Intrusion Detection: Playing a New Role In Network Security
By Brian P. Watson | Posted 2006-12-12
Intrusion detection systems used to be the network's best guard dog: Quiet, obedient, always sniffing around. Now they're part of a whole new breed of network security.
Maybe Gartner was right. Back in 2003, the research firm predicted the downfall of standalone intrusion detection tools, which monitor network traffic and alert administrators to anything out of the ordinary, by the end of 2005.
Gartner said organizations would turn to a layered approach, utilizing software and appliances that not only spot viruses, worms and hacker attacks, but also block them. Technology managers are also deploying anomaly-based monitoring tools, which sample normal network behavior and react to unusual activity.
But that's not to say intrusion detection technologies alone haven't proved their mettle.
"Any company that takes its security seriously should run an [intrusion detection system] at the bare minimum," says Michael Morgan, network security administrator with The Bankers Bank, an Atlanta firm that services community institutions. "You need to know what's going on with your business."
For Bankers Bank, intrusion detection was a necessity. Businesses like MasterCard and Visa mandated that their partners invest in security tools, as did government and industry regulators.
In late 2005, Morgan and his team moved to a third-party intrusion detection system. For two years, the firm used a homegrown solution, but Morgan wanted better reporting to prove its worth to senior executives. As he explains it, Bankers Bank needed to produce reports that showed records (such as what kind of attacks took place, how often and how they were controlled) to pass audits required by partners and regulators.
Morgan opted for Sourcefire's intrusion detection software, based on the open source Snort language, along with its Real-Time Network Awareness sensor, citing the products' "outstanding" reporting capabilities. He receives real-time alerts on his BlackBerry and daily summaries each morning, while supervisors receive weekly reports. On top of spotting intrusions, Morgan says the firm customized the Sourcefire system to detect and block harmful traffic like malware or Internet Relay Chat traffic.
Morgan hasn't quantified the return on his total investment of around $70,000, but says that without it, Bankers Bank would never have passed the audits, which could have led to regulatory fines or loss of business with partners.
Intrusion detection tools monitor the packets of data coming through a corporate network. Sometimes that traffic includes attacks like viruses, spam, worms or spyware that can jeopardize a company's ability to operate and guard customer and partner information.
Intrusion detection software contains signatures (definitions of common computer network attacks) that identify unwanted traffic, log the intrusion into a management system or database for aggregation, and alert network administrators to the event. Intrusion prevention goes one step further: It spots, logs and sends alerts about the intrusion, but also pulls it out of incoming traffic, thwarting its entry into the network.
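The detection-versus-prevention distinction described above, as an added example that is not part of the original article: a minimal signature sensor run over the same packets once passively and once inline. The signature names, patterns, addresses and packets are constructed for illustration and are not taken from any vendor's rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed signatures: (name, byte pattern matched against the payload).
SIGNATURES = [
    ("IDA-OVERLONG-QUERY", re.compile(rb"GET /[^ ?]*\.ida\?N{32,}")),
    ("IRC-CLIENT-TRAFFIC", re.compile(rb"(?m)^(?:NICK|JOIN) \S+")),
]

# Constructed sample packets: (source address, payload).
PACKETS = [
    ("192.0.2.10", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("198.51.100.7", b"GET /default.ida?" + b"N" * 60 + b" HTTP/1.0\r\n\r\n"),
    ("192.0.2.44", b"NICK guest1\r\nJOIN #lobby\r\n"),
]

@dataclass
class Sensor:
    inline: bool  # False = detection only (IDS), True = prevention (IPS)
    log: list = field(default_factory=list)     # stand-in for the management database
    alerts: list = field(default_factory=list)  # stand-in for administrator notifications

    def inspect(self, src, payload):
        """Return True if the packet is forwarded into the network."""
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                action = "dropped" if self.inline else "passed"
                self.log.append((src, name, action))           # log the event
                self.alerts.append(f"{name} from {src} ({action})")  # alert the admin
                return not self.inline  # only an inline sensor removes the packet
        return True  # no signature matched: traffic is forwarded untouched

def run(sensor, packets):
    """Feed packets through the sensor and return those that reach the network."""
    return [p for p in packets if sensor.inspect(*p)]

if __name__ == "__main__":
    for mode in (False, True):
        sensor = Sensor(inline=mode)
        delivered = run(sensor, PACKETS)
        print("IPS" if mode else "IDS", "delivered", len(delivered), "of", len(PACKETS))
        for line in sensor.alerts:
            print("  alert:", line)
```

Both modes produce the same log entries and alerts; only the inline sensor changes what is delivered.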
Down the road from Bankers Bank, Fred Vignes, information security director for Zoo Atlanta, set up an intrusion detection system that paid for itself in a matter of weeks.
Protecting networks, Vignes says, meant protecting the zoo's business. Consumers can book tickets to the zoo, buy merchandise and make donations over the corporate network; in season, vendors sell up to $8,000 in food per day over a wireless network. "If they're not working," Vignes says of his networks, "we're not selling."
Finding the right tools was not such a pressing effort, though. Instead of going through a long evaluation process, Vignes last year turned to Atlanta-based Internet Security Systems (recently acquired by IBM) and its Proventia M30 appliance, which recognizes and blocks more than 1,000 attacks.
According to Vignes, the vendor offered Zoo Atlanta the boxes for less than $10,000 in exchange for live product testing on his networks.
Vignes says attacks weren't common on the zoo's networks, but that worms like Code Red and viruses had forced him to shut them down for two full days. Since deploying the appliance, Vignes says he's been worry-free: "I have not had a single incidence of anything running loose in here since it's been turned on."