RSA: intrusion prevention is the way ahead

This week's RSA Conference 2003 in San Francisco features a range of security technologies to allow organisations to more actively defend themselves against a growing array of cyber threats.  

Unlike most traditional firewall and intrusion-detection products, which passively detect problems, the new tools use rules, usage models and correlation engines to enforce authorised network behaviour. In some cases, these tools automatically prevent unauthorised or malicious tasks from executing. 

But many of the technologies are still in their infancy, are largely untested in enterprise environments and may not deliver all of the promised functionality just yet, users and analysts cautioned. 

Rules-based protection 

One of the suppliers touting such products at the conference, which is sponsored by RSA Security, is Entercept Security Technologies, which is releasing an updated version of its host-based intrusion-prevention software. The tool uses virus signature information and behavioural rules to intercept suspicious activity before it reaches an application. 

For example, if a rule states that only web server processes can access web files, all attempts by other processes to do so will be automatically blocked by Entercept software, company officials said. 
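As an added illustration, and not code from Entercept or any other product named here, the hypothetical Python policy engine below applies the article's example rule under a default-deny model: the `WEB_RULES` policy, the `AccessEvent` records and the sample events are all constructed for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class AccessEvent:
    process: str  # name of the process requesting the access
    path: str     # file it is trying to open
    action: str   # "read", "write" or "exec"


@dataclass(frozen=True)
class AllowRule:
    process_glob: str
    path_glob: str
    actions: frozenset


# Hypothetical policy modelled on the article's example: only the web server
# process may touch web files. Anything not explicitly allowed is denied.
WEB_RULES = (
    AllowRule("httpd", "/var/www/*", frozenset({"read"})),
    AllowRule("httpd", "/var/log/httpd/*", frozenset({"write"})),
)


def decide(event: AccessEvent, rules=WEB_RULES) -> str:
    """Return 'allow' if some rule matches the event, otherwise 'deny'."""
    for rule in rules:
        if (fnmatch(event.process, rule.process_glob)
                and fnmatch(event.path, rule.path_glob)
                and event.action in rule.actions):
            return "allow"
    return "deny"  # default deny: no matching rule means the access is blocked


# Constructed sample events: a normal page fetch, a log write, and two
# deviations from the norm that the policy should stop.
SAMPLE_EVENTS = (
    AccessEvent("httpd", "/var/www/index.html", "read"),
    AccessEvent("httpd", "/var/log/httpd/access_log", "write"),
    AccessEvent("httpd", "/var/www/index.html", "write"),     # server altering its own content
    AccessEvent("backup.sh", "/var/www/config.php", "read"),  # non-web process reading web files
)


def enforce(events=SAMPLE_EVENTS, rules=WEB_RULES):
    """Evaluate each event against the policy and return (event, verdict) pairs."""
    return [(event, decide(event, rules)) for event in events]


if __name__ == "__main__":
    for event, verdict in enforce():
        print(f"{verdict:5} {event.process} {event.action} {event.path}")
```

Note that the default-deny outcome also covers actions the rule never anticipated, such as the web server writing to its own content directory, which is why such a policy can block unknown malicious behaviour rather than only known signatures.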

Network Associates announced 4 April that it would acquire Entercept for $120m (£76m). Three days earlier it acquired Intruvert Networks, a provider of intrusion-detection systems, for $100m (£63m). 

Also this week, Teros will add a new module called SafeIdentity to its Teros 100 Application Protection System. Teros 100 is an "in-line" hardware device that sits directly on the network in front of a web application server and inspects every packet going in and out of the server in real time. 

Like other intrusion-prevention products, Teros' technology blocks anything that deviates from predetermined norms for a particular server or application. While Teros claims that its product can determine what those norms should be, companies that are unwilling to leave that decision to the technology can specify them. 

Baker Hill, a provider of application services to the banking industry, has placed such "default deny" application firewalls in front of several Microsoft Internet Information Servers, said Eric Beasley, a senior network administrator at the company. 

Among other benefits, the technology has eliminated the need for Baker Hill to immediately patch its servers every time a Microsoft vulnerability is discovered, Beasley said.

Since the Teros firewall is designed to allow only a very limited set of activities on the servers it protects, any malicious activities triggered by viruses like Slammer are automatically stopped, he said. 

Traditional firewall technologies are not equipped to stop attacks that come through commonly used ports such as Port 80, said Raj Dhingra, a vice-president at Intruvert.

The company this week will announce IntruShield 1.5, a hardware appliance that sits on corporate networks and sifts through the contents of each packet looking for problems. The technology is able to modify, drop or block individual packets or entire sessions if needed, company officials said. It can also modify firewall policies while an attack is happening or provide real-time alerts for manual follow-up, they said.   

Intrusion-detection system devices have long been notorious for generating false positives, and there's little to show that the new tools are much better, said Ted Julian, president of Arbor Networks, a supplier of network anomaly detection products. For automatic prevention to become a reality, "the need for better filtering and detection methods is patently obvious", he said. 
