Along those lines, consider the classic religious war now dividing the field of information security, where proponents are squaring off over the merits of intrusion detection systems (IDSes) versus intrusion prevention systems (IPSes).
The struggle has been especially fierce since mid-2003, when a group of industry experts declared that IDSes would be killed off by the evolving superiority of IPSes. Rather than clearing the air, this proclamation only added to the general confusion, leading users to delay purchases, leave networks inadequately protected and suffer through abundant attacks.
Let's set the record straight.
IPS devices act as security checkpoints. A firewall at the gateway gives packets some basic screening on headers such as addresses and ports; an IPS interrogates them far more aggressively, looking into payloads and protocol behavior. The device isn't looking for every potential security threat. Rather, it's looking for known problems and blatantly suspicious behavior, where a match is confident enough to act on.
Packets that violate protocols or carry malicious payloads get dropped, no questions asked. To perform this task, IPS devices take an active role in the security infrastructure. They sit inline on corporate networks, making a forwarding decision about each packet the way routers and switches do. That is also why a bad signature costs more on an IPS than on an IDS: a false positive here blocks traffic instead of raising an alert.
Now, here comes the religious-war part. IPS bigots say today's threats need immediate attention and that IDSes are simply too passive to prevent attacks. They go on to say that IDS devices are also too paranoid. IDSes spit out thousands of false-positive alerts, they say, leaving the responsibility of finding the threat-related needles among the security alert haystacks to overburdened security personnel.
Hello? These devices are called intrusion detection systems because they were designed to detect, not prevent, malicious activity. Security cameras don't magically change into pit bulls when a thief appears. As for false-positive alerts, IDSes were engineered to be obsessive. Too many false positives, you say? Fine, tune the system: disable signatures for software you don't run, suppress alerts for known scanners and management hosts, and set thresholds that fit your traffic. Every environment is different, so you can't rely on default settings. This takes some work, but last time I checked, system tuning always does.
IDS zealots have their own brand of passionate rhetoric. They say IPS devices can slow the network, act as a single point of failure or block legitimate traffic. These objections have a legitimate basis, but current products address them. Today's IPSes are built on components fast enough to keep up with almost any network. To maintain availability, IPS devices can be clustered in high-availability pairs, and once again, system tuning is the key to blocking malicious code while waving legitimate traffic through.
IDS and IPS devices actually work best in tandem. The IPS device blocks known hostile code, while the IDS provides another set of eyes into real-time and historical security events. In other words, this isn't an "either...or" decision; implementing both IDS and IPS devices offers the highest level of security protection.
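To make the distinction concrete, here is an added example that is not from the column and does not model any vendor's product: one rule set run first as a detect-only sensor (IDS mode, everything is forwarded and matches become alerts) and then as an inline blocker (IPS mode, high-confidence matches are dropped), with a suppression entry standing in for the tuning the column keeps recommending. The rules, the addresses, the assumed ops jump host at 10.0.0.2 and the sample packets are all constructed for illustration.

```python
"""Toy inline inspection engine (added example, not the column's own code).

The same rules run in two modes:
  "detect"  (IDS-style): every packet is forwarded; matches raise alerts.
  "prevent" (IPS-style): packets matching a blocking rule are dropped.
Tuning is modelled as (rule name, source network) suppressions.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # "tcp" or "udp"
    dport: int
    flags: Set[str] = field(default_factory=set)  # TCP flag names
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    block: bool   # True: dropped in prevent mode; False: alert only, in either mode


# Protocol violation: SYN and FIN together never occur in a legitimate handshake.
def tcp_syn_fin(p: Packet) -> bool:
    return p.proto == "tcp" and {"SYN", "FIN"} <= p.flags


# Known-bad payload: a "../" sequence in an HTTP request line (directory traversal).
TRAVERSAL = re.compile(rb"^(GET|POST) \S*\.\./")


def http_traversal(p: Packet) -> bool:
    return p.proto == "tcp" and p.dport == 80 and TRAVERSAL.search(p.payload) is not None


# Suspicious but ambiguous on its own, hence alert-only: any telnet connection attempt.
def telnet_attempt(p: Packet) -> bool:
    return p.proto == "tcp" and p.dport == 23


RULES = [
    Rule("tcp_syn_fin", tcp_syn_fin, block=True),
    Rule("http_traversal", http_traversal, block=True),
    Rule("telnet_attempt", telnet_attempt, block=False),
]


class Inspector:
    """Runs the same rules as an IDS ("detect") or as an IPS ("prevent")."""

    def __init__(self, rules, mode="detect", suppress=()):
        if mode not in ("detect", "prevent"):
            raise ValueError(mode)
        self.rules = rules
        self.mode = mode
        # Tuning: alerts from these (rule, source network) pairs are known noise here.
        self.suppress = [(n, ipaddress.ip_network(net)) for n, net in suppress]
        self.alerts: List[Tuple[str, str]] = []

    def _suppressed(self, rule: Rule, p: Packet) -> bool:
        src = ipaddress.ip_address(p.src)
        return any(n == rule.name and src in net for n, net in self.suppress)

    def process(self, p: Packet) -> str:
        """Return "forward" or "drop" for one packet and record any alerts."""
        verdict = "forward"
        for rule in self.rules:
            if rule.match(p) and not self._suppressed(rule, p):
                self.alerts.append((rule.name, p.src))
                if self.mode == "prevent" and rule.block:
                    verdict = "drop"   # inline: the packet never reaches its destination
        return verdict


# Constructed sample traffic, not captured data. 10.0.0.2 is the assumed ops jump host.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, {"ACK", "PSH"}, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, {"SYN", "FIN"}),
    Packet("198.51.100.9", "192.0.2.10", "tcp", 80, {"ACK", "PSH"}, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    Packet("10.0.0.2", "192.0.2.20", "tcp", 23, {"SYN"}),
    Packet("198.51.100.7", "192.0.2.20", "tcp", 23, {"SYN"}),
]


def inspect_traffic(mode="detect", suppress=()):
    """Run SAMPLE through an Inspector; return (verdicts, alerts)."""
    insp = Inspector(RULES, mode, suppress)
    verdicts = [insp.process(p) for p in SAMPLE]
    return verdicts, insp.alerts


if __name__ == "__main__":
    tuned = (("telnet_attempt", "10.0.0.2/32"),)
    for mode, sup in [("detect", ()), ("prevent", ()), ("prevent", tuned)]:
        verdicts, alerts = inspect_traffic(mode, sup)
        print(mode, "tuned" if sup else "untuned", verdicts, alerts)
```

Note the `block=False` on the noisy telnet rule: the blocker only drops on the two high-confidence checks, while the ambiguous one is reported in both modes and left for a human, which is the division of labour the column describes. The suppression entry removes the jump host's telnet alert without touching the same alert from the outside address, so tuning narrows the haystack rather than switching the rule off.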
Companies make decisions based on business needs, and people who take a dogmatic position on technology issues probably aren't helping their employer. All they're doing is recruiting foot soldiers for a self-serving technology jihad.
Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.

Besides, everyone who is even remotely connected to the security industry knows that the real jihad is with/being led by Symbiot (http://www.symbiot.com).
IDS Vs. IPS has nothing on Local 2600 Vs. the Global Fortune 2000! :)
While those IT Security-savvy pros who work with IDS/IPS technologies understand the difference, it's rare that a Sr. Management CxO-type voices their requirements in such a straightforward manner (such as "please build me an I[DP]S system that catches all of the bad guys trying to attack our network").
More often than not, it takes a measured sense of what the enterprise, as a whole, requires to effectively integrate an IDS/IPS system into a layered-defense approach.
However, given the fact that most IDS/IPS systems are over-hyped as being the "throw-away-your-firewalls-we-have-the-answer" approach, most Sr. Execs walk away from too many trade shows with the thought of "gotta-get-me-one-o'-them-things" instead of "I'll ask my Sr. IT managers to evaluate our current need for something like that".
'Tis a sad but true state of affairs we're in.
As IT Security Professionals, it's up to us to help Sr. Management make informed decisions by providing them with an insight that they might not otherwise have.
...my 0.02