Getting the drop on network intruders

October 11, 1999
Web posted at: 2:53 p.m. EDT (1853 GMT)

by Ellen Messmer

Network World Fusion

(IDG) -- Your network is your kingdom, and you're the leader of the security force. What are you doing to protect your territory?

Firewalls help police the perimeter, but they may not be enough. Luckily, there's some pretty advanced technology available for detecting enemies trying to make unauthorized incursions into your home base.

Software that alerts the network manager to attempted or actual break-ins on servers or networks is still a relatively new idea. The first home-grown software was put into action by the U.S. military in the mid-'90s. Since then, a growing army of commercial software vendors has launched products designed to detect the wily hacker.

Some vendors developed host-based products to guard operating systems, Web servers or databases. Others approached the problem through network-based intrusion detection, which works by scanning network traffic to detect suspicious activities.

The market for both kinds of intrusion-detection products is growing. According to International Data Corp. (IDC), the market has grown from about $20 million in 1997 to about $100 million this year and is projected to hit $528 million by 2005. With today's hacker tools being so automated that even those not well-trained in networking can use them, corporations are looking for all the protection they can get.

In each of the two market segments, a single vendor - but not the same one - dominates. Axent Technologies, with its Intruder Alert product, captured three-quarters of the host-based intrusion-detection segment last year. ODS Networks, with its Computer Misuse Detection System, accounted for about 9% of the market, while Security Dynamics seized 6% with its product, Kane Security Monitor.

In the sphere of network-based intrusion detection, Internet Security Systems (ISS) last year held about half of the market with its RealSecure product. Cisco, which purchased WheelGroup, managed to capture about 23% with the WheelGroup NetRanger product. Computer Associates also bought its way into an 8% share through its purchase of SessionWall-3 from MEMCO.

Not only is the size of the market growing, so is the number of vendors. Some of the more recent entries include start-ups Network ICE and Intellitactics.

Unfortunately, prices for many intrusion-detection products are still out of reach for smaller companies, with server-based agent software costing $4,000 per server. As the market matures and competition increases, prices should drop.

Keeping up with the bad guys

There's always room for improvement in intrusion-detection tools. Hackers are constantly devising new schemes to trick their way into computer systems. Intrusion-detection firms have to track these exploits as best they can and turn out software-based countermeasures. Consequently, products are constantly in upgrade mode, with users compelled to install new "attack signatures" whenever new attacks are identified.

In general, vendors lack any kind of "push" technology to make this constant upgrading easy. Even "pulled" updates in the style of antivirus software vendors remain a novelty for many intrusion-detection software providers. This situation reflects the immaturity of the industry, but as users make their demands known, that situation, too, should improve.

Researchers working in this field are hopeful that artificial intelligence can be applied to intrusion detection so smarter network or host software can recognize trouble on the network or the host system without specific attack signatures having to be constantly added.

Another common problem is that of false positives: situations in which a product misidentifies an authorized user as unauthorized. Analysts say products are slowly but surely working out the kinks with false positives.

In addition, products are starting to give users more flexibility to add their own custom attack signatures for specific applications by including intrusion-detection software developer kits.

Another drawback with many intrusion-detection products is that they are unable to send alerts to the large enterprise management platforms. Alerts and reports are consolidated only on their own consoles.

However, we're seeing signs of a trend toward product integration on several fronts. Axent's NetProwler can now alert Axent's Raptor firewall or Check Point Software's Firewall-1 to take a defensive action on the firewall, such as shutting down a port. Cisco is building the NetRanger intrusion-detection capability directly into its routers and switches in order to detect a few dozen attacks.

Network Associates and ISS, whose intrusion-detection products can also interact with some firewalls or network management platforms, are eager to take the idea of automated response further by bringing the larger network industry into the game.

The idea is to have host-based agent software or network-based intrusion-detection scanners capable of activating an automated response across a variety of network equipment once a serious threat is identified. But there's little agreement on this front, as Network Associates and ISS are spearheading competing plans.

With a push from ISS, the Internet Engineering Task Force last year started an Intrusion Detection Working Group to define a standard for interoperability. But the fruits of this labor are probably years off at best.

Don't do it yourself

The trend likely to bring more immediate benefit to corporations looking into intrusion detection is the growing availability of intrusion-detection services.

Just as managed firewall services have gained momentum, so too will managed intrusion-detection services, some analysts predict. Because finding security professionals experienced with intrusion detection can be a challenge, corporations will be outsourcing the responsibility to a number of industry players.

One of the main questions facing the intrusion-detection industry in coming years is whether corporations buying intrusion-detection tools will want to continue buying them as separate components or will prefer to purchase them as part of network equipment, such as routers, switches or LANs, says Aberdeen Group analyst Jim Hurley.

While that answer isn't clear right now, no one doubts that intrusion detection, now used mainly by large security-conscious companies (such as banks) and the government, will be finding its way into many more organizations in the future.
