Tip

Evaluating enterprise intrusion detection system vendors

Selecting an intrusion detection and prevention system vendor can be a time-consuming task. Get help evaluating vendors and products with this list of must-ask questions. Plus, a comprehensive vendor list.

Careful planning must go into an enterprise's intrusion detection and intrusion prevention system purchase. There is no one-size-fits-all product, so all vendors and their offerings must be evaluated with specific questions in mind.

Below is a list of questions to help your enterprise evaluate potential vendors and products with its specific IDS/IPS needs in mind. Additionally, view a list of intrusion detection system vendors to keep in mind when selecting prospective candidates.

Questions to ask during vendor evaluation

  1. Given the assets that require IDS/IPS protection, the current network configuration and the proj­ect budget, where would the primary components of your IDS/IPS product or service typically be lo­cated? For example, does the IDS/IPS sensor sit directly behind the firewall or between the DMZ and the internal network? Are IDS/IPS sensors deployed inside the internal network? If so, how many and where?
  2. If the IDS/IPS project is part of a managed security service, how will IPS/IDS sensors be maintained, and what level of access will managed security ser­vice employees need to the customer's IDS/IPS sys­tem? Given compliance directives such as PCI DSS, which authentication methods, network traffic en­cryption methods and administrative audit controls are compatible with the managed security service?
  3. In a managed security service scenario, does the vendor -- through packet captures or other means -- have access to the network traffic flowing through the IDS/IPS sensor? Can this capability be disabled by the customer? Is the customer's network traffic routed through any of the vendor's networks or sys­tems other than the IDS/IPS?
  4. What kind of network events can be detected by the IDS/IPS product? What is the effectiveness of the system in detecting attacks like distributed de­nial-of-service attacks, network-based buffer over­flow attacks, network scans and botnet communica­tions? Does the system have data loss prevention, advanced malware detection and operating system vulnerability-assess­ment capabilities? Is packet capture an option?
  5. What kind of sensor management is necessary for the IDS/IPS sensors? Is it an appliance, software for a physical server, or a virtual machine? Can an ex­isting management product such as McAfee ePol­icy Orchestrator work in place of a new manage­ment console? What are the limitations of these approaches, in terms of reporting options and the number of sensors that they support? How will sen­sor management be updated and configured? Will it automatically detect sensor failure and how will these failures be handled? Are these sensors true high-availability products that automatically fail over? How will the network be affected should these sensors fail?
  6. Given the network throughput, how many and what kind of supporting devices -- such as network aggregators and IDS/IPS load balancers -- will be re­quired? Are these true high-availability products that automatically fail over? How will the network be affected should these devices fail? How will these supporting devices be managed?
  7. Can the proposed IDS/IPS product integrate with existing customer security controls, such as end­point host IPS, unified threat management-based IDS/IPS, or existing open source IDS/IPS products like SNORT?
  8. How will sensor data be correlated and analyzed? Will the product or service be reporting incidents to a third-party data aggregation platform, such as Splunk, or a security incident and event management product such as LogRhythm, HP ArcSight, McAfee NitroSecurity or Splunk Enterprise Secu­rity? How much human effort is required for analy­sis of the IDS/IPS data? How much analysis can be automated?
  9. How are IDS/IPS sensor operating system up­dates handled? Can they be automatically pushed or pulled? Is this a manual process and how much downtime is required to restart a sensor after an op­erating system update? Can attack signature updates be applied automatically and, if so, how frequently can this occur? How often are these signatures up­dated? How are the sensor OS and attack signature updates protected from man-in-the-middle attacks? Are any special firewall rules required for the up­dates to be received?
  10. How does the IDS/IPS architecture balance high network throughput, high availability and accurate detection of network-based threats? How are the intrusion detection and prevention systems' sen­sors tuned? Can they automatically adjust to new types of attacks without affecting network through­put?

Check out the winners of Information Security magazine's Readers' Choice Awards

Best of intrusion detection and prevention 2014

Best of intrusion detection and prevention 2013

Best of intrusion detection and prevention 2012

Vendors at a glance

Below is a representative list of intrusion detection and prevention vendors:

About the author:
Bill Hayes is a former oceanography student and military veteran, and a journalism school graduate. After flirting with computer game design in the 1980s, Hayes pursued a full-time career in IT support and currently works as a cybersecurity analyst for a Midwestern utility company, as well as a freelance expert consultant and writer.

Next Steps

Compare IDS and IPS vendors

Check out five free enterprise network IDS tools

Dig Deeper on Threat detection and response