Variable detection and prevention is only way to let users in and keep intruders out, says Phil Cracknell
Intrusion detection software (IDS) first made a serious impression on the European security market in the late 1990s. As with vulnerability scanning products, how good it was depended on where it got its database from and how often it was updated.
IDS then languished for a few years with little variation. Improvements in alerting, refinements in detecting false positives and more enterprise scalability were the notable developments.
Then industry whispers started to question what benefit could be derived from knowing you had been attacked. It was better than having no system at all, but surely advanced notification was better? From this realisation, intrusion prevention software (IPS) was born.
IDS also faced problems as network switches became more advanced and more popular. Broadcast traffic ceased and network-based intrusion detection was now difficult, with port-spanning or mirroring of traffic the only solution. Host-based IDS was a simpler and easier to manage option.
IPS faces similar challenges, but progress should be quicker because the lessons learned from network IDS apply directly to network IPS.
Last year saw the first systems being developed. A step up from IDS, IPS presented the same challenges: how was it updated and who did the research? But of more concern was a new challenge: what if the IPS blocked a valid user?
Both IDS and IPS technologies present users with implementation, management and configuration issues. The question is, are they productive?
When I implemented IDS in 1998 on a live banking internet connection, it detected more than 100 attacks every day. But on closer examination 96 of these were false positives caused by a variety of non-attack communications. The system still faced four real attacks a day, but replace IDS with IPS and you would deny access to 96 valid users.
A good IPS would block only what it was absolutely certain was an attack - and that means allowing suspect but uncertain traffic through. That could prove to be a management headache - I would find it hard to convince senior management of the benefits at the moment.
My vision is for systems to revert to IDS principles for uncertain attacks and trigger an alert instead. The alert system should include escalation mechanisms that can intelligently promote suspect attacks to a higher level of notification or even prevention.
For clear, sustained attacks, blocking traffic is the order of the day. But responses are configurable and so suspect traffic can be delayed, diverted or simply trigger an alert. Variable response incorporating IDS and IPS is the future, and it has to have a new name:intrusion management software (IMS). You heard it here first.
Phil Cracknell is chief technology officer at IT security supplier NetSurity
This was first published in February 2005