January 30th, 2002, 02:40 PM
Need for Network Intrusion Systems(IDS)?
I've been reading a lot about IDS lately, and the concept is pretty clear. But I don't see if there's any real need for IDS. For instance, what should happen when a possible intrusion is detected? A mail can be sent to sys admin, but what if it's after hours and he doesn't read his mail til next morning. Perhaps the IDS could page him or something? Or the IDS could start logging the attack. But it can't prevent the attack. If it did, it would also break the connection to all the real users, and that is not a good thing.
Another thing, doesn't the firewalls provide enough protection? Say you have an e-commerce site with external users inserting orders into a database and employees fetching orders from the db. The requests to the db is coming from two app/web servers, one server for the external users and one for internal users. The firewall with the db-server behind it can be configured only to accept requests from the app/web servers, am I right? So it will be close to impossible to break into the database. And if the web/app servers is placed behind a firewall that only accepts requests over HTTP and HTTPS (ports 80&443), it's even harder to break in. I'm not saying it's totally impossible, but it's pretty damn difficult.
So the IDS is only gonna give the system admin more hassle and less spare time . And is also gonna create extra overhead for the total network, making it slower. (At least with certain types of IDS).