Senior Editor, Network World

Trio of IDS vendors show latest wares

Nov 11, 2002
Intrusion Detection Software, Network Security, Security

NetContinuum releases its first product, while ForeScout and Top Layer issue upgrades.

Choice in intrusion-detection systems gets wider this week as start-up NetContinuum makes its debut with a Web security appliance, while ForeScout Technologies and Top Layer Networks expand their product lines for thwarting network attacks.

NetContinuum will unveil the Web Security Gateway NC-1000, an application-layer gateway appliance that sits behind a firewall and in front of a Web server to block HTTP-based attacks and serve as a proxy for access control and Secure Sockets Layer (SSL) encryption processes.

NC-1000 is intended to perform application-intrusion prevention like competitors Sanctum, KaVaDo and Stratum8 perform with their software-based products, but also offers an encryption engine and access control based on passwords or certificates.

NC-1000 can reach near-gigabit speed to process 6,000 encrypted sessions per second or 1 million unencrypted sessions. The gateway also can hide information about the Web site, making it harder for hackers to determine the Web server platform.

“We wanted to ‘masquerade’ our front-end systems,” says Mike O’Connell, systems architect at Ross Stores in Newark, Calif., who’s been beta-testing the NC-1000 as a core security component for the retail chain’s Web-based business-to-business site.

“But we were also looking to solve three or four problems at once with this, including SSL encryption and intrusion detection,” he says.

Ross Stores is opting to use the public-key digital certificate capability in NC-1000 to provide its trading partners with a certificate for secure access to the Ross Stores Web site. NC-1000 also can provide a log of Web-based transactions and time-stamp them.

According to Pete Lindstrom, research director at Spire Security, there is no other product comparable to NC-1000. “This represents a convergence between the IDS and trust capabilities in one security appliance,” he says.

NetContinuum was founded by two network engineers, Peter Roman, vice president of engineering, and Jan Bialkowski, CTO, with $36 million in venture capital funding, primarily from Menlo Ventures, according to Wes Wasson, NetContinuum’s vice president of marketing.

The interest in stopping attacks rather than simply monitoring them has other IDS vendors stepping up their own efforts.

ForeScout, which last year introduced ActiveScout Site Solution for stopping network-based attacks outside the perimeter firewall, now has a version of the IDS that can be managed more effectively across a large company.

Unlike the first version of ActiveScout, in which each Scout device had to report to its own management console, the new version available this week, called ActiveScout Enterprise, lets a central console manage up to 50 Scouts.

The Scout device doesn’t block attacks but instead thwarts connections from attackers through techniques such as TCP reset, says Nancy Blair, ForeScout’s vice president of marketing.

Meanwhile, Top Layer will announce products aimed at letting customers block HTTP Port 80 attacks. Top Layer’s previous Attack Mitigator products focused on stopping denial-of-service attacks.

The new products, called Attack Mitigator IPS, inspect HTTP traffic and cover other Web server vulnerabilities as well. Top Layer’s four in-line IDS products can operate in active-blocking or passive-monitoring mode.

The $15,000 Attack Mitigator IPS 100, for use on a 100M bit/sec link, has a physical bypass capability in the event the in-line active-blocking device goes down. The $25,000 gigabit-speed Enterprise 1000, with up to seven 100M bit/sec ports, is for use on the Internet perimeter and inside the corporate network.

The IPS 2400 and the IPS 2800, costing from $125,000 to $250,000, are for data centers where four to eight of the appliances can be clustered to meet routing requirements common in Web-hosting facilities.

An early adopter of the Attack Mitigator IPS, Larry Pfeifer, network engineer at Widener University in Philadelphia, says the IDS appliance can block attacks against the university’s network without impeding legitimate flow. But Widener, which also uses the RealSecure passive-monitoring IDS from Internet Security Systems, has no plans to abandon this second IDS behind Attack Mitigator.

“I want this there to catch anything Attack Mitigator IPS doesn’t see and to have an IDS available if the in-line Attack Mitigator goes down,” Pfeifer says.

New from intrusion-detection vendors

Company: ForeScout
Product: ActiveScout Enterprise
Description: Enterprise Manager console correlates reports and manages up to 50 Scout devices, which are placed outside a firewall to detect and block selected attacks.
Price: Enterprise Manager starts at $10,000; each Scout at $3,000.

Company: NetContinuum
Product: Web Security Gateway NC-1000
Description: Runs at 100M bit/sec or 1G bit/sec behind a firewall and in front of a Web server to prevent Port 80 attacks; access controls; SSL encryption.
Price: $28,000 to $38,000.

Company: Top Layer
Product: Four models of in-line Attack Mitigator IPS appliance
Description: Can detect and block Port 80 and denial-of-service attacks.
Price: Models range from $15,000 to $250,000.

ForeScout, NetContinuum and Top Layer are taking the wraps off new wares this week.