Tom Newton, Product Manager at SmoothWall (www.smoothwall.net), says:

Due to the diverse nature of business operations and the multitude of service provision needs which need to be satisfied, it is increasingly difficult to provide a “catch all” solution which provides a single point of complete coverage for all security aspects for these services.
In each circumstance the security solution needs to be tailored to specifics of each service provided, whether it be spam filtering and phishing prevention for email or inappropriate content and exploit prevention for web browsing, the technical challenge of security provision is unique to each domain.

Intrusion detection, prevention and reaction is a useful tool in any IT infrastructure, as the very nature of the security solution means it is able to provide a modest security coverage in many areas of service provision. The name “intrusion” forms understated impressions over the actual capability of the this tool, as it is not just about stopping unwanted access to systems.

The intrusion detection aspect provides administrators the ability to customise detection of nearly any traffic being transmitted on their network, from specific protocols and applications to individual hosts, or ultimately the contents of TCP/IP streams and packets, in any direction. Providing the ability to know about not only persistent external threats, but also internal malicious activity, for example from hosts on the network which have already been compromised or exploited, or even employees who are breaking corporate policy by trying to use a instant messaging protocol or trying to establish peer-to-peer downloads.

Inspecting traffic in this detail provides a large and detailed picture of the activity on a network, giving administrators reporting facilities which other service specific security solutions are not able to. When installed in the correct location on the network, such as a gateway or backbone router, this facility is expanded from not only detection and reporting of network traffic but also actual control of the traffic. The intrusion prevention and reaction aspect allows packets from new or already initiated connections to be dropped, preventing them from reaching their destination. This power allows administrators to control traffic which meets certain customisable criteria, and act or react accordingly. For example if there is an obvious pattern of malicious intent found in a http request destined for your web server or “DELETE *” to your db server, your gateway IDP system simply discards the nasties. In a similar vein if there are persistent failed login attempts from the same address to a server on your network, an intrusion reaction system would firewall off any future connection attempts for xhours, mitigating any potential future malicious activity from the persistent threat.

Where is your money best spent?

Costs are normally dictated in a linear fashion by installation size, as there are only so much traffic the a single IDS sensor can analyse. IDS requires amalgamating network flow to single sensors for analysis, so networking hardware is required to provide the aggregation in the form of packet forwarding, port mirroring or taps. IDP cannot provide the most effective coverage unless it receives the contents of an entire conversation between networked nodes. Ultimately this means investing in networking infrastructure which supports aggregation in some form, and enough IDP “sensors” to provide complete coverage of the networked services and the clients that consume them.