Letter to the Editor

I wish to correct several misunderstandings and false assumptions presented in the staff editorial entitled “Network insecurity.” First, Lawrence does have an intrusion detection system. However, intrusion detection systems do exactly as their name implies: they detect; they do not prevent. They require constant monitoring and human intervention in response to threats. In mid-2003, the Gartner Group, a well-respected provider of research and analysis on the information technology industry, declared the IDS market a failure, predicting these systems would become obsolete by 2005. While their prediction hasn’t quite come true, they point out several failings of IDSs, the first of which was a rate of false positives and negatives high enough to make it difficult to gather accurate information. This, in particular, has improved, but acting automatically upon alerts is not without some risk. Vendors now tout intrusion prevention systems (IPS, yet another acronym), which must operate inline. That is, all network traffic passes through such a system and is evaluated in real time. If it is deemed to pose a threat, it can be dropped, thereby preventing the threat from spreading or affecting other parts of a network. This, Lawrence does not have, and it seems to be what you implied an IDS can do. There has been some discussion about acquiring an intrusion prevention system, but no conclusions have yet been reached.
We use an IDS to help us identify sources of possible trouble. Using these tools we are able to pinpoint student-owned computers that exhibit behavior typical of those infected by viruses. You should know that our network itself is well able to withstand loads far in excess of what was seen earlier this month, but our Internet connection cannot, and how our Internet connection performs is often perceived to be the equivalent of Lawrence’s network from the perspective of students. Also, some types of activity can target certain types of services, such as web servers. This can result in a denial of service when for example, a web server is so busy answering requests due to constant probing that it can no longer perform any useful work. This can also make it appear as though a network is non-responsive.
I hope this information helps clarify several things.

Robert Lowe
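To illustrate the distinction the letter draws, here is an added example (not part of the letter or of Lawrence's systems) contrasting a passive sensor that only alerts with an inline device that evaluates each flow as it passes and drops the ones it flags; the flow records, the probing threshold and the allowlist are constructed assumptions, and the allowlist shows one way to contain the false-positive risk of acting automatically.

```python
from collections import Counter

# Constructed sample flow records, not real traffic: (source host, destination port).
# 10.0.5.12 sends six requests to the web server; the others are ordinary traffic.
SAMPLE_FLOWS = [
    ("10.0.5.12", 80), ("10.0.5.12", 80), ("10.0.5.12", 80),
    ("10.0.5.12", 80), ("10.0.5.12", 80), ("10.0.5.12", 80),
    ("10.0.7.3", 80), ("10.0.7.3", 443), ("10.0.9.40", 22),
]

# Hypothetical rule: more than this many web-port requests from one host in the window
# counts as constant probing of the kind that can exhaust a web server.
PROBE_THRESHOLD = 5
WEB_PORTS = (80, 443)


def flag_probing(flows, threshold=PROBE_THRESHOLD):
    """Return the set of source hosts whose web-port request count exceeds the threshold."""
    counts = Counter(src for src, port in flows if port in WEB_PORTS)
    return {src for src, n in counts.items() if n > threshold}


def ids_mode(flows):
    """Passive sensor: every flow reaches the server; flagged hosts only produce alerts
    for a human to act on."""
    alerts = [f"ALERT possible probing from {src}" for src in sorted(flag_probing(flows))]
    return list(flows), alerts


def ips_mode(flows, threshold=PROBE_THRESHOLD, allowlist=frozenset()):
    """Inline device: flows are evaluated one at a time as they pass through, and once a
    host exceeds the threshold its further web-port flows are dropped before reaching the
    server. Hosts on the allowlist are never dropped, so a known busy but legitimate
    client is not cut off by a false positive."""
    counts = Counter()
    forwarded, dropped = [], []
    for src, port in flows:
        if port in WEB_PORTS:
            counts[src] += 1
        over_limit = port in WEB_PORTS and counts[src] > threshold
        if over_limit and src not in allowlist:
            dropped.append((src, port))
        else:
            forwarded.append((src, port))
    return forwarded, dropped
```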