FEATURE
The State of Security 2000
October 4, 1999

Intrusion-Detection Systems
Most are best suited for high-profile networks

The hype surrounding intrusion-detection technology has kicked off many debates. One of the newest technologies to hit the security space, intrusion-detection systems promise to turn the tables on break-in attempts, but currently deployed systems remain painfully immature. Fortunately, the technology and the organizations driving intrusion-detection efforts are making rapid advances.

The term intrusion detection is quickly attaining buzzword status: media and marketing vendors toss the phrase around at will. We've seen everything from Web log parsers to asset-management products passed off as intrusion detection. Our advice? If you're considering an intrusion-detection investment, be sure you know what you're getting before you make the financial commitment. For clarity's sake, we define intrusion-detection products as applications that actively monitor operating systems and network traffic for attacks and security breaches.
Intrusion-detection systems can give administrators a leg up in the fight against intruders. By keeping an eye on targeted systems and networks, these products can identify, in real time, when an attack is taking place. This gives the administrator the opportunity to react to the attack, or possibly even stop it; it beats receiving a 4 a.m. phone call saying the Web site looks a little different. In many cases the cost of an intrusion-detection system can be justified for its forensic value alone: if a system is compromised and its own logs are tainted, the intrusion-detection system's logs may save administrators days of digging.

There are two approaches to intrusion-detection technology: host-based systems, which use agents, and network-based systems, which use passive monitors. Host-based systems are deployed in the same manner as virus scanners or network-management solutions: an agent is installed on every server and a management console is used for reporting. Network-based systems are a bit different. They use a sensor-console architecture and usually are completely passive: the sensors sniff the wire, comparing live traffic against an internal list of attack signatures. Both are capable of reacting when an attack is identified.

Each approach has strengths and weaknesses. Network-based systems are unobtrusive and platform-independent, and they can be deployed with little or no impact on production networks. However, they have some big hurdles to overcome. The technology depends on the sensor's ability to see all network traffic, which makes life in a switched environment difficult: a switch forwards each port only its own traffic, so you must configure port mirroring (a SPAN port) to copy the traffic you care about to the sensor. Most network-based systems can't handle a saturated 100-Mbps line, much less gigabit speeds, and any packet the sensor drops under load is an attack it never sees. Host-based systems don't have bandwidth issues, but they can only recognize attacks performed on machines running their agents.
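To make the sensor side of the sensor-console model concrete, here is an added example (not code from the article or from any IDS product it names) of two kinds of logic a network sensor can run over the packets it sniffs: a signature pass that compares each payload against a fixed list of patterns, and a simple statistical profile that flags a source touching an unusual number of ports on one host. The packet records, the three signature patterns and the five-port baseline are all constructed for the example; the patterns are illustrative and are not any vendor's signature database.

```python
"""Network-sensor logic: signature matching next to a simple statistical profile.

Added example; not code from the article or from any IDS product it names.
The packets are constructed to stand in for traffic a passive sensor would
sniff off the wire or a mirrored switch port.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature list: (name, destination port or None for any port, payload pattern).
# Illustrative patterns only, not any vendor's signature database.
SIGNATURES = [
    ("phf-cgi-probe", 80, re.compile(rb"GET /cgi-bin/phf\b")),
    ("ftp-site-exec", 21, re.compile(rb"(?i)^SITE EXEC\b")),
    ("nop-sled", None, re.compile(rb"\x90{16,}")),  # run of x86 NOPs ahead of shellcode
]

# Constructed traffic: one benign request, three attacks the list knows, one CGI
# probe it does not know, and a port sweep with no payload to match at all.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
    Packet("198.51.100.7", "192.0.2.11", 21, b"SITE EXEC %p%p%p%p\r\n"),
    Packet("198.51.100.7", "192.0.2.10", 80, b"GET /cgi-bin/test-cgi?* HTTP/1.0\r\n"),
    Packet("203.0.113.9", "192.0.2.12", 143, b"A001 LOGIN " + b"\x90" * 32 + b"\r\n"),
] + [Packet("203.0.113.44", "192.0.2.10", p, b"") for p in (21, 22, 23, 25, 80, 110, 111, 143)]


def match_signatures(pkt):
    """Names of every signature the packet matches; empty when the list knows nothing about it."""
    return [name for name, port, pattern in SIGNATURES
            if (port is None or pkt.dport == port) and pattern.search(pkt.payload)]


def run_signature_sensor(packets):
    """Signature pass: one alert per (signature, packet) hit. Unknown attacks produce nothing."""
    return [(name, pkt.src, pkt.dst, pkt.dport)
            for pkt in packets for name in match_signatures(pkt)]


def run_profile_sensor(packets, max_ports_per_src=5):
    """Statistical pass: count distinct destination ports each source touches on a host.
    The five-port baseline is an assumption for the example; a real profile would be
    learned from the site's own traffic. No payload is needed, so this catches the
    sweep that the signature list has no entry for."""
    ports = defaultdict(set)
    for pkt in packets:
        ports[(pkt.src, pkt.dst)].add(pkt.dport)
    return [(src, dst, len(seen)) for (src, dst), seen in sorted(ports.items())
            if len(seen) > max_ports_per_src]


if __name__ == "__main__":
    for alert in run_signature_sensor(SAMPLE_TRAFFIC):
        print("signature:", *alert)
    for src, dst, n in run_profile_sensor(SAMPLE_TRAFFIC):
        print(f"profile: {src} touched {n} ports on {dst}")
```

Run as-is, the signature pass reports the phf probe, the FTP SITE EXEC attempt and the NOP sled, stays silent on the test-cgi probe because no pattern covers it, and says nothing about the sweep; the profile pass flags the sweep from the port counts alone. That is the trade the article describes: signatures are precise but only as good as the list, and a profile needs a baseline but does not need to have seen the attack before.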
Host-based coverage has its own gap: if some of your servers run an operating system the vendor's agent doesn't support, you are right back where you started. On the other hand, host-based systems offer a few services beyond what network-based systems can do, including binary integrity checking, log parsing and shutdown of illegal processes.

Finally, a universal problem for both host- and network-based solutions is that most intrusion-detection systems look only for known attack types. With the exception of ODS Networks' CMDS, which performs some statistical profiling (operational-based intrusion detection) of network activity, if the system doesn't have a predefined signature for an attack, it won't catch it. In this sense intrusion-detection systems share the limitations of vulnerability-assessment tools: both can be beaten by newer attacks that aren't in their internal databases, and both miss more advanced attacks that never match a signature at all. If you don't keep up with current alerts and hotfixes, the system will be at a disadvantage.

There has been a fair amount of change since our most recent tests of network-based intrusion detection (see "ISS RealSecure Pushes Past Newer IDS Players" at www.networkcomputing.com/1010/1010r1.html). Cisco Systems is shipping customized builds of IOS with integrated intrusion-detection technology. NFR has overcome some of its shortcomings with specific operating systems by creating an NFR network appliance. Axent Technologies completely overhauled its network-based product, now known as NetProwler, in a much-improved revision. And Network Security Wizards' Dragon, a newcomer, holds some promise of keeping up at very high speeds (greater than 100 Mbps) while still maintaining a simple architecture.

Intrusion-detection systems are fine additions to the security arsenal, but they will not win the war for you. If you have high-availability or high-profile networks, the technology could be very valuable.
If you're still struggling with policy, procedures and host lockdowns, hold off on intrusion detection and cover the basics first. --Greg Shipley
The overwhelming advantage of intrusion-detection products is that they give administrators a real-time view of what is really transpiring on the network. Without active monitoring, many sites are flying blind. Few people check their system logs, and those who do usually aren't looking at them in real time. Worse, very few organizations have secure logging mechanisms in place: if a host is compromised at the root or administrator level, its logs are wide open to log-cleansing, and the intruder can edit or delete the very records that show how they got in. You then face a slew of potential nightmares, with little knowledge of how the intruders got in, what they did or how far they got.
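One way to keep a root-level intruder from silently cleansing a host's log, as an added example that is not code from the article or from any product it describes: chain each record to the one before it by hash, and ship the newest hash off the host. The events below are constructed, and the `remote_anchors` list is a stand-in for an IDS console or loghost that the compromised host cannot reach. The example also shows the part a chain alone does not cover: an intruder with root can drop a record and re-link everything after it so the file still verifies by itself, and only the off-host anchor exposes that.

```python
"""Tamper-evident host logging: hash-chained records plus an off-host anchor.

Added example; not code from the article or from any product it names.
Each record carries the SHA-256 of the record before it, so editing or dropping
a line breaks the chain. Root can still rewrite the whole file consistently,
which is why the newest hash is also sent off the host: `remote_anchors` below
is a constructed stand-in for an IDS console or loghost the intruder cannot reach.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # hash value that precedes the first record


def _digest(prev_hash, entry):
    # Canonical JSON so the hash doesn't depend on dict key order.
    data = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


class ChainedLog:
    """Append-only log; each record links to the previous one by hash."""

    def __init__(self):
        self.records = []          # {"prev": ..., "entry": ..., "hash": ...}
        self.remote_anchors = []   # stand-in for chain heads shipped to the loghost

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        h = _digest(prev, entry)
        self.records.append({"prev": prev, "entry": entry, "hash": h})
        self.remote_anchors.append(h)  # report the new chain head off-host
        return h


def verify(records, anchor=None):
    """Recompute the chain. Returns (ok, index of the first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or _digest(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        # Internally consistent but not the head the loghost saw: truncated or rewritten.
        return False, len(records)
    return True, None


def rebuild_without(records, index):
    """What a careful intruder with root does: drop one record and re-link the rest so
    the file still verifies on its own. Only the off-host anchor exposes this."""
    out, prev = [], GENESIS
    for i, rec in enumerate(records):
        if i == index:
            continue
        h = _digest(prev, rec["entry"])
        out.append({"prev": prev, "entry": rec["entry"], "hash": h})
        prev = h
    return out


# Constructed events for the example.
SAMPLE_EVENTS = [
    {"ts": "1999-10-04T03:58:11", "host": "www1", "msg": "sshd: failed password for root from 198.51.100.7"},
    {"ts": "1999-10-04T03:58:40", "host": "www1", "msg": "sshd: failed password for root from 198.51.100.7"},
    {"ts": "1999-10-04T03:59:02", "host": "www1", "msg": "sshd: accepted password for root from 198.51.100.7"},
    {"ts": "1999-10-04T04:01:15", "host": "www1", "msg": "httpd: index.html replaced by uid 0"},
]


def demo():
    """Returns verify() results for: the honest log, a log with one record edited in
    place, a re-chained log checked without the anchor, and the same log checked with it."""
    log = ChainedLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    anchor = log.remote_anchors[-1]

    edited = copy.deepcopy(log.records)
    edited[1]["entry"]["msg"] = "sshd: connection closed by 198.51.100.7"  # crude log-cleansing

    rechained = rebuild_without(log.records, 2)  # remove the successful root login

    return (verify(log.records, anchor), verify(edited, anchor),
            verify(rechained), verify(rechained, anchor))


if __name__ == "__main__":
    labels = ("honest", "edited in place", "re-chained, no anchor", "re-chained, with anchor")
    for label, result in zip(labels, demo()):
        print(f"{label}: {result}")
```

The in-place edit fails at the edited record, because its stored hash no longer matches its contents. The re-chained file passes on its own, which is exactly why the chain head must leave the host as each record is written: checked against the anchor, the rewritten file fails at the end, where the head the loghost holds does not appear. In practice the anchor goes out the same way the article's intrusion-detection logs do, to a console the intruder does not control.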