By Baselinemag  |  Posted 2006-05-15

Security managers need cutting-edge technologies to get a 30,000-foot view of their operations—and to wage the ongoing battle against network attacks.


3. Intrusion Prevention Systems

Over the last three years, information provider LexisNexis Group has rolled out 80 intrusion prevention systems from 3Com's TippingPoint division. The systems, deployed worldwide across the networks of LexisNexis and its parent company, Dutch publisher Reed Elsevier, detect network-based attacks and automatically stop them based on more than 2,500 filters.

Leo Cronin, chief information security officer of LexisNexis, says the project was initiated to solve the game of leapfrog that involved constantly patching desktops while keeping antivirus software up to date. After Microsoft issued a critical Windows security patch, it would be weeks—or even several months—before LexisNexis could get even 80% of all systems patched, according to Cronin.

"The problem is," he says, "it's difficult to play catch-up when so many exploits are being introduced at a rapid pace." The TippingPoint appliances provide an additional layer of protection, on top of the antivirus software and other end-point security measures on employees' computers.

Cronin says the intrusion prevention project, which cost about $2 million over three years, has yielded tangible returns. In 2003, Reed Elsevier worldwide had between $1.5 million and $2 million of operational expense associated with cleaning up from virus and worm infections (including downtime costs for lost productivity). In 2004, when Cronin and his team started deploying the IPSs, the total spent on cleanup activities was $500,000; in 2005, it was less than $5,000, due to minor outbreaks at Reed Elsevier's Pacific Rim offices.

"We're not expecting costs to be zero," Cronin says. "But definitely, getting it down to local containment and then just the time and materials to clean it up is pretty good."

Drop-Kicking the Bots

At HoneyBaked Ham, a producer and retailer of meat products, the need to protect customers' credit card information was a big driver for an intrusion prevention system rollout, says Erik Goldoff, information-technology systems manager.

The Norcross, Ga.-based company, which operates 110 retail outlets, had to comply with the Payment Card Industry (PCI) Data Security Standard by June 2005. The standard, developed jointly by Visa and MasterCard, requires merchants to store credit card information using security technologies and best practices for privacy.

HoneyBaked Ham could have complied with PCI by installing an intrusion detection system (IDS), which monitors network activity but, unlike an intrusion prevention system, doesn't take action to stop anomalous traffic. Instead, Goldoff decided to simply go right to an IPS. With an IDS, "you'll be alerted—but that's after the fact," he says. "You're either dealing with a ton of false positives or you're getting an alert that you've already been attacked."

In May 2005, Goldoff and his team deployed an IPS from Top Layer Networks, opting for a hardware device instead of a lower-cost measure such as running open-source IPS software on Linux, on a generic Intel-based server. "We didn't want an IPS to be the bottleneck," he explains.

The team put the Top Layer system between the firewall and the Internet connection to screen out malicious traffic; Goldoff estimates the IPS has reduced the amount of traffic coming into the company's network by at least 15% by screening out bot probes and other unwanted access attempts.

But Goldoff cautions that there's no single big-box approach to security. "There are some big things like IPSs and firewalls, and then a lot of little things," he says. And it's important to keep watch over the little things, he adds, like monitoring the percentage of processor utilization on an e-mail server: "If you ignore your kids until they're not feeling well, you're in trouble."

Goldoff is also skeptical of the notion, advanced by some security vendors, that IPSs or any other device can simply be plugged into the network and left alone without any maintenance. "Anything you plug in and walk away from either wouldn't do everything you want it to," he says, "or it's doing something you don't want it to do."
