3 Tips for Intrusion Security Planning

By Brian P. Watson

Find out how your company can avoid network intruders.

Gartner vice president Paul E. Proctor wrote the book—literally—on intrusion detection. But a lot has changed since 2000, when he penned the Practical Intrusion Detection Handbook, a 359-page tome with tips on choosing vendors, setting up policies and justifying related costs.

The intrusion detection systems of old sat inside the network, watching the incoming traffic. They could spot malicious packets like worms, viruses or spyware and alert technology managers, but they couldn't stop those threats from pervading the network. That's where intrusion prevention came into play. Prevention systems not only sit inline and detect bad traffic; they can block the packets completely.

But those aren't the only tools at a security manager's disposal. Proctor continues to watch the evolving security market and offers these tips for technology managers looking to step up their network protection.

1. Avoid Blocking Blunders

Intrusion prevention systems can deliver value at relatively low risk, Proctor says, but technology managers need to tweak what the system will or will not block. Some packets crucial to an application's performance could get snapped up and spit out unless the system is configured to let them through. "The risk still remains that if you turn on the wrong things, you can basically break applications," he says.

2. Turn Up the Volume

Vendor products can include 3,000 or so signatures, which are patterns of unwanted network activity. Once you figure out which applications—and, therefore, which patterns—you need to allow, activate as many signatures as you can, Proctor says. This will cover your bases in blocking the maximum number of threats.

3. There's No Silver Bullet

Vendors and users can tout the success of prevention systems all they want, Proctor says, but those systems alone cannot effectively guard your network. The right approach, he explains, is to employ multiple systems, including technologies such as detection and prevention, firewalls, anomaly-based monitoring (which takes a sample of normal traffic behavior and audits network flow against it), and security information and event management (which centralizes system logs and checks for patterns).
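To make the anomaly-based monitoring idea concrete, here is an added example (not from the article or from Proctor) of the "sample normal behavior, then audit against it" step. It works on constructed NetFlow-style records of the form (source host, destination port, bytes sent); the z-score threshold, the per-host stdev floor and the three alert kinds are assumptions for illustration, not anything a specific product does.

```python
"""Baseline-and-deviation check over flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_host, dst_port, bytes_out).
# BASELINE_FLOWS stands in for a sample of known-good traffic.
BASELINE_FLOWS = [
    ("10.0.0.5", 443, 1000),
    ("10.0.0.5", 443, 1200),
    ("10.0.0.5", 80, 900),
    ("10.0.0.5", 80, 1100),
    ("10.0.0.5", 443, 1300),
    ("10.0.0.7", 53, 500),   # a very regular host: constant size
    ("10.0.0.7", 53, 500),
    ("10.0.0.7", 53, 500),
]

# Constructed flows to audit: two normal, then three kinds of deviation.
OBSERVED_FLOWS = [
    ("10.0.0.5", 443, 1150),    # within normal range
    ("10.0.0.7", 53, 510),      # tiny jitter on a zero-variance host
    ("10.0.0.5", 443, 60000),   # large volume spike on a known port
    ("10.0.0.5", 3389, 1000),   # port never seen for this host
    ("10.0.0.9", 443, 800),     # host absent from the baseline
]


def build_baseline(flows):
    """Per-host profile: mean/stdev of bytes per flow and the set of ports used."""
    sizes = defaultdict(list)
    ports = defaultdict(set)
    for host, port, nbytes in flows:
        sizes[host].append(nbytes)
        ports[host].add(port)
    return {
        host: {"mean": mean(s), "stdev": pstdev(s), "ports": ports[host]}
        for host, s in sizes.items()
    }


def audit_flows(flows, baseline, z_threshold=3.0, stdev_floor_ratio=0.05):
    """Compare each flow with its host's profile and return a list of alerts.

    A host whose baseline volume never varies would have stdev 0, so every
    byte of jitter would be an infinite z-score; the floor (a fraction of the
    mean) keeps such hosts from flooding the analyst with spurious alerts.
    """
    alerts = []
    for host, port, nbytes in flows:
        profile = baseline.get(host)
        if profile is None:
            alerts.append({"host": host, "kind": "unknown_host", "detail": port})
            continue
        if port not in profile["ports"]:
            alerts.append({"host": host, "kind": "new_port", "detail": port})
            continue
        spread = max(profile["stdev"], stdev_floor_ratio * profile["mean"])
        z = (nbytes - profile["mean"]) / spread
        if z > z_threshold:
            alerts.append({"host": host, "kind": "volume_spike", "detail": round(z, 1)})
    return alerts


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for alert in audit_flows(OBSERVED_FLOWS, profile):
        print(alert)
```

Auditing the baseline sample against its own profile produces no alerts, which is the sanity check to run before pointing the logic at live flows; the three deviations in the observed set are each reported once, and the jitter on the constant-size host is absorbed by the stdev floor.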

This article was originally published on 2006-12-12
Brian P. Watson, Associate Editor

Brian joined Baseline in March 2006. In addition to previous stints at Inter@ctive Week and The Net Economy, he's written for The News-Press in Fort Myers, Fla., as well as The Sunday Tribune in Dublin, Ireland. Brian has a B.A. from Bucknell University and a master's degree from Northwestern University's Medill School of Journalism.
