Intrusion detection

Many organizations are finding that firewalls, antivirus software and user authentication policies aren’t enough to keep networks safe, which explains the growing market for intrusion detection technology from established vendors such as Cisco Systems Inc., Enterasys Networks Inc. and Internet Security Systems Inc., and new players including IntruVert Networks Inc. and OneSecure Inc.

The biggest management problem with intrusion detection products is the false alarms. Most ID systems err on the side of caution by default, and the upshot is a flood of false alarms. Over time, the staff assigned to monitor the systems must learn how to sort the serious attacks from the false alarms and how to “tune” the systems to reduce their number.

In its simplest form, an intrusion detection system identifies and records potential security threats, such as someone scanning server ports or making repeated attempts to log in using random passwords. As such, it’s not a replacement for other security measures. “An IDS is like the video camera in a convenience store or a bank,” says Stuart McClure, president and CTO of security consultancy Foundstone Inc. in Mission Viejo, Calif. A video camera doesn’t replace the locks on the door or the safe, but if someone breaks through those security measures, the camera provides a record that can help nab the perpetrators and buttress the security system against future attacks.

Intrusion detection systems work in a number of ways. A network-based IDS relies on network sensors that monitor packets as they go by. Typically, a network-based IDS comprises sensors at network entry points (alongside a firewall, for instance) or at the boundaries between subnets with different security levels (such as between your LAN and your data center).

A host-based IDS, by contrast, monitors activity on specific servers or mainframe hosts by keeping an eye on the integrity of critical files, or by monitoring specific operating system events (such as suspicious error messages or unusual server processes).
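The file-integrity side of a host-based IDS, in its simplest form, is a baseline of cryptographic digests of critical files that is later compared against a fresh snapshot. The Python script below is an added example, not code from the article or from any vendor it names; the files it creates under a temporary directory, the tampering it simulates and the function names are all constructed for illustration.

```python
"""Minimal host-based file-integrity check: baseline critical files, then
detect modified, added and removed files. Added example, not vendor code."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh snapshot."""
    old, new = set(baseline), set(current)
    return {
        "modified": sorted(f for f in old & new if baseline[f] != current[f]),
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def demo() -> dict:
    """Build a scratch 'host' in a temp dir, baseline it, tamper, and re-check.
    All file names and contents here are constructed for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF constructed binary")

        # A real tool keeps the baseline off-host or on read-only media so an
        # intruder cannot rewrite it along with the files; JSON stands in here.
        stored = json.dumps(build_baseline(root))

        # Simulated post-baseline changes: an extra uid-0 account appended,
        # a system binary removed, and an unexpected new file dropped in.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n"
        )
        (root / "bin" / "login").unlink()
        (root / "bin" / "unexpected.ko").write_bytes(b"constructed")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The comparison reports three classes of change because each calls for a different response: a modified password file or a removed login binary is an incident, while an added file may be a legitimate deployment, which is exactly the kind of judgment the article says the monitoring staff must learn to make.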

Similar to virus scanners, network- and host-based IDS solutions also frequently make use of signature scanning, looking for unique data fingerprints that identify certain types of attacks.

The weakness of this approach is that signatures must be constantly updated to keep pace with the ever-evolving techniques of hackers. To address this shortcoming, some intrusion detection systems look for any network activity that lies outside a certain prescribed range of “safe” activities, an approach known as anomaly detection.

The problem with all intrusion detection systems is that they are not, and probably never will be, plug-and-play. Unlike firewalls, most intrusion detection systems require considerable technical smarts to set up and configure properly.

But the biggest management problem is the alarms. Every IDS, by its nature, generates alarms whenever it detects something that looks like suspicious activity. But every network is different, and computers aren’t very good at telling the difference between, say, the “I Love You” e-mail virus and an e-mail message from your systems administrator that is merely warning you about the virus. As a result, most intrusion detection systems err on the side of caution. Consequently, they generate lots of false alarms – as many as thousands per day in extreme cases.

Every one of those alarms is potentially something that your security staff will have to evaluate to determine whether it’s a legitimate use of your network or a hostile attack. Over time, the staff that monitors your IDS will learn both how to sort real attacks from false alarms and how to tune the IDS to reduce them.
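The signature scanning and “outside the safe range” detection described earlier, and the tuning step described here, in one added Python example that is not from the article or from any vendor it names. Everything in it is constructed for illustration: the sensor log lines (addresses from documentation ranges), the “../..” signature string, the rule names, the thresholds and the allowlisted in-house scanner host. The two threshold rules are the simplest form of range-based detection, not a statistical anomaly model.

```python
"""Toy network IDS over constructed sensor records: one signature rule, two
threshold ("outside the safe range") rules, and a tuning pass that removes
known false alarms. Added example; not code from the article or any vendor."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sensor log, one record per line:
# time source destination dst_port auth_result request_or_dash
SENSOR_LOG = """\
10:00:01 10.0.0.5 10.0.1.20 22 FAIL -
10:00:02 10.0.0.5 10.0.1.20 22 FAIL -
10:00:03 10.0.0.5 10.0.1.20 22 FAIL -
10:00:04 10.0.0.5 10.0.1.20 22 FAIL -
10:00:05 10.0.0.5 10.0.1.20 22 FAIL -
10:00:10 10.0.0.9 10.0.1.20 21 OK -
10:00:10 10.0.0.9 10.0.1.20 22 OK -
10:00:10 10.0.0.9 10.0.1.20 25 OK -
10:00:10 10.0.0.9 10.0.1.20 80 OK -
10:00:11 10.0.0.9 10.0.1.20 443 OK -
10:00:11 10.0.0.9 10.0.1.20 3306 OK -
10:00:12 203.0.113.7 10.0.1.30 80 OK GET /files/../../secret.txt
10:00:13 198.51.100.4 10.0.1.30 80 OK GET /index.html
10:00:14 10.0.0.12 10.0.1.20 22 FAIL -
10:00:15 10.0.0.12 10.0.1.20 22 OK -
10:00:21 203.0.113.9 10.0.1.20 22 OK -
10:00:21 203.0.113.9 10.0.1.20 80 OK -
10:00:21 203.0.113.9 10.0.1.20 443 OK -
10:00:22 203.0.113.9 10.0.1.20 3389 OK -
10:00:22 203.0.113.9 10.0.1.20 5432 OK -
"""


@dataclass
class Config:
    """Tunable knobs. The defaults deliberately err on the side of caution."""
    max_failed_logins: int = 1          # alert at this many FAILs from one source
    max_distinct_ports: int = 3         # alert at this many distinct ports per source
    signatures: dict = field(default_factory=lambda: {"dir-traversal": "../.."})
    allowlist: frozenset = frozenset()  # sources exempt from the volume rules


def parse(log: str) -> list:
    """Split the constructed log into event dicts (the request may contain spaces)."""
    events = []
    for line in log.splitlines():
        ts, src, dst, dport, result, payload = line.split(" ", 5)
        events.append({"ts": ts, "src": src, "dst": dst,
                       "dport": int(dport), "result": result, "payload": payload})
    return events


def detect(events: list, cfg: Config) -> list:
    """Return (rule, source, detail) alerts for one monitoring window."""
    alerts = []
    failed = defaultdict(int)
    ports = defaultdict(set)
    for e in events:
        # Signature rules apply to every source: an authorized scanner host
        # that starts sending attack payloads should still raise an alert.
        for name, pattern in cfg.signatures.items():
            if pattern in e["payload"]:
                alerts.append((name, e["src"], e["payload"]))
        if e["src"] in cfg.allowlist:
            continue  # volume rules only: the scanner is expected to sweep ports
        if e["result"] == "FAIL":
            failed[e["src"]] += 1
        ports[e["src"]].add(e["dport"])
    for src, n in failed.items():
        if n >= cfg.max_failed_logins:
            alerts.append(("brute-force", src, f"{n} failed logins"))
    for src, seen in ports.items():
        if len(seen) >= cfg.max_distinct_ports:
            alerts.append(("port-sweep", src, f"{len(seen)} distinct ports"))
    return alerts


def tuning_pass() -> tuple:
    """Run the cautious defaults, then a tuned config that allowlists the
    in-house vulnerability scanner (10.0.0.9, constructed) and tolerates a
    single mistyped password. Returns (default_alerts, tuned_alerts)."""
    events = parse(SENSOR_LOG)
    tuned = Config(max_failed_logins=5, allowlist=frozenset({"10.0.0.9"}))
    return detect(events, Config()), detect(events, tuned)


if __name__ == "__main__":
    before, after = tuning_pass()
    print(f"default config: {len(before)} alerts; tuned: {len(after)}")
    for alert in after:
        print(alert)
```

With the default settings the toy sensor raises five alerts, two of which are noise: the in-house scanner tripping the port-sweep rule and a user who mistyped a password once. Adding the scanner to the allowlist and raising the failed-login threshold drops the count to three without losing the real signals, which is the tuning cycle the article describes; note that the allowlist is deliberately scoped to the volume rules so a compromised scanner host sending attack payloads is still caught by the signature rule.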

“Intrusion detection is extremely high maintenance,” says Bruce Larson, a system vice president and director of special network operations for San Diego-based SAIC International (he designs and deploys network security architectures for SAIC clients, including several government agencies and utilities). He estimates that you need at least one full-time network engineer to monitor and tune an IDS – or about US$150,000 in fully loaded annual salary costs.

One alternative: Outsource IDS management to a managed services company such as Counterpane Internet Security Inc., whose employees will screen IDS alarms and forward only the most significant alerts to your IT staff, in return for monthly fees of US$7,000 to US$12,000.

But outsourced or not, intrusion detection systems are expensive: Appliances can run to US$15,000 or more apiece; full-blown systems may cost US$100,000 or more. Add staffing support, and an IDS represents a significant investment (not to mention a management headache).

On the other hand, if you have valuable assets to protect, you may have no option but to deploy an IDS. Auditors often require IDS technology before they will certify a company’s network as being adequately secured, particularly in highly regulated industries such as financial services and health care. Apart from regulatory requirements, deciding whether to buy an IDS is a matter of risk analysis, and an IDS is merely one tool among many for securing your network. Layering multiple security measures together is part of the well-balanced “defense in depth” strategy recommended by many security pros.

Julia H. Allen, a senior member of the technical staff in the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, suggests that IT executives consider adding the following components to their security strategy: network-based intrusion detection sensors, host-based intrusion detection, a central reporting and monitoring console for IDS alerts and other network messages, firewalls, log file analysis and strong user authentication.