But for small and medium-sized businesses (SMBs) with much smaller networks and thin IT staffs, IDS can seem like a costly luxury. For one, you need on-call staff 24x7 so the IDS has someone to page. Unfortunately, firewalls alone are not enough protection.
There are two low-budget options for IDSes and IPSes that SMBs can try. You can use products that cater to smaller companies with smaller networks, or you can use an outsourcer that provides monitoring and warning services tailored to SMBs.
But before you make any decisions, consider the basic criteria for evaluating an IDS or IPS: the size and scale of your network, the type of data and infrastructure that needs protection, and how the IDS will fit into your current incident response strategy.
Network size and scale: The size and scale of your network is important because an IDS, like any other appliance on your network, can be a drag on network performance. An IDS is just another piece of security hardware alongside your firewalls, and malware, spam and content management filters. For an extremely small network, this can be a lot to bear. If so, a firewall with good logging capabilities might be more in order than a full-blown IDS. Keep in mind that a firewall blocks unwanted traffic but doesn't always log it. An IDS logs unwanted traffic but doesn't necessarily block it, unless it's also an IPS. So firewalls and IDSes are really two sides of the same coin.
On the other hand, more recent products combine all these features to offer not just IDS, but also firewall, filtering and other capabilities all in one handy appliance. This is something an SMB should consider when shopping around for an affordable and scalable device for a smaller network.
Type of data and infrastructure: An SMB should never rely solely on an IDS for security. An IDS should be part of a multilayered defense that includes, among other things, firewalls, sound access management, and desktop, server and hardware hardening.
In addition, to be truly effective, intrusion detection systems need to be installed on both sides of your firewalls, inside the network and outside your network on the gateways where traffic comes in. An IDS doesn't work in isolation. The whole point is to check traffic from all directions, both internal and external. By comparing the results from different network segments, the source of an attack or attempted intrusion can be determined. Insider attacks are quite common and can be determined, for example, by suspicious activity on the IDS on the internal -- but not the external -- network segment.
To fit the IDS into your current response strategy, conduct a thorough risk analysis of what resides on your servers:
If data is low-risk, simple firewalls may be sufficient to prevent intrusion. That said, hackers often try to break into lesser-protected systems as a back door into juicier territory. Are lower-risk systems isolated from servers with high-risk data? Along with risk levels, consider the architecture of your system when plunging into an IDS and the accessibility of low-risk systems to those of higher risk.
When reviewing a system, check how it sends out alerts and to whom. If your IT shop is one person, will that person be able to handle endless pages, many of which might be false alerts? Should it send emails? IDSes can also generate a lot of log data, most of which isn't helpful or useful. Evaluating that data -- and doing it in time to respond to real intrusions -- can be quite a task. Consider products that can help review alert data and help separate the serious intrusions from ordinary background noise coming from routine hacker probing on the Internet.
Here are two interesting appliances geared toward SMBs. They come from iPolicy Networks Private Ltd. and TriGeo Network Security Inc.
The iPolicy Release 3.0, which came out last December, uses what it calls Real-Time Vulnerability Correlation (RVC). IPolicy's RVC uses data from Nessus, a popular scanning tool from Tenable Network Security Inc., and eEye Inc.'s Retina, which collates up-to-the minute threat information from Common Vulnerabilities and Exposures and BugTraq, two vulnerability databases well known in IT security. Users can tune iPolicy by entering the values and risk levels of assets. RVC then matches the threats against these values to customize alerts from its IDS and IPS. IPolicy also includes antiviral protection and can monitor Voice over Internet Protocol networks, instant messages and other peer-to-peer forms of communication, even if it uses nonstandard ports or port hopping.
TriGeo Security Information Manager is known for doing real-time log analysis and, like iPolicy, analyzes live data and network behavior to produce more fine-tuned intrusion detection. The product centralizes and aggregates log information into a single usable report. Rather than sifting through multiple logs, as is frequently the case, TriGeo boils each incident into one line that your IT person can glance at and decide what, if any, action to take.
SMBs can also outsource to companies that specialize in intrusion monitoring and incident response. Three vendors offering services to SMBs are Internet Security Systems Inc. (ISS) in Atlanta, Qualys Inc. in Redwood Shores, Calif., and Symantec Corp. in Cupertino, Calif. All have dedicated staffs that are experts in incident response and deal with intrusions on a daily basis. Rather than using a hardware IDS, these companies remotely scan and manage network perimeters from their operations centers.
ISS, which also offers IDS appliances, uses information from its X-Force security intelligence service and has a Web-based portal for customers to keep up-to-date. Qualys ranks assets by their value and risk and then approaches its monitoring based on those rankings. Symantec's DeepSight Threat Management System checks for targeted attacks by analyzing a company's particular domain.
Symantec is also a managed security services provider partner for Sourcefire Inc., the parent company for Snort, the famous open source IDS software. Snort can also be used as a standalone product without outsourced support, and is a reliable and popular IDS that be easily deployed by an SMB.
As security threats have blended together, from hardware to network and software, so has intrusion detection. It has become part of a bigger security picture including firewall and vulnerability management, network access control and endpoint security. IDS should be seen as just one part of the IT security program for an SMB.
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and is the author of The Little Black Book of Computer Security, available from Amazon.com. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at www.theitsecurityguy.com.
This was first published in August 2007