Getting the drop on network intruders

Intrusion-detection software stands sentry over your network.

Your network is your kingdom, and you're the leader of the security force. What are you doing to protect your territory? Firewalls help police the perimeter, but they may not be enough. Luckily, there's some pretty advanced technology available for detecting enemies trying to make unauthorized incursions into your home base.

Software that alerts the network manager to attempted or actual break-ins on servers or networks is still a relatively new idea. The first home-grown software was put into action by the U.S. military in the mid-'90s. Since then, a growing army of commercial software vendors has launched products designed to detect the wily hacker. Some vendors developed host-based products to guard operating systems, Web servers or databases. Others approached the problem through network-based intrusion detection, which works by scanning network traffic to detect suspicious activities.

The market for both kinds of intrusion-detection products is growing. According to International Data Corp. (IDC), the market has grown from about $20 million in 1997 to about $100 million this year and is projected to hit $528 million by 2005. With today's hacker tools being so automated that even those not well-trained in networking can use them, corporations are looking for all the protection they can get.

In each of the two market segments, a single vendor - but not the same one - dominates. Axent Technologies, with its Intruder Alert product, captured three-quarters of the host-based intrusion-detection segment last year. ODS Networks, with its Computer Misuse Detection System, accounted for about 9% of the market, while Security Dynamics seized 6% with its product, Kane Security Monitor.

In the sphere of network-based intrusion detection, Internet Security Systems (ISS) last year held about half of the market with its RealSecure product. Cisco, which purchased WheelGroup, managed to capture about 23% with the WheelGroup NetRanger product. Computer Associates also bought its way into an 8% share through its purchase of SessionWall-3 from MEMCO.

Not only is the size of the market growing, so is the number of vendors. Some of the more recent entries include start-ups Network ICE and Intellitactics.

Unfortunately, prices for many intrusion-detection products are still out of reach for smaller companies, with server-based agent software costing $4,000 per server. As the market matures and competition increases, prices should drop.

Keeping up with the bad guys

There's always room for improvement in intrusion-detection tools. Hackers are constantly devising new schemes to trick their way into computer systems. Intrusion-detection firms have to track these exploits as best they can and turn out software-based countermeasures. Consequently, products are constantly in upgrade mode, with users compelled to install new "attack signatures" whenever new attacks are identified. In general, vendors lack any kind of "push" technology to make this constant upgrading easy. Even "pulled" updates in the style of antivirus software vendors remain a novelty for many intrusion-detection software providers. This situation reflects the immaturity of the industry, but as users make their demands known, that situation, too, should improve.

Researchers working in this field are hopeful that artificial intelligence can be applied to intrusion detection so smarter network or host software can recognize trouble on the network or the host system without specific attack signatures having to be constantly added.

Another common problem is that of false positives: situations in which a product misidentifies an authorized user as unauthorized. Analysts say products are slowly but surely working out the kinks with false positives. In addition, products are starting to give users more flexibility to add their own custom attack signatures for specific applications by including intrusion-detection software developer kits.

Another drawback with many intrusion-detection products is that they are unable to send alerts to the large enterprise management platforms. Alerts and reports are consolidated only on their own consoles.

However, we're seeing signs of a trend toward product integration on several fronts. Axent's NetProwler can now alert Axent's Raptor firewall or Check Point Software's Firewall-1 to take a defensive action on the firewall, such as shutting down a port. Cisco is building the NetRanger intrusion-detection capability directly into its routers and switches in order to detect a few dozen attacks.

Network Associates and ISS, whose intrusion-detection products can also interact with some firewalls or network management platforms, are eager to take the idea of automated response further by bringing the larger network industry into the game. The idea is to have host-based agent software or network-based intrusion-detection scanners capable of activating an automated response across a variety of network equipment once a serious threat is identified. But there's little agreement on this front, as Network Associates and ISS are spearheading competing plans.

With a push from ISS, the Internet Engineering Task Force last year started an Intrusion Detection Working Group to define a standard for interoperability. But the fruits of this labor are probably years off at best.

Don't do it yourself

The trend likely to bring more immediate benefit to corporations looking into intrusion detection is the growing availability of intrusion-detection services.

Just as managed firewall services have gained momentum, so too will managed intrusion-detection services, some analysts predict. Because finding security professionals experienced with intrusion detection can be a challenge, corporations will be outsourcing the responsibility to a number of industry players.

One of the main questions facing the intrusion-detection industry in coming years is whether corporations buying intrusion-detection tools will want to continue buying them as separate components or will prefer to purchase them as part of network equipment, such as routers, switches or LANs, says Aberdeen Group analyst Jim Hurley.

While that answer isn't clear right now, no one doubts that intrusion detection, now used mainly by large security-conscious companies (such as banks) and the government, will be finding its way into many more organizations in the future.


Contact Senior Editor Ellen Messmer
