Intrusion protection: why it is needed, what is involved, what are the pitfalls and challenges?

May 2005 Information Security

Intrusion protection takes the argument for intrusion detection one stage further, by not just discovering attacks on a network, but blocking and preventing them from happening again.

With companies becoming increasingly active on the Internet, the need for intrusion detection and prevention has never been greater. Network security specialist IDsec estimates that an average company may receive anywhere between 10 and 100 attacks on its network per day. Any company with an Internet presence is at risk, and having a firewall is simply not enough.

A growing problem

When a company connects to the Internet, it is potentially opening up a whole can of worms. Malicious attacks on company networks are becoming more frequent, effective and wide-ranging. The ingenuity of hackers has kept pace with Internet development, and hacking has become such a growing area of crime that organisations including Interpol and Scotland Yard now have sections devoted to tackling this problem. The past couple of years have seen a convergence of viruses, worms and spam, so that some attacks very cleverly have several phases. In other words, the way that they infect one system is not necessarily the means they use for onward transmission to the next victim.

The people who carry out these attacks are smart. They know that most companies have firewalls, but this is a challenge to them, not a deterrent. They may spend months building up a picture of a company's network, such as what ports are open and what external servers and operating systems are being used. All this means that many companies - particularly smaller ones with fewer resources - will not know whether they have been hacked until something goes wrong (and in some cases, not even then: IDsec has had one client where a thriving hacker community was running a dodgy bulletin board on one of the client's servers without any of the staff being aware of its existence).

A firewall is not enough

Many companies realise the importance of Internet security, but may have simply installed a firewall. While there is a definite role for firewalls, they are not sufficient protection. They only protect what they can see and generally do not have the inbuilt 'intelligence' to interrogate data packets thoroughly, so they inevitably let through a significant number of packets that ought to be examined in more depth. If a data packet is from a valid source and destination and aimed at the right port, then the firewall will let it pass. This is the role of firewalls: after all, if they were to spend too much time dwelling on each data packet, then the network would slow down and no-one wants that.

The best security efforts of a company are often undermined by its own staff, who may unwittingly be introducing malicious data from outside the realm of the firewall. Infection of the internal network is one of the biggest problems for companies today. For example, a modem link used by a member of staff to carry out remote work out of hours would not be examined by the network firewall.

Similarly, a laptop used by a member of staff at home is not covered by the firewall: IDsec knows of one case where a single laptop infected during an Internet session at home wreaked havoc on the corporate network the next day. With an increasing number of IP-enabled devices, all feeding back into company networks, the protection that the firewall can offer is challenged even further.

Intrusion detection systems cannot promise to solve all of a company's security problems, but they can certainly reduce them by giving a far better idea of what the outside world is trying to do to the company network. An intrusion detection solution can automatically flag attacks as soon as they happen, rather than a company finding out the next time a member of staff remembers to read the firewall logs. This means that companies can react far more quickly to malicious attacks.

Intrusion detection has been available for some time, although, until now, not within the reach of many smaller companies. The reasons for this are simple: intrusion detection systems have traditionally involved a number of different components, all of which need to be integrated with one another, a task that can be complex.

The net result is that traditional intrusion detection systems have been expensive, and the ongoing cost of ownership and management effort have been high. Many companies have therefore felt overwhelmed at the prospect of intrusion detection, and even if they bought systems, these often ended up as 'shelfware' that was never properly used. Fortunately, multifunctional devices such as the Proventia M-Series solve this in a single unit and are therefore ideal for smaller businesses. However, larger organisations cannot afford to be complacent about intrusion detection and there is always room for improvement in this important area.

For more information contact IDsec, 0944 20 8861 2001, or visit www.idsec.co.uk









© Technews Publishing (Pty) Ltd. | All Rights Reserved.