- 4chan hell raisers finding fame brings heat?
- The 10 dumbest mistakes network managers make
- NetApp quits bidding war in face of EMC opposition
- CompuServe closes after 30 years
- Google to launch open-source Chrome OS this year
 |
|
|
|
|
|
|
 |
 |
 |
||||
 |
 |
 |
 |
|||
 |
 |
 |
||||
 |
||||||
|
During the month of October, Chris da Silva, network manager at California State University in Hayward, spent 80% to 90% of his time combating network intrusions.
"My overall job here is maintaining the internal campus network, but most of my time then was spent dealing with security," he says. "And that included no-sleep nights."
The overtime was caused by of a flood of denial-of-service (DoS) attacks that occurred after da Silva and his staff thwarted some hackers trying to gain access to the network. Luckily for da Silva, late in the month the school began testing IntruVert Networks’ IntruShield 2600, an intrusion-prevention appliance that not only detects intrusion attempts but also blocks them. He put the device inline, set it to reset the offending connections and saw the DoS attempts and resultant network congestion decreased by half. "The change was instantaneous. [IntruShield] shut down all those ‘bots’ the hackers had hammering on us," he says.
Now da Silva says he spends 50% less time chasing down incidents than he did before installing IntruShield.
The power of one
Intrusion prevention is a new breed of security tool that combines the powers of intrusion-detection systems (IDS), firewall, antivirus and vulnerability assessment wares. The idea is to reduce the false positives that hamper so many of today’s IDS products and to take the next step: blocking intrusions in real time, before they hit the network.
Because the tools are new, they aren’t perfect. Da Silva says false positives can be a problem. "In the default threshold mode for SYNs [where hosts open up connections to other hosts], IntruShield will trigger a false positive if you have a busy mail server with a ton of SYNs in a certain amount of time," he says.
But these tools also can learn the network norm over time, curtailing false positives as a result. "You can set IntruShield to constantly update the activity that’s going on and reset its thresholds," da Silva says. "Then, only when it sees a sudden spike does it consider it an anomaly and block it. It’s more intelligent than a traditional IDS."
Intrusion prevention also is more expensive. According to da Silva, a base IntruShield 2600 model, with real-time detection speed of 600M bit/sec, costs about $34,000, and a 1G bit/sec 4000 model costs about $100,000.
The Leader in Network Knowledge
Comment