
Intrusion Detection Systems:
IntruVert Networks

You're looking at the next generation of IDS products. IntruVert Networks' IntruShield system offers intrusion detection and prevention with a degree of flexibility and functionality that's difficult to rival.

by Jeff Goldman
[June 5, 2002]

In February 2000, when a series of denial of service attacks were leveled at Yahoo, CNN and other high profile websites, Parveen Jain and Ramesh Gupta were among the many who took notice. By the end of the year, the two had founded IntruVert Networks with the intention of developing an innovative product that could provide reliable protection against a wide range of attacks.

That product, the IntruShield system, was finally announced last month for release later this summer. Raj Dhingra, IntruVert's Vice President of Marketing, explains that the interim has been spent in extensive research and development. "Since October of 2000, we've been working to build a company that could actually deliver a lot of innovation in the intrusion detection market," he said.

IntruVert Networks
3200-A North First Street
San Jose, CA 95134
Voice: (408) 434-8300
E-mail: info@intruvert.com


One of IntruVert's strengths, Dhingra suggests, is the fact that Gupta (now the company's vice president of engineering) is able to see things from the customer's perspective. "Ramesh ran HP's worldwide IT infrastructure for 14 years, so he's very sensitive to customer deployment issues, manageability issues, and cost of ownership issues," Dhingra said.

The company doesn't lack expertise from other perspectives, either. "We've got hardware people from Cisco that built the Catalyst switching product line," Dhingra said. "And we have people in software doing the management that were at HP as well, doing the HP management software for provisioning and billing. We have a pretty strong team."

The research that Gupta and Jain have been conducting for the past two years, Dhingra says, has shown that customers are experiencing frustration in three key areas. The first is accuracy, regarding both false negatives and false positives. The second is the challenge of deploying IDS in a switched network. And the third is the difficulty of acquiring and retaining the skilled personnel you need to operate the system.

"The major frustration we heard is that these are not issues that are new," Dhingra said. "Customers have been expressing this to their vendors, but there has been little or no innovation coming back in the industry. Now you're just starting to see the next generation of intrusion detection systems—and we've looked at the problem more comprehensively than some of the other people making that claim."

Better than aspirin
The products that make up the IntruShield system include two sensor appliances (the 600 Mbps IntruShield 2600 and the 2 Gbps IntruShield 4000) and two management solutions, IntruShield Manager and IntruShield Global Manager. Manager is designed to support deployments of up to three sensors, while Global Manager can support several hundred.

To respond to the first area of frustration, regarding accuracy, Gupta and Jain combined three different methods of detection in one product. "We're the first to integrate signature, anomaly, and denial of service detection on a single purpose-built platform," Dhingra said. "That means an ISP can actually deliver a service that says, 'We provide comprehensive protection against all kinds of attacks.'"

[Figure: Four modes of IntruShield deployment.]

In addition, IntruShield performs full stateful inspection on every packet. "We can reconstruct TCP streams and IP fragments," Dhingra said. "If an attacker is trying to fragment an exploit and send it so it gets reconstructed at the destination, we can actually determine if there is a network attack occurring, because we can reconstruct that within the sensor itself."
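The reassembly point above, as an added example (not IntruVert's code and not part of the original article): a sensor that matches a signature fragment by fragment misses a pattern split across IP fragments, while one that reassembles first catches it. The signature, the `(offset, more_fragments, payload)` tuples and all function names are constructed for illustration.

```python
# Added example with constructed data; not IntruShield code.
SIGNATURE = b"CONSTRUCTED-BAD-PATTERN"  # placeholder pattern, not a real signature

def match_per_fragment(fragments, sig=SIGNATURE):
    """Naive sensor: inspect each fragment payload on its own."""
    return any(sig in payload for _, _, payload in fragments)

def reassemble(fragments):
    """Rebuild a datagram payload from (offset, more_fragments, payload).

    Returns (data, conflict). data is None while the datagram is incomplete
    (a gap, or the last fragment has not arrived). conflict is True when
    overlapping fragments disagree on a byte, which is worth an alert itself.
    """
    buf, conflict, total = {}, False, None
    for offset, more, payload in fragments:
        for i, b in enumerate(payload):
            if buf.get(offset + i, b) != b:
                conflict = True          # keep the first-seen byte, flag it
            buf.setdefault(offset + i, b)
        if not more:                     # last fragment fixes the total length
            total = offset + len(payload)
    if total is None or any(i not in buf for i in range(total)):
        return None, conflict
    return bytes(buf[i] for i in range(total)), conflict

def inspect(fragments, sig=SIGNATURE):
    """Stateful sensor verdict: 'alert', 'anomaly', 'clean' or 'pending'."""
    data, conflict = reassemble(fragments)
    if conflict:
        return "anomaly"
    if data is None:
        return "pending"
    return "alert" if sig in data else "clean"

# Constructed sample: the pattern straddles two fragments that arrive out of order.
PAYLOAD = b"GET /" + SIGNATURE + b" HTTP/1.0\r\n\r\n"
CUT = 16  # IPv4 fragment offsets are multiples of 8 bytes
SPLIT = [(CUT, False, PAYLOAD[CUT:]), (0, True, PAYLOAD[:CUT])]

if __name__ == "__main__":
    print("per-fragment match:", match_per_fragment(SPLIT))
    print("after reassembly:  ", inspect(SPLIT))
```
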

In response to deployment concerns, IntruShield sensors can accommodate a wide range of deployment options (above). Most importantly, they can be positioned in-line to drop malicious packets in real time, providing active intrusion detection and prevention. They can also be deployed in SPAN mode or tap mode, enabling real time TCP resets or firewall reconfiguration.

Regarding personnel issues, IntruShield can't make your security team smarter—but it can lighten the load they face. The system's management interface offers a highly graphical view with drill down capability, and sensors can be clustered in admin domains to assign them to individual security personnel or groups (below). "There's a lot of richness built in that an ISP can take advantage of," Dhingra said.

[Figure: IntruVert's GUI system.]

All updates are fully automated, allowing personnel to focus on other tasks. "An IntruVert update server is polled by the Manager on a regular basis, and the Manager then downloads the latest signature without any human intervention," Dhingra said. "And those updates can be downloaded to the sensors also without human intervention, without requiring a sensor reboot."

The complexity of the offering doesn't necessarily mean that it's time-consuming to implement. "We've had sensors come up and be alerting in about 10 to 30 minutes—and then you can further tune your intrusion policy," Dhingra said. "It's a multi-phase process: get the system up and running, get the default policies in place, and then you can keep fine tuning the policies as necessary."

Virtual customers
For ISPs in particular, IntruShield's Virtual IDS capability could be a great asset. A single IntruShield sensor can be segmented into a number of virtual sensors, each with an individual security policy. Each Virtual IDS can be defined using IP addresses, VLAN tags, or sensor ports. Dhingra says the Virtual IDS concept was created specifically to address the needs of service providers (below).

[Figure: IntruVert architecture.]

"Imagine that you have a high speed intrusion detection sensor like our 4000 deployed at an aggregation point," Dhingra said. "It can create up to 1000 Virtual IDS domains. That's a huge advantage for an ISP, because now they can offer differentiated levels of service, providing real distinction between what one customer wants versus what another customer wants, and what actions might be taken."

The 600 Mbps IntruShield 2600 will be priced at $35,000, while the high performance 2 Gbps IntruShield 4000 will cost $100,000. Ongoing technical support will be available for a standard percentage of the list price, with some flexibility and options available. "We're certainly happy to work with customers on that," Dhingra said.

Gartner Analyst Richard Stiennon is extremely enthusiastic about the functionality that the IntruShield system has to offer. "It's in what I think is a completely new sector, network intrusion prevention," Stiennon said.

The only product that Stiennon sees as directly competitive to IntruShield is OneSecure's Intrusion Detection and Prevention (IDP) system. Other potential competitors include TippingPoint and Check Point, which has announced but not yet released its SmartDefense product.

OneSecure's IDP and IntruVert's IntruShield share very similar approaches, which Stiennon says bodes well for the viability of the security sector. Still, he notes, even the most advanced system can only do so much. "There are always going to be things to be concerned about," he said. "If your CFO is absconding with funds and has got complete access to the system, it's not going to stop that."

Regardless, Stiennon is extremely excited about the significant advancements being presented by both IntruVert and OneSecure. "I'm more optimistic about this than I am about anything else I've seen in the security space in the last two years," he said.

— End
