Intrusion detection


Network managers and consultants are beginning to realise that products such as firewalls at the perimeter do not provide total security. Enter intrusion detection systems, the 'burglar alarm' of the networks, a fast-growing software market which monitors networks from the inside.

People in the IT security area like to use analogies, so it's no surprise when someone uses this tactic to explain what intrusion detection systems (IDS) do. David Bridson, director of communications at Internet Security Systems (ISS), does it like this. Imagine a building protected by a nightwatchman at the gate. That watchman is the firewall. The IDS is comparable to a CCTV system because it's always on and monitoring, giving the people using it an opportunity to see any wrongdoing.

But it's not quite that simple and Bridson informs us that IDS is now on the verge of becoming IPS (Internet protection systems). IPS will allow the people deploying them to respond to any attacks in a number of ways. Not only will they detect incursions, but they will allow users to create an alarm or reconfigure a firewall "on the fly".

At present though, IDS operates as part of a larger corporate security programme, including anti-virus software, firewalls and VPNs. According to a recent Frost & Sullivan report, the technologies associated with IDS are expected to "improve in speed, enhance their mechanisms for event correlation, analysis and false-positive alarm filtering, and new hybrid solutions merging network-based and host-based systems will become more commonplace".

David Ellis, director of e-security at Unipalm, believes 2002 could be the year of widespread adoption and high growth of IDS. "From a distribution perspective we are certainly seeing this," he states, "with VARs focusing on the sector as a way to make profitable and service-led sales. Not only are IDS products becoming more mature, but network managers, security consultants and the like are realising products such as firewalls at the perimeter do not provide 100 per cent effective defence against all attacks, whether they originate internally or externally."

To deploy IDS, it's necessary to determine the network's vulnerabilities first and there are a number of systems from vendors such as ISS, Intrusion Inc and Snort which do this.
They help to locate where information is stored, understand the security measures in place to guard that information, and identify vulnerabilities and suspect configurations that place information at risk. Once that's achieved, the IDS can be deployed. IDS products work by monitoring networks for unauthorised access or behaviour. Threats can take the form of known attack signatures or unusual behaviour. As Ellis puts it: "The IDS sensors basically act like a burglar alarm on the network."

IDS market issues

But those involved in the IDS market are quick to point out it's not just about monitoring the perimeter, but also about looking for suspicious activity on each network segment, as well as key hosts or servers. "Network-based IDS cannot 'see' what is happening on these individual hosts," Ellis says, "and companies mustn't forget the internal security threat. IDS vendors providing an integrated approach, such as ISS, have systems that can be deployed at key parts of the network and on business critical hosts respectively."

According to Ellis, it is increasingly common for IDS to be deployed on hardware appliances from vendors such as Nokia and Intrusion Inc, a trend which is following in the footsteps of the firewall market. Bundling IDS with appliances allows for much quicker installation. Firewall vendors are also getting into the act by integrating pieces of IDS technology into their products.

One of the problems associated with IDS has been the management overhead from information overload, often meaning users do not respond to alerts quickly. There are products that attempt to address this issue by sifting events, escalating important ones by generating additional responses outside the console (such as e-mail or SMTP), or de-emphasising less important events by reducing alert priority or selectively preventing an event from being displayed or logged.
They also use advanced data correlation and analysis to derive the likelihood of a successful attack from aggregated vulnerability assessment information. Many look at information from other security components or products such as firewalls or anti-virus, allowing a single reporting console for solutions across the enterprise.

But there are big issues affecting the market at vendor level. In a report published in January, Frost & Sullivan claimed standards would be of paramount importance in the IDS and vulnerability assessment (VA) markets. If there is no agreement on standards, growth will be inhibited. But it warned, "even if these standards are adhered to, the scope of the standard reference is such that different implementations will not interoperate". And vendors had to simplify graphical user interfaces and the workings of IDS and VA products so they could be used by non-technical people - otherwise market growth would be limited.

While the IDS software market has been characterised by fast growth in recent years, Frost & Sullivan expects the VA software sector to reverse its fortunes in 2002. "As intrusion detection systems struggle to gain traction in a market that is still not entirely convinced about their value in business terms," argued Guy Chaigneau, research analyst at Frost & Sullivan, "vulnerability assessment is rising in popularity on the strength of its ability to determine what needs to be secured in the enterprise. Towards the end of the forecast period, we expect VA to represent, again, the lion's share of the overall market." He pointed out that the glut of vendors in the IDS and VA markets at the beginning of 2000 is now a handful, with the strong getting stronger: "Several vendors are emerging as market leaders for network-based and host-based intrusion detection systems and vulnerability assessment."
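The article names two detection models (known attack signatures and unusual behaviour) and then describes event sifting: escalating an alert when it matters and de-emphasising it when it does not, using aggregated vulnerability-assessment (VA) data to judge whether an attack is likely to succeed. The Python below is an added example written for this page, not code from the article or from any vendor it mentions (ISS, Snort, Intrusion Inc). Every log record, signature pattern, threshold and VA finding in it is constructed sample data, and the function names (match_signatures, detect_anomalies, prioritise, run_ids, escalated) are this example's own.

```python
"""Toy network IDS: signature matching + behavioural anomalies, then
VA-correlated prioritisation of the resulting alerts.
Added example; all data below is constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int          # seconds since the start of the (constructed) capture
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Alert:
    src: str
    dst: str
    kind: str        # "signature" or "anomaly"
    detail: str      # signature class, or anomaly description
    priority: str = "low"


# Constructed signature list: attack class -> byte pattern in the payload.
SIGNATURES = {
    "dir-traversal": b"../../",
    "cmd-exec": b"cmd.exe",
}

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


def match_signatures(events):
    """Known-attack detection: one alert per (event, matching signature)."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern in ev.payload:
                alerts.append(Alert(ev.src, ev.dst, "signature", name))
    return alerts


def detect_anomalies(events, max_targets=5, baseline_rate=2.0, rate_multiple=5):
    """Behavioural detection: a source touching many distinct (host, port)
    targets looks like a sweep; a source sending far above the baseline
    events/second looks like flooding or automated probing."""
    targets, counts, first, last = defaultdict(set), defaultdict(int), {}, {}
    for ev in events:
        targets[ev.src].add((ev.dst, ev.dport))
        counts[ev.src] += 1
        first.setdefault(ev.src, ev.ts)
        last[ev.src] = ev.ts
    alerts = []
    for src in counts:
        if len(targets[src]) > max_targets:
            alerts.append(Alert(src, "*", "anomaly", f"port-sweep:{len(targets[src])} targets"))
        span = max(last[src] - first[src], 1)          # avoid division by zero
        rate = counts[src] / span
        if rate > baseline_rate * rate_multiple:
            alerts.append(Alert(src, "*", "anomaly", f"rate:{rate:.1f}/s"))
    return alerts


def prioritise(alerts, va_findings):
    """Event sifting. A signature hit becomes 'high' when the VA scan found the
    target exposed to that attack class, and 'low' (kept in the log, not
    escalated) when it did not. Anomalies stay 'medium': VA data says nothing
    about behaviour, so they need an analyst's judgement."""
    for a in alerts:
        if a.kind == "signature":
            a.priority = "high" if a.detail in va_findings.get(a.dst, set()) else "low"
        else:
            a.priority = "medium"
    return sorted(alerts, key=lambda a: PRIORITY_RANK[a.priority])


def run_ids(events, va_findings):
    return prioritise(match_signatures(events) + detect_anomalies(events), va_findings)


def escalated(alerts):
    """Alerts that should trigger a response outside the console (e-mail, pager)."""
    return [a for a in alerts if a.priority == "high"]


# Constructed sample capture: normal browsing, two signature hits, a sweep
# of six ports on one host, and a 30-request burst inside two seconds.
EVENTS = [
    Event(10, "10.0.0.20", "10.0.0.5", 80, b"GET /index.html HTTP/1.0"),
    Event(11, "10.0.0.20", "10.0.0.5", 80, b"GET /about.html HTTP/1.0"),
    Event(20, "10.0.0.50", "10.0.0.5", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Event(30, "10.0.0.51", "10.0.0.6", 80, b"GET /scripts/cmd.exe HTTP/1.0"),
]
EVENTS += [Event(40 + i, "10.0.0.60", "10.0.0.7", p, b"")
           for i, p in enumerate([21, 22, 23, 25, 80, 110])]
EVENTS += [Event(100 + i // 15, "10.0.0.70", "10.0.0.5", 80, b"GET / HTTP/1.0")
           for i in range(30)]

# Constructed VA findings: host -> attack classes the scan found it exposed to.
VA_FINDINGS = {"10.0.0.5": {"dir-traversal"}, "10.0.0.6": set()}

if __name__ == "__main__":
    for a in run_ids(EVENTS, VA_FINDINGS):
        print(f"[{a.priority:>6}] {a.kind:9} {a.src} -> {a.dst}: {a.detail}")
```

Two design choices reflect the article's point about information overload. A signature hit against a host the VA scan did not find exposed is not discarded, only demoted, so a stale or wrong scan result can still be reviewed later, which is the "reducing alert priority" option rather than the "preventing an event from being logged" one. And anomaly alerts are never raised to the top tier automatically: without a VA finding to confirm that the behaviour threatens something vulnerable, they are the kind of event that floods a console, so they sit below confirmed signature hits in the sorted output.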
The market has split between large organisations with established products, such as Cisco and Computer Associates, and those which specialise in IDS, such as ISS and Intrusion Inc. Then there are the bundlers, such as Symantec and Network Associates, with broad portfolios of security products that include intrusion detection, firewall, anti-virus software, VPN, vulnerability assessment, and risk and security management.

Bridson at ISS claims that the firewall market is reaching saturation point and there is a trend towards consolidation and vendors looking to other areas, such as intrusion detection. ISS had a long-running bundling deal with Check Point which has just ended. The suspicion is that Check Point ended the deal as it is considering entering the IDS market itself. Meanwhile, ISS has entered into an alliance with Network Associates which gives it access to the latter's anti-virus capabilities.

Looking at the opportunity for resellers, Bridson believes existing firewall users are "the low-hanging fruit", especially if they believe they're "not getting everything they expected from the firewall". Not that it's necessarily easy. Although "anybody who has a firewall is a potential IPS owner" to Bridson, "the problem with IPS is that you're trying to sell yet another level of security to somebody who already has anti-virus and a firewall".

Policy management

Bernie Dodwell, sales and marketing director at Allasso, says there is a growing interest in IDS as customers start to take notice of what goes on within the network, rather than protecting it from outside forces. Looking at the strategies employed by Network Associates and Symantec, Dodwell says they are "going for nirvana. In the real world, they haven't got best of breed. One size does not fit all in security. There's no single vendor that has the best firewall or the best anti-virus technology. If it did, it would absolutely dominate the market."
And although there are clear market leaders in each niche of the security market, the challenge - as highlighted by Frost & Sullivan - is to make everything work together. Dodwell says a customer could end up with five or six technologies in its security system, encompassing areas like IDS, firewall and e-mail management, each with their own policy. "There is a need for policy management. It's not so much the cost of buying the product, it's the cost of managing. The company nearest to [making it easier] is Computer Associates with its e-Trust range which has a single management policy. The technologies are not best of breed but the approach is right."

Bridson agrees. "It has to be made much more simple to implement security - and cheaper too. Our research shows that 15 per cent of a security solution is the cost of the initial purchase. The other 85 per cent is managing it. Gradually, people have to offer IPS on the desktop, network and server. That's certainly the direction we're going in. Our product strategy is to simplify the whole thing."

And while Dodwell concurs with Frost & Sullivan that VA is taking off, he argues there are significant issues to be addressed in the long term, suggesting that VA's limitation is that it offers only a snapshot in time for the state of the network. But new vulnerabilities could be introduced or somebody could attach a new PC to the network or viruses could emerge after that snapshot. "It's extremely good at telling you the state of the network at one point in time, but you need continual vulnerability assessment five or six times a day. The other thing you need is a 24-hour patrol and VA doesn't look at traffic. That's why you need IDS for things that begin to traverse the network. The two go hand-in-hand."
IDS and network security

According to a recent report by Frost & Sullivan, vulnerability assessment (VA) and intrusion detection systems (IDS) are becoming critical components in managing and monitoring the security of network and host systems. It says some larger IDS vendors are moving to incorporate intrusion detection management into enterprise network and system management systems. It also forecasts that licence revenues in the VA and IDS industry are set to climb from $58.25m (£41m) in 2001, to $182.2m in 2005.

Partnership conflicts

At the beginning of May, ISS announced a strategic partnership with Network Associates to conduct joint R&D and also offer integrated products and services. Under the deal, the ISS RealSecure intrusion detection system (IDS) would be integrated into NAI's Sniffer network monitoring product, there would be an ISS-managed McAfee anti-virus gateway service and managed desktop service, and NAI's McAfee anti-virus information would be integrated with ISS' RealSecure intrusion information.

Commenting on the deal, Gartner said it would offer both vendors "new marketing opportunities, but conflicting interests will likely limit their cooperation in key areas". ISS would be able to sell intrusion detection products to users of NAI's popular Sniffer, while NAI could use the ISS managed security service "as a channel for selling its gateway anti-virus product (and cut into Trend Micro's lead in this area) and can also have Sniffer deployed as a production, rather than tactical device".

Gartner suggested ISS gained the most from the partnership "because Sniffer dominates its market more than ISS does in the managed service market. NAI must ensure this partnership does not cause internal channel conflicts or impede continuing Sniffer enhancements". But it stressed NAI and ISS would have conflicting interests in many competitive areas, "particularly in the future revenue paths for NAI's ePolicy Orchestrator and ISS' Site Protector. Neither company will likely risk losing a competitive advantage by sharing their key technologies with non-exclusive partners, even if such combined offerings would fight multi-element threats, such as the Nimda worm, more effectively".
