http://www.baselinemag.com/article2/0,1540,2069358,00.asp

By Brian P. Watson
December 12, 2006

Maybe Gartner was right. Back in 2003, the research firm predicted the downfall of standalone intrusion detection tools, which monitor network traffic and alert administrators to anything out of the ordinary, by the end of 2005. Gartner said organizations would turn to a layered approach, utilizing software and appliances that not only spot viruses, worms and hacker attacks, but also block them. Technology managers are also deploying anomaly-based monitoring tools, which sample normal network behavior and react to unusual activity.

But that's not to say intrusion detection technologies alone haven't proved their mettle. "Any company that takes its security seriously should run an [intrusion detection system] at the bare minimum," says Michael Morgan, network security administrator with The Bankers Bank, an Atlanta firm that services community institutions. "You need to know what's going on with your business."

For Bankers Bank, intrusion detection was a necessity. Businesses like MasterCard and Visa mandated that their partners invest in security tools, as did government and industry regulators.

In late 2005, Morgan and his team moved to a third-party intrusion detection system. For two years, the firm had used a homegrown solution, but Morgan wanted better reporting to prove its worth to senior executives. As he explains it, Bankers Bank needed to produce reports showing records (such as what kind of attacks took place, how often and how they were controlled) to pass the audits required by partners and regulators.

Morgan opted for Sourcefire's intrusion detection software, based on the open source Snort engine and its rule language, along with its Real-Time Network Awareness sensor, citing the products' "outstanding" reporting capabilities. He receives real-time alerts on his BlackBerry and daily summaries each morning, while supervisors receive weekly reports.
On top of spotting intrusions, Morgan says the firm customized the Sourcefire system to detect and block harmful traffic like malware or Internet Relay Chat traffic.

Morgan hasn't quantified the return on his total investment of around $70,000, but says that without it, Bankers Bank would never have passed the audits, which could have led to regulatory fines or loss of business with partners.

Intrusion detection tools monitor the packets of data coming through a corporate network. Sometimes that traffic includes attacks like viruses, spam, worms or spyware that can jeopardize a company's ability to operate and guard customer and partner information. Intrusion detection software contains signatures (definitions of common computer network attacks) that identify unwanted traffic, log the intrusion into a management system or database for aggregation, and alert network administrators to the event. Intrusion prevention goes one step further: It spots, logs and sends alerts about the intrusion, but also pulls it out of incoming traffic, thwarting its entry into the network.

Down the road from Bankers Bank, Fred Vignes, information security director for Zoo Atlanta, set up an intrusion detection system that paid for itself in a matter of weeks. Protecting networks, Vignes says, meant protecting the zoo's business. Consumers can book tickets to the zoo, buy merchandise and make donations over the corporate network; in season, vendors sell up to $8,000 in food per day over a wireless network. "If they're not working," Vignes says of his networks, "we're not selling."

Finding the right tools was not such a pressing effort, though. Instead of going through a long evaluation process, Vignes last year turned to Atlanta-based Internet Security Systems (recently acquired by IBM) and its Proventia M30 appliance, which recognizes and blocks more than 1,000 attacks.
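The distinction the article draws between detection (spot, log, alert) and prevention (also drop the packet), and the kind of custom signature Morgan describes for IRC traffic, can be made concrete with a small signature engine. The following is an added example written for this page; it is not Snort or Sourcefire code. It parses a handful of rules written in a Snort-like subset (header fields plus the content, nocase, msg and sid options; the subset, the helper names, the rule text, the sample packets and the documentation-range addresses are all assumptions constructed for the example) and runs the same traffic through it twice: once in IDS mode, where every match is logged but every packet passes, and once in IPS mode, where a matching drop rule discards the packet.

```python
"""Toy signature engine showing IDS (alert only) versus IPS (alert and drop).

Added example for this page; not Snort or Sourcefire code. It understands a
small Snort-like rule subset (an assumption of this example): header fields
action/proto/src/sport/dst/dport and the options content, nocase, msg, sid.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                     # "alert" logs only; "drop" also discards in IPS mode
    proto: str
    dport: str                      # "any" or a port number as text
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [pattern bytes, nocase flag] pairs


@dataclass
class Verdict:
    action: str                     # "pass" or "drop"
    alerts: list                    # (sid, msg, rule action) for every matching rule


RULE_HEADER = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+"
    r"(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def content_bytes(spec: str) -> bytes:
    """Turn a Snort-style content string into bytes; |..| sections are hex."""
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode()
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    rule = Rule(action=m["action"], proto=m["proto"].lower(), dport=m["dport"])
    # Options are ';'-separated; a ';' inside a content string is not handled here.
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            rule.contents.append([content_bytes(val), False])
        elif key == "nocase":            # applies to the preceding content
            rule.contents[-1][1] = True
        elif key == "msg":
            rule.msg = val
        elif key == "sid":
            rule.sid = int(val)
        # any other option keyword is ignored by this subset
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True


def inspect(pkt: Packet, rules, prevention: bool) -> Verdict:
    """IDS mode (prevention=False): log every match, packet always passes.
    IPS mode (prevention=True): a matching 'drop' rule discards the packet."""
    alerts = [(r.sid, r.msg, r.action) for r in rules if matches(r, pkt)]
    dropped = prevention and any(a[2] == "drop" for a in alerts)
    return Verdict("drop" if dropped else "pass", alerts)


# Constructed rule set: IRC commands and a PE (MZ) header in an inbound download.
RULES = [
    'alert tcp any any -> any any (msg:"IRC NICK command"; content:"NICK "; nocase; sid:1000001;)',
    'drop tcp any any -> any 6667 (msg:"IRC JOIN on standard port"; content:"JOIN "; sid:1000002;)',
    'drop tcp any any -> any any (msg:"PE executable in stream"; content:"|4D 5A|"; sid:1000003;)',
]

# Constructed sample traffic (documentation addresses; not captured data).
SAMPLE_TRAFFIC = [
    Packet("10.1.1.5", "198.51.100.7", 6667, b"NICK bot1234\r\nJOIN #c2\r\n"),       # IRC, standard port
    Packet("10.1.1.5", "198.51.100.7", 8080, b"nick bot1234\r\n"),                   # IRC on an odd port
    Packet("10.1.1.9", "203.0.113.2", 80, b"GET /weather/today HTTP/1.1\r\n"),       # legitimate request
    Packet("198.51.100.7", "10.1.1.5", 49152, b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00"),  # PE download
]


def run(prevention: bool, rule_texts=RULES, traffic=SAMPLE_TRAFFIC):
    rules = [parse_rule(r) for r in rule_texts]
    return [inspect(p, rules, prevention) for p in traffic]


if __name__ == "__main__":
    for mode, prevention in (("IDS", False), ("IPS", True)):
        for pkt, v in zip(SAMPLE_TRAFFIC, run(prevention)):
            sids = [a[0] for a in v.alerts]
            print(f"{mode}: {pkt.src}->{pkt.dst}:{pkt.dport} {v.action:4s} alerts={sids}")
```

Two points the run makes visible: the port-agnostic NICK rule still fires on IRC moved to port 8080, which a port-based firewall rule would miss, and the same rule set produces identical alerts in both modes; only the verdict changes, which is exactly the difference between the "barking dog" and the device that refuses to pass the traffic.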
According to Vignes, the vendor offered Zoo Atlanta the boxes for less than $10,000 in exchange for live product testing on his networks.

Vignes says attacks weren't common on the zoo's networks, but that worms like Code Red and viruses had forced him to shut them down for two full days. Since deploying the appliance, Vignes says he's been worry-free: "I have not had a single incidence of anything running loose in here since it's been turned on."

As technology managers looked to tools that could not only spot but block threats, vendors like Cisco, Internet Security Systems, Juniper Networks, Sourcefire and TippingPoint began combining detection and prevention tools into a single product. (Systems typically range in price from just under $10,000 to $70,000, depending on licensing, support and service agreements.) That market, which includes network and host intrusion tools, along with firewall products, totaled $475.4 million in worldwide sales in 2005, according to IDC.

For some, the combination of the two makes all the difference. "All [intrusion detection systems] are barking dogs," says Perry Jarvis, who until early November was network operations manager for the city of Burbank, Calif., and now works at Extreme Networks. "They don't take any corrective action."

Until 2003, the city operated its power grid, which supplies electricity to its population of more than 104,000, via a supervisory control and data acquisition (SCADA) network, a physically isolated local-area network that mirrored the grid itself. Since it was isolated, Jarvis and his team didn't have any intrusions or threats coming in or going out.

That soon changed: To predict how much power would be available for consumption, the city needed to figure in weather conditions. That meant Burbank had to tie the SCADA network to the municipal network, which left the SCADA setup susceptible to attacks.
To handle security threats, Jarvis and his team spent about $100,000 on a pair of Juniper Networks' NetScreen firewalls and two Intrusion Detection and Prevention 100s to sit behind them. Those products allowed Jarvis and his team to link the two networks, permitting the SCADA network to access weather reports from the municipal network while blocking harmful traffic and attacks in real time. The ability to create and customize signatures was a key selling point, Jarvis says.

But above all, Jarvis prefers the Juniper systems for their ability to do both: "I like the device saying, 'You don't look right, so you're not passing through to my systems.'"

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Dec 12 2006 - 22:06:40 PST