Intrusion-detection systems have become the new darling of the security world. Many security professionals will
tout IDS as the silver bullet to intrusions. Well, don't believe it. Like the mythic werewolf it kills, the existence of the silver bullet is as much a myth. There is no single product, technique or mechanism that can serve as the end-all-be-all security solution. There are so many aspects to consider when implementing security, from logical/technical controls to administrative and physical, that it is impossible for a single entity to meet the demands. That's why most seasoned security professionals say that the only silver bullet in security is not having a security policy, and the beast it kills is your organization.
OK, back to the topic at hand: IDS. Intrusion-detection systems have been hyped as the way to automatically and intelligently monitor your network for intrusion attempts and malicious attacks. Unfortunately, the technology behind IDS just isn't up to snuff to back up such a claim. And I've found proof to back that up.
An article in NetworkWorldFusion from June 2002 presents the findings of three independent security consultants who tested eight "top of the line" IDS products against the traffic at an ISP. Their findings are that every single IDS product performed dismally. Many of the products crashed on themselves by producing an over-abundance of false alarms. Most of the products completely failed to recognize real attacks when they occurred. And all of the products were so complex to configure that human error and understanding became a serious issue.
The article is quite lengthy, and it goes into good detail about the configuration of the test environment and the lengths the authors went to in order to grant the IDS products as fair a chance as possible. They concluded that while IDS isn't exactly plug-and-play, it does show promise. IDS may be useful in some organizations, but extensive time is needed to train and configure the product for your specific IT environment. Even after three months of intensive tuning, all of the products in the test continued to produce an unwieldy level of false alarms.
The "Crying wolf: False alarms hide attacks" article can be found at: http://www.nwfusion.com/techinsider/2002/0624security1.html.
About the author
James Michael Stewart is a writer and researcher at Lanwrights, Inc.