

Holy security wars

Analyst Jon Oltsik says zealots are waging war for no reason in the field of information security. Intrusion detection and intrusion prevention, he says, work best in tandem.

What is with the technology industry's propensity for fighting religious wars over products and technologies? It seems that there are always new battles being fought, as fanatics unfurl their banners to declare that Linux will overtake Windows, that asynchronous transfer mode is dead or that the world is moving to Internet Protocol telephony. These debates stir passion and serve as fodder for lively conversations at trade shows.


But besides their entertainment value, religious wars are invariably unproductive and only confound users.

Along those lines, consider the classic religious war now dividing the field of information security, where proponents are squaring off over the merits of intrusion detection systems (IDSes) versus intrusion prevention systems (IPSes).

The struggle has been especially fierce since mid-2003, when a group of industry experts declared that IDSes would be killed off by the evolving superiority of IPS systems. Rather than clearing the air, this proclamation only added to general confusion. That led users to delay purchases, leave networks inadequately protected and suffer through abundant attacks.

Let's set the record straight.

IPS devices act as security checkpoints. Packets receive some basic screening at the gateway but are interrogated far more aggressively by the addition of an IPS. The device isn't looking for every potential security threat. Rather, it's looking for known problems and blatantly suspicious behavior.

Packets that violate protocols or contain malicious payloads get terminated--no questions asked. To perform this task, IPS devices take an active role in the security infrastructure. They sit in line on corporate networks, making decisions about packets like routers and switches do.

IDS devices live a more passive existence, something along the lines of a security camera. A security camera may pinpoint illegal activity, but it depends on human beings to foil the intruders. IDS devices provide a similar function by sitting off the traffic path (out of band) and monitoring packets as they go by. When an IDS sees anything that looks at all suspicious, it sounds the alarm. Then, it is up to a security administrator to review the alert and take appropriate action.

Now, here comes the religious-war part. IPS bigots say today's threats need immediate attention and that IDSes are simply too passive to prevent attacks. They go on to say that IDS devices are also too paranoid. IDSes spit out thousands of false-positive alerts, they say, leaving the responsibility of finding the threat-related needles among the security alert haystacks to overburdened security personnel.

Hello? These devices are called intrusion detection systems because they were designed to detect, not prevent, malicious activity. Security cameras don't magically change into pitbulls when a thief appears. As for false-positive alerts, IDSes were engineered to be obsessive. Too many false positives, you say? Fine, tune the system. Every environment is different, so you can't rely on default settings. This takes some work, but last time I checked, system tuning always does.

IDS zealots have their own brand of passionate rhetoric. They say IPS devices can slow the network, act as a single point of failure or block legitimate traffic. These objections have roots of legitimacy but are no longer true. Today's IPS systems are built on top of lightning-fast components to keep up with almost any network. To maintain availability, IPS devices can be clustered for high-availability protection, and once again, system tuning is the key to blocking malicious code while waving legitimate traffic through.

IDS and IPS devices actually work best in tandem. The IPS device blocks known hostile code, while the IDS provides another set of eyes into real-time and historical security events. In other words, this isn't an "either...or" decision; implementing both IDS and IPS devices offers the highest level of security protection.
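As an added illustration of the split described above (this is constructed example code, not from the column or any product), here is one toy rule set run two ways over constructed traffic: inline as an IPS that drops only high-confidence matches, and out of band as an IDS that raises alerts on everything, including a broad heuristic; a `suppress` set of (rule, source) pairs stands in for the tuning step. Packet layout, rule names and addresses are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    payload: bytes

# Constructed rules: (name, byte pattern or None for a length heuristic, action).
# "block" = high-confidence known-bad (IPS drops); "alert" = broad heuristic (IDS only).
SIGNATURES = [
    ("sqli-union", b"UNION SELECT", "block"),
    ("path-traversal", b"../../", "block"),
    ("oversized-request", None, "alert"),
]

def matches(pkt, pattern):
    if pattern is None:            # heuristic rule: unusually long request
        return len(pkt.payload) > 512
    return pattern in pkt.payload

def ips_inline(packets, suppress=frozenset()):
    """Inline checkpoint: drop packets hitting a 'block' rule, forward the rest.
    suppress = {(rule, src)} pairs added while tuning out false positives."""
    forwarded, dropped = [], []
    for pkt in packets:
        hit = any(act == "block" and matches(pkt, pat) and (n, pkt.src) not in suppress
                  for n, pat, act in SIGNATURES)
        (dropped if hit else forwarded).append(pkt)
    return forwarded, dropped

def ids_passive(packets, suppress=frozenset()):
    """Out-of-band monitor: alters nothing, returns (rule, src) alerts for a human."""
    return [(n, pkt.src) for pkt in packets for n, pat, _ in SIGNATURES
            if matches(pkt, pat) and (n, pkt.src) not in suppress]

# Constructed traffic: benign request, two known attacks, one legitimate large
# upload from an internal host that trips the heuristic (a false positive).
TRAFFIC = [
    Packet("198.51.100.7", b"GET /index.html HTTP/1.1"),
    Packet("198.51.100.9", b"GET /item?id=1 UNION SELECT user,pass FROM users"),
    Packet("198.51.100.9", b"GET /../../etc/passwd HTTP/1.1"),
    Packet("10.0.0.5", b"POST /upload HTTP/1.1 " + b"A" * 600),
]

def tandem(suppress=frozenset()):
    """IPS first (blocks known-bad inline), IDS watches what got through."""
    forwarded, dropped = ips_inline(TRAFFIC)
    return len(dropped), len(forwarded), ids_passive(forwarded, suppress)
```

Calling `tandem()` drops the two known attacks and leaves one heuristic alert for the large upload; `tandem({("oversized-request", "10.0.0.5")})` shows the tuned result with that alert suppressed while the blocks still stand.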

Companies make decisions based on business needs, and people who take a dogmatic position on technology issues probably aren't helping their employer. All they're doing is recruiting foot soldiers for a self-serving technology jihad.