- Steve Jobs is a man of a few words
- Internet routing blasts into space
- 15 free downloads to pep up your old PC
- IBM smartphone software translates 11 languages
- New attack fells Internet Explorer
 |
|
|
|
|
|
|
 |
 |
 |
||||
 |
 |
 |
 |
|||
 |
 |
 |
||||
 |
||||||
|
During the month of October, Chris da Silva, network manager at California State University in Hayward, spent 80% to 90% of his time combating network intrusions.
"My overall job here is maintaining the internal campus network, but most of my time then was spent dealing with security," he says. "And that included no-sleep nights."
The overtime was caused by of a flood of denial-of-service (DoS) attacks that occurred after da Silva and his staff thwarted some hackers trying to gain access to the network. Luckily for da Silva, late in the month the school began testing IntruVert Networks’ IntruShield 2600, an intrusion-prevention appliance that not only detects intrusion attempts but also blocks them. He put the device inline, set it to reset the offending connections and saw the DoS attempts and resultant network congestion decreased by half. "The change was instantaneous. [IntruShield] shut down all those ‘bots’ the hackers had hammering on us," he says.
Now da Silva says he spends 50% less time chasing down incidents than he did before installing IntruShield.
The power of one
Intrusion prevention is a new breed of security tool that combines the powers of intrusion-detection systems (IDS), firewall, antivirus and vulnerability assessment wares. The idea is to reduce the false positives that hamper so many of today’s IDS products and to take the next step: blocking intrusions in real time, before they hit the network.
Because the tools are new, they aren’t perfect. Da Silva says false positives can be a problem. "In the default threshold mode for SYNs [where hosts open up connections to other hosts], IntruShield will trigger a false positive if you have a busy mail server with a ton of SYNs in a certain amount of time," he says.
But these tools also can learn the network norm over time, curtailing false positives as a result. "You can set IntruShield to constantly update the activity that’s going on and reset its thresholds," da Silva says. "Then, only when it sees a sudden spike does it consider it an anomaly and block it. It’s more intelligent than a traditional IDS."
Intrusion prevention also is more expensive. According to da Silva, a base IntruShield 2600 model, with real-time detection speed of 600M bit/sec, costs about $34,000, and a 1G bit/sec 4000 model costs about $100,000.
"Because it’s an ASIC-based appliance, it costs more," he says. "IDSs we had cost under $5,000 each, but they were just software you threw on a PC. They didn’t have real-time blocking."
So far, even when running inline, the IntruVert appliance has not been a network bottleneck and has worked at wire speed, da Silva says. The tool averages 400M bit/sec throughput, which is more than enough to handle his Gigabit Ethernet network.
A tip to the technology
Mike Phillips, CIO and vice president of IT at Texas Tech University Health Sciences Center in Lubbock, also has good experiences to report on intrusion prevention. He’s tested TippingPoint Technologies’ UnityOne tool since August, and expects to roll out the product across the healthcare organization in early 2003.
Rss FeedRss Feed
The Leader in Network Knowledge
Comment