Rethinking IDS
False IDS alerts driving you nuts? The best protection against unwanted intrusion may be a layered defense that uses firewalls, IDS, and IPS
After the Nachi worm hit last year, Joe Granneman, manager of networks and PC services at Rockford Health System, knew it was time for a change. “It only took three infected machines to bring down our dual processor firewall,” he marvels. “Without our Internet connection we couldn’t process claims or do much of anything.”
Earlier that year a DoS attack disabled a VPN concentrator. A network IDS (intrusion detection system) detected the attack and sent an alert, but not before frustrated users -- whom Granneman calls his most reliable SNMP alert -- barraged him with phone calls. Monitoring IDS alerts was also taking up more and more of Granneman’s time. “I came in early before my meetings every day to check the IDS logs, spent my lunchtime inspecting IDS logs on my notebook from the cafeteria, and dialed in constantly over Christmas because of the terrorist threat. Those logs became my bible.”
Granneman’s experience with IDS isn’t unusual. Firewalls are still a necessary first line of defense, but traditional stateful inspection firewalls are only adept at stopping network-level attacks, and so are generally helpless in the face of worms and sophisticated application-level attacks that exploit open ports such as 80 (http) and 443 (https). Intrusion detection systems use sensors that sit passively on the LAN inspecting traffic for signs of malicious activity. They use a number of signature- and anomaly-based technologies to help detect many application-level attacks, but they generally do not block them (see “Detection meets Prevention,” page 44). By the time the administrator is alerted, it’s often too late to prevent widespread damage.
A fog of false alerts
IDS has also been prone to endless streams of false alerts. “Our IDS was a mess, alerting us on absolutely everything,” says a network security specialist at an electric utility, who asked not to be named for security reasons. “In fact, I can’t even remember a single legitimate alert. We never had the time or manpower to monitor it all.”
Selim Nart, network architect for global networking at Vignette, agrees that false alerts are a management headache. “It can take you 20 hours to investigate two hours’ worth of alerts.”
In fact, the management and performance drawbacks of IDS are so notorious that a Gartner Information Security Hype Cycle report published in June 2003 declared the category a market failure. Instead, Gartner recommended that organizations hold off investing in IDS and shift resources to vulnerability scanning, server hardening, and newer, deep-packet inspection firewalls, which are more adept than standard firewalls at detecting and stopping application-level attacks (see “Are your Web apps secure?”). More recently, Gartner recommended new kinds of IPSes (intrusion prevention systems), available from traditional IDS and security vendors such as Internet Security Systems (ISS), Netscreen, and Network Associates, as well as from upstarts such as TippingPoint, StillSecure, and Top Layer.
Unlike IDS, which simply monitors the network and sends out alerts, network IPS sits inline to block attacks as they happen. Host-based IPSes, such as those from Entercept (now part of Network Associates) and Okena (now part of Cisco), sit directly on application servers, intercepting system calls and looking for alterations to critical system files, changes in file permissions, and other signs of attack.
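To make the layered picture concrete, here is a small added example (not from the article or from any vendor it names) that models a port-only stateful firewall, a passive signature IDS, and an inline IPS over a few constructed HTTP requests. The signatures and packets are invented for illustration; the point it adds is that a signature which only raises an alert in IDS mode turns into a dropped request in IPS mode, so a false positive now costs availability instead of an analyst’s time.

```python
"""Toy model of three defensive layers: stateful firewall (port only),
passive IDS (alert but forward) and inline IPS (alert and drop).
All packets and signatures below are constructed for the example."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int
    payload: str


# Layer 1: a stateful-inspection firewall decides on port alone, so
# anything riding on an allowed port (80/443) passes untouched.
ALLOWED_PORTS = {80, 443}


def firewall_allows(pkt: Packet) -> bool:
    return pkt.dst_port in ALLOWED_PORTS


# Layers 2/3: payload signatures (constructed, not real IDS rules).
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "constructed-worm-marker": re.compile(r"EXAMPLE_WORM_MARKER"),
}


def match_signatures(payload: str) -> list:
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def inspect(pkt: Packet, mode: str) -> tuple:
    """mode='ids' only alerts and forwards; mode='ips' drops on a hit."""
    if not firewall_allows(pkt):
        return ("dropped-by-firewall", [])
    hits = match_signatures(pkt.payload)
    if hits and mode == "ips":
        return ("blocked-by-ips", hits)
    return ("forwarded", hits)          # IDS: alert raised, traffic still flows


SAMPLE = [                               # constructed traffic
    Packet(23, "telnet login"),                                   # wrong port
    Packet(80, "GET /index.html HTTP/1.1"),                       # benign
    Packet(80, "GET /reports/2004/../summary.html HTTP/1.1"),     # benign but
    # matches dir-traversal: a false positive, dropped in IPS mode
    Packet(80, "GET /search?q=EXAMPLE_WORM_MARKER HTTP/1.1"),     # signature hit
]


def run(mode: str) -> list:
    """Return (port, verdict, signature hits) per packet for the given mode."""
    return [(pkt.dst_port, *inspect(pkt, mode)) for pkt in SAMPLE]
```

Running `run("ids")` shows every port-80 request forwarded with two alerts; `run("ips")` blocks both alerting requests, including the harmless relative path, which is the tuning burden the article’s sources describe moving from the log to the wire.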