Intrusion-detection tools to stop hackers cold
Any IS professional worth his salt wants to protect his network, and finding early signs of hacking is a good start. Three years ago, there was only a handful of commercial products to do this, but the market for intrusion-detection tools has now become an embarrassment of riches.

There is host-based monitoring software from Centrax, WebTrends, Axent Technologies, Tripwire Security Systems and Internet Security Systems. These packages will send a warning if they detect misuse of protected files, the operating system or a Web server.

There are network-based scanners sold by Netect, Network Associates, Internet Security Systems and Security Dynamics Technologies. These tools probe firewalls and servers for known holes so IS can close them before an attacker finds them. Strictly speaking they are vulnerability scanners rather than intrusion detectors: they find exposures ahead of time rather than spotting an attack in progress. Or you can download free tools, such as the Satan scanner written by Dan Farmer and Wietse Venema, off the 'Net.

Another type of intrusion-detection product guards LANs by inspecting and analyzing packet flows across the network, detecting patterns of connection that indicate an attack. In the packet-peeking crowd are Woodbine, Md., company Network Flight Recorder (NFR) with its product of the same name, Cisco with NetRanger and Network Associates with CyberCop.

Marcus Ranum, NFR president and founder, says the Unix-based NFR product watches up to 18,000 packets per second, analyzing patterns that indicate an attack.

Some packages are going a step beyond detecting intruders by relaying shut-off commands directly to devices such as firewalls without intervention by the network administrator. CyberCop takes this approach by communicating with Network Associates' Gauntlet firewall when it spots hacker activity.

It's getting hard to avoid intrusion-detection tools because these capabilities are being built directly into more and more network gear.

Network-1 Security Solutions' CyberWall distributed firewall, for example, can now look at traffic patterns and report back on problems.

ODS Networks added intrusion-detection capability to its line of high-speed switches. "My idea was, the computers all create audit logs, so let's put that data to work for analysis," says Steve Schall, security product manager at ODS.

Most security experts say we can thank the U.S. Department of Defense and its intelligence agencies for spending huge sums for research that led to this first generation of products.

"Intrusion detection, until two years ago, was toys for geeks," says Bill Hancock, Network-1's chief technology officer.

Catching hackers is tough, and at this point most products work mechanically by matching known patterns of attack against monitored activity; an attack for which no pattern has yet been written goes unnoticed. But this is an inflexible approach, Hancock says.

Industry research is now focused on detecting the "statistical anomaly," the unusual traffic pattern that might reveal new, unknown types of attacks. Alternatively, the heuristic adaptive approach relies on expert systems to come up with new monitoring rules based on network statistics. "This is still all hairy-chested macho stuff," Hancock says. "It's rare and difficult to do."
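The contrast between pattern matching and statistical anomaly detection, and the active-response step described earlier (CyberCop handing a shut-off command to the Gauntlet firewall), can be made concrete with a small script. This is an added example, not code from NFR, CyberCop or any other product in this article. The connection records, the quiet-period "training" data, the two sample signatures (the 1990s phf CGI hole and sendmail's WIZ command, chosen only because they are well-known patterns of the period) and the block-rule syntax are all constructed for illustration.

```python
"""Added example: the two detection styles the article contrasts, plus the
active-response hook it describes, run over a constructed connection log.
Not the code of NFR, CyberCop or any other product named in the article."""
import re
import statistics
from collections import defaultdict

# Constructed records, not real captures: (source_ip, dest_port, payload).
# TRAINING is a quiet period used to learn what normal port fan-out looks like.
TRAINING = [("10.0.0.%d" % i, port, "")
            for i, ports in enumerate(
                [[80], [80], [25, 80], [80], [22, 80], [80], [80], [80, 443, 25]], 1)
            for port in ports]

LIVE = [
    ("10.0.0.2", 80, "GET /index.html HTTP/1.0"),
    ("10.0.0.3", 80, "GET /cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd HTTP/1.0"),
    ("10.0.0.4", 25, "HELO mail.example.com"),
    ("10.0.0.4", 25, "WIZ"),
    ("10.0.0.5", 80, "GET /about.html HTTP/1.0"),
] + [  # one host touching twelve ports with no payload: a port sweep
    ("192.0.2.77", p, "") for p in (21, 22, 23, 25, 53, 79, 80, 110, 111, 139, 143, 513)
]

# Signature rules. The phf CGI bug and sendmail's WIZ command are well-known
# 1990s attack patterns, used here only as sample rules.
SIGNATURES = [
    ("phf-cgi", re.compile(r"^GET /cgi-bin/phf\?")),
    ("sendmail-wiz", re.compile(r"^WIZ\b", re.IGNORECASE)),
]


def signature_hits(records):
    """Mechanical matching: every record against every known pattern.
    The sweep from 192.0.2.77 carries no payload and matches nothing."""
    return [(name, src, port)
            for src, port, payload in records
            for name, rx in SIGNATURES if rx.search(payload)]


def distinct_ports(records):
    """Number of distinct destination ports each source touched."""
    seen = defaultdict(set)
    for src, port, _ in records:
        seen[src].add(port)
    return {src: len(ports) for src, ports in seen.items()}


def build_profile(training):
    """Learn mean and standard deviation of per-source port fan-out from a
    quiet period (the training data must show some variance)."""
    counts = list(distinct_ports(training).values())
    return statistics.mean(counts), statistics.stdev(counts)


def anomaly_hits(records, profile, sigmas=3.0):
    """Statistical anomaly: flag sources more than `sigmas` standard
    deviations above the baseline. No rule names the sweep, yet it stands out."""
    mean, sd = profile
    return [(src, n, round((n - mean) / sd, 1))
            for src, n in distinct_ports(records).items()
            if (n - mean) / sd > sigmas]


def respond(sources):
    """Active response: one block rule per offending source. The rule text
    is a placeholder, not any real firewall's syntax."""
    return ["deny ip from %s to any" % src for src in sorted(set(sources))]


def run(records=LIVE, training=TRAINING):
    """Run both detectors over the records and feed every offender to respond()."""
    profile = build_profile(training)
    sigs = signature_hits(records)
    anoms = anomaly_hits(records, profile)
    blocked = respond([s for _, s, _ in sigs] + [s for s, _, _ in anoms])
    return {"signatures": sigs, "anomalies": anoms, "blocked": blocked}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Running it shows the division of labour: the two signatures catch the phf and WIZ requests and nothing else, while the port sweep, which matches no signature, is caught only by the fan-out threshold. Two caveats a practitioner will want before wiring the last step to a real firewall: the anomaly threshold must be learned from a genuinely quiet period and retuned as traffic changes, or legitimate busy hosts will trip it; and automatic blocking keys on a source address the attacker chooses, so an attacker who spoofs a business partner's address can turn the responder into a denial of service against that partner.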

While three years ago there was virtually no commercial intrusion-detection market, sales last year hit $100 million and are expected to double again this year, according to analysts at Aberdeen Group, a consultancy in Boston (see graphic).

Axent Technologies and Internet Security Systems are the market-share leaders at this point, but Aberdeen analyst Jim Hurley emphasizes that intrusion detection is still a fragmented and immature industry. "There's no gorilla established for it yet," he says.

Internet Security Systems has tried to take advantage of its head start by organizing the Adaptive Network Security Alliance. This group aims to define a common technical framework for active response and shutdown against hackers. The framework would let network devices share intrusion information.

About 50 vendors are members of the alliance, but some industry heavyweights, such as Microsoft, IBM and Cisco, are not. So far, the alliance has defined a network management API for intrusion detection, which is supported by Hewlett-Packard's OpenView.

Users buying intrusion-detection products naturally want to know: Do they really work?

The International Computer Security Association wants to tackle that question by providing independent testing. It recently organized an intrusion-detection consortium with 10 founding members.

The association plans to clearly define product capabilities in the short term and also hopes to have a buyer's guide out by fall. But the organization doesn't expect to start testing or certifying intrusion-detection products any time soon because association members "are in agreement that, at this point, the industry is too immature for product certification," a spokesman says.

Network professionals believe that intrusion-detection software helps, but in more ways than just spotting hackers.

Ernst & Young deploys the Tripwire file-monitoring software on Unix servers in its intranets to prove that risk-management data wasn't altered. "The regulatory agencies require you have certain capital requirements," Ernst & Young principal Allen Lum says. "We use Tripwire against the risk capital-model programs to make sure the data didn't change."
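The host-based file-monitoring idea behind the products listed at the top of the article, and the way Ernst & Young uses Tripwire to prove a data set was not altered, comes down to a baseline-and-compare cycle. The script below is an added illustration of that cycle, not Tripwire's code; the directory tree, file contents and tampering scenario are constructed for the example, and the attribute set it snapshots (content hash, size, permission bits) is a deliberately small subset of what the real product records.

```python
"""Added example: a Tripwire-style file-integrity check. This is not
Tripwire's code; it only shows the idea of baselining and re-checking files."""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Snapshot the attributes we care about. Tripwire records many more
    (inode, link count, ctime); content hash, size and mode carry the idea."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root):
    """Walk a tree and fingerprint every regular file (symlinks skipped)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report added, removed and changed paths between two snapshots.
    Any attribute difference counts, so a permission change with identical
    content is reported as well as a content change with identical size."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=0o644):
    """Helper for the constructed scenario: create a file with given mode."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)
    return full


def demo():
    """Constructed scenario (no real system files): baseline a small tree,
    tamper with it the way an intruder might, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        login = _write(root, "bin/login", b"original login binary", 0o755)
        shadow = _write(root, "etc/shadow", b"root:$1$x:0:0:99999:7:::", 0o600)
        model = _write(root, "model.dat", b"risk capital model data")
        baseline = build_baseline(root)
        # In practice the baseline is signed and kept off-host or on
        # read-only media; an intruder who can rewrite it defeats the check.
        stored = json.dumps(baseline, sort_keys=True)

        # Tampering: same-size replacement of a binary (size and mtime tricks
        # do not fool a hash), a permission loosened, a file dropped in, and
        # a data file deleted.
        with open(login, "wb") as f:
            f.write(b"trojaned login binary")
        os.chmod(shadow, 0o644)
        _write(root, "bin/.rootkit", b"x")
        os.remove(model)

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The check is only as trustworthy as the stored baseline and the program doing the checking: both have to live somewhere the intruder cannot write, which is why the real product is usually run from read-only media with the database kept off the monitored host. For the Ernst & Young use, the same report that flags a trojaned binary also proves, to an auditor, that the risk-model data matched its baseline over the period in question.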

Intrusion detection is taken very seriously within military networks. And at Naval Sea Systems Command in Dahlgren, Va., the Naval Surface Warfare Center runs several host-based and network-monitoring intrusion-detection products to keep hackers at bay.

The Navy's detection efforts are led by the "shadow team," which analyzes daily hacker attempts through log reviews. Team leader Stephen Northcutt says his group has deployed the ISS commercial product RealSecure as well as two home-grown systems, the Network Intrusion Detector, made by the Department of Energy, and Shadow, designed by the Navy.

Copyright, 1994-2006 Network World, Inc. All rights reserved.