It seems that organizations are increasingly relying on Network Intrusion Detection Systems (NIDS) to monitor the security of their networks. While NIDS can certainly give IT staff insight into what is going on with their network, these systems have several drawbacks that keep them from being the end-all-be-all of network security.
The biggest problem is that NIDS can't detect attacks within encrypted traffic. If an organization is tasked with protecting web-based services that require HTTPS or SSL connections, any attacks carried out over those connections (cross-site scripting, injection attacks (SQL or URL), or other attacks) will not be noticed by the NIDS. This means that many attacks will fly under the radar of organizations that don't employ other methods of security monitoring alongside their NIDS.
Another issue with NIDS is that they are notoriously noisy. Since they typically need to monitor all network traffic and report on any anomalies found within those packets, many ordinary behaviors will be flagged as possibly suspicious. This eats up precious manpower, as analysts must routinely determine which reported items are noise and which are truly suspicious.
Which brings us to tuning of the NIDS. This can be a tricky task: you cannot simply disregard all traffic from trusted servers, because an insider (or a very crafty hacker) could compromise a trusted system and use it to perform attacks, and again you would be none the wiser. However, without proper tuning the high number of false positives will make it extremely difficult to tell when real attacks have happened.
So what's the point of all this? That Intrusion Detection Systems can play an important role in helping an organization monitor network traffic for suspicious activity, but that they should be part of an overall layered defense strategy and should not be relied on too heavily to provide insight into malicious attack attempts.
I recommend that NIDS be accompanied by systems that can monitor encrypted web traffic (web server log monitoring) as well as systems that monitor the configuration of all servers in a datacenter to ensure that they don't drift out of compliance with the organization's configuration standards and security hardening best practices.
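As an added example (not part of the original post), here is the kind of web server log monitoring recommended above: a small Python scanner over constructed Apache-style "combined" log lines that flags the SQL injection and cross-site scripting requests a NIDS cannot see inside HTTPS, and that applies the tuning point from earlier by suppressing known-noisy paths rather than exempting whole trusted hosts. The signatures, noise list and log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2011:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Mar/2011:10:01:07 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "curl/7.21"
10.0.0.9 - - [13/Mar/2011:10:01:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "curl/7.21"
10.0.0.7 - - [13/Mar/2011:10:02:00 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "internal-monitor/1.0"
10.0.0.7 - - [13/Mar/2011:10:02:30 +0000] "GET /admin?user=admin%27%20OR%201%3D1 HTTP/1.1" 404 150 "-" "internal-monitor/1.0"
"""

COMBINED_LOG = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Hypothetical, deliberately small signatures for the two attack classes the post names.
SIGNATURES = {
    "sqli": re.compile(r"['\"]\s*(?:or|and)\b|\bunion\b.*\bselect\b|--\s*$|;\s*drop\b", re.I),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}

# Tuning: suppress exact known-noisy requests (health checks), never whole source hosts,
# so a compromised "trusted" host that starts sending payloads is still flagged.
NOISE_PATHS = {"/healthz"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of matched signature names for a parsed entry, or None."""
    # Decode twice so %2527-style double encoding does not hide the payload.
    decoded = unquote_plus(unquote_plus(entry["path"]))
    if decoded in NOISE_PATHS:
        return None
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)] or None


def scan(log_text):
    """Scan a block of log text and return (source ip, raw path, hits) for each alert."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            alerts.append((entry["ip"], entry["path"], hits))
    return alerts
```

Note that the monitor host 10.0.0.7 has its health check suppressed but its injection attempt still raised, which is the behaviour the tuning discussion above asks for.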
A layered security approach is always the best way to approach it. Like you, I see many companies hiding under the veil that border protection is more than enough. I'd also add that correlation of data from a layered approach model is also a strong recommendation. In addition to that, I'd certainly recommend analyzing your own business risks, prioritize these risks, then approach the entire data life-cycle to round out the approach. Easier said than done - but certainly reduces risk overall - which is the whole point of what we all do!
Posted by: Nick Shelly | Sunday, March 13, 2011 at 05:46 PM
You can terminate many encrypted connections before they reach their endpoint, so you're able to IDS/IPS them. If you're serious you'd look at a web application firewall for layer 7 coverage too. Like you said, layered defence.
Posted by: Simon Gray | Wednesday, March 16, 2011 at 12:13 PM