Intrusion Detection: The Guard Inside the Gate

By Lynn Haber | Oct 30, 2000 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/624751/Intrusion-Detection-The-Guard-Inside-the-Gate.htm

Security is critical for the operation of an extensive network infrastructure, especially for any company with an e-business strategy. That's why an intrusion detection system (IDS) is a key component of the security architecture at Twentieth Century Fox (TCF), in Los Angeles. According to Jeff Uslan, associate director information protection and security at TCF, companies that don't invest in IDS are playing Russian roulette.

Sooner or later companies are going to get hit. When it will happen depends on the size of the environment and how active users are, he says.

IDS Complements a Firewall

Although a firewall may be the equivalent of putting a lock on the front door, once in a while illegitimate users get past the front door. When they do, IDS provides the next layer of securitythe real-time identification of threats as they occur on the network. IDS is a technology designed to complement the firewall.

Responsible for IT security for tens of thousands of employees, Ulsan knows better than to take chances. TCF is one of 48 companies owned by The News Corp., Ltd., in New York, which employs 45,000 to 50,000 people worldwide. His responsibility for IT security extends to all News Corp. employees. In the business of entertainment, TCF, part of the Fox Filmed Entertainment group, provides all of its employees with Web access and serves up two Web sites, as well.

As more corporations open their information stores to the world, vulnerability to security attacks increases. Why? Because as businesses offer their services electronically over the Internet, they willingly invite outsiders to initiate actions on their networks.

Companies like TCF know there's no silver bullet solution for security. Instead, a robust security architecture is made up of a weave of multiple comprehensive security solutionsantivirus software, authentication and encryption products, firewalls, security assessment software, and IDS.

"A robust security architecture is made up of a weave of multiple comprehensive security solutionsantivirus software, authentication and encryption products, firewalls, security assessment software, and IDS."
The truth of the matter is that the Internet has been a wake-up call for the need for a new generation of IT security. Internet technology has expanded the network both inside and outside the corporation and upped the ante for security risks. And, much is at stake.

Layers of Security

Many companies are vigilant about bolstering their IT security architecture. After all, who wants to be tomorrow's headline news? According to industry figures, firewall technology, which has been around for about a decade, has achieved about a 70% penetration rate in the marketplace.

Unfortunately, many organizations view firewalls as the great panacea for corporate security woesthey think that if they build a secure wall around the enterprise, it will be safe from attack. Not so, according to Greg Gilliom, CEO at Network Ice Corp., in San Mateo, Calif., who reports this sobering news: 90% of corporations reporting break-ins have firewalls. As e-business security failures attract public attention, intrusion detection is getting the attention of IT managers.

Shipping for about five years, IDS is reaching a point where products are technically mature enough for a larger market, according to market research firm Frost & Sullivan, of San Antonio, Texas. To date, market penetration for IDS is reportedly about 15%.

Initial IDS products simply set off an alarm, says Jason Wright, research analyst at Frost & Sullivan. Newer products have reactive capability as well, or the ability to neutralize an attack.

Where firewalls leave off, IDS steps in. Firewalls focus on entry policy, admissions, and denial of service. By blocking out certain kinds of traffic, firewalls provide organizations a high level of security.

However, although firewalls can check packets, the technology doesn't look inside the packet. Once a user gets inside the front door, firewalls don't protect a company's internal network--an illegitimate user can exploit the vulnerability of operating systems, protocols, or applications.

Providing the next layer of security, IDS identifies threats as they exist in a system. Additionally, IDS solutions classify, determine harm, and react to threats based on security policies and rules.

Twentieth Century's Uslan maintains that although he's concerned about outside hackers, the more important issue is inside problems. What you sell to your manager is security concerns about the internal hacker, the disgruntled employee, the systems administrator who may start doing things to the system so that he can look like a hero, he says.

The Playing Field

Dozens of players in this market space are offering one or both types of IDS products: Network-based solutions and/or host-based solutions. They include: Axent Technologies Inc., of Rockville, Md.; Checkpoint Software Technologies Ltd., in Redwood City, Calif.; Cisco Systems Inc., in San Jose, Calif.; Intrusion.com Inc., in Richardson, Texas; Internet Security Systems Inc. (ISS), in Atlanta, Ga.; Network Flight Recorder Inc., Rockville, Md.; Network Ice of San Mateo, Calif.; and Pilot Network Services, in Alameda, Calif. The market is growing rapidly, as illustrated in Table 1.

Table 1: Intrusion Detection Software Market: Revenue Forecasts (U.S.)

Tom Kinnear, president and CEO of Intrusion.com, explains the difference between network-intrusion detection and host-based intrusion detection. According to Kinnear, the former analyzes traffic flowing between hosts on a network in order to identify break-in attempts. Host-based IDS, on the other hand, monitors activity on each individual machine.

Vendors agree that both types of IDS offer advantages, because they monitor different types of activity. Vendors also contend that the optimal solution is to have both network-based and host-based IDS.

However, not all organizations will purchase both types of IDS products and, in fact, Mark Wood, product manager at ISS, says, There isn't a one-size-fits-all solution in this security area. Instead, he says, customers must understand their security needs and choose vendors accordingly. How a company selects an IDS solution is based on how IT managers respond to questions such as:

  • How do you want to manage IDS?

  • What is the structure of the network?

  • What are you trying to protect against?

  • How fast a response to threats are you looking for?

