Watching the detection

By Oliver Descoeudres, Technology & Business magazine
ZDNet Australia, October 10, 2003
URL: http://www.zdnet.com.au/news/security/soa/Watching-the-detection/0,130061744,120279511,00.htm
COMMENTARY--They may not be perfect, but intrusion detection systems should be a part of your enterprise security arsenal.

Many of you will have read the review in last month's Technology & Business: "Intrusion Detection: Caught in its Own Web?" It opened with a rather cynical analogy: "There is something uniquely serene, hunters will tell you, about the thrill of the chase. It's about quietly tracking some elusive piece of fauna, piecing together faint clues to figure out which direction it's gone, then lying in wait until it comes within range... Now imagine the deer stalking you--running in a circle to double back behind you, then ransacking your 4WD, deflating your tyres and drinking your beer while you chase its tracks in an entirely different direction..."

By coincidence, this issue came out about the same time as we held a series of seminars on intrusion detection systems (IDS), which was about the same time that the Blaster worm claimed a fair few corporate victims. In fact, many people who couldn't make it apologised later and blamed the worm for upsetting their schedule. Some of them had received a warning at 3am--from their IDS box or via our 24x7 security management service--and decided the problem could be dealt with later.

This brings me to my point, which is that IDS can be a useful technology, despite its share of critics. I agree that IDS is not the easiest of technologies. It's not the typical "plug and play" appliance. It does require tuning and 24x7 management (unless you're only concerned about attacks that occur from 9am-5pm). IDSes do generate a lot of data--how much depends on how they are "tuned". They can't necessarily resolve a problem without intervention (although some intrusion prevention systems can shut down ports or react to changes in network traffic).
However, the data they provide--and their ability to identify traffic anomalies and threats--make this a technology well worth deploying as part of a complete security solution. A single managed customer IDS in our Global NetCentre typically produces over 1,000,000 events every month, which are translated into 650 alerts and 2-3 escalations that require a response. One of the drivers of our managed security service--and security management in general--is the requirement to have 24x7 monitoring, the skills to distinguish real threats from false positives, and processes to respond to threats.

Conversely, an IDS that is set up and tuned correctly recognises potential attacks early (many of which firewalls legitimately allow through their rulebase), provides information on suggested remediation of detected threats, and records attacks for offline analysis. It also catches internal hacking and misuse of IT resources.

A Gartner report in June 2003 predicted that high rates of false alarms, the need for 24x7 management, a taxing incident-response process, and an inability to scan network traffic at more than 600Mbps would render the technology obsolete by 2005. In reply, Martin Roesch, Founder & CTO, Sourcefire (and author of Snort) stated: "Perhaps Gartner really believe that layers of more intelligent firewalls will be able to defeat every attack against a network, across all the platforms on that network and never be wrong... I share no such hopes."

Late last year, IDC revealed research that found IDSes to be the fastest growing segment of the security hardware market, with a compound annual growth rate of 48 percent from 2001-2006 (albeit from a very small base). A recent survey we conducted supports this, with the majority of respondents already having IDS or planning to implement the technology in the next six months. Only 25 percent of respondents stated they had no IDS and no plans to implement this technology.
I'll defy the critics on this one: whether you have the in-house expertise to monitor an IDS or you outsource this function, it should be part of the enterprise security arsenal. And if alarm bells ring at 3am, it may be worth checking before turning the device off and going back to bed!

Oliver Descoeudres is marketing manager at network IP/Internet network infrastructure builder and solutions provider NetStar Australia. He can be contacted at marketing@netstarnetworks.com or on 02 9805 9759.
Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.