Intrusion-detection systems are the focus of a lot of time and attention these days. Many companies are deploying them without regard to which IDS best meets their needs. Your question shows that you don't want to just fill in a checkbox saying that you have IDS but instead want to deploy the right solution. First off, IDSes come in two general flavors: host-based and network-based. I'll address your question on the network-based IDS product side, since it gets so much attention these days.
Unfortunately, the quick answer to your question is, "It depends." You see, different IDS products meet different needs. If you are on a limited budget but want a good amount of technical flexibility and the means to define your own attack signatures, go for the open source Snort tool (www.snort.org). If you like Snort, but want more support or are restricted from buying an open source tool (as some companies sadly are), you should check out the commercialized Snort offerings of Sourcefire (www.sourcefire.com).
If you are looking for a good product that offers excellent detection capabilities and technical depth, you should check out the Enterasys Dragon (http://www.enterasys.com/ids/). Another worthy product is the Network Flight Recorder (www.nfr.com). Finally, if you are looking for a very shrink-wrapped tool, look into the ISS RealSecure product.
My bottom-line recommendation is that you spend some time piloting IDS using the freeware Snort tool in your environment. As you get used to network-based IDS using this free tool, you'll better understand your particular requirements and can spend the dollars on a commercial solution (or stay with the free Snort). That way, you learn for less and can make an educated decision on your product needs.
This was first published in April 2002