REAL-WORLD LABS(R)
A low-frequency hum of routers and workstations permeated our lab as we launched an array of attacks against the targeted hosts. Surrounded by Unix workstations, Windows NT servers, Windows 95 clients, routers, switches, firewalls and approximately $100,000 worth of intrusion detection systems (IDS), we pounded away at our objective. Scanning, poking, prodding, exploiting...we pounded and pounded and pounded.
And while we saturated links, created thousands of sessions and blasted segments until the hubs red-lined, our IDSes kept on chugging. They endured almost everything we threw their way, carefully watching, inspecting and discarding every packet. Unfortunately, they also blithely inspected, discarded and overlooked the attack that remotely ripped the NT SAM database, containing all of the domain's user names and passwords, right out from under their noses.
Real Time, Real Threats
The threat of intrusion is real. Hacker penetrations have moved out of folklore status and into the mainstream. Sorting through the glossy marketing literature, it's easy to believe that without intrusion detection, your network is being led to the slaughterhouse. After our testing, we're convinced you may be heading there anyway.
Current IDS implementations are not the final answer to the threat of intrusion. They do not stop hackers dead in their tracks, and they certainly don't offer an all-encompassing security solution. IDSes aren't perfect; in fact, they're a long way from being polished. However, IDS technology can put an administrator in touch with what's going down on the network from a security perspective, in real time. Giving administrators the tools to see in areas where they were previously blind is invaluable. IDSes can be a significant asset in the administrator's repertoire, and their place in the enterprise is quickly becoming apparent.
As in many of our security product tests, in the end we determined we had an assortment of useful products that would have made for a remarkable solution if we somehow could have combined pieces of each into one package. Cisco Systems' NetRanger is quite the robust workhorse, and it has a strong set of attack signatures. AXENT Technologies' ID-Trak is by far the easiest to customize, and offers a simple solution to specific problems. Network Flight Recorder's NFR Intrusion Detection Appliance has a wonderful back end with a mighty scripting language....