The Wall Street Journal-20080128-Business Solutions; Don't Fence Me In: New security technology doesn't put a firewall around a corporate computer system; Instead, it scans traffic, piece by piece



Business Solutions; Don't Fence Me In: New security technology doesn't put a firewall around a corporate computer system; Instead, it scans traffic, piece by piece


Facing a barrage of threats from hackers, companies are turning to a different type of defense to protect their networks.

Traditionally, companies have used firewalls as their first line of protection -- essentially, a big fence around their computer system that keeps out intruders. The trouble is, companies must make holes in the firewall to let certain traffic, such as email, come and go. Anything that can get through those holes can carry malicious software into a network, like an email hiding a virus or a Web page carrying spyware. And these days, more malware is slipping through to steal data or cause mischief.

Enter intrusion-prevention systems, which promise a smarter defense. These systems don't wall off networks the way firewalls do; instead, they act like the metal detector at the airport. Every piece of traffic that wants to come into your network must get scanned. If it poses a threat, it gets turned away. If it's safe, it can pass through.

The systems aren't perfect. Some companies worry that intrusion-prevention technology may drive away legitimate traffic, and many security pros caution that the technology takes lots of fine-tuning to work properly. Even so, experts say intrusion prevention is becoming a standard security measure.

Using this technology "has pretty much reached the due-diligence level," says John Pescatore, a security analyst at Gartner Inc. in Stamford, Conn. "On PCs you should have antivirus software, and on networks you need intrusion-prevention systems."

The systems work by running incoming traffic through a series of filters designed to weed out viruses and other threats, and to search for suspicious activity. The technology generally comes in two varieties. The most popular are stand-alone systems: pieces of hardware that companies physically attach to their network. Host-based systems, on the other hand, are software products that get loaded onto employees' individual computers.

According to Gartner, the world-wide market for stand-alone systems will reach $1.73 billion by 2011, up from an estimated $876 million last year. Combined, the market for network and host systems is forecast to reach $2.7 billion by 2011, up from an estimated $1.2 billion last year.

One of the big reasons for the surge in interest is improved speed. Companies sometimes found that earlier versions of these systems worked too slowly and clogged up their networks, so it would take longer to get email and load Web pages. Many companies turned off some filters to help the systems speed up. Now many systems can keep pace with companies' processing needs. International Business Machines Corp.'s highest-end device, for example, can process traffic at speeds up to 15 gigabytes per second -- essentially as fast as the speediest networks.

At the same time, companies' fears about security are growing. According to the Computer Security Institute's 2007 Computer Crime and Security Survey, the average annual loss suffered by U.S. companies from computer crime more than doubled last year to $350,424 from $168,000 in 2006. And these reported losses tend to underestimate the number of attacks. "Your networks and machines are being attacked all the time," says Charles Kolodgy, research director at IDC, a market-intelligence firm in Framingham, Mass.

Indeed, some companies are turning to these new systems because they anticipate a big increase in attacks. In 2005, Go Daddy Group Inc. beefed up its defenses just before it ran its first Super Bowl ad. "The Super Bowl was a huge event for us," says Warren Adelman, president and chief operating officer of the Scottsdale, Ariz., company, which offers Web-site hosting and other services. "We realized that that increase in visibility would increase our visibility as a target as well."

The company purchased a number of intrusion-prevention appliances from TippingPoint, a unit of 3Com Corp. of Marlborough, Mass. A single device costs anywhere from $5,000 to $160,000, while its upkeep clocks in at about 20% of the purchase price annually, or up to $32,000, according to TippingPoint's vice president of marketing, Neal Hartsell.

Go Daddy selected TippingPoint in part because of its "Digital Vaccine" service, which analyzes a company's vulnerabilities and develops new filters accordingly. "When you look at the reports from your intrusion-prevention device about what's been blocked, you can't help but sleep better," says Mr. Adelman. "It only takes one thing to get through to cause a problem."

Still, the systems aren't a cure-all. Many companies find that they need to use intrusion-prevention technology in conjunction with other defenses, or to fiddle with it to get it just right.

One problem is false positives. Mr. Adelman and many other executives fear that the systems may block legitimate email and other traffic. Chenxi Wang, a principal analyst for security and risk management at Forrester Research Inc., says most companies that have installed these systems have turned off much of their ability to automatically block incoming traffic. Instead, she says, companies use them mainly to detect threats and flag them.

Beyond those complaints, companies often find they must tune their intrusion-prevention defenses to match their specific security needs -- a lot more hands-on attention than the average firewall needs. That's true right out of the box. When an intrusion-prevention device gets shipped to a company, a number of filters may already be set by default. But companies may not need hundreds or even thousands of them, says Mr. Hartsell of TippingPoint. Say a company uses an Apple Inc. operating system to run its network. It wouldn't need filters designed for the Linux operating system.

From there, companies must make constant adjustments to make sure the systems meet their needs, such as turning off filters if performance slows down or if the systems deliver too many false positives.

An intrusion-prevention system is not a "set it and forget it" technology in the same way that a firewall is, says Brandon Greenwood, a network-security engineer at juice maker XanGo LLC of Lehi, Utah. "To get the most benefit out of the solution, the proper amount of tuning must be put into configuring and maintaining the device."

---

Ms. Ransom is a reporter for SmartMoney.com in New York. She can be reached at [email protected].
