There remain many things that NIDS tools are extremely effective at detecting. Outbreaks of (known) viruses, worms, malware, etc., can stand out like a sore thumb on a network that is being monitored using NIDS tools.
Even many novel attacks can be detected using NIDS tools. For example, botnet and other malware often installs network services on infected computers. When attackers connect to these services, a desktop computer behaves -- at a network level -- much like a "server." Most modern NIDS tools will notice that sort of network activity even when it's caused by previously unknown malware.
But don't be fooled for a moment that NIDS products are effective at detecting all Web application-level attacks. The only place to put real application security measures is inside the applications themselves. That kind of security cannot be bought and bolted on post facto.
Similarly, we mustn't give up on SSL either. It remains the most ubiquitous and accepted network encryption technology available today. We really must use it to protect sensitive data in transit.
Does that mean our NIDS products are doomed to never be able to pierce the SSL veil? In many or most cases, yes it does. Now, in enterprise-class architectures, we can offload the SSL processing to front-end processors and place our NIDS sensors behind those processors, but that may well be beyond the reach of many smaller companies.
We can also consider host-based intrusion detection systems (HIDS) on our application processors, but be warned that many HIDS products are woefully inadequate at detecting application-layer attacks. Again, there is no substitute for placing application-layer defenses -- including intrusion detection -- inside an application.
And let's not also neglect another hugely beneficial aspect of using SSL -- authentication. In most applications, only the server authenticates to the client, but even that is a value-added service. And in cases where client certificates are used in addition to server certificates, SSL provides us with seriously strong mutual authentication.
Nonetheless, no technology is perfect. That statement shouldn't surprise any of us, right? Intrusion-detection technologies found today are useful tools, but we cannot rely on them for everything. Application attacks are one of their weaknesses. Let's accept that and turn our attention to building more secure applications in the first place.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Deptartment of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.