By blocking the everyday barrage of network probes, intrusion-prevention tools are giving early users back the time to address their most serious security concerns. The power of one A tip to the technology Time and manpower More Power of Technology articles The bracket game Power line timeline During the month of October, Chris da Silva, network manager at California State University in Hayward, spent 80% to 90% of his time combating network intrusions."My overall job here is maintaining the internal campus network, but most of my time then was spent dealing with security," he says. "And that included no-sleep nights."The overtime was caused by of a flood of denial-of-service (DoS)\u00a0attacks that occurred after da Silva and his staff thwarted some hackers trying to gain access to the network. Luckily for da Silva, late in the month the school began testing IntruVert Networks\u2019 IntruShield 2600, an intrusion-prevention appliance that not only detects intrusion attempts but also blocks them. He put the device inline, set it to reset the offending connections and saw the DoS attempts and resultant network congestion decreased by half. "The change was instantaneous. [IntruShield] shut down all those \u2018bots\u2019 the hackers had hammering on us," he says.Now da Silva says he spends 50% less time chasing down incidents than he did before installing IntruShield.The power of oneIntrusion prevention is a new breed of security tool that combines the powers of intrusion-detection systems (IDS), firewall, antivirus and vulnerability assessment wares. The idea is to reduce the false positives that hamper so many of today\u2019s IDS products and to take the next step: blocking intrusions in real time, before they hit the network.Because the tools are new, they aren\u2019t perfect. Da Silva says false positives can be a problem. "In the default threshold mode for SYNs [where hosts open up connections to other hosts], IntruShield will trigger a false positive if you have a busy mail server with a ton of SYNs in a certain amount of time," he says. But these tools also can learn the network norm over time, curtailing false positives as a result. "You can set IntruShield to constantly update the activity that\u2019s going on and reset its thresholds," da Silva says. "Then, only when it sees a sudden spike does it consider it an anomaly and block it. It\u2019s more intelligent than a traditional IDS."Intrusion prevention also is more expensive. According to da Silva, a base IntruShield 2600 model, with real-time detection speed of 600M bit\/sec, costs about $34,000, and a 1G bit\/sec 4000 model costs about $100,000."Because it\u2019s an ASIC-based appliance, it costs more," he says. "IDSs we had cost under $5,000 each, but they were just software you threw on a PC. They didn\u2019t have real-time blocking."So far, even when running inline, the IntruVert appliance has not been a network bottleneck and has worked at wire speed, da Silva says. The tool averages 400M bit\/sec throughput, which is more than enough to handle his Gigabit Ethernet network.A tip to the technologyMike Phillips, CIO and vice president of IT at Texas Tech University Health Sciences Center in Lubbock, also has good experiences to report on intrusion prevention. He\u2019s tested TippingPoint Technologies\u2019 UnityOne tool since August, and expects to roll out the product across the healthcare organization in early 2003.UnityOne combines IDS, antivirus and vulnerability assessment features, and can be placed inline to block intrusions in real time. "We\u2019ve been inundating it with traffic off of one particular subnet, and we\u2019ve been impressed with UnityOne\u2019s performance and its ability to respond quickly," Phillips says, indicating that the device runs at up to 2G bit\/sec. "That\u2019s more than wire speed."Its strong vulnerability assessment is important, too, given that the center registers 20,000 suspicious intrusion attempts per month. "It knows what we have running, so . . . only alerts us and blocks things we\u2019re vulnerable to," Phillips says. "Our security staff can now deal with the important issues, probing things in depth, instead of chasing butterflies."Time and manpowerAnother intrusion-prevention tool is ForeScout Technologies\u2019 ActiveScout. Although this appliance blocks intrusions in real time, it does not rely on vulnerability assessment or attack signatures. Instead, ActiveScout blocks traffic based on a hacker\u2019s network scans before an actual attack. It replies to these scans with tagged false information that it will recognize and block should the hacker subsequently use the information to launch an attack.Barry Choisser, network manager at Risk Management Solutions, an insurance risk modeling firm in Newark, Calif., had evaluated IDSs for two years before he discovered ActiveScout. "I really wanted something that didn\u2019t require updating signatures all the time. ActiveScout blocks everything, and I never have to fool with it," he says.ActiveScout adds to the security architecture without adding headaches, he says, citing the example of a recent attempted worm infiltration. "We were getting 5,000 hits more than normal, but nothing got in. ActiveScout gives you an extra layer of protection that offloads the firewall. You don\u2019t throw away the firewall, the virus scanner or anything like that, but with this, you can offload a lot from them," he says.The bottom lines, Choisser says, are time and manpower. "Because who has the time to configure these things and deal with pages? They are truly proactive."Cummings is a freelance writer in North Andover, Mass. She can be reached at email@example.com .