NetScreen update expands reach of intrusion detection

NetScreen Technologies is upgrading its intrusion-detection software so it also gathers and parses data about network traffic to reduce false intrusion alarms and pin down sources of network attacks.

NetScreen Technologies is upgrading its intrusion-detection software so it also gathers and parses data about network traffic to reduce false intrusion alarms and pin down sources of network attacks.

The upgrade, called Enterprise Security Profiler (ESP), is part of a new release of the software that runs on NetScreen’s Intrusion Detection and Prevention hardware, called IDP Version 3.0.

NetScreen IDP devices are placed between networks and key assets, typically servers, to shield them from intrusions. The addition of traffic gathering and analysis will help the gear determine whether suspicious traffic is threatening or legitimate for any given network, says Charles Kolodgy, an analyst with IDC.

For instance, a burst of requests to a server from one IP address might be normal in a given network, but an intrusion-prevention device could interpret it as a denial-of-service (DoS) attack and shut it down. “False positives are the bane of intrusion prevention,” Kolodgy says. “You don’t want to have your prevention system taking down legitimate activity.”

NetScreen IDP boxes can only see traffic that flows through them on the way to key network resources, so they have blind spots in their view of overall network traffic, NetScreen acknowledges. This means malicious traffic not passing through would go undetected, so customers should take supplemental steps if they want full network coverage.

ESP parallels the efforts of Sourcefire, whose RNA product also gathers network traffic information for administrators to analyze. Sourcefire’s goal is for data that RNA collects to be shared directly with intrusion-detection and -prevention platforms, Kolodgy says. By contrast, NetScreen is for the first time rolling the gathering and intrusion-prevention features together in one platform.

The data ESP gathers includes network and application analysis. So it would track traffic by source IP address but also by application session initiated from that address.

With IDP 3.0, users are alerted to all threats in a compound attack. With earlier versions, an attack might generate only a DoS alert, even though the attack also included an attempt to take root control of a server. With Version 3.0, all components of attacks are reported.

NetScreen has teamed with TruSecure to provide its Intellishield Alert Manager software, which supplies information that identifies machines vulnerable to the attack and where to find patches to defend against them.

ESP data tracking and storage can be used to log and analyze normal traffic flows on a network, valuable data that network executives often lack the tools to monitor, NetScreen says. It can send alarms when new servers are added to a network, for example, to track potentially rogue use of the network. It also can monitor the network to make sure banned applications such as Kazaa trigger alerts.

NetScreen also is announcing a new IDP hardware device called NetScreen IDP 1000. It has all the features of other NetScreen IDP devices, but has gigabit throughput, making it the fastest of the four IDP models. It costs $50,000.

IDP 3.0 is available as a free upgrade for customers with service contracts.