I think I installed my first IDS back in 2000 and my first IPS in 2002. Back then, we had software- or appliance-based offerings, and we chose to install them either in front or just behind our firewalls for an added level of security. The technologies back then were a bit challenging to deploy and did not offer a wide array of configuration or management options. As these technologies morphed into stateful firewalls and, eventually, unified threat management (UTM)-style products, the traditional intrusion detection/intrusion prevention systems have continued to provide a valuable service in our layered defense/security architectures.
These technologies have evolved to support enterprise-wide deployment models, allowing admins to deliver an added layer of protection across any LAN segments or host systems they wish to protect. So instead of focusing our intrusion technologies strictly at the gateway traffic, we now have technologies that allow us to gather and manage information as it moves around our networks and to mitigate risks wherever they are found.
Through easy-to-use policy tools - allowing admins to create custom rules and threat descriptions - and added technologies, such as sophisticated risk and threat modeling and behavioral analysis, these solutions bring us much closer to protecting our enterprise from zero-day threats. The distributed architectures allow for far greater deployment and protection options, while maintaining central policy management and log collection.
How we tested
We tested these products by configuring our lab into a three-zone setup: a firewalled internet connection, an internal LAN, and a DMZ, also hung off a firewalled port. The DMZ consisted of a patched Windows 2003 domain controller and SQL server. The internal LAN consisted of an unpatched Windows XP SP2 PC and a CentOS Linux server. It is important to note that we were not testing the products for their ability to stop various threats. We reviewed the signature- and rule-based and zero-day capabilities to compare features and functions only.
We ran Nessus and NMAP scans against various hosts to generate alerts and log data so that we could evaluate the management, reporting, dashboarding and alerting capabilities. We tested the policy creation and deployment features and reviewed how each product kept its threat and vulnerability databases up to date. Of the five products reviewed, four shipped to us as appliances and one was a software deployment requiring a dedicated Linux server.
We didn't assume these products would be simple to deploy. All of the products we reviewed this month took quite an effort to deploy and configure. These technologies are definitely not plug and play, but what good security product is? Once deployed, all the products delivered graphical tools for configuration and management of the sensors. Some were more intuitive than others. We found vast differences in reporting, dashboarding and alerting. Most of the products had inline and passive modes for monitoring traffic. There were things we liked about each solution we reviewed, which means it will be very important to understand what one really wants in an IDS/IPS solution before deciding which platform to acquire. All the solutions delivered base IDS capabilities. The differentiators came in the form of the IPS capabilities and the technologies used to combat sophisticated and zero-day threats.
The documentation was not quite what we wanted to see from each of the participants. That forced us to use the support options available to us, and those were all very impressive.
The product sets we reviewed were flexible and delivered so many options - from out-of-the-box protection to elaborate, customized policy rules and risk and threat heuristics. If one has the time to evaluate multiple technologies, these are definitely tools that justify a full evaluation to help determine the best solution for the enterprise's needs.