Vendors Predict Bleak IDS Future
They are extinct. Soon, intrusion-detection system (IDS) technology may be headed that way as well, according to a report unveiled last week by Nemertes Research. The report, titled "Securing the Enterprise," revealed that customers and solution providers alike are complaining that using signatures as a primary means of discovering threats causes too many false positives and does not detect zero-day exploits.
Intrusion-prevention system (IPS) technology, by comparison, offers behavior-based detection as well as blocking features, reducing false positives and actively blocking attacks. Tom Frahm, owner of Applied Communications, a solution provider in Minneapolis, said that for his customers, mere detection isn't nearly as efficient as detection and remediation or—better yet—detection and prevention altogether.
"The difference between IPS and IDS is the difference between handling a problem proactively or reactively," Frahm said. "When your customer is clamoring for results, which approach are you going to take?" Edward Amey, an account manager for Data Systems Worldwide, Woodland Hills, Calif., offered a different and more lighthearted take on the situation. Amey, whose company sells IPS solutions from Austin, Texas-based vendor TippingPoint, likened IDS to a security guard at Wal-Mart, contrasting this with IPS, which he metaphorically labeled a nightclub bouncer. "IDS will stop you if you're suspicious and alert the store manager to call the cops," Amey said. "With IPS, if you're not on the list, you don't get in, period."
The Nemertes report indicated that more than 20 percent of IT executives are replacing IDS systems with IPS, and few solution providers disputed this statistic. Even a number of traditional IDS vendors supported it, celebrating the changing climate by changing their tunes.
This week, for instance, traditional IDS vendor Q1 Labs, Waltham, Mass., introduced enterprisewide IPS functionality with the newest iteration of its QRadar product. QRadar 4.0 is a purpose-built IPS solution that provides surveillance and control for an entire network, along with behavioral and event analysis.
"Many [IPS] solutions are built on an existing IDS and lack the flexibility of a purpose-built solution," said Chris Poulin, vice president and chief security architect at FireTower, Medfield, Mass. "A good solution provides both protocol anomaly detection and signatures, the ability to define granular, stateful rules and define different types or levels of alerts with appropriate actions."
Last month, Top Layer Networks launched a product very similar to the new QRadar version. Top Layer's IDS Balancer product delivers flexibility in selecting, filtering and distributing traffic—essentially IPS functionality. "We're finding that many of our customers are asking us to completely rewrite the IDS product," said Mike Reed, general manager of the Americas at Top Layer, Westborough, Mass. "Strict monitoring just isn't good enough anymore."
For solution providers, these developments signal an evolution in strategy as well as product capabilities. While resellers are peddling products with fewer opportunities for value-added services, the products are more affordable and more efficient, helping to build relationships across the board.
Ron Steffen, a sales representative for Sharper Technology, Newark, Calif., said he's seen a drop in the amount of services revenue since making the switch from IDS to IPS, but he isn't losing money because he's selling more.
"We might make more money selling solutions around IDS, but IPS makes more sense for our customers, so that's the solution we're going to push," said Steffen, who sells IPS solutions from Fortinet and a variety of other vendors. "My approach isn't necessarily unique—it's just to make sure the customer gets what he needs."
For some, however, IDS still makes sense. Tony Luongo, vice president of sales at Go2Communications, Woburn, Mass., said that a handful of his customers seek IDS for forensic purposes to understand what happened during an attack. Others use it to document regulatory compliance as a backup to the firewall service they already have. "Is there ever enough protection in regard to security?" Luongo asked. "Our philosophy is that there will always be a place for these kinds of things, it's just a question of how well we can incorporate this into a larger solution that makes sense for everyone."