Sunday, September 07, 2003

Anton Chuvakin submitted a post alerting me to an article by Gartner gadflies John Pescatore, Richard Stiennon, and Anthony Allan. From the article:

"You should continue to detect intrusions. However, you shouldn't invest in stand-alone, network-based intrusion detection systems (IDSs)... by 2006, most enterprises will perform intrusion detection as part of firewall processing with next-generation firewalls... There have been enough advances in algorithms and high-speed network security processors to enable next-generation firewalls to perform network intrusion detection and blocking at all layers of the protocol stack. Mature products will ship in 2005... Purchase security management products - see "CIO Update: Gartner's IT Security Management Magic Quadrant Lacks a Leader," - to perform IDS alarm data reduction and correlation to firewall and vulnerability assessment logs, or outsource IDS monitoring to managed security service providers... Gartner has published a new report that includes material on intrusion detection and prevention, "Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture."

My advocacy of Network Security Monitoring makes me agree that "stand-alone" NIDS aren't sufficient. However, Gartner's logic makes no sense. Essentially they are saying firewalls shipping in 2005 or 2006 will be sufficiently advanced to perform the IDS detection functions of today. In 2 or 3 years IDS will also have advanced, so what's the difference? The bottom line is Gartner continues to make waves in order to sell their pricey reports to scared CIOs facing regulatory and customer pressure.