Enterprise Security Solutions

'Application level attacks are far more business impacting'

Security solutions are getting more active and the emphasis is now on detecting and blotting out attacks before the damage is done. New security solutions such as IDP can intelligently prevent attacks on intended targets within the enterprise. Paul Serrano, Senior Director of Marketing, Asia Pacific, NetScreen, explains how IDP technology can protect the enterprise from current and future attacks. by Brian Pereira

How does Intrusion, Detection and Prevention compare with IDS?

Intrusion Detection Systems (IDS) were introduced to detect attacks hidden in traffic (and inside packets), that were allowed into the network—and to prevent the attacks from doing damage. But due to the very nature of IDS and the way it was placed in the network, like a sniffer sitting on the sidelines, it was plagued by issues such as false alarms, manageability, and the lack of prevention capabilities.

Previous IDS technology was passive and reported, but did not prevent ‘infection’. Hackers have gone beyond simple denial of service attacks and are using worms, Trojans, etc at the application level where it is more difficult to detect problems.

Intrusion, Detection & Prevention (IDP) is a new, advanced technology in the network security space, as it is ‘Active’ technology and can ‘drop’ the attack before it reaches its intended target.

In fact, according to Gartner (IDS Magic Quadrant Report, 2002), it is forecasted that by 2005, 75 percent of new IDS deployments will be IPS, while 50 percent of existing IDS systems will be replaced by IDP.

How can IDP protect you from future/unknown threats?

While it is impossible to completely protect against unknown threats, security managers can decrease the likelihood of success for some of those threats. Many attacks are often derivatives of other well-known attacks. The ability to create ‘wild cards’ and/or create expressions that detect derivatives of known threats can often proactively protect your network.

Security Managers can also profile the characteristics of backdoor attacks by looking for interactive scenarios, which often result in security violations. As an example, if someone is attempting to use an FTP exchange to an application server that doesn't offer such services—and if the exchange is a single character per packet versus packets filled to capacity. In this case you may conclude that someone is hiding an interactive session (individual keystrokes) via a protocol not intended for interactive communication. In other words, sneaking in via a backdoor to activate a Trojan, or attempting to actively violate the system.

Within the hierarchy of enterprise security, where is IDP positioned?

IDP is positioned directly behind the firewall and in the line of the data path (i.e. in-line operational mode), where it performs deeper application layer detection and prevention. Therefore it provides more than perimeter security.

Can you comment on the integration of NetScreen IDP with existing (and deployed) security solutions, or network management solutions from other vendors like Symantec and CA?

Many enterprises are quickly converting from passive-based IDS technology or functionally inadequate early intrusion prevention systems to proactive detection and prevention systems (like IDP). The question is often what to do with the older technology, which still may have depreciation value. Security managers will often redeploy their passive systems to relatively secure segments of the network where optimum security is not paramount. Alternatively, some enterprises chose to initially combine the two technologies to enable a strategy that provides superior detection and prevention, while at the same time maintaining a more comprehensive log or history of actual events with the passive system.

Comment on the market opportunity for IDP (worldwide and in India).

The opportunity for IDP technology worldwide is significant. In fact it should be comparable or greater than that of firewall technology. The reason for this is that application level attacks are far more business impacting and damaging than network level attacks (which firewalls are designed to protect against). Application level attacks can completely take down a company's business and/or remove extremely sensitive information, which can be misused and certainly cause a level of mistrust between the holder of the information and its customer. At the end of the day, security is about the trust between you and your customer, and every method and opportunity to increase that trust must, and should be taken.

Due to the stage of its development, Indian enterprises have the unique opportunity to learn from the devastating effects that application level attacks have had on companies in other countries.

Strategies and network architectures in India can often be designed from the outset with this new level of security in mind, making it easier to deploy and manage.

How effective are integrated security solutions? What are the pros and cons?

First the pros. Integrated solutions mean fewer devices need to be purchased, deployed, maintained and upgraded, hence lower TCO. Solutions that offer integrated security technologies such as firewalls, VPN, IDP, and anti-virus are more secure in that they provide layered security and protection against network and application layer attacks.

The benefits in ease of configuration and management—i.e. where the integrated solutions enable the same set of policies to be pushed down and applied across all security technologies—saves significant time in deployment and management, while minimizing manual errors.

Now the cons. Truly integrated solutions should be "best of breed" and not "worst of breed" solutions, where the different security technologies can be logically and technically integrated together to achieve higher levels of security and efficiencies. Otherwise it will be a "patched together" pseudo integrated solution where the different security technologies still have to be managed independently. In addition, they must be "best of breed" technologies, otherwise any one of the security technologies can be a weak link or vulnerability in the network.

With integrated solutions the device itself should be designed to handle all the processing traffic and algorithms without significantly impacting performance. That is, the device should be hardware based and not software based.

Companies must evaluate their user requirements and security needs while addressing their specific network environment before deciding to purchase standalone solutions versus integrated devices. Factors to consider are whether speed/performance is of paramount importance, level of security required, the amount of IT resources and manpower at the end user site etc.

What are the unique features of NetScreen's IDP solution?

The NetScreen-IDP is a unified security appliance that effectively identifies and stops network attacks through in-line operation, multi-method detection and centralized rule-based management.

In-line Operation - An active, in-line system placed between the firewall and the servers. It is able to drop malicious traffic and prevent attacks from impacting your business and causing security breaches. This placement means attacks cannot reach victims. NetScreen's Gigabit speed means the system can remain operating at optimum levels. The NetScreen-IDP also has several active and optional passive modes for flexible deployment to eliminate the cost and impact of security breaches.

Multi-Method Detection - NetScreen IDP provides eight detection mechanisms (stateful signatures, protocol anomaly detection, backdoor detection, traffic anomaly detection, network honeypot, spoof detection, Layer 2 detection and syn flood detection). This comprehensive combination effectively reduces false positives and enhances detection accuracy while maximizing attack detection.

Centralized Rule-Based Management - Enables a single policy to control all sensors across an enterprise, allowing granular control of what traffic to analyze, what attacks to look for and how to respond. This greatly simplifies management and gives the system administrator more time for other issues.

Brian Pereira can be reached at brianp@networkmagazineindia.com