FEATURE
Intrusion Detection, Take Two
November 15, 1999
By Greg Shipley
Our second look at intrusion-detection systems shows that a combination of network-based and host-based technologies is a promising strategy. But is it ready to safeguard your network?
You are the head network administrator. You oversee the deployment and maintenance of all production Unix, NT and NetWare servers, firewalls, routers and infrastructure equipment. Your staff is above average in technical skill, and upper management has firmly committed to maintaining a secure environment. You keep your organization current with OS patch levels, and you do your best to stay on top of security-related warnings. And yet, somehow you still find yourself staring down the barrel of a gun--the skills of an aggressive intruder.
Many put their trust in firewalls, which can fall woefully short. Some rely on the system administrator's ability to "lock down" essential servers. Others turn to predefined security policies and procedures, but ignore the gaps left by evolving technologies. A select few have the insight to wed policies and procedures with technology-based security solutions.
For most organizations, a combination of these approaches can address a fairly comprehensive set of vulnerabilities. However, they still miss some facets of network security: timely incident ID, event correlation, secure audit trails for forensic analysis and automated response. This is where intrusion-detection systems (IDS) show their value.
The vision is appealing: a deployed set of distributed systems that spot, identify and alert security administrators to active attacks in real time. Unfortunately, it's easier to dream about than to implement. Current IDS products are valuable tools, but they do not deliver on the marketing hype that frequently surrounds them. We first tested network-based IDS earlier this year (see "ISS RealSecure Pushes Past Newer IDS Players," www.networkcomputing.com/1010/1010r1.html) without looking at their host-based counterparts. This time, we piled on host- and network-based systems: Axent Technologies' Intruder Alert and NetProwler, Cisco Systems' Cisco Secure Intrusion Detection System/NetRanger, CyberSafe's Centrax 2.2, Internet Security Systems' RealSecure 3.2, Network Flight Recorder's NFR Intrusion Detection Appliance 4.0, Network Ice's BlackIce Defender and Enterprise Icepac 1.0, and Network Security Wizards' Dragon IDS.
Network vs. Host
Network-based IDS products are built on the wiretapping concept: A sensor-like device tries to examine every frame that goes by. These sensors apply predefined rule sets or attack "signatures" to the captured frames to identify hostile traffic. Essentially, network-based IDS sensors are glorified packet-sniffers with built-in smarts.
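The sensor model described above, reduced to its essentials, as an added example (not code from any product reviewed here): it decodes raw IPv4/TCP packets (Ethernet header assumed already stripped), applies a small, illustrative signature set of destination-port plus payload-pattern rules, and raises an alert per match. The packet builder only exists so the sensor can be exercised offline.

```python
"""Minimal network-based IDS sensor: decode raw IPv4/TCP packets and apply
attack signatures (destination port + payload pattern). Added example;
not code from any product reviewed in the article."""
import re
import struct
from typing import NamedTuple

class Signature(NamedTuple):
    name: str
    dst_port: int
    pattern: re.Pattern  # compiled regex applied to the TCP payload

# Toy signature set; illustrative rules, not a vendor's signature database.
SIGNATURES = [
    Signature("HTTP directory traversal", 80, re.compile(rb"\.\./\.\./")),
    Signature("SMTP VRFY probe", 25, re.compile(rb"^VRFY ", re.M)),
]

def decode_ipv4_tcp(frame):
    """Return (src_ip, dst_ip, dst_port, payload), or None if not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4                 # IP header length in bytes
    if frame[9] != 6 or len(frame) < ihl + 20:  # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    _, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    data_off = (frame[ihl + 12] >> 4) * 4       # TCP header length in bytes
    return src, dst, dst_port, frame[ihl + data_off:]

def inspect(frame):
    """Apply every signature to one packet; return the alerts it raises."""
    decoded = decode_ipv4_tcp(frame)
    if decoded is None:
        return []
    src, dst, dst_port, payload = decoded
    return [f"{sig.name} from {src} to {dst}:{dst_port}"
            for sig in SIGNATURES
            if sig.dst_port == dst_port and sig.pattern.search(payload)]

def build_packet(src, dst, dst_port, payload):
    """Construct a bare IPv4+TCP packet (checksums left zero) for offline tests."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload
```

Note that a signature only fires on the exact byte pattern it encodes, which is the limitation the next paragraph describes: anything not in the rule set passes silently.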
The network-based intrusion-detection approach has its share of problems. For starters, it doesn't scale well. Network-based IDS has struggled to keep up at 100 Mbps; now, gigabit speeds are creeping into the enterprise, leaving these sensors in the dust. And network-based systems are based on predefined attack signatures--signatures that will always be a step behind the latest underground exploits. Worse, the IDS vendors haven't caught up with all known attacks, and signature updates are a far cry from the timeliness the antivirus community enjoys.
Still, network-based systems enjoy a few advantages. Perhaps their greatest asset is stealth: Network-based systems can be deployed in a nonintrusive manner, with no effect on existing systems or infrastructure. And most network-based systems are OS-independent: Deployed network-based intrusion-detection sensors will listen for all attacks, regardless of the destination OS type.
In contrast, the host-based systems primarily work off system, audit and event logs. Rather than identify bizarre packets running rampant on the wire, the host-based approach aims to identify known patterns of local or remote users doing things they shouldn't be.
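The log-driven approach just described, as an added example (not any reviewed product's code): a host-based check that parses constructed, syslog-like authentication records and flags the known pattern of several failed logins from one source followed by a successful one for the same user, using a sliding time window. The record format, field names and thresholds are assumptions for the example.

```python
"""Minimal host-based IDS check: scan an authentication log for a known
misuse pattern (repeated failures, then a success). Added example with
constructed log lines; not any reviewed product's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|ACCEPTED) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$")

# Constructed sample audit trail (syslog-like records with ISO timestamps).
SAMPLE_LOG = """\
1999-11-15T10:00:01 srv1 login: FAILED user=root from=10.9.8.7
1999-11-15T10:00:03 srv1 login: FAILED user=root from=10.9.8.7
1999-11-15T10:00:04 srv1 login: FAILED user=root from=10.9.8.7
1999-11-15T10:00:06 srv1 login: FAILED user=root from=10.9.8.7
1999-11-15T10:00:09 srv1 login: ACCEPTED user=root from=10.9.8.7
1999-11-15T10:05:00 srv1 login: FAILED user=alice from=10.1.1.2
1999-11-15T10:05:30 srv1 login: ACCEPTED user=alice from=10.1.1.2
"""

def detect_bruteforce(log_text, threshold=4, window=timedelta(minutes=2)):
    """Alert when at least `threshold` failures from one source within
    `window` precede a successful login for the same user."""
    failures = defaultdict(list)   # (src, user) -> recent failure times
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue               # skip records the parser does not know
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["user"])
        # keep only failures still inside the sliding window
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if m["result"] == "FAILED":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append(f"possible brute-force success: user={m['user']} "
                          f"from={m['src']} after {len(failures[key])} failures")
            failures[key].clear()
    return alerts
```

Because the check reads only the host's own log, it sees nothing on the wire, but it also needs no knowledge of packet formats, which is the trade-off between the two models.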
Vendors pushing the host-based model face problems, too. A significant hurdle, similar to that of any agent-based product, is portability. BlackIce and similar products run only on Win32-based platforms, and though some of the other host-based systems support a broader range of platforms, your favorite OS may not be on the list.
Although we found many of these IDS offerings incredibly useful, the hope of turning them loose on your network and having them take control is a pipe dream. Do these products detect most known attack patterns? Not by a long shot. Should they serve as your primary or even secondary line of defense? Absolutely not. Were we able to get by them undetected? Yes, in many cases. The technology is somewhere between moderately useful and highly recommended. That said, it's also true that IDS has come a long way, and it merits serious consideration.
In the end, there is no "best" solution. We gave RealSecure our Editor's Choice award because it performed the best overall in our tests, but Dragon and the NFR IDA perform a number of tricks RealSecure can't. Centrax may be the easiest to deploy, but BlackIce has some network-based checks that Centrax won't do. NetRanger will stay up in environments that will cause NetProwler to crash, but NetProwler has some features no other products offer.
Evaluate your network's needs and capabilities. If you can't draw on in-house Unix expertise, don't try Dragon. If you want a high level of customization, NFR may fit the bill. Define your goals, expertise and limitations, and your decision will be much easier.