Rapid Changes in the Marketplace


Until 2004, intrusion prevention was primarily hype. As recently as June 11, 2003, when the famous Gartner "IDS Is Dead" report was released, following its advice to give up on your IDS and trust in the latest generation of "intrusion prevention" firewalls was almost impossible: the IPS products were still too immature, and firewalls were not sufficiently advanced to run within internal networks in a blind and unprotected manner. Although the criticisms of IDS were certainly true (they have a high false-positive rate and can be bandwidth-challenged), those criticisms did not support the conclusion that you should invest in a better firewall instead.

However, no one can deny that this paper was the nexus of a lot of change, especially in the IDS industry. The most positive effect was a significant improvement in false-positive handling. NFR started working on a network intrusion prevention system (NIPS); Sourcefire ditched Snorty the pig and, in terms of its primary internal focus, became a passive sensor and visualization tool company built around Realtime Network Awareness (RNA). Symantec and Enterasys were quick to point out that the Gartner report was simplistic: you really should buy both an IDS and an IPS, and you should buy both from them. And, of course, every firewall vendor, no matter how lame, immediately found a way to get intrusion prevention onto its home page somehow. The entire industry reformed itself in a year's time, but not always for the better.

The Classic Response to the Gartner "IDS Is Dead" Report

The Gartner report stirred up a considerable amount of anger, and there were some pretty steamy postings on newsgroups. My favorite is the tongue-in-cheek reply by the Chief Technology Officer of the intrusion detection company NFR (who now also has an IPS):

"How about the demise of current generation industry analysts by 2005. Reason? Excessive false positives and lack of corporate value. They will be supplanted by next-gen analysts who will deliver outrageous claims with no loss of performance. After all, if you can make stuff up, why bother with thoughtful analysis. :-)

Andre Yee, NFR Security, Inc."

You can view Andre's reply at http://seclists.org/lists/focus-ids/2003/Jun/0184.html.

The biggest problem with the "IDS Is Dead" report is that it ignores the value of sensors. We would never ask a pilot to fly in visual blackout conditions without instrumentation, nor would we ask a CFO to run a company's finances without up-to-date, validated financial information. If you agree with these examples, would you ask the Chief Security Officer of an organization with high-value intellectual property assets to turn off or minimize his IDS sensors? Scarcely a week after the Gartner report, The SANS Institute was receiving email from people being asked by senior management if they should still be running their IDS systems.


Today, we have an industry where everyone has a product labeled "intrusion prevention." However, there is no agreed-upon definition of what intrusion prevention is. It is no longer just hype; there are some powerful trends afoot, even though the functionality provided by industry products varies significantly. Therefore, as we work our way through the chapter, we will classify the products into two major groups:

  • Network intrusion prevention systems (NIPS): Devices that sit on the network and help prevent intrusions

  • Host-based intrusion prevention systems (HIPS): Software that runs on a host system and helps prevent intrusions



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005