That was the question recently asked by a fellow security professional on the LinkedIn Security Leaders Group.
I’m not usually very excited about posting on LinkedIn Discussion Groups. On top of that, I don’t even have the time to blog anything on my own site. However, I could not resist writing a comment on that discussion about what the best IDS system is. Not when I read the following comment:
Actually the idea of an IDS system has been obsolete for a few years now. Given the latest events in the security area, there are plenty of traffic anomalies far more advanced than relatively-simple signatures out there to deal with.
The best approach nowadays is the IPS (Intrusion Prevention Systems) which would not only detect and inform IT management of the attack events but will also apply the necessary countermeasures to them. Most important of all, this must happen at wire-speed with ASIC-based systems.
Ok, I understand that IPS vendors and resellers have the right to claim what they want, but saying that “the idea of an IDS system has been obsolete for a few years now” is simply too much for me.
Just in case you are not registered with LinkedIn, the following is the comment I’ve just added to that discussion:
I respect everyone’s comments and views, but obviously some of the above are clearly biased. It’s not the first time we hear comments like “actually the idea of an IDS system has been obsolete for a few years now”.
Back in 2003, Gartner analyst Richard Stiennon stated, “IDSs have failed to provide value relative to its costs and will be obsolete by 2005”. Well, although I understand that claim (keep reading), many security analysts will tell you that IDS is very much alive and recent findings like those covered in the “Verizon Business 2008 Data Breach Investigations Report” support this (see http://securityblog.verizonbusiness.com/2008/06/10/2008-data-breach-investigations-report).
First thing to know is that IPS and IDS are different things and that they fit in different layers of the Defense In-Depth strategy and in different phases of the well known Assessment-Prevention-Detection-Reaction loop. IPS devices are meant for intrusion prevention and always run “inline”, very much like firewalls, whilst IDSs (whether network or host based) are passive solutions obviously designed for intrusion detection. Both technologies are complementary and should be part of a holistic security strategy. In many scenarios you will not be able to prevent and stop all attacks with a 100% accuracy. Thus, when prevention fails, what else is left? Detection and then reaction.
However, an IDS is not that different from an IPS from a technology point of view. Take Snort as an example, which is the most widely deployed intrusion detection solution in the world and actively used by large organisations like DARPA, GSA, NIST, NSA as well as the US Armed Forces. Get Snort running in inline-mode with active-response enabled and you have an IPS. Same product but different configuration sitting in a different place on your network. So take an IDS, put it inline and get a third party to manage it and there you have your IPS. Now you understand why most vendors will tell you that IDS is dead.
However, I can understand why many people still claim that IDS is dead. Many fail to understand that an IDS is not a “Plug and Play” device. The state of the art of IDS has not yet evolved to a point where they can be plugged in and work accurately right out of the box, and it won’t be for a while. It is imperative to have a trained and competent analyst (or team of analysts) tuning, updating, examining and investigating the output from the IDS. Do you have the resources to do that? Well, that should be part of the cost analysis of implementing any IDS/IPS solution. Now, with many IPS devices a big chunk of that work can be externalised to a third party, namely Managed Security Services Providers (MSSP).
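To make the three points above concrete (the IDS-to-IPS change is configuration and placement, not technology; a passive sensor can only alert, so when prevention lets something through, detection is what is left; and a ruleset needs analyst tuning), here is an added example that is not part of the original post and is not Snort code. It parses a small constructed subset of Snort's rule syntax (action, protocol, destination port, and the `msg`, `content` and `sid` options only) and runs the same rules through two toy sensors: one inline with a lean, high-confidence ruleset whose actions were flipped to `drop`, and one passive with the full `alert` ruleset. The rules, packets and sid numbers are constructed for the demo.

```python
import re
from dataclasses import dataclass, field, replace

# Constructed subset of Snort rule syntax: action proto src sport -> dst dport (options)
# Assumption: only msg, content and sid options; no ';' inside option values.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass)\s+(?P<proto>tcp|udp)\s+\S+\s+\S+\s*->\s*"
    r"\S+\s+(?P<dport>\d+|any)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    msg: str
    content: bytes
    sid: int


def parse_rule(text):
    """Parse one rule line of the constructed subset into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    opts = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, value = opt.strip().partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("dport"),
                opts.get("msg", ""), opts["content"].encode(), int(opts["sid"]))


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes


@dataclass
class Sensor:
    rules: list
    inline: bool                  # True = sits in the traffic path and can drop
    suppressed: set = field(default_factory=set)   # sids silenced by analyst tuning
    alerts: list = field(default_factory=list)

    def process(self, pkt):
        """Return 'forward' or 'drop'. Every matching, non-suppressed rule raises an alert;
        a drop rule only changes the verdict when the sensor is inline (a passive sensor
        sees a copy of the traffic and can never stop the original)."""
        verdict = "forward"
        for r in self.rules:
            if r.sid in self.suppressed:
                continue
            if r.proto != pkt.proto or (r.dport != "any" and int(r.dport) != pkt.dport):
                continue
            if r.content not in pkt.payload:
                continue
            self.alerts.append((r.sid, r.msg))
            if r.action == "drop" and self.inline:
                verdict = "drop"
        return verdict


# Constructed ruleset for the passive sensor: one high-confidence rule, one noisy one.
IDS_RULES = [parse_rule(t) for t in [
    'alert tcp any any -> any 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"Known scanner user-agent"; content:"scanner-ua"; sid:1000002;)',
]]

# Constructed sample traffic: benign request, traversal attempt, scanner-like request.
PACKETS = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", 80, b"GET /../../secret HTTP/1.0\r\n\r\n"),
    Packet("tcp", 80, b"GET / HTTP/1.0\r\nUser-Agent: scanner-ua\r\n\r\n"),
]


def run_demo():
    # The IDS-to-IPS change: keep only rules trusted enough to block on, flip alert -> drop,
    # and put the sensor inline. Same engine, different configuration and placement.
    high_confidence = {1000001}
    ips_rules = [replace(r, action="drop") for r in IDS_RULES if r.sid in high_confidence]
    ips = Sensor(ips_rules, inline=True)
    ids = Sensor(IDS_RULES, inline=False)   # passive sensor behind the IPS, full ruleset

    verdicts = []
    for pkt in PACKETS:
        v = ips.process(pkt)
        verdicts.append(v)
        if v == "forward":          # only traffic the IPS let through reaches the IDS
            ids.process(pkt)

    # Analyst tuning: after review, sid 1000002 is judged noisy on this site and suppressed.
    ids.suppressed.add(1000002)
    ids.process(PACKETS[2])          # same packet again raises nothing new

    return {
        "ips_verdicts": verdicts,                                 # ['forward', 'drop', 'forward']
        "ips_alerts": [sid for sid, _ in ips.alerts],             # [1000001]
        "ids_alerts": [sid for sid, _ in ids.alerts],             # [1000002]: prevention missed it
        "ids_alerts_after_tuning": len(ids.alerts),               # 1
        "passive_cannot_drop": Sensor(ips_rules, inline=False).process(PACKETS[1]),  # 'forward'
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The `passive_cannot_drop` result is the point about placement: loading drop rules onto a sensor hanging off a SPAN port changes nothing, because the sensor only ever sees a copy. The `ids_alerts` result shows the complementary layer: the inline device was deliberately kept lean to avoid blocking legitimate traffic, so the scanner-like request went through, and only the passive sensor with the broader ruleset recorded it for an analyst to investigate.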
As far as what solution is right for your site, it is a decision that depends on your site configuration, your team skills, your network bandwidth, your budget, organisation’s risk appetite, just to name a few. I would suggest to combine both IPS and IDS solutions, implementing them in different parts of your network as part of a comprehensive Defense in Depth strategy.
Finally, I recommend you have a look at open-source solutions like Snort, Bro (not all IDS are signature-based only) or even more advanced NSM solutions like Sguil (I really like this one), Hex, etc… See if you have the necessary skills and resources to implement and maintain them, as it won’t be easy. Otherwise hire a specialist to help you out with the implementation if you decide to go down that route.
As for commercial IPS solutions, I have had very good feedback on Juniper devices. Also check with your firewall vendor, as integrating firewall and IPS management under the same console makes sense.
Feel free to flame me if I’m wrong.