



Intrusion Detection Should Be a Function, Not a Product

Aug 19, 2003
Topics: CSO and CISO; Data and Information Security

by John Pescatore, Richard Stiennon, and Anthony Allan, Gartner Research

A Flood of Questions

In “Hype Cycle for Information Security, 2003,” Gartner stated that “intrusion detection systems are a market failure. Vendors are now hyping intrusion prevention systems, which also have stalled. The functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities.” Although this statement was supported by recent research, it generated a barrage of questions from Gartner clients.

Should I simply not try to detect network intrusions?

You should continue to detect intrusions. However, you shouldn’t invest in stand-alone, network-based intrusion detection systems (IDSs). Network-based IDSs suffer from two major shortcomings:

  • Too many “false alarms” occur. Without extensive, continual tuning, network-based IDSs generate thousands of alerts for every actual attack detected.
  • They don’t work at wire speeds. Most network-based IDS products don’t detect attacks in real time, and they can’t handle the high speeds of internal networks.

The first shortcoming has caused enterprises to abandon their IDS investments, outsource monitoring to managed security service providers or invest in security management products to plow through false alarms to detect actionable events. The second shortcoming means that the IDS is purely reactive – it detects attacks that have already hit their targets by the time security staff responds to the alarm.

Have IDS vendors improved IDS accuracy and performance?

IDS vendors have slightly improved false-alarm performance compared to first-generation systems. However, there is a fundamental flaw in the vendors’ claim that they have solved the false-alarm problem and can run at wire speeds: if they can detect real attacks with high accuracy, and do so at wire speed, why just sound the alarm? Why not block the attack?

Although the false alarm and performance problems primarily have been associated with network-based IDSs, host-based IDSs also must move toward “more blocking, less alarming.”

Should I block network attacks if, by doing so, I risk disrupting legitimate traffic?

The two most widely used security products are firewalls and anti-virus products. Both block attacks. Because network-based IDSs have terrible reputations for producing false alarms, enterprises are unlikely to trust their IDS products to start blocking attacks. However, by 2006, most enterprises will perform intrusion detection as part of firewall processing with next-generation firewalls.

A next-generation firewall sorts traffic into three classes:

  • High-confidence normal traffic – allow to pass
  • High-confidence attack traffic – block
  • Unidentified traffic – log or alarm (intrusion detection)

Firewalls already perform this type of processing, although mostly at the network protocol level. Web application firewalls and other deep-packet-inspection-based products have begun to perform this processing at the application level. There have been enough advances in algorithms and high-speed network security processors to enable next-generation firewalls to perform network intrusion detection and blocking at all layers of the protocol stack. Mature products will ship in 2005.
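The three-class disposition described above, as an added example (not Gartner’s text or any vendor’s product code). It assumes a firewall that first applies a conventional network-level rule set, then runs high-confidence application-layer attack signatures, then checks whether the payload obeys the grammar of the service expected on that port; anything that is neither clearly good nor clearly bad passes but is logged, which is the intrusion detection role. The signatures, network rules and packets are constructed for the example.

```python
"""Three-class traffic disposition (allow / block / log) of the kind the
article expects next-generation firewalls to perform. Example code added to
this page, not Gartner's or any vendor's; rules, signatures and packets are
constructed for illustration."""
import re
from dataclasses import dataclass

ALLOW, BLOCK, LOG = "allow", "block", "log"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes   # first bytes of the application data


# Layer 3/4 policy, what a conventional firewall already enforces:
# (destination prefix, port) pairs that are permitted at all.
NETWORK_ALLOW = {("10.0.0.", 80), ("10.0.0.", 443), ("10.0.0.", 25)}

# High-confidence attack signatures for deep packet inspection (constructed).
ATTACK_SIGNATURES = [
    ("http-directory-traversal", re.compile(rb"(\.\./){2,}")),
    ("http-shell-metachar-injection", re.compile(rb"[;&|]\s*(cat|id|wget)\b")),
    ("smtp-vrfy-enumeration", re.compile(rb"^VRFY ", re.M)),
]

# High-confidence normal traffic: the payload obeys the grammar of the
# service that is supposed to be on that port.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) /\S* HTTP/1\.[01]\r\n")
TLS_HANDSHAKE_RECORD = b"\x16\x03"     # TLS record type 22 (handshake), version 3.x
SMTP_GREETING = (b"EHLO ", b"HELO ")


def classify(pkt):
    """Return (disposition, reason). Order matters: a known attack is blocked
    even when it is also syntactically valid for the protocol."""
    for name, sig in ATTACK_SIGNATURES:
        if sig.search(pkt.payload):
            return BLOCK, name
    if not any(pkt.dst.startswith(pfx) and pkt.dport == port
               for pfx, port in NETWORK_ALLOW):
        return BLOCK, "no-network-rule"
    if pkt.dport == 80 and HTTP_REQUEST_LINE.match(pkt.payload):
        return ALLOW, "well-formed-http"
    if pkt.dport == 443 and pkt.payload.startswith(TLS_HANDSHAKE_RECORD):
        return ALLOW, "tls-handshake"
    if pkt.dport == 25 and pkt.payload.startswith(SMTP_GREETING):
        return ALLOW, "well-formed-smtp"
    # Neither clearly good nor clearly bad: let it pass, but alarm.
    return LOG, "unidentified"


# Constructed sample traffic toward two hosts in the permitted 10.0.0.0/24 zone.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("192.0.2.11", "10.0.0.5", 80, b"GET /../../../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.12", "10.0.0.5", 80, b"\x00\x00\x00\x10not-http-at-all"),
    Packet("192.0.2.13", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_3.6\r\n"),
    Packet("192.0.2.14", "10.0.0.7", 25, b"EHLO mail.example.net\r\n"),
    Packet("192.0.2.15", "10.0.0.7", 25, b"VRFY root\r\nVRFY admin\r\n"),
    Packet("192.0.2.16", "10.0.0.5", 443, b"\x16\x03\x01\x00\x8b\x01\x00\x00\x87"),
]


def dispositions(packets=SAMPLE_PACKETS):
    """Classify each packet; returns a list of (disposition, reason)."""
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, dispositions()):
        print(f"{pkt.src:>12} -> {pkt.dst}:{pkt.dport:<4} {verdict:5} ({why})")
```

Note that the traversal request is a syntactically valid HTTP request line, so the signature check has to run before the grammar check or the packet would be waved through as “well-formed.” The binary payload on port 80 is the interesting case: nothing matches, so it becomes a logged event for an analyst rather than an automatic block, which is exactly the residual role the article leaves for intrusion detection.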

If I depend on the firewall for intrusion detection, isn’t that like saying that automobiles don’t need car alarms because the locks will keep out thieves?

If car alarms went off 10 times per minute and only issued real alarms two hours after the car was actually stolen, then we would say that car alarms were a market failure. IDSs must improve their performance to be useful. If performance improves, IDSs can be used to block attacks. Firewalls will absorb the functionality.

Should I use an IDS on internal networks to detect attacks that don’t come through the firewall?

Most internal attacks consist of authorized users taking unauthorized actions or otherwise abusing their privileges. Network-based IDSs don’t detect this type of activity. Network IDS sensors can detect internal hacking events, but these comprise less than 5 percent of the “insider” problem.

IDSs can be useful on internal networks to discover “rogue” servers, or servers that have suspiciously changed their behavior. However, the cost of configuring internal networks with IDS sensors is comparable to placing in-line firewalls at the same points. As the technology matures, the performance and pricing of next-generation firewalls will allow internal intrusion detection to be performed as part of network zoning efforts that can greatly reduce the impact of worms and other blended attacks.
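The two internal-network uses named above, finding rogue or behavior-changed servers and catching worm propagation between zones, as an added example (not from the article). It assumes connection records in a constructed “HH:MM:SS src dst dport” format such as a sensor or zone firewall could export; it builds a baseline of which server:port pairs accepted connections, then flags services that appear only in today’s traffic and hosts whose fan-out on one port looks like scanning.

```python
"""Discovering rogue or behaviour-changed internal servers from flow records.
Example code added to this page, not Gartner's; the flow logs are constructed.
Record format assumed: "HH:MM:SS src dst dport", one connection per line."""
from collections import defaultdict


def parse_flows(text):
    """Parse the constructed flow format into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows


def listeners(flows):
    """(server, port) -> set of distinct clients that connected to it."""
    seen = defaultdict(set)
    for _, src, dst, dport in flows:
        seen[(dst, dport)].add(src)
    return seen


def find_new_services(baseline_flows, current_flows, min_clients=2):
    """Services that accepted connections from several clients now but never
    appeared in the baseline: a new (possibly rogue) server, or a known host
    that started listening on a new port. min_clients keeps a single scanner's
    probes from making every probed target look like a new service."""
    base = listeners(baseline_flows)
    now = listeners(current_flows)
    return sorted(svc for svc, clients in now.items()
                  if svc not in base and len(clients) >= min_clients)


def find_scanners(flows, fanout_threshold=10):
    """(client, port) pairs that contacted many distinct servers on one port,
    the fan-out pattern of a worm looking for its next victim."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        targets[(src, dport)].add(dst)
    return sorted(k for k, dsts in targets.items() if len(dsts) >= fanout_threshold)


# Constructed baseline: a web server, a mail relay and a database server.
BASELINE_LOG = """\
09:00:01 10.0.5.21 10.0.1.10 80
09:00:02 10.0.5.22 10.0.1.10 80
09:00:03 10.0.5.23 10.0.1.11 25
09:00:04 10.0.5.21 10.0.1.12 1433
09:00:05 10.0.5.24 10.0.1.12 1433
"""

# Constructed "today": the same traffic, plus a new web server at 10.0.1.30,
# plus the database server suddenly serving port 445 and probing the
# 10.0.2.0/24 segment on 445 (the footprint of a worm that landed on it).
TODAY_LOG = BASELINE_LOG + """\
10:00:01 10.0.5.21 10.0.1.30 80
10:00:02 10.0.5.25 10.0.1.30 80
10:00:03 10.0.5.22 10.0.1.12 445
10:00:04 10.0.5.23 10.0.1.12 445
""" + "".join(f"10:01:{i:02d} 10.0.1.12 10.0.2.{i} 445\n" for i in range(12))


def report(baseline_text=BASELINE_LOG, today_text=TODAY_LOG):
    """Run both detections and return their findings."""
    base, today = parse_flows(baseline_text), parse_flows(today_text)
    return {"new_services": find_new_services(base, today),
            "scanners": find_scanners(today)}


if __name__ == "__main__":
    for key, items in report().items():
        print(key, items)
```

The min_clients floor matters: a scanner touches a dozen hosts on port 445 once each, and without it every one of those targets would be reported as a “new service,” which is the same alert-flood problem the article complains about in a different guise. A real deployment would also age the baseline and key it by zone, since a database server talking to an SMB port is suspicious where a file server doing so is not.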

Using firewalls to deny or allow application-level connections will require many rules on the firewall. Are firewall performance and security degraded when rule sets get large and complex?

Enterprises must tune network-based IDSs extensively to use them effectively. These tuning actions are essentially security policy rules that determine what is allowed or denied (where denial means issuing an alarm), similar to what a firewall does. Therefore, any application-level security approach will require more rules than simple network-protocol-based security controls.

Next-generation firewalls can implement complex rule sets at wire speeds. Leading products will provide user interface and management capabilities to support enterprise security needs.

What should I do with my current or near-term IDS deployments before next-generation firewalls are available?

  • Abandon plans for “IDS everywhere” deployments. Use your IDS investments to focus on trust boundaries (directly inside firewalls) and LAN segments that house high-value servers.
  • Purchase security management products (see “CIO Update: Gartner’s IT Security Management Magic Quadrant Lacks a Leader”) to perform IDS alarm data reduction and correlation with firewall and vulnerability assessment logs, or outsource IDS monitoring to managed security service providers.
  • Redirect network-based IDS funding to host-based intrusion prevention on high-value servers, and to automated vulnerability assessment and remediation processes and products.
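The alarm data reduction the second recommendation describes, correlating IDS alerts with firewall and vulnerability assessment logs, as an added example (not Gartner’s text or any product’s logic). It assumes three constructed inputs: IDS alerts carrying the product and CVE a signature targets, a firewall log of accepted and dropped connections, and an asset inventory from the last vulnerability scan. The signature-to-CVE pairings refer to real issues of the period (IIS Unicode traversal, the SQL Server resolution service overflow exploited by Slammer, the Apache chunked-encoding overflow), but the hosts, scan results and traffic are invented for the example.

```python
"""IDS alarm reduction by correlation with firewall logs and vulnerability
assessment data. Example code added to this page; alerts, firewall lines,
hosts and scan results are constructed. The CVE ids are real 2000-2002
vulnerabilities used only to label the signatures."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Alert:
    name: str
    src: str
    dst: str
    dport: int
    target_service: str        # product the signature exploits
    cve: Optional[str] = None  # vulnerability the signature corresponds to


@dataclass
class Asset:
    ip: str
    services: dict   # dport -> product actually listening there
    open_vulns: set  # CVE ids still unpatched according to the last scan


def parse_firewall(text):
    """Return the set of (src, dst, dport) connections the firewall accepted.
    Constructed format: 'ACCEPT|DROP src dst dport' per line."""
    accepted = set()
    for line in text.strip().splitlines():
        action, src, dst, dport = line.split()
        if action == "ACCEPT":
            accepted.add((src, dst, int(dport)))
    return accepted


def triage(alert, assets, accepted):
    """Decide whether an IDS alert is actionable. Checks run cheapest first:
    did the packet reach the host, is the target even the right product,
    and is the specific hole still open."""
    if (alert.src, alert.dst, alert.dport) not in accepted:
        return "suppressed:dropped-at-firewall"
    asset = assets.get(alert.dst)
    if asset is None:
        return "medium:unknown-target"          # no inventory: cannot dismiss
    if asset.services.get(alert.dport) != alert.target_service:
        return "suppressed:platform-mismatch"   # e.g. IIS exploit at Apache
    if alert.cve and alert.cve in asset.open_vulns:
        return "critical:vulnerable-target-reached"
    return "low:target-not-vulnerable"


# Constructed inventory from the last vulnerability scan.
ASSETS = {
    "10.0.1.10": Asset("10.0.1.10", {80: "apache"}, set()),
    "10.0.1.11": Asset("10.0.1.11", {80: "apache"}, {"CVE-2002-0392"}),
    "10.0.1.12": Asset("10.0.1.12", {1433: "sql-server", 1434: "sql-server"}, {"CVE-2002-0649"}),
}

# Constructed firewall log for the same time window as the alerts.
FIREWALL_LOG = """\
ACCEPT 203.0.113.5 10.0.1.10 80
DROP   203.0.113.9 10.0.1.12 1434
ACCEPT 203.0.113.7 10.0.1.11 80
ACCEPT 203.0.113.8 10.0.1.10 80
"""

# Constructed IDS alerts; same Apache signature fires twice against
# hosts with different patch states.
ALERTS = [
    Alert("IIS unicode directory traversal", "203.0.113.5", "10.0.1.10", 80, "iis", "CVE-2000-0884"),
    Alert("SQL Server resolution service overflow", "203.0.113.9", "10.0.1.12", 1434, "sql-server", "CVE-2002-0649"),
    Alert("Apache chunked-encoding overflow", "203.0.113.7", "10.0.1.11", 80, "apache", "CVE-2002-0392"),
    Alert("Apache chunked-encoding overflow", "203.0.113.8", "10.0.1.10", 80, "apache", "CVE-2002-0392"),
]


def run(alerts=ALERTS, assets=ASSETS, firewall_text=FIREWALL_LOG):
    """Return [(alert name, verdict)] for every alert."""
    accepted = parse_firewall(firewall_text)
    return [(a.name, triage(a, assets, accepted)) for a in alerts]


if __name__ == "__main__":
    for name, verdict in run():
        print(f"{verdict:38} {name}")
```

Of four alerts, only one survives as critical: the firewall already stopped the Slammer probe, the IIS signature fired against an Apache host, and the second Apache alert hit a patched server. That is the reduction the article is after, and it is only possible because the vulnerability assessment data is fresh; a stale inventory turns “platform-mismatch” and “target-not-vulnerable” into silent misses, so the correlation should be keyed to scan dates in practice.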

Gartner has published a new report that includes material on intrusion detection and prevention, “Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture.” The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today’s hottest IT topics. For information about buying the report or others in the Executive Report Series, go to