Fielding a 'prevent' defense

New security products aim to stop cyberattacks before they inflict damage

If there is one thing the Slammer worm that hit in January proved yet again, it's that once a hostile attack gets past the firewalls and other network security safeguards, there's little anyone can do to stop it from wreaking havoc. Administrators can only observe and analyze the intrusion to improve defenses against future similar attacks — the cyber equivalent of what's known in sports as a prevent defense.

However, a group of security companies, selling what they call intrusion-prevention solutions, say they might have the answer to this part of the puzzle. They claim that their products, sitting inside the firewall or on the host, can detect and nullify suspect traffic before it moves into critical parts of an information technology infrastructure.

If that's true, then those solutions come closer than ever to the Holy Grail of IT security — a way to stop attacks before they happen.

"Prevention has always been a pillar of security and should be a consideration even before detection," said John Dias, a security analyst for the Energy Department's Computer Incident Advisory Capability.

But vendors with intrusion-prevention solutions still have a ways to go to win over a skeptical audience of security professionals.

Dias believes true prevention can only happen by applying security at every layer of the IT infrastructure. "If you hand me a box and call it intrusion prevention, I'll tell you outright it's not," he said.

Actual intrusion prevention happens where there is real-time response and remediation of systems while an attack is happening, or even before it happens, according to Ron Moritz, senior vice president for Computer Associates International Inc.'s eTrust solutions group. The technology to do that will take at least another three to five years to develop.

"What they are calling intrusion prevention today is really just classic access management technology and is about locking down systems so that people who are trying to get in illegally can't," Moritz said.

The current buzz over what is being called intrusion prevention is, he thinks, more a case of market spin by vendors helped along to some degree by recent breathless pronouncements by analysts.

There is some strong backing for this apparent new breed of products. Richard Stiennon, research director for network security at Gartner Inc., recently compared them to older intrusion-detection system technology, which he said was based on the belief that the number of security vulnerabilities and hackers is too daunting. So organizations have basically thrown up their hands and resigned themselves to just monitoring activity rather than attempting to block attacks.

With intrusion-prevention systems, however, he said that "it is now possible to relegate this theory to the same dustbin that contains client/servers, banner ads and pet rocks." He went so far as to recommend that organizations delay purchases of intrusion-detection systems while they investigate the potential of newer intrusion-prevention systems.

Joel Snyder, a senior partner with Opus One, a Tucson, Ariz.-based consulting and IT firm, is also enthusiastic about some of the new systems, although he makes a distinction depending on how you look at intrusion prevention.

Those products that are based on what he calls a "weak" definition of intrusion prevention work in near real time to isolate systems under attack, or block someone from striking again once an attack method has been detected and analyzed. That means the state of the network is changed only after the initial attack has ended, and this is what most vendors call intrusion prevention, he said.

On the other hand, a "strong" definition refers to true prevention and not just reaction. That requires that the intrusion-prevention system be an in-line device that can physically handle the data packets and determine directly if they are suspicious and can therefore be dropped, he said.

But the in-line requirement is one of the biggest potential problems with these systems.

"Anything that describes itself as an in-line device will set alarm bells ringing in the minds of network administrators, because to them, it's just one more thing that can fail," Snyder said.

For that reason, he thinks intrusion-prevention capabilities should be inserted into network equipment, such as switches, that is already commonplace, so that administrators don't have to deal with an additional component.

Okena Inc.'s StormWatch, for example, is a host-based software solution that bases its decision to intervene during possible attacks on the way that applications are expected to behave, or in this case on likely deviations from known and expected behavior. That's the only approach you can take if you want to stop new and unknown methods of attack, said Tom Turner, the company's vice president of marketing.

"There are thousands of different ways that attacks can arrive at a computer or server, but once [the attack] is actually at the machine, they all tend to try and do the same things," Turner said. "We focus on recognizing those kinds of behaviors and stopping them in real time. It's a lot easier to do it that way than by keeping huge catalogs of all previous known attacks."

The solution works by intercepting operating system calls that are made by the applications running on machines. Knowing how the application is supposed to run, and how attacks behave, StormWatch can block those calls that would interfere with applications' operations.
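The following is an added illustration of the behavior-based approach described above; it is not Okena's StormWatch code. It assumes a per-application profile of the operating system calls an application is expected to make (the profile format, the application name "httpd", the call names and the sample event log are all constructed), and blocks any call that falls outside that profile, including a web server writing to its own document root, which is the kind of deviation a defacement would produce.

```python
"""Behavior-based interception of operating-system calls (added example).

Constructed profile format: each application maps to a list of
(call, target-pattern) pairs describing its expected behavior. Any call
not covered by a pair is treated as a deviation and blocked.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class CallEvent:
    app: str     # application that issued the call
    call: str    # operating-system call being attempted (constructed names)
    target: str  # file path, program or socket the call operates on


# Constructed profile for a web server: read its content and config,
# append to its own logs, listen on its service ports, nothing else.
PROFILES = {
    "httpd": [
        ("open_read", "/var/www/*"),
        ("open_read", "/etc/httpd/*"),
        ("open_write", "/var/log/httpd/*"),
        ("net_listen", "tcp:80"),
        ("net_listen", "tcp:443"),
    ],
}


def decide(event, profiles=PROFILES):
    """Return 'allow' if the call matches the app's expected behavior, else 'deny'."""
    rules = profiles.get(event.app)
    if rules is None:
        return "deny"  # no profile means no known-good behavior to compare against
    for call, pattern in rules:
        if call == event.call and fnmatch(event.target, pattern):
            return "allow"
    return "deny"


def enforce(events, profiles=PROFILES):
    """Evaluate a sequence of call events; return the ones that were blocked."""
    return [ev for ev in events if decide(ev, profiles) == "deny"]


# Constructed sample of intercepted calls: three normal, three deviations.
SAMPLE_EVENTS = [
    CallEvent("httpd", "open_read", "/var/www/html/index.html"),
    CallEvent("httpd", "net_listen", "tcp:80"),
    CallEvent("httpd", "open_write", "/var/log/httpd/access_log"),
    CallEvent("httpd", "open_write", "/var/www/html/index.html"),  # server rewriting its own pages
    CallEvent("httpd", "exec", "/bin/sh"),                         # web server spawning a shell
    CallEvent("unknownproc", "open_read", "/etc/hosts"),           # process with no profile
]

if __name__ == "__main__":
    for ev in enforce(SAMPLE_EVENTS):
        print("blocked:", ev)
```

Note that no catalog of attacks appears anywhere in the profile: the decision depends only on what the application is supposed to do, which is why the approach can stop a method it has never seen. The cost is that the profile must be accurate, since any legitimate but unlisted behavior is blocked as well.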

Entercept Security Technologies uses a similar approach with its host-based solution. Chad Harrington, Entercept's director of business development, said having agents on the machine itself provides a knowledge level that you can't get with network-based intrusion prevention because you are "right at the scene of the crime" and can better tell what's going on.

"If people have the budget, it would be ideal to employ both types of intrusion prevention, but the fact is you can block a lot of things at the host level that you just can't touch on the network," he said.

Arlington County, Va., uses Entercept's products to help protect the county's critical infrastructure, said Vivek Kundra, the county's director of infrastructure technologies. Such technologies as firewalls provide good protection at the perimeter of the enterprise, he said, but once you get into the enterprise, the only way to effectively protect assets is by having intelligent "cops on the beat" that are continually looking for problems and communicating with one another about how to prevent attacks.

"It's proactively preventing intrusions and making decisions about how to protect the enterprise, and that's a level of security we've never had before," he said. "The most recent proof of its effectiveness for us was the fact that we were not touched by the Slammer worm."

Companies such as Top Layer Networks and TippingPoint Technologies Inc., on the other hand, use hardware that is installed on the network and operates at multigigabit/sec speeds to read the network traffic as it passes by.

Top Layer's Attack Mitigator identifies and blocks the most prevalent types of attacks, such as HTTP worms, denial-of-service, IP spoofing and flood attacks. Meanwhile, TippingPoint's UnityOne product and Threat Suppression Engine run thousands of specialized algorithms in parallel to identify hostile traffic that doesn't correspond to the expected behavior of normal network traffic or applications.

To that extent, these devices act somewhat like firewalls, although in this case the idea is to pick out traffic that appears to be hostile and drop it or somehow isolate it, rather than just block traffic that doesn't conform to set policies and rules.

The near real-time speeds of these devices are as vital as their ability to pick out the hostile traffic, according to John McHale, chairman and chief executive officer of TippingPoint, because network administrators won't downgrade the performance of their networks to introduce intrusion prevention.

"TCP/IP efficiencies these days call for network latencies of no more than three milliseconds," he said. "So intrusion prevention must first and foremost be about high-speed networking."

If intrusion prevention is characterized as a more aggressive response to intrusions than normal security procedures allow, then Joel McFarland, manager of Cisco's intrusion-detection system solution line, would agree that his company has had that capability for some time. However, he said that kind of response currently only has a 10 percent to 15 percent market acceptance.

"Customers do believe in the concept of stopping attacks this way, but they don't yet believe the accuracy of the devices and solutions is good enough that they can give themselves over completely to them," he said.

Cisco's approach to the problem is one of deciding the relevance of a particular attack to a customer, McFarland said. It is a way to make intrusion-detection solutions, which have been adopted widely, more useful.

The problem with an intrusion-detection system is that it will flag everything that looks like an attack on a network, whether or not it is relevant to that network's operation. This can swamp administrators with volumes of false-positive alerts that take time and resources to sift through and understand.

Administrators can reduce the false alarms by constantly tuning intrusion-detection devices, which takes time. As a consequence, intrusion detection is widely viewed as an underperforming security technology (see "Prevention vendors try to shed bad rap").

Cisco will soon release technology that will identify and qualify the relevance of an attack and be able to autonomously provide a highly accurate response, McFarland said.

Okena's technology will likely provide some of those capabilities, since Cisco announced in January that it is buying that company. Cisco's implementation of the technology will be integrated into its security management software for its existing firewall, intrusion-detection system and virtual private network deployments. The deal is expected to close in the second quarter of 2003, and Cisco products that include the Okena technology will begin shipping shortly after.

The relevance approach makes a lot of sense to DOE's Dias. If you can just take a modest goal, such as preventing most of the Web site defacements, that represents a huge saving in time and costs for DOE, he said.

So Dias said he is exploring solutions from companies, such as NetContinuum Inc., that are aimed more at content filtering at the network application layer. This allows generic rules to be written that can be applied to a whole class of attacks for a particular kind of vulnerability, he said. For example, it can be used to block as many as 70 percent of general referral attacks that are made on the department's network.

Rather than apply specific solutions such as intrusion protection, his organization is trying to take more of an architectural approach to security.

"We're trying to see what relevance certain things have for us and where we can automate our responses," Dias said. "We're hoping that will let us at least start to come up for air."

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com.