Best intrusion detection systems and network IDS

Network intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) have a number of functional characteristics in common. In fact, most IPSs have an IDS at their core. The key difference between the technologies is implied by their names: IDS products only detect malicious traffic, while IPS products prevent such traffic from entering your network. This page describes IDS technology. IPS technology is covered on a separate web page.


IDS technology

An intrusion detection system (IDS) analyzes network traffic looking for indications of attacks and malicious intent. A typical IDS installation straddles your firewall and monitors traffic in promiscuous mode, passively listening to packets rather than being addressed by them. An IDS maintains a database of known attack profiles, commonly referred to as 'rules', and compares each incoming data packet to this library of rules. When suspicious traffic is detected, that is, when an incoming packet matches a rule, the IDS sounds the alarm, sending notifications that an attack has occurred. Because an IDS analyzes the contents of each data packet, attacks embedded in seemingly harmless traffic are readily identified — and that's the value of the technology.

The key benefit of an IDS is its ability to provide notification of an attack in progress, which allows your IT staff to review the attack afterwards and determine what configuration changes should be made to the network to avert similar attacks in the future. The IDS provides 24/7/365 monitoring of virtually all the network traffic that passes its monitoring point.

These IDS features give your IT staff a tremendous amount of information about network traffic. With sufficient resources, you can examine every suspicious or potentially damaging request. The advanced features that make IDSs so powerful can also make the technology difficult to use. IDSs have a tendency to inundate you with alerts and notifications and produce numerous false alarms, also referred to as false positives. While an IDS will likely detect and alert you to an attack in progress, such information could be buried under a mountain of false-positive or trivial data. IDS administrators can quickly become desensitized to the sheer volume of data produced by the system, which can have a detrimental effect on their ability to respond to legitimate threats.

To be effective, an IDS must be closely monitored and continually fine-tuned to the usage patterns and vulnerabilities discovered in your environment. Such maintenance typically consumes a fair amount of administrative resources. In fact, the Giga Information Group reports that 75% of IDS implementations fail due to the complexity of their operation. Keep this statistic in mind when evaluating an IDS vendor, and be sure to choose a product, such as StillSecure's Strata Guard (which takes the powerful, open-source Snort®* IDS engine and makes it practical for protecting corporate-scale networks), that can be maintained with your existing IT resources—or consider subscribing to an IDS managed service, such as our ProtectPoint managed security service, where dedicated security experts monitor and manage the IDS system for you around the clock.

Advanced commercial firewall software, Snort, perimeter, chassis, and more

A firewall and anti-virus software are the bare necessities for securing your network. While these measures play a crucial role in perimeter network security, they are incapable of defending against many of today's advanced threats and vulnerabilities. A quick review of basic firewall functionality demonstrates why this is so.

Operating on level 1 of the layered security framework, a commercial firewall acts like a traffic cop. It permits network traffic to pass through based on a number of specific metrics. For example, a request destined for your email server is allowed through; a request addressed to your corporate accounting system is denied.

Usually, traffic destined for your Web server (port 80) or email server (port 25) is granted access. Unless you specify otherwise, a firewall typically blocks all traffic addressed to other locations (i.e., servers, databases, or application servers) on your network, thus protecting those hosts against unauthorized, external access.

It is important to keep in mind that most firewalls do not analyze the contents of the data packets that make up network traffic. The firewall simply allows or prohibits access, in whole, based on the external data packet characteristics — specifically, destination and source IP addresses and ports.
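To make the contrast concrete, here is an added example that is not code from this page, from StillSecure or from the Snort project: a stateless packet filter that decides on destination address and port alone, beside a minimal content-matching IDS whose rules, in the spirit of a Snort content rule, pair a port with a byte pattern. All hosts, addresses, rule ids and packets are constructed for the illustration. The fourth packet shows the false-positive problem described in the IDS section above: a benign request whose body happens to contain the signature pattern fires the same alert as the suspicious one, which is why rules have to be tuned to the environment.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""


# Firewall policy (constructed): destination host/port pairs reachable from outside.
# As in the text, the web server on port 80 and the mail server on port 25 are open;
# everything else is blocked by default.
FIREWALL_ALLOW = frozenset({
    ("10.0.0.10", 80),   # hypothetical web server
    ("10.0.0.20", 25),   # hypothetical mail server
})


def firewall_decision(pkt: Packet) -> str:
    """Stateless packet filter: decides on header fields only, never on the payload."""
    return "allow" if (pkt.dst_ip, pkt.dst_port) in FIREWALL_ALLOW else "deny"


@dataclass(frozen=True)
class Rule:
    sid: int          # signature id (constructed numbering)
    msg: str
    dst_port: int
    content: bytes    # byte pattern that must appear in the payload


# Constructed rule set: each rule matches a destination port plus a byte pattern.
RULES = (
    Rule(1000001, "HTTP request carrying a path-traversal pattern", 80, b"../.."),
    Rule(1000002, "SMTP message carrying an executable attachment", 25, b'filename="invoice.exe"'),
)


def ids_inspect(pkt: Packet, rules: tuple[Rule, ...] = RULES) -> list[tuple[int, str]]:
    """Compare one packet against every rule; return (sid, msg) for each rule that matches."""
    return [(r.sid, r.msg) for r in rules
            if pkt.dst_port == r.dst_port and r.content in pkt.payload]


def analyze(packets) -> list[dict]:
    """Run both checks on each packet. The IDS taps the wire promiscuously, so it inspects
    every packet; the firewall's allow/deny decision is recorded alongside its alerts."""
    results = []
    for pkt in packets:
        results.append({
            "dst": f"{pkt.dst_ip}:{pkt.dst_port}",
            "firewall": firewall_decision(pkt),
            "alerts": ids_inspect(pkt),
        })
    return results


# Constructed sample traffic.
SAMPLE_TRAFFIC = (
    # 1. Ordinary web request: allowed, no alert.
    Packet("203.0.113.5", "10.0.0.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 2. Web request containing a traversal pattern: the firewall allows it because
    #    port 80 is open; only payload inspection notices it.
    Packet("203.0.113.5", "10.0.0.10", 80,
           b"GET /../../secret HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # 3. Connection to an internal database port: denied by the firewall, and no rule applies.
    Packet("203.0.113.5", "10.0.0.30", 5432, b"\x00\x00\x00\x08arbitrary"),
    # 4. Benign request whose body merely *discusses* relative paths: the same rule fires.
    #    This is a false positive, and the reason rules need tuning to local usage.
    Packet("198.51.100.7", "10.0.0.10", 80,
           b"POST /wiki/save HTTP/1.1\r\n\r\nUse ../.. to go up two directories."),
)


if __name__ == "__main__":
    for result in analyze(SAMPLE_TRAFFIC):
        print(result)
```

Running the block prints one line per packet: packets 1, 2 and 4 are allowed by the firewall and packet 3 is denied, while the IDS raises signature 1000001 on packets 2 and 4 alike. The firewall never distinguishes packet 2 from packet 1, and the IDS cannot distinguish packet 4 from packet 2 without a more specific rule; together those two observations are the argument this page makes for layering an IDS on top of a firewall and for tuning it.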

Given this basic functionality, a firewall is powerless to defend against a number of today's sophisticated threats and vulnerabilities, including:

  • Attacks embedded in legitimate network traffic — many network attacks are embedded in traffic that the firewall deems permissible. A number of well-known attack types, including Code Red, NIMDA, and the Klez virus, gain access to and cripple networks by masquerading as legitimate Web server requests or email traffic.
  • Access gained through wireless network segments — on most networks, wireless LAN (WLAN) segments connect inside the firewall, allowing a back door into the network. Wireless access points (WAPs) can be readily exploited by individuals with malicious intent.
  • Attacks originating from behind the firewall — a number of common technologies and poor business practices can give rise to attacks that originate from behind the firewall. For example, mobile devices such as laptop computers can be removed from the trusted network segment and connected to untrusted networks, where viruses and vulnerabilities can be introduced. Upon reconnection, these vulnerabilities expose the trusted network to attack.

Other vehicles that can expose your network to attack from behind the firewall include peer-to-peer (P2P) connections, instant messaging transmissions, downloads, and dial-up access. Many organizations, for example, still have modem pools, or they outsource the pools and have a T1 connection from the vendor directly to their internal network with no security controls in between.

* Snort is a registered trademark of Sourcefire, Inc. Latis Networks, Inc. is not affiliated with, connected to, or sponsored by Sourcefire, Inc.