This week's RSA Conference 2003 in San Francisco features a
range of security technologies to allow organisations to more
actively defend themselves against a growing array of cyber
threats.
Unlike most traditional firewall and
intrusion-detection products, which either filter on addresses and
ports or passively detect and report problems, the new tools use
rules, usage models and correlation engines to enforce authorised
network behaviour. In some cases, these tools automatically prevent
unauthorised or malicious tasks from executing.
But many of the technologies are still in
their infancy, are largely untested in enterprise environments and
may not deliver all of the promised functionality just yet, users
and analysts cautioned.
Rules-based protection
One of the suppliers touting such products at
the conference, sponsored by RSA Security, is Entercept Security
Technologies, which is releasing an updated version of a host-based
intrusion-prevention software tool that uses virus signature
information and behavioural rules to intercept suspicious activity
before it reaches an application.
For example, if a rule states that only web
server processes can access web files, all attempts by other
processes to do so will be automatically blocked by Entercept
software, company officials said.
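The rule described above is a small default-deny access policy. The following is an added example written for this article, not Entercept's code: a toy host-based rule engine in which only the web server process may touch files under the web root, every other process is blocked, and an access that matches no rule is denied. The process names, directories and rule set are constructed for the example, and paths are canonicalised before matching so that a traversal such as /var/www/../etc/passwd is not mistaken for a web file.

```python
"""Default-deny host rule engine (added example, not Entercept's code).

Models the policy described above: only the web server process may read
web files. Process names, rule set and paths are constructed for this
example and are not drawn from any product."""
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class Rule:
    process: str      # exact process image name, or "*" for any process
    path_prefix: str  # directory the rule covers
    action: str       # "allow" or "deny"


# Constructed policy. Evaluation is first match wins; an access that
# matches no rule is denied, which is what makes the policy default-deny.
POLICY = [
    Rule("httpd", "/var/www", "allow"),   # the web server may touch web files
    Rule("*", "/var/www", "deny"),        # every other process is blocked
    Rule("*", "/tmp", "allow"),           # scratch space open to all
]


def canonical(path: str) -> str:
    """Collapse '..', '.' and repeated slashes before matching.

    Without this, /var/www/../etc/passwd would look like a web file and
    the allow rule for httpd could be abused to read outside the web root."""
    return posixpath.normpath(path)


def under(target: str, prefix: str) -> bool:
    """True when the canonical target lies at or below the rule's directory."""
    prefix = canonical(prefix)
    return target == prefix or target.startswith(prefix + "/")


def decide(process: str, path: str, policy=POLICY) -> str:
    """Return 'allow' or 'deny' for one attempted file access."""
    target = canonical(path)
    for rule in policy:
        if rule.process not in ("*", process):
            continue
        if under(target, rule.path_prefix):
            return rule.action
    return "deny"  # no rule matched: default deny


def audit(events, policy=POLICY):
    """Evaluate a batch of (process, path) events and return those blocked."""
    return [(p, f) for p, f in events if decide(p, f, policy) == "deny"]
```

Note that the order of the rules matters: the per-process allow must precede the catch-all deny for the same directory, and a request for a path outside every rule (for example the web server reading /etc/shadow) is refused without any rule mentioning it.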
Network Associates announced 4 April that it
would acquire Entercept for $120m (£76m). Three days earlier it
acquired Intruvert Networks, a provider of intrusion-detection
systems, for $100m (£63m).
Also this week, Teros will add a new module
called SafeIdentity to its Teros 100 Application Protection System.
Teros 100 is an "in-line" hardware device that sits directly on the
network in front of a web application server and inspects every
packet going in and out of the server in real time.
Like other intrusion-prevention products,
Teros' technology blocks anything that deviates from predetermined
norms for a particular server or application. While Teros claims
that its product can determine what those norms should be,
companies that are unwilling to leave that decision to the
technology can specify them.
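To make the positive security model concrete, here is an added example (not Teros code) of how such a filter can learn per-endpoint norms from a baseline of legitimate traffic, let an operator override a norm explicitly, and then block any request that deviates: an unknown endpoint, an unexpected parameter, a value whose character class is wider than anything seen in the baseline, or a value far longer than the learned maximum. The endpoints, parameter names and requests are all constructed for the example.

```python
"""Positive-security-model request filter (added example, not Teros code).

Learns per-endpoint norms from a constructed baseline of legitimate
traffic, lets an operator override them, then blocks anything that
deviates. All requests, endpoints and parameter names are constructed."""
import re

# Value classes ordered from most to least restrictive; a parameter's class
# is widened only as far as the baseline values require.
CLASSES = [
    ("digits", re.compile(r"[0-9]+")),
    ("alnum", re.compile(r"[A-Za-z0-9]+")),
    ("printable", re.compile(r"[\x20-\x7e]+")),
]
UNRESTRICTED = len(CLASSES)  # value matched no class at all

# Constructed learning-period traffic: (method, path, request parameters).
BASELINE = [
    ("GET", "/login", {}),
    ("POST", "/login", {"user": "alice", "pass": "s3cret"}),
    ("POST", "/login", {"user": "bob42", "pass": "hunter2"}),
    ("GET", "/account", {"id": "1001"}),
    ("GET", "/account", {"id": "1002"}),
]


def classify(value: str) -> int:
    """Index of the narrowest class the value fits, or UNRESTRICTED."""
    for idx, (_, rx) in enumerate(CLASSES):
        if rx.fullmatch(value):
            return idx
    return UNRESTRICTED


def learn(baseline):
    """Build {(method, path): {param: {"class": idx, "maxlen": n}}}."""
    profile = {}
    for method, path, params in baseline:
        endpoint = profile.setdefault((method, path), {})
        for name, value in params.items():
            spec = endpoint.setdefault(name, {"class": 0, "maxlen": 0})
            spec["class"] = max(spec["class"], classify(value))
            spec["maxlen"] = max(spec["maxlen"], len(value))
    return profile


def override(profile, method, path, name, class_name, maxlen):
    """Let an operator set a norm explicitly instead of trusting the learner."""
    idx = [c for c, _ in CLASSES].index(class_name)
    profile.setdefault((method, path), {})[name] = {"class": idx, "maxlen": maxlen}


def check(profile, method, path, params, slack=2):
    """Return ('allow', '') or ('block', reason). Anything unknown is blocked."""
    endpoint = profile.get((method, path))
    if endpoint is None:
        return "block", "unknown endpoint"
    for name, value in params.items():
        spec = endpoint.get(name)
        if spec is None:
            return "block", f"unexpected parameter {name!r}"
        if classify(value) > spec["class"]:
            return "block", f"character class of {name!r}"
        if len(value) > spec["maxlen"] * slack:
            return "block", f"length of {name!r}"
    return "allow", ""
```

The quality of the learned profile is entirely a function of the baseline: a learning period that misses a legitimate endpoint or a legitimately long value will turn into blocked users in production, which is exactly the false-positive concern raised later in this article. That is why the example keeps a length slack factor and an explicit override, so an operator can widen or tighten a norm rather than accept whatever the learner inferred.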
Baker Hill, a provider of application services
to the banking industry, has placed such "default deny" application
firewalls in front of several Microsoft Internet Information
Servers, said Eric Beasley, a senior network administrator at the
company.
Among other benefits, the technology has
eliminated the need for Baker Hill to immediately patch its servers
every time a Microsoft vulnerability is discovered, Beasley
said.
Since the Teros firewall is designed to allow
only a very limited set of activities on the servers it protects,
any malicious activities triggered by viruses like Slammer are
automatically stopped, he said.
Traditional firewall technologies are not
equipped to stop attacks that come through commonly used ports such
as Port 80, said Raj Dhingra, a vice-president at Intruvert.
The company this week will announce
IntruShield 1.5, a hardware appliance that sits on corporate
networks and sifts through the contents of each packet looking for
problems. The technology is able to modify, drop or block
individual packets or entire sessions if needed, company officials
said. It can also modify firewall policies while an attack is
happening or provide real-time alerts for manual follow-up, they
said.
Intrusion-detection systems have long
been notorious for generating false positives, and there is little
to show that the new tools are much better, said Ted Julian,
president of Arbor Networks, a supplier of network anomaly
detection products. For automatic prevention to become a reality,
"the need for better filtering and detection methods is patently
obvious", he said.