Managing an IDS Environment
While an IDS, as a product, alerts against attacks, it also
produces false positives. Further, an IDS by itself does not give a true
picture of the network. Intrusive activities leave a trail of logs in servers,
routers, firewalls and IDSs. Analyzing firewall logs and system logs, along with
IDS alerts, gives a much fuller picture and helps reduce false positives. Firewalls,
IDSs and servers together generate millions of lines of audit information daily.
Buried in all that information are the beginnings of several intrusions.
Powerful cross-product analysis and filtering technology can be used to watch
and sort through all that audit information, in real time, to detect intrusions.
These events are then examined by security analysts who monitor the network and
determine an appropriate action for each event. In the event of an attack,
security experts also help in responding to it by reconfiguring network
devices to contain the attack.

When choosing an IDS for the network, you would expect it to detect intrusions
either while they are happening or shortly afterwards, and most importantly,
you want it to give sufficient information to enable an effective response.
Moreover, a wish-list would include the following: it has to be capable of
working on large heterogeneous networks, and of detecting attacks with a
minimum of prior information about potential attackers and their methods.
Every network is unique and hence the IDS should have the capability to be
customized. It should support user-defined suspicious activity and scripting
facilities. Finally, it should not impose overhead on the attached network.
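The cross-product analysis described above, as an added example that is not from the article: a small Python correlator that confirms an IDS alert only when the firewall or a server log independently saw the same source address within a short time window, so alerts that no other product corroborates surface as likely false positives. All log lines, addresses and the two-minute window are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # events this close in time to an alert may corroborate it

# Constructed sample records (not from the article): one IDS alert that other
# products back up, and one that nothing else on the network saw near that time.
IDS_ALERTS = [
    {"ts": "2024-05-01T10:00:05", "src": "198.51.100.7", "sig": "SSH brute force"},
    {"ts": "2024-05-01T10:20:00", "src": "203.0.113.9", "sig": "HTTP scanner"},
]
FIREWALL_LOG = [
    "2024-05-01T09:59:50 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-05-01T09:59:58 ALLOW src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:05:00 ALLOW src=203.0.113.9 dst=10.0.0.8 dport=80",  # outside WINDOW, ignored
]
SERVER_LOG = [
    "2024-05-01T10:00:01 sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "2024-05-01T10:00:03 sshd[2211]: Failed password for root from 198.51.100.7 port 51023 ssh2",
]

# Each pattern captures (timestamp, source IP) so every product reduces to the same shape.
FW_RE = re.compile(r"^(\S+) (?:DENY|ALLOW) src=(\S+)")
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password .* from (\S+)")

def parse(lines, pattern):
    """Normalise raw log lines to (datetime, source IP); non-matching lines are dropped."""
    return [(datetime.fromisoformat(m.group(1)), m.group(2))
            for m in map(pattern.match, lines) if m]

def corroborate(alert, sources):
    """Names of the products that also saw alert['src'] within WINDOW of the alert."""
    t = datetime.fromisoformat(alert["ts"])
    return [name for name, events in sources.items()
            if any(ip == alert["src"] and abs(ts - t) <= WINDOW for ts, ip in events)]

def triage(alerts=IDS_ALERTS, fw=FIREWALL_LOG, srv=SERVER_LOG):
    """Map each alert signature to ('confirmed' | 'unconfirmed', corroborating products)."""
    sources = {"firewall": parse(fw, FW_RE), "server": parse(srv, SSH_RE)}
    result = {}
    for a in alerts:
        hits = corroborate(a, sources)
        result[a["sig"]] = ("confirmed" if hits else "unconfirmed", hits)
    return result

if __name__ == "__main__":
    for sig, (verdict, hits) in triage().items():
        print(f"{sig}: {verdict} {hits}")
```

An "unconfirmed" verdict is a triage hint for the analyst, not proof of a false positive; a quiet host with no logging would leave a real intrusion uncorroborated too.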
Balwant Rathore,
network security engineer, Paladion Networks