
September 23, 2008

IDS - the beast that just won't die

Ellen Messmer has an interesting article up in Network World today (I wish Network World would stop that annoying page fold-over ad that forces you to click close to view the page. It is just a pain in the butt, and I wouldn't buy anything from anyone using that type of ad, just on principle.) about the latest results of an Infonetics Research survey commissioned by Tipping Point. The respondents were mostly from big companies with about 10k employees. Remembering who commissioned this report, you need to take these numbers with a grain of salt, but there are some interesting findings:

1. Cisco is hands down the market leader in IPS. It is almost universally agreed, by this report's findings and in other reports, that while the Cisco product is far from the best in usability and functionality, by sheer numbers it dwarfs the other IPS vendors. It continually amazes me that everyone knows the product is not good, yet people still use it. For me that just reinforces the notion that people put IPS in as a checkbox. They really don't care whether it works or not, is easy to use or not, or is up to date or not. They just want to say they have something. When their local friendly Cisco rep throws it in with the shiny switch, they are happy campers.

2. Most people are finally deploying inline, but not filtering and blocking. Of course the Tipping Point customers overwhelmingly had the box inline; Tipping Point was always an inline IPS, so that is to be expected. The Sourcefire boxes, on the other hand, tend to be deployed out of band more often. The IBM/ISS and McAfee IPS are more in the middle. Regardless of whether the boxes were inline or out of band, though, the number of filters actually being used to block traffic was way low. Most people are still alerting, not blocking. An inline sensor whose filters are all set to alert is still an IDS in practice, whatever the box is called. IDS is not dead, that is clear.

3. A sizable number of users do not update to the latest filters (Tipping Point lingo for signatures and rules). This is the one that really blew me away. With all of the focus on zero-days and all, you would think people would want to be up to date against the latest attacks. Evidently not. Even given that some people like to test the filters first, I would think they would find their way into the field pretty quickly, but it looks like I am wrong. Maybe this is a big-company versus mid-market thing, though. I don't think mid-market companies have the time and resources to go through that type of QA check. They expect their IPS vendor to send down signatures that don't break the box.
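To make points 2 and 3 concrete, here is an added example (not code from the original post, and not any vendor's product) of a toy inline sensor that evaluates Snort-style rules. It shows why an inline box with every filter left in alert mode forwards the same attack traffic an out-of-band sensor would, and it models the QA step some shops do before promoting a new filter: run it in alert mode over a capture of known-good traffic and only flip it to drop if it never fires. The rule grammar is a small subset of Snort's, and the rules, packets and sids (local 1000000+ range) are constructed for the demo, not real vendor signatures.

```python
"""Toy inline IPS with Snort-style alert/drop rules (added example, not from the post)."""
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Subset of the Snort rule grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>tcp|udp|ip)\s+\S+\s+\S+\s+->\s+"
    r"\S+\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    action: str             # alert = log only; drop = log and discard (inline only)
    proto: str
    dport: str              # 'any' or a port number
    content: Optional[bytes]
    msg: str
    sid: int


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Parse one rule line; only msg, content and sid options are understood."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m["opts"].split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    content = opts.get("content")
    return Rule(m["action"], m["proto"], m["dport"],
                content.encode() if content is not None else None,
                opts.get("msg", ""), int(opts.get("sid", "0")))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    return rule.content is None or rule.content in pkt.payload


def inspect(rules: List[Rule], pkt: Packet, inline: bool) -> Tuple[str, List[int]]:
    """Return (verdict, sids that fired). Only an inline sensor honouring a 'drop'
    rule stops the packet; an out-of-band sensor (SPAN/tap feed) can only alert."""
    fired, verdict = [], "forward"
    for r in rules:
        if matches(r, pkt):
            fired.append(r.sid)
            if r.action == "drop" and inline:
                verdict = "drop"
    return verdict, fired


def run(rules: List[Rule], packets: List[Packet], inline: bool):
    return [inspect(rules, p, inline) for p in packets]


def stage_and_promote(rules: List[Rule], known_good: List[Packet]):
    """QA step: alert-mode rules that never fire on known-good traffic are promoted
    to drop; rules that do fire are held back with their hit count for review."""
    promoted, held = [], []
    for r in rules:
        if r.action != "alert":
            promoted.append(r)
            continue
        hits = sum(1 for p in known_good if matches(r, p))
        if hits:
            held.append((r.sid, hits))        # would have blocked legitimate traffic
        else:
            promoted.append(replace(r, action="drop"))
    return promoted, held


# Constructed rules: two new filters shipped in alert mode, one already in drop mode.
RULES = [
    'alert tcp any any -> any 80 (msg:"HTTP path traversal"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"SQL keyword in request"; content:"SELECT"; sid:1000002;)',
    'drop tcp any any -> any 23 (msg:"Telnet to inside host"; sid:1000003;)',
]

# Constructed traffic: a clean request, a traversal attempt, a telnet session.
TRAFFIC = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", 23, b"\xff\xfd\x18login: "),
]

# Constructed known-good capture for staging: a search for an SQL tutorial is legitimate.
KNOWN_GOOD = [
    Packet("tcp", 80, b"GET /search?q=SELECT+tutorial HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", 80, b"GET /about HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def demo():
    rules = [parse_rule(r) for r in RULES]
    promoted, held = stage_and_promote(rules, KNOWN_GOOD)
    return {
        "out_of_band": run(rules, TRAFFIC, inline=False),
        "inline_unpromoted": run(rules, TRAFFIC, inline=True),
        "inline_promoted": run(promoted, TRAFFIC, inline=True),
        "held": held,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

Run as a script and the first two lines come out the same for the traversal packet: out of band and inline both forward it, because sid 1000001 is an alert rule. Only after staging promotes it to drop (while the over-broad SELECT rule is held back, having hit legitimate traffic) does the inline box actually block anything beyond the telnet rule that shipped as drop.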

All in all, despite Richard Stiennon's prediction of the death of IDS, it appears that we are still a long way off from everyone using their IPS as an IPS.


TrackBack


Listed below are links to weblogs that reference IDS - the beast that just won't die:

» IDS: Vitamins Or Prophylactic? from Rational Survivability
Ravi Char commented on Alan Shimel's blog titled "IDS - The Beast That Just Won't Die." Ravi makes a number of interesting comments in his blog titled "IDS/IPS - is it Vitamins?" I'd like to address them because they offer... [Read More]

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.