Realistic Expectations for Intrusion Detection Systems

Contact: http://www.packetnexus.com

by Richard Wiens
last updated March 19, 2001

Intrusion detection forms an increasingly important segment of the
security technology market. While intrusion detection systems were,
until recently, both expensive and difficult to maintain, they have
become more affordable. With the arrival of less expensive off-the-shelf
solutions, IDSs are becoming a more common feature of security regimens.

The emergence of IDSs leads some security commentators to see them as a
panacea, solving all of the complex and diverse threats to network
security. However, like any weapon in the security arsenal, an IDS has
limited capabilities, and expecting too much of one places the user's
network at risk. This article discusses reasonable expectations of
Intrusion Detection Systems (IDSs). Its purpose is to help users and
potential users realize the increasing importance of intrusion detection
in all organizations, while also pointing out the realistic outcomes to
be expected from current IDS products. It also discusses future trends
in IDS development.

Realistic Expectations of Intrusion Detection Systems

Intrusion detection is considered by many to be the logical complement
to network firewalls, extending the security management capabilities of
system administrators to include security audit, monitoring, attack
recognition and response. The following real-world examples point out
the concrete tasks that IDSs can be expected to perform efficiently,
ensuring increased real security protection.

IDSs monitor the Internet to detect possible attacks

Monitoring the Internet for potential attacks is both time-consuming and
tedious. By taking over the ongoing task of monitoring the Internet to
detect possible attacks, intrusion detection systems allow security
personnel to accomplish other essential security functions. In practice,
much of this monitoring is done by the vendors: IDS vendors ship
extensive attack signature databases against which the product matches
information from the user's system. Vendors have expert staffs that
monitor the Internet and other sources for new attack tools and
techniques. They then use this information to develop new signatures
that are provided to customers, enabling network administrators to keep
up-to-date without expending valuable time and monetary resources.
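
To make the signature-database mechanism concrete, here is an added example that is not from the article or any IDS vendor: a toy matcher that pre-filters on protocol and destination port, runs a vendor-style signature set over constructed traffic, and shows that a probe from a tool outside the shipped set stays silent until the vendor's signature update adds a rule for it. The signature ids, rule patterns, tool names and traffic are all constructed for illustration.

```python
# Added example, not from the article: toy signature matcher showing how a vendor
# signature update extends what the IDS flags. Ids, rules and traffic are constructed.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: str      # constructed signature id
    proto: str    # transport protocol the rule applies to
    dport: int    # destination port (0 = any)
    pattern: str  # regex run against the payload
    msg: str      # alert text

@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    payload: bytes

def compile_db(sigs):
    """Compile the signature database once; matching happens per packet."""
    return [(s, re.compile(s.pattern.encode(), re.IGNORECASE)) for s in sigs]

def match(db, pkt):
    """Return (sid, msg) for every signature the packet matches."""
    hits = []
    for sig, rx in db:
        if sig.proto != pkt.proto or (sig.dport and sig.dport != pkt.dport):
            continue  # header pre-filter: skip the regex when proto/port differ
        if rx.search(pkt.payload):
            hits.append((sig.sid, sig.msg))
    return hits

def scan(sigs, traffic):
    """Alerts per packet index; an empty list is a miss, not an error."""
    db = compile_db(sigs)
    return {i: match(db, p) for i, p in enumerate(traffic)}
# Signature set as shipped (constructed rules, not real vendor content).
SIGS_V1 = [
    Signature("C-100", "tcp", 80, r"GET /cgi-bin/oldtool\?", "WEB oldtool probe"),
    Signature("C-101", "tcp", 21, r"^SITE EXEC ", "FTP SITE EXEC attempt"),
]
# Vendor update after its staff saw a new tool: one added signature.
SIGS_V2 = SIGS_V1 + [Signature("C-102", "tcp", 80, r"/cgi-bin/newtool\.cgi\?cmd=", "WEB newtool probe")]
# Constructed traffic: packets 1 and 3 are probes, 0 and 2 are normal.
TRAFFIC = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
    Packet("tcp", 80, b"GET /cgi-bin/oldtool?x=1 HTTP/1.0\r\n"),
    Packet("tcp", 21, b"USER anonymous\r\n"),
    Packet("tcp", 80, b"GET /cgi-bin/newtool.cgi?cmd=id HTTP/1.0\r\n"),
]
```

Run `scan(SIGS_V1, TRAFFIC)` and `scan(SIGS_V2, TRAFFIC)` side by side: packet 3 produces no alert under the shipped set and is only flagged once the update is loaded, which is exactly the gap the vendor's signature feed is meant to close.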

IDSs help organizations to develop and implement an effective security
policy.

Many intrusion detection systems offer security policy tools that help
to define and implement the security policy of the organization. All
organizations should have a security policy in place. This policy should
clearly dictate from the CEO level the security priorities of the
organization and define a procedure for what happens when an intrusion
is suspected. An effective security policy should consider the
following: operating systems, services (web servers, e-mail servers, and
databases), network IDSs, firewalls, and the network management platform
(such as OpenView). IDSs should be included as part of the overall
security policy of an organization: they help to enforce the security
policy by detecting prohibited traffic and/or activities, and they play
an active role