Security Spotlight: Is IDS Really Dead?
In a recent report from Gartner Inc., the organization declared that intrusion detection systems, or IDS, could be obsolete by 2005. Rather than wasting time and money implementing systems that monitor systems and networks to look for and report on signs of potential, impending, or actual attack, Gartner instead recommends that organizations use firewalls or other technologies that block such attacks.
These startling revelations appeared in a recent “Information Security Hype Cycle” report from Gartner, which also included the following points:
- Intrusion detection has not delivered tangible value commensurate to its costs.
- Users report that IDS systems generate too many false positives.
- Users report that IDS systems generate copious log data that administrators must reduce and analyze through brute force and ad hoc tools to diagnose and identify attack signatures.
- Most IDS systems cannot monitor network activity at speeds higher than 600 Mbps (in a world where Gigabit or faster technologies are increasingly common, this limits where IDS can be deployed and what it can protect).
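The second and third bullets describe the day-to-day burden of IDS: high alert volume and the ad hoc reduction work needed to see what matters. The following is an added example, not code from the article or from Gartner, of the kind of small reduction tool administrators write: it parses one-line alerts in the style Snort-family sensors emit, collapses them to one row per rule, and drops rules that have been tuned out as noisy. The alert lines, rule ids (sids), messages and addresses are constructed for the example and correspond to no real rule set or network.

```python
import re

# Constructed alert lines in the one-line "fast" alert style (timestamp,
# [gid:sid:rev], message, classification, priority, protocol, src -> dst).
# Every value here is invented for this example; sid 1000002 plays the
# role of a chatty, low-value rule that a site would typically tune out.
SAMPLE_ALERTS = [
    "08/12-09:15:01.123456 [**] [1:1000001:1] EXAMPLE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.20:51234",
    "08/12-09:15:02.223456 [**] [1:1000002:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.20 -> 10.0.0.5",
    "08/12-09:15:02.323456 [**] [1:1000002:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.21 -> 10.0.0.5",
    "08/12-09:15:02.423456 [**] [1:1000002:1] EXAMPLE ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.22 -> 10.0.0.5",
    "08/12-09:16:10.000001 [**] [1:1000003:2] EXAMPLE potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44321 -> 192.168.1.20:22",
    "08/12-09:16:10.000002 [**] [1:1000003:2] EXAMPLE potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44322 -> 192.168.1.21:22",
    "08/12-09:16:10.000003 [**] [1:1000003:2] EXAMPLE potential SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44323 -> 192.168.1.22:22",
    "sensor restarted: rule set reloaded",  # non-alert line the parser must skip
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


def _host(endpoint, proto):
    """Drop the ':port' suffix on TCP/UDP endpoints; ICMP endpoints have none."""
    if proto in ("TCP", "UDP") and ":" in endpoint:
        return endpoint.rsplit(":", 1)[0]
    return endpoint


def parse_alert(line):
    """Return the fields of one alert line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "sid": d["sid"],
        "msg": d["msg"],
        "priority": int(d["pri"]),  # 1 is the most severe in this convention
        "proto": d["proto"],
        "src": _host(d["src"], d["proto"]),
        "dst": _host(d["dst"], d["proto"]),
    }


def reduce_alerts(lines, suppress_sids=frozenset()):
    """Collapse raw alerts to one row per rule, dropping tuned-out sids.

    Each row carries the hit count and the distinct sources and targets, so a
    burst of one rule from one source (a scan) is visible at a glance rather
    than buried among repeats. Rows are sorted most severe first, then by volume.
    """
    groups = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] in suppress_sids:
            continue
        g = groups.setdefault(a["sid"], {
            "sid": a["sid"], "msg": a["msg"], "priority": a["priority"],
            "count": 0, "sources": set(), "targets": set(),
        })
        g["count"] += 1
        g["sources"].add(a["src"])
        g["targets"].add(a["dst"])
    return sorted(groups.values(), key=lambda g: (g["priority"], -g["count"]))


if __name__ == "__main__":
    # Suppressing the ping rule is the tuning step; the remaining two rows are
    # what an administrator would actually review from the eight raw lines.
    for row in reduce_alerts(SAMPLE_ALERTS, suppress_sids={"1000002"}):
        print(f"P{row['priority']} x{row['count']:<3} sid {row['sid']} "
              f"{row['msg']}  sources={sorted(row['sources'])} "
              f"targets={len(row['targets'])}")
```

Suppression by sid is deliberately crude; real tuning also narrows rules by address or port so that a rule stays active where it matters. The point the bullet makes still stands: the sensor itself does none of this, so the reduction logic lives in whatever the administrator builds around it.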
In place of IDS, Gartner claims that firewalls operating at the network and application layers will ultimately replace intrusion detection and prevention systems by the end of 2005.
Reaction in the marketplace has been mixed. While some large enterprises and organizations agree with Gartner’s findings, others do not agree that more powerful, so-called “deep packet inspection” firewalls can completely replace IDS. Other security experts countered Gartner’s claims by observing that security is a profoundly layered process—well described in the literature as “defense in depth”—where IPSec, transport layer security (TLS), firewalls, and virus detection all play important roles and function at various layers in a comprehensive defense model. From this perspective, IDS is an ongoing observation of network and system health and integrity that provides feedback about how well other layers are performing and that is the only workable technology around that can catch signs of attack inside firewall boundaries.
Other experts say that Gartner’s sensational claim misses the point of IDS because its job is not to block or manage traffic in any way, but rather to analyze traffic and behavior to look for signs of potential or actual pathology. Although IDS is subject to limitations and does make extra work for administrators and security professionals, an emerging consensus is that IDS is the best technology for quality and security control in active, complex IT environments and thus is not likely to become obsolete for the foreseeable future.
Whatever your viewpoint on the subject, this report has certainly made for some interesting dialog in the trade press and other professional news outlets. A follow-up story that responds to and rebuts the Gartner Report makes a great counterpoint to the original story.