Evaluating enterprise intrusion detection system vendors
Selecting an intrusion detection and prevention system vendor can be a time-consuming task. Get help evaluating vendors and products with this list of must-ask questions. Plus, a comprehensive vendor list.
Careful planning must go into an enterprise's intrusion detection and intrusion prevention system purchase. There is no one-size-fits-all product, so all vendors and their offerings must be evaluated with specific questions in mind.
Below is a list of questions to help your enterprise evaluate potential vendors and products with its specific IDS/IPS needs in mind. Additionally, view a list of intrusion detection system vendors to keep in mind when selecting prospective candidates.
Questions to ask during vendor evaluation
- Given the assets that require IDS/IPS protection, the current network configuration and the project budget, where would the primary components of your IDS/IPS product or service typically be located? For example, does the IDS/IPS sensor sit directly behind the firewall or between the DMZ and the internal network? Are IDS/IPS sensors deployed inside the internal network? If so, how many and where?
- If the IDS/IPS project is part of a managed security service, how will IPS/IDS sensors be maintained, and what level of access will managed security service employees need to the customer's IDS/IPS system? Given compliance directives such as PCI DSS, which authentication methods, network traffic encryption methods and administrative audit controls are compatible with the managed security service?
- In a managed security service scenario, does the vendor -- through packet captures or other means -- have access to the network traffic flowing through the IDS/IPS sensor? Can this capability be disabled by the customer? Is the customer's network traffic routed through any of the vendor's networks or systems other than the IDS/IPS?
- What kind of network events can be detected by the IDS/IPS product? What is the effectiveness of the system in detecting attacks like distributed denial-of-service attacks, network-based buffer overflow attacks, network scans and botnet communications? Does the system have data loss prevention, advanced malware detection and operating system vulnerability-assessment capabilities? Is packet capture an option?
- What kind of sensor management is necessary for the IDS/IPS sensors? Is it an appliance, software for a physical server, or a virtual machine? Can an existing management product such as McAfee ePolicy Orchestrator work in place of a new management console? What are the limitations of these approaches, in terms of reporting options and the number of sensors that they support? How will sensor management be updated and configured? Will it automatically detect sensor failure and how will these failures be handled? Are these sensors true high-availability products that automatically fail over? How will the network be affected should these sensors fail?
- Given the network throughput, how many and what kind of supporting devices -- such as network aggregators and IDS/IPS load balancers -- will be required? Are these true high-availability products that automatically fail over? How will the network be affected should these devices fail? How will these supporting devices be managed?
- Can the proposed IDS/IPS product integrate with existing customer security controls, such as endpoint host IPS, unified threat management-based IDS/IPS, or existing open source IDS/IPS products like SNORT?
- How will sensor data be correlated and analyzed? Will the product or service be reporting incidents to a third-party data aggregation platform, such as Splunk, or a security incident and event management product such as LogRhythm, HP ArcSight, McAfee NitroSecurity or Splunk Enterprise Security? How much human effort is required for analysis of the IDS/IPS data? How much analysis can be automated?
- How are IDS/IPS sensor operating system updates handled? Can they be automatically pushed or pulled? Is this a manual process and how much downtime is required to restart a sensor after an operating system update? Can attack signature updates be applied automatically and, if so, how frequently can this occur? How often are these signatures updated? How are the sensor OS and attack signature updates protected from man-in-the-middle attacks? Are any special firewall rules required for the updates to be received?
- How does the IDS/IPS architecture balance high network throughput, high availability and accurate detection of network-based threats? How are the intrusion detection and prevention systems' sensors tuned? Can they automatically adjust to new types of attacks without affecting network throughput?
Check out the winners of Information Security magazine's Readers' Choice Awards
Best of intrusion detection and prevention 2014
Best of intrusion detection and prevention 2013
Vendors at a glance
Below is a representative list of intrusion detection and prevention vendors:
- Check Point
- Cisco
- Core Security
- Corero Network Security (previously Top Layer Security)
- Dell
- Extreme Networks (acquired Enterasys)
- F5 Networks
- FireEye
- Fortinet
- Gigamon
- GuidePoint Security
- HP
- IBM
- Juniper Networks
- ManageEngine
- McAfee
- NitroSecurity (acquired by McAfee)
- Palo Alto Networks
- Radware
- Snort (Sourcefire/Cisco)
- Solutionary (acquired by NTT)
- Sourcefire (acquired by Cisco)
- Splunk
- StoneSoft (McAfee)
- Trend Micro
About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company, as well as a freelance expert consultant and writer.
