False Alarms on the Firewall

How can you separate a legitimate security threat from routine traffic? A recently upgraded software product can help.


Computer security experts are fond of reminding people just how vulnerable their defenses really are. And for good reason: No security system, no matter how comprehensive or well-designed, can thwart every possible attack directed against it. Hackers and virus programmers are constantly coming up with new tricks, and system administrators can’t anticipate — much less prevent — each and every one of them. Witness September’s Slapper worm, which targeted the popular Apache Web server, or last month’s denial-of-service attacks on the Internet’s central domain name servers. Both came out of nowhere and did substantial damage before system administrators were able to put countermeasures in place.

To help keep their networks safe, many companies have started using intrusion detection systems, or IDSs. Cisco (CSCO) and Internet Security Systems both sell proprietary IDSs, and there’s a popular open-source version known as Snort. The software in these systems acts a bit like the alarms and security cameras in a bank: It doesn’t actually stop the crime, but it does warn you when an attack is in progress and provides a record of what happened, in order to help you catch the hacker or prevent similar attacks in the future.

That’s the theory, at any rate. The unfortunate reality is that IDSs typically generate a lot of “false positives” — like car alarms on city streets, they’re going off all the time even when there’s no real threat, which makes them more of a nuisance than a genuine deterrent. “There’s too much traffic out there that’s normal but looks suspicious to an IDS,” says Pete Lindstrom, research director for Spire Security. Your IT staff can tune the IDS to your network environment, reducing the number of false alarms, but that takes effort and time — months, in many cases.

ForeScout Technologies offers one of several responses to the problem of false positives. It sells security software called ActiveScout that works like an IDS, watching the traffic going in and out of your network for any suspicious activity. But when it detects something suspicious — for example, someone scanning your servers for open ports or requesting a username and password — the software goes active, sending out a bogus, “tagged” response. To the person doing the scanning, this looks like an ordinary reply, but if he tries to act on that information (say, by using the supplied username and password), he’ll give away his true status as an interloper. ActiveScout will immediately block that person’s access to your network, and only then will it notify your network managers.

The strategy works better than passive IDSs because most network attacks are preceded by some kind of reconnaissance. If you can correctly identify the reconnaissance, you can more effectively avert the subsequent attack.
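
The tagged-response idea described above, as an added Python example (not ForeScout's code; the article does not describe how ActiveScout implements it). The event format, `TaggedResponder`, `decoy_for`, the secret and the sample addresses are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: a per-deployment secret

def decoy_for(src):
    """Derive a bogus username/password pair unique to the probing source."""
    tag = hmac.new(SECRET, src.encode(), hashlib.sha256).hexdigest()
    return "svc_" + tag[:6], tag[6:18]

class TaggedResponder:
    def __init__(self):
        self.issued = {}      # decoy credential -> source it was handed to
        self.blocked = set()  # sources caught acting on a decoy
        self.alerts = []      # raised only after a block, as in the article

    def handle(self, event):
        src = event["src"]
        if src in self.blocked:
            return "dropped"
        if event["kind"] == "probe":
            # Suspicious but unproven: answer with tagged data, raise no alarm.
            self.issued[decoy_for(src)] = src
            return "decoy_sent"
        cred = (event.get("user"), event.get("password"))
        if event["kind"] == "login" and cred in self.issued:
            # Nobody legitimate can know a decoy, so its use is conclusive.
            self.blocked.add(src)
            self.alerts.append({"blocked": src, "probe_src": self.issued[cred]})
            return "blocked"
        return "passed"  # not flagged here; normal authentication still applies

def demo():
    user, password = decoy_for("203.0.113.9")
    events = [  # constructed sample traffic (documentation address ranges)
        {"kind": "login", "src": "198.51.100.7", "user": "alice", "password": "pw"},
        {"kind": "probe", "src": "203.0.113.9"},
        {"kind": "login", "src": "203.0.113.50", "user": user, "password": password},
        {"kind": "login", "src": "203.0.113.50", "user": "root", "password": "x"},
    ]
    responder = TaggedResponder()
    return [responder.handle(e) for e in events], responder

if __name__ == "__main__":
    outcomes, responder = demo()
    print(outcomes, responder.alerts)
```

Because the alert fires only when a decoy credential comes back, the ordinary login in the sample never produces one, and the alert ties the blocked address to the earlier probe even though the two came from different sources.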

ForeScout, which released a new version of ActiveScout this week, has about 20 corporate customers so far. One of them is Risk Management Systems, which provides risk analysis services to insurance companies and other financial institutions and has been using ActiveScout for about a year. According to Barry Choisser, the firm’s network manager, no attacks have made it past the system’s defenses during that time, despite frequent, often hourly, attempts. Nor has ActiveScout mistakenly blocked any legitimate traffic. It hasn’t required much maintenance — a boon for Choisser, who oversees just two people responsible for defending the company’s California headquarters as well as offices in North America, Europe, and Asia — and hasn’t needed the frequent tweaking that most IDSs (and most security tools of any type, for that matter) require to recognize and respond to the newest attacks.

ActiveScout isn’t alone in this battle. Other IDS vendors, such as IntruVert Networks, are using sophisticated analysis techniques to identify and stop network attacks more quickly and effectively. None are perfect. That’s why you still need firewalls, virus scanners, and other security measures. But these developments in IDS technologies should be welcome news for companies defending their virtual borders against an increasingly sophisticated crowd of viruses, worms, and hackers.
