
Network IDS: To Tailor, or Not to Tailor

Network IDS: To Tailor, or Not to Tailor (PDF, 1.78MB)
Published: 06 Mar, 2002
Created by: Jon-Michael Brook

Intrusion Detection Systems (IDS) identify attacks on a company's resources. As security requirements grow more demanding and resources scarcer, IDS vendors have tried several approaches to increase the throughput an IDS can handle. One of them is to cut resource use by reducing the number of rule sets or patterns searched for. This trimming of patterns, known as tailoring, is the greatest question mark hanging over network signature-based Intrusion Detection Systems. Products such as ISS's Real Secure, Intrusion.com's Secure Net, Cisco's Secure IDS (formerly Net Ranger), Symantec's NetProwler, the Navy's Shadow project, and the open source community's Snort can all limit system resource utilization through rule-based tailoring. The following discussion centers on the benefits and drawbacks of rule-based intrusion detection tailoring, and on why, overall, it is best to leave the tailoring of network IDS rule sets to the product vendors. If tailoring is required because of legacy product selection or unexpected network growth, be forewarned of the consequences: each signature dropped is a gap in what the sensor can detect. When tailoring does occur, make sure a process is in place to review, as completely as possible, every change that is made.
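The review process the abstract calls for can be made concrete. The following script is an added example written for this page; it is not code from the paper or from any of the products named above. It assumes rules in the plain Snort text format (one rule per line, with `msg`, `sid` and `classtype` options) and treats a rule commented out with a leading `#` as disabled. Given the full vendor rule set and the tailored one, it reports which signatures were removed or disabled, which local rules were added, and how much of each attack classification the tailored sensor still covers. The sample rules and sids are constructed placeholders, not real signatures.

```python
"""Diff a full Snort-style rule set against a tailored one and report the
detection gaps the tailoring introduced.

Hypothetical review script added for this page (not part of Snort or any
other product). Assumes one rule per line in the usual Snort text format;
a rule prefixed with '#' counts as present but disabled.
"""
import re
from collections import Counter

# Rule actions that identify a line as a rule rather than a plain comment.
ACTIONS = ('alert ', 'log ', 'pass ', 'drop ', 'reject ', 'sdrop ')

# Only the options the review cares about are extracted; other options
# (content, flags, pcre, ...) are left alone.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
CLASS_RE = re.compile(r'\bclasstype\s*:\s*([\w-]+)\s*;')


def parse_rules(text):
    """Return {sid: {'msg', 'classtype', 'enabled'}} for every rule line."""
    rules = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        disabled = stripped.startswith('#')
        body = stripped.lstrip('#').strip()
        if not body.startswith(ACTIONS):
            continue  # ordinary comment, not a disabled rule
        sid_match = SID_RE.search(body)
        if not sid_match:
            continue  # malformed rule without a sid; cannot be tracked
        msg = MSG_RE.search(body)
        cls = CLASS_RE.search(body)
        rules[int(sid_match.group(1))] = {
            'msg': msg.group(1) if msg else '',
            'classtype': cls.group(1) if cls else 'unclassified',
            'enabled': not disabled,
        }
    return rules


def tailoring_report(full_text, tailored_text):
    """Compare the active rules of both sets and summarize what was lost."""
    full = parse_rules(full_text)
    tailored = parse_rules(tailored_text)
    active_full = {s for s, r in full.items() if r['enabled']}
    active_tailored = {s for s, r in tailored.items() if r['enabled']}

    removed = sorted(s for s in active_full if s not in tailored)
    disabled = sorted(s for s in active_full
                      if s in tailored and not tailored[s]['enabled'])
    added = sorted(active_tailored - active_full)

    # Coverage per classification: fraction of the vendor's active rules in
    # that class that the tailored sensor still runs.
    lost_by_class = Counter(full[s]['classtype'] for s in removed + disabled)
    total_by_class = Counter(full[s]['classtype'] for s in active_full)
    coverage = {c: (total_by_class[c] - lost_by_class[c]) / total_by_class[c]
                for c in total_by_class}
    return {'removed': removed, 'disabled': disabled, 'added': added,
            'lost_by_class': dict(lost_by_class), 'coverage': coverage}


# Constructed sample rule sets (placeholder sids, not real signatures).
FULL_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample traversal"; content:"../"; sid:1000001; classtype:web-application-attack; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample cmd.exe"; content:"cmd.exe"; nocase; sid:1000002; classtype:web-application-attack; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample overflow"; content:"|90 90 90|"; sid:1000003; classtype:attempted-admin; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP sample sweep"; itype:8; sid:1000004; classtype:network-scan; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS sample zone transfer"; content:"|00 00 FC|"; sid:1000005; classtype:attempted-recon; rev:1;)
"""

# Tailored set: sid 1000002 disabled, 1000003 and 1000005 dropped entirely,
# one local rule (1000006) added.
TAILORED_RULES = """
# Local tailoring: FTP and DNS rules dropped, site runs neither service.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample traversal"; content:"../"; sid:1000001; classtype:web-application-attack; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sample cmd.exe"; content:"cmd.exe"; nocase; sid:1000002; classtype:web-application-attack; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP sample sweep"; itype:8; sid:1000004; classtype:network-scan; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL sample irc egress"; sid:1000006; classtype:policy-violation; rev:1;)
"""

if __name__ == '__main__':
    full = parse_rules(FULL_RULES)
    report = tailoring_report(FULL_RULES, TAILORED_RULES)
    for kind in ('removed', 'disabled'):
        for sid in report[kind]:
            print(f"{kind:8} sid {sid}: {full[sid]['msg']} [{full[sid]['classtype']}]")
    for sid in report['added']:
        print(f"added    sid {sid} (local rule, review separately)")
    for cls, frac in sorted(report['coverage'].items()):
        print(f"coverage {cls:24} {frac:.0%}")
```

Run against the real vendor file and the local copy instead of the embedded samples, and attach the output to the change record: a classification that drops to 0% coverage (here `attempted-admin` and `attempted-recon`) is exactly the blind spot the reviewer should have to justify in writing.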