Sales of IDS software licenses are expected to soar as users adopt the technology. Pitfalls remain in installation and management.
By Garry Kranz
Enterprises pondering intrusion-detection technologies as part of an
overall security strategy may want to take their cue from Forsyth
Institute. Twice during 2001, the Boston-based nonprofit research
organization suffered system outages caused by hackers. It also was
infected, like many other enterprises, with the NIMDA virus. "During
a period of four weeks over the summer, I think we experienced
network downtime of about 15 to 20 hours," said Doug Hanson,
executive director of information systems.
The service interruptions not only left employees unable to retrieve
e-mail and use other online services, but also raised concerns that
important information might be at risk. After re-evaluating its
security posture, Forsyth decided to add intrusion-detection tools to
provide another buffer of protection. In September, it implemented an
intrusion-detection technology product provided and remotely managed
by SecureWorks Inc. of Atlanta, Ga. Since then, Hanson said, "we have
not experienced any network downtime and the virus attacks have
stopped."
To install or not to install
Intrusion detection is a security-management system for computers and
networks, consisting of special software and sophisticated network
sensors. These systems, sometimes called IDS, usually are sold as a
package and used to monitor network activity. Information being
transmitted across computer networks is gathered and analyzed to
detect -- and where possible, prevent -- potential security breaches.
There are two basic types of intrusion detection: network-based and
host-based. Network-based systems examine each packet of information,
looking for protocol anomalies and known virus signatures. Host-based
systems, which are used for individual machines as opposed to
networks, read log files, look for inadvisable settings or passwords
and other potential policy violations.
Intrusion detection picks up where firewalls leave off. It can be
especially critical for enterprises that rely heavily on the Internet
to conduct business, said John Pescatore, research director for
Gartner Group in Stamford, Conn. "Firewalls do a good job of keeping
the 'bad guys' out. Once you start using inbound connections, like
e-business or remote access, you poke holes in that firewall.
Intrusion detection is a way to make sure that only the 'good guys'
remotely access your network."
The chief advantage of network-based systems is that IDS software
doesn't have to be installed on every server, as is the case with
host-based systems, said Pescatore. "Software installation on
individual machines can be horrendously expensive, but keeping the
software live, or running constantly, is even more costly."
When alarms have sounded
It's not unheard of for enterprises to cobble together intrusion
detection using network- and host-based systems in conjunction.
"Generally our advice is to start with network-based IDS at the trust
boundaries, like your connections to the Internet or connections to
business partners," said Pescatore. "The biggest reason (to start
small) is that it takes a lot of work to monitor intrusion detection,
especially when you first get started."
Indeed, adding intrusion detection can be like "getting a Christmas
puppy," said Pete Lindstrom, director of security strategies for
Hurwitz Group of Framingham, Mass. "It sounds like a wonderful idea,
until you go and visit your in-laws and you come back to find it's
peed in the corner and torn up your couch."
Adding intrusion detection may necessitate hiring new IT
professionals and almost certainly will require loads of
administrative attention. "Intrusion detection requires care and
feeding. You have to watch it," added Lindstrom.
The biggest management headache is separating true threats from false
alarms. This is similar to a smoke detector that sounds an alarm even
when there is no fire. Eventually, you'll either turn it off or
ignore it altogether. "It's the same with IDS. If it's signaling an
intrusion and it turns out that's just the way your system works
normally, then it's going to cause you a lot of work just finding the
false alarms," Pescatore said.
Your IT staff may have to tune intrusion-detection sensors several
times to reject false alarms. Also, should you later make changes to
your network, such as moving to Windows NT from NetWare, the tuning
will change and have to be reset.
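The two passages above describe host-based detection (reading log files for policy violations) and the tuning that separates true threats from false alarms. The following is an added example, not code from the article or from any vendor it names: a small host-based log scanner with signature rules, run once untuned and once with a suppression that an analyst has added for behaviour verified as normal on the host. The log lines, host name "web01", addresses, account names and rule names are all constructed for the illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample host log lines (syslog-style, hypothetical host "web01").
# Lines 1-3: repeated root login failures from one outside address.
# Lines 4-5: a backup job's service account failing with stale credentials,
#            which on this host is "just the way the system works normally".
# Line 6:   a normal key-based login.
# Line 7:   a sudo policy violation.
SAMPLE_LOGS = [
    "Jan 12 03:01:07 web01 sshd[411]: Failed password for root from 198.51.100.7 port 5221 ssh2",
    "Jan 12 03:01:09 web01 sshd[411]: Failed password for root from 198.51.100.7 port 5222 ssh2",
    "Jan 12 03:01:11 web01 sshd[411]: Failed password for root from 198.51.100.7 port 5223 ssh2",
    "Jan 12 03:05:00 web01 sshd[902]: Failed password for svc_backup from 10.0.0.5 port 40112 ssh2",
    "Jan 12 03:05:01 web01 sshd[902]: Failed password for svc_backup from 10.0.0.5 port 40113 ssh2",
    "Jan 12 03:10:00 web01 sshd[415]: Accepted publickey for deploy from 10.0.0.9 port 50001 ssh2",
    "Jan 12 03:12:44 web01 sudo: www-data : user NOT in sudoers ; TTY=pts/0 ; COMMAND=/bin/sh",
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Alert:
    rule: str
    line: str


# Signature rules, in the spirit of a host-based IDS reading log files.
RULES = [
    Rule("ssh-auth-failure",
         re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    Rule("sudo-policy-violation", re.compile(r"user NOT in sudoers")),
]

# Tuning: per-rule exceptions for behaviour an analyst has verified as normal.
# The key is the rule name; each pattern suppresses matching lines for that rule.
# Keeping suppressions narrow (account AND source address) avoids silencing
# a real attack that happens to use the same account from elsewhere.
TUNED_SUPPRESSIONS = {
    "ssh-auth-failure": [re.compile(r"for svc_backup from 10\.0\.0\.5 ")],
}


def scan(lines, rules=RULES, suppressions=None):
    """Match every line against every rule; drop matches covered by a suppression."""
    suppressions = suppressions or {}
    alerts = []
    for line in lines:
        for rule in rules:
            if not rule.pattern.search(line):
                continue
            if any(s.search(line) for s in suppressions.get(rule.name, ())):
                continue
            alerts.append(Alert(rule.name, line))
    return alerts


def alerts_per_rule(alerts):
    """Count alerts by rule name (the raw alarm volume an analyst would see)."""
    return dict(Counter(a.rule for a in alerts))


def failures_per_source(alerts, rule=RULES[0]):
    """Aggregate ssh failures by source address: one finding per source, not per line."""
    sources = Counter()
    for a in alerts:
        if a.rule != rule.name:
            continue
        match = rule.pattern.search(a.line)
        sources[match.group("src")] += 1
    return dict(sources)


if __name__ == "__main__":
    untuned = scan(SAMPLE_LOGS)
    tuned = scan(SAMPLE_LOGS, suppressions=TUNED_SUPPRESSIONS)
    print("untuned:", alerts_per_rule(untuned), failures_per_source(untuned))
    print("tuned:  ", alerts_per_rule(tuned), failures_per_source(tuned))
```

Untuned, the scanner raises six alerts, two of them from the backup job's own login failures; with the suppression in place it raises four, and the per-source view reduces the three root failures to a single finding against one address. The suppression is deliberately tied to both the account and the source address, which is the kind of narrow exception that has to be revisited whenever the host or network changes, as the article notes.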
Not one size fits all
"The first thing I would be concerned with is where I need intrusion
detection: Do I need it at the application level or at the network
level? Am I worried about what's happening inside, or simply at the
edge of my network?" said Eric Hemmendinger, an information security
analyst with Aberdeen Group of Boston.
Despite the administrative costs and management burden, sales of IDS
software licenses suggest the technology is gaining steam with users.
Gartner Dataquest says U.S. licensing revenue will grow 32% in 2002
to $249 million. By 2004, revenue is forecast to approach $358
million in the U.S.
Costs for these systems can vary wildly, which makes it difficult to
establish firm pricing benchmarks for comparing similar products. A
handful of large vendors -- Computer Associates, ISS,
Symantec Corp., Network Associates -- provide customized IDS, mostly
to larger enterprises. Small to midsize enterprises frequently turn
to off-the-shelf applications. "You have some companies like ISS --
all they sell is intrusion detection. They can't really discount very
steeply," said Pescatore. "You have (other) companies like Cisco,
which sells many things, and they could decide, 'Hey, we're selling
this company $10 million of switching equipment, we'll give them a
big discount on intrusion detection.' So it's not unusual to see a
range of two to one in pricing."
Regardless of your company's size, it's important to first do a
security audit to assess your network's vulnerabilities, said
Lindstrom. "You need to know what information you want to protect and
the network paths people use to access that data. Then you need to
deploy your resources to protect the data."
Garry Kranz is a freelance business and technology writer based in
Richmond, Va.