Get Your Shields Up!

As viruses, worms, and hackers continue to plague business-technology systems, companies are turning to new technologies to avert attacks.

October 11, 2004


Though many companies now use antivirus software, intrusion-detection systems, and firewalls, hackers and worms still infiltrate business-technology systems and cause serious damage. Attacks such as Blaster, MyDoom, and Witty cost businesses more than $10 billion annually.

To combat the growing problem, security professionals are in search of better protection. They need more-intelligent shields that can fend off new attacks as they happen, rather than relying on signatures--byte patterns of known attacks used to spot and block them--that security vendors publish only after attacks are under way.

Intrusion-prevention systems may be the protection companies are looking for. Unlike conventional antivirus, firewall, and intrusion-detection systems, these proactive tools are designed to protect vulnerable computers and thwart unforeseen attack methods.


"Intrusion-prevention systems have a learning capability, and these engines are more intelligent and better able to identify and stop attacks," says Michael Assante, VP and chief security officer at energy producer and distributor American Electric Power Co.

That's important, because attacks are getting too fast for reactive security tools. Consider this: When the SQL Slammer worm hit the Internet in January 2003, it attacked a 6-month-old vulnerability in Microsoft SQL Server. But in March of this year, the Witty worm struck a buffer-overflow vulnerability in various Internet Security Systems Inc. products only one day after the flaw was disclosed. Security professionals are even more concerned about so-called "zero-day" attacks, those against software vulnerabilities that have no patches or defensive signatures because they haven't yet been publicly disclosed.

There are primarily two types of intrusion-prevention systems: host-based, which protect individual systems such as servers and PCs, and network-based, which inspect traffic and block attacks in transit. Intrusion-prevention systems often use traditional attack signatures, which match the bytes of a specific exploit that has already been seen, and also vulnerability signatures, which describe the condition that triggers a known software flaw (an overlong field, for example) so that any exploit aimed at that flaw is caught, not just the one already known. Many intrusion-prevention systems can also learn normal application and network behavior so they can block activity that departs from it, such as a file trying to infect the operating system or a worm attempting to wiggle through an application vulnerability and launch a buffer overflow.

American Electric's Assante has been using the intrusion-prevention features in Internet Security Systems' Proventia appliances for a year to protect key segments of the company's network. The technology works much like a traditional intrusion-detection system, he says, but its blocking capabilities are better. The software automatically shuts down anomalous activity and will terminate the connection from any attacking IP address, he says.

Intrusion prevention has "saved me from a lot of headaches," says Glenn Swanson, chief operating officer of Daniels Trading, a division of securities company Refco LLC. The commodities brokerage installed Stormwatch from Okena (acquired by Cisco Systems in January 2003; Cisco renamed the software Cisco Security Agent) to protect its 30-plus desktops from viruses, worms, and other attacks.

Before the firm installed Cisco Security Agent, it was tough keeping those systems secure, Swanson says. No matter how often he warned users about new viruses and advised them not to open attachments, they inevitably would. "You can tell them all of the things you want, and they'll still do the wrong things. They'll open an attachment and blow their systems up," he says. "Literally every week, one guy would blow up and then another guy would blow up." Those all-too-frequent system blowups required two part-time system administrators constantly working to get the systems running again.

The company still uses its antivirus software to block bugs already discovered. But the Cisco Security Agent is "an added layer of defense for us," Swanson says.

Intrusion-prevention systems are not entirely new. About five years ago, startups such as Entercept, Intruvert, Okena, and OneSecure all launched first-generation systems, and larger security vendors quickly acquired these companies.

Now the market is crowded with vendors, such as Check Point Software Technologies, Cisco, Internet Security Systems, Juniper, McAfee, and Symantec, that have already incorporated intrusion-prevention capabilities into their firewalls, antivirus apps, and intrusion-detection systems, or are beginning to do so. There are also a number of smaller startups, including Determina, Platform Logic, Sana Security, and TippingPoint, that provide gear with various types of intrusion-prevention capabilities for PCs and network traffic.

Typically, an intrusion-prevention system runs in one of two modes. In passive mode, it acts like a conventional intrusion-detection system and sets off alarms when attacks are under way. In prevention mode, it is configured to decide which types of traffic and attacks to block on its own. Prevention mode has some security professionals wary, however, because a false positive--an alert on traffic that isn't really an attack--no longer just pages an administrator; the allegedly bad traffic is dropped automatically. That means legitimate traffic could be blocked.

"I've had customers tell me that if 1% of legitimate traffic is blocked that we could come back and pick up our box," says Parveen Jain, executive VP of marketing and strategy at McAfee.
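The two distinctions above (attack signatures versus vulnerability signatures, and passive versus prevention mode) and the blocked-legitimate-traffic figure McAfee's customers set as a ceiling can be shown on a handful of constructed messages. The following is an added example written for this page; it is not code from the article or from any vendor it names. The wire protocol (`LOGIN <user> <pass>` and `UPLOAD <data>`), the 64-byte buffer, the exploit bytes and the traffic sample are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical server: it copies the username of a "LOGIN <user> <pass>" message
# into a fixed 64-byte buffer without a length check. "UPLOAD <data>" messages
# carry arbitrary binary and are not affected by the flaw.
VULNERABLE_BUFFER = 64

# Attack signature: bytes lifted from one specific (hypothetical) exploit seen
# in the wild, an 8-byte NOP sled followed somewhere later by int3 padding.
EXPLOIT_SIGNATURE = re.compile(rb"\x90{8}.*\xcc\xcc", re.DOTALL)


def parse_message(payload: bytes):
    """Split a toy wire message into (verb, fields); unknown verbs give (None, [])."""
    verb, _, rest = payload.rstrip(b"\n").partition(b" ")
    if verb == b"LOGIN":
        return verb, rest.split(b" ", 1)
    if verb == b"UPLOAD":
        return verb, [rest]
    return None, []


def matches_exploit_signature(payload: bytes) -> bool:
    """Attack signature: fires only when the known exploit's bytes are present."""
    return EXPLOIT_SIGNATURE.search(payload) is not None


def violates_vulnerability_condition(payload: bytes) -> bool:
    """Vulnerability signature: fires when the message would trigger the flaw
    (username longer than the buffer), whatever bytes the attacker chose."""
    verb, fields = parse_message(payload)
    return verb == b"LOGIN" and bool(fields) and len(fields[0]) > VULNERABLE_BUFFER


@dataclass(frozen=True)
class Verdict:
    alerted: bool
    blocked: bool
    reason: Optional[str]


class Sensor:
    """passive: alert only, like an IDS.  prevention: alert and drop the message."""

    def __init__(self, mode: str):
        if mode not in ("passive", "prevention"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode

    def inspect(self, payload: bytes) -> Verdict:
        reason = None
        if matches_exploit_signature(payload):
            reason = "exploit-signature"
        elif violates_vulnerability_condition(payload):
            reason = "vulnerability-signature"
        alerted = reason is not None
        return Verdict(alerted, alerted and self.mode == "prevention", reason)


# Constructed traffic sample: (label, payload, is_attack).
TRAFFIC = [
    ("ordinary login", b"LOGIN alice hunter2\n", False),
    # The exploit the attack signature was written from.
    ("known exploit", b"LOGIN " + b"A" * 70 + b"\x90" * 8 + b"\x31\xc0\xcc\xcc" + b" x\n", True),
    # Same flaw, different bytes: no NOP sled, no int3 padding.
    ("rewritten exploit", b"LOGIN " + b"B" * 80 + b"\xeb\x0e\x31\xc0" + b" x\n", True),
    # Legitimate binary upload that happens to contain sled-like padding.
    ("firmware upload", b"UPLOAD \x7fELF" + b"\x90" * 8 + b"\xcc\xcc" + b"\x00" * 4 + b"\n", False),
    # Long, but in a field the vulnerable copy never touches.
    ("long but harmless password", b"LOGIN bob " + b"p" * 200 + b"\n", False),
]


def evaluate(mode: str, traffic=TRAFFIC) -> dict:
    """Run the sample through one sensor and summarise catches vs. collateral damage."""
    sensor = Sensor(mode)
    rows = [(label, is_attack, sensor.inspect(payload)) for label, payload, is_attack in traffic]
    attacks = [v for _, is_attack, v in rows if is_attack]
    legit = [v for _, is_attack, v in rows if not is_attack]
    return {
        "verdicts": {label: v for label, _, v in rows},
        "attacks_alerted": sum(v.alerted for v in attacks),
        "attacks_blocked": sum(v.blocked for v in attacks),
        # The number McAfee's customers cap at 1%: legitimate traffic dropped.
        "legit_blocked_fraction": sum(v.blocked for v in legit) / len(legit),
    }


if __name__ == "__main__":
    for mode in ("passive", "prevention"):
        result = evaluate(mode)
        print(f"{mode}: {result['attacks_alerted']} attacks alerted, "
              f"{result['attacks_blocked']} blocked, "
              f"{result['legit_blocked_fraction']:.0%} of legitimate traffic blocked")
        for label, verdict in result["verdicts"].items():
            print(f"  {label:28s} {verdict}")
```

The rewritten exploit slips past the attack signature and is caught only by the vulnerability rule, which is the point of vulnerability signatures. The firmware upload is the other side of the coin: the sled heuristic fires on benign bytes, which in passive mode costs an analyst a look and in prevention mode drops a legitimate transfer. With one of three legitimate messages blocked, this toy sensor would fail the 1% bar the quote describes, which is why tuning in passive mode before switching on blocking is the usual practice.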


The fact that intrusion-prevention systems might block legitimate traffic doesn't faze Chris Schuler, director of the security operations center with the U.S. Army Reserve Command. The command uses intrusion-prevention systems from McAfee to protect its critical networks and servers.

It took about three months for McAfee's Intruvert network intrusion-prevention system to learn the normal behavior of the command's network and more actively block attacks. "When security alerts [are sent out], we know what anomalies they're referring to and we can make better decisions," Schuler says. The U.S. Army Reserve Command has McAfee's intrusion-prevention systems deployed at key locations, including its data centers, he adds.

The Philadelphia Stock Exchange Inc. is using intrusion-prevention software from V-Secure Technologies Inc. as an electronic watchdog to keep its growing number of Web applications safe. "It's the first thing Web-site visitors encounter," says Bill Morgan, CIO at the stock exchange. "It helps to make sure there are no unauthorized accesses, that nothing out of line gets through." The V-100 protects the stock exchange's systems from denial-of-service attacks and IP-spoofing attacks. It also can block attacking Internet addresses and enforce rules that determine which users can access which applications.

For many, intrusion-prevention systems are a necessary tool in the fight against growing threats and attacks, and the technology has proven its mettle. "We've only had one machine get hit since we've bought this," says Daniels Trading's Swanson. "That's because we didn't install it on that system."
