IDS Products Take Different Tacks to Prevent Attacks

By Dennis Fisher  |  Posted 2002-06-03

Reflecting the industry trend toward advanced, hybrid intrusion detection systems, two vendors have unveiled IDS products that take different approaches to the challenge of identifying and halting attacks.

Lancope Inc. last week introduced Version 2.0 of its StealthWatch product, which includes several new capabilities and gives administrators a more detailed picture of each host on their network.

The new release enables users to set up zones that restrict certain classes of users to specific areas of the network.

For example, an administrator could set up a rule preventing remote users coming in over a virtual private network from accessing certain ports.

The new, granular security capabilities also enable administrators to see all the activity for each host.

In addition, it allows administrators to pull up a report on all the activity on a certain port across every host.

"When the SQLsnake was going around, you could have asked for all of the activity on port 1433 [which the SQLsnake scans] across all of your boxes," said Byron Cleary, senior security engineer at Lancope, based in Alpharetta, Ga.

In its approach to a similar problem, NFR Security Inc., of Rock-ville, Md., recently launched its IMS (Intrusion Management System), as well as new versions of its Network Intrusion Detection and Host Intrusion Detection products.

The IMS platform is based on the companys concept of an attack timeline and the technologies that need to be deployed before, during and after an incident.

The IMS has an agent that performs vulnerability assessments, network and host-based IDS and is capable of responding to attacks that make it inside the network perimeter.

For example, the agent can modify firewall policies to close specific ports, log users off the system, disable accounts completely, send messages to SNMP traps and execute TCP reset commands.

The system also has data mining capabilities that enable an administrator to build a kind of case study of a specific event.

In addition, the IMS has the ability to determine which events have the potential to harm the network and to ignore all other events.

"Its not going to send you an alert that youre being scanned for a [Microsoft Corp. Internet Information Services] vulnerability if youre running Apache," said Jack Reis, CEO of NFR. "When youre talking about firing buckets of data around, thats not trivial."

Rocket Fuel