11 principles for selecting an intrusion detection product

Source: Internet
Author: User

At present there are hundreds of intrusion detection products on the market, large and small, and choosing the right one is a headache for many security managers and enterprise technology decision-makers. Below we discuss the basic principles of the procurement process in terms of the products' overall performance.

1. How many attacks can the product detect? Does it support upgrades?

The main indicator of an IDS is the number of intrusion methods it can discover. Almost every week there are new vulnerabilities and attack methods, so the flexibility of the product's upgrade mechanism directly affects its usefulness. A good real-time detection product should be upgraded regularly, either over the Internet or locally by downloading an upgrade package.

2. For a network intrusion detection system, what is the maximum processing capacity (in packets per second, PPS)?

First analyze the network environment in which the system will run: on a 512K or 2M line there is no need for a high-speed detection engine, but in a higher-load environment performance is a very important indicator.

3. Is the product vulnerable to evasion by attackers?

Attackers commonly use methods such as fragmentation, TTL spoofing, abnormal TCP segmentation, slow scanning and coordinated attacks to avoid intrusion detection. Check whether the product was designed with these in mind.
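As an added illustration (not part of the original article) of why abnormal TCP segmentation defeats a naive detector, the following constructed example compares a per-segment signature match with one that reassembles the stream first; the signature string, the segment sizes and the Segment class are all assumptions made for the demonstration.

```python
# Added example: per-segment matching misses a signature that is split across
# TCP segments; reassembling the stream before matching closes that gap.
# All data here is constructed for illustration.
from dataclasses import dataclass

# Constructed placeholder for the byte pattern an IDS rule would look for.
SIGNATURE = b"SIG_TEST_PATTERN"

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def match_per_segment(segments):
    """Naive engine: inspects each segment in isolation."""
    return any(SIGNATURE in s.payload for s in segments)

def reassemble(segments):
    """Order payload bytes by sequence number and join them. Where segments
    overlap or repeat (another common evasion), the first copy seen for a
    given offset wins, mirroring a fixed reassembly policy."""
    stream = {}
    for s in sorted(segments, key=lambda s: s.seq):
        for i, b in enumerate(s.payload):
            stream.setdefault(s.seq + i, b)
    return bytes(stream[o] for o in sorted(stream))

def match_reassembled(segments):
    """Stream-aware engine: matches against the reassembled byte stream."""
    return SIGNATURE in reassemble(segments)

def split_stream(data, seq0=1000, sizes=(6, 5, 5)):
    """Constructed helper: cut `data` into small segments and deliver them
    out of order, as a detector on the wire might actually see them."""
    segs, pos = [], 0
    for n in sizes:
        segs.append(Segment(seq0 + pos, data[pos:pos + n]))
        pos += n
    segs.append(Segment(seq0 + pos, data[pos:]))
    return list(reversed(segs))

if __name__ == "__main__":
    segs = split_stream(b"GET /" + SIGNATURE + b" HTTP/1.0")
    print("per-segment match:", match_per_segment(segs))   # False
    print("reassembled match:", match_reassembled(segs))   # True
```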

4. Can exception events be customized?

Special monitoring requirements can only be met through the user's own custom monitoring policies. An excellent IDS product must provide flexible user-defined policy capabilities, including policies for services, visitors, ports, keywords and responses to events.

5. Is the product's system architecture reasonable?

A mature product must integrate three technologies and systems: network-based detection (including on gigabit networks) and host-based detection.

Traditional IDS products mostly use a two-tier structure, "console → detector". Some advanced IDS products have begun to use a three-tier architecture, "console → event collector + security database → detector". For large networks the three-tier structure makes distributed deployment and centralized management easier, which improves the concentration of security decision-making. Without remote management capability a product is basically unusable on a large network.

6. What are the product's false positive and false negative rates?

Some IDS systems emit many false alarms, and false alarms often mask real attacks. Such products repeatedly collapse under the weight of false alarms; when a real attack occurs, some IDS products cannot capture it at all, while in others the real alert is mixed in with false alarms and easily missed. An overly complex interface makes turning off false alarms very difficult, and almost all IDS products generate a lot of false alarms in their default settings, causing many problems for users.

7. Is the system inherently secure?

An IDS records the enterprise's most sensitive data, so it must have a self-protection mechanism to prevent it from becoming a hacker's target.

8. How good is the product's real-time monitoring performance?

The network load caused by IDS communication must not affect normal network services, and data must be analyzed in real time; otherwise the network cannot be protected when an attack occurs. The maximum bandwidth of a network intrusion detection product must therefore be considered.

9. Is the system easy to use?

The ease of use of the system includes five aspects:

Easy-to-use interface - an all-Chinese interface that is easy to learn, easy to operate and flexible.

Ease of use - the ability to view help for an alert event immediately when an exception event is detected, and to consult product help in a variety of ways through online help.

Easy policy editing - does the product provide a separate policy editor? Can multiple policies be edited at the same time? Does it provide policy printing?

Easy log reporting - does the product provide flexible report customization?

Alarm event optimization technology - whether alarm events are optimized so that the user is freed from the mass of logs. An advanced IDS can merge similar events that occur within a certain period into a single alarm, so that the log information the user faces is clearer and important alarm information is not missed.
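To show what the alarm merging described above does in practice, here is an added example (not code from the original article) that collapses repeated alerts sharing the same source, destination and signature within a time window; the log line format, field names and sample values are constructed for the demonstration.

```python
# Added example: merge similar alarm events that occur within a time window
# into one record with a count, first-seen and last-seen time.
# Log format and sample values are constructed, not from any real product.
from datetime import datetime, timedelta

# Constructed sample alerts: timestamp, source, destination, signature id, msg.
SAMPLE_ALERTS = """\
2024-03-01T10:00:00 src=10.0.0.5 dst=10.0.0.9 sig=2001 msg=port-scan
2024-03-01T10:00:02 src=10.0.0.5 dst=10.0.0.9 sig=2001 msg=port-scan
2024-03-01T10:00:05 src=10.0.0.5 dst=10.0.0.9 sig=2001 msg=port-scan
2024-03-01T10:00:07 src=10.0.0.7 dst=10.0.0.9 sig=3010 msg=bad-login
2024-03-01T10:03:00 src=10.0.0.5 dst=10.0.0.9 sig=2001 msg=port-scan
"""

def parse_alert(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def merge_alerts(text, window=timedelta(seconds=60)):
    """Collapse alerts sharing (src, dst, sig) whose timestamps fall within
    `window` of the first alert of the group. A later alert outside the
    window opens a new group, so a burst and a recurrence are kept apart.
    Returns merged records in order of first occurrence."""
    merged, open_groups = [], {}      # open_groups: key -> index into merged
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        key = (a["src"], a["dst"], a["sig"])
        idx = open_groups.get(key)
        if idx is not None and a["ts"] - merged[idx]["first"] <= window:
            merged[idx]["count"] += 1
            merged[idx]["last"] = a["ts"]
        else:
            open_groups[key] = len(merged)
            merged.append({"src": a["src"], "dst": a["dst"], "sig": a["sig"],
                           "msg": a["msg"], "first": a["ts"], "last": a["ts"],
                           "count": 1})
    return merged

if __name__ == "__main__":
    for m in merge_alerts(SAMPLE_ALERTS):
        print(f"{m['first']:%H:%M:%S}-{m['last']:%H:%M:%S} {m['src']} -> "
              f"{m['dst']} sig={m['sig']} {m['msg']} x{m['count']}")
```

With the sample above, five raw lines become three merged records: the three-alert scan burst, the single bad-login, and the later scan that falls outside the 60-second window.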

10. What is the cost of upgrading and maintaining feature libraries?

Like anti-virus software, the intrusion detection feature library must be constantly updated to detect new attack methods.

11. Has the product been evaluated by the state authorities?

The main authoritative evaluation agencies are the National Information Security Assessment and Certification Center and the Ministry of Public Security's Computer Information System Security Product Quality Supervision and Testing Center.

In addition, purchasing an IDS product requires considering a number of other factors; the above are only the basic points. Because each user's actual situation is different, users should weigh these points comprehensively against their own security needs.
