HP to bundle security system with servers

Hewlett-Packard Co. will begin bundling a security product designed to detect and analyze hacks on a server operating system with its hardware running HP-UX.

The IDS/9000 intrusion detection software will now be bundled with HP-UX, HP’s flavour of the Unix operating system, said Mark Crosbie, security architect at HP, speaking at the RAID 2001 conference at the University of California at Davis.

HP will also put out version 2.0 of the product in “a few weeks” and is considering making the software available for other operating systems, Crosbie said. IDS/9000 is already available as a free download from HP.

IDS/9000 looks for intrusions at the kernel level of an operating system, can take a snapshot of the system at the time of the attack and can trigger automatic responses that help lessen the impact of a hack, Crosbie said. The software uses a set of about 12 attack templates to match against unusual activity, looking to see if something seems out of the ordinary, such an odd log file or unauthorized change to a file’s properties.

Users can check for information on what system conditions were like when the attack attempts occurred and possibly use the data to avoid future break-ins. In addition, the IDS/9000 product can trigger a number of automatic responses to an intrusion, such as locking a suspect user account, sending an alert to an administrator and activating detection programs in other applications.

Detection software often takes a toll on system speed, but HP’s software lowers transaction processing throughput on an average Web site by only one per cent, Crosbie said. However, he added that on a Web site with the “worst configuration,” the product would slow transactions by about 20 per cent.

Also at the conference, research institute SRI International showed an intrusion detection system that runs on the popular Apache Web server. The SRI product can monitor as many as ten virtual clients from one central point, tracking URL (Uniform Resource Locator) requests on a Web server and collecting information on possible attacks. The group has a working prototype of the software ready for iPlanet E-Commerce Solutions’ iPlanet Web Server as well and is working to make the product run on databases, FTP (File Transfer Protocol) servers and mail servers, said Ulf Lindqvist, a computer scientist at SRI.

System administrators should still work to monitor resources across their networks, applications, servers and server operating systems instead of relying on one set of detection products, according to some users and vendors at the show.

“There are more systems to monitor the network, and the return on investment for network solutions has been pretty good, but each system has its advantages and disadvantages,” said Marvin Christensen, director of intrusion engineering at enterprise security and privacy services company Guardent Inc.

Companies with transaction-heavy Web sites or heavy amounts of traffic will have high performance requirements for intrusion protection products, because the companies need to focus on keeping the site’s speed high, Christensen said. With this in mind, a product such as HP’s that monitors the operating system would need to show it can stay out of the way of other applications and not hamper processing power too much.

HP, in Palo Alto, Calif., is at http://www.hp.com/.