A key addition to IDP 3.0 is a module the firm calls Enterprise Security Profiler (ESP), which logs sessions, whether or not they are attacks, to give the administrator a better idea of what is happening on her network.
IDP, for intrusion detection and prevention, can be deployed as a passive listening device, like an intrusion detection system, or to actively block attacks as they pass over the wire. Many customers, however, lack the confidence to turn on blocking.
NetScreen product line manager Ajit Sancheti said that up to half of customers take between one and three months with IDP configured to act like IDS before they have the confidence to turn blocking on without fear of too many false positives.
Sancheti added that the firm has started seeing customers that will deploy IDP inline right away, but said: "About 20% to 30% of users have not gone inline, but we expect that to change, as customers with support contracts will get these new features."
ESP can be used for basic attack forensics, to help spot new networked devices or applications, and to provide data that helps administrators fine-tune their blocking policies to minimize false positives before going into blocking mode.
"The amount of information we had before was minimal, and because it was minimal, people were afraid to go inline," Sancheti said. He said that ESP also means customers don't have to look elsewhere for network profiling software.
Also new is what Sancheti called compound signatures, which he said are attack signatures that combine the two main intrusion prevention algorithm types – attack signature recognition and protocol anomaly detection.
Protocol anomaly detection helps catch things like buffer overflow attacks. Sancheti said these compound signatures mean the IDP devices are more accurate at catching attacks, and users are therefore more comfortable turning blocking on.
Also new is the ability for the devices to identify hosts that are opening far more simultaneous connections than usual and, assuming they are worm-infected, isolate them from the rest of the network.
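A sketch of the kind of check described in the paragraph above, added here as an example; it is not NetScreen's code. The record format, the `factor` and `floor` thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def peak_concurrent(events):
    """events: (time_ms, host, "open"|"close"). Returns {host: peak simultaneous connections}."""
    current, peak = defaultdict(int), defaultdict(int)
    # At equal timestamps process closes first, so back-to-back sessions do not overlap.
    for _, host, kind in sorted(events, key=lambda e: (e[0], e[2] != "close")):
        if kind == "open":
            current[host] += 1
            peak[host] = max(peak[host], current[host])
        elif current[host] > 0:  # ignore a close whose open fell outside the window
            current[host] -= 1
    return dict(peak)

def hosts_to_isolate(baseline, events, factor=5, floor=20):
    """Flag hosts whose peak exceeds max(floor, factor * median of earlier peaks).
    factor and floor are assumed tuning values, not vendor defaults."""
    flagged = []
    for host, peak in sorted(peak_concurrent(events).items()):
        usual = median(baseline[host]) if baseline.get(host) else 0
        if peak > max(floor, factor * usual):
            flagged.append((host, peak, usual))
    return flagged

def burst(host, count, hold_ms, start_ms=0):
    """Constructed traffic: `count` connections opened 10 ms apart, each held hold_ms."""
    out = []
    for i in range(count):
        t = start_ms + 10 * i
        out += [(t, host, "open"), (t + hold_ms, host, "close")]
    return out

# Constructed sample data (addresses and counts are made up for the example).
BASELINE = {"10.0.0.5": [3, 4, 2, 5], "10.0.0.7": [2, 3, 2], "10.0.0.9": [40, 38, 45]}
WINDOW = (
    burst("10.0.0.5", 4, 30_000)      # ordinary workstation
    + burst("10.0.0.7", 60, 30_000)   # workstation suddenly holding 60 connections open
    + burst("10.0.0.8", 100, 5)       # many connections, but one at a time
    + burst("10.0.0.9", 50, 30_000)   # busy proxy, within its own normal range
    + burst("10.0.0.33", 25, 30_000)  # host with no history: only the floor applies
)

if __name__ == "__main__":
    for host, peak, usual in hosts_to_isolate(BASELINE, WINDOW):
        print(f"isolate {host}: peak {peak} simultaneous connections, usual {usual}")
```

Comparing each host with its own history keeps the busy proxy from being flagged, and counting simultaneous rather than total connections keeps the sequential client from being flagged.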
The new software features are available across all four models of IDP device, but not in NetScreen’s firewalls, which contain a limited subset of IDP functionality based on the same technology. Prices range from $7,995 to $49,995.
This article is based on material originally published by ComputerWire