewalls together, or even network IDS and intrusion-prevention systems (IPS) together, is no more appropriate than considering 100M bit/sec switches and protocol analyzers together."

Second, their review focuses on real tasks by presenting scenarios, like "What happened to Paul?", a Windows 2000 system deployed as a sacrificial lamb. Third, they have a sense of what is important when doing monitoring:

"This test also exposed a problem common to all the products (except Barbedwire) - you can't see the offending packets. You never get to check the signatures to see if they are generating false positives."

The major downside is that only five IDS were tested, and Sourcefire wasn't included. The reviewers explain they didn't review Snort as an open source product because "Snort, like many complex open source tools, requires the security analyst to also be a system integrator: pick operating system, hardware, multiple applications, and bring them all together into a high-performance network IDS. Reviewing Snort would require us to play system integrator to start to capture the possibilities surrounding the popular detection engine."

No comments: