Money slated for intrusion detection should be invested in firewalls, according to research firm Gartner, Inc. Gartner claims its Information Security Hype Cycle released in June shows that intrusion detection system (IDS) technology does not add the additional layer of security promised by vendors. The company charges that in many cases, IDS implementation has proven to be a costly and ineffective investment.
Gartner recommends that enterprises redirect the money they would have spent on IDS toward defensive products from leading firewall vendors that combine network-level and application-level firewall capabilities in an integrated product.
“Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled,” noted Richard Stiennon, Gartner research vice president, in a company announcement. “Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities.”
According to the Gartner Information Security Hype Cycle research, IDSs generate both false positives and false negatives, which makes for a taxing incident-response process and an increased burden on the IS organization, since the systems require constant monitoring. Another shortcoming cited is an inability to monitor traffic at transmission rates greater than 600 megabits per second.
“Firewalls are the most-effective defense against cyberintruders on the network, and they are becoming increasingly better at blocking network-based attacks,” said Stiennon. “To be considered as a challenger, visionary or leader, a vendor must have both network-level and application-level firewall capabilities in an integrated product. Vendors that have only one or the other will be niche players.”
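What the distinction between "network-level" and "application-level" firewall capability means in practice, as an added illustration that is not code from the article, from Gartner or from any vendor named here: a network-level rule decides on addresses, protocol and port alone, so it admits any connection to the web server on TCP/80; an application-level check parses the HTTP request inside that admitted connection and can reject what the server should never see. The addresses, rule set, size limit and sample requests are constructed for the example; the traversal pattern is a generic one, not a particular product's signature.

```python
"""Network-level vs application-level filtering on the same packet (illustrative)."""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import unquote


@dataclass
class Packet:
    """Constructed, simplified packet: the 5-tuple a network-level filter sees
    plus the payload an application-level inspector would parse."""
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Assumed network-level policy: allow inbound TCP/80 and TCP/443 to the web
# server, deny everything else. Only header fields are consulted.
NETWORK_RULES = [
    ("tcp", "192.0.2.10", 80, "allow"),
    ("tcp", "192.0.2.10", 443, "allow"),
]

# Assumed application-level policy for HTTP (illustrative values).
MAX_REQUEST_LINE = 2048
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def network_filter(pkt: Packet) -> str:
    """Port/address filtering: returns "allow" or "deny" without reading payload."""
    for proto, dst, dport, action in NETWORK_RULES:
        if pkt.proto == proto and pkt.dst == dst and pkt.dport == dport:
            return action
    return "deny"


def http_inspect(payload: bytes) -> Optional[str]:
    """Parse the HTTP request line; return a block reason, or None if acceptable.
    The target is percent-decoded before checking so that "%2e%2e/" is not an
    easy way around the traversal check (a common evasion against naive matching)."""
    try:
        request_line = payload.split(b"\r\n", 1)[0]
        if len(request_line) > MAX_REQUEST_LINE:
            return "request line too long"
        method, target, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return "malformed request line"
    if method not in ALLOWED_METHODS:
        return f"method {method} not allowed"
    if not version.startswith("HTTP/1."):
        return "unexpected HTTP version"
    if any(segment == ".." for segment in unquote(target).split("/")):
        return "directory traversal in target"
    return None


def integrated_decision(pkt: Packet) -> Tuple[str, str]:
    """Apply the network-level rule first, then application-level inspection for
    HTTP traffic the network rule admitted. Returns (action, reason)."""
    if network_filter(pkt) != "allow":
        return ("deny", "network rule")
    if pkt.dport == 80 and pkt.payload:
        reason = http_inspect(pkt.payload)
        if reason:
            return ("deny", f"application rule: {reason}")
    return ("allow", "passed both layers")


# Constructed sample traffic: a normal request, a traversal attempt, an
# oversized request line, and a connection to a port the policy never allows.
SAMPLE = [
    Packet("tcp", "203.0.113.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("tcp", "203.0.113.5", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.5", "192.0.2.10", 80, b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n"),
    Packet("tcp", "203.0.113.5", "192.0.2.10", 23, b"login\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{pkt.proto}/{pkt.dport:<4} net={network_filter(pkt):<5} "
              f"integrated={integrated_decision(pkt)}")
```

The second and third packets are the point: the network-level filter admits both, because they are ordinary TCP/80 connections, and only the payload parser rejects them. The decoding step is the kind of detail that separates a real application-level inspector from a substring match on raw packets.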
But firewalls alone, as we have known them, are not the answer, and to recommend them could be misleading, counters Ric Walford, sales engineer for Advanced Technology Solutions at Network Associates Inc. in Canada.
Walford admits that “there is some truth that [for] IDSs as we know them, their useful life is coming to an end.” However, he adds that it is just a matter of naming “whether you call the successor product a firewall taking on the functionality of IDSs moving into the prevention side of the business or whether you take an IDS product and call it an IPS, an intrusion prevention product.”
He notes that traditional IDSs often run on PC-based platforms with standard or Linux operating systems, driven by general-purpose processors. “They are fairly simplistic in terms of rules they can apply, and therein lies some of the problems in terms of the number of false alerts that they get. With a traditional IDS, it is not unreasonable that you would get 20,000 alerts in a day. Many customers we talk to have that kind of issue. The problem is how do you sort through 20,000 alerts in a day and figure out the ones that are real?”
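The sorting problem Walford describes is, in practice, an aggregation problem: a sensor emits one line per packet match, so a few signatures account for almost all of the volume. The following is an added example, not code from the article or from Network Associates, of collapsing raw alerts into a short worklist. The alert lines are constructed in a Snort-style single-line ("fast") format; the signature IDs, messages, addresses and counts are made up for the illustration, and the suppression list stands in for signatures an analyst has already reviewed and judged benign on this network.

```python
"""Collapsing a flood of IDS alerts into a prioritised worklist (illustrative)."""
import re

# Snort-style fast-alert record (assumed layout), e.g.
# 09/12-10:01:02.000001 [**] [1:1000001:1] WEB-MISC traversal [**] [Priority: 1] {TCP} 203.0.113.5:41022 -> 192.0.2.10:80
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a fast-alert record."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    fields["prio"] = int(fields["prio"])
    return fields


def build_sample_alerts():
    """Constructed sample data (not real sensor output): five traversal attempts
    from one host, a 30-host ping sweep, and 200 repeats of a benign
    internal-DNS policy alert. Signature IDs 100000x are made up."""
    lines = []
    for i in range(5):
        lines.append(f"09/12-10:01:0{i}.000001 [**] [1:1000001:1] WEB-MISC directory traversal attempt [**] "
                     f"[Priority: 1] {{TCP}} 203.0.113.5:{41000 + i} -> 192.0.2.10:80")
    for i in range(30):
        lines.append(f"09/12-10:02:00.{i:06d} [**] [1:1000003:1] SCAN ICMP ping sweep [**] "
                     f"[Priority: 3] {{ICMP}} 198.51.100.{i + 1} -> 192.0.2.10")
    for i in range(200):
        lines.append(f"09/12-10:03:00.{i:06d} [**] [1:1000002:1] POLICY internal DNS query [**] "
                     f"[Priority: 3] {{UDP}} 192.0.2.20:{30000 + i} -> 192.0.2.53:53")
    return lines


def triage(lines, suppress=frozenset()):
    """Collapse raw alerts into one row per signature, dropping suppressed sids.
    Rows are sorted by priority (1 = most severe) and then by descending count,
    and carry the distinct source and destination hosts seen for that signature."""
    groups = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["sid"] in suppress:
            continue
        row = groups.setdefault(alert["sid"], {
            "sid": alert["sid"], "msg": alert["msg"], "prio": alert["prio"],
            "count": 0, "sources": set(), "targets": set(),
        })
        row["count"] += 1
        row["sources"].add(alert["src"])
        row["targets"].add(alert["dst"])
    return sorted(groups.values(), key=lambda r: (r["prio"], -r["count"]))


if __name__ == "__main__":
    raw = build_sample_alerts()
    # sid 1000002 is assumed to have been reviewed and judged benign on this network.
    rows = triage(raw, suppress={1000002})
    print(f"{len(raw)} raw alerts -> {len(rows)} worklist rows")
    for r in rows:
        print(f"prio {r['prio']}  sid {r['sid']}  x{r['count']:<4} "
              f"{len(r['sources'])} src -> {len(r['targets'])} dst  {r['msg']}")
```

Two hundred and thirty-five lines become two rows, and the row an analyst should open first (priority 1, one source, five attempts against one web server) sorts above the sweep even though the sweep produced six times as many alerts. The suppression list is where the false-positive burden the article describes actually gets paid down, one reviewed signature at a time, and it needs the same review discipline as any allow-list.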
According to Walford, there is a new series of technologies geared around deep packet extension. “Some of that technology can exist in a firewall and some in what we would call next generation IDS.”
He also counters that while the role be