Intrusion prevention systems search and destroy worms

First Citizens Bank, a regional bank based in Raleigh, N.C., got hit by the Code Red worm, but nobody could tell because an intrusion prevention system effectively dealt with the worm.
Written by Brian Ploskina, Contributor on
First Citizens Bank, a regional bank based in Raleigh, N.C., got hit by the Code Red worm.

That's not something you would have read in any news report. First Citizens didn't tell anyone about it, and it didn't have to, because the network operations team there had installed the latest in security technology: an intrusion prevention system that effectively neutered the malicious worm.

"We were looking to get a proof of concept to ourselves that intrusion prevention works," says Jay Ward, First Citizens' senior network security analyst.

The bank's Web servers emerged unscathed by Code Red, a self-propagating program designed to deface Microsoft Web servers.

While most administrators have already become well aware of intrusion detection systems, an intrusion prevention system is a fairly new concept. The two are closely related, and as a tool IPSes are being used alongside IDSes, if not outright replacing them.

But the small differences between those security technologies can make all the difference in the world to an I-manager such as First Citizens' Ward. An IDS is designed to monitor for known attack signatures and sniff out suspicious network behavior. When it finds unusual network activity, the IDS will send an alert to designated operations staffers, while logging and reporting the intrusion's progress.

However, an IDS can't handle the immediate problem: It can't stop the attack as it's happening. That's where IPSes come in. An IPS looks out for these attack signatures, while also watching for suspicious behavior on specific machines in the network. When a server tries to execute a behavior that is not the norm, the IPS will automatically neutralize it with a countermeasure.

"We don't even know [the intrusion] is Code Red - we just know it's misbehaving," says Eric Ogren, vice president of marketing of Okena, which sells an IPS. "What we do is look at how machines should be behaving and enforce that in real-time."

One example of aberrant behavior that an IPS might watch for is a Web server trying to execute telnet or FTP sessions, when its only purpose is to serve up Web pages. Another might be an unusual number of probes from one domain, which would prompt an IPS to shut off access to that domain altogether. Or perhaps some code coming in through the mail gateway and trying to cause Microsoft Outlook to send a virus-laden e-mail automatically to everyone in the address book. All of these scenarios are preventable with an IPS, Ogren says.

With Code Red, for example, First Citizens was able to detect that the worm was trying to scan the Internet for other vulnerable servers in order to propagate itself. The IPS the bank had deployed, developed by Entercept Security Technologies, stopped the activity immediately, using software agents on the targeted servers to terminate the unauthorized outgoing port scans.
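The IDS-versus-IPS distinction the article draws (alert on anomalous behavior versus actively stop it) and the two behaviors it names (a Web server launching an interactive client it has no business running, and a host fanning out connections to many addresses as a worm does when hunting for new victims) can be shown in a small host policy engine. The following is an added illustration written for this page; it is not Entercept's or Okena's code, and the event format, role names, the `SCAN_THRESHOLD` value and the sample events are all assumptions constructed for the example.

```python
"""Toy host behaviour policy engine illustrating the IDS/IPS distinction.
Event format, roles, thresholds and sample data are assumptions for this
example, not any vendor's product."""
from collections import defaultdict
from dataclasses import dataclass, field

# Per-role allow-list of programs a host may launch (assumed policy).
# A Web server only serves pages, so telnet or ftp clients are outside its norm.
ROLE_POLICY = {
    "web": {"httpd", "logrotate"},
    "mail": {"sendmail", "clamd"},
}
# Distinct destination hosts on one port that count as an outbound scan (assumed).
SCAN_THRESHOLD = 20


@dataclass
class Event:
    host: str
    role: str
    kind: str     # "exec" (program launched) or "connect" (outbound connection)
    detail: str   # program name for exec, "dst_ip:port" for connect


@dataclass
class Engine:
    mode: str     # "ids": only alert; "ips": also block the offending activity
    actions: list = field(default_factory=list)
    # host -> port -> set of distinct destination IPs seen on that port
    _dests: dict = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(set)))

    def _decide(self, host, reason):
        # The only difference between the two modes: an IDS records and alerts,
        # an IPS applies a countermeasure (here represented by "block").
        action = "block" if self.mode == "ips" else "alert"
        self.actions.append((action, host, reason))
        return action

    def process(self, ev):
        if ev.kind == "exec":
            allowed = ROLE_POLICY.get(ev.role, set())
            if ev.detail not in allowed:
                return self._decide(
                    ev.host, f"unexpected program {ev.detail} on {ev.role} server")
            return "allow"
        if ev.kind == "connect":
            dst, port = ev.detail.rsplit(":", 1)
            seen = self._dests[ev.host][port]
            seen.add(dst)
            if len(seen) >= SCAN_THRESHOLD:
                return self._decide(
                    ev.host, f"outbound scan: {len(seen)} hosts on port {port}")
            return "allow"
        return "allow"


def run(mode, events):
    """Feed events through an engine in the given mode; return per-event
    decisions and the list of (action, host, reason) tuples raised."""
    eng = Engine(mode)
    results = [eng.process(e) for e in events]
    return results, eng.actions


# Constructed sample: a Web server spawns telnet, then opens connections to
# port 80 on 25 different addresses, the pattern of a worm probing for victims.
SAMPLE_EVENTS = [
    Event("www1", "web", "exec", "httpd"),
    Event("www1", "web", "exec", "telnet"),
] + [Event("www1", "web", "connect", f"203.0.113.{i}:80") for i in range(1, 26)]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        _, actions = run(mode, SAMPLE_EVENTS)
        for action, host, reason in actions:
            print(f"[{mode}] {action} {host}: {reason}")
```

Run as a script it prints the same seven findings twice, once labelled `alert` and once `block`: the detection logic is identical, and what separates the two products in the article is only what happens once the engine has decided. A real agent would back the `block` path with a concrete countermeasure (terminating the process or dropping the connection) and would need the usual tuning of the role policy and scan threshold to keep false positives from disrupting legitimate traffic.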

"With the old-fashioned IDS system, the way they were set up, your locks are bolted and the alarm system is activated, but the intruder's still in your home," says Lou Ryan, Entercept's president and CEO. "That promise was arcane and unfulfilling."

Nir Zuk, chief technology officer of security software vendor One-Secure, agrees that a traditional IDS is essentially useless. "Let's just say right now it's extremely simple to evade intrusion detection," Zuk says. Any hacker worth his salt, he says, can bypass an IDS in his sleep.

The IPS field is already being colonized by both startups and established vendors. IDS suppliers that have incorporated some form of intrusion prevention in their products include Cisco Systems, Computer Associates International, CyberSafe, Internet Security Systems, Intrusion.com, Network Associates Inc., NFR Security, SecureWorks and Symantec. There's even an open source option: a lightweight IDS called Snort, which is available for several different operating systems (OSes).

A related group of companies, which includes Argus Systems Group, Sanctum and WatchGuard Technologies, supplies technology that locks down applications and OSes to prevent intruders from taking advantage of them, but doesn't actively monitor for new threats.

Security experts say the growing interest in IPSes has been largely due to the Code Red worm.

"Anything like Code Red that's big in the news starts to remind people how vulnerable they really are," says Sheila Droski, ISS' product manager of intrusion detection technologies.

Droski believes Code Red was a watershed event because it spread faster than any administrator could read an alert telling him or her what the problem was.

In fact, IDSes blipped their way onto many I-managers' radar screens in a similar way. Last year, there was a spurt of denial-of-service attacks on well-known e-commerce sites such as eBay and Yahoo!, and suddenly interest in the relatively little-known technology called intrusion detection ballooned. "Before that, you only had the early adopters and financial institutions who understood it actually using it," Droski says. "Once those attacks hit, we saw growth in mainstream interest, and that's been growing strongly ever since."

Code Red's journey through the Internet was mirrored in the mainstream of pop culture. The worm popped up on local news channels and The Tonight Show With Jay Leno. In all the attention, one thing that stood out about Code Red was the prevailing notion that its rapid spread could have been easily prevented if Web administrators who were running Microsoft Internet Information Server (IIS), which was susceptible to the worm, had patched those systems.
