Getting the drop on network intruders
Intrusion-detection software stands sentry over your network.
Your network is your kingdom, and you're the leader of the security force. What are you doing to protect your territory? Firewalls help police the perimeter, but they may not be enough. Luckily, there's some pretty advanced technology available for detecting enemies trying to make unauthorized incursions into your home base.

Software that alerts the network manager to attempted or actual break-ins on servers or networks is still a relatively new idea. The first home-grown software was put into action by the U.S. military in the mid-'90s. Since then, a growing army of commercial software vendors has launched products designed to detect the wily hacker. Some vendors developed host-based products to guard operating systems, Web servers or databases. Others approached the problem through network-based intrusion detection, which works by scanning network traffic for patterns that match known attacks or otherwise look suspicious.

The market for both kinds of intrusion-detection products is growing. According to International Data Corp. (IDC), the market has grown from about $20 million in 1997 to about $100 million this year and is projected to hit $528 million by 2005. With today's hacker tools so automated that even those not well-trained in networking can use them, corporations are looking for all the protection they can get.

In each of the two market segments, a single vendor - but not the same one - dominates. Axent Technologies, with its Intruder Alert product, captured three-quarters of the host-based intrusion-detection segment last year. ODS Networks, with its Computer Misuse Detection System, accounted for about 9% of the market, while Security Dynamics seized 6% with its product, Kane Security Monitor. In the sphere of network-based intrusion detection, Internet Security Systems (ISS) last year held about half of the market with its RealSecure product. Cisco, which purchased WheelGroup, managed to capture about 23% with the WheelGroup NetRanger product.
Computer Associates also bought its way into an 8% share through its purchase of SessionWall-3 from MEMCO. Not only is the size of the market growing, so is the number of vendors. Some of the more recent entries include start-ups Network ICE and Intellitactics. Unfortunately, prices for many intrusion-detection products are still out of reach for smaller companies, with server-based agent software costing $4,000 per server. As the market matures and competition increases, prices should drop.
Keeping up with the bad guys

There's always room for improvement in intrusion-detection tools. Hackers are constantly devising new schemes to trick their way into computer systems. Intrusion-detection firms have to track these exploits as best they can and turn out software-based countermeasures. Consequently, products are constantly in upgrade mode, with users compelled to install new "attack signatures" whenever new attacks are identified. In general, vendors lack any kind of "push" technology to make this constant upgrading easy. Even "pulled" updates in the style of antivirus software vendors remain a novelty for many intrusion-detection software providers. This situation reflects the immaturity of the industry, but as users make their demands known, that situation, too, should improve. Researchers working in this field are hopeful that artificial intelligence can be applied to intrusion detection so smarter network or host software can recognize trouble on the network or the host system without specific attack signatures having to be constantly added.

Another common problem is that of false positives: situations in which a product flags legitimate activity, such as an authorized user's normal traffic, as an attack. Analysts say products are slowly but surely working out the kinks with false positives. In addition, products are starting to give users more flexibility to add their own custom attack signatures for specific applications by including intrusion-detection software developer kits.

Another drawback with many intrusion-detection products is that they are unable to send alerts to the large enterprise management platforms. Alerts and reports are consolidated only on their own consoles. However, we're seeing signs of a trend toward product integration on several fronts. Axent's NetProwler can now alert Axent's Raptor firewall or Check Point Software's Firewall-1 to take a defensive action on the firewall, such as shutting down a port.
Cisco is building the NetRanger intrusion-detection capability directly into its routers and switches in order to detect a few dozen attacks. Network Associates and ISS, whose intrusion-detection products can also interact with some firewalls or network management platforms, are eager to take the idea of automated response further by bringing the larger network industry into the game. The idea is to have host-based agent software or network-based intrusion-detection scanners capable of activating an automated response across a variety of network equipment once a serious threat is identified. But there's little agreement on this front, as Network Associates and ISS are spearheading competing plans. With a push from ISS, the Internet Engineering Task Force last year started an Intrusion Detection Working Group to define a standard for interoperability. But the fruits of this labor are probably years off at best.
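The two detection approaches the section contrasts, signature matching that must be kept current and tuned, and behavioural detection that needs no per-attack signature, can be shown on a few lines of constructed traffic. The Python below is an added illustration, not code from the article or from any of the vendors named in it; the record format, the signature names and the sample payloads are invented for the example, and the phf and directory-traversal patterns are illustrative stand-ins rather than any product's actual signatures. It shows a loose signature producing a false positive on a benign documentation URL, a tuned replacement that does not, and a threshold rule that flags a port scan without any signature at all.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not real captures): one entry per TCP payload
# the sensor saw, already reassembled and decoded for brevity.
SAMPLE_TRAFFIC = [
    # Classic phf CGI exploit string reading /etc/passwd.
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0"},
    # Benign request for a documentation page whose path happens to
    # contain the string "/etc/passwd".
    {"src": "10.0.0.7", "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /docs/etc/passwd-file-format.html HTTP/1.0"},
    # Directory-traversal attempt at the same file.
    {"src": "10.0.0.9", "dst": "192.0.2.10", "dport": 80,
     "payload": "GET /../../../../etc/passwd HTTP/1.0"},
] + [
    # One source touching 25 different ports on one host: a scan pattern.
    {"src": "10.0.0.99", "dst": "192.0.2.10", "dport": p, "payload": ""}
    for p in range(20, 45)
]

# A loose signature (hypothetical): any mention of /etc/passwd on port 80.
# It catches both attacks but also the documentation URL.
NAIVE_SIGNATURES = [
    {"name": "WEB-MISC /etc/passwd access", "dport": 80,
     "pattern": re.compile(r"/etc/passwd")},
]

# Tuned signatures (hypothetical): the phf query prefix, and an explicit
# "../" sequence in front of the file, which the benign URL lacks.
TUNED_SIGNATURES = [
    {"name": "WEB-CGI phf attempt", "dport": 80,
     "pattern": re.compile(r"/cgi-bin/phf\?")},
    {"name": "WEB-MISC directory traversal to /etc/passwd", "dport": 80,
     "pattern": re.compile(r"(?:\.\./)+etc/passwd")},
]


def match_signatures(traffic, signatures):
    """Return (src, dst, signature name) for every record a signature hits.

    Each signature applies only to its destination port, which is how
    port-specific rules keep a web pattern from firing on unrelated traffic.
    """
    alerts = []
    for rec in traffic:
        for sig in signatures:
            if rec["dport"] == sig["dport"] and sig["pattern"].search(rec["payload"]):
                alerts.append((rec["src"], rec["dst"], sig["name"]))
    return alerts


def detect_port_scans(traffic, threshold=10):
    """Flag (src, dst) pairs where one source touched >= threshold distinct ports.

    No attack signature is involved; the rule is purely behavioural, so it
    also catches scanners the signature list has never heard of.
    """
    ports_seen = defaultdict(set)
    for rec in traffic:
        ports_seen[(rec["src"], rec["dst"])].add(rec["dport"])
    return sorted(pair for pair, ports in ports_seen.items() if len(ports) >= threshold)


if __name__ == "__main__":
    for label, sigs in (("naive", NAIVE_SIGNATURES), ("tuned", TUNED_SIGNATURES)):
        print(label)
        for alert in match_signatures(SAMPLE_TRAFFIC, sigs):
            print("  ", alert)
    print("port scans:", detect_port_scans(SAMPLE_TRAFFIC))
```

Running it, the naive rule set raises three alerts, one of them on the harmless documentation request from 10.0.0.7; the tuned rule set raises only the two real attempts, and the scan rule flags 10.0.0.99 without consulting a signature. The trade-off is the one the section describes: the tighter the pattern, the fewer false positives, but a pattern that keys on one exploit string has to be rewritten whenever the attack is varied, which is why signatures need constant updates and why behavioural rules are attractive as a complement.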
Don't do it yourself

The trend likely to bring more immediate benefit to corporations looking into intrusion detection is the growing availability of intrusion-detection services. Just as managed firewall services have gained momentum, so too will managed intrusion-detection services, some analysts predict. Because finding security professionals experienced with intrusion detection can be a challenge, corporations will be outsourcing the responsibility to a number of industry players.

One of the main questions facing the intrusion-detection industry in coming years is whether corporations buying intrusion-detection tools will want to continue buying them as separate components or will prefer to purchase them as part of network equipment, such as routers, switches or LANs, says Aberdeen Group analyst Jim Hurley. While that answer isn't clear right now, no one doubts that intrusion detection, now used mainly by large security-conscious companies (such as banks) and the government, will be finding its way into many more organizations in the future.

RELATED LINKS
Contact Senior Editor Ellen Messmer
Intrusion-detection software is hot, but can it really stop hackers cold? Network World, 9/27/99.
Intrusion detection buyer's guide
Use it to compare the specs for 11 different models or download all the specs to perform your own analysis.
Review: Intrusion detection
See why we give our highest marks to Network ICE. Network World, 10/4/99.