Intrusion Detection...  Or Prevention?
by David Piscitello

Published May 2002




Intrusion detection systems (IDSs) rank among the most highly publicized elements of network security. But until recently, IDSs have failed to deliver the lofty results vendors promised. Organizations that have deployed IDS complain most about complexity, completeness (attack coverage) and inaccurate detection.


Perhaps the biggest disappointment lies in the inability of most IDSs to do more than report attacks. The information contained in IDS alerts in and of itself is useless to all but serious security experts, and organizations quickly find that incident correlation and real-time response are beyond their expertise.


The latest generation of network intrusion detection systems, from companies like OneSecure, Tippingpoint, NFR Security, MazuNetworks and IntruVert, promises measurable improvement. IntruVert, for example, applies stateful inspection to its signature-based attack detection, and complements this with traffic anomaly detection, a real-time comparison of network traffic against a baseline of "routine" or normal traffic to detect unusual and potentially harmful traffic.


When next-generation IDSs are deployed as in-line instead of passive monitoring appliances, they will drop traffic identified as intrusive. This is often labeled intrusion prevention, but a more accurate term would be attack blocking or intrusion rejection: The vulnerability still exists, but the in-line IDS is able to block the attack.


That's no small accomplishment, but an even more secure system would be one in which the vulnerability didn't exist in the first place. Achieving this higher level of security requires tighter integration and greater scalability.


The most frustrating thing about network security today is that the canonical security posture is entirely defensive and largely reactive. We need to move from reactive intrusion detection to a proactive stance of intrusion prevention. That might sound like a concept everyone can agree with, but in practice, intrusion prevention—in the form of demanding software that's not easily exploited—won't be a popular notion. It flies in the face of the "as is" software licenses we all accept with a mouse click, daily. Intrusion prevention in its most basic form means vendor quality-assurance programs and third-party, independent source code review performed to assure that code is not exploitable due to logic or coding errors.


Organizations with significant purchasing power can influence the "software as is" situation. Just as these organizations negotiate service level agreements with telephone, cellular and Internet service providers, why should they overlook the opportunity to negotiate software confidence (i.e., security/reliability) agreements?


Intrusion prevention is more like a vaccine than an antibiotic (i.e., anti-virus). Vaccines make the human body resistant to viral attacks by enhancing the immune system. Similarly, intrusion prevention measures make your systems and networks resistant (immune) to certain attacks. Intrusion detection is sexy and absolutely necessary for certain kinds of attacks, but over the long haul, intrusion prevention will better serve an organization.


About the author:

David Piscitello is president of Core Competence, Inc., an internationally recognized expert in security technology and founder of the Internet Security Conference.



Access paper

Approx. 127 kB


For help with .pdf file downloads, please check out the help topic.


Return to Business Communications Review Gold Sponsor Archives


Return to Security menu

This article is reproduced by special arrangement with our partner, Business Communications Review.


Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at