Intrusion Detection System Customers
Let us consider the typical groups of customers that require intrusion detection systems. This will help you form a list of criteria for making the right choice for your own situation. The exercise is worthwhile because each group has its own specific requirements for an intrusion detection system, and these requirements can differ significantly. For example, if you represent a small company with a single Internet connection to be protected by the intrusion detection system, mechanisms for the centralized management of remote sensors are of little or no value to you. For a large company, on the other hand, such a mechanism may be one of the most important.

We can classify IDS customers into the following categories.

  • Small companies that have no remote affiliates or departments

  • Mid-size and large companies whose affiliates and departments are geographically distributed all over the country

  • Large international companies that are geographically distributed all over the world

  • Internet providers

  • Information security service providers (outsourcing companies)

It is also necessary to mention that in some countries, special requirements exist, which demand that security systems used in governmental, military, or other organizations be certified according to predefined rules. Quite often, this requirement is the key one, which has priority when choosing an intrusion detection system. Even the most efficient intrusion detection system can be rejected just because it fails to meet this requirement.

Small Companies

This category is the most typical among intrusion detection system customers. It includes small banks, IT firms, local governmental organizations, universities, etc. The distinguishing features of groups in this category are: a single point of connection to the Internet, a small number of hosts within a LAN, and the centralized management of all resources.

Large Companies with Remote Affiliates

Customers in this category usually have at least one remote affiliate located either in the same city as the headquarters or in another (Fig. 9.1). In this situation, the affiliate or department can manage its resources in-house, or resource management can be run centrally from headquarters. In some cases, remote affiliates located in isolated parts of the country might not have personnel qualified to carry out this task.

Fig. 9.1. A large company with remote affiliates

International Corporations

The conditions for international corporations are quite similar to those for large companies (Fig. 9.2), with the following two exceptions. First, the corporation might include several subsidiary bodies joined into a united whole. These subsidiary bodies may have quite different or even contradictory security requirements. Second, international corporations differ from large companies in that their offices are distributed all over the world. This, of course, significantly influences the intrusion detection infrastructure. For example, as was already mentioned, most intrusion detection systems provide cryptographic protection for interaction between sensors and the console. However, the use of encryption in different countries faces different restrictions, and must be in accordance with the various laws and regulations.

Fig. 9.2. An international corporation

Internet Service Providers

Internet Service Providers (ISPs), in contrast to the categories of companies above, operate mainly with the resources (including, of course, the traffic) of their clients rather than their own. This has a definite impact on the way they must work with intrusion detection systems. Unlike end users, ISPs handle a very large number of network connections and a very large number of users. Therefore, most current intrusion detection systems are not effective for them, since, as we have already seen, network-based systems are oriented towards attacks targeting a single network segment or "listening" on several ports of switches and routers. ISPs normally have hundreds or even thousands of these switches. Besides this, the high connection speeds do not allow the provider to monitor all of its traffic. It makes no sense for an ISP to use a system that protects only some of its users and provides no protection for the remainder. Thus, an ISP is forced either to purchase an intrusion detection system for each segment (switch), which is prohibitively expensive, or to attempt to solve the problem of detecting and reacting to intrusions by other methods. One such method is an IDS integrated into the network hardware (for example, RealSecure for Nokia or the Cisco Catalyst 6500 IDS Module).

Service Providers

This option is a combination of an end user and an Internet Service Provider. Service providers monitor the traffic of specific users, but at the same time an outsourcing company centrally manages the IDS. End users rely on outsourcing because they need outside help with security mechanisms and technologies. Naturally, the amount of help needed depends on how important the user's data is and on the end user's own sense of security. These services are becoming quite common. Most end users do not want to deal with the hassles of running an intrusion detection system. It is much easier for them to have such a system as part of a comprehensive network security solution provided by an external organization and supported 24 hours a day, 7 days a week. A reliable intrusion detection system must be easy to use, and it must be designed so that a technician can operate it. Currently, however, data analysis and developing responses still require a certain level of expertise. The lack of these protection skills prevents most organizations from ensuring security at a high technical level. Consequently, it is likely that more and more organizations will rely on outsourcing in the network security area. Various aspects of using the services provided by outsourcing companies are covered in greater detail later in this chapter.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152