Seek and Destroy

New network weapons freeze attacks on sight

First Citizens Bank, a regional bank based in Raleigh, N.C., got hit by the Code Red worm.

Thats not something you would have read in any news report. First Citizens didnt tell anyone about it, and it didnt have to, because the network operations team there had installed the latest in security technology: an intrusion prevention system that effectively neutered the malicious worm.

"We were looking to get a proof of concept to ourselves that intrusion prevention works," says Jay Ward, First Citizens senior network security analyst. First Citizens got it: The banks Web servers emerged unscathed by Code Red, a self-propagating program designed to deface Microsoft Web servers.

While most administrators have already become well-aware of intrusion detection systems, an intrusion prevention system is a fairly new concept. The two are closely related, and as a tool IPSes are being used alongside IDSes, if not outright replacing them.

But the small differences between those security technologies can make all the difference in the world to an I-manager such as First Citizens Ward. An IDS is designed to monitor for known attack signatures and sniff out suspicious network behavior. When it finds unusual network activity, the IDS will send an alert to designated operations staffers, while logging and reporting the intrusions progress.

However, an IDS cant handle the immediate problem: It cant stop the attack as its happening. Thats where IPSes come in. An IPS looks out for these attack signatures, while also watching for suspicious behavior on specific machines in the network. When a server tries to execute a behavior that is not the norm, the IPS will automatically neutralize it with a countermeasure.

"We dont even know [the intrusion] is Code Red — we just know its misbehaving," says Eric Ogren, vice president of marketing of Okena, which sells an IPS. "What we do is look at how machines should be behaving and enforce that in real-time."

One example of aberrant behavior that an IPS might watch for is a Web server trying to execute telnet or FTP sessions, when its only purpose is to serve up Web pages. Another might be an unusual number of probes from one domain, which would prompt an IPS to shut off access to that domain altogether. Or perhaps some code coming in through the mail gateway and trying to cause Microsoft Outlook to send a virus-laden e-mail automatically to everyone in the address book. All of these scenarios are preventable with an IPS, Ogren says.

With Code Red, for example, First Citizens was able to detect that the worm was trying to scan the Internet for other vulnerable servers in order to propagate itself. The IPS the bank had deployed, developed by Entercept Security Technologies, stopped the activity immediately, using software agents on the targeted servers to terminate the unauthorized outgoing port scans.

"With the old-fashioned IDS system, the way they were set up, your locks are bolted and the alarm system is activated, but the intruders still in your home," says Lou Ryan, Entercepts president and CEO. "That promise was arcane and unfulfilling."

Nir Zuk, chief technology officer of security software vendor One-Secure, agrees that a traditional IDS is essentially useless. "Lets just say right now its extremely simple to evade intrusion detection," Zuk says. Any hacker worth his salt, he says, can bypass an IDS in his sleep.

The IPS field is already being colonized by both startups and established vendors. IDS suppliers that have incorporated some form of intrusion prevention in their products include Cisco Systems, Computer Associates International, CyberSafe, Internet Security Systems,, Network Associates Inc., NFR Security, SecureWorks and Symantec. Theres even an open source option: a lightweight IDS called Snort, which is available for several different operating systems (OSes).

A related group of companies, which includes Argus Systems Group, Sanctum and WatchGuard Technologies, supplies technology that locks down applications and OSes to prevent intruders from taking advantage of them, but doesnt actively monitor for new threats.

Worm Warriors

Security experts say the growing interest in IPSes has been largely due to the Code Red worm.

"Anything like Code Red thats big in the news starts to remind people how vulnerable they really are," says Sheila Droski, ISS product manager of intrusion detection technologies.

Droski believes Code Red was a watershed event because it spread faster than any administrator could read an alert telling him or her what the problem was.

In fact, IDSes blipped their way onto many I-managers radar screens in a similar way. Last year, there was a spurt of denial-of-service attacks on well-known e-commerce sites such as eBay and Yahoo!, and suddenly interest in the relatively little-known technology called intrusion detection ballooned. "Before that, you only had the early adopters and financial institutions who understood it actually using it," Droski says. "Once those attacks hit, we saw growth in mainstream interest, and thats been growing strongly ever since."

Code Reds journey through the Internet was mirrored in the mainstream of pop culture. The worm popped up on local news channels and The Tonight Show With Jay Leno. In all the attention, one thing that stood out about Code Red was the prevailing notion that its rapid spread could have been easily prevented if Web administrators who were running Microsoft Internet Information Server (IIS), which was susceptible to the worm, had patched those systems.

A month earlier, Microsoft was informed of the hole by consulting firm eEye Digital Security, and promptly released a fix prior to Code Reds arrival. "All you have to do is download the patch," security experts and Microsoft spokespeople said. That might have seemed like a simple task, but Web server administrators look at the issue of constant patching and updating quite differently.

First, system administrators are usually in charge of so much software that constantly keeping track of those updates becomes nearly impossible. Some are ambivalent enough to ignore security alerts because they say theyre frustrated by the constant discovery of new holes in Microsofts and other vendors systems.

Furthermore, applying a patch is not at all trivial. In some cases, the patch for one security vulnerability causes another. That happened earlier this year when Microsoft released a patch to Exchange Server that, when applied, caused the system to crash. Administrators who were lax in applying patches were able to avoid the problem, while those who were meticulous about it were punished by crashing their own systems.

As if the decision to apply a security patch werent difficult enough, some third-party software developers have begun to tell their customers that they wont support their software running on Windows servers if certain patches are applied, because theyre not convinced the two will work together. Thats precisely the reason First Citizens Ward hadnt patched the Microsoft IIS servers in the weeks leading up to the Code Red tsunami: One of First Citizens Web application vendors, which he declines to name, said that if Ward installed the Microsoft IIS patch, it would refuse to support its software.

Richard Stiennon, Gartners research director of network security, says thats very common, though he, too, declines to name software vendors that are guilty of this practice. In todays Internet business networks, he says, Web servers are tied to application servers, so "you cant just tie on a patch without the applications supporting it."

In light of these difficulties, administrators are turning to solutions that can defend their networks against attacks such as Code Red, even if the right patches havent been applied.

Control Freaks

Romain "Ago" Agostini, Entercepts director of product management, compares the evolution of IDSes into IPSes to the development of comprehensive antivirus software. The first antivirus software packages only had the ability to scan PCs to discover if any viruses had actually infected them — after the fact. Eventually, however, the software transformed into a system for preventing the infestation of viruses altogether.

But Gartners Stiennon warns that the move from intrusion detection to intrusion prevention is a complicated one. "The underlying philosophy has a lot of merit," he says. But adopting an IPS is a "fundamental change from where everything is allowed unless explicitly denied to everything is denied unless explicitly allowed," Stiennon says.

Those who take pride in running their networks know that handing over control of what is and isnt allowed in the network to a software program is not always desirable. The issue is that an automated security system can inadvertently block access that is allowed, disrupting business and potentially losing sales.

"Most of our customers say today they havent seen an IPS that doesnt prove it wont cut off customer access," says Mike Van Bruinisse, president of Lancope, which makes intrusion detection appliances. To a business, "its almost as bad to let an intruder in as it is to cut off a potential customer."

But Okenas Ogren says the bottom line is that security managers want a way to prevent damage, not just detect it. "IT doesnt want to be told every time theres a problem," he says. "They want a way to prevent the problem."