Select Q&A, QA-20-4654 Research Note

J. Pescatore, R. Stiennon, A. Allan 22 July 2003

Intrusion Detection Should Be a Function, Not a Product

Intrusion detection's permanent placement in the Trough of Disillusionment does not mean that it is obsolete. Intrusion detection should be incorporated into other products rather than implemented as a stand-alone product.

Core Topic
Security and Privacy: Security Tools, Technologies and Tactics

Key Issues
How will network-based applications become safe for mission-critical businesses during the next five years?
Which technology and business factors will enterprises use to structure network-based security strategies?

Strategic Planning Assumptions
By year-end 2003, established firewall platforms will offer packet-level analysis and blocking capability from established and integrated intrusion detection system offerings, providing the first wave of network-based intrusion prevention technologies (0.9 probability).
By year-end 2004, advances in nonsignature-based intrusion detection technologies will enable network-based intrusion prevention to replace 50 percent of established intrusion detection system deployments and capture 75 percent of new deployments (0.6 probability).
By fourth-quarter 2005, market-leading firewall vendors will offer deep packet inspection technologies for application defense (0.9 probability).

Note 1
Recent Intrusion Detection/Prevention Research
"Four Paths to True Network Security"
"Defining Intrusion Prevention"
"Deep Packet Inspection: Next Phase of Firewall Evolution"
"Network Security Platforms Will Transform Security Markets"
"Intrusion Prevention Will Replace Intrusion Detection"

In "Hype Cycle for Information Security, 2003," Gartner stated that "intrusion detection systems are a market failure. Vendors are now hyping intrusion prevention systems, which also have stalled. The functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities." Although this statement was supported by recent research (see Note 1), it generated a barrage of questions from clients.

Should I simply not try to detect network intrusions?

You should continue to detect intrusions. However, you shouldn't invest in stand-alone, network-based intrusion detection systems (IDSs). Network-based IDSs suffer from two major shortcomings:

• There are too many "false alarms." Without extensive, continual tuning, network-based IDSs generate thousands of alerts for every actual attack detected.
• They don't work at wire speeds. Most network-based IDS products don't detect attacks in real time, and they can't handle the high speeds of internal networks.

The first shortcoming has caused enterprises to abandon their IDS investments, outsource monitoring to managed security service providers or invest in security management products to plow through false alarms to detect actionable events. The second shortcoming means that the IDS is purely reactive — it detects attacks that have already hit their targets by the time security staff responds to the alarm.

Have IDS vendors improved IDS accuracy and performance?

IDS vendors have slightly improved false-alarm performance compared to first-generation systems. However, there is a fundamental flaw in IDS vendors saying that they have solved the false-alarm problem and can run at wire speeds. If they can detect real attacks with high accuracy, and do so at wire speeds, why just sound the alarm — why not block the attack?

Gartner
© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Although the false-alarm and performance problems primarily have been associated with network-based IDSs, host-based IDSs also must move toward "more blocking, less alarming."

Should I block network attacks if, by doing so, I risk disrupting legitimate traffic?

The two most widely used security products are firewalls and
antivirus products. Both block attacks. Because network-based
IDSs have terrible reputations for producing false alarms,
enterprises likely will not believe that their IDS products will start
blocking attacks. However, by 2006, most enterprises will
perform intrusion detection as part of firewall processing with
next-generation firewalls.

There are three classes of events:

• High-confidence normal traffic — allow to pass
• High-confidence attack traffic — block
• Unidentified traffic — log or alarm (intrusion detection)

Firewalls already perform this type of processing, although
mostly at the network protocol level. Web application firewalls
and other deep-packet-inspection-based products have begun to
perform this processing at the application level. There have been
enough advances in algorithms and high-speed network security
processors to enable next-generation firewalls to perform
network intrusion detection and blocking at all layers of the
protocol stack. Mature products will ship in 2005.
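The three-class disposition described above, worked through as an added example (this is illustration code, not part of the research note or of any vendor's product): a small rule engine where each rule carries a confidence value, high-confidence matches are acted on (allowed or blocked), and anything that is unmatched or matched only weakly falls into the "unidentified" class and is logged. The permitted ports, rule names, confidence values, the 0.9 action threshold and the sample packets are all constructed for the example.

```python
"""Three-way traffic disposition (allow / block / alert).

Example code added for illustration; the rules, confidence values and
sample packets are constructed, not taken from any product.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

ALLOW, BLOCK, ALERT = "allow", "block", "alert"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""   # application-layer content, e.g. an HTTP request line


@dataclass
class Rule:
    name: str
    layer: str                        # "network" (protocol level) or "application"
    match: Callable[[Packet], bool]
    verdict: str                      # ALLOW or BLOCK, applied only when confident
    confidence: float                 # assumed 0..1 scale, set during tuning


# Assumed tuning knob: a rule must be at least this confident for the firewall
# to act on its own (allow or block); below it the traffic is only logged.
ACT_THRESHOLD = 0.9

PERMITTED_PORTS = {80, 443, 25}      # constructed network-level policy


def is_static_get(p: Packet) -> bool:
    """Well-formed GET for a static resource with nothing odd in the path."""
    parts = p.payload.split()
    return (len(parts) == 3 and parts[0] == "GET"
            and parts[1].startswith("/static/") and ".." not in parts[1]
            and parts[2].startswith("HTTP/1."))


RULES: List[Rule] = [
    # protocol-level check a firewall already does today
    Rule("no-service-on-port", "network", lambda p: p.dport not in PERMITTED_PORTS, BLOCK, 0.99),
    # application-level (deep packet inspection) checks
    Rule("static-get", "application", is_static_get, ALLOW, 0.95),
    Rule("path-traversal", "application", lambda p: "../" in p.payload, BLOCK, 0.97),
    # anomaly signal: suspicious but not confident enough to block on its own
    Rule("long-request-line", "application", lambda p: len(p.payload) > 200, BLOCK, 0.60),
]


def classify(p: Packet, rules=RULES, threshold=ACT_THRESHOLD) -> Tuple[str, str]:
    """Return (verdict, rule_name). Among all matching rules the most confident
    one decides; if even that one is below the threshold, or nothing matched,
    the packet is 'unidentified' and is alerted on rather than acted on."""
    matched = [r for r in rules if r.match(p)]
    if not matched:
        return ALERT, "unidentified"
    best = max(matched, key=lambda r: r.confidence)
    if best.confidence >= threshold:
        return best.verdict, best.name
    return ALERT, best.name


def dispose(packets, **kw):
    """Count how a batch of packets falls into the three classes."""
    counts = {ALLOW: 0, BLOCK: 0, ALERT: 0}
    for p in packets:
        counts[classify(p, **kw)[0]] += 1
    return counts


SAMPLE = [  # constructed traffic
    Packet("10.0.0.5", "10.0.1.10", 80, "GET /static/logo.png HTTP/1.1"),
    Packet("10.0.0.6", "10.0.1.10", 80, "GET /static/../../config HTTP/1.1"),
    Packet("10.0.0.7", "10.0.1.10", 8080, ""),
    Packet("10.0.0.8", "10.0.1.10", 80, "GET /" + "A" * 250 + " HTTP/1.1"),
    Packet("10.0.0.9", "10.0.1.10", 80, "POST /api/login HTTP/1.1"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.dport, p.payload[:40], "->", classify(p))
    print(dispose(SAMPLE))   # {'allow': 1, 'block': 2, 'alert': 2}
```

The threshold is the tuning the note talks about: lowering it (for instance to 0.5) moves the long-request-line packet from the alert bucket into the block bucket, which is exactly the trade between blocking more attacks and disrupting legitimate traffic that the next question raises.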

If I depend on the firewall for intrusion detection, isn't that like saying that automobiles don't need car alarms because the locks will keep out thieves?

If car alarms went off 10 times per minute and only issued real
alarms two hours after the car was actually stolen, then we would
say that car alarms were a market failure. IDSs must improve
their performance to be useful. If performance improves, IDSs
can be used to block attacks. Firewalls will absorb the
functionality.

Should I use an IDS on internal networks to detect attacks that don't come through the firewall?

Most internal attacks consist of authorized users taking
unauthorized actions or otherwise abusing their privileges.
Network-based IDSs don't detect this type of activity.
Network IDS sensors can detect internal hacking events, but
these comprise less than 5 percent of the "insider" problem.

IDSs can be useful on internal networks to discover "rogue" servers, or servers that have suspiciously changed their behavior. However, the cost of configuring internal networks with
IDS sensors is not much higher than placing in-line firewalls at
the same points. As the technology matures, the performance
and pricing of next-generation firewalls will allow internal
intrusion detection to be performed as part of network zoning
efforts that can greatly reduce the impact of worms and other
blended attacks.

Using firewalls to deny or allow application-level connections will require many rules on the firewall. Are firewall performance and security degraded when rule sets get large and complex?

Enterprises require extensive tuning of the network-based IDSs to use them effectively. These tuning actions are essentially
security policy rules that determine what is allowed or denied
(where denial means issuing an alarm), similar to what a firewall
does. Therefore, any application-level security approach will
require more rules than simple network-protocol-based security
controls.

Next-generation firewalls can implement complex rule sets at wire speeds. Leading products will provide user interface and
management capabilities to support enterprise security needs.

What should I do with my current or near-term IDS deployments before next-generation firewalls are available?

• Abandon plans for "IDS everywhere" deployments. Use your IDS investments to focus on trust boundaries (directly inside firewalls) and LAN segments that house high-value servers.
• Purchase security management products (see "The IT
Security Management Magic Quadrant Lacks Leaders") to
perform IDS alarm data reduction and correlation to firewall
and vulnerability assessment logs, or outsource IDS
monitoring to managed security service providers.
• Redirect network-based IDS funding to host-based intrusion
prevention on high-value servers, and to automated
vulnerability assessment and remediation processes and
products.
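The second recommendation, IDS alarm data reduction and correlation against firewall and vulnerability assessment logs, worked through as an added example (illustration code, not from the research note or any security management product). It deduplicates repeated alerts for the same flow and signature, drops alerts for flows the firewall denied (the attack never reached the target), and drops alerts whose signature targets a vulnerability the assessment says the destination does not have. The log line formats, the hosts, the vulnerability ids (VA-0001 and so on) and the 60-second correlation window are all constructed for the example.

```python
"""IDS alarm reduction by correlation with firewall and vulnerability data.

Example code added for illustration; the log formats, hosts, vulnerability
ids and time window are constructed, not from any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS alert log: one alert per line, 'timestamp key=value ...'.
IDS_LOG = """\
2003-07-22T10:00:01 sig=VA-0001 src=198.51.100.7 dst=10.2.2.10 dport=80
2003-07-22T10:00:02 sig=VA-0001 src=198.51.100.7 dst=10.2.2.10 dport=80
2003-07-22T10:00:03 sig=VA-0001 src=198.51.100.7 dst=10.2.2.10 dport=80
2003-07-22T10:00:05 sig=VA-0002 src=198.51.100.7 dst=10.2.2.11 dport=80
2003-07-22T10:00:09 sig=VA-0003 src=203.0.113.4 dst=10.2.2.12 dport=445
2003-07-22T10:00:12 sig=VA-0001 src=203.0.113.4 dst=10.2.2.13 dport=80
"""

# Constructed firewall connection log for the same period.
FW_LOG = """\
2003-07-22T10:00:01 action=permit src=198.51.100.7 dst=10.2.2.10 dport=80
2003-07-22T10:00:05 action=permit src=198.51.100.7 dst=10.2.2.11 dport=80
2003-07-22T10:00:09 action=deny src=203.0.113.4 dst=10.2.2.12 dport=445
2003-07-22T10:00:12 action=permit src=203.0.113.4 dst=10.2.2.13 dport=80
"""

# Constructed vulnerability assessment results: host -> vulnerability ids found.
VA_RESULTS = {
    "10.2.2.10": {"VA-0001"},
    "10.2.2.11": set(),          # patched; VA-0002 no longer present
    "10.2.2.12": {"VA-0003"},
    "10.2.2.13": {"VA-0001"},
}

WINDOW = timedelta(seconds=60)   # assumed correlation window


def parse(log):
    """Parse 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def flow_key(rec):
    return (rec["src"], rec["dst"], rec["dport"])


def reduce_alerts(ids_log=IDS_LOG, fw_log=FW_LOG, va=VA_RESULTS, window=WINDOW):
    """Return raw/group counts plus 'actionable' and 'suppressed' event lists,
    each event carrying the reasons for its disposition."""
    fw_by_flow = defaultdict(list)
    for rec in parse(fw_log):
        fw_by_flow[flow_key(rec)].append(rec)

    # Step 1: collapse repeated (flow, signature) alerts inside the window.
    raw = parse(ids_log)
    groups, open_groups = [], {}
    for rec in raw:
        key = (flow_key(rec), rec["sig"])
        g = open_groups.get(key)
        if g is not None and rec["ts"] - g["first"] <= window:
            g["count"] += 1
            g["last"] = rec["ts"]
        else:
            g = {"sig": rec["sig"], "src": rec["src"], "dst": rec["dst"],
                 "dport": rec["dport"], "first": rec["ts"], "last": rec["ts"],
                 "count": 1, "reasons": []}
            groups.append(g)
            open_groups[key] = g

    # Steps 2 and 3: correlate each group with firewall and assessment data.
    actionable, suppressed = [], []
    for g in groups:
        flows = [f for f in fw_by_flow[flow_key(g)]
                 if abs(f["ts"] - g["first"]) <= window]
        if flows and all(f["action"] == "deny" for f in flows):
            g["reasons"].append("firewall denied the flow")
            suppressed.append(g)
            continue
        if g["dst"] in va and g["sig"] not in va[g["dst"]]:
            g["reasons"].append("target not vulnerable per assessment")
            suppressed.append(g)
            continue
        if not flows:
            g["reasons"].append("no firewall record; reachability unknown")
        actionable.append(g)
    return {"raw_alerts": len(raw), "groups": len(groups),
            "actionable": actionable, "suppressed": suppressed}


if __name__ == "__main__":
    result = reduce_alerts()
    print(result["raw_alerts"], "alerts ->", result["groups"], "groups ->",
          len(result["actionable"]), "actionable")
    for g in result["actionable"]:
        print("ACT", g["sig"], g["src"], "->", g["dst"], "x", g["count"])
    for g in result["suppressed"]:
        print("DROP", g["sig"], g["dst"], g["reasons"])
```

On the constructed data, six raw alerts reduce to two actionable events; the suppressed ones keep their reason trail so an analyst can audit why they were dropped rather than silently losing them. Hosts with no assessment data are deliberately kept, since absence of a scan result is not evidence that the target is safe.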
