Sun, June 15, 2003 — CIO — The SQL Slammer worm began its rampage shortly after midnight on Jan. 25, 2003. Within days, the insidious piece of code had infected more than 120,000 computers, slowed Internet traffic, crashed sites and even disabled ATMs, costing companies an estimated $1 billion in lost productivity worldwide, according to analyst firm Mi2g. The irony? Slammer exploited a vulnerability in SQL Server for which Microsoft had already issued a patch—six months earlier.

It’s not that IT administrators are lazy or negligent—it’s that locking down operating systems and applications has become an almost unmanageable job. The CERT Coordination Center recorded 417 security vulnerabilities in 1999. By 2002, there were 4,129 new vulnerabilities.

This situation makes the newest class of security technologies—intrusion prevention systems (IPSs)—look pretty good. Supplementing patches, firewalls and other traditional approaches to security, an IPS can provide security at the most fundamental levels: the operating system kernel and the network data packet. An IPS can also be cheap insurance: Host-based systems can cost as little as a few thousand dollars per server, while network-based IPS appliances typically cost between $10,000 and $90,000, plus ongoing support fees.

"It makes sense to protect the host so that if all else fails, it will have a better chance of standing alone on its own two feet," says Bill Stevenson, information security officer for New Century Mortgage. His company has been using host-based intrusion prevention from Entercept since late 2000 as a major part of the back-field defense for its servers. So far, it’s worked: New Century’s IPS successfully repulsed Slammer.

Don’t Tell Me, Fix It!

Interest in intrusion prevention is increasing, thanks in part to a growing disenchantment with intrusion detection systems (IDSs), which notify administrators of attacks but don’t actually stop those attacks. Market maturity is also a factor, as demonstrated by the acquisition of IPS company OneSecure by Netscreen along with planned acquisitions by Cisco (of Okena) and Network Associates (of Entercept and Intruvert).

These factors should spark significant growth in the IPS space. Market research company Infonetics estimates the combined intrusion detection and intrusion prevention market will grow to $1.6 billion by 2006, with IPS accounting for the majority of the growth.

Market Confusion

Intrusion detection vendors, such as Cisco, Internet Security Systems and SourceFire, are retooling their products to proactively stop network attacks. CheckPoint and NetScreen are adding IPS capabilities to their firewalls. And dozens of smaller vendors are touting security add-ons, secure Web servers and even ordinary firewalls as "intrusion prevention systems."