
More intrusion-detection options emerge



A handful of established security vendors and start-ups this week are parading a range of new intrusion-detection systems that will broaden the choices in vulnerability-assessment tools and network security monitoring.

Symantec is upgrading host-based vulnerability-assessment software called Enterprise Security Manager (ESM) to receive live updates from the Symantec Web site when new vulnerabilities affecting any of 55 different operating systems - including Linux, NetWare, Windows NT/2000/XP and Unix - are discovered. A product Symantec acquired when it purchased Axent last year, ESM previously had to be updated manually. With automatic updating in ESM 5.5, which ships this week, Symantec will be matching competitors BindView and Internet Security Systems (ISS), whose tools already support automatic updates.

"A vulnerability-assessment tool is only as good as the last time you updated it," says Ronald Van Geijn, a Symantec product manager. ESM includes a management console that keeps track of vulnerabilities detected in up to 2,000 servers or workstations. ESM agent software has to be installed on the hosts to enforce security policy for password and file use, and report to the ESM manager.

Pricing starts at $2,000 for the manager console, while server agent software costs $1,000 and workstations $100 each. Symantec says future releases will include ESM agents for Oracle, DB2 and SQL Server databases, Check Point's FireWall-1 and Cisco routers.

New York start-up Application Security launches this week with a network-based scanning tool called AppDetective for Oracle, which can locate Oracle servers within a network and pinpoint security vulnerabilities through penetration testing.

The tool, which runs on Windows NT/2000, costs $200 per device scanned.

Application Security is also working on application-layer scanners for Lotus Notes, SQL Server and Exchange. The start-up is competing against Network Associates with its Cybercop product and ISS with its Internet Scanner.

Another start-up, security consultancy Foundstone, is branching out into penetration testing by providing a hosted application to test Web applications, particularly those used for e-commerce. With the service called FoundScan, Foundstone will compete against ISS, Qualys and Vigilante, which all offer hosted services for scanning e-commerce applications and devices such as firewalls.

"[FoundScan] is looking for the highest-risk problems, those easy to exploit and that grant administrative access," says Dave Cole, Foundstone's director of managed security services.

Running comprehensive scans can be time-consuming if the tool has to look for every known vulnerability, Cole says. Selective scanning allows the process to be accomplished in a "reasonable time frame."

The FoundScan service costs $5,000 to $20,000. Rhonda McLean, Bank of America's senior vice president for corporate information security, says the bank has started using the FoundScan service to get "a continuous and complete picture" of the security of its computing resources.

According to a poll of almost 1,000 information-technology managers conducted by research firm IDC, about half have begun using intrusion-detection systems, while the rest are kicking the tires on the ever-growing number of products and hosted services for vulnerability assessment and monitoring (see graphic).

Johns Hopkins University uses ISS' network-based RealSecure to monitor its large intranet, which includes more than 100 Cisco Catalyst switches, for signs of suspicious activity from either intruders or university users attempting unauthorized activities.

But Johns Hopkins lead engineer Alan Wilkins says he has to link together four RealSecure IDS monitors via Top Layer Networks' load-balancing switch AppSafe to ensure all IP packets are inspected. That's because one ISS monitor alone can't deal with more than 200 megabits of traffic at one time. AppSafe also handles load balancing for firewalls, Web server traffic management and Remote Authentication Dial-In User Service access-control devices.

"The way these IDS vendors like ISS and NFR designed their products is a sore point with network architects," Wilkins says. "A single IDS probe will drop half the data." As a consequence, the traffic isn't run through the IDS at all.

This week, Top Layer is releasing an appliance designed specifically for the load balancing of network-based IDS. Next year Top Layer plans to ship a second product, called Attack Mitigator, for alerting managers to denial-of-service attacks and filtering out attack traffic.

Top Layer's IDS Balancer, with 12 Fast Ethernet connections, costs $12,000; with two Gigabit Ethernet and 12 Fast Ethernet connections, $20,000. Attack Mitigator will start at $9,000 for four to eight Fast Ethernet connections or $13,000 for two Gigabit and 12 Fast Ethernet connections.


Copyright, 1994-2006 Network World, Inc. All rights reserved.