Educause Security Discussion mailing list archives
Re: Introduction and preliminary question re: use of IDS/IPS
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 26 Feb 2004 11:53:35 -0500
Jason Richardson wrote:
Hi, I discovered this list and the Unisog list yesterday and subscribed immediately. I am IT Security Manager at Northern Illinois Univ. We are a fairly large state university (approx. 25K undergrad + grad schools) located west of Chicago. I have searched the archives for discussion re: the use of IDS and IPS on university campuses and found a few posts but not much discussion so I decided to go ahead and post my question. My apologies if this has been discussed before under a thread that I didn't see. How prevalent is the use of IDS/IPS on campus networks? We have been using an IDS that hasn't really worked out for us for the past two years and we are considering replacing it. Our network engineering staff has some concerns about the longevity of IDS/IPS and whether such systems will even be in use 5 years from now. My reading so far has led me to believe that while pure IDS is probably on its way out, IPS is alive and well and will be for some time. I was hoping to get a general sense of whether such systems are being used to secure campus networks. To narrow the inquiry somewhat, I am referring more to NIDS than HIDS but we are looking at HIDS also.
We're finishing up an RFP process to procure two IDP NIDS devices for our Internet connections. I can't say any more than that right now, but obviously we have an interest in them and I can't wait to get them installed.

We've been using Snort for the past couple of years. While it provided useful data on the activities on the network and let us know where to concentrate our efforts, it was a reactionary process rather than a preventive one. It was rather discouraging to watch attacks happening that could have easily been prevented had the device detecting those attacks been able to drop the associated traffic.

IDP provides another tool in the arsenal to address some of those attacks. While it will not be able to block all attacks because of the difficulty in determining with certainty the malicious intent of certain types of traffic (particularly on a university internet connection), it will be able to stop some of them. When not able to prevent an attack, it will still provide the more traditional IDS reporting capability along with some useful operational monitoring and forensics capabilities.

IDS, IDP, NIDS, and HIDS are not plug-and-play technologies. They require careful, tedious analysis of traffic and policies and careful tuning. The more active they are, the more work that needs to go into them and the more likely they are to cause operational difficulties in complex environments. But at least with IDP, the time invested will result in some attacks being prevented rather than simply being reported.

Most of them have the ability to detect hundreds or thousands of different potential attacks. The determination of many of those attacks is often rather simplistic and tends to fire often on an open network for the wrong reasons. I think an IDP's primary value in a university internet environment will be in rapid response to new threats and fairly focused events. (I'll be looking for other universities using the same IDP equipment we purchase to form a cooperative to trade signatures and best practices.) Versatility and tuning capability are key. Closer to the protected resources, or in a more closed environment, where traffic can be clearly defined and limited, they can be used in a more all-encompassing manner.

NIDS/NIDP will be around by some name unless the majority of applications all start using encryption over a common port (think web services). Then they'll become mostly useless unless the decryption barrier is in the network rather than on each host. HIDS/HIDP might then become more effective, although one has to keep in mind the limitations of having security software on the device one doesn't trust to be secure in the first place. :)

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
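The distinction Gary draws above, the same signatures run in reporting (IDS) mode versus enforcing (IDP/IPS) mode, the need to tune out matches that fire "for the wrong reasons" on an open network, leaving ambiguous-intent signatures at alert-only, and the blind spot that encrypted payloads create for a network sensor, can be shown with a small toy engine. This is an added example, not code from the list, from Snort, or from any vendor's IDP product; the signatures, hosts (documentation-range addresses) and packets are constructed for illustration, and the `Sensor`, `Signature` and `Packet` names are the example's own.

```python
"""Toy NIDS/NIDP engine: one signature set run in alert-only (IDS) or
enforcing (IDP/IPS) mode over a constructed packet sample.
Added example; not code from the mailing list or its posters."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    encrypted: bool = False   # True: payload is opaque to an in-network sensor


@dataclass
class Signature:
    sid: int
    name: str
    pattern: "re.Pattern"
    dport: Optional[int]       # None means any destination port
    action: str                # "drop": safe to block; "alert": intent too ambiguous to block


class Sensor:
    """Inspects packets; only in 'ips' mode does a 'drop' signature block traffic."""

    def __init__(self, signatures: List[Signature], mode: str = "ids",
                 suppress: Tuple[Tuple[int, str], ...] = ()):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.signatures = list(signatures)
        self.mode = mode
        # Tuning: (sid, src) pairs an analyst has reviewed and marked benign.
        self.suppress = set(suppress)
        self.alerts: List[Tuple[int, str]] = []   # every unsuppressed match
        self.passed = 0
        self.dropped = 0

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        forward = True
        # Content signatures cannot see inside an encrypted payload, so an
        # encrypted packet is forwarded without any match being possible.
        if not pkt.encrypted:
            for sig in self.signatures:
                if sig.dport is not None and sig.dport != pkt.dport:
                    continue
                if (sig.sid, pkt.src) in self.suppress:
                    continue
                if sig.pattern.search(pkt.payload):
                    self.alerts.append((sig.sid, pkt.src))
                    if self.mode == "ips" and sig.action == "drop":
                        forward = False
        if forward:
            self.passed += 1
        else:
            self.dropped += 1
        return forward


# Constructed signatures: one clear-cut enough to drop, one alert-only
# because the same bytes occur in legitimate traffic (search terms, docs).
SIGNATURES = [
    Signature(1000, "cmd.exe in HTTP request", re.compile(rb"cmd\.exe", re.I), 80, "drop"),
    Signature(2000, "SQL UNION SELECT in HTTP request",
              re.compile(rb"union[\s+]+select", re.I), 80, "alert"),
]

# Constructed sample traffic (documentation-range addresses).
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "10.0.0.5", 80, b"GET /scripts/cmd.exe HTTP/1.0"),
    # Benign documentation mirror whose URLs mention cmd.exe: a false positive
    # for sid 1000 until an analyst tunes it out.
    Packet("203.0.113.9", "10.0.0.5", 80, b"GET /kb/articles/cmd.exe-options.html HTTP/1.1"),
    # TLS traffic: payload opaque, nothing for the sensor to match on.
    Packet("198.51.100.8", "10.0.0.5", 443, b"\x17\x03\x01\x00\x2a\x9f\x11", encrypted=True),
    Packet("192.0.2.4", "10.0.0.5", 80, b"GET /search?q=union+select+grammar HTTP/1.1"),
]


def run(mode: str, suppress: Tuple[Tuple[int, str], ...] = ()) -> dict:
    """Run the sample traffic through a fresh sensor and summarise the outcome."""
    sensor = Sensor(SIGNATURES, mode, suppress)
    for pkt in SAMPLE_TRAFFIC:
        sensor.inspect(pkt)
    return {"passed": sensor.passed, "dropped": sensor.dropped, "alerts": sensor.alerts}


if __name__ == "__main__":
    print("IDS (alert only):      ", run("ids"))
    print("IPS (untuned):         ", run("ips"))
    print("IPS (tuned, sid 1000 suppressed for 203.0.113.9):",
          run("ips", suppress=((1000, "203.0.113.9"),)))
```

Running it shows the three states the post describes: in IDS mode every packet is forwarded and the matches are only reported; in untuned IPS mode the documentation mirror is blocked along with the real hit, which is the operational difficulty that makes tuning mandatory before enforcement; after the analyst suppresses that (signature, source) pair, only the clear-cut match is dropped, the ambiguous `union select` search term is still only alerted on, and the encrypted packet never produces a match at all, which is the decryption-barrier problem the post raises.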