Information Security News mailing list archives

Intrusion Detection: Playing a New Role In Network Security


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 13 Dec 2006 00:00:46 -0600 (CST)

http://www.baselinemag.com/article2/0,1540,2069358,00.asp

By Brian P. Watson
December 12, 2006

Maybe Gartner was right. Back in 2003, the research firm predicted the 
downfall of standalone intrusion detection tools, which monitor network 
traffic and alert administrators to anything out of the ordinary, by the 
end of 2005.

Gartner said organizations would turn to a layered approach, utilizing 
software and appliances that not only spot viruses, worms and hacker 
attacks, but also block them. Technology managers are also deploying 
anomaly-based monitoring tools, which sample normal network behavior and 
react to unusual activity.

But that's not to say intrusion detection technologies alone haven't 
proved their mettle.

"Any company that takes its security seriously should run an [intrusion 
detection system] at the bare minimum," says Michael Morgan, network 
security administrator with The Bankers Bank, an Atlanta firm that 
services community institutions. "You need to know what's going on with 
your business."

For Bankers Bank, intrusion detection was a necessity. Businesses like 
MasterCard and Visa mandated that its partners invest in security tools, 
as did government and industry regulators.

In late 2005, Morgan and his team moved to a third-party intrusion 
detection system. For two years, the firm used a homegrown solution, but 
Morgan wanted better reporting to prove its worth to senior executives. 
As he explains it, Bankers Bank needed to produce reports that showed 
records, such as what kind of attacks took place, how often and how they 
were controlled, to pass audits required by partners and regulators.

Morgan opted for Sourcefire's intrusion detection software, based on the 
open source Snort language, along with its Real-Time Network Awareness 
sensor, citing the products' "outstanding" reporting capabilities. He 
receives real-time alerts on his BlackBerry and daily summaries each 
morning, while supervisors receive weekly reports. On top of spotting 
intrusions, Morgan says the firm customized the Sourcefire system to 
detect and block harmful traffic like malware or Internet Relay Chat 
traffic.

Morgan hasn't quantified the return on his total investment of around 
$70,000, but says that without it, Bankers Bank would never have passed 
the audits, which could have led to regulatory fines or loss of business 
with partners.

Intrusion detection tools monitor the packets of data coming through a 
corporate network. Sometimes that traffic includes attacks like viruses, 
spam, worms or spyware that can jeopardize a company's ability to 
operate and guard customer and partner information.

Intrusion detection software contains signatures (definitions of common 
computer network attacks) that identify unwanted traffic, log the 
intrusion into a management system or database for aggregation, and 
alert network administrators to the event. Intrusion prevention goes one 
step further: It spots, logs and sends alerts about the intrusion, but 
also pulls it out of incoming traffic, thwarting its entry into the 
network.
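As an added illustration (not code from the article, from Sourcefire or from the Snort project), the following toy signature engine shows the detection-versus-prevention distinction described above: it parses a simplified Snort-style rule syntax, runs constructed sample packets through it, and in detection mode only logs and alerts while in prevention mode it also pulls packets that hit a "drop" rule out of the forwarded stream. The rule grammar, packet records, addresses and payloads are all constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:  # constructed stand-in for a captured packet (assumed shape)
    proto: str; src: str; dst: str; dport: int; payload: bytes

@dataclass
class Rule:  # action "alert" = detect and log; "drop" = also remove from traffic
    action: str; proto: str; dport: str; msg: str; content: bytes

# Simplified Snort-style rule: action proto src sport -> dst dport (msg:"..."; content:"...";)
RULE_RE = re.compile(r'^(alert|drop)\s+(\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(\S+)\s*'
                     r'\(msg:"([^"]*)";\s*content:"([^"]*)";\s*\)$')

def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    return Rule(*m.groups()[:4], m.group(5).encode())

def matches(rule: Rule, pkt: Packet) -> bool:
    proto_ok = rule.proto in ("any", pkt.proto)
    port_ok = rule.dport == "any" or int(rule.dport) == pkt.dport
    return proto_ok and port_ok and rule.content in pkt.payload  # signature = payload byte pattern

def inspect(rules, packets, prevention: bool):
    """Returns (events, forwarded): events are the log records handed to the management
    database and alerting; forwarded is what reaches the protected network."""
    events, forwarded = [], []
    for pkt in packets:
        hit = next((r for r in rules if matches(r, pkt)), None)
        blocked = hit is not None and prevention and hit.action == "drop"  # IPS only
        if hit is not None:
            events.append({"msg": hit.msg, "src": pkt.src, "dst": pkt.dst,
                           "dport": pkt.dport, "action": "dropped" if blocked else "alerted"})
        if not blocked:  # an IDS forwards everything it saw; an IPS withholds dropped packets
            forwarded.append(pkt)
    return events, forwarded

RULES = [parse_rule(r) for r in (  # constructed rules in the simplified syntax above
    'drop tcp any any -> any 6667 (msg:"IRC client registration on internal host"; content:"NICK ";)',
    'alert tcp any any -> any 80 (msg:"Code Red style default.ida request"; content:"/default.ida?";)',
)]
PACKETS = [  # constructed sample traffic, not real captures
    Packet("tcp", "10.0.0.5", "203.0.113.7", 6667, b"NICK zombie42\r\nUSER x x x :x\r\n"),
    Packet("tcp", "198.51.100.9", "10.0.0.20", 80, b"GET /default.ida?NNNNNNNN HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.0\r\n"),
]
```

Running `inspect(RULES, PACKETS, prevention=False)` yields two alert events and all three packets forwarded; with `prevention=True` the IRC packet is dropped while the alert-only rule still just logs, so two packets are forwarded.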

Down the road from Bankers Bank, Fred Vignes, information security 
director for Zoo Atlanta, set up an intrusion detection system that paid 
for itself in a matter of weeks.

Protecting networks, Vignes says, meant protecting the zoo's business. 
Consumers can book tickets to the zoo, buy merchandise and make 
donations over the corporate network; in season, vendors sell up to 
$8,000 in food per day over a wireless network. "If they're not 
working," Vignes says of his networks, "we're not selling."

Finding the right tools was not such a pressing effort, though. Instead 
of going through a long evaluation process, Vignes last year turned to 
Atlanta-based Internet Security Systems (recently acquired by IBM) and 
its Proventia M30 appliance, which recognizes and blocks more than 1,000 
attacks.

According to Vignes, the vendor offered Zoo Atlanta the boxes for less 
than $10,000 in exchange for live product testing on his networks.

Vignes says attacks weren't common on the zoo's networks, but that worms 
like Code Red and viruses had forced him to shut them down for two full 
days. Since deploying the appliance, Vignes says he's been worry-free: 
"I have not had a single incidence of anything running loose in here 
since it's been turned on."

As technology managers looked to tools that could not only spot but 
block threats, vendors like Cisco, Internet Security Systems, Juniper 
Networks, Sourcefire and TippingPoint began combining detection and 
prevention tools into a single product. (Systems typically range in 
price from just under $10,000 to $70,000, depending on licensing, 
support and service agreements.) That market, which includes network and 
host intrusion tools, along with firewall products, totaled $475.4 
million in worldwide sales in 2005, according to IDC.

For some, the combination of the two makes all the difference. "All 
[intrusion detection systems] are barking dogs," says Perry Jarvis, who 
until early November was network operations manager for the city of 
Burbank, Calif., and now works at Extreme Networks. "They don't take any 
corrective action."

Until 2003, the city operated its power grid, which supplies electricity 
to its population of more than 104,000, via a supervisory control and 
data acquisition (SCADA) network, a physically isolated local-area 
network that mirrored the grid itself. Since it was isolated, Jarvis and 
his team didn't have any intrusions or threats coming in or going out.

That soon changed: To predict how much power would be available for 
consumption, the city needed to figure in weather conditions. That meant 
Burbank had to tie the SCADA network to the municipal network, which 
left the SCADA setup susceptible to attacks.

To handle security threats, Jarvis and his team spent about $100,000 on 
a pair of Juniper Networks' NetScreen firewalls and two Intrusion 
Detection and Prevention 100s to sit behind them. Those products allowed 
Jarvis and his team to link the two networks, permitting the SCADA 
network to access weather reports from the city grid while blocking 
harmful traffic and attacks in real time.

The ability to create and customize signatures was a key selling point, 
Jarvis says. But above all, Jarvis prefers the Juniper systems for their 
ability to do both: "I like the device saying, 'You don't look right, so 
you're not passing through to my systems.'"


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn