Similar to virus scanners, network- and host-based IDS solutions also frequently make use of signature scanning, looking for unique data fingerprints that identify certain types of attacks.

The weakness of this approach is that signatures must be constantly updated to keep pace with the ever-evolving techniques of hackers. To address this shortcoming, some intrusion detection systems look for any network activity that lies outside a certain prescribed range of "safe" activities, an approach known as anomaly detection.

The problem with all intrusion detection systems is that they are not, and probably never will be, plug-and-play. Unlike firewalls, most intrusion detection systems require considerable technical smarts to set up and configure properly.

But the biggest management problem is the alarms. Every IDS, by its nature, generates alarms whenever it detects something that looks like suspicious activity. But every network is different, and computers aren’t very good at telling the difference between, say, the "I Love You" e-mail virus and an e-mail message from your systems administrator that is merely warning you about the virus. As a result, most intrusion detection systems err on the side of caution. Consequently, they generate lots of false alarms?as many as thousands per day in extreme cases.

"There’s a tendency by IDS vendors to show that their products work," says Lloyd Hession, chief security officer for Radianz, a New York City-based provider of IP network services to the financial industry. Hapless IT managers are then faced with a "massive overload of information," Hession says. Every one of those alarms is potentially something that your security staff will have to evaluate to determine whether it’s a legitimate use of your network or a hostile attack.

Over time, the staff that monitors your IDS will learn both how to sort real attacks from false alarms as well as how to tune the IDS to reduce false alarms. Arkansas State’s Williamson says his staff initially got paged by their IDS 30 to 40 times per day, but after the system had been running for a few months, the number dropped to just two or three per day. "It can take six months to tune an IDS to the point where you’ve eliminated false positives," says Michael Rasmussen, director of research in information security for Cambridge, Mass.-based Giga Information Group.

The Vendor Hype

Naturally, IDS vendors aren’t sitting still. Relatively new IDS companies, such as OneSecure and Intruvert, are combining signature- and anomaly-based intrusion detection techniques to increase the intelligence of their systems and even block attacks as they happen, rather than simply alerting the IT staff to the presence of attacks. Other vendors, such as ForeScout, use statistical analysis of your network’s normal traffic to automatically identify anomalous packets?a sort of self-tuning IDS. Still others, such as TippingPoint Technologies and Sourcefire, are throwing hardware at the problem, by building very fast, optimized IDS appliances that can analyze network traffic at much higher speeds (and with more complicated signature detection algorithms) than ordinary servers running IDS software can. Finally, the market leaders, including ISS and Cisco, continue to hone their offerings to improve manageability and the intelligence of their network sensors.