Network Sentries Fend Off Attacks

Even the most diligent information-security professional can fall victim to a security attack. Hackers are getting smarter and launching worm and virus attacks within days after new software vulnerabilities are discovered. Just last month, Russian hackers infiltrated many Web sites with malicious code and infected the computers of those who visited the sites.

More companies are turning to new intrusion-prevention technology to provide protection from attacks and make it easier to manage system security. Half of all business servers and 30% of business PCs will use computer intrusion-prevention software by 2006, research firm Gartner says.

Intrusion-prevention technology works by looking for improper or unauthorized behavior on computers and networks. It may supplant the more common intrusion-detection systems, which spot specific code that represents worms and hacker attacks, and antivirus software, which can't stop new threats until security vendors develop a "signature" for a new worm or virus.

"It never stops," says Michael Kamens, global network and security manager for Thermo Electron Corp., a maker of scientific equipment with $2.1 billion in annual sales. Kamens needs to make sure that hundreds of servers and thousands of desktops are patched. But even when software patches are available, Kamens says, it's tough getting them deployed in time. "You can't shut down manufacturing every time a patch comes out," he says.

Thermo Electron recently installed an intrusion-prevention system called a "memory firewall" from startup Determina Inc., whose SecureCore software protects computer systems from common memory-based attacks such as buffer overflows.

Kamens always is looking for new ways to better fight attacks, and he put SecureCore through a test. "We took an unpatched Windows 2000 server and stuck it out on the Internet," he says. The system got pounded by hacker attacks and worm scans, but "nothing got through. It stopped Sasser," he says.

Kamens then installed SecureCore on two internal servers and a production server and had no problems. "We watched it like a hawk for four months," he says. Now Thermo is using it on more servers that run critical apps. "We're going to be rolling this out on many more servers," he says. The security application means Kamens doesn't have to drop everything and patch systems when a new vulnerability is disclosed, he says.

Intrusion-prevention systems also can help smaller businesses that don't have large IT staffs. Mark Hogan, CEO at Government Sales Force LLC, last year installed Primary Response intrusion-prevention software from Sana Security Inc. to better protect his 28 desktops and six servers. "We're getting hit [by attempted attacks] all the time," he says.

The software has paid for itself by helping the firm, which advises companies on how to market to the government, improve its ability to manage the way it deploys software patches, Hogan says. "You can't tell a customer who calls asking for reports that your systems are down because of a worm."

More security vendors are offering intrusion-prevention products, including McAfee Inc.'s IntruShield Network IPS and Entercept Host IPS as well as Cisco Systems' Cisco Security Agent, designed to protect servers and desktops. Startup Platform Logic Inc. offers its AppFire Suite, which also protects servers and PCs from known and unknown attacks. And Microsoft is developing its recently unveiled Active Protection Technology to secure systems.