April 27, 1998 (7:02 AM EDT)

Hacker Stoppers?


By Deborah Kerr

Neal Clift no longer sleeps on the floor of his office. Ten years ago, he slept under his Digital VAX at Leeds University in England, listening for the telltale clicks and hums that signal an intruder on his network. For weeks, a hacker had been shamelessly crashing his machine, deleting files, and reconfiguring controls. Clift tracked the hacker's movements, recorded the keystrokes, and eventually closed up the hacker's entry points.

At the time, pulling late-nighters was the only way to catch a hacker, since poring over system logs could only establish the hacker's patterns after the fact. Now, intrusion-detection technology lets network security managers and administrators catch trespassers without spending the night on the office floor.

Network-based ID systems:
Network Associates' CyberCop
Cisco's NetRanger
Internet Security Systems' RealSecure
Netect's Netective
AbirNet's SessionWall-3
Internet Tools' ID-Trak
MimeStar's SecureNet Pro

Intrusion-detection tools are a $65 million industry that will grow as large as the firewall market, which reached about $255 million in 1997, according to the Hurwitz Group, in Framingham, Mass. Touted as network burglar alarms, intrusion-detection systems are programmed to watch for predefined attack "signatures," or predefined bytecode trails of prespecified hacks. Intrusion-detection systems also send out real-time alerts of suspicious goings-on inside the network.

But don't bet the server farm on intrusion-detection systems yet. They're still new, and their capabilities are limited. No matter what you buy, some portion of the enterprise will be unprotected. Intrusion-detection systems also can break down under certain types of attacks, in some cases even turning on their own networks under the guidance of a truly knowledgeable hacker.

"There's no one tool to solve all the security problems throughout your network," says Jim Patterson, vice president of security and telecommunications at Oppenheimer Funds, in Denver. Oppenheimer, which manages $90 billion in assets, recently spent about $50,000 to install Intruder Alert from Axent Technologies on 20 of its key servers. Even so, Patterson says he still worries about the rest of his network, which is protected by a specially designed firewall.

Providing complete coverage is a key problem for intrusion-detection systems. They can provide either host- or network-based monitoring. Network-based intrusion-detection systems put remote-monitoring-like sensors on the wire that watch for attack signatures in packets coming into the network. But this approach leaves the system vulnerable to internal attack. Host-based systems use intelligent agents on key servers to sift through system logs for known signatures. But this means an attacker has already entered the network and gotten to the servers where the agents are deployed.
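The coverage gap described above, as an added example that is not from the article or from any vendor's product: a sensor that matches payload signatures on one segment and an agent that reads logs only where it is installed. The signatures, threshold, host names, addresses and log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed signatures and threshold, for illustration only.
NET_SIGS = {"passwd-file-request": re.compile(rb"GET \S*/etc/passwd")}
LOGIN_FAIL = re.compile(r"authentication failure.*user=(\S+)")
FAIL_THRESHOLD = 3

def network_sensor(packets, watched_segment="dmz"):
    """Match payload signatures, but only on the one wire the sensor taps."""
    alerts = []
    for pkt in packets:
        if pkt["segment"] != watched_segment:
            continue  # traffic on other segments never reaches the sensor
        for name, sig in NET_SIGS.items():
            if sig.search(pkt["payload"]):
                alerts.append((name, pkt["src"], pkt["dst"]))
    return alerts

def host_agent(host_logs, agent_hosts):
    """Flag repeated login failures, but only on servers that run an agent."""
    alerts = []
    for host, lines in sorted(host_logs.items()):
        if host not in agent_hosts:
            continue  # no agent deployed, so nobody reads this log
        fails = Counter(m.group(1) for line in lines
                        if (m := LOGIN_FAIL.search(line)))
        alerts += [("repeated-login-failure", host, user)
                   for user, n in sorted(fails.items()) if n >= FAIL_THRESHOLD]
    return alerts

# Constructed sample traffic and logs (hypothetical hosts and addresses).
PACKETS = [
    {"segment": "dmz", "src": "203.0.113.9", "dst": "web1",
     "payload": b"GET /../../etc/passwd HTTP/1.0"},
    {"segment": "dmz", "src": "198.51.100.4", "dst": "web1",
     "payload": b"GET /index.html HTTP/1.0"},
    {"segment": "internal", "src": "10.0.5.20", "dst": "files2",
     "payload": b"GET /../../etc/passwd HTTP/1.0"},
]
FAIL_LINE = "Apr 27 03:10:0%d %s login: authentication failure; user=%s"
HOST_LOGS = {
    "db1": [FAIL_LINE % (i, "db1", "root") for i in range(3)],
    "files2": [FAIL_LINE % (i, "files2", "admin") for i in range(4)],
}
AGENT_HOSTS = {"web1", "db1"}  # files2 has no agent

if __name__ == "__main__":
    print("network alerts:", network_sensor(PACKETS))
    print("host alerts:", host_agent(HOST_LOGS, AGENT_HOSTS))
```

The activity against files2 matches both signatures yet raises no alert, because it crosses a segment with no sensor and lands on a server with no agent.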

Not surprisingly, Internet connections are becoming the primary point of network attack. The Net was the source of 54 percent of attacks on networks reported by 520 IS security managers, according to the March 1998 Computer Security Institute/Federal Bureau of Investigation Computer Crimes Survey.



For this reason, many IS departments choose network-based intrusion-detection systems. Typically set up at a switch or router between the Web server and the firewall (commonly referred to as the demilitarized zone), these systems listen to network traffic and send alerts when they read packets containing known attack signatures. Sometimes they take automatic action such as terminating TCP connections.

Network Associates' CyberCop, Cisco's NetRanger (formerly sold by WheelGroup), Internet Security Systems' RealSecure, Netect's Netective, AbirNet's SessionWall-3, Internet Tools' ID-Trak, and MimeStar's SecureNet Pro all take this approach. With some variations, these systems are sold as consoles, along with sensors that are priced separately.

The Money Store, in Union, N.J., uses Network Associates' CyberCop to protect its Internet segment. "With a name like the Money Store, you're going to get hack attempts," says Keith Bowyer, senior network engineer at the Money Store. "We've had quite a few."
