How to block intruders

In simpler times, simpler security tools were enough – stick a firewall at the edge of the network and relax. But threats multiplied and became more sophisticated.

“Now the attacks are so vicious and so quick that by the time the customer goes to the intrusion detection system it’s already happened and it’s too late,” says Jordan Kalpin, Canadian regional manager for Internet security systems at IBM Canada Ltd. in Markham, Ont. “So in effect the intrusion detection system, because it didn’t block anything, became a forensics tool that they went to after the fact to see exactly what happened.”

So intrusion prevention systems (IPS) – designed not just to monitor network activity but to block suspicious traffic – have largely supplanted IDS. But even they struggle to keep up with evolving threats and faster networks.

Gigabit connections between internal data centres are giving way to 10-gigabit connections, says James Collinge, director of product line management at IPS vendor TippingPoint, a unit of 3Com Corp. in Marlboro, Mass. External connections may be anything from T1 speeds to 100 Megabits per second.

Support for 10-gigabit throughput is “a big focus right now,” says Michelle Perry, chief marketing officer at Columbia, Md.-based Sourcefire Inc. TippingPoint recently launched a Core Controller that can distribute traffic on a 10-gigabit link across multiple IPSs – eliminating the need to replace older IPS gear, Collinge says.

IPSs are also spreading from the perimeter throughout the network. “One of the things that we’re seeing more is the need to protect the core of the network as well,” observes John Yun, product marketing manager at Sunnyvale, Calif.-based Juniper Networks Inc. Infected laptops or memory sticks may introduce threats from inside. Strategically placed IPSs can stop them spreading.

Customers’ networks are easier to keep up with than the proliferation of threats.

McAfee Inc. of Santa Clara, Calif., has improved its IPS’s ability to detect anomalies in network behavior, says Doug Cooke, manager of systems engineers for McAfee Canada. Data gathered from devices such as switches and routers helps spot deviations from normal behaviour that might indicate an attack.

Today’s attacks aren’t as likely to be known exploits as threats never seen before, Kalpin says. “The technologies which will be able to protect (customers) against those kind of attacks … are designed to look for things that are out of the ordinary and are not based on signatures.”

Malware writers have become very good at frequent small modifications to defeat signature-based security, so many products now look not for code matching a specific signature but for code that takes advantage of a known vulnerability. Signatures still have a place, says Collinge, but TippingPoint makes about 10 times as much use of vulnerability filters as of known malware signatures. He adds that security devices are expanding their focus from network vulnerabilities to those at the operating system and application levels.

Yun says Juniper decodes network protocols to understand and address vulnerabilities, and its IPS can be tuned to reflect protocols in use.

Perry says knowing what’s running on the network makes it possible to turn filters on and off automatically, depending on what applications – and therefore what known vulnerabilities – exist in the customer’s environment. Sourcefire has automated this process so customers can spend less time tuning their systems, she says.

Many vendors are combining security functions. Juniper has linked its IPS, Secure Sockets Layer (SSL) and virtual private networking (VPN) products to better secure remote access, says Yun. McAfee’s IPS monitors SSL traffic to spot internal threats and data leakage (in which confidential data is inadvertently sent outside the enterprise, a growing concern for many businesses).

Cisco Systems Inc. and RSA, the security division of EMC Corp., recently integrated their data loss prevention technology. RSA’s technology can identify sensitive information such as credit card data and alert the Cisco Security Agent which can block its transmission out of the organization, says Katie Curtin-Mestre, director of product marketing for RSA’s data security group.

Yun says firewalls are increasingly being combined with other functions. Unified Threat Management, first seen as an easy option for smaller businesses, is spreading to larger organizations, and vendors like Sourcefire are now calling it Enterprise Threat Management. We’ve come a long way from the days when a simple firewall would do.