Intrusion Detection Users Grapple With Performance, Management Issues


Intrusion detection systems are here to stay as an integral part of the network security infrastructure. But security solutions vendors must work to overcome user skepticism and frustration about intrusion detection stemming from poorly performing early deployments, lack of scalability, and difficulties in management and data gathering and analysis.

Those were common themes and opinions voiced at the Institute for Applied Network Security's recent two-day Intrusion Detection Forum held at the MIT Endicott House in Dedham, MA. The Institute for Applied Network Security hosted the Forum in partnership with the New England Chapter of the Information Systems Security Association (ISSA). Senior information technology professionals from 16 publicly traded companies and 17 private firms participated, along with experts from security product and service providers. The combined market capitalization of the public companies exceeded $380 billion.
"The Forum was a very valuable experience for our presenting team," said Mike Paquette, vice president of product management at Top Layer Networks (toplayer.com), a manufacturer of network devices that balance high-speed traffic over intrusion detection systems and defend against denial-of-service attacks. "The IDS is an essential part of what has become the 'balanced breakfast' of a complete IP security policy, one that also includes attack mitigation, firewalls, virus protection, and virtual private networks in most companies."
"We learned that the concerns of today's IDS users still center around nuts-and-bolts issues. Where is the best place to put my IDS sensors in the network? How can I make sense of all the data I receive on network traffic and security incidents? How can I be sure that what I buy will be fully compatible with my existing network components and my overall security policy? And what is the total cost including management time and the return on my investment?" continued Paquette.
In response to IDS user complaints that their sensors often ran much more slowly than advertised, Top Layer's chief security officer Joe Magee said, "An IDS system that says it will process traffic at 100 megabits per second might actually perform at 70 or even lower if they keep adding attack signatures to look for. And that's a constant problem -- Code Red had about six to ten possible signatures. Sub Seven had four signatures. The more attack signatures an IDS has to look for, the slower it will run."
"The answer here is a combination of balancing and tuning. Every network is different, and the first order of business is to determine what servers or subnets on the network need protection, and what attack signatures are associated with those servers. For instance, if you do a lot of e-commerce, you can mirror all of the HTTP flows that come in through the router to one or more IDS sensors tuned to look for only the attack signatures associated with web traffic. The IDS sensors will work much faster and more thoroughly because they're not chugging through their database looking for every possible intrusion."
"Once you really know your network and its vulnerabilities, it becomes a matter of determining how many sensors you need to handle the traffic volume, placing and configuring the sensors properly, and intelligently distributing the targeted traffic to them. Existing IDS systems in most cases will perform much better with this approach."
Forum participants expressed doubts about fully outsourcing security functions, although they recognized the need for retained, third party expertise. They also are seeking improvement in the quality and usability of data generated by IDS logs and other system-monitoring devices. The consensus of opinion held that using the data to determine what has happened to an attacked network and why it happened is more important than gathering information for prosecution of an attack's perpetrator.
The Institute for Applied Network Security will conduct its next Intrusion Detection Forum October 17-18 at the Dolce Hamilton Park Conference Facility in Florham Park, New Jersey.

Source: TheWHIR : Web Host Industry Reviews
URL source: http://www.thewhir.com/marketwatch/intrusion828.cfm