February 09, 2001, 2:57 PM — The combination of an inherently insecure Internet, a mania for e-commerce, and a number of high-profile network breaches in 2000 -- such as those at Egghead.com, Microsoft, and Lucent Technologies -- finally brought security the attention it deserves. One of the security technologies that received the most recognition last year was intrusion detection. This was due not only to larger security budgets and a desperate need to thwart intruders, but also to significant advances in the capabilities of intrusion-detection systems, which began making the leap to intrusion prevention this past year.
Intrusion-detection systems monitor an organization's network and hosts, typically detecting intrusions by matching observed traffic or system activity against signatures of known attacks. One important disadvantage of this approach is that the system cannot detect an attack, or even a variant of a known attack, that has not yet been incorporated into its signature database. Consequently, much like anti-virus software vendors, vendors of intrusion-detection systems are locked in an arms race against network crackers, and they are inevitably two or three steps behind.
This problem will persist for the foreseeable future. But what will change in the near term is another limitation of traditional intrusion-detection systems: the necessity of manual intervention to thwart an attack. From their beginnings, the most that intrusion-detection systems have been capable of is alerting network administrators to potential problems. After the system spots a buffer overflow, a Trojan horse, or another malicious exploit, it simply notifies an administrator and leaves it to the human to intervene. Manual defense is not only tedious and time-consuming, but it comes too late.
A new generation of intrusion-detection systems, the so-called intrusion-prevention systems, from vendors such as Entercept Security Technologies, Internet Security Systems, and Network ICE, steps in to block intrusions before the damage is done. Entercept's product Entercept 1.5, for example, matches system requests against an attack signature database before they are executed and, depending on the configured security level, grants those requests or terminates, logs, prevents, or ignores them.
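The two points above, that a signature-based system only recognizes what is already in its database and that an intrusion-prevention system turns a match into an action chosen by security level rather than merely an alert, can be seen in a small detector. The following is an added example written for this page; it is not code from Entercept or any other vendor named here. The signature patterns, the level-to-action table, and the sample requests are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed signature database: a name and a regular expression for the
# request pattern of a known attack. These are illustrative stand-ins, not
# signatures taken from any real product.
SIGNATURES = {
    "unix-passwd-read": re.compile(r"/etc/passwd"),
    "cmd-exe-traversal": re.compile(r"\.\./.*cmd\.exe", re.IGNORECASE),
    "long-arg-overflow": re.compile(r"[?&][A-Za-z_]+=[^&]{256,}"),
}

# Action taken on a match, keyed by the administrator's chosen security
# level (hypothetical levels). Low levels only log, as a classic IDS would;
# the high level terminates the request before it reaches its target.
ACTIONS_BY_LEVEL = {
    "low": "log",
    "medium": "log",
    "high": "terminate",
}


@dataclass
class Verdict:
    request: str
    matched: Optional[str]  # name of the signature that fired, if any
    action: str             # "grant", "log" or "terminate"


def match_signatures(request: str) -> Optional[str]:
    """Return the name of the first signature matching the request, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def inspect(request: str, level: str = "high") -> Verdict:
    """Decide what to do with one request under the given security level."""
    if level not in ACTIONS_BY_LEVEL:
        raise ValueError(f"unknown security level: {level}")
    name = match_signatures(request)
    if name is None:
        return Verdict(request, None, "grant")
    return Verdict(request, name, ACTIONS_BY_LEVEL[level])


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /search?q=" + "A" * 300 + " HTTP/1.0",
    # Same intent as the passwd request, but with the slashes URL-encoded.
    # No signature anticipates this spelling, so the detector grants it:
    # this is the knowledge-base limitation described in the article.
    "GET /cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0",
]


def run(level: str = "high") -> List[Verdict]:
    """Inspect every sample request at the given level."""
    return [inspect(r, level) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for v in run("high"):
        print(f"{v.action:9} {v.matched or '-':20} {v.request[:60]}")
```

Running it at the "high" level terminates the three requests that hit a signature and grants the other two, including the encoded traversal, which is exactly the class of attack a signature-only product misses until its database is updated. Dropping the level to "low" changes nothing about what is detected; it only changes whether the system blocks or merely logs.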
Security vendors also made headway this year in preventing attacks that exploit security weaknesses in Web applications, which traditional intrusion-detection systems are unable to spot. Perfecto Technologies' AppShield, for example, sits between the network firewall and Web server, allowing Web surfers to access the Web site only from authorized entry points and verifying that all incoming client requests are legitimate. If a request violates the defined security policy, browsers are denied access to the application.
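The approach described for AppShield is the opposite of a signature database: instead of listing what is forbidden, the policy lists the entry points a client may reach and the form each parameter must take, and everything else is denied. The following is an added example of that positive model, written for this page; it is not AppShield's code or its policy format. The entry points, parameter rules, and sample requests are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class EntryPoint:
    """One authorized URL: allowed methods and the parameters it accepts."""
    methods: frozenset
    params: Dict[str, re.Pattern] = field(default_factory=dict)


# Constructed positive policy (hypothetical site). Every declared parameter
# is required and must fully match its pattern; undeclared URLs, methods
# and parameters are denied.
POLICY: Dict[str, EntryPoint] = {
    "/": EntryPoint(frozenset({"GET"})),
    "/login": EntryPoint(frozenset({"POST"}), {
        "user": re.compile(r"[A-Za-z0-9_]{1,32}"),
        "password": re.compile(r".{1,64}"),
    }),
    "/catalog/item": EntryPoint(frozenset({"GET"}), {
        "id": re.compile(r"[0-9]{1,8}"),
    }),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_request(method: str, url: str, body: str = "") -> Decision:
    """Apply the positive policy to one request; anything not listed is denied."""
    parts = urlsplit(url)
    entry = POLICY.get(parts.path)
    if entry is None:
        return Decision(False, f"unknown entry point {parts.path}")
    if method not in entry.methods:
        return Decision(False, f"{method} not permitted on {parts.path}")
    # Merge query-string and form-body parameters, keeping repeats so that a
    # duplicated parameter is treated as a violation rather than ignored.
    supplied = parse_qs(parts.query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        supplied.setdefault(name, []).extend(values)
    for name, values in supplied.items():
        pattern = entry.params.get(name)
        if pattern is None:
            return Decision(False, f"unexpected parameter {name}")
        if len(values) != 1:
            return Decision(False, f"parameter {name} supplied {len(values)} times")
        if not pattern.fullmatch(values[0]):
            return Decision(False, f"parameter {name} fails validation")
    missing = sorted(set(entry.params) - set(supplied))
    if missing:
        return Decision(False, f"missing parameter(s) {missing}")
    return Decision(True, "request conforms to policy")


# Constructed sample requests as (method, url, body); not captured traffic.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("GET", "/", ""),
    ("GET", "/catalog/item?id=1042", ""),
    ("POST", "/login", "user=alice&password=s3cret"),
    ("GET", "/catalog/item?id=1042%27%20OR%201%3D1", ""),  # injection-shaped value
    ("GET", "/admin/config", ""),                          # not an entry point
    ("GET", "/login?user=alice&password=x", ""),           # wrong method
    ("GET", "/catalog/item?id=1&debug=true", ""),          # undeclared parameter
]


def run() -> List[Decision]:
    """Evaluate every sample request against the policy."""
    return [check_request(m, u, b) for m, u, b in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, url, _), d in zip(SAMPLE_REQUESTS, run()):
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {method} {url:45} {d.reason}")
```

The injection-shaped catalog request is refused without any signature for SQL injection: the value simply is not a short string of digits. That is the strength of the model the article describes, and also its cost, since every legitimate entry point and parameter has to be declared up front or real users are turned away along with attackers.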