January 02, 2001, 1:11 PM — WE HAD HIGH HOPES in 1998 when we reviewed the new security technology, network-based IDS (intrusion detection systems). The review shared cautious optimism about the security industry's ability to thwart (or at least detect) malicious hacker attacks. After all, didn't we all want to know what really passed across those electron-filled copper wires? But today, after nearly three years of battle scars, we are here to announce the death of network IDS.
For those of you who are unfamiliar with this once-promising technology, network IDS is designed to examine the traffic passing on the wire and compare it against a database of known attack signatures to decide whether that traffic is good or bad. Like a trained basset hound sniffing for drugs in luggage at the airport, network IDS products attempt to detect the few malicious packets among the billions that travel the wires of your company's network every year. At first glance, the concept is simple to understand, but perhaps its simplicity is what lulls so many into complacently believing that it has value.
Hope turns to headaches
One of the first problems discovered with early IDS technology is its dependency on shared network segments. On this old-school (hub-based) networking technology, everyone on the same segment can listen to all the traffic being sent on the wire, which is exactly what a passive sensor needs. A switch, by contrast, forwards each frame only to the port of its destination, so a sensor plugged into an ordinary switch port sees little beyond broadcasts and its own traffic. Because of this shared-segment requirement, IDS solutions can be painful for companies that depend on performance-enhanced switched networking: the sensor has to be fed from a mirror (span) port or a network tap, and a mirror port carrying more traffic than its own link speed silently discards the excess. Switching technology is so pervasive in organizations today that accommodating most network IDS proves daunting.
Along with switched-technology adoption, the need for higher network speeds has drawn most organizations to 100Mbps and 1Gbps speeds for their heaviest traffic segments. The sheer volume of packets traveling the wire at any given second on these large Web sites and e-commerce servers can make IDS as effective as a fly drinking from a fire hose. And the legitimate traffic is only the beginning. Consider the myriad network DoS (denial of service) techniques that can be used to force most IDS to drop packets: a sensor must hold state for every fragment and every half-open connection it sees, and an attacker can flood it with those far more cheaply than the sensor can keep up. The rub with packet loss is that you'll never know which packets are being dropped, the legitimate or the malicious ones; a sensor that drops packets goes quietly blind rather than visibly failing.
And we don't need to remind you of the fragmentation reassembly, insertion, and DoS problems with network IDS, do we? The IDS attacks made famous in 1998 by Timothy Newsham and Thomas Ptacek live on to this day as the de facto techniques for avoiding IDS. Insertion means the sensor accepts a packet that the end host will reject (a bad TCP checksum, a TTL too short to reach the host), so the two reconstruct different streams; evasion means the end host accepts what the sensor discards or never reassembles, such as an attack string split across IP fragments or TCP segments. Either way the sensor's picture of the conversation is not the one the victim actually saw.
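To make the signature-matching idea from the opening and the insertion/evasion problems above concrete, here is a toy signature-based sensor. It is an added example, not code from the original article or from any IDS product; the signature database, the packets, the attack string, the hop count to the protected host and the checksum flag are all constructed for illustration. It shows a per-packet matcher missing an attack string split across two TCP segments, a reassembling matcher that trusts every segment being fooled by a chaff segment the host would drop, and a reassembler that applies the end host's acceptance rules catching both.

```python
"""
Toy signature-based network IDS, added here to illustrate the article's
points; it is not code from the original page or from any IDS vendor.
The signature database, packets, attack string, hop count and checksum
flag are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed "database of known attack signatures": byte patterns the
# sensor treats as hostile when found in a payload.
SIGNATURES = {
    "cgi-phf": b"/cgi-bin/phf",
    "bin-sh": b"/bin/sh",
}

# Assumption for the example: the protected host sits 4 router hops past
# the sensor, so a packet with TTL <= 4 is seen by the IDS but expires
# before it reaches the host.
HOPS_TO_HOST = 4


@dataclass
class Segment:
    """One TCP segment as the sensor sees it (constructed fields)."""
    seq: int                  # sequence number of the first payload byte
    data: bytes
    ttl: int = 64             # IP TTL at the sensor
    checksum_ok: bool = True  # False models a deliberately bad TCP checksum


def match_signatures(payload: bytes) -> List[str]:
    """Return the names of all signatures present in the payload."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in payload)


def per_packet_ids(segments: Iterable[Segment]) -> List[str]:
    """Naive sensor: inspects every packet in isolation, never reassembles."""
    hits = set()
    for s in segments:
        hits.update(match_signatures(s.data))
    return sorted(hits)


def reassemble(segments: Iterable[Segment],
               accept: Callable[[Segment], bool]) -> bytes:
    """Rebuild the byte stream from the segments that pass `accept`, in
    arrival order; where two segments overlap, the first byte seen wins."""
    stream = {}
    for s in segments:
        if not accept(s):
            continue
        for i, b in enumerate(s.data):
            stream.setdefault(s.seq + i, b)
    return bytes(stream[k] for k in sorted(stream))


def naive_reassembling_ids(segments: Iterable[Segment]) -> List[str]:
    """Reassembles, but trusts every segment it can parse. Vulnerable to
    insertion: the attacker slips in bytes that only the IDS will accept."""
    return match_signatures(reassemble(segments, accept=lambda s: True))


def host_aware_ids(segments: Iterable[Segment]) -> List[str]:
    """Reassembles using the end host's acceptance rules, so its view of
    the stream matches the host's."""
    def host_would_accept(s: Segment) -> bool:
        return s.checksum_ok and s.ttl > HOPS_TO_HOST
    return match_signatures(reassemble(segments, accept=host_would_accept))


# Evasion: the attack string is split so that no single packet carries the
# whole signature (constructed traffic).
SPLIT_ATTACK = [
    Segment(seq=0, data=b"GET /cgi-bi"),
    Segment(seq=11, data=b"n/phf HTTP/1.0\r\n"),
]

# Insertion: a chaff segment with a bad checksum arrives first and claims
# the same sequence space as the real bytes. The host discards it; a sensor
# that does not verify checksums reassembles "...pXX..." and sees no attack.
INSERTION_ATTACK = [
    Segment(seq=0, data=b"GET /cgi-bin/p"),
    Segment(seq=14, data=b"XX", checksum_ok=False),
    Segment(seq=14, data=b"hf HTTP/1.0\r\n"),
]

# Same trick using TTL: the chaff expires before it reaches the host.
TTL_INSERTION_ATTACK = [
    Segment(seq=0, data=b"GET /cgi-bin/p"),
    Segment(seq=14, data=b"XX", ttl=HOPS_TO_HOST),
    Segment(seq=14, data=b"hf HTTP/1.0\r\n"),
]


if __name__ == "__main__":
    for name, traffic in [("split", SPLIT_ATTACK),
                          ("insertion", INSERTION_ATTACK),
                          ("ttl-insertion", TTL_INSERTION_ATTACK)]:
        print(name, "per-packet:", per_packet_ids(traffic),
              "naive-reassembly:", naive_reassembling_ids(traffic),
              "host-aware:", host_aware_ids(traffic))
```

The checksum case is the easy one, because a sensor can verify TCP checksums on its own. The TTL case is the hard one: the sensor can only reject the chaff if it knows how many hops separate it from the victim, which is topology knowledge a signature database does not carry. Real stacks also differ in which byte wins when segments overlap, so the "first seen wins" policy here is itself an assumption an attacker can exploit against a sensor that guesses wrong.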