Damage from hacking and viruses has increased dramatically, but the more serious problem is that the hacking tools and the malware themselves have become more advanced and more virulent. Take the Agobot bot that appeared last April. It was capable of repeatedly rebooting a company's server, generating heavy traffic, activating other worms already present on the PC, and uploading and downloading files. The ability to upload or download files is a serious breach of company security, because confidential documents can be leaked.
As such attacks on network security increase, companies that have relied on basic security products such as antivirus software or firewalls are now looking for intelligent next-generation products to protect their systems. As a result, intrusion-prevention systems (IPS) are growing in popularity.
An intrusion-prevention system ties together the information-protection products within a network so that an attack can be detected before it infects a system, blocked, and then traced, with recovery following. Today's intrusion-detection systems and firewalls are useful for blocking known attacks and for analyzing how an intrusion occurred, but they cannot identify a new weakness in the system, analyze it, and then push a blocking rule out to the firewall on their own. IPS addresses these gaps and has been acclaimed by industry analysts as a next-generation security solution that reacts actively to hacking, worms and cyber terror.
However, the rapid rise of IPS has spurred many security and network vendors to release similar products, blurring the concept of IPS and creating confusion for companies trying to build a next-generation security system.
So what are the criteria for selecting an IPS? Let's review a few important criteria for IPS functions.
Providing service that does not lower performance

Sometimes a company is reluctant to install a firewall out of concern that it will slow Internet access. Such attitudes reflect a company's desire to pursue profit despite its exposure to virulent attacks or hacking. In other words, many companies are concerned about security but reluctant to install a security system that might lower the performance of the company network. That reluctance reflects how important network performance is to a company's business.
To provide security services that do not lower network performance, the security equipment must be installed "in-line" on the network, so that all traffic flows through it. To run in in-line mode, the equipment must process data at the speed of the link; otherwise it becomes the bottleneck it was meant to avoid.
In addition, bypass equipment must be installed for cases in which an in-line security system stops working because of a defect or malfunction. The bypass keeps the company's network running by routing traffic around the security equipment when it is not functioning properly. Note that this is a fail-open design: while the bypass is active, traffic passes uninspected, so the bypass event must raise an alert, and the choice to fail open rather than fail closed should be made deliberately for each link it protects.
Rapid response to new worms and attacks

Secondly, quick update services must be provided to prepare for serious threats such as the Sasser worm of last May. In an environment where new worms appear every day, you cannot simply install a security system and consider the work done. At a minimum, updates to the filter (signature) database must occur regularly and automatically.
Automatic updating is very important. If updates must be applied manually, the burden on the network manager is enormous. There are a great many worms, and for most of them the network manager must enter a filter string of more than 20 characters. If even one character is mistyped, the filter silently matches nothing and there is a big hole in the company's security. Automatic updates should also be verified before they are applied: the update package should carry a vendor signature or checksum, and each filter should be validated before it replaces the running set.
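The following is an added example, not code from the original article or from any IPS vendor, showing the two checks an automatic update path should make before a new filter set goes live: the feed must authenticate, and every filter must compile, so that a mistyped pattern is reported instead of silently matching nothing. The feed format ("id|severity|pattern" per line), the shared HMAC key standing in for a vendor signature, and all function names are assumptions made for illustration.

```python
"""Verify and validate an automatic IPS filter update before it goes live.

Added example, not code from the original article or any vendor. The feed
format ("id|severity|pattern" per line), the shared key and the function
names are all assumptions made for illustration.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Assumed shared key used to authenticate the feed. A real product would verify
# a vendor public-key signature; HMAC stands in so the example runs offline.
FEED_KEY = b"example-feed-key"

# Constructed sample feed. Rule 1003 is deliberately mistyped (unterminated
# character class) to show what validation must catch.
SAMPLE_FEED = (
    "1001|high|^USER\\s+\\S{100,}\n"        # oversized FTP USER argument
    "1002|medium|GET\\s+\\S*\\.\\./\n"       # directory traversal in a request path
    "1003|high|^\\x90{32,}[\n"              # NOP sled rule with a typo at the end
)


@dataclass(frozen=True)
class Filter:
    rule_id: str
    severity: str
    pattern: re.Pattern


def feed_mac(body: str, key: bytes = FEED_KEY) -> str:
    """MAC over the whole feed body; the update bundle would carry this value."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def parse_feed(body: str):
    """Parse the feed. Returns (valid_filters, rejected_ids); never raises on a bad rule."""
    valid, rejected = [], []
    for lineno, line in enumerate(body.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|", 2)
        if len(parts) != 3 or parts[1] not in ("low", "medium", "high"):
            rejected.append(f"line {lineno}")
            continue
        rule_id, severity, pattern = parts
        try:
            compiled = re.compile(pattern)
        except re.error:
            # A mistyped pattern must be reported, not installed as a no-op.
            rejected.append(rule_id)
            continue
        valid.append(Filter(rule_id, severity, compiled))
    return valid, rejected


def apply_update(body: str, mac: str, current: list, key: bytes = FEED_KEY):
    """Replace the running filter set only if the feed authenticates.

    Returns (filters, rejected_ids, applied). On MAC failure the current set is
    kept unchanged, so a tampered or corrupted download cannot blank the filters.
    """
    if not hmac.compare_digest(feed_mac(body, key), mac):
        return current, [], False
    valid, rejected = parse_feed(body)
    # Keep the previous version of any rule that failed validation rather than
    # dropping it: a stale rule is better than a hole.
    kept = [f for f in current if f.rule_id in rejected]
    return valid + kept, rejected, True


def match_payload(filters: list, payload: str) -> list:
    """Return the ids of rules whose pattern matches the payload."""
    return [f.rule_id for f in filters if f.pattern.search(payload)]


if __name__ == "__main__":
    filters, rejected, ok = apply_update(SAMPLE_FEED, feed_mac(SAMPLE_FEED), [])
    print("applied:", ok, "rules:", [f.rule_id for f in filters], "rejected:", rejected)
    print("hits:", match_payload(filters, "GET /cgi-bin/../../etc/passwd HTTP/1.0"))
```

The rejected list is what the network manager should see after every automatic update; an update that applies cleanly but leaves a rule id in that list is exactly the "one wrong character" hole the text describes.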
A convenient user environment

The number of worm variants attacking a network is enormous. If one computer is infected by a worm, hundreds or even tens of thousands of e-mails may be sent out from that one computer. Beyond e-mail, the worm continuously sends data to every computer reachable on the company network. On a large network of thousands of computers, traffic increases dramatically. Information about such attacks therefore needs to be presented to users conveniently so that network conditions can be monitored.
For example, if the attack log categorizes attacks by type and threat level, users can easily check the state of the network. Attacks with the same signature against the same destination IP can arrive at a rate of several thousand per second. Rather than report the same attack thousands of times, a function that groups these events into a single alert with a count avoids wasting resources and operator attention.
Additionally, presenting the attack sources and related information graphically in real time, like a submarine's radar display, improves users' awareness. Presenting network information in this form lets users see what is happening throughout the network and respond as necessary.
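The grouping function described above, as an added example that is not part of the original article or any vendor's product: it collapses a flood of events with the same signature and destination into one alert carrying a count, the set of sources, and first/last-seen times, then orders the alerts by threat level the way an operator console would. The event line format, signature names and severity levels are constructed for illustration.

```python
"""Group a flood of identical attack events into one alert per (signature, destination, window).

Added example, not code from the original article or any vendor. The event
format "<epoch> <signature> <severity> <src_ip> -> <dst_ip>", the signature
names and the severity levels are constructed for illustration.
"""
from dataclasses import dataclass, field

SEVERITY = {"low": 1, "medium": 2, "high": 3}   # assumed threat levels

# Constructed sample: 3000 events of one signature against one host inside
# 0.75 s, two traversal attempts against another host, then a late repeat.
SAMPLE_EVENTS = (
    [f"{1102500000 + i / 4000:.4f} sasser-lsass-overflow high 10.0.{i % 5}.{1 + i % 250} -> 192.0.2.10"
     for i in range(3000)]
    + ["1102500001.2500 http-dir-traversal medium 198.51.100.7 -> 192.0.2.20",
       "1102500001.2600 http-dir-traversal medium 198.51.100.7 -> 192.0.2.20",
       "1102500005.0000 sasser-lsass-overflow high 10.0.0.1 -> 192.0.2.10"]
)


@dataclass
class Alert:
    signature: str
    severity: str
    dst: str
    first_seen: float
    last_seen: float
    count: int = 1
    sources: set = field(default_factory=set)


def parse_event(line: str):
    """Split one constructed event line into its fields."""
    ts, sig, sev, src, _arrow, dst = line.split()
    return float(ts), sig, sev, src, dst


def aggregate(lines, window: float = 1.0):
    """Collapse events with the same signature and destination that fall within
    `window` seconds of the alert's first event. Expects lines in time order and
    returns alerts in order of first appearance."""
    alerts = []
    open_alerts = {}   # (signature, dst) -> index into alerts
    for line in lines:
        ts, sig, sev, src, dst = parse_event(line)
        key = (sig, dst)
        idx = open_alerts.get(key)
        if idx is not None and ts - alerts[idx].first_seen <= window:
            a = alerts[idx]
            a.count += 1
            a.last_seen = ts
            a.sources.add(src)
            continue
        # Outside the window (or first sighting): open a new alert.
        alerts.append(Alert(sig, sev, dst, ts, ts, 1, {src}))
        open_alerts[key] = len(alerts) - 1
    return alerts


def summarize(alerts):
    """Order alerts as a console would: highest threat level, then largest count."""
    return sorted(alerts, key=lambda a: (-SEVERITY[a.severity], -a.count, a.first_seen))


if __name__ == "__main__":
    for a in summarize(aggregate(SAMPLE_EVENTS)):
        span = a.last_seen - a.first_seen
        print(f"{a.severity:6} {a.signature:24} -> {a.dst:12} x{a.count} "
              f"from {len(a.sources)} sources over {span:.2f}s")
```

Three alerts replace 3003 log lines, and the late repeat becomes its own alert because it falls outside the grouping window rather than being hidden inside the first one.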
It must be clear that the stability of a company's network is directly tied to its profit. All internal operational processes and external customer services run over the network; a network outage or slowdown caused by a worm, virus or hack results in significant losses: lost customers, a damaged company image and lost efficiency in business operations. Companies must recognize these losses, understand the importance of establishing a security policy, and make every effort to deploy a more effective security system.
About the Author: Sharon Trachtman has served as Radware's vice president of product management since September 1997. Prior to joining Radware, Ms. Trachtman was a product line marketing manager for Scitex Corporation and has a B.A. in computer science and philosophy from Bar Ilan University.
Radware (NASDAQ:RDWR) is the Global Leader in intelligent application switching, enabling the complete security, maximum performance and full availability of all mission critical networked applications while dramatically cutting operating and scaling costs. Radware's integrated application security, application infrastructure and end-to-end connectivity solutions are deployed by over 2,500 enterprises and carriers worldwide. Radware offers the broadest product line in the industry meeting end-to-end application needs at every critical point across the network including Web and application servers, firewalls, VPNs, ISP links, anti-virus gateways and cache. For additional information, visit Radware online at www.radware.com.
This was first published in December 2004