intrusion detection and prevention expectations

There have been a load of posts and discussion on high-profile blogs and mailing lists about the value of IDS/IPS. Richard Bejtlich, Thomas Ptacek, Alan Shimel, Amrit, and others such as the Daily Dave have all chimed in along with their respective gaggle of comments. Lots of people get pretty vehement and passionate about this subject.
An IDS and an IPS are two wholly different things. Any discussion needs to start by laying the groundwork on which one is being talked about. The next step is to describe how the participants define an IDS/IPS. Lastly, review their respective expectations of those IDS/IPS devices.
I really like Alan Shimel’s descriptions of the “trough of disillusionment” and “peak of inflated expectations.” I really think there are some skewed expectations of what an IDS and IPS are supposed to do. Of the two devices, I really believe IPS is the one that has had such high expectations that it will never deliver satisfactorily. IDS, on the other hand, has very often been mistaken for IPS.
To me, an IDS is lumped with other functions such as logging, syslog analysis, intrusion response, SNMP monitoring, and other network/performance monitoring. All of these functions tend to detect or record, providing information or alerts during and after the fact. They are passive technologies that do not take specific action beyond ringing bells and blowing whistles.
IPSs are in the same category as firewalls, antivirus apps, spyware cleaners, web filtering proxies, and spam gateways. They take IDS one step further by actually performing some action based on the alerts, from changing firewall rules to dropping traffic to throwing out TCP resets. As such, they run into the problem of stopping things that should be allowed, or allowing things they didn’t know were problems.
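As an added illustration (not code from the original post), the same toy signature set replayed over constructed sample requests in detect-only (IDS) and blocking (IPS) mode; the rule names, addresses and payloads are invented, and the only difference between the modes is whether a match also drops the traffic:

```python
import re
from dataclasses import dataclass, field

# Constructed toy signatures (hypothetical, not from any real product): each
# maps a rule name to a regex tested against the request payload.
RULES = {
    "sqli-union": re.compile(r"(?i)\bunion\s+select\b"),
    "path-traversal": re.compile(r"\.\./"),
}

@dataclass
class Sensor:
    """mode='ids' only records alerts; mode='ips' also drops matching traffic."""
    mode: str
    alerts: list = field(default_factory=list)

    def inspect(self, src: str, payload: str):
        hits = [name for name, rx in RULES.items() if rx.search(payload)]
        self.alerts.extend((src, name) for name in hits)
        verdict = "DROP" if (self.mode == "ips" and hits) else "PASS"
        return verdict, hits

# Constructed sample events: (source, payload, is_malicious). The third field
# is ground truth the sensor never sees; it exists only to score the outcome.
EVENTS = [
    ("10.0.0.5", "GET /search?q=shoes HTTP/1.1", False),
    ("10.0.0.7", "GET /item?id=1 UNION SELECT name,secret FROM t", True),
    ("10.0.0.9", "GET /docs/2006/../index.html HTTP/1.1", False),  # legitimate relative path, matches anyway
    ("10.0.0.11", "GET /export?fmt=csv HTTP/1.1", True),  # assumed malicious; no rule covers it
]

def run(mode: str) -> dict:
    """Replay EVENTS through one sensor and score what was alerted, blocked or missed."""
    sensor = Sensor(mode)
    score = {"alerts": 0, "blocked_good": 0, "blocked_bad": 0, "missed_bad": 0}
    for src, payload, malicious in EVENTS:
        verdict, hits = sensor.inspect(src, payload)
        if verdict == "DROP":
            score["blocked_bad" if malicious else "blocked_good"] += 1
        if malicious and not hits:
            score["missed_bad"] += 1  # neither mode can act on what no rule describes
    score["alerts"] = len(sensor.alerts)
    return score

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(mode, run(mode))
```

Both modes raise the same two alerts and both miss the event nothing matches; only the blocking mode turns the false positive on the relative path into dropped legitimate traffic, which is the trade-off the paragraph above describes.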
IDS/IPS functions are not on my list of the top things to have in a corporate or home user environment. An IDS can detect and alert on events that may or may not be malicious or problems. This is certainly a valuable function, but not so valuable as to trump very many other things. IDS technologies tend to be the pet projects of geeky admins who have some time on their hands. The rest of us tend to have other fires that need putting out over babysitting an IDS/IPS device.
Personally, I like IDS for the knowledge and monitoring it can provide about the network. And that is what the real expectation of an IDS should be: the information it provides better informs those who perform subsequent actions, but only in proportion to how well the device, the network, and the tuning are understood. IPS devices I can do without unless the environment is so huge that it needs automated responses, but even then the environment is likely so huge that only a handful of IPS-enabled (active) rules will be enabled.
There is a challenge floating around about whether there are any instances where a company was “saved” (benefited) from having an IDS/IPS device in use. I have not had one personally, but I can certainly think of situations where someone might be throwing internal exploits at LAN systems in an attempt to break into a system, or maybe a worm trying to propagate over the network. An IDS can alert on an otherwise possibly overlooked situation and flag it for investigation. However, as much as an IDS can be helpful, every other layer of technology steals a little bit of its thunder. Network or even host-based firewalls and antivirus will lower the value of the IDS because a lot of malicious stuff is stopped before it traverses the network.
Think of it this way. An IDS/IPS is like a home security alarm system. The IDS will log attempts to break in, possibly track where the thief moves throughout the house, maybe even determine the method of break-in, and will alert the owner that a break-in is occurring or has occurred. An IPS does all of this, but also rings a loud alarm through the house, turns on all the lights and a spotlight, seals away the family valuables, locks all the entry points, and lets loose dogs to chase the intruder away, actively preventing the success of the attack. In light of this analogy, both systems will have had a very valuable effect at some point (that is not to say the IDS/IPS doesn’t tend to warn when even an insect alights on the window pane or that they don’t detect Hispanic intruders…).
Update: More posts are popping up on this topic. The Digital Voice has chimed in as well, with a nice post and viewpoint. TechBuddha has some thoughts as well, about finding your own truths and relax a little bit when it comes to arguments like this. Sawaba at SecuriTeam chimes in.