Holy security wars
Analyst Jon Oltsik says zealots are waging war for no reason in the field of information security. Intrusion detection and intrusion prevention, he says, work best in tandem.
Along those lines, consider the classic religious war now dividing the field of information security, where proponents are squaring off over the merits of intrusion detection systems (IDSes) versus intrusion prevention systems (IPSes).
The struggle has been especially fierce since mid-2003, when a group of industry experts declared that IDSes would be killed off by the evolving superiority of IPS systems. Rather than clearing the air, this proclamation only added to general confusion. That led users to delay purchases, leave networks inadequately protected and suffer through abundant attacks.
Let's set the record straight.
IPS devices act as security checkpoints. Packets receive some basic screening at the gateway but are interrogated far more aggressively by the addition of an IPS. The device isn't looking for every potential security threat. Rather, it's looking for known problems and blatantly suspicious behavior.
Packets that violate protocols or contain malicious payloads are dropped, no questions asked. To perform this task, IPS devices take an active role in the security infrastructure. They sit inline on corporate networks, making forwarding decisions about packets the way routers and switches do.
Now, here comes the religious-war part. IPS bigots say today's threats need immediate attention and that IDSes are simply too passive to prevent attacks. They go on to say that IDS devices are also too paranoid. IDSes spit out thousands of false-positive alerts, they say, leaving the responsibility of finding the threat-related needles among the security alert haystacks to overburdened security personnel.
Hello? These devices are called intrusion detection systems because they were designed to detect, not prevent, malicious activity. Security cameras don't magically change into pitbulls when a thief appears. As for false-positive alerts, IDSes were engineered to be obsessive. Too many false positives, you say? Fine, tune the system. Every environment is different, so you can't rely on default settings. This takes some work, but last time I checked, system tuning always does.
IDS zealots have their own brand of passionate rhetoric. They say IPS devices can slow the network, act as a single point of failure or block legitimate traffic. These objections had some basis in the past but no longer hold. Today's IPS systems are built on lightning-fast components that keep up with almost any network. To maintain availability, IPS devices can be clustered for high-availability protection, and once again, system tuning is the key to blocking malicious code while waving legitimate traffic through.
IDS and IPS devices actually work best in tandem. The IPS device blocks known hostile code, while the IDS provides another set of eyes into real-time and historical security events. In other words, this isn't an "either...or" decision; implementing both IDS and IPS devices offers the highest level of security protection.
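To make the "in tandem" point concrete, here is an added example (not from the column or any vendor's product) that models the two roles described above: an inline IPS that drops protocol violations and known-bad payloads, and a passive IDS that never blocks but alerts on behaviour and keeps the historical record, including what the IPS dropped. It also shows the tuning argument from earlier in the column: the IDS's port-sweep threshold and allowlist are the knobs, and a legitimate internal scanner trips a false positive until the sensor is tuned for that environment. The packets, the `EXAMPLE-*-MARKER` payload signatures and all hosts are constructed placeholders, not real indicators.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed, simplified view of what a sensor sees per packet.
# Real traffic carries far more fields; these suffice for the demo.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset          # TCP flag names, e.g. frozenset({"SYN"})
    payload: bytes = b""

# Hypothetical "known bad" payload signatures (placeholders, not real IoCs).
KNOWN_BAD_SIGNATURES = [b"EXAMPLE-EXPLOIT-MARKER", b"EXAMPLE-WORM-MARKER"]

def ips_verdict(pkt):
    """Inline decision: returns (action, reason). Drops protocol violations
    and known-bad payloads; everything else is forwarded unchanged."""
    # SYN and FIN set together is not a valid TCP state transition,
    # so it is treated as a protocol violation.
    if {"SYN", "FIN"} <= pkt.flags:
        return "drop", "protocol-violation:SYN+FIN"
    for sig in KNOWN_BAD_SIGNATURES:
        if sig in pkt.payload:
            return "drop", f"known-bad-payload:{sig.decode()}"
    return "forward", ""

@dataclass
class PassiveIDS:
    """Passive sensor on a mirror port: never blocks, only alerts.
    syn_threshold is the tunable knob; allowlist holds hosts that are
    expected to probe many ports (e.g. an internal vulnerability scanner)."""
    syn_threshold: int = 5
    allowlist: frozenset = frozenset()
    syn_counts: Counter = field(default_factory=Counter)
    alerts: list = field(default_factory=list)

    def observe(self, pkt, ips_action, ips_reason):
        # Record the IPS decision so the historical view is complete.
        if ips_action == "drop":
            self.alerts.append(("ips-drop", pkt.src, ips_reason))
        # Behavioural detection: SYNs to many distinct ports from one source.
        if pkt.flags == frozenset({"SYN"}) and pkt.src not in self.allowlist:
            self.syn_counts[(pkt.src, pkt.dport)] += 1
            distinct_ports = sum(1 for (s, _) in self.syn_counts if s == pkt.src)
            if distinct_ports == self.syn_threshold:
                self.alerts.append(("port-sweep", pkt.src, f"{distinct_ports} ports"))

def run_tandem(packets, ids):
    """Feed each packet through the inline IPS, then let the passive IDS
    see the packet together with the IPS decision. Returns the packets
    that were actually forwarded."""
    forwarded = []
    for pkt in packets:
        action, reason = ips_verdict(pkt)
        ids.observe(pkt, action, reason)
        if action == "forward":
            forwarded.append(pkt)
    return forwarded

# Constructed traffic: a normal HTTPS exchange, a SYN+FIN probe, a packet
# carrying a placeholder exploit marker, and a six-port sweep from an
# internal scanner host that is legitimate in this environment.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.1.10", 443, frozenset({"SYN"})),
    Packet("10.0.0.5", "10.0.1.10", 443, frozenset({"ACK"}), b"GET / HTTP/1.1"),
    Packet("198.51.100.7", "10.0.1.10", 22, frozenset({"SYN", "FIN"})),
    Packet("198.51.100.7", "10.0.1.10", 80, frozenset({"ACK"}), b"EXAMPLE-EXPLOIT-MARKER"),
] + [Packet("10.0.0.99", "10.0.1.10", p, frozenset({"SYN"})) for p in range(1, 7)]

def alerts_with_defaults():
    """Default settings: the scanner host raises a port-sweep false positive."""
    ids = PassiveIDS()
    run_tandem(SAMPLE_TRAFFIC, ids)
    return ids.alerts

def alerts_after_tuning():
    """Tuned for this environment: the scanner is allowlisted, so only the
    two genuine IPS drops remain in the record."""
    ids = PassiveIDS(allowlist=frozenset({"10.0.0.99"}))
    run_tandem(SAMPLE_TRAFFIC, ids)
    return ids.alerts

if __name__ == "__main__":
    for label, alerts in (("defaults", alerts_with_defaults()), ("tuned", alerts_after_tuning())):
        print(label)
        for a in alerts:
            print("  ", a)
```

Note the division of labour: the IPS only acts on what it can decide with confidence at wire speed (an impossible flag combination, a known signature), while the IDS keeps the slower, noisier behavioural judgement and the audit trail of everything, including the drops. Tuning lives on the IDS side here because that is where the false positives are generated; the allowlist is the simplest knob, but raising `syn_threshold` for a busy segment is the other common one.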
Companies make decisions based on business needs, and people who take a dogmatic position on technology issues probably aren't helping their employer. All they're doing is recruiting foot soldiers for a self-serving technology jihad.