By blocking the everyday barrage of network probes, intrusion-prevention tools are giving early users back the time to address their most serious security concerns.

During the month of October, Chris da Silva, network manager at California State University in Hayward, spent 80% to 90% of his time combating network intrusions.

“My overall job here is maintaining the internal campus network, but most of my time then was spent dealing with security,” he says. “And that included no-sleep nights.”

The overtime was caused by a flood of denial-of-service (DoS) attacks that occurred after da Silva and his staff thwarted some hackers trying to gain access to the network. Luckily for da Silva, late in the month the school began testing IntruVert Networks’ IntruShield 2600, an intrusion-prevention appliance that not only detects intrusion attempts but also blocks them. He put the device inline, set it to reset the offending connections and saw the DoS attempts and the resulting network congestion drop by half.

“The change was instantaneous. [IntruShield] shut down all those ‘bots’ the hackers had hammering on us,” he says. Now da Silva says he spends 50% less time chasing down incidents than he did before installing IntruShield.

The power of one

Intrusion prevention is a new breed of security tool that combines the powers of intrusion-detection systems (IDS), firewalls, antivirus and vulnerability-assessment products. The idea is to reduce the false positives that hamper so many of today’s IDS products and to take the next step: blocking intrusions in real time, before they hit the network.

Because the tools are new, they aren’t perfect. Da Silva says false positives can be a problem.

“In the default threshold mode for SYNs [where hosts open up connections to other hosts], IntruShield will trigger a false positive if you have a busy mail server with a ton of SYNs in a certain amount of time,” he says.

But these tools also can learn the network norm over time, curtailing false positives as a result. “You can set IntruShield to constantly update the activity that’s going on and reset its thresholds,” da Silva says. “Then, only when it sees a sudden spike does it consider it an anomaly and block it. It’s more intelligent than a traditional IDS.”

Intrusion prevention also is more expensive. According to da Silva, a base IntruShield 2600 model, with a real-time detection speed of 600M bit/sec, costs about $34,000, and a 1G bit/sec 4000 model costs about $100,000.

“Because it’s an ASIC-based appliance, it costs more,” he says. “IDSs we had cost under $5,000 each, but they were just software you threw on a PC. They didn’t have real-time blocking.”

So far, even when running inline, the IntruVert appliance has not been a network bottleneck and has worked at wire speed, da Silva says. The tool averages 400M bit/sec throughput, which is more than enough to handle his Gigabit Ethernet network.

A tip to the technology

Mike Phillips, CIO and vice president of IT at Texas Tech University Health Sciences Center in Lubbock, also has good experiences to report on intrusion prevention. He has been testing TippingPoint Technologies’ UnityOne tool since August, and expects to roll out the product across the healthcare organization in early 2003.

UnityOne combines IDS, antivirus and vulnerability-assessment features, and can be placed inline to block intrusions in real time. “We’ve been inundating it with traffic off of one particular subnet, and we’ve been impressed with UnityOne’s performance and its ability to respond quickly,” Phillips says, indicating that the device runs at up to 2G bit/sec. “That’s more than wire speed.”

Its strong vulnerability assessment is important, too, given that the center registers 20,000 suspicious intrusion attempts per month. “It knows what we have running, so . . . only alerts us and blocks things we’re vulnerable to,” Phillips says. “Our security staff can now deal with the important issues, probing things in depth, instead of chasing butterflies.”

Time and manpower

Another intrusion-prevention tool is ForeScout Technologies’ ActiveScout. Although this appliance blocks intrusions in real time, it does not rely on vulnerability assessment or attack signatures. Instead, ActiveScout blocks traffic based on a hacker’s network scans before an actual attack. It replies to these scans with tagged false information that it will recognize and block should the hacker subsequently use the information to launch an attack.

Barry Choisser, network manager at Risk Management Solutions, an insurance risk modeling firm in Newark, Calif., had evaluated IDSs for two years before he discovered ActiveScout. “I really wanted something that didn’t require updating signatures all the time. ActiveScout blocks everything, and I never have to fool with it,” he says.

ActiveScout adds to the security architecture without adding headaches, he says, citing the example of a recent attempted worm infiltration. “We were getting 5,000 hits more than normal, but nothing got in. ActiveScout gives you an extra layer of protection that offloads the firewall. You don’t throw away the firewall, the virus scanner or anything like that, but with this, you can offload a lot from them,” he says.

The bottom lines, Choisser says, are time and manpower. “Because who has the time to configure these things and deal with pages? They are truly proactive.”

Cummings is a freelance writer in North Andover, Mass. She can be reached at jocummings@attbi.com.
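As an added illustration of the SYN-threshold behaviour da Silva describes above (example code, not from the article or from IntruVert), the following Python compares a fixed SYN-per-minute threshold with a sliding baseline that only flags sudden spikes; the per-minute counts, window size, spike factor and floor are constructed for the example.

```python
from collections import deque

def static_alerts(counts, threshold):
    """Fixed threshold: flag every interval whose SYN count exceeds it."""
    return [i for i, c in enumerate(counts) if c > threshold]

def adaptive_alerts(counts, window=5, spike_factor=3.0, floor=50):
    """Learned threshold: flag only sudden spikes over a sliding baseline.

    The baseline is the mean of the last `window` intervals that were not
    themselves flagged. An interval is an anomaly when it exceeds
    spike_factor * baseline (or `floor`, so quiet links still have a bar).
    Flagged intervals are kept out of the baseline, so a sustained flood
    does not teach the detector that flooding is normal.
    """
    history = deque(maxlen=window)
    alerts = []
    for i, c in enumerate(counts):
        if len(history) < window:      # warm-up: learn the norm first
            history.append(c)
            continue
        baseline = sum(history) / len(history)
        if c > max(floor, spike_factor * baseline):
            alerts.append(i)
        else:
            history.append(c)
    return alerts

# Constructed per-minute SYN counts: a busy mail server at ~400 SYN/min,
# then two minutes of SYN flood, then normal traffic again.
MAIL_SERVER_SYNS = [380, 410, 395, 420, 400, 390, 415, 405, 2500, 2700, 410, 398]

if __name__ == "__main__":
    # A fixed threshold sized for a quiet host fires on every single minute.
    print("static  :", static_alerts(MAIL_SERVER_SYNS, threshold=200))
    # The adaptive baseline fires only on the two flood minutes (8 and 9).
    print("adaptive:", adaptive_alerts(MAIL_SERVER_SYNS))
```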
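As an added simulation of the scan-deception approach the article attributes to ActiveScout (example code, not ForeScout's design), the following Python answers probes to ports the host does not run with a tagged fake "open" response, and then blocks any source that later acts on that information while leaving untouched users alone; the services, decoy ports, banners and addresses are constructed.

```python
import secrets

# Constructed: what the protected host really runs, and decoy ports it does not.
REAL_SERVICES = {25: "220 mail.example.test ESMTP", 443: "TLS handshake"}
DECOY_PORTS = frozenset({1433, 3389, 5900})

class ScanDeceiver:
    """Answers unsolicited probes with tagged false information and blocks
    any source that later acts on it (a simulation, not a vendor's code)."""

    def __init__(self):
        self.issued = {}       # tag -> source that scanned and received it
        self.blocked = set()

    def probe(self, src, port):
        """Real ports answer as usual; decoy ports claim to be open with a
        banner carrying a random tag bound to the prober. Returns (state, banner)."""
        if port in REAL_SERVICES:
            return "open", REAL_SERVICES[port]
        if port in DECOY_PORTS:
            tag = secrets.token_hex(4)
            self.issued[tag] = src
            return "open", f"SVC-{port} session={tag}"
        return "closed", None

    def connect(self, src, port, data=""):
        """A connection to a decoy port, or one that echoes an issued tag, can
        only come from scan-derived information: block that source for good."""
        if src in self.blocked:
            return "blocked"
        if port in DECOY_PORTS or any(tag in data for tag in self.issued):
            self.blocked.add(src)
            return "blocked"
        return "allowed"

def demo():
    """Walk through a scan followed by an attack, plus an innocent user."""
    d = ScanDeceiver()
    scanner, user = "198.51.100.7", "203.0.113.9"     # constructed addresses
    seen = {p: d.probe(scanner, p)[0] for p in (25, 443, 1433, 8080)}
    followup = d.connect(scanner, 1433)   # acts on the fake 'open' port
    real_port = d.connect(scanner, 25)    # now blocked even on real services
    innocent = d.connect(user, 25)        # never scanned, never affected
    return seen, followup, real_port, innocent

if __name__ == "__main__":
    print(demo())
```

No signature database is involved: the only thing the device needs to recognize is information it handed out itself.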