Intrusion detection systems can work, but they require time and money

BY D.F. TWENEY

ARKANSAS STATE UNIVERSITY is asking for trouble. The school is in the midst of a major network upgrade that will eventually bring gigabit-speed network capacity to every dorm room and office on campus—making the network a tempting playground for hackers, says Greg Williamson, associate director of information and technology services at the Jonesboro, Ark., university.

For Williamson, a network intrusion detection system (IDS) from Cisco is the key to staying on top of the network—and its potential abuses. Whenever one of the IDS’s sensors spots a potential security threat—a virus, say, or an impending hacker attack—it notifies a central management console. If the threat is serious enough, the system automatically pages IT staff, who can deal with the attack by shutting off access, reconfiguring systems, and even identifying a hacker’s dorm room and calling campus security.

IDS—What Is It?
Like Arkansas State, many organizations are finding that firewalls, antivirus software and user authentication policies aren’t enough to keep networks safe. That explains the growing market for intrusion detection technology from established vendors such as Cisco Systems, Enterasys Networks and Internet Security Systems; new players including IntruVert, OneSecure and Recourse Technologies (Recourse was recently purchased by Symantec); and even the open-source IDS known as Snort.

In its simplest form, an intrusion detection system identifies and records potential security threats—such as someone scanning server ports or making repeated attempts to log in using random passwords. As such, it’s not a replacement for other security measures. “An IDS is like the video camera in a convenience store or a bank,” says Stuart McClure, president and CTO of security consultancy Foundstone in Mission Viejo, Calif. A video camera doesn’t replace the locks on the door or the safe, but if someone breaks through those security measures, the camera provides a record that can help nab the perpetrators and buttress the security system against future attacks.

Intrusion detection systems work in a number of ways. A network-based IDS relies on network sensors that monitor packets as they go by. Typically, a network-based IDS comprises sensors at network entry points (alongside a firewall, for instance) or at the boundaries between subnets with different security levels (such as between your LAN and your data center).

A host-based IDS, by contrast, monitors activity on specific servers or mainframe hosts by keeping an eye on the integrity of critical files, or by monitoring specific operating system events (such as suspicious error messages or unusual server processes).

Similar to virus scanners, network- and host-based IDS solutions also frequently make use of signature scanning, looking for unique data fingerprints that identify certain types of attacks.

The weakness of this approach is that signatures must be constantly updated to keep pace with the ever-evolving techniques of hackers. To address this shortcoming, some intrusion detection systems look for any network activity that lies outside a certain prescribed range of “safe” activities, an approach known as anomaly detection.

The problem with all intrusion detection systems is that they are not, and probably never will be, plug-and-play. Unlike firewalls, most intrusion detection systems require considerable technical smarts to set up and configure properly.

But the biggest management problem is the alarms. Every IDS, by its nature, generates alarms whenever it detects something that looks like suspicious activity. But every network is different, and computers aren’t very good at telling the difference between, say, the “I Love You” e-mail virus and an e-mail message from your systems administrator that is merely warning you about the virus. As a result, most intrusion detection systems err on the side of caution. Consequently, they generate lots of false alarms—as many as thousands per day in extreme cases.

“There’s a tendency by IDS vendors to show that their products work,” says Lloyd Hession, chief security officer for Radianz, a New York City-based provider of IP network services to the financial industry. Hapless IT managers are then faced with a “massive overload of information,” Hession says. Every one of those alarms is potentially something that your security staff will have to evaluate to determine whether it’s a legitimate use of your network or a hostile attack.

Over time, the staff that monitors your IDS will learn both how to sort real attacks from false alarms and how to tune the IDS to reduce false alarms. Arkansas State’s Williamson says his staff initially got paged by their IDS 30 to 40 times per day, but after the system had been running for a few months, the number dropped to just two or three per day. “It can take six months to tune an IDS to the point where you’ve eliminated false positives,” says Michael Rasmussen, director of research in information security for Cambridge, Mass.-based Giga Information Group.
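As an added example (not from the article or from any vendor named in it), here is a minimal sketch of the two detection approaches described above, signature matching and anomaly detection, run over a constructed sensor log; the suppression list stands in for the tuning that cuts false alarms such as the administrator’s warning e-mail about the virus. The log format, host addresses, signature pattern and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sensor log (assumed format): (source host, event line).
LOG = [
    ("10.0.0.5", "smtp subject=ILOVEYOU"),
    ("10.0.0.2", "smtp subject=Warning: do not open the ILOVEYOU mail"),  # sysadmin notice
    ("10.0.0.7", "tcp syn dport=21"),
    ("10.0.0.7", "tcp syn dport=22"),
    ("10.0.0.7", "tcp syn dport=23"),
    ("10.0.0.7", "tcp syn dport=25"),
    ("10.0.0.7", "tcp syn dport=80"),
    ("10.0.0.8", "tcp syn dport=80"),
    ("10.0.0.9", "ssh login failed user=root"),
    ("10.0.0.9", "ssh login failed user=admin"),
    ("10.0.0.9", "ssh login failed user=guest"),
    ("10.0.0.9", "ssh login failed user=test"),
]

# Signature rule: a fixed fingerprint for a known attack (assumed pattern).
SIGNATURES = {"ILOVEYOU worm": re.compile(r"subject=.*ILOVEYOU")}


def signature_alerts(log, signatures=SIGNATURES, suppress=frozenset()):
    """Match every event against every signature. `suppress` is the tuning
    step: hosts the analysts have cleared (e.g. the mail admin) stop alerting."""
    alerts = []
    for host, event in log:
        if host in suppress:
            continue
        for name, pattern in signatures.items():
            if pattern.search(event):
                alerts.append((name, host))
    return alerts


def anomaly_alerts(log, max_ports=3, max_failed_logins=3):
    """Flag hosts whose behaviour leaves the 'safe' range: too many distinct
    destination ports (a port scan) or too many failed logins (password guessing).
    No signature is needed, but thresholds set too low flood analysts with alarms."""
    ports, failures = defaultdict(set), defaultdict(int)
    for host, event in log:
        m = re.search(r"dport=(\d+)", event)
        if m:
            ports[host].add(int(m.group(1)))
        if "login failed" in event:
            failures[host] += 1
    alerts = [("port scan", h) for h, p in ports.items() if len(p) > max_ports]
    alerts += [("password guessing", h) for h, n in failures.items() if n > max_failed_logins]
    return alerts
```

Without the suppression entry the signature rule fires on both the worm and the administrator’s warning, which is exactly the false alarm the article describes; raising `max_ports` shows how a threshold trades missed scans for fewer alarms.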

The Vendor Hype
Naturally, IDS vendors aren’t sitting still. Relatively new IDS companies, such as OneSecure and IntruVert, are combining signature- and anomaly-based intrusion detection techniques to increase the intelligence of their systems and even block attacks as they happen, rather than simply alerting the IT staff to the presence of attacks. Other vendors, such as ForeScout, use statistical analysis of your network’s normal traffic to automatically identify anomalous packets—a sort of self-tuning IDS. Still others, such as TippingPoint Technologies and Sourcefire, are throwing hardware at the problem, building very fast, optimized IDS appliances that can analyze network traffic at much higher speeds (and with more complicated signature detection algorithms) than ordinary servers running IDS software can. Finally, the market leaders, including ISS and Cisco, continue to hone their offerings to improve manageability and the intelligence of their network sensors.

But all those advances won’t eliminate the need for human intervention. “I don’t think organizations are willing to take the risk and liability of having a tool make [the decisions] for them,” says Julia H. Allen, a senior member of the technical staff in the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. “There’s always going to be some human oversight in that process.”

Others agree. “Intrusion detection is extremely high maintenance,” says Bruce Larson, a system vice president and director of special network operations for San Diego-based SAIC International (he designs and deploys network security architectures for SAIC clients, including several government agencies and utilities). He estimates that you need at least one full-time network engineer to monitor and tune an IDS—or about $150,000 in fully loaded annual salary costs.

One alternative: Outsource IDS management to a managed services company such as Counterpane Internet Security, whose employees will screen IDS alarms and forward only the most significant alerts to your IT staff, in return for monthly fees of $7,000 to $12,000.

How to Make IDS Work
But outsourced or not, intrusion detection systems are expensive: Appliances can run to $15,000 or more apiece; full-blown systems may cost $100,000 or more. Add staffing support, and an IDS represents a significant investment (not to mention a management headache). That’s one reason the IDS market is still so much smaller than the firewall market, according to Jeff Wilson, executive director at San Jose, Calif.-based Infonetics, a market researcher and consultancy. The other is that it’s so hard to manage: “The IDS market isn’t that useful yet, and you have to sort through mounds of data to get anything useful out of it,” he says.

On the other hand, if you have valuable assets to protect, you may have no option but to deploy an IDS. Auditors often require IDS technology before they will certify a company’s network as being adequately secured, particularly in highly regulated industries such as financial services and health care. Apart from regulatory requirements, deciding whether to buy an IDS is a matter of risk analysis. “You have to look at the whole solution space and ask, What am I trying to protect, what do I need, and what can I afford?” says CERT’s Allen.

But deploying an IDS is no cakewalk. According to Rasmussen, most companies’ IDS deployments are doomed from the start. “Only one in four IDS implementations has any chance of success, and only one in 10 will be truly successful,” says Rasmussen, citing issues around the problem of false positives, lack of adequate staffing and the failure of many organizations to put their IDS in the context of an overall security management process.

In other words, your IDS is merely one tool among many for securing your network. Layering multiple security measures together is part of the well-balanced “defense in depth” strategy recommended by many security pros. Allen suggests that IT executives consider adding the following components to their security strategy: network-based intrusion detection sensors, host-based intrusion detection, a central reporting and monitoring console for IDS alerts and other network messages, firewalls, log file analysis and strong user authentication.

The key is making sure that you have adequate processes in place to manage the data generated by your IDS and to respond accordingly. “The IDS is only as good as the people watching the IDS,” says Foundstone’s McClure. “If you’re not going to monitor it, you might as well buy a $50,000 doorstop.” Rasmussen recommends that any IDS implementation should include clear processes for responding to alarms, policies governing network maintenance issues (such as IDS signature updates and operating system patches) and continued education of your network security staff.

Rasmussen also recommends starting small, with one or two IDS sensors at critical points on your network. That will make your IDS deployment small enough to be manageable, and give your network engineers time to learn the system and to tune it without getting swamped by thousands of alarms.

For his part, Williamson chose to test Arkansas State’s IDS in midspring, when network traffic was low, giving his engineers several months to get settled before activity picked up again when classes began in the fall. And he’s already starting to think of other uses for the IDS. They can adjust it to look for almost any type of network abuse, such as prohibited file-trading software. “If you wanted to, you could shut almost anything down,” says Williamson. Not that he’s taking such a draconian approach to network management—but the IDS is a powerful lens with which to keep an eye on network problems, and that is clearly a reassuring thought.

Freelance Writer D.F. Tweney (dylan@tweney.com) covers business technology and the Internet.