What Are Some of the Problems with a UTM IDP System?

This is another great, open-ended question to get you talking. You have to be aware of some of the known problems with IDP (intrusion detection and prevention) systems, whether the IDP is a standalone appliance or a module inside a UTM box.

One of the major ones is missing new attacks, often called “zero-day” attacks. A signature-based IDP can only flag traffic that matches a signature it already has, so an attack the vendor has never seen passes through untouched. Sure, an IDP receives periodic signature updates from the vendor, but how can you be proactive with that type of solution? Attackers morph their payloads (encoding tricks, case changes, different shellcode) many times before a public update is available, so even a known attack can slip past a signature that was written for its original form. The vendor response to this question is that “anomaly detection” will be the proactive mechanism of detection. But you know that these IDP systems depend on an accurate baseline of data to define “normal” behavior. As all programmers are aware, garbage in equates to garbage out: if your baseline was learned from traffic that already contained attacks or misconfigurations, the system will treat that activity as normal and every comparison it makes will be garbage. The practical caveat is to build the baseline from a known-clean window and rebuild it whenever the network changes, because a stale baseline produces false positives on legitimate new services.

Another major problem is performance. Many early IDP systems had problems handling detection at line rate. As signature databases grow, so does the processing requirement of the IDP system, and an inline device that cannot keep up either drops traffic or stops inspecting it; whether it fails open or fails closed under load is a setting you should know for any IPS you operate.

A good response to this question is to admit that an IDP has these faults but is only a tool for the engineer to use. Make the interviewer aware that you know the problems and that you are prepared to learn that organization’s network in depth. Mention experience writing your own signatures and where you have had success adapting to new attacks.
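The two detection weaknesses discussed above (a signature that a morphed payload evades, and an anomaly baseline learned from traffic that already contains the attack) are easy to reproduce in a toy IDP. The following is an added example written for this page, not code from the book or from any vendor's product. The signature, the HTTP requests and the per-minute connection counts are all constructed for the example, and the normalization step covers only the specific morphs shown; a real engine does far more.

```python
"""Toy IDP showing two ways a signature/anomaly system misses an attack."""
import re
import statistics
from urllib.parse import unquote

# --- Part 1: signature detection versus a morphed payload -----------------

# Hypothetical signature for a path-traversal probe: the raw byte pattern
# a minimal engine would look for in the request.
SIGNATURE = b"/etc/passwd"

def naive_match(payload: bytes) -> bool:
    """Exact byte match, the way a minimal signature engine works."""
    return SIGNATURE in payload

def normalize(payload: bytes) -> bytes:
    """Undo the morphs used below: percent-encoding (applied twice to catch
    double encoding), mixed case and repeated path separators."""
    text = payload.decode("latin-1")
    for _ in range(2):
        text = unquote(text)
    text = text.lower()
    text = re.sub(r"/+", "/", text)   # '//etc' -> '/etc'
    return text.encode("latin-1")

def normalized_match(payload: bytes) -> bool:
    """Same signature, applied after normalization."""
    return SIGNATURE in normalize(payload)

# Constructed requests: one benign, the original attack, two morphed copies.
REQUESTS = {
    "benign": b"GET /index.html HTTP/1.1",
    "attack": b"GET /../../etc/passwd HTTP/1.1",
    "morph_case_encoding": b"GET /../../%45tc/PASSWD HTTP/1.1",
    "morph_double_encoding": b"GET /../..%252fetc%252fpasswd HTTP/1.1",
}

def run_signatures(matcher) -> dict:
    """Run one matcher over every constructed request; True means 'alert'."""
    return {name: matcher(payload) for name, payload in REQUESTS.items()}

# --- Part 2: anomaly detection with a clean versus a poisoned baseline ----

# Constructed per-minute outbound connection counts for one host.
# Minutes 0-19 are quiet; minutes 20-23 are a port scan (the "attack").
CLEAN_WINDOW = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 3, 4, 2, 3, 4, 3, 5, 2, 4]
SCAN = [180, 210, 195, 205]
TRAFFIC = CLEAN_WINDOW + SCAN

def baseline(samples):
    """Model 'normal' as the mean and standard deviation of the window."""
    return statistics.mean(samples), statistics.pstdev(samples)

def alerts(samples, mean, stdev, k=3.0):
    """Indices of samples more than k standard deviations above the mean."""
    return [i for i, x in enumerate(samples) if x > mean + k * stdev]

def detect(training_window, live_traffic):
    """Learn the baseline from training_window, then score live_traffic."""
    mean, stdev = baseline(training_window)
    return alerts(live_traffic, mean, stdev)

if __name__ == "__main__":
    print("naive signature:     ", run_signatures(naive_match))
    print("normalized signature:", run_signatures(normalized_match))
    # Baseline learned from a clean window flags the scan minutes.
    print("clean baseline alerts:   ", detect(CLEAN_WINDOW, TRAFFIC))
    # Baseline learned from a window that already contains the scan
    # absorbs it into "normal" and raises nothing: garbage in, garbage out.
    print("poisoned baseline alerts:", detect(TRAFFIC, TRAFFIC))
```

The naive matcher catches only the original request; the same signature applied after normalization catches both morphed copies, which is the kind of signature work the interviewer wants to hear about. In the second part, the scan lifts the poisoned baseline's mean and standard deviation so far that its own samples fall under the threshold, so the detector stays silent on exactly the traffic it was supposed to find.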