Recommend an intrusion detection system (IDS/IPS), and are they worth it?

Solution 1:

Several years ago I reviewed several intrusion prevention systems.

I wanted to deploy something between a couple of locations and the corporate network.
The system was to be easy to manage and monitor (something that could be handed off to a second-tier help desk person). Automated alarming and reporting were also needed.

The system that I ended up choosing was the IPS from Tipping Point. We still like it after it has been in place for several years. Our implementation includes the subscription to their Digital Vaccine, which pushes out vulnerability and exploit rules weekly.

The system has been very useful for watching what is going on (alert but take no action) as well as for automatically blocking or quarantining systems.

This ended up being a very useful tool for locating and isolating malware-infected computers, as well as for blocking bandwidth-hogging or security-policy-related traffic without having to work with router access control lists.

http://www.tippingpoint.com/products_ips.html

Solution 2:

One thought: you ask "are they worth it". I hate to give a non-technical answer, but if your organization needs to have an IDS to indicate to a regulatory body that you are in compliance with some regulation or other, then even if you find that, from a technology perspective, the device doesn't give you what you want, they may be by definition "worth it" if they keep you in compliance.

I'm not suggesting that "it doesn't matter if it's good or not"; obviously something that does a good job is preferred to something that doesn't, but reaching regulatory compliance is a goal in itself.

Solution 3:

Intrusion detection systems are invaluable tools, but they need to be used properly. If you treat your NIDS as an alert-based system, where the alert is the end, you will get frustrated (ok, alert X was generated, what do I do now?).

I recommend looking at the NSM (network security monitoring) approach, where you mix NIDS (alerting systems) with session and content data, so you can properly examine any alert and better tune your IDS.

*I can't link, so just Google for taosecurity or NSM.

In addition to the network-based information, if you mix in HIDS + LIDS (log-based intrusion detection) you will get a clear view of what is going on.

**Plus, don't forget that these tools are not meant to protect you from an attack, but to act as a security camera (physical comparison) so proper incident response can be taken.
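The NSM idea in Solution 3 (an alert is the start of an investigation, not the end of one) is easiest to see with data in hand. The following is an added example, not code from the answer above or from any NSM tool: it takes two NIDS alerts with the same signature, looks up the matching session (flow) record, pulls host log events for the target within a time window, and derives a different verdict for each alert. The alert and session formats are only loosely modelled on Suricata EVE JSON and Zeek conn.log; all records, the field names and the `HOST_IPS` asset mapping are constructed assumptions for this example, not a specification of either tool.

```python
"""Correlate a NIDS alert with session records and host log events (NSM style).

Added example, not from the original answer. Record layouts are loosely
modelled on Suricata EVE JSON (alerts) and Zeek conn.log (sessions); every
record below is constructed for the example and the field names are
assumptions, not a specification of either tool.
"""
import json
from datetime import datetime, timezone

# Constructed NIDS alerts (one JSON object per line), same signature twice.
ALERT_LINES = [
    '{"timestamp":"2023-05-04T10:15:32Z","src_ip":"203.0.113.9","src_port":44123,'
    '"dest_ip":"192.0.2.20","dest_port":22,"proto":"TCP",'
    '"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2023-05-04T10:40:05Z","src_ip":"198.51.100.7","src_port":50211,'
    '"dest_ip":"192.0.2.20","dest_port":22,"proto":"TCP",'
    '"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
]

# Constructed session (flow) records, tab-separated with a header row.
SESSION_LINES = [
    "ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\tconn_state",
    "2023-05-04T10:15:31Z\t203.0.113.9\t44123\t192.0.2.20\t22\ttcp\t0.002\t0\t0\tS0",
    "2023-05-04T10:40:04Z\t198.51.100.7\t50211\t192.0.2.20\t22\ttcp\t1843.5\t28411\t912337\tSF",
]

# Constructed host log lines (the HIDS/LIDS side), syslog-like.
HOST_LOG_LINES = [
    "2023-05-04T10:40:09Z host1 sshd[2201]: Accepted password for backup from 198.51.100.7 port 50211 ssh2",
    "2023-05-04T10:41:12Z host1 sudo: backup : TTY=pts/1 ; COMMAND=/usr/bin/tar -czf /tmp/x.tgz /etc",
]
HOST_IPS = {"host1": "192.0.2.20"}  # assumption: asset inventory, hostname -> IP

# Verdicts returned by triage(); the same signature can land on any of them.
NO_SESSION, SCAN_NOISE, INVESTIGATE, INCIDENT = ("no-session", "scan-noise", "investigate", "incident")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(lines):
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("\t")))
        rec["ts"] = parse_ts(rec["ts"])
        for k in ("duration", "orig_bytes", "resp_bytes"):
            rec[k] = float(rec[k])
        rows.append(rec)
    return rows


def parse_host_logs(lines):
    events = []
    for line in lines:
        ts, host, msg = line.split(" ", 2)
        events.append({"ts": parse_ts(ts), "host": host, "msg": msg})
    return events


def find_session(alert, sessions, slack_seconds=5):
    """Match the alert's 5-tuple to a flow that started within slack_seconds of the alert."""
    t = parse_ts(alert["timestamp"])
    key = (alert["src_ip"], str(alert["src_port"]), alert["dest_ip"], str(alert["dest_port"]))
    for s in sessions:
        if (s["id.orig_h"], s["id.orig_p"], s["id.resp_h"], s["id.resp_p"]) == key \
                and abs((s["ts"] - t).total_seconds()) <= slack_seconds:
            return s
    return None


def host_events_near(alert, events, window_seconds=300):
    """Host log events on the alert's target host within window_seconds after the alert."""
    t = parse_ts(alert["timestamp"])
    return [e for e in events
            if HOST_IPS.get(e["host"]) == alert["dest_ip"]
            and 0 <= (e["ts"] - t).total_seconds() <= window_seconds]


def triage(alert_line, sessions, events):
    """Enrich one alert with session and host data and return a context dict with a verdict."""
    alert = json.loads(alert_line)
    sess = find_session(alert, sessions)
    host = host_events_near(alert, events)
    ctx = {"signature": alert["alert"]["signature"], "src": alert["src_ip"],
           "dst": alert["dest_ip"], "session": sess, "host_events": host}
    if sess is None:
        ctx["verdict"] = NO_SESSION          # cannot assess: check sensor coverage
    elif sess["resp_bytes"] == 0 and sess["conn_state"] == "S0":
        ctx["verdict"] = SCAN_NOISE          # target never answered: tune or suppress
    elif any("Accepted" in e["msg"] for e in host):
        ctx["verdict"] = INCIDENT            # established session plus a login on the host
    else:
        ctx["verdict"] = INVESTIGATE         # established session, no host evidence: pull content data
    return ctx


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_LINES)
    events = parse_host_logs(HOST_LOG_LINES)
    for line in ALERT_LINES:
        c = triage(line, sessions, events)
        print(f'{c["signature"]}: {c["src"]} -> {c["dst"]}: {c["verdict"]}')
```

Run on the constructed data, the first alert resolves to an unanswered SYN (S0, zero bytes back) and is scan noise worth suppressing, while the second alert with the identical signature sits on a 30-minute session that moved ~900 KB and was followed by an accepted password and a sudo tar of /etc on the target; that is the "what do I do now?" answer the alert alone cannot give. A verdict of `no-session` is itself a finding: it usually means the session sensor is not seeing the same traffic as the NIDS.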