Intrusion Detection Systems (IDS) have been so thoroughly marketed that it seems that every company is now claiming to be better than IDS. Captus Networks is selling a solution to ISPs that is designed to detect and prevent intrusions before human managers are aware of them.

by Alex Goldman ISP-Planet Associate Editor [June 30, 2003]

Woodland, Calif.-based Captus Networks released an intrusion detection appliance, the Captus 4000, in February of this year, but, says Stephen Schramke, Captus president and CEO, ISPs told the company that security wasn't enough. "ISPs told us that if we didn't make the net faster or cheaper they wouldn't buy from us."

So it was back to the drawing board. Schramke says that in the development process, he had the advantage of an alliance with UC Davis. "We provide lab facilities for them to test attacks against our equipment," he says.

Once the technology was perfected in the lab, Schramke went back to ISPs and other customers. "We exposed our technology to real customers who told us what to keep and what to throw away. That's much better than a development-only environment."

Captus came up with a system of what it calls "dynamic policies." Wