Information security comment from network security company IDsec. Intrusion protection takes the argument for intrusion detection one stage further, by not just discovering attacks on a network, but blocking and preventing them from happening again.
With companies becoming increasingly active on the Internet, the need for intrusion detection and prevention has never been more important. Network security specialist IDsec estimates that an average company may receive anywhere between 10 and 100 attacks on its network per day. In the case of a large corporate selling goods via the Web, the number of attacks could be many more and potentially affect bottom-line profitability. In short, any company with an Internet presence is at risk and having a firewall is simply not enough.
A Growing Problem
When a company connects itself up to the Internet, it is potentially opening up a whole can of worms. Malicious attacks on company networks are more frequent, more effective and more wide-ranging. The ingenuity of hackers has kept pace with Internet development, and hacking has become such a growing area of crime that organisations including Interpol and Scotland Yard now have sections devoted to tackling this escalating problem. The past couple of years have seen a convergence of viruses, worms and spam, so that some attacks very cleverly have several phases. In other words, the way that they infect one system is not necessarily the means they use for onward transmission to the next victim.
The people who carry out these attacks are smart. They know that most companies have firewalls, but this is a challenge to them, not a deterrent. They may spend months building up a picture of a company’s network, such as what ports are open and what external servers and operating systems are being used. All this means that many companies – particularly smaller ones with fewer resources – will not know whether they have been hacked until something goes wrong (and in some cases, not even then: IDsec has had one client where a thriving hacker community was running a dodgy bulletin board on one of the client’s servers without any of the staff being aware of its existence).
A Firewall Is Not Enough
Many companies realise the importance of Internet security, but may have simply installed a firewall and left it at that. However, while there is a definite role for firewalls, they are not sufficient protection in themselves. Firewalls only protect what they can see and, generally, do not have the inbuilt ‘intelligence’ to interrogate data packets thoroughly: they inevitably let through a significant number of packets that really ought to be examined in more depth. If a data packet is from a valid source, bound for a valid destination and aimed at the right port, then the firewall will let it pass. This is the role of firewalls: after all, if they were to spend too much time dwelling on each data packet, then the network would slow down and no-one wants that.
The best security efforts of a company are often undermined by its own staff, who may unwittingly be introducing malicious data from outside the realm of the firewall. Infection of the internal network is one of the biggest problems for companies today. For example, a modem link used by a member of staff to carry out remote work out of hours would not be examined by the network firewall. Similarly, a laptop used by a member of staff at home is not covered by the firewall: IDsec knows of cases where a single laptop infected during an Internet session at home wreaked havoc on the corporate network the next day. And with an increasing number of IP-enabled devices, all feeding back into company networks, the protection that the firewall can offer is challenged even further.
Defining Intrusion Detection and Protection
Intrusion detection systems cannot promise to solve all of a company’s security problems, but they can certainly reduce them, by giving a far better idea of what the outside world is trying to do to the company network. An intrusion detection solution can automatically flag attacks as soon as they happen, rather than a company finding out next time a member of staff remembers to read the firewall logs. This means that companies can react far more quickly to malicious attacks.
New developments in intrusion detection and protection systems give companies of all sizes – whether large or small – access to highly sophisticated defences against the many threats they receive each day.
A new breed of solutions
Intrusion detection has been available for some time, although, until now, not within the reach of many smaller companies, and even larger organisations have not made the most of their intrusion detection investments. The reasons for this are simple: intrusion detection systems have traditionally involved a number of different components, all of which need to be integrated with one another, a task that can be complex.
The net result is that traditional intrusion detection systems have been expensive, and the ongoing cost of ownership and management effort have been high. Many companies have therefore felt overwhelmed at the prospect of intrusion detection and, even if they bought systems, these often ended up as ‘shelfware’ that was never properly used. However, during the past year, the introduction of multifunctional intrusion protection/detection ‘one box’ systems has changed this situation.
Clearly, in order for companies of all sizes to invest in intrusion detection, there is a need for a solution that meets the following criteria:
the ability to detect a range of attacks, but without affecting the speed and performance of normal network operation
straightforward installation and simple on-going management
low entry price and annual cost of ownership
a well-rounded product that covers all the necessary components.
IDsec and intrusion protection/detection
IDsec has extensive experience in selecting, installing and managing intrusion protection/detection systems on behalf of its clients. For large gateways in major corporates, IDsec takes a detailed approach and selects products on a ‘best of breed’ basis. The process includes identifying the need, analysis of requirements and network architecture, designing the intrusion protection system and help with placement of sensors in appropriate locations. IDsec also carries out the basic installation, covering deployment and configuration, connectivity and tuning. IDsec can even help corporates ensure that they have the right people in place to carry out relevant tasks, together with designing appropriate procedures and staff training.
For smaller gateway environments, IDsec usually recommends Proventia solutions from ISS. The Proventia range of solutions are ‘one box’ multifunctional devices that provide small to medium organisations with effective intrusion detection/protection that is simple to install and manage.
For desktop protection, IDsec offers RealSecure Desktop Protector from ISS. This combines a connection-based firewall with an intrusion protection system that analyses all network traffic. This means that as well as rejecting known attacks, the system filters out all suspicious traffic that may well be the first probings of a new and hitherto undocumented exploit or worm.
For further information about intrusion protection and detection, contact IDsec on 020 8861 2001.





