A network without adequate security is a liability. From the ever-present threat of worms and viruses that can compromise network hosts to the potential for data leaks, the risk is far greater than the resources and work hours saved by not protecting the network.
What's more, if your company does business with the government, you can throw legal accountability into the liability mix. That's because the Government Information Security Reform Act of 2000 (GISRA) required that government agencies manage information system security and its documentation. Then the Federal Information Security Management Act of 2002 (FISMA), part of the Homeland Security bill, made GISRA's security provisions permanent. The upshot: Agencies must protect information from unlawful access, ensure the continued operation of information processing assets, and provide documentation and information that can be used to prosecute those who compromise security. It's the law.
Given these strict guidelines, network administrators are now forced to grapple with a bewildering assortment of tools to ensure they know exactly what is moving through their networks. For government agencies and contractors -- as well as many prudent corporations without governmental ties -- the toolset generally comprises some combination of IDS (intrusion detection systems), IPS (intrusion prevention systems), and the requisite network forensics tools as critical foundations for a secure IT infrastructure. IDS, IPS, and network forensics systems are designed to detect unauthorized network access attempts, block those attempts that have been identified as illegitimate, and keep records of where the attempts came from. It is hard to imagine a secure network meeting FISMA requirements without relying on one or more of these anti-intrusion mechanisms.
Though the array of network forensics and analysis tools may seem endless, only a few need be implemented to gain significant insight into the network as a whole. As a practical matter, network admins will likely choose between an IDS and an IDP for defense at the network edge (see "A Dollop of Detection or a Dose of Prevention?"). IDSes have come under fire recently for their passive operation, whereas IDP solutions are viewed as much more intrusive, because they must be deployed inline on a network segment. But either solution will provide a granular view of the security of the network.
To round out the defense team and to prepare for the very real possibility of a network intrusion, you'll also need a forensic system. Don't confuse a network forensics system with a network analyzer. The former runs continuously and focuses on archiving and analyzing data streams to provide an audit trail of network activity, packet payloads and all, to be used in civil or criminal cases. The latter, an essential component in any network toolkit, troubleshoots network problems but does not monitor security. You can expect to pull out a network analyzer when problems occur, whether to determine why an application isn't working right or to ferret out the cause of overall network performance issues. But forensics systems and network analyzers aren't an either/or proposition; you will often deploy them in tandem. Besides, government compliance strongly suggests you employ forensics; good common network sense says you'll need analyzers as well.
Keeping Intruders Out