Intrusion detection is a necessary layer in a defense-in-depth strategy, as well as a vital component in forensic investigations, according to several security administrators and IT managers responding to a report last week by research firm Gartner Inc., which declared IDS would be obsolete by 2005.
Gartner recommended that enterprises stop investing in intrusion detection in favor of firewalls that block attacks by doing deep packet inspections at the network and application levels.
"The underlying problem with IDS is that enterprises are investing in technology to detect intrusions on a network. This implies they are doing something wrong and letting those attacks in," said Gartner vice president of research Richard Stiennon. "Enterprises investing money to alert them when the next SQL Slammer worm arrives is a waste of money."
While some users saw some merit in Gartner's declaration, most were adamant that IDS isn't going anywhere in the near future.
"Security is a process, not a plug-in, and using multiple layers in the process has long been regarded as more effective than just one tool," said Walt Howard, a system administrator at the electrical and computing engineering research facility at the University of Alberta. "IPsec is a layer. TLS [transport layer security] is a layer. Firewalls are a layer. Virus detection on the mail server is a layer, but [it] does not replace virus detection on each desktop. And IDS is a layer, providing feedback on how well the other layers are working."
IDS has been dogged by its reputation for producing false positives and negatives, the necessity for 24/7 monitoring and the volumes of log data generated -- all of which require expensive personnel that some enterprises cannot afford. Users, however, point out that the log data can be invaluable to a post-attack investigation. By shutting off IDS, as Gartner recommends, companies would also expose themselves further to internal attacks, which firewalls cannot detect, users said.
Gartner's recommendation to invest in deep-packet-inspection firewalls also came under fire from users. Some pointed out that certain IDS tools, such as Snort and products from Internet Security Systems, already do some prevention, for example by sending TCP resets that terminate an offending host's sessions.
"Gartner's view on IDS is, in my opinion, only valid in the context in which they stated it, i.e., using an IDS to protect your network. Anyone that's using an IDS to block network traffic is, in my opinion, misusing the technology," said Mark S. Velasquez, an administrator with the South Florida Water Management District. "Most IDS's can block network traffic by either issuing TCP resets or via rewriting firewall rules. A firewall is a better tool for protecting your network. Primarily, we use our IDS as a firewall rule/policy validation tool: Is our firewall blocking the traffic we thought we told it to block, and for discovering traffic on our network that we were unaware of."
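As an added illustration of the rule-validation use Velasquez describes (example code written for this page, not from the article or from any product it names): a constructed set of firewall deny rules is checked against constructed Snort-style fast alert lines from a sensor sitting inside the network, and any alerted flow that a deny rule covers means the firewall is not blocking what it was told to block. The rule format, alert lines and addresses are all assumptions.

```python
import ipaddress
import re
# Constructed perimeter policy: flows the firewall was told to deny. "src"/"dst" are CIDR
# blocks; a leading "!" negates the block, so "!10.0.0.0/8" means "from outside the LAN".
INTERNAL_NET = "10.0.0.0/8"
FIREWALL_DENY_RULES = [
    {"src": "!10.0.0.0/8", "dst": INTERNAL_NET, "proto": "udp", "dport": 1434},  # SQL resolution svc
    {"src": "!10.0.0.0/8", "dst": INTERNAL_NET, "proto": "tcp", "dport": 445},   # SMB from outside
    {"src": "!10.0.0.0/8", "dst": INTERNAL_NET, "proto": "tcp", "dport": 1433},  # MS-SQL from outside
]
# Constructed sample alerts in Snort "fast" format from a sensor sitting behind the firewall.
IDS_ALERTS = """\
07/01-10:15:02.123456 [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 203.0.113.7:4444 -> 10.1.2.3:1434
07/01-10:16:11.000001 [**] [1:2465:9] NETBIOS SMB-DS IPC$ share access [**] [Priority: 3] {TCP} 10.1.5.9:49200 -> 10.1.2.3:445
07/01-10:17:45.500000 [**] [1:9000:1] External SMB session [**] [Priority: 3] {TCP} 198.51.100.4:51000 -> 10.1.2.3:445
"""
ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Turn fast-format alert lines into flow dicts; lines that do not parse are skipped."""
    flows = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            flows.append({"msg": m["msg"], "proto": m["proto"].lower(),
                          "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return flows

def _in_block(spec, addr):
    negate = spec.startswith("!")
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"))) != negate

def matching_deny_rule(flow, rules=FIREWALL_DENY_RULES):
    """Return the deny rule this flow should have hit, or None if policy permits it."""
    for rule in rules:
        if (rule["proto"] == flow["proto"] and rule["dport"] == flow["dport"]
                and _in_block(rule["src"], flow["src"]) and _in_block(rule["dst"], flow["dst"])):
            return rule
    return None

def policy_violations(alert_text=IDS_ALERTS, rules=FIREWALL_DENY_RULES):
    """Flows the IDS saw inside the perimeter that the firewall was supposed to drop."""
    return [f for f in parse_alerts(alert_text) if matching_deny_rule(f, rules)]

def internal_origin(alert_text=IDS_ALERTS):
    """Alerts whose source is inside the LAN: traffic a perimeter firewall never sees."""
    return [f for f in parse_alerts(alert_text) if _in_block(INTERNAL_NET, f["src"])]
```

`policy_violations()` reports the two externally sourced flows (udp/1434 and tcp/445) that the deny rules should have stopped, while `internal_origin()` isolates the internal SMB alert, which is no firewall gap but is exactly the traffic a perimeter device never sees.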
"I welcome an alternative solution, i.e., a firewall that monitors and blocks unauthorized network and application behavior. But, still, there is a need to monitor and report for behaviors that might be a threat," said Celsio Pablo, assistant general manager of IT at Maduro & Curiel Bank N.V., in Curacao, Netherlands Antilles. "By not doing the latter, a potential hacker can gather enough information to bypass the only security you have, the all-in-one firewall. The risk is high with a one-layer solution."
Marty Roesch, author of Snort and chief technology officer of Sourcefire Inc., the company that sells commercial versions of the open-source IDS, said Gartner's proclamation of obsolescence for IDS is counterintuitive.
"The firewall technology Gartner is proposing, this utopian vision they are selling, is not ready for prime time," Roesch said. "They are talking about all these ASIC-based vendors providing a miracle cure. Access control [deep-inspection packet firewalls] is important, but so is monitoring [IDS]. A properly configured IDS has great value, and [Gartner] seems to be ignoring the facts. I don't think they have talked to people who have made IDS successful."
Roesch admits to the difficulties associated with IDS, but he warns that following Gartner's recommendations and shutting off intrusion-detection systems is akin to driving down a busy road with your eyes closed. Enterprises that do so will be particularly blind to internal attacks, he said.
"They will lose awareness of the environment in which they are operating," Roesch said. "What's happening inside their infrastructure doesn't go through an access control device. People will be able to do stuff with impunity, and only if something breaks will people notice it."