By Brian P. Watson
December 12, 2006
Maybe Gartner was right. Back in 2003, the research firm predicted that
standalone intrusion detection tools, which monitor network traffic and
alert administrators to anything out of the ordinary, would be obsolete
by the end of 2005.
Gartner said organizations would turn to a layered approach, using
software and appliances that not only spot viruses, worms and hacker
attacks, but also block them. Technology managers are also deploying
anomaly-based monitoring tools, which sample normal network behavior and
react to unusual activity.
But that's not to say intrusion detection technologies alone haven't
proved their mettle.
"Any company that takes its security seriously should run an [intrusion
detection system] at the bare minimum," says Michael Morgan, network
security administrator with The Bankers Bank, an Atlanta firm that
services community institutions. "You need to know what's going on with
For Bankers Bank, intrusion detection was a necessity. Businesses like
MasterCard and Visa mandated that their partners invest in security
tools, as did government and industry regulators.
In late 2005, Morgan and his team moved to a third-party intrusion
detection system. For two years, the firm used a homegrown solution, but
Morgan wanted better reporting to prove its worth to senior executives.
As he explains it, Bankers Bank needed to produce reports that showed
records, such as what kind of attacks took place, how often and how they
were controlled, to pass audits required by partners and regulators.
Morgan opted for Sourcefire's intrusion detection software, built on the
open source Snort engine, along with its Real-Time Network Awareness
sensor, citing the products' "outstanding" reporting capabilities. He
receives real-time alerts on his BlackBerry and daily summaries each
morning, while supervisors receive weekly reports. On top of spotting
intrusions, Morgan says the firm customized the Sourcefire system to
detect and block harmful traffic like malware or Internet Relay Chat
Morgan hasn't quantified the return on his total investment of around
$70,000, but says that without it, Bankers Bank would never have passed
the audits, which could have led to regulatory fines or loss of business
Intrusion detection tools monitor the packets of data coming through a
corporate network. Some of that traffic carries threats such as viruses,
worms, spyware or spam that can jeopardize a company's ability to
operate and to guard customer and partner information.
Intrusion detection software contains signatures, definitions of common
computer network attacks, that identify unwanted traffic, log the
intrusion into a management system or database for aggregation, and
alert network administrators to the event. Intrusion prevention goes one
step further: It spots, logs and sends alerts about the intrusion, but
also pulls it out of incoming traffic, thwarting its entry into the
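As an added example (not code from the article, from Sourcefire, from ISS or from any other product named here), the following Python script models that distinction with a toy signature engine. The same signatures run once in passive mode, where every match is only logged and alerted on, and once in inline mode, where a matching "drop" signature removes the packet before it reaches the protected host. The signatures, SIDs, addresses and packets are all constructed for illustration and are far simpler than a real rule language.

```python
"""Toy signature-based sensor in detection (IDS) and prevention (IPS) mode.

Added example; not code from any product on the page. Signatures, SIDs,
addresses and traffic are constructed and heavily simplified.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int              # constructed identifier, not a real Snort SID
    msg: str
    dport: Optional[int]  # None means any destination port
    content: bytes        # byte pattern that must appear in the payload
    action: str           # "alert": detect only; "drop": detect and block


@dataclass(frozen=True)
class Event:
    sid: int
    msg: str
    src: str
    dst: str
    blocked: bool


class Sensor:
    """inline=False: passive IDS, logs and alerts but delivers every packet.
    inline=True: IPS in the traffic path, a 'drop' match never reaches the host."""

    def __init__(self, signatures: List[Signature], inline: bool) -> None:
        self.signatures = signatures
        self.inline = inline
        self.events: List[Event] = []      # stands in for the management database
        self.delivered: List[Packet] = []  # packets that reached the protected host

    def match(self, pkt: Packet) -> Optional[Signature]:
        for sig in self.signatures:
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if sig.content in pkt.payload:
                return sig  # first matching signature wins
        return None

    def process(self, pkt: Packet) -> Optional[Event]:
        sig = self.match(pkt)
        if sig is None:
            self.delivered.append(pkt)
            return None
        blocked = self.inline and sig.action == "drop"
        ev = Event(sig.sid, sig.msg, pkt.src, pkt.dst, blocked)
        self.events.append(ev)  # log for aggregation and later reporting
        if not blocked:
            self.delivered.append(pkt)  # a passive sensor can only bark
        return ev


# Constructed signatures modelled on the kinds of traffic the article mentions.
SIGNATURES = [
    Signature(1000001, "WEB-IIS Code Red style request", 80, b"/default.ida?", "drop"),
    Signature(1000002, "IRC client registration", 6667, b"NICK ", "drop"),
    Signature(1000003, "Cleartext FTP password", 21, b"PASS ", "alert"),
]

# Constructed traffic: one benign request, two attacks, one policy violation.
TRAFFIC = [
    Packet("10.0.0.5", "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("203.0.113.7", "192.168.1.10", 80, b"GET /default.ida?" + b"N" * 64 + b" HTTP/1.0\r\n"),
    Packet("192.168.1.22", "198.51.100.9", 6667, b"NICK bot4711\r\nUSER x x x :x\r\n"),
    Packet("192.168.1.30", "192.168.1.40", 21, b"USER alice\r\nPASS hunter2\r\n"),
]


def run_sensor(inline: bool) -> Sensor:
    """Replay the constructed traffic through one sensor and return it."""
    sensor = Sensor(SIGNATURES, inline)
    for pkt in TRAFFIC:
        sensor.process(pkt)
    return sensor


def summary(sensor: Sensor) -> str:
    """Daily-summary style report of what the sensor saw and did."""
    mode = "IPS (inline)" if sensor.inline else "IDS (passive)"
    lines = [f"{mode}: {len(sensor.events)} events, {len(sensor.delivered)} packets delivered"]
    for ev in sensor.events:
        verb = "DROPPED" if ev.blocked else "ALERTED"
        lines.append(f"  [{ev.sid}] {verb} {ev.src} -> {ev.dst}: {ev.msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(run_sensor(inline=False)))
    print(summary(run_sensor(inline=True)))
```

Run stand-alone, the passive sensor reports three events and delivers all four packets, while the inline sensor drops the two "drop" matches and still only alerts on the FTP password, which is the per-signature choice a real deployment tunes after a burn-in period in alert-only mode.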
Down the road from Bankers Bank, Fred Vignes, information security
director for Zoo Atlanta, set up an intrusion detection system that paid
for itself in a matter of weeks.
Protecting networks, Vignes says, meant protecting the zoo's business.
Consumers can book tickets to the zoo, buy merchandise and make
donations over the corporate network; in season, vendors sell up to
$8,000 in food per day over a wireless network. "If they're not
working," Vignes says of his networks, "we're not selling."
Choosing the tools was less of an ordeal, though. Rather than run a long
evaluation process, Vignes last year turned to
Atlanta-based Internet Security Systems (recently acquired by IBM) and
its Proventia M30 appliance, which recognizes and blocks more than 1,000
According to Vignes, the vendor offered Zoo Atlanta the boxes for less
than $10,000 in exchange for live product testing on his networks.
Vignes says attacks weren't common on the zoo's networks, but that worms
like Code Red and viruses had forced him to shut them down for two full
days. Since deploying the appliance, Vignes says he's been worry-free:
"I have not had a single incidence of anything running loose in here
since it's been turned on."
As technology managers looked to tools that could not only spot but
block threats, vendors like Cisco, Internet Security Systems, Juniper
Networks, Sourcefire and TippingPoint began combining detection and
prevention tools into a single product. (Systems typically range in
price from just under $10,000 to $70,000, depending on licensing,
support and service agreements.) That market, which includes network and
host intrusion tools, along with firewall products, totaled $475.4
million in worldwide sales in 2005, according to IDC.
For some, the combination of the two makes all the difference. "All
[intrusion detection systems] are barking dogs," says Perry Jarvis, who
until early November was network operations manager for the city of
Burbank, Calif., and now works at Extreme Networks. "They don't take any
Until 2003, the city operated its power grid, which supplies electricity
to its population of more than 104,000, via a supervisory control and
data acquisition (SCADA) network, a physically isolated local-area
network that mirrored the grid itself. Since it was isolated, Jarvis and
his team didn't have any intrusions or threats coming in or going out.
That soon changed: To predict how much power would be available for
consumption, the city needed to figure in weather conditions. That meant
Burbank had to tie the SCADA network to the municipal network, which
left the SCADA setup susceptible to attacks.
To handle security threats, Jarvis and his team spent about $100,000 on
a pair of Juniper Networks' NetScreen firewalls and two IDP 100
intrusion detection and prevention appliances to sit behind them. Those
products allowed Jarvis and his team to link the two networks, letting
the SCADA network pull weather reports from the municipal network while
blocking harmful traffic and attacks in real time.
The ability to create and customize signatures was a key selling point,
Jarvis says. But above all, Jarvis prefers the Juniper systems for their
ability to do both: "I like the device saying, 'You don't look right, so
you're not passing through to my systems.'"