Intrusion prevention touted over detection

Next week's RSA Conference 2003 in San Francisco will feature a range of security technologies meant to let corporations more proactively defend themselves against a growing array of cyberthreats. Unlike most traditional firewall and intrusion-detection products, which passively detect problems, the new tools use rules, usage models and correlation engines to enforce authorized network behavior. In some cases, these tools automatically prevent unauthorized or malicious tasks from executing.

But many of the technologies are still in their infancy, are largely untested in enterprise environments and may not deliver all of the promised functionality just yet, users and analysts cautioned.

Rules-based protection

One of the vendors touting such products at this week's conference, sponsored by RSA Security, is Entercept Security Technologies. The San Jose-based company will release an updated version of a host-based intrusion-prevention software tool that uses virus signature information and behavioral rules to intercept suspicious activity before it accesses an application.

For example, if a rule states that only Web server processes can access Web files, all attempts by other processes to do so will be automatically blocked by Entercept software, company officials said.

Network Associates announced April 4 that it would acquire Entercept for US$120 million in cash, and on April 1 the company said it would buy San Jose-based Intruvert Networks for $100 million.

Entercept's technology recently helped Arlington County protect its core databases from being corrupted by the Slammer worm and has contributed to a more proactive security posture, said Vivek Kundra, the county's director of infrastructure technologies.

"Historically, we would learn of an attack only after it happened, and we would react to it. Now we are in a position to prevent some of it as well," he said.

Also this week, Teros will add a new module called SafeIdentity to its Teros 100 Application Protection System. Teros 100 is an "in-line" hardware device that sits directly on the network in front of a Web application server and inspects every packet going in and out of the server in real time.

Like other intrusion-prevention products, Teros' technology blocks anything that deviates from predetermined norms for a particular server or application. While Teros claims that its product can determine what those norms should be, companies that are unwilling to leave that decision to the technology can specify them.

Baker Hill, provider of application services to the banking industry, has placed such "default deny" application firewalls in front of several Microsoft Internet Information Servers, said Eric Beasley, a senior network administrator at Baker Hill.

Among other benefits, the technology has eliminated the need for Baker Hill to immediately patch its servers every time a Microsoft vulnerability is discovered, Beasley said. Since the Teros firewall is designed to allow only a very limited set of activities on the servers it protects, any malicious activities triggered by viruses like Slammer are automatically stopped, he said.

Traditional firewall technologies aren't equipped to stop attacks that come through commonly used ports such as Port 80, said Raj Dhingra, a vice president at Intruvert, a provider of intrusion-detection systems (IDS).

The company this week will announce IntruShield 1.5, a hardware appliance that sits on corporate networks and sifts through the contents of each packet looking for problems. The technology is able to modify, drop or block individual packets or entire sessions if needed, company officials said. It can also modify firewall policies while an attack is happening or provide real-time alerts for manual follow-up, they said.

The product has resulted in more accurate and real-time reporting of vulnerabilities, said Andrew Berkuta, manager of network and physical security at HomeBanc Mortgage, an Atlanta-based mortgage lender.

"Originally we were more in the 'detect and tell us' mode," said Berkuta. IntruShield "understands the traffic flow and gets into more of a dynamic prevention" mode, he said.

But Kundra and other users offered several caveats. For one thing, the tools have to mature so that they're able to consistently block malicious activity without interfering with legitimate traffic. Currently, companies often have to fine-tune and extensively customize such products to prevent that problem, Kundra said.

IDS devices have long been notorious for generating false positives, and there's little to show that the new tools are much better, said Ted Julian, president of Arbor Networks, a vendor of network anomaly detection products in Lexington, Mass. For automatic prevention to become a reality, "the need for better filtering and detection methods is patently obvious," he said.

Such devices could also be single points of failure for companies that rely too heavily on them. Baker Hill, for instance, is investing in load-balancing technologies to spread the load flowing into its Teros systems. The company plans to install standby servers in case its primary systems fail, Beasley said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Arbor NetworksEntercept Security TechnologiesIntruvert NetworksMicrosoftRSA, The Security Division of EMC

Show Comments