Network World

Security debate rages

Intrusion-detection critics and backers still sparring months after Gartner salvo.
By Ellen Messmer, Network World, 10/06/2003

Strong aftershocks continue from the Gartner report that declared intrusion-detection systems dead and predicted the market for such products would be gone by 2005.

While the debate sparked by Gartner's assessment remains unresolved, reverberations are evident in the product road maps of IDS vendors. The companies are developing systems that can actively block attacks and passively detect them, a key recommendation in Gartner's report in June. Debates also are raging in corporate and government IT departments about whether to buy IDS products.

Gartner's Vice President of Research Richard Stiennon stands behind his report's controversial conclusion - despite conceding a point or two to critics. And he remains surprised by the intensity of the firestorm, which culminated in his being challenged in July before a collection of concerned federal agencies and unhappy IDS vendors.

"It got a little ugly," Stiennon says. "Some IDS vendors said [intrusion-prevention system] vendors were bribing me."

The "IDS is dead" report, as it's now widely called, stated IDS sensors used for passive monitoring of network traffic are a waste. According to Gartner, that's because they generate a lot of false alerts about attacks and are a round-the-clock management burden for IT. Declaring IDS a "market failure," the report advised Gartner clients to start blocking attacks outright instead of just monitoring for them, something the newer firewall-like devices - sometimes called intrusion-prevention systems (IPS) - can do. The number of IPS products is growing, though they've been slow to catch on with buyers.

The Gartner report prompted such an intense argument among IT officials at the Department of Defense about buying IDS that the Office of the Secretary of Defense organized a meeting at the Pentagon in July. IT representatives and procurement officials from the Army, Navy, Air Force, Federal Aviation Administration, and departments of Energy, Justice and Homeland Security were also in attendance. Also included were a handful of IDS vendors and analysts.

Stiennon had no idea he'd be facing such a crowd.

"I didn't know the industry vendors would also be there," he says. "As I was walking down the hall to the room, they let me know."

According to meeting participants, Arbor Networks, Internet Security Systems (ISS), NFR Security, NetForensics and Sourcefire had been invited to represent the IDS point of view. In addition, two independent analysts, Greg Shipley, CTO at consultancy Neohapsis, and Peter Kuper, industry analyst at SG Cowen, were part of the roundtable discussion.

After Stiennon presented his "IDS is dead" arguments, he quickly came under attack by government personnel who had bought IDSs and were having to explain their purchases to procurement officials, as well as industry vendors exasperated that Stiennon was making such a sweeping condemnation.

"People were saying 'Gartner makes statements about tracking hype, but who tracks Gartner?' Another said Gartner had an agenda to grab press," Shipley says of the meeting.

But Gartner's criticism struck a nerve with IT staff struggling to make IDS work and still dealing with worms and other threats, especially with internal software requiring patching. "The Pentagon personnel were saying, 'We spend all this money on this security software and we still have problems,'" Shipley says.

Stiennon "was a little ganged up on," Kuper says, adding that he found Gartner's report on IDS to be "alarmist," "irresponsible" and based on outdated information about IDS technology, which he says is improving.

Kuper notes that the Gartner report might be having a freezing effect on IDS spending as IT departments are pressed harder to defend buying such products. But he also doubts customers would rush to buy firewall-based IPS offerings if they are already worried about false alerts with IDS.

As for the debate, little has been resolved.

"The Gartner guys aren't wrong in the issues they identified," says Marty Roesch, president of Sourcefire, and creator of the open source IDS software Snort. Roesch, who attended the meeting at the Pentagon, acknowledges that false alerts are a problem the industry needs to address. But, he adds, Gartner is "wrong in their conclusions. To recommend you don't need IDS anymore is ludicrous."
