Tuesday | 7 July, 2009
CSO
ANALYST REPORT: Preventive Steps for Securing the Corporate Network
Eric Ogren (CSO (US)) 02/10/2003 11:06:59

By Eric Ogren Analyst, Securities, Services and Solutions Yankee Group

The trusted security model of network intrusion-detection systems, triggering alarms for IT action, has become overwhelmed, says the Yankee Group. Network security is officially in the transition from passive network intrusion detection to active network intrusion prevention. The Yankee Group offers six recommendations for enterprises to improve intrusion detection.

Not long ago, network security focused on front-office and back-office security. The staples of security were a hard perimeter of firewalls and authentication to lock out intruders, and an array of antivirus products to preserve host integrity. Enterprises with advanced security deployed relatively low-performance intrusion-detection systems to examine the network for signs of abuse.

The demands of e-business have extended the corporate network back through the supply chain and forward to channel partners and customers. Securing the communications infrastructure requires enforcement of security policy, high performance for increasing traffic loads, and low latency to complete transactions. The trusted security model of network intrusion-detection systems, triggering alarms for IT action, has become overwhelmed. Network security is officially in the transition from passive network intrusion detection to active network intrusion prevention.

Network intrusion-detection systems (NIDS) were designed to help IT recognise attacks on the network that had penetrated firewall perimeter defenses. Scanning traffic and log files for evidence of intrusions was the only means of detecting a breach in perimeter defense, unless a host machine failed or a denial-of-service (DoS) attack was successful. NIDSs reported all suspicious activity to IT security teams so they could follow up and close holes in the security posture. NIDSs filled a valuable investigative role in an enterprise security program.

The recent SQL Slammer worm spread around the world in roughly 18 minutes, far quicker than anyone's ability to craft and distribute a new signature or manually reconfigure network device settings. The explosive growth in public-protocol Internet use has yielded far more traffic than IT security, as it stands, can handle. NIDS solutions for high traffic have involved incremental load-balancing equipment for extra NIDS sensors and security event management systems to reduce the size of event data reports. Additional IT staff are required to interpret NIDS reports and the best personnel are tasked with simplifying NIDS rules to reduce the burden of report processing. Enterprises are now looking at intrusion-prevention technology to maintain network availability in the face of Internet intrusions.

Enterprise Recommendations

— Mandate DoS protection from service providers in future service-level agreements. Service providers have defenses against bandwidth-consuming attacks such as SQL Slammer. Do business with service providers that can guarantee greater availability and will accept financial incentives for extended e-business.

— Make network intrusion prevention mandatory in front of critical data centres and Web-facing application zones. The cost of a service disruption merits extra attention. The technology can be deployed as widely as IT feels comfortable administering it in larger scale deployments.

— Know what security problem you are trying to solve and choose solutions accordingly. Evaluate products against specific needs. Crosscheck references with peers within the industry to avoid being swayed by vendor marketing hype.

— If manual control over the network and protocol exploits is important, use a network intrusion-detection system. Large enterprises should choose from among Cisco, ISS, Sourcefire, and Symantec. A monitoring system, such as the one provided by Securify, also allows IT to defend the network against security vulnerabilities.

— If DoS attacks against revenue-generating application zones are a concern, focus on intrusion-prevention products strong in flow-based algorithms. Consider vendors such as Arbor Networks and Mazu Networks.

— If freedom to evolve the solution as the technology matures is a priority, focus on blended solutions that provide the best of both worlds. Vendors such as IntruVert, NetScreen, TippingPoint, and Top Layer deserve attention.
