By Ellen Messmer
Network World, 09/27/99

When it comes to choosing a method for detecting intrusions, you've got a choice between host- and network-based systems.

With a host-based scenario, agent software is installed on the server that is to be monitored (sometimes a PC can host the agent and stand watch over the server or other devices). The agent tracks unauthorized access attempts or other malicious activities on that server. Products include Axent Technologies' Intruder Alert, CyberSafe's Centrax, ODS Networks' CDMS, Security Dynamics' Kane Security Monitor and Tripwire Security's Tripwire.

In a network-based strategy, agents are installed on LAN segments or behind firewalls to monitor and analyze network traffic. Axent's Net Prowler, Cisco's NetRanger, Computer Associates' SessionWall-3, Internet Security Systems' (ISS) RealSecure and Network Flight Recorder's Network Flight Recorder fit in this category.

Intruders beware

Host-based intrusion-detection software may provide better application-layer security than can network-based tools because the host software can detect failed access attempts. It can monitor the number of files or directories accessed by a user. But it is also expensive and time-consuming to load the agent software on large numbers of servers and desktops. Moreover, the software has to be upgraded regularly as new software vulnerabilities are discovered.
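The two host-side checks described above, failed access attempts and the number of files or directories a user touches, can be sketched as follows. This is an added example, not code from any product named in the article; the log format, user names, thresholds and the `analyze` function are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (timestamp user event object); the format is hypothetical.
SAMPLE_LOG = """\
1999-09-27T10:00:01 alice LOGIN_FAIL console
1999-09-27T10:01:00 carol LOGIN_FAIL console
1999-09-27T10:01:30 carol LOGIN_FAIL console
1999-09-27T10:02:10 carol LOGIN_FAIL console
1999-09-27T10:03:00 bob FILE_READ /payroll/q1
1999-09-27T10:03:05 bob FILE_READ /payroll/q2
1999-09-27T10:03:09 bob FILE_READ /payroll/q3
1999-09-27T10:03:12 bob FILE_READ /hr/reviews
1999-09-27T10:03:15 bob FILE_READ /hr/salaries
1999-09-27T10:20:00 alice LOGIN_FAIL console
garbled line
"""

FAIL_LIMIT = 3                      # failures that trigger an alert (assumed policy)
FAIL_WINDOW = timedelta(minutes=5)  # period over which failures are counted (assumed)
FILE_LIMIT = 4                      # distinct paths a user may read before alerting (assumed)

def analyze(log_text):
    """Return (timestamp, user, reason) alerts, at most one per user and reason."""
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures
    paths_seen = defaultdict(set)       # user -> distinct files/directories accessed
    alerts, raised = [], set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                    # skip malformed records instead of crashing
        stamp, user, event, obj = parts
        when = datetime.fromisoformat(stamp)
        reason = None
        if event == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(when)
            while when - window[0] > FAIL_WINDOW:
                window.popleft()        # forget failures older than the window
            if len(window) >= FAIL_LIMIT:
                reason = "failed-access burst"
        elif event == "FILE_READ":
            paths_seen[user].add(obj)
            if len(paths_seen[user]) > FILE_LIMIT:
                reason = "unusual file access volume"
        if reason and (user, reason) not in raised:
            raised.add((user, reason))
            alerts.append((stamp, user, reason))
    return alerts
```

On the constructed log, alice's two failures are twenty minutes apart and stay below the threshold, which shows how the time window keeps isolated mistyped passwords from raising alerts.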

Conversely, network-based software can be fairly easy to deploy. However, it too has downsides. One is that it can generate false positives about threats, and that means headaches for nothing. Another downside is that the software is not typically integrated into larger network management systems so net managers can't gain an integrated view without proliferating yet more monitors.

Deciding what to do depends on the importance of your data and the money you have to spend. Host-based software is more expensive, so deployment is usually limited to servers with sensitive information. Axent's host-based Intruder Alert 3.0, for example, costs $995 per server and $95 per workstation, plus $1,995 per manager. That adds up quickly for a large enterprise with hundreds of servers to monitor. In comparison, the network-based intrusion-detection RealSecure Network, from ISS, lists at $8,995.

It's worth noting that these vendors have been busy invading each other's historic turf by adding new products, either host- or network-based, to compete as directly as possible against the other.

How vulnerable are you?

Likewise, the vulnerability assessment tools market is segmented into host- and network-based products. Vulnerability assessment tools are offshoots of intrusion-detection software that scan for security holes. Examples of products in the host-based camp include: Axent's Enterprise Security Manager, Bindview Development's NOSadmin, Cyberguard's Centrax, Security Dynamics' Kane Security Analyst, Computer Associates' Platinum PCM, ISS' System Scanner, as well as a freeware package called COPS.

For network-based vulnerability assessment, look to Axent's NetRecon, Cisco's NetSonar, ISS Internet Scanner, L3's Expert, Netect's HackerShield, Network Associates' CyberCop Scanner, Web Trends Security Analyzer, and two freeware programs - SATAN and Nmap.

The advantage of host-based vulnerability assessment products is they can deliver real-time information, which gives a system administrator a better ability to assess risk levels. The disadvantage is that the products require the administrator to install the necessary software agents on a large number of systems. This gets expensive and makes installation complex.

For example, Axent's Enterprise Security Manager 5.0, the leading host-based product, costs $1,995 for the manager console, $995 for each server agent and $95 for the workstation agent. The network-based ISS Internet Scanner, on the other hand, costs $2,795 for a 30-device license for any server or workstation.

Network-based vulnerability assessment products scan to take an inventory of network components and hosts. They analyze that information against a database of known vulnerabilities and recommend a fix. The advantage is ease of use. The downside is that the products deliver just a snapshot, not a real-time analysis.
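The analysis step described above, comparing an inventory against a database of known vulnerabilities and recommending a fix, looks roughly like this. It is an added example, not code from any scanner named in the article; the inventory, the product names, the `EXAMPLE-` identifiers and all function names are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed inventory, as a scan might record it: (host, service, version).
INVENTORY = [
    ("192.0.2.5", "example-ftpd", "2.4.1"),
    ("192.0.2.5", "example-httpd", "1.3.9"),
    ("192.0.2.9", "example-ftpd", "2.6.0"),
    ("192.0.2.12", "example-smtpd", "8.9"),
]

# Constructed vulnerability database; ids and products are placeholders.
VULN_DB = [
    {"id": "EXAMPLE-0001", "service": "example-ftpd", "fixed_in": "2.5.0",
     "fix": "upgrade example-ftpd to 2.5.0 or later"},
    {"id": "EXAMPLE-0002", "service": "example-smtpd", "fixed_in": "8.9.3",
     "fix": "upgrade example-smtpd to 8.9.3 or later"},
]

def version_key(text):
    """Turn '8.9' into (8, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def is_older(found, fixed_in):
    """True when the found version precedes the fixed one; pads so 8.9 == 8.9.0."""
    a, b = version_key(found), version_key(fixed_in)
    width = max(len(a), len(b))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(a) < pad(b)

def assess(inventory, vuln_db, scanned_at):
    """Match the inventory against the database; the result describes scanned_at only."""
    findings = []
    for host, service, version in inventory:
        for entry in vuln_db:
            if entry["service"] == service and is_older(version, entry["fixed_in"]):
                findings.append({"host": host, "id": entry["id"],
                                 "found": version, "fix": entry["fix"]})
    return {"scanned_at": scanned_at.isoformat(), "findings": findings}

if __name__ == "__main__":
    report = assess(INVENTORY, VULN_DB, datetime.now(timezone.utc))
    print(report["scanned_at"], report["findings"])
```

The `scanned_at` field carries the snapshot caveat: a host patched or newly exposed after that moment is not reflected until the next scan.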

At the least, every company should run a vulnerability check periodically, even if it uses hired guns, such as vulnerability testing services from security consultants or systems integrators. The money question is unavoidable. Installing host-based software on every server you have is great - if you can afford it.

  Copyright, 1995-2001 Network World, Inc. All rights reserved.