There are currently hundreds of intrusion detection products on the market, and choosing one that fits is a headache for most security administrators and corporate technical decision makers. Below we discuss the basic principles to apply during procurement, judged by a product's overall performance.
1. How many attack signatures can the product detect? Can it be updated?
The main indicator of an IDS is the number of intrusion methods it can recognize. New vulnerabilities and attack methods appear almost every week, so how flexibly the product can be updated directly affects its usefulness. A good real-time detection product is updated regularly and can be updated either over the Internet or from a downloaded upgrade package.
2. What is the maximum traffic a network intrusion detection system can process (in packets per second, PPS)?
First analyze the network environment in which the network IDS will be deployed. On a 512 Kbit/s or 2 Mbit/s leased line there is no need for a high-speed detection engine; in a heavily loaded environment, by contrast, performance is a very important indicator. Note that the figure is given in packets per second rather than bandwidth because the engine's cost is per packet: a link full of small packets is far harder to keep up with than the same bandwidth carried in large packets.
3. Is the product easily evaded by attackers?
Common techniques for evading intrusion detection include IP fragmentation, TTL manipulation (segments crafted to expire before reaching the target so that only the sensor sees them), abnormal TCP segmentation, slow scanning, and coordinated attacks from multiple sources. Were these taken into account when the product was designed? A sensor that inspects packets one at a time, rather than reassembling the stream the target host will actually see, is defeated by the first three; the last two defeat detectors that count events only within a short fixed window or per single source.
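As an added illustration that is not part of the original article, the toy Python engine below contrasts a per-packet signature matcher with one that reassembles the TCP stream and discards low-TTL decoys. The two signatures, the HTTP request, the split points and the hop count to the target are all constructed for the demo, and the overlap policy (first copy wins) is an assumption about the protected host's TCP stack; a real sensor has to mirror whatever policy the target OS uses.

```python
from dataclasses import dataclass

# Constructed toy signatures for the demo; real rule sets are far larger.
SIGNATURES = [b"/cgi-bin/phf", b"/etc/passwd"]


@dataclass
class Segment:
    seq: int            # sequence number of the first payload byte
    payload: bytes
    ttl: int = 64       # IP TTL as observed by the sensor


def match_per_packet(segments):
    """Naive engine: searches for each signature inside individual segments."""
    return {sig for s in segments for sig in SIGNATURES if sig in s.payload}


def reassemble(segments, hops_to_target=None):
    """Rebuild the byte stream that the protected host will actually see.

    - If hops_to_target is known, segments whose TTL cannot reach the host
      are discarded: they are decoys that only the sensor sees.
    - Bytes are placed by sequence number, so splitting and reordering of
      segments do not matter.
    - On overlap the first copy wins. This is an assumed policy; the sensor
      must mirror the policy of the target OS or it can be fooled.
    """
    stream = {}
    for s in sorted(segments, key=lambda s: s.seq):
        if hops_to_target is not None and s.ttl <= hops_to_target:
            continue
        for i, byte in enumerate(s.payload):
            stream.setdefault(s.seq + i, byte)
    return bytes(stream[k] for k in sorted(stream))


def match_stream(segments, hops_to_target=None):
    """Reassembling engine: matches signatures against the rebuilt stream."""
    data = reassemble(segments, hops_to_target)
    return {sig for sig in SIGNATURES if sig in data}


def evasive_request(hops_to_target=8):
    """Constructed attacker traffic: one HTTP request split so that no segment
    holds a whole signature, sent out of order, with a low-TTL decoy that
    claims harmless bytes for the middle of the stream."""
    req = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
    cut1, cut2 = 8, 40                  # both cuts fall inside a signature
    decoy = Segment(seq=cut1, payload=b"X" * (cut2 - cut1),
                    ttl=hops_to_target - 1)    # expires before the host
    return [
        Segment(seq=cut2, payload=req[cut2:]),      # last piece first
        decoy,                                      # seen by sensor only
        Segment(seq=0, payload=req[:cut1]),
        Segment(seq=cut1, payload=req[cut1:cut2]),  # real middle piece
    ]


if __name__ == "__main__":
    traffic = evasive_request()
    print("per-packet:          ", match_per_packet(traffic))
    print("stream, no TTL check:", match_stream(traffic))
    print("stream, TTL check:   ", match_stream(traffic, hops_to_target=8))
```

The per-packet matcher sees nothing, and a reassembling sensor that does not know the path length to the target is fooled by the decoy into reconstructing a harmless request; only the sensor that drops segments which cannot reach the host recovers both signatures. That is the practical meaning of asking whether evasion was "in mind" at design time.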
4. Can custom anomalous events be defined?
An organization's special monitoring requirements can only be met through user-defined monitoring policies. An excellent IDS product must offer flexible policy customization, including policies keyed on services, source hosts, destination hosts, ports, keywords and events.
5. Is the product's system architecture reasonable?
A mature product must integrate three kinds of sensor: 100 Mbit/s network-based, gigabit network-based, and host-based.
Traditional IDS mostly uses a two-tier structure, "console → detector". Some advanced IDS products have begun to deploy a three-tier architecture, "console → event collector + security database → detector". For large networks the three-tier structure makes distributed deployment and centralized management easier, so that security decisions can be made centrally. A product without remote management capability is essentially unusable on a large network.
6. What are the product's false-positive and false-negative rates?
Some IDS products issue large numbers of false alarms, and false alarms mask real attacks. Such products repeatedly crash under the heavy load of false alarms, and when a real attack occurs some cannot capture it at all, while in others the genuine report is mixed in with the false ones and is easily overlooked. An overly complex interface makes disabling false alarms difficult. Almost all IDS products generate many false alarms in their default configuration, which causes users considerable trouble.
7. Is the system itself secure?
The IDS records an enterprise's most sensitive data and must have self-protection mechanisms so that it does not itself become a target for attackers.
8. What is the product's real-time monitoring performance?
The network load generated by IDS communication must not affect normal network services. Data must be analyzed in real time; otherwise the network cannot be protected while an attack is in progress. The maximum bandwidth at which the network intrusion detection product still works correctly must therefore be taken into account.
9. Is the system easy to use?
Ease of use covers five aspects:
Interface - a fully Chinese-language interface that is easy to learn and operate.
Help - the help text for an alarm event can be viewed immediately while the abnormal event is being monitored, and the product help is reachable in several ways from the online help.
Policy editing - is a separate policy editor provided? Can several policies be edited at once? Can policies be printed?
Log reports - are flexible report customization capabilities provided?
Alarm event optimization - are alarm events consolidated so that users are freed from massive logs? An advanced IDS merges similar events occurring within a set period into a single alarm, so the log the user faces is clearer and important alarms are less likely to be missed.
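The merging behaviour described in the last item, as an added Python example that is not part of the original article: alerts with the same source, destination and signature that arrive within a time window are collapsed into one summary line, while a different signature or a recurrence outside the window starts a new line. The alert lines, their field layout and the 60-second window are constructed for the demonstration; a real sensor's alert format and window size would differ.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real sensor output), one per line:
# "<ISO timestamp> <src> <dst> <signature name>". A port-scan signature fires
# repeatedly, a single high-value web alert sits in the middle of the flood,
# and the scan resumes after a five-minute pause.
RAW_ALERTS = """\
2024-03-01T10:00:00 10.0.0.5 192.168.1.10 SCAN SYN FIN
2024-03-01T10:00:01 10.0.0.5 192.168.1.10 SCAN SYN FIN
2024-03-01T10:00:02 10.0.0.5 192.168.1.10 SCAN SYN FIN
2024-03-01T10:00:03 10.0.0.5 192.168.1.10 WEB-CGI phf access
2024-03-01T10:00:04 10.0.0.5 192.168.1.10 SCAN SYN FIN
2024-03-01T10:00:05 10.0.0.5 192.168.1.11 SCAN SYN FIN
2024-03-01T10:05:00 10.0.0.5 192.168.1.10 SCAN SYN FIN
"""


def parse_alerts(text):
    """Parse the constructed line format into dicts with a datetime 'ts'."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sig = line.split(" ", 3)
        alerts.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "sig": sig})
    return alerts


def aggregate(alerts, window=timedelta(seconds=60)):
    """Merge alerts with the same (src, dst, signature) that arrive within
    `window` of the group's first event into one summary record.

    A different signature, or the same signature outside the window, starts
    a new group, so a rare alert is never folded into a flood of scan alerts
    and a resumed scan is reported again.
    """
    open_groups = {}    # key -> summary still accepting members
    summaries = []      # in order of first appearance
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["src"], a["dst"], a["sig"])
        g = open_groups.get(key)
        if g is None or a["ts"] - g["first_seen"] > window:
            g = {"src": a["src"], "dst": a["dst"], "sig": a["sig"],
                 "first_seen": a["ts"], "last_seen": a["ts"], "count": 0}
            open_groups[key] = g
            summaries.append(g)
        g["last_seen"] = a["ts"]
        g["count"] += 1
    return summaries


def format_summary(s):
    """One operator-facing line per merged group."""
    return (f"{s['first_seen']:%H:%M:%S}-{s['last_seen']:%H:%M:%S} "
            f"{s['src']} -> {s['dst']} {s['sig']} x{s['count']}")


if __name__ == "__main__":
    raw = parse_alerts(RAW_ALERTS)
    merged = aggregate(raw)
    print(f"{len(raw)} raw alerts -> {len(merged)} lines")
    for s in merged:
        print(format_summary(s))
```

Seven raw alerts become four lines: the scan burst collapses to one line with a count of four, the single web alert keeps its own line instead of being buried, the scan against the second host is listed separately, and the scan that resumes five minutes later is reported again rather than silently absorbed into the earlier group.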
10. What does it cost to update and maintain the signature database?
Like anti-virus software, an IDS signature database must be updated continually to detect emerging attack methods, so the price and frequency of those updates are part of the product's real cost.
11. Has the product passed evaluation by national authoritative institutions?
The main authoritative evaluation bodies include the National Information Security Evaluation and Certification Center and the Ministry of Public Security Computer Information System Security Product Quality Supervision and Inspection Center.
Beyond these, many other factors need to be weighed when purchasing IDS products; the points above are only the basics. Since every user's situation differs, each should weigh them against its own security requirements.