No Trespassing

Intrusion detection solutions still play a crucial part in a layered network security plan.
Increased complexity of networks, access to the Internet, and computer literacy have necessitated that network security vendors offer users a technology for detecting network breaches. Begun in the 1980s as a series of government projects, intrusion detection software quickly matured and crossed over to the commercial market. By February 2000 there were numerous commercial IDS offered as part of a layered security approach.

Intrusion detection systems monitor, detect and respond to unauthorized network activity. In order to do this, IDS use policies to define certain events that will trigger an alert if detected. While some IDS only issue an alert, there are systems that respond automatically by logging off the perpetrator, disabling the user account, or launching scripts. IDS tools act as a complement to firewalls. They allow for the complete supervision of networks and ensure that there will be information available to help determine the nature of the security incident and its source.

According to GFI CEO Nick Galea, "As part of an organization's security practices and policies, it is important for companies to be aware, in real time, of unauthorized access and/or any attempts of this, be it from internal or external sources. It is essential for administrators to have a product in place that immediately notifies them in cases of critical network events as they occur, as this enables them to take immediate action."

Types of Attacks
There are three types of network attacks. In a reconnaissance attack, or scan, the intruder finds out as much about the system as possible. In an exploit attack, the intruder takes advantage of bugs or vulnerabilities in order to gain access to the system. In a denial of service (DoS) attack, the intruder vandalizes the system so that it becomes unavailable to legitimate users.
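The two preceding passages describe how an IDS works in principle: a policy names the events that count as suspicious, the system raises an alert when it sees them, and some systems go further and respond automatically. The following is an added example, not code from the article or from any vendor it names, that replays a constructed connection log through two such policy rules: a reconnaissance rule (one source touching many distinct ports in a short window) that only alerts, and a denial-of-service rule (one source hammering a single service) that alerts and then blocks the source. The log format, the addresses and the thresholds in `POLICY` are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: float   # seconds since the start of the log
    src: str    # source IP address
    dst: str    # destination IP address
    port: int   # destination TCP port


@dataclass
class Alert:
    rule: str       # which policy rule fired
    src: str        # offending source address
    ts: float       # time of the event that crossed the threshold
    detail: str     # human-readable evidence for the analyst
    response: str   # "alert" (report only) or "block" (automatic response)


@dataclass
class Result:
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)  # sources cut off automatically
    dropped: int = 0                           # events discarded after a block


# Hypothetical policy: an administrator's thresholds, not any product's defaults.
POLICY = {
    "scan": {"window": 10.0, "distinct_ports": 6, "response": "alert"},
    "flood": {"window": 5.0, "connections": 20, "response": "block"},
}


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form '<seconds> <src> <dst> <port>'."""
    ts, src, dst, port = line.split()
    return Event(float(ts), src, dst, int(port))


def _raise(result, fired, rule, ev, detail, response):
    """Record an alert once per (rule, source) and apply the configured response."""
    if (rule, ev.src) in fired:
        return
    fired.add((rule, ev.src))
    result.alerts.append(Alert(rule, ev.src, ev.ts, detail, response))
    if response == "block":
        result.blocked.add(ev.src)


def detect(log_text: str, policy: dict = POLICY) -> Result:
    """Replay the log in time order and evaluate each policy rule per source."""
    lines = [l for l in log_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    result = Result()
    history = defaultdict(list)  # src -> recent events, oldest first
    fired = set()                # (rule, src) pairs already reported
    max_window = max(r["window"] for r in policy.values())

    for ev in events:
        if ev.src in result.blocked:
            result.dropped += 1  # the automatic response is in effect for this source
            continue
        hist = history[ev.src]
        hist.append(ev)
        # Forget events older than the longest window so memory stays bounded.
        hist[:] = [e for e in hist if ev.ts - e.ts <= max_window]

        # Reconnaissance: count distinct (host, port) targets inside the window.
        rule = policy["scan"]
        targets = {(e.dst, e.port) for e in hist if ev.ts - e.ts <= rule["window"]}
        if len(targets) >= rule["distinct_ports"]:
            _raise(result, fired, "scan", ev,
                   f"{len(targets)} distinct ports within {rule['window']:.0f}s", rule["response"])

        # Denial of service: count connections to the same service inside the window.
        rule = policy["flood"]
        same = [e for e in hist
                if ev.ts - e.ts <= rule["window"] and (e.dst, e.port) == (ev.dst, ev.port)]
        if len(same) >= rule["connections"]:
            _raise(result, fired, "flood", ev,
                   f"{len(same)} connections to {ev.dst}:{ev.port} within {rule['window']:.0f}s",
                   rule["response"])
    return result


def build_sample_log() -> str:
    """Constructed traffic, not a capture: a port scan from 10.0.0.5, ordinary HTTPS
    use from 10.0.0.7 and a connection flood from 10.0.0.9, all aimed at 10.0.0.20."""
    lines = ["# seconds src dst port"]
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 3389]):
        lines.append(f"{i * 0.5:.1f} 10.0.0.5 10.0.0.20 {port}")
    for i in range(5):
        lines.append(f"{10 + 3 * i} 10.0.0.7 10.0.0.20 443")
    for i in range(30):
        lines.append(f"{30 + 0.1 * i:.1f} 10.0.0.9 10.0.0.20 80")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    res = detect(build_sample_log())
    for a in res.alerts:
        print(f"[{a.response.upper()}] t={a.ts:.1f} {a.rule} from {a.src}: {a.detail}")
    print(f"blocked={sorted(res.blocked)} dropped_after_block={res.dropped}")
```

Run as a script, it reports one scan alert for 10.0.0.5 (report only, so that host keeps being logged) and one flood alert for 10.0.0.9, after which the remaining events from that source are dropped; the ordinary browsing from 10.0.0.7 produces nothing. The `response` field is where the IDS/IPS distinction in the text lives: the same detection logic either only records the event or also acts on it.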

Many incidents inside the network result from error, from authorized users attempting to go beyond their authorization, and from disgruntled employees. Attacks do come from outside the network as well, however, and these generally take the form of denial-of-service attacks.

IDS can be used in conjunction with firewalls, but the two play different roles: a firewall regulates and controls the flow of information into and out of a network and attempts to prevent an intruder from entering it. Prevention is also what an intrusion prevention system provides; rather than only reporting incidents while or after they occur, an IPS includes software that attempts to stop the incident from occurring.

IDS vs IPS
Five years ago, there were many IDS vendors and products, and the market flourished. Now, due to spin-offs, mergers and acquisitions, there are fewer IDS vendors. The growing trend is migration toward the more sophisticated intrusion prevention systems, which provide prevention as well as detection in one system or device.

The increased popularity of IPS has raised some controversy regarding whether IDS are still important. Robert Geiger, senior director of products development for Network Security Solutions at Symantec, said, "Symantec recommends that IDS be part of a total security architecture. Enterprises want to block (or protect against) many threats but still will want to record and report on threats they do not block automatically. Thus, there will always be a place for IDS."

Attendees at the 2004 InfoSecurity Conference & Exhibits in New York City supported this statement. According to a senior vice president at JPMorgan Chase, "The demise of IDS has been exaggerated. Right now, changing over to IPS is unfeasible, inefficient and not very cost-effective for many companies that already have IDS and other security products."

An IT director at New York University Medical Center agreed, saying, "If a company has already invested time and money in an IDS that works well and is integrated with their other security products, they'll want to keep the existing IDS because it's part of the security system that they've already cost-justified and implemented. Even with the increasing security awareness, it's hard to cost-justify getting rid of existing security that works and replacing it with a better mousetrap, especially in a tight economy."