Intrusion battleground evolves

Just as network attack methods evolve, so do intrusion-detection systems. As the market matures, expect to see improved speeds, better mechanisms for event correlation and false-positive alarm filtering. New “hybrid” approaches (merging network- and host-based systems) also show promise. One thing you likely won’t see anytime soon, though, is falling IDS prices.

The Urge to Merge

While network-based IDS will continue to protect a network’s perimeters, the future of IDS lies in hybrid solutions, according to end users, analysts and vendors. Host-based intrusion detection consists of special software that runs on servers and other “host” platforms.

Host-based systems have an advantage on encrypted connections, such as Secure Sockets Layer Web sessions, or on VPN connections, because they can see the data unencrypted. On the other hand, a network-based detection system cannot decrypt data and so it just lets it pass. Some attacks exploit this shortcoming of network-based systems.

Babak Salimi, director of product management at Sygate Technologies Inc., says network IDS nodes placed at critical network aggregation and entry points will provide an extra level of protection – as part of a hybrid approach to intrusion detection that includes all types of IDS products.

Joel McFarland, IDS product marketing manager at Cisco Systems Inc., agrees that a layered solution of network- and host-based detection systems will evolve. He says network-based systems provide the broadest, most pervasive coverage, especially when an IDS is well-integrated into the network fabric. Cisco’s Catalyst 6000 IDS module can be integrated with Cisco routers, Catalyst switches and the Cisco PIX firewall.

But McFarland says it’s also imperative to deploy host-based protection on corporate and ‘Net servers that support critical business resources. Cisco recently introduced the Cisco IDS Host Sensor to complement its Catalyst switch-based IDS product. Residing on servers, the host-based software detects malicious activity and blocks access to resources to prevent serious damage.

Chris Petersen, IDS product marketing manager at Enterasys, says IDS will be a combination of technologies, including host, network and the hybrid products. The objective, Petersen says, is to gain visibility across the entire company about what’s occurring on the router, switch and servers, among others, and forward that information to an intelligent system that can make the right decisions, based on aggregation and correlation of notification messages coming from throughout the company.

Intelligent Analysis Needed

Petersen and others agree on the need for intelligence – human and/or mechanical – to analyse the data IDS systems produce. Many note, too, that security expertise is often lacking on IT technical staffs.

Jon Garside, business manager of security solutions at Computer Associates Inc., says the hybrid IDS products will support artificial intelligence, which is needed to correctly interpret the voluminous security information that IDS products report.

The current state of IDS products includes event and correlation applications. Even so, most are not sophisticated enough, and vendors are addressing this. Cisco is building correlation circuits into its new management console to let IDS products aggregate information from multiple systems.

Because security poses serious challenges to in-house technical staffs, some users are deciding whether to outsource intrusion detection. Thomas Scavo, information security architect for Dow Jones & Company, says outsourcing must be done carefully because there’s so much at stake. Users are also concerned with the costs of outsourcing.

Sygate’s Salimi sums up the outsourcing issue: There is no “one size fits all.” Budgets, staffing, security expertise, organization and other factors must go into the decision, he says.

False-positive Alarm Filtering

Another improvement needed is for IDS products to filter out false-positive alarms. Richard Helgeson, CEO of Captus Networks Inc., says IT departments at large companies often don’t have sufficient staffing to deal with the thousands of alarms (up to 98 per cent being false positives) that occur each day. Helgeson says many staffs often turn off security-event alarming, but then create an audit trail of the alarms for later, off-line analysis.

Several IDS vendors employ features to filter false-positive alarms. CA’s eTrust Intrusion Detection product uses a Java applet combined with statistics-based rules to filter them out. Lancope’s StealthWatch appliance minimizes false positives with a “concern index” mechanism that attributes a level of suspicion to each host communicating on the network, based on activity. Alarms are sent only when the suspicion level crosses a predetermined threshold. Otherwise, suspicious activity is logged, but no alarms issued.
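The “concern index” idea above, and the repetitive-alarm limiting mentioned later in this section, come down to one mechanism: score each host, log everything suspicious, and alarm only on the first crossing of a threshold. The following is an added illustration written for this article, not Lancope’s or any vendor’s code; the event weights, the threshold and the traffic log are constructed assumptions.

```python
"""Per-host "concern index" alarm filtering.

Illustrative model written for this article, not Lancope's code: every event
observed for a host adds a weight to that host's running score; suspicious
activity is always logged, but an alarm is raised only the first time the
score crosses the threshold, so repeats do not flood the operator console.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed weights (assumption: what counts as suspicious is site-specific
# and would be tuned against the site's known benign triggers).
EVENT_WEIGHTS = {
    "normal_flow": 0,   # ordinary completed connection, never logged
    "new_service": 3,   # host talks to a service it has not used before
    "syn_no_ack": 5,    # half-open connection, possible scan or flood
    "closed_port": 8,   # probe of a port with no listener
}


@dataclass
class ConcernTracker:
    threshold: int = 50
    scores: dict = field(default_factory=lambda: defaultdict(int))
    alarmed: set = field(default_factory=set)
    log: list = field(default_factory=list)      # (host, event, score after)
    alarms: list = field(default_factory=list)   # (host, score at crossing)

    def observe(self, host: str, event: str) -> bool:
        """Record one event for host; return True only when a new alarm fires."""
        weight = EVENT_WEIGHTS.get(event, 1)   # unknown event kinds count a little
        self.scores[host] += weight
        if weight > 0:
            self.log.append((host, event, self.scores[host]))
        if self.scores[host] >= self.threshold and host not in self.alarmed:
            self.alarmed.add(host)
            self.alarms.append((host, self.scores[host]))
            return True
        return False


def run_sample() -> ConcernTracker:
    """Feed a constructed traffic log through the tracker and return it."""
    events = [
        ("10.0.0.5", "normal_flow"),
        ("10.0.0.9", "closed_port"),   # 8
        ("10.0.0.9", "closed_port"),   # 16
        ("10.0.0.5", "new_service"),   # quiet host, score 3
        ("10.0.0.9", "closed_port"),   # 24
        ("10.0.0.9", "syn_no_ack"),    # 29
        ("10.0.0.9", "closed_port"),   # 37
        ("10.0.0.5", "normal_flow"),
        ("10.0.0.9", "closed_port"),   # 45
        ("10.0.0.9", "syn_no_ack"),    # 50 -> crosses threshold, one alarm
        ("10.0.0.9", "closed_port"),   # 58 -> logged, no second alarm
        ("10.0.0.5", "normal_flow"),
    ]
    tracker = ConcernTracker()
    for host, event in events:
        if tracker.observe(host, event):
            print(f"ALARM {host} concern index {tracker.scores[host]}")
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print(f"{len(t.alarms)} alarm(s), {len(t.log)} logged events")
```

Run as a script, the sample produces exactly one alarm for the probing host while nine suspicious events remain in the audit log for later, off-line analysis; the quiet host never alarms. A production version would also decay scores over time so that an old burst of activity does not keep a host permanently at the threshold.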

Cisco’s McFarland says tuning IDS products to respond to specific attacks results in fewer false-positive alerts. The company builds a database of information about attack signatures, including a description of benign triggers, into its Cisco Secure IDS product, formerly known as NetRanger. Operators can use this information to tune the IDS to site-specific information. Cisco is also building in mechanisms to limit the number of repetitive alarms transmitted to the operator console, among other things.

Should You Fight Back?

Another question is whether an IDS should prevent attacks in addition to detecting them. Currently, IDS products employ mechanisms to “shun” or prevent the attacks, but these are usually turned off by default. The user has to actively make the decision to apply the mechanisms.

Many within the security community contend that when IDSes are set up to automatically deflect attacks, they are open to new vulnerabilities – from outside attacks or in response to errors. Because the IDS responds automatically, it may be a while before technical staff realize that a customer has been blocked from entering the network.

For example, an intruder could spoof an IP address and send a SYN flood attack to a Web server to block legitimate user access to it. Or an IDS could interpret a mistake – someone using an incorrect address to access a server, for example – as an exploit. In either case, outside customers are prevented from accessing resources on the network. And it may take a while before the IT staff realizes it.

Helgeson says the Capt-IOG product offered by Captus averts this problem by letting users remove prevention measures automatically after a specified time period. Capt-IOG is a policy-based product. The network administrator sets up policies on which alarms should be sent. The Captus product enforces the policy, offering four preventive actions: notification that an event occurred; termination of traffic (stopping the attack); throttling the traffic (slowing down the traffic to allow for analysis); or redirecting the traffic to a specified area.
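The four-action policy with a time limit described above can be modelled in a few lines. The following is an added example written for this article, not Captus’s code: the alarm types, the chosen actions and the lifetimes are constructed assumptions, and the clock is passed in explicitly so the expiry behaviour can be exercised without waiting.

```python
"""Time-limited response policy.

Illustrative model written for this article, not Captus's code: each alarm
type maps to one of four actions (notify, terminate, throttle, redirect) plus
a lifetime in seconds. Blocking actions expire on their own, so a spoofed or
mistaken trigger cannot cut a legitimate address off indefinitely.
"""
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"notify", "terminate", "throttle", "redirect"}


@dataclass(frozen=True)
class Rule:
    action: str
    ttl: float   # seconds the action stays in force; ignored for "notify"

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


# Constructed policy (assumption: a real deployment tunes this per site).
POLICY = {
    "syn_flood": Rule("throttle", ttl=300.0),
    "port_scan": Rule("terminate", ttl=600.0),
    "bad_login": Rule("notify", ttl=0.0),
    "worm_probe": Rule("redirect", ttl=120.0),
}


class Responder:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.active = {}          # src address -> (action, expires_at)
        self.notifications = []   # every alarm is recorded, whatever the action

    def handle(self, src: str, alarm: str, now: float) -> Optional[str]:
        """Apply the policy for one alarm; return the action taken or None."""
        rule = self.policy.get(alarm)
        if rule is None:
            return None
        self.notifications.append((now, src, alarm, rule.action))
        if rule.action == "notify":
            return "notify"
        self.active[src] = (rule.action, now + rule.ttl)
        return rule.action

    def _expire(self, now: float) -> None:
        for src, (_, expires_at) in list(self.active.items()):
            if expires_at <= now:
                del self.active[src]

    def action_for(self, src: str, now: float) -> str:
        """What the enforcement point should do with traffic from src right now."""
        self._expire(now)
        if src in self.active:
            return self.active[src][0]
        return "allow"


def demo() -> dict:
    """Constructed timeline showing a throttle that releases itself."""
    r = Responder()
    out = {}
    out["flood_action"] = r.handle("203.0.113.7", "syn_flood", now=0.0)    # "throttle"
    out["login_action"] = r.handle("198.51.100.4", "bad_login", now=5.0)   # "notify"
    out["unknown"] = r.handle("198.51.100.4", "no_such_alarm", now=6.0)    # None
    out["during"] = r.action_for("203.0.113.7", now=150.0)                 # "throttle"
    out["login_host"] = r.action_for("198.51.100.4", now=150.0)            # "allow"
    out["after"] = r.action_for("203.0.113.7", now=300.0)                  # "allow"
    out["notifications"] = len(r.notifications)                            # 2
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the explicit expiry is the failure mode the preceding paragraphs describe: if the trigger was a spoofed source or an honest mistake, the affected address is back to “allow” after the lifetime without anyone on the IT staff having to notice and intervene. Notification is still recorded for every alarm, so the audit trail is complete even when no blocking action is taken.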

Tripwire also takes a proactive approach to attack prevention by monitoring unauthorized or undocumented network changes that could compromise a network’s security. Tripwire CEO Gene Kim says if problems are detected and fixed up front, it’s easier to prevent security breaches.

Mark Collier, CTO at SecureLogix Corp., says detection and prevention are most effectively addressed on the same appliance. Cisco’s McFarland says a balance between detection and prevention can provide value to customers. Cisco’s new IDS Host Sensor, for example, provides some prevention. It sits at the operating-system kernel level of a host device and intercepts malicious system calls and attacks before their execution (thus preventing them).

The Need for Speed

Network-based IDS products running on conventional operating systems often don’t have the system resources to perform traffic analysis at wire speed. As a result, they can become a bottleneck in the network.

IDS vendors are addressing this in various ways. Cisco added IDS capabilities on a module for its Catalyst 6000 Series switches, which can handle a fully loaded, full-duplex 100Mbps.

But even 100Mbps is not enough for today’s network environments, so IDS vendors are working on even higher-speed solutions. Cisco says it’s working on very high-speed appliances, based on ASIC technology, to break the current 100Mbps IDS speed barrier. Michael Mychalczuk, a NetIQ product manager, says his company plans to optimize its code and increase RAM, so that its Security Manager can handle higher speeds.

Lancope’s StealthWatch Threat Management System is an appliance based on optical technology that the vendor claims can handle gigabit speeds. Enterasys is developing faster methods for analysing and processing packets on the wire and designing faster rules engines and architectures. The vendor is also working on dedicated hardware systems that offer faster net-based intrusion detection.

Some vendors are also working on ways to make software more efficient at packet analysis. CA says it is working on software efficiency and placing rules in RAM to increase the effectiveness of its system’s packet analysis.

Pricing Holds Steady

IDS and other security products are still in developmental phases and have a long way to go before reaching commodity status. So look for prices on most products to remain about the same, or even increase slightly during the next 12 months as vendors add more sophisticated features and management functions.

Betsy Yocom is senior editor and Kevin Brown is lab test engineer at Miercom, an independent testing lab in Princeton Junction, N.J. They can be reached