Block It or Just Flag It?
By Baselinemag | Posted 2005-05-23
Some security managers question the wisdom of automatically shutting off access to systems, for fear of disrupting legitimate business.
Chris Hoff, chief information security officer at Western Corporate Federal Credit Union in San Dimas, Calif., uses both intrusion detection and intrusion prevention, depending on the circumstances. WesCorp manages $25 billion in assets for 1,100 credit unions, and has an outside service provider to cleanse incoming Internet traffic of any obviously unwanted or malicious activity before it reaches WesCorp's network. "They cut off the background noise that a traditional firewall would have to deal with," Hoff says.
Hoff has installed intrusion detection software sensors on WesCorp's servers to sniff for anything fishy (say, attempts to reconfigure the operating system). But he draws the line at automatically stopping unusual activity on the servers.
"You don't want active prevention in all cases," he says. "It may be more important to allow a transaction and have confidence that there are other controls that will protect your systems."
But others prefer to err on the side of caution. "We've put rules in place that say, 'If you see this kind of anomaly, stop it,'" says Mark Rein, director of information technology at the 334-bed Virginia Hospital Center in Arlington. "I'd rather make people mad that we shut off their access than risk infecting the hospital."
The hospital uses intrusion detection and prevention devices from Juniper Networks, though Rein says he plans to upgrade or replace them this year because they can't keep pace with his heavy-duty Internet connections, which can transmit 80 billion bits of information per second.
Rein says the devices save time and resources. To do the same task without them would require at least four staff members to constantly review firewall activity logs.
On the other hand, Rein notes, the products have required extensive configuration to be useful. At installation, the Juniper devices generated 400 alarms per day, which Rein's team has since cut to one or two. Intrusion detection and prevention systems, he says, have "matured to the point where you can tune them so you don't get lots of false positives."
In practice, no one blocks traffic immediately after plugging in one of these systems. Companies usually run an intrusion prevention system in a "passive," detect-only mode for two to four weeks, reviewing the alerts it would have acted on, before gradually tightening the threshold at which it blocks suspicious activity, says John Vecchi, senior product marketing manager for McAfee's intrusion prevention products.
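The staged rollout Rein and Vecchi describe (run detect-only, triage the alerts, tune out the noise, then promote only the trustworthy rules to blocking) is easy to turn into a repeatable review step. The script below is an added example written for this page; it is not code from the article, from Juniper or from McAfee. The alert lines, the analyst verdicts, the signature ids and the percentage thresholds are all constructed for illustration, and the output uses Snort-style conventions (an `alert` to `drop` action change, a `threshold.conf` `suppress` line) only as an assumed target format.

```python
"""Staged IDS-to-IPS rollout helper (added example; see lead-in above)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data, standing in for a few weeks of passive-mode alerts that an
# analyst has already triaged: (sid, description, true positives, false positives).
SAMPLE_SPEC = [
    (1000001, "SMB admin-share brute force", 8, 0),
    (1000002, "port scan from backup server (scheduled job)", 0, 40),
    (1000003, "registry write over RPC", 10, 2),
    (1000004, "web shell upload attempt", 2, 0),
    (1000005, "SQL injection in query string", 19, 1),
]


def make_sample_lines(spec=SAMPLE_SPEC):
    """Expand the spec into one alert line per event, in a constructed key=value format:
    '<timestamp> sid=<n> src=<ip> verdict=<TP|FP>'. Real sensors log differently; only
    parse_alerts() would need to change."""
    lines = []
    for sid, _desc, tps, fps in spec:
        events = [("TP", i) for i in range(tps)] + [("FP", i) for i in range(fps)]
        for verdict, i in events:
            day = 1 + i % 28
            src = f"10.0.{sid % 250}.{1 + i % 250}"
            lines.append(f"2005-05-{day:02d}T08:{i % 60:02d}:00 sid={sid} src={src} verdict={verdict}")
    return lines


@dataclass
class SigStats:
    total: int = 0
    true_positives: int = 0
    sources: set = field(default_factory=set)

    @property
    def false_positives(self):
        return self.total - self.true_positives


def parse_alerts(lines):
    """Aggregate triaged alert lines per signature id."""
    stats = defaultdict(SigStats)
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        s = stats[int(fields["sid"])]
        s.total += 1
        if fields["verdict"] == "TP":
            s.true_positives += 1
        s.sources.add(fields["src"])
    return dict(stats)


def decide_actions(stats, min_events=5, max_fp_percent=5, noise_fp_percent=90):
    """Return {sid: 'drop' | 'alert' | 'suppress'}.

    Illustrative policy (an assumption for this example, not a vendor default):
      - fewer than min_events alerts: too little evidence, keep alert-only;
      - false positives at or above noise_fp_percent: the rule is noise here, suppress it;
      - false positives at or below max_fp_percent: promote the rule to blocking;
      - anything in between: keep alerting and keep tuning.
    Integer percentages avoid float rounding at the boundary (1 FP in 20 is exactly 5%).
    """
    actions = {}
    for sid, s in stats.items():
        if s.total < min_events:
            actions[sid] = "alert"
        elif s.false_positives * 100 >= noise_fp_percent * s.total:
            actions[sid] = "suppress"
        elif s.false_positives * 100 <= max_fp_percent * s.total:
            actions[sid] = "drop"
        else:
            actions[sid] = "alert"
    return actions


def render_changes(stats, actions):
    """Emit the resulting sensor changes. Snort-style syntax is assumed as the target:
    promoted rules change their action keyword from 'alert' to 'drop', noisy rules get a
    threshold.conf 'suppress' line; check the syntax against the sensor you actually run."""
    out = []
    for sid in sorted(actions):
        s, action = stats[sid], actions[sid]
        summary = f"{s.total} alerts, {s.false_positives} FP, {len(s.sources)} sources"
        if action == "drop":
            out.append(f"# sid {sid}: change rule action 'alert' -> 'drop'  ({summary})")
        elif action == "suppress":
            out.append(f"suppress gen_id 1, sig_id {sid}  # {summary}")
        else:
            out.append(f"# sid {sid}: keep alert-only, review again next window  ({summary})")
    return out


if __name__ == "__main__":
    stats = parse_alerts(make_sample_lines())
    for line in render_changes(stats, decide_actions(stats)):
        print(line)
```

Two design points matter more than the numbers. First, the decision is per signature, not global: a rule that is pure noise on one network (the backup server's scheduled scan here) is suppressed rather than left to train analysts to ignore the console, which is the 400-alarms-a-day problem Rein describes. Second, promotion to blocking requires both enough events and a low confirmed false-positive rate, so a rule with two hits, however alarming, stays in alert mode until the next review window; raising `min_events` or lowering `max_fp_percent` is how you "gradually raise the threshold" rather than flipping everything to block at once.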