Intrusion Detection: The Guard Inside the Gate - Page 2

 By Lynn Haber | Posted Oct 30, 2000

The Playing Field

Dozens of players in this market space are offering one or both types of IDS products: network-based solutions and host-based solutions. They include: Axent Technologies Inc., of Rockville, Md.; Checkpoint Software Technologies Ltd., in Redwood City, Calif.; Cisco Systems Inc., in San Jose, Calif.; Intrusion.com Inc., in Richardson, Texas; Internet Security Systems Inc. (ISS), in Atlanta, Ga.; Network Flight Recorder Inc., in Rockville, Md.; Network Ice, of San Mateo, Calif.; and Pilot Network Services, in Alameda, Calif. The market is growing rapidly, as illustrated in Table 1.

Table 1: Intrusion Detection Software Market: Revenue Forecasts (U.S.)

Tom Kinnear, president and CEO of Intrusion.com, explains the difference between network-intrusion detection and host-based intrusion detection. According to Kinnear, the former analyzes traffic flowing between hosts on a network in order to identify break-in attempts. Host-based IDS, on the other hand, monitors activity on each individual machine.

Vendors agree that both types of IDS offer advantages, because they monitor different types of activity. Vendors also contend that the optimal solution is to have both network-based and host-based IDS.

However, not all organizations will purchase both types of IDS products and, in fact, Mark Wood, product manager at ISS, says, "There isn't a one-size-fits-all solution in this security area." Instead, he says, customers must understand their security needs and choose vendors accordingly. How a company selects an IDS solution is based on how IT managers respond to questions such as:

  • How do you want to manage IDS?

  • What is the structure of the network?

  • What are you trying to protect against?

  • How fast a response to threats are you looking for?

Companies such as ISS offer four types of IDS sensors: network sensors, OS sensors, IDS appliances with network sensors, and server sensors. Customers can put together mix-and-match solutions. (A sensor is a piece of software that monitors a data source and has built-in IDS knowledge and response capability.)

"Our goal is to let customers pick and choose the solution according to their business needs," says Wood.

Josh Senzer, network security administrator for Intellispace, a New York City-based ISP, founded under the name U.S. Cybersites in 1995, agrees that companies need to take an inventory of their network and business needs when assessing security solutions. "Implementing an IDS solution takes careful planning that requires an intimate knowledge of the network," he says. The company currently covers the East Coast, but by next year expects to service 22 markets as far west as Los Angeles and as far east as Paris.

The company recently got its feet wet with IDS and hopes to have a complete enterprise implementation by next February. The ISP had a list of product criteria when it went shopping for an IDS solution, according to Senzer. For example, the solution had to be Unix-based, customizable, and have basic code so that the company could program the back end to do whatever type of monitoring it desired, and it had to accommodate a high-speed network.

Initially, the IDS implementation at Intellispace will be network-based, but Senzer doesn't rule out host-based IDS in remote offices down the road.

To date, the ISP is testing IDS for its own internal use using a product from Network Flight Recorder. Intellispace does not offer IDS as a service to customers. The company does IDS filtering for generic, or textbook, types of attacks. In the future, it expects to do more specific filtering. "We're investing in IDS because we believe it helps create a safer, more secure network environment for us and our customers," he says.
