Core Topic
Security and Privacy: Security Tools, Technologies and Tactics

Key Issues
How will network-based applications become safe for mission-critical businesses during the next five years?
Which technology and business factors will enterprises use to structure network-based security strategies?

Strategic Planning Assumptions
By year-end 2003, established firewall platforms will offer packet-level analysis and blocking capability from established and integrated intrusion detection system offerings, providing the first wave of network-based intrusion prevention technologies (0.9 probability).
By year-end 2004, advances in nonsignature-based intrusion detection technologies will enable network-based intrusion prevention to replace 50 percent of established intrusion detection system deployments and capture 75 percent of new deployments (0.6 probability).
By fourth-quarter 2005, market-leading firewall vendors will offer deep packet inspection technologies for application defense (0.9 probability).

Note 1
Recent Intrusion Detection/Prevention Research
"Four Paths to True Network Security"
"Defining Intrusion Prevention"
"Deep Packet Inspection: Next Phase of Firewall Evolution"

In "Hype Cycle for Information Security, 2003," Gartner stated that "intrusion detection systems are a market failure. Vendors are now hyping intrusion prevention systems, which also have stalled. The functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities." Although this statement was supported by recent research (see Note 1), it generated a barrage of questions from clients.

Should I simply not try to detect network intrusions?

You should continue to detect intrusions. However, you shouldn't invest in stand-alone, network-based intrusion detection systems (IDSs). Network-based IDSs suffer from two major shortcomings:

• There are too many "false alarms." Without extensive, continual tuning, network-based IDSs generate thousands of alerts for every actual attack detected.

• They don't work at wire speeds. Most network-based IDS products don't detect attacks in real time, and they can't handle the high speeds of internal networks.

The first shortcoming has caused enterprises to abandon their IDS investments, outsource monitoring to managed security service providers or invest in security management products to plow through false alarms to detect actionable events. The second shortcoming means that the IDS is purely reactive — it detects attacks that have already hit their targets by the time security staff responds to the alarm.

Have IDS vendors improved IDS accuracy and performance?

The two most widely used security products are firewalls and antivirus products. Both block attacks. Because network-based IDSs have terrible reputations for producing false alarms, enterprises likely will not believe that their IDS products will start blocking attacks. However, by 2006, most enterprises will perform intrusion detection as part of firewall processing with next-generation firewalls.

If car alarms went off 10 times per minute and only issued real alarms two hours after the car was actually stolen, then we would say that car alarms were a market failure. IDSs must improve their performance to be useful. If performance improves, IDSs can be used to block attacks. Firewalls will absorb the functionality.
QA-20-4654
© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. 22 July 2003 2
Most internal attacks consist of authorized users taking unauthorized actions or otherwise abusing their privileges. Network-based IDS systems don't detect this type of activity. Network IDS sensors can detect internal hacking events, but these comprise less than 5 percent of the "insider" problem.