Intrusion Detection System Users Grapple With Performance and Management Issues

WALTHAM, Mass.–(BUSINESS WIRE)–Aug. 27, 2001–

Despite increasing speed and complexity of networks that have made

IDS solutions difficult to deploy and manage, the technology is

accepted and improving

Intrusion detection systems are here to stay as an integral part of the network security infrastructure. But security solutions vendors must work to overcome user skepticism and frustration about intrusion detection stemming from poorly performing early deployments, lack of scalability, and difficulties in management and data gathering and analysis.

Those were the common themes and opinions voiced at the Institute for Applied Network Security’s recent two-day Intrusion Detection Forum held at the MIT Endicott House in Dedham, MA. The Institute for Applied Network Security hosted the Forum in partnership with the New England Chapter of the Information Systems Security Association (ISSA). Senior information technology professionals from 16 publicly traded companies and 17 private firms participated, along with experts from security product and service providers. The combined market capitalization of the public companies exceeded $380 billion.

“The Forum was a very valuable experience for our presenting team,” commented Mike Paquette, Vice President of Product Management at Top Layer Networks, a manufacturer of network devices that balance high-speed traffic over intrusion detection systems and defend against denial-of-service attacks. “The IDS is an essential part of what has become the ‘balanced breakfast’ of a complete IP security policy, one that also includes attack mitigation, firewalls, virus protection, and virtual private networks in most companies.

“We learned that the concerns of today’s IDS users still center around nuts-and-bolts issues. Where is the best place to put my IDS sensors in the network? How can I make sense of all the data I receive on network traffic and security incidents? How can I be sure that what I buy will be fully compatible with my existing network components and my overall security policy? And what is the total cost including management time and the return on my investment?” continued Paquette.

Performance Tuning and Load Balancing Will Increase IDS Systems’ Efficiency and Scalability

In response to IDS user complaints that their sensors often ran much more slowly than advertised, Top Layer’s Chief Security Officer Joe Magee said, “An IDS system that says it will process traffic at 100 megabits per second might actually perform at 70 or even lower if they keep adding attack signatures to look for. And that’s a constant problem – Code Red had about six to ten possible signatures. Sub Seven had four signatures. The more attack signatures an IDS has to look for, the slower it will run.

“The answer here is a combination of balancing and tuning. Every network is different, and the first order of business is to determine what servers or subnets on the network need protection, and what attack signatures are associated with those servers. For instance, if you do a lot of e-commerce, you can mirror all of the HTTP flows that come in through the router to one or more IDS sensors tuned to look for only the attack signatures associated with web traffic. The IDS sensors will work much faster and more thoroughly because they’re not chugging through their database looking for every possible intrusion.

“Once you really know your network and its vulnerabilities, it becomes a matter of determining how many sensors you need to handle the traffic volume, placing and configuring the sensors properly, and intelligently distributing the targeted traffic to them. Existing IDS systems in most cases will perform much better with this approach.”

Forum participants expressed doubts about fully outsourcing security functions, although they recognized the need for retained, third party expertise. They also are seeking improvement in the quality and usability of data generated by IDS logs and other system-monitoring devices. The consensus of opinion held that using the data to determine what has happened to an attacked network and why it happened is more important than gathering information for prosecution of an attack’s perpetrator.

Forum Brings Unparalleled Insights to Corporate Members and Solution Providers

“We are delighted that Top Layer participated in the August Intrusion Detection Forum,” commented Rebecca Bace, President of Infidel, Inc. and a Forum Faculty member. “The Forum provides a unique venue in which both corporate members and their most valued solution providers can have an open, substantive dialogue addressing different aspects of intrusion detection. The Forum is all about creating technology and business insights for all of the attendees. Based on the enthusiastic response from corporate members and solution providers alike, the Boston Intrusion Detection Forum was a great success.”

The Institute for Applied Network Security will conduct its next Intrusion Detection Forum October 17-18 at the Dolce Hamilton Park Conference Facility in Florham Park, New Jersey.

About Top Layer Networks, Inc.

Founded in 1997, Top Layer Networks designs and produces a spectrum of hardware and software products that defend and protect network-attached resources. Companies using the ASIC-based AppSwitch(TM) and AppSafe(TM) from the AS 3500 family of products dramatically increase the efficacy of their network defenses and gain access to detailed network information that is otherwise unattainable. Top Layer products defend against denial-of-service and distributed denial-of-service attacks, balance and enhance the performance of firewalls and intrusion detection systems, collect highly detailed information on network security incidents and traffic, and contain potential damage emanating from compromised systems through internally directed security strategies.

Top Layer world headquarters is in Westboro, Massachusetts in the USA. The company has offices in Australia, Belgium, Germany, France, Japan, Korea, Malaysia, and the United Kingdom. Top Layer Networks has conducted in-depth research surrounding its respective technologies, which can be found at Or, for more general information, visit or email

About the Institute for Applied Network Security

The Institute for Applied Network Security hosts high insight forums on topics of interest to the network security industry. The Institute’s mission is to be an advocate for network security professionals around the world. The Institute’s forums are based on an interactive learning format that creates unique gatherings of corporate network security practitioners, network security product and service solution providers and world-renowned Forum faculty members.

The Institute is headquartered in Waltham, Massachusetts. To learn more, please visit the Institute’s web site at or email the Institute at

Don't miss