Companies such as ISS offer four types of IDS sensors: network sensors, OS sensors, IDS appliances with network sensors, and server sensors. Customers can put together mix-and-match solutions. (A sensor is a piece of software that monitors a data source and has built-in IDS knowledge and response capability.)

Our goal is to let customers pick and choose the solution according to their business needs, says Wood.

Josh Senzer, network security administrator for Intellispace, a New York City-based ISP, founded under the name U.S. Cybersites in 1995, agrees that companies need to take an inventory of their network and business needs when assessing security solutions. Implementing an IDS solution takes careful planning that requires an intimate knowledge of the network, he says. The company currently covers the East Coast, but by next year expects to service 22 markets as far west as Los Angeles and as far east as Paris.

The company recently got its feet wet with IDS and hopes to have a complete enterprise implementation by next February. The ISP had a list of product criteria when it went shopping for an IDS solution, according to Senzer. For example, the solution had to be Unix-based, customizable, and have basic code so that the company could program the back end to do whatever type of monitoring it desired, and it had to accommodate a high-speed network.

Initially, the IDS implementation at Intellispace will be network-based, but Senzer doesn't rule out host-based IDS in remote offices down the road.

To date, the ISP is testing IDS for its own internal use using a product from Network Flight Recorder. Intellispace does not offer IDS as a service to customers. The company does IDS filtering for generic, or textbook, types of attacks. In the future, it expects to do more specific filtering. We're investing in IDS because we believe it helps create a safer, more secure network environment for us and our customers, he says.

Software vs. Appliances

Another consideration when shopping for an IDS product is whether to choose a software solution or an appliance. Software is the most prevalent type of IDS product in the market today; however, a number of vendors are beginning to offer IDS appliances. Simply stated, software tends to be more complex but more configurable. An appliance is designed more as a plug-and-play solution.

Choosing one or the other depends on a company's needs. Appliances tend to be more powerful because they have greater processing capability, can watch more traffic and report faster, says Wright. However, he adds that appliances always need to be upgraded.

Axent, a vendor of both firewall and IDS software products, plans to introduce an IDS appliance by year-end. The company already offers both host-based and network-based IDS. The IDS appliance is a preloaded device that requires little configuration and little security expertise, says Gaurang Shah, senior product marketing manager at Axent. In an enterprise environment, the IDS appliance can be configured and shipped to a remote location where an office manager can plug it in.

IDS Services

Shoppers in the market for IDS can also consider purchasing IDS as a service. In the same way that ISPs outsource firewall security, many outsource IDS, as well. Pilot Network Services is an example of an outsource provider offering firewall, IDS, and host-protection services.

Companies of all sizes turn to managed services providers for IDS and other security services. We provide a basic service to companies and can plug in other security options, as well, says Jim Ransome, vice president of security operations and services. The company reportedly watches over 75,000 networks and sees 70 million attempts to violate security on a monthly basis. About 5,000 of those incidents are actual attacks, a 240% increase from just two years ago, he says.

Tallying the Tab

As any vendor will tell you, the cost to implement IDS depends on the size and complexity of a network; larger, more complex networks demand more investment, and smaller, less complex networks cost less. The bottom line, however, is that IDS isn't cheap. Total cost of ownership figures include product costs, implementation and configuration costs, and ongoing monitoring costs. Like many security tools, IDS requires network administrators with knowledge about security.

According to Frost & Sullivan's Wright, the average selling price for an IDS main engine is about $8,000. Coverage for additional servers costs about $1,000 each and desktop monitors run about $100 each.

ISS' Wood says the following about IDS cost: To get started, the range of the company's sensors runs from $750 to $15,000, with pricing adjusted for quantity. The company's RealSecure product is a distributed system that reports back to a central management console; the console is free. An organization with three servers can buy three OS sensors for about $2,000 versus one network sensor for $9,000.

Axent's NetProwler Enterprise, a network-based IDS solution, costs $10,995, which includes a single manager, console and agent. Axent's host-based IDS product, called Intruder Alert, is priced at $1,995 for the manager and $995 per agent (agents are installed on every machine).

Security outsourcing provider Pilot reports that companies pay $5,000 to $6,000 per month for a basic package of security services that includes IDS.

TCF's Uslan admits that IDS isn't cheap, but questions how long companies can go without it. In order to make his company's IDS investment manageable and saleable to management, his strategy is not to put an engine everywhere, but rather to purchase a number of engines and move them around.

CrossLinks
  • To get a weekly update on the networking world and EarthWeb's networking content, sign up for the CrossNodes Networking Industry Update newsletter. Each issue includes a new article that tells you the latest about the industry, and also provides descriptions and links to all the new Networking & Communications content posted during the last week.

  • Axent Technologies Inc.

  • Checkpoint Software Technologies Ltd.

  • Cisco Systems Inc.

  • Intrusion.com Inc.

  • Internet Security Systems Inc.

  • Network Flight Recorder Inc.

  • Network Ice Corp.

  • Pilot Network Services
  • The locations are only known to a few network staff, he says. Important locations for IDS include the DMZ zone and highly used segments between servers, or on servers that house intellectual property.

    What we can't afford to do [is] have our head in the sand, says Uslan.

    The Bottom Line

    There's no acceptable alternative to making the necessary investments in network security, because e-business raises the stakes for security risks. The consequences range from potential loss of customers to loss of an entire business.

    The key to finding the right IDS security solution for your organization is planning. Take the time to understand your network, the pros and cons of available products and you won't be spending money willy-nilly, says Senzer. //

    Lynn Haber writes on business and information technology from Norwell, Mass.