


IDS is dead if an enterprise only uses it as a historical tool or as an attempt at forensics from a network point of view. This is a huge mistake that many companies made. They invested millions in an IDS system and dedicated FTEs to this technology. IDS is not dead if it is used instead as an IPS that is application-aware.

The "wow" factor wears off pretty quickly with IDS. At first it's cool to see the attacks that it finds. "There's a port scan!" "Wow, Welchia version 39!" But pretty soon you start to scratch your head and wonder why you can't do something about all this malicious traffic and malicious code.

IDSs tend to fizzle out into nothing more than weekly reports about which latest virus hit your company last week, or how many million times old malware like Sasser and Welchia knocked on your Internet door. Hardly worth spending millions on.

BTW, funny to see Ranum make a comment like that. His original stab at IDS came with NFR. Network Flight Recorder was intended as a forensics tool, not an IDS. A technology partner actually created some of the first IDS signatures for it, and they then bought that technology and officially offered it under the NFR flagship. So actually I would say that IDS, the way Ranum originally envisioned it back in the late '90s, was and is DOA.

I think if you look at the industry, there are certain key players and technologies that have merged IPS with their firewall technology to secure both networks and applications. This approach is much more successful. Since companies are reluctant to perform code reviews, they are forced to address these risks from a network perspective, either through internal audit requirements or something like PCI 1.1. Keep in mind though that the "network" is not limited to layer 3 and layer 4 (unless you are a networker, in which case you probably think router ACLs are just dandy).

The "network" must include what is being delivered in the payload, and now must understand Web Services.

BTW, IMO the Gartner reports are usually a joke anyway. These are the guys that consistently rate Cisco products in the "upper quadrants."
