First Citizens Bank, a regional bank based in Raleigh,
N.C., got hit by the Code Red worm.
That's not something you would have read in any
news report. First Citizens didn't tell anyone about
it, and it didn't have to, because the network operations
team there had installed the latest in security technology:
an intrusion prevention system that effectively neutered
the malicious worm.
"We were looking to get a proof of concept to ourselves
that intrusion prevention works," says Jay Ward, First
Citizens' senior network security analyst.
The bank's Web servers emerged unscathed by Code
Red, a self-propagating program designed to deface
Microsoft Web servers.
While most administrators have already become well aware
of intrusion detection systems, an intrusion prevention
system is a fairly new concept. The two are closely
related, and as a tool IPSes are being used alongside
IDSes, if not outright replacing them.
But the small differences between those security
technologies can make all the difference in the world
to an I-manager such as First Citizens' Ward. An IDS
is designed to monitor for known attack signatures
and sniff out suspicious network behavior. When it
finds unusual network activity, the IDS will send
an alert to designated operations staffers, while
logging and reporting the intrusion's progress.
However, an IDS can't handle the immediate problem:
It can't stop the attack as it's happening. That's
where IPSes come in. An IPS looks out for these attack
signatures, while also watching for suspicious behavior
on specific machines in the network. When a server
tries to execute a behavior that is not the norm,
the IPS will automatically neutralize it with a countermeasure.
"We don't even know [the intrusion] is Code
Red - we just know it's misbehaving," says Eric Ogren,
vice president of marketing of Okena, which sells
an IPS. "What we do is look at how machines should
be behaving and enforce that in real time."
One example of aberrant behavior that an IPS might
watch for is a Web server trying to execute telnet
or FTP sessions, when its only purpose is to serve
up Web pages. Another might be an unusual number of
probes from one domain, which would prompt an IPS
to shut off access to that domain altogether. Or perhaps
some code coming in through the mail gateway and trying
to cause Microsoft Outlook to send a virus-laden e-mail
automatically to everyone in the address book. All
of these scenarios are preventable with an IPS, Ogren
With Code Red, for example, First Citizens was able
to detect that the worm was trying to scan the Internet
for other vulnerable servers in order to propagate
itself. The IPS the bank had deployed, developed by
Entercept Security Technologies, stopped the activity
immediately, using software agents on the targeted
servers to terminate the unauthorized outgoing port
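To make the behaviour-enforcement idea concrete, here is a toy host-based prevention policy that encodes the three scenarios the article describes (a Web server launching telnet or FTP, repeated probes from one source, and a Web server initiating outbound connections the way Code Red did when scanning for new victims). This is an added illustration, not code from Entercept, Okena or the bank; the process name, event format and thresholds are assumptions.

```python
"""Toy host-based intrusion prevention policy engine. Added illustration,
not Entercept, Okena or First Citizens code. The IIS process name, the
event tuple format and PROBE_LIMIT are assumptions for the example."""
from collections import defaultdict

# Policy for a machine whose only job is serving Web pages (assumed):
# the Web server process may not launch other programs and may not
# initiate connections; a single source gets at most PROBE_LIMIT inbound
# probes before it is blocked outright.
WEB_PROCESS = "inetinfo.exe"   # IIS service process name, assumed
PROBE_LIMIT = 3

def evaluate(events):
    """events: list of (process, kind, target) tuples with kind in
    {"exec", "connect_out", "probe_in"}. Returns one (action, reason)
    per event; "terminate" models the agent killing the activity."""
    probes = defaultdict(int)   # inbound probe count per source address
    blocked = set()             # sources already cut off
    verdicts = []
    for process, kind, target in events:
        if kind == "probe_in":
            if target in blocked:
                verdicts.append(("drop", f"{target} already blocked"))
                continue
            probes[target] += 1
            if probes[target] > PROBE_LIMIT:
                blocked.add(target)
                verdicts.append(("block_source", f"{probes[target]} probes from {target}"))
            else:
                verdicts.append(("allow", "probe count within limit"))
        elif process != WEB_PROCESS:
            verdicts.append(("allow", "process not constrained by policy"))
        elif kind == "exec":
            verdicts.append(("terminate", f"{process} tried to run {target}"))
        elif kind == "connect_out":
            verdicts.append(("terminate", f"{process} initiated connection to {target}"))
        else:
            verdicts.append(("allow", "within policy"))
    return verdicts

# Constructed sample: an unconstrained process, a telnet launch from the Web
# server, Code Red-style outbound scanning, and repeated probes from one host.
SAMPLE_EVENTS = [
    ("svchost.exe", "exec", "cmd.exe"),
    (WEB_PROCESS, "exec", "telnet.exe"),
    (WEB_PROCESS, "connect_out", "198.51.100.7:80"),
    (WEB_PROCESS, "connect_out", "198.51.100.8:80"),
] + [("network", "probe_in", "203.0.113.9")] * 5

if __name__ == "__main__":
    for (action, why) in evaluate(SAMPLE_EVENTS):
        print(f"{action:13} {why}")
```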
"With the old-fashioned IDS system, the way they
were set up, your locks are bolted and the alarm system
is activated, but the intruder's still in your home,"
says Lou Ryan, Entercept's president and CEO. "That
promise was arcane and unfulfilling."
Nir Zuk, chief technology officer of security software
vendor One-Secure, agrees that a traditional IDS is
essentially useless. "Let's just say right now it's
extremely simple to evade intrusion detection," Zuk
says. Any hacker worth his salt, he says, can bypass
an IDS in his sleep.
The IPS field is already being colonized by both
startups and established vendors. IDS suppliers that
have incorporated some form of intrusion prevention
in their products include Cisco Systems, Computer
Associates International, CyberSafe, Internet Security
Systems, Intrusion.com, Network Associates Inc., NFR
Security, SecureWorks and Symantec. There's even an
open source option: a lightweight IDS called Snort,
which is available for several different operating
A related group of companies, which includes Argus
Systems Group, Sanctum and WatchGuard Technologies,
supplies technology that locks down applications and
OSes to prevent intruders from taking advantage of
them, but doesn't actively monitor for new threats.
Security experts say the growing interest in IPSes
has been largely due to the Code Red worm.
"Anything like Code Red that's big in the news starts
to remind people how vulnerable they really are,"
says Sheila Droski, ISS' product manager of intrusion
Droski believes Code Red was a watershed event because
it spread faster than any administrator could read
an alert telling him or her what the problem was.
In fact, IDSes blipped their way onto many I-managers'
radar screens in a similar way. Last year, there was
a spurt of denial-of-service attacks on well-known
e-commerce sites such as eBay and Yahoo!, and suddenly
interest in the relatively little-known technology
called intrusion detection ballooned. "Before that,
you only had the early adopters and financial institutions
who understood it actually using it," Droski says.
"Once those attacks hit, we saw growth in mainstream
interest, and that's been growing strongly ever since."
Code Red's journey through the Internet was mirrored
in the mainstream of pop culture. The worm popped
up on local news channels and The Tonight Show With
Jay Leno. In all the attention, one thing that stood
out about Code Red was the prevailing notion that
its rapid spread could have been easily prevented
if Web administrators who were running Microsoft Internet
Information Server (IIS), which was susceptible to
the worm, had patched those systems.