The death knell for intrusion detection is getting louder. Tired of doing full-time monitoring and fending off alerts that 99 times out of 100 mean nothing, enterprises have been ready to shove these expensive network-monitoring products off the proverbial cliff.
Research firm Gartner Inc. provided another nudge Wednesday when it declared IDS will be obsolete by 2005.
Instead, Gartner recommends that businesses invest their security dollars on firewalls that block attacks, rather than alert administrators to them.
"The underlying problem with IDS is that enterprises are investing in technology to detect intrusions on a network. This implies they are doing something wrong and letting those attacks in," said Gartner vice president of research Richard Stiennon. "Enterprises investing money to alert them when the next SQL Slammer worm arrives is a waste of money."
According to Gartner's Information Security Hype Cycle, intrusion detection has failed to deliver value relative to its costs. Enterprises have been quick to decry IDS for the plethora of false positives it generates, for the voluminous amounts of log data administrators have to pore over and for its inability to monitor at speeds of more than 600 Mbps.
Gartner said firewalls that work both on the network and application levels will supplant intrusion detection and intrusion-prevention systems within two years.
"Firewalls will be reborn as an effective network defense," Stiennon said. "The key is not more sensors and more management. Investments there don't lead to a more secure profile. Enterprises should migrate to a protective network environment, rather than detect everything that happens."
Stiennon pointed to content switches from vendors like F5 Networks and Radware Ltd., and to Web application defense products and firewalls that monitor at wire speed, from vendors like NetContinuum Inc., Fortinet Inc. and TippingPoint Technologies, as those that will prevail.
"Firewalls are the most effective defense against cyberintruders on the network, and they are becoming increasingly better at blocking network-based attacks," Stiennon said. "To be considered as a challenger, visionary or leader, a vendor must have both network-level and application-level firewall capabilities in an integrated product. Vendors that have only one or the other will be niche players."
Meanwhile, Stiennon said, there is a place for monitoring and detection.
"That place is in wireless LANs, where you detect malicious activities, and that means that someone is in your parking lot or conference room trying to get access to your network," he said. "That way, you can deploy someone quickly to stop them.
"Another place is at the application layer, where you can monitor and alert based on the actions of authorized users."