August 20, 2001
By Patrick Mueller and Greg Shipley
One word comes to mind when summing up our six months in the trenches testing the top intrusion-detection systems: schooled. Network Computing has covered the IDS industry since 1998 and has published many articles on the state of the scene, polishing and perfecting our methodologies and evaluation criteria along the way. But when we decided to take our show on the road, partner with DePaul University in Chicago and deploy 10 commercial IDSes to guard 10,000-plus live hosts, we found ourselves back in kindergarten. Unprepared is an understatement. Six months later, we're alive, but barely.
The intrusion-detection market is hot right now, with many large enterprise environments piloting IDS programs. It's so hot, in fact, that IDC says the industry is enjoying a 50 percent growth rate, and managed security service providers are coming out of the woodwork. Meanwhile, even as buyouts and fallouts shape the playing field, our reader surveys put interest in IDS above other security technologies, and spending is on the rise as well (see poll results). To add to the upheaval, after companies overcome their IDS deployment headaches, they are hit by the wave of maintenance nausea that soon follows. Obviously, the case for outsourcing some of this IDS pain is getting more and more compelling (see "The Great IDS Outsourcing Debate").
With all this industry buzz, growth and money, you might think that IDS products are ready for prime time. In reality, the technology can be useful, but it's still far from mature. There are problems with signature-release timeliness. Few products can manage large amounts of data, and those that can have a tendency to overwhelm their operators. Cisco Systems and Enterasys Networks are the only providers building extremely scalable solutions. Vendors have begun addressing aggregation issues, but few have products that are useful in correlating data for high-level decision-making. (Will the situation improve anytime soon? See "The Future of IDS").
You will, however, benefit from a successful deployment. IDSes can offer a granular level of detail not achieved by basic perimeter devices and can let you keep a tighter watch on critical machines. IDSes can serve as early warning systems on impending attacks and even reduce the response times to successful attacks. They can also generate enough attack-trending data to torque the head of even the most smug CIO. Much of the activity on the Internet is truly terrifying, and today's IDSes can give you a pathway to tangible reports.
Smart IT managers in large enterprises will use NIDSes (network IDSes) to help them identify trends, basic attacks, weak systems on their networks and rogue users. Today's NIDS products generally won't stop intruders, but they can certainly help catch novice hackers and identify enterprise hot spots.
Our objective was to go beyond basic testing by using these systems to monitor and protect an enterprise-class environment. It seemed like a simple goal: Monitor the network, spot attackers and intruders, and try to stop or contain them. Unfortunately, simple was never part of the equation. We ran our IDSnet like a production network, and we have the scars to prove it. Sensors blew up. Consoles crashed. Databases got corrupted. Connectivity problems and synchronization issues hounded us. Hardware failed. Periods of information chaos and waves of rebooting hell ensued.
In the end, after we got to know the products intimately, it became obvious that intrusion detection is not a fire-and-forget technology. These systems require manpower to deploy, manpower to monitor and manpower to maintain. Managers take note: If you're budgeting for an IDS deployment, don't forget the human-resources aspect -- the right people are needed if the effort is to be successful (see "How We Tested Intrusion-Detection Systems"). In addition, organizations should understand how their IDS deployments are going to affect other aspects of IT. Is there a plan to integrate security operations with network operations? What happens when you spot something that appears to be a successful attack? Are there competent people to investigate security issues once they are identified?
There are even some non-IT issues that should be addressed, such as potential violations of privacy laws or possible breaches of HR policies. While deploying a NIDS device may seem cut and dried from a policy perspective, enabling signatures that log day-trading or job-searching activities may be more invasive than your organization is willing to tolerate. It might be wise to have a brief chat with the legal team before setting sail into dangerous waters (for more on privacy laws, see "Monitoring and Privacy: Is Your Head Still in the Sand?").
A Long, Strange Trip
During our six months of testing we attempted to address some of these process issues. The route we chose was to serve as an extension of DePaul's network team. By using the products to identify critical attacks, we were able to pass incident information to the network team, which in turn contacted systems administration teams for further investigation. While this strategy worked for us, it might not work for your organization. These are process issues that have very little to do with the actual technology but will certainly affect anyone looking to deploy an IDS solution. For these and many other reasons, we strongly recommend that large organizations launch an IDS pilot program before an enterprisewide deployment. Not only will a pilot program help flush out the technical issues, it will aid in discovering process flaws as well.
Can IDSes help protect your critical assets? Absolutely -- but make sure you know their limitations and how they will affect your organization. Intrusion-detection products are becoming better alarms, but they can't replace strong locks, hardened hosts, access control devices, defined procedures and enforced policies.