Senior Editor, Network World

Security vendors expand intrusion systems

Jul 26, 2004 · 4 mins
Intrusion Detection Software, Network Security

Although it’s the heart of summer, security vendors don’t seem to be going on vacation. Symantec, eEye Digital Security, NFR Security and Vernier Networks are rolling out new products designed to stop worms and other threats.

Symantec next month is scheduled to release an intrusion-prevention system (IPS) appliance line aimed at competing with equipment from the likes of Internet Security Systems (ISS), McAfee and TippingPoint Technologies. The three models in Symantec’s Network Security 7100 Series will block a range of attacks, including worms, but can also operate in passive mode as intrusion-detection systems (IDS), Symantec says.

“The 7100 Series will have pre-defined policies to tailor protection based on need,” says Sandeep Kumar, Symantec’s director of product management, noting that the three IPS models, ranging from 200M to 2G bit/sec, can be deployed at main distribution sites, edge or branch offices, or in data centers in a network core.

Because there always are new threats, Symantec will update the policies via the same LiveUpdate technology used in its anti-virus products. The company also will use it in its data centers around the world to offer IPS as an outsourced service.

Network managers take a cautious approach to IPS because they worry that blocking attack traffic with an in-line IPS could be disruptive.

Still, last week, NFR announced its first in-line IPS, called Sentivist, which will cost $22,000. The University of North Carolina at Charlotte, which is evaluating it, will swap out NFR’s IDS now used at the campus Internet access point for a selected IPS.

“From a university perspective, we suffer greatly during worm outbreaks,” says Carter Heath, IT security officer. To keep the university network from becoming crippled during major virus outbreaks, it has become necessary to begin blocking computer worms and other attacks rather than simply monitoring them through an IDS.

Continental Airlines has used NetScreen Technologies’ network-based IPS for six months to defend the Internet perimeter, says Andre Gold, director of information security. The airline is completing tests of the host-based IPS that eEye announced last week called Blink.

Host-based IPS runs directly on desktops or servers as a protective layer.

Blink melds technologies that include signature-based blocking, vulnerability assessment, application firewall and behavior-blocking to fend off attacks on Windows-based desktops and servers.

Blink is intended to compete against host-based IPS and firewalls from Cisco, ISS, McAfee, Sana Security, Sygate and Microsoft, which has indicated future versions of its operating system will be designed to block attacks.

“From the tests we’ve run, we’ve found the IPS mode in Blink works fine, and it’s ready for deployment,” Gold says.

“We plan to first use it in our e-ticket machines, which are Microsoft-based and hosted on the Continental infrastructure,” he adds.

Firas Raouf, eEye Digital’s COO, says Blink represents a new product genre for the security firm, which has specialized in vulnerability assessment and remediation products for Windows-based machines.

“Yes, it’s a departure for us,” says Raouf, who claims eEye’s expertise in analyzing Windows-based problems provides a good background to develop a host-based IPS that can compete in an increasingly crowded market. Blink costs $56 per desktop and $700 per server.

Vernier Networks, which makes the System 6500 wireless LAN (WLAN) firewall, is expanding its reach by not only supporting wireline access but also adding a way to perform worm-blocking, vulnerability-assessment and patch management.

According to Bethany Mayer, vice president of marketing, the Vernier WLAN firewall – which consists of its Control Server and Access Manager – next month will get software upgrades that will let the WLAN firewall filter out worms.

The updated version of the System 6500 will be able to check the user’s desktop machines, whether on the WLAN or in the wired network, for known software vulnerabilities before allowing access.

This vulnerability-assessment check would be done via the Qualys scanning service, Mayer says. If the desktop or mobile device is found to lack required software updates, the Vernier security appliance also would be able to initiate a download to the machine via the PatchLink software-patching product.