Intrusion Detection Systems Can Work--With Effort
For Williamson, a network intrusion detection system (IDS) from Cisco is the key to staying on top of the network, and its potential abuses. Whenever any one of these IDS components spots a potential security threat (a virus, say, or an impending hacker attack), it notifies a central management console. If the threat is serious enough, the system automatically pages IT staff, who can deal with the attack by shutting off access, reconfiguring systems, and even identifying a hacker’s dorm room and calling campus security.
IDS: What Is It?
Like Arkansas State, many organizations are finding that firewalls, antivirus software and user authentication policies aren’t enough to keep networks safe. That explains the growing market for intrusion detection technology from established vendors such as Cisco Systems, Enterasys Networks and Internet Security Systems; new players including IntruVert, OneSecure and Recourse Technologies (Recourse was recently purchased by Symantec); and even the open-source IDS known as Snort.
In its simplest form, an intrusion detection system identifies and records potential security threats, such as someone scanning server ports or making repeated attempts to log in using random passwords. As such, it’s not a replacement for other security measures. "An IDS is like the video camera in a convenience store or a bank," says Stuart McClure, president and CTO of security consultancy Foundstone in Mission Viejo, Calif. A video camera doesn’t replace the locks on the door or the safe, but if someone breaks through those security measures, the camera provides a record that can help nab the perpetrators and buttress the security system against future attacks.
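As an added illustration (not from the article, and not code from Cisco, Snort or any other vendor named here), the following Python script runs over a few constructed log records and flags the two behaviours the paragraph names: one source touching many distinct server ports, and one source failing to log in repeatedly. The record format, the thresholds, the severity values and the "page staff only for high severity" rule are assumptions chosen for the example.

```python
"""Minimal network-style intrusion detection over constructed log records.

Added example, not the article's or any vendor's code. The record format
"timestamp src_ip dst_port event", the thresholds and the severity values
are all assumptions chosen for illustration.
"""
from collections import defaultdict, namedtuple

Alert = namedtuple("Alert", "kind src count severity")

# Constructed sample log: a password-guessing source, a port-scanning source
# and a benign user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 22 LOGIN_FAIL
10:00:02 203.0.113.5 22 LOGIN_FAIL
10:00:03 203.0.113.5 22 LOGIN_FAIL
10:00:04 203.0.113.5 22 LOGIN_FAIL
10:00:05 203.0.113.5 22 LOGIN_FAIL
10:00:06 203.0.113.5 22 LOGIN_FAIL
10:00:07 198.51.100.9 21 CONNECT
10:00:07 198.51.100.9 22 CONNECT
10:00:07 198.51.100.9 23 CONNECT
10:00:07 198.51.100.9 25 CONNECT
10:00:07 198.51.100.9 80 CONNECT
10:00:07 198.51.100.9 110 CONNECT
10:00:07 198.51.100.9 143 CONNECT
10:00:07 198.51.100.9 443 CONNECT
10:00:07 198.51.100.9 3306 CONNECT
10:00:07 198.51.100.9 8080 CONNECT
10:00:08 192.0.2.44 443 CONNECT
10:00:09 192.0.2.44 22 LOGIN_FAIL
10:00:10 192.0.2.44 22 LOGIN_OK
"""

FAILED_LOGIN_THRESHOLD = 5  # assumed: alert at five or more failures from one source
PORT_SCAN_THRESHOLD = 10    # assumed: alert when one source touches ten or more distinct ports


def parse_log(text):
    """Turn the whitespace-separated records into dicts; skip malformed or blank lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, port, event = parts
        events.append({"ts": ts, "src": src, "port": int(port), "event": event})
    return events


def detect(events, fail_threshold=FAILED_LOGIN_THRESHOLD,
           scan_threshold=PORT_SCAN_THRESHOLD):
    """Count login failures and distinct ports per source, then apply the thresholds."""
    failures = defaultdict(int)
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["port"])
        if e["event"] == "LOGIN_FAIL":
            failures[e["src"]] += 1
    alerts = []
    for src in sorted(ports):
        if failures[src] >= fail_threshold:
            alerts.append(Alert("REPEATED_LOGIN_FAILURE", src, failures[src], "high"))
        if len(ports[src]) >= scan_threshold:
            alerts.append(Alert("PORT_SCAN", src, len(ports[src]), "medium"))
    return alerts


def alerts_to_page(alerts):
    """The article's 'serious enough to page staff' rule, assumed here to mean high severity."""
    return [a for a in alerts if a.severity == "high"]


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(a)
    print("page staff for:", alerts_to_page(found))
```

Run as written it reports a PORT_SCAN for 198.51.100.9 and a REPEATED_LOGIN_FAILURE for 203.0.113.5, while the single mistyped password from 192.0.2.44 stays below the threshold; a real sensor would add a time window so that the same counts spread over a week do not trip the rule.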
Intrusion detection systems work in a number of ways. A network-based IDS relies on network sensors that monitor packets as they go by. Typically, a network-based IDS comprises sensors at network entry points (alongside a firewall, for instance) or at the boundaries between subnets with different security levels (such as between your LAN and your data center).
A host-based IDS, by contrast, monitors activity on specific servers or mainframe hosts by keeping an eye on the integrity of critical files, or by monitoring specific operating system events (such as suspicious error messages or unusual server processes).
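To make the host-based side concrete, here is an added Python example (not the article's, and not any product's code) that does the two things this paragraph describes: it fingerprints a set of critical files against a stored baseline and reports anything added, deleted or modified, and it compares the running process names against an allowlist. Files are simulated as a dict of path to bytes so the script runs offline; every path, file content, process name and the allowlist itself are constructed for the example.

```python
"""Host-style checks: file integrity and unexpected processes.

Added example, not the article's or any vendor's code. Files are simulated
as a dict of path -> bytes and the process list as plain names, so the
example runs offline; every path, content and process name is constructed.
"""
import hashlib

# Constructed baseline recorded when the host was known-good.
BASELINE_FILES = {
    "/etc/hosts.allow": b"sshd: 192.0.2.0/24\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/bin/login": b"\x7fELF original login binary (constructed)",
}

# Constructed later snapshot: a config edit, a replaced binary, a removed
# file and a new file; /etc/passwd is unchanged.
CURRENT_FILES = {
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/usr/bin/login": b"\x7fELF replaced login binary (constructed)",
}

EXPECTED_PROCESSES = {"sshd", "httpd", "cron", "syslogd"}  # assumed allowlist


def fingerprint(files):
    """Map each path to the SHA-256 of its content; this is what the baseline stores."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Report added, deleted and modified paths, in sorted path order."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append(("DELETED", path))
        elif path not in baseline:
            changes.append(("ADDED", path))
        elif baseline[path] != current[path]:
            changes.append(("MODIFIED", path))
    return changes


def unexpected_processes(running, expected=EXPECTED_PROCESSES):
    """Process names in the running set that the allowlist does not cover."""
    return sorted(set(running) - set(expected))


if __name__ == "__main__":
    for change in compare(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES)):
        print(change)
    print("unexpected:", unexpected_processes(["sshd", "httpd", "cron", "nc"]))
```

Only the hashes are kept between runs, so the baseline can be stored off the monitored host; the comparison still catches a replaced binary whose size and timestamp were preserved, which a simple metadata check would miss.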