Prevention shapes tools of choice
- 28 June, 2004 11:37
Intrusion detection systems (IDS) are so last century, with a new set of technologies and a new buzzword, intrusion prevention systems (IPS), taking over.
In fact, analyst firm Gartner published its final IDS research note in April 2004, bluntly stating that the technology has reached the peak of its usefulness as a stand-alone technology. There is little point in assessing this market, the researcher said, as IDS vendors that do not introduce the technologies featured in IPS products now will not be viable providers by the end of 2005.
Network Associates (NA) ANZ regional director Gavin Struthers willingly admits that IDS is a failed technology, describing it as costly and complicated.
Thankfully, the move to IPS products allows for detection and prevention and joins an armoury of tools used to protect the enterprise such as vulnerability management, firewalls and antivirus.
Unlike the IDS technology of old, the new IPS products include signature-based inspection and in-line blocking, making them a tool of prevention - today's IT security buzzword.
"IDS is a bit of a wet rag; it is resource intensive providing lots of logs and reports, but it is only reactive and doesn't prevent attacks," Struthers said.
Too bad for all those companies that made significant investments in IDS products.
Struthers said most of the top 200 enterprises in Australia would have some form of IDS, but IPS has really only gained traction in the last six months.
While market education is still at the low end, Struthers says NA has been working closely with companies revamping their IDS strategies in recent months.
"IPS has been on the market for almost two years, but it is only in the past nine months that the market has really been making noise about it; most enterprises now are focusing on prevention to avoid the high cost of cleanup after an attack," he said.
An effective IPS product, Struthers said, can inspect traffic at multiple gigabit speeds and of course boast accuracy and uptime. So basically, PC sensor-based monitoring is out and in-line blocking is in.
Fittingly, security is the hot topic that IT managers face on a daily basis, simply because of the number of viruses and worms that interrupt workflow, their ability to cripple systems and the overtime they push IT staff into.
The pace at which wireless LANs are being adopted by companies in Australia has led many to consider the advantages of wireless integration. However, increased mobility poses the very real threat of opening the door to an intruder inside the network through lax or ineffective policies or protocols, unknowing staff or outdated software, which in turn highlights the need for robust network security.
Gartner research director Steve Bittinger said "everything security-wise is heading towards intrusion prevention as opposed to intrusion detection".
Bittinger added that in some ways intrusion prevention systems cost more, but the technology is far more effective.
"Previously, creating a fortress model for security was the way to go; having three firewalls back-to-back was supposed to have created an impervious external perimeter of security, but people have seen it as just not good enough because you need well-architected internal security," Bittinger said.
"If you look at what the Blaster virus affected (August 2003), while most organizations had adequate external security, the minute someone brought a laptop in it infected a high proportion of machines. This was because the internal architecture could not prevent a lapse in security; it is difficult to prevent staff from connecting PDAs and laptops.
"You are never going to be able to respond to threats fast enough, but what you can do is build systems and networks that are completely tolerant to threat. You do not have to have a specific virus signature to find an actual virus, what you need to do is design systems that limit the spread or impact and take a broader architectural perspective to network security.
"The immaturity level of understanding of security architecture is the challenge in business today."
Bittinger said the best way to ensure that business conducted online was failsafe and bulletproof was to push for ground rules for interaction between organizations that offer a level of trust.
"The culture of the industry now is driving to trust each other enough to interact; to run business throughout the world we need basic platform requirements like processes, policies, architecture, training, robust technology and now mutual certification," Bittinger said.
"Maybe we did not build enough security in the Internet to start with – after all it was created by academics who were not worried about security."
Bittinger said Microsoft's move to include a firewall in the operating system (Windows XP) is better than nothing and over time will push other vendors to follow suit.
IBM ANZ Tivoli security executive Con Yianakos said the biggest move in the IT industry currently is the move towards compliance as the marketplace moves away from network security firewalls back to policy level security.
"Corporate policies that address corporate security also now respond to regulations and are audit compliant in a way that is manageable for senior executives," Yianakos said.
"This will then lead to IT providing the technology to enable the policy shift from network and firewall to a substantial front-end policy in Australia and around the world.
"You have to ensure your network security not only keeps the bad guys out but also chooses who of the good guys are let in and how do we control it?
"Companies need to address security, not just for audit reports, but to build the processes and data management requirements that go way beyond protecting a hacker coming in."
Honeypots, heuristics and intrusion prevention are now the buzzwords for IT executives. Current intrusion prevention software has become a purpose-built arsenal for network security, allowing for the predictive modelling of potential infections and of course counteracting the dreaded spam.
Behavioural Anomaly Detection (BAD) technology is sweeping the industry at the moment, with one example being Tier-3's Huntsman software. The BAD software collects statistics of how a network is being used and detects abnormal behaviour in real time, building profiles of all enterprise events.
Heuristics take into account the total effect of suspicious activity over time, making it possible to track suspicious behaviour which does not warrant an alert on its own but, when viewed in the context of past activity, may indicate a likely security threat.
Geoff Sweeney, chief technology officer for Tier-3, said heuristics are the way of the future, given that there is no way to predict what someone will do next, so basing the software methodology on past attacks will just not cut the mustard.
"Most customers don't have an adequate and responsive method for detecting any type of intrusion because it comes in, incubates and then the network is down; it is very difficult to work out where it came in from because the switch is under so much load," Sweeney said.
"If you are first hit on a network you notice you are down when it stops working, but Huntsman can determine who is affected on a network on any scale and deal with the situation before it is too late.
"Huntsman works by collecting audit messages from the network telling you which machines are talking to each other and when. Then, using a series of agents which, depending on the data source, retrieve information from sources and firewalls and bring data back to the Huntsman central server, which then begins the predictive modelling that you can see in real time."
The software then allows an IT manager to take back control of a network – or choose to trust the software currently in place.
"In autonomous mode, the software will make all decisions for you and respond automatically. When operating in manual mode it still gives set responses to potential worms, hacker and virus attacks; however, the system will not do anything without the decision being made by an IT staffer as to what is abnormal."
Sweeney said there is a baseline period where Huntsman learns about the network, how applications behave and which machines talk to others at particular times of the day in order to, for want of a better term, learn.
"Initially, the software makes no behavioural assumptions because everyone on a system behaves differently even though they have all the same gear, but Huntsman learns the network as people, applications and procedures change."
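As an added illustration of the baseline-then-score approach this section describes (example code written for this page, not Tier-3's code and not a description of Huntsman's internals), the profiler below learns which hosts talk to which, and at what hours, from constructed audit records, then accumulates a small per-host score for each off-hours or never-seen contact so that events which individually do not warrant an alert add up to one. Host names, weights and the threshold are assumed values.

```python
from collections import Counter, defaultdict

# Constructed baseline audit records: (hour, source host, destination host).
BASELINE = [
    (9, "ws-01", "file-srv"), (9, "ws-02", "file-srv"), (10, "ws-01", "mail-srv"),
    (10, "ws-02", "mail-srv"), (14, "ws-01", "file-srv"), (14, "ws-03", "file-srv"),
    (15, "ws-03", "mail-srv"), (15, "ws-02", "file-srv"),
]

class BehaviourProfiler:
    """Learn who talks to whom, and when, during a baseline period; then score
    later events against that profile, accumulating suspicion per source host."""

    def __init__(self, novel_pair=1.0, odd_hour=0.5, threshold=4.0):
        self.pairs = Counter()            # (src, dst) -> times seen in baseline
        self.hours = defaultdict(set)     # src -> hours at which it was active
        self.scores = defaultdict(float)  # src -> accumulated suspicion score
        self.novel_pair = novel_pair      # weight: dst never seen for this src
        self.odd_hour = odd_hour          # weight: src not normally active now
        self.threshold = threshold        # assumed alert threshold

    def learn(self, records):
        """Baseline period: record normal behaviour, raise nothing."""
        for hour, src, dst in records:
            self.pairs[(src, dst)] += 1
            self.hours[src].add(hour)

    def score_event(self, hour, src, dst):
        """Score one later event, add it to src's total, return its own score."""
        contribution = 0.0
        if (src, dst) not in self.pairs:
            contribution += self.novel_pair
        if hour not in self.hours.get(src, set()):
            contribution += self.odd_hour
        self.scores[src] += contribution
        return contribution

    def alerts(self):
        """Hosts whose accumulated score has crossed the threshold."""
        return sorted(h for h, v in self.scores.items() if v >= self.threshold)

def run_demo():
    """Constructed scenario: ws-02 starts contacting peers it never spoke to, at 3 a.m."""
    profiler = BehaviourProfiler()
    profiler.learn(BASELINE)
    for hour, src, dst in [(9, "ws-01", "file-srv"), (3, "ws-02", "ws-01"),
                           (3, "ws-02", "ws-03"), (3, "ws-02", "ws-04")]:
        profiler.score_event(hour, src, dst)  # 0.0, then 1.5 per ws-02 event
    return profiler.alerts()                  # ["ws-02"]: three weak signals add up
```

In practice the baseline would be fed from switch, server and firewall audit logs over days rather than a handful of records, and the weights would be tuned per site.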
Education an effective weapon of choice
End user education is a favoured and effective weapon against attack.
Sure, using the best technology available can virtually guarantee a robust network and cut down on the time it takes to recognize potential security problems so that countermeasures can be deployed. But a well-educated user base adds an integral and necessary defence layer to any network.
While no one expects users within an organization to possess the IT skills that would make them an effective unit to battle 'behind the lines', a little education into what viruses do, how they spread and how they can be recognized could dramatically cut down on the number of end-point incidents.
Brad Engstrom, security expert at Cisco, has details of just that experience, and considers a little user education an invaluable resource in keeping a network running.
For educational purposes only, Engstrom went into detail regarding just one incident, when the Bagle virus first hit a network.
The initial Bagle virus infected systems when a user opened an e-mail attachment that contained the infection and in the example case, Engstrom said, an entire network could have been compromised through the simple process of opening an e-mail due to an end user's lack of education. "In a network of 37,000 desktops everyone received the attachment and 640 end users 'double clicked', opening the virus," Engstrom said.
"From those 640 users that opened the virus, 52 installed the virus, and they are a smart user base. But IT got the patches in place minutes too late. From this the organization learnt that 640 staff members needed e-mail training!"
In breaking news, heavyweights Cisco Systems and Trend Micro announced a partnership earlier this month which will see Cisco integrate Trend Micro's network worm and virus signatures with the Cisco Intrusion Detection System (IDS) software deployed in the IOS Software-based routers, Catalyst switches and network security appliances.
The initial integration is scheduled for the second half of 2004.
Engstrom said the development of the new system allows IT managers to deal with a virus issue and develop policies to stop viruses and people from installing the dangerous software.
Taking inspection to the depths
If going beyond just keeping a hacker from coming in sounds like a paragraph from your job description, then deep packet inspection firewalls promise to deliver the next wave of defence. Deep packet inspection firewalls, such as the FortiGate system from Fortinet, have been touted as the best line of defence against anything getting through a network.
Eddie Irvine, computer systems specialist with the division of information and communications science at Macquarie University, said the process of installing the Fortinet system was at times leisurely followed by brief periods of intense stress.
Before installing the system, Irvine was running two firewalls, one of which was used to keep the students in and the other to protect desktop machines running Windows software which staff use.
Irvine said initially, the architecture was a mess.
"The firewall stopping our students from doing things - like hacking NASA - had grown organically and we had to merge the two firewalls into one; it was time for a change and to seek out an alternative," he said.
After trialling Fortinet the installation went ahead and Irvine said merging two firewalls into one is pretty painless.
There were three reasons why he chose the product. First was that the company approached him at the right time and Irvine said the vendor was pretty proactive during the entire process.
But more importantly it was price-competitive and he thought it was good technology.
"The real reason we chose Fortinet was that it inspects network traffic and finds and blocks viruses on the traffic, which I was cynical about in the beginning and initially saw only as an added bonus," Irvine said.
"Anybody responsible for desktops running Windows 2000 has got virus detection and prevention issues. We use Norton Anti-virus as well as an antivirus system in the e-mail gateway and saw the number of detections of viruses reported by Norton fall from 30 per day to maybe one or two since we introduced Fortigate.
"We had no problems with the Sasser worm or its variations."
Fortinet Asia Pacific general manager, Matt Young, said the aim of Fortigate-60 was to create an entire security platform that was affordable. "Our customers are saying they want an all-in-one system offering best-of-breed capabilities," Young said.
"An organization serious about security needs a cost-effective solution that is easy to manage and has to be 'plug and play'.
"Currently the market is swamped by managed security providers offering outsourcing and it is just as easy for a smaller firm to deploy a system like Fortigate."
Young said system attacks have risen from around 3000 a year in 1998 to 250,000 today.
He said the best defence is a network with intelligent solutions that keep IT managers informed ahead of time.
With Sandra Rossi