Enterprise Security Solutions
'Application level attacks are far more business impacting'
Security solutions are getting more active, and the emphasis is now on detecting and blotting
out attacks before the damage is done. New security solutions such as IDP can
intelligently prevent attacks on intended targets within the enterprise. Paul
Serrano, Senior Director of Marketing, Asia Pacific, NetScreen, explains
how IDP technology can protect the enterprise from current and future attacks.
by Brian Pereira
How does Intrusion Detection and Prevention compare with
Intrusion Detection Systems (IDS) were introduced to detect attacks hidden in
traffic (and inside packets) that were allowed into the network, and to
prevent the attacks from doing damage. But due to the very nature of IDS and
the way it was placed in the network, like a sniffer sitting on the sidelines,
it was plagued by issues such as false alarms, manageability, and the lack of
Previous IDS technology was passive and reported, but did not prevent infection.
Hackers have gone beyond simple denial of service attacks and are using worms,
Trojans, etc at the application level where it is more difficult to detect problems.
Intrusion Detection & Prevention (IDP) is a new, advanced technology in
the network security space, as it is active technology and can drop
the attack before it reaches its intended target.
In fact, according to Gartner (IDS Magic Quadrant Report, 2002), it is forecasted
that by 2005, 75 percent of new IDS deployments will be IPS, while 50 percent
of existing IDS systems will be replaced by IDP.
How can IDP protect you from future/unknown threats?
While it is impossible to completely protect against unknown threats, security
managers can decrease the likelihood of success for some of those threats. Many
attacks are often derivatives of other well-known attacks. The ability to create
wildcards and/or create expressions that detect derivatives of
known threats can often proactively protect your network.
Security Managers can also profile the characteristics of backdoor attacks by
looking for interactive scenarios, which often result in security violations.
As an example, suppose someone is attempting to use an FTP exchange to an application
server that doesn't offer such services, and the exchange is a single
character per packet versus packets filled to capacity. In this case you may
conclude that someone is hiding an interactive session (individual keystrokes)
via a protocol not intended for interactive communication. In other words, sneaking
in via a backdoor to activate a Trojan, or attempting to actively violate the
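The two heuristics described in this answer, as an added example that is not part of the original interview and not NetScreen's own IDP code: a wildcard expression that catches derivatives of a known attack string which an exact-match signature misses, and the keystroke-per-packet backdoor check against a server that does not offer the protocol. The server inventory, addresses, ports, thresholds, sample packets and the traversal request string are all constructed assumptions for the demonstration.

```python
"""Added example, not code from the article or from NetScreen's IDP product: the
two heuristics described in the answer above, run over constructed sample data.

  1. A wildcard expression that catches derivatives of a known attack string
     which an exact-match signature misses.
  2. Backdoor detection: a client talking to a server on a port that server does
     not serve, sending many tiny payloads (about one keystroke per packet), is
     flagged as a probable hidden interactive session.

Every host, port, threshold, packet and attack string here is an assumption
made for the demonstration."""
import re
from collections import defaultdict

# ---- 1. Exact signature versus derivative-aware expression ------------------
# Constructed "known" attack: a classic directory-traversal request line.
KNOWN_ATTACK = "GET /../../etc/passwd HTTP/1.0"

# Wildcard form of the same idea: two or more ".." steps separated by a slash, a
# backslash, or their URL-encoded forms, in any letter case. This illustrates
# the "expression that detects derivatives" approach; it is not a vendor signature.
DERIVATIVE_RE = re.compile(r"(?:\.\.(?:/|\\|%2f|%5c)){2,}", re.IGNORECASE)


def exact_match(request_line: str) -> bool:
    """Signature that only fires on the exact known string."""
    return request_line == KNOWN_ATTACK


def derivative_match(request_line: str) -> bool:
    """Signature that also fires on encoded or backslash variants of the attack."""
    return DERIVATIVE_RE.search(request_line) is not None


# ---- 2. Hidden interactive session over a non-interactive protocol ----------
# Constructed inventory of which TCP ports each server legitimately offers.
OFFERED_SERVICES = {
    "10.0.0.5": {80, 443},  # application server: web only, no FTP
    "10.0.0.9": {21, 80},   # file server: does offer FTP
}


def is_interactive_backdoor(flow, payload_sizes, min_packets=8, tiny=2, tiny_ratio=0.8):
    """flow is (src, dst, dport); payload_sizes are client->server application
    bytes per packet. Returns True when the port is not offered by dst AND most
    data-bearing packets carry only a keystroke or two."""
    src, dst, dport = flow
    if dport in OFFERED_SERVICES.get(dst, set()):
        return False  # service is legitimately offered; out of scope for this heuristic
    data = [s for s in payload_sizes if s > 0]  # ignore pure ACKs
    if len(data) < min_packets:
        return False  # too little evidence to call the session interactive
    tiny_count = sum(1 for s in data if s <= tiny)
    return tiny_count / len(data) >= tiny_ratio


def find_hidden_sessions(packets):
    """Group client->server packets by flow and return the flows that trip the
    heuristic. packets are (src, dst, dport, payload_bytes) tuples."""
    flows = defaultdict(list)
    for src, dst, dport, size in packets:
        flows[(src, dst, dport)].append(size)
    return sorted(f for f, sizes in flows.items() if is_interactive_backdoor(f, sizes))


# Constructed sample traffic (src, dst, dst port, client payload bytes).
SAMPLE_PACKETS = (
    # Legitimate bulk FTP upload to the file server: full-size segments.
    [("192.0.2.10", "10.0.0.9", 21, 1460)] * 10
    # Legitimate web request to the application server: normal-sized packets.
    + [("192.0.2.11", "10.0.0.5", 80, 512), ("192.0.2.11", "10.0.0.5", 80, 340)]
    # Suspicious: "FTP" to the application server, which offers no FTP,
    # one keystroke per packet plus empty ACKs and one 3-byte escape sequence.
    + [("192.0.2.12", "10.0.0.5", 21, 1), ("192.0.2.12", "10.0.0.5", 21, 0)] * 12
    + [("192.0.2.12", "10.0.0.5", 21, 3)]
)

if __name__ == "__main__":
    for line in (KNOWN_ATTACK, "GET /..%2F..%2Fetc/passwd HTTP/1.0", "GET /index.html HTTP/1.0"):
        print(f"{line!r}: exact={exact_match(line)} derivative={derivative_match(line)}")
    print("hidden interactive sessions:", find_hidden_sessions(SAMPLE_PACKETS))
```

The inventory of offered services is what makes the "doesn't offer such services" half of the check work; without it, a small-packet FTP control channel to a real FTP server would look the same. A production sensor would add what this sketch leaves out: inter-arrival timing (human typing has jitter that bulk transfers do not), direction of the tiny packets, and a whitelist for legitimately chatty protocols.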
Within the hierarchy of enterprise security, where is
IDP is positioned directly behind the firewall and in the line of the data path
(i.e. in-line operational mode), where it performs deeper application layer
detection and prevention. Therefore it provides more than perimeter security.
Can you comment on the integration of NetScreen IDP with
existing (and deployed) security solutions, or network management solutions
from other vendors like Symantec and CA?
Many enterprises are quickly converting from passive-based IDS technology or
functionally inadequate early intrusion prevention systems to proactive detection
and prevention systems (like IDP). The question is often what to do with the
older technology, which still may have depreciation value. Security managers
will often redeploy their passive systems to relatively secure segments of the
network where optimum security is not paramount. Alternatively, some enterprises
choose to initially combine the two technologies to enable a strategy that provides
superior detection and prevention, while at the same time maintaining a more
comprehensive log or history of actual events with the passive system.
Comment on the market opportunity for IDP (worldwide and in India).
The opportunity for IDP technology worldwide is significant. In fact it should
be comparable or greater than that of firewall technology. The reason for this
is that application level attacks are far more business impacting and damaging
than network level attacks (which firewalls are designed to protect against).
Application level attacks can completely take down a company's business and/or
remove extremely sensitive information, which can be misused and certainly cause
a level of mistrust between the holder of the information and its customer.
At the end of the day, security is about the trust between you and your customer,
and every method and opportunity to increase that trust must, and should be
Due to the stage of the market's development, Indian enterprises have the unique opportunity
to learn from the devastating effects that application level attacks have had
on companies in other countries.
Strategies and network architectures in India can often be designed from the
outset with this new level of security in mind, making it easier to deploy and
How effective are integrated security solutions? What
are the pros and cons?
First the pros. Integrated solutions mean fewer devices need to be purchased,
deployed, maintained and upgraded, hence lower TCO. Solutions that offer integrated
security technologies such as firewalls, VPN, IDP, and anti-virus are more secure
in that they provide layered security and protection against network and application
The benefits in ease of configuration and management (i.e. where the integrated
solutions enable the same set of policies to be pushed down and applied across
all security technologies) save significant time in deployment and management,
while minimizing manual errors.
Now the cons. Truly integrated solutions should be "best of breed"
and not "worst of breed" solutions, where the different security technologies
can be logically and technically integrated together to achieve higher levels
of security and efficiencies. Otherwise it will be a "patched together"
pseudo integrated solution where the different security technologies still have
to be managed independently. In addition, they must be "best of breed"
technologies, otherwise any one of the security technologies can be a weak link
or vulnerability in the network.
With integrated solutions the device itself should be designed to handle all
the processing traffic and algorithms without significantly impacting performance.
That is, the device should be hardware based and not software based.
Companies must evaluate their user requirements and security needs while addressing
their specific network environment before deciding to purchase standalone solutions
versus integrated devices. Factors to consider are whether speed/performance
is of paramount importance, level of security required, the amount of IT resources
and manpower at the end user site etc.
What are the unique features of NetScreen's IDP solution?
The NetScreen-IDP is a unified security appliance that effectively identifies
and stops network attacks through in-line operation, multi-method detection
and centralized rule-based management.
In-line Operation - An active, in-line system placed between the firewall and
the servers. It is able to drop malicious traffic and prevent attacks from impacting
your business and causing security breaches. This placement means attacks cannot
reach victims. NetScreen's Gigabit speed means the system can remain operating
at optimum levels. The NetScreen-IDP also has several active and optional passive
modes for flexible deployment to eliminate the cost and impact of security breaches.
Multi-Method Detection - NetScreen IDP provides eight detection mechanisms (stateful
signatures, protocol anomaly detection, backdoor detection, traffic anomaly
detection, network honeypot, spoof detection, Layer 2 detection and syn flood
detection). This comprehensive combination effectively reduces false positives
and enhances detection accuracy while maximizing attack detection.
Centralized Rule-Based Management - Enables a single policy to control all sensors
across an enterprise, allowing granular control of what traffic to analyze,
what attacks to look for and how to respond. This greatly simplifies management
and gives the system administrator more time for other issues.
Brian Pereira can be reached at firstname.lastname@example.org