nanog mailing list archives

RE: IDS experience's - summary


From: JC Dill <nanog () vo cnchost com>
Date: Fri, 28 Jun 2002 15:00:03 -0700


On 08:46 AM 6/28/02, Brandon Knicely wrote:
>
>Thanks to those that responded, content listed below with a few comments of
>my own.  Also welcome additional discussion.

It appears that this recent report was overlooked:

<http://www.nwfusion.com/techinsider/2002/0624security1.html>

Crying wolf: False alarms hide attacks

Eight IDSs fail to impress during the monthlong test on a production network.

By David Newman, Joel Snyder and Rodney Thayer
Network World, 06/24/02

One thing that can be said with certainty about network-based intrusion-detection systems is that they're guaranteed to detect and consume all your available bandwidth. Whether they also detect network intrusions is less of a sure thing.

Those are the major conclusions of our first-ever IDS product comparison conducted "in the wild." Unlike previous tests run in lab settings, we put seven commercial IDS products and one open-source offering on a live ISP segment to see what they'd catch.

What we found wasn't encouraging:

Several IDSs crashed repeatedly under the burden of the false alarms they churned out.

When real attacks came along, some products didn't catch them and others buried the reports so deep in false alarms that they were easy to miss.

Overly complex interfaces made tuning out false alarms a challenge.

Because no product distinguished itself, we are not naming a winner (See "No cigar"). The eight products we tested - from Cisco, Intrusion, Lancope, Network Flight Recorder (NFR), Nokia (running on OEM version of Internet Security Systems RealSecure 6.5), OneSecure, Recourse Technologies and the open-source Snort package - all ask too much of their users in terms of time and expertise to be described as security must-haves.

(follow the URL above for the whole story)

jc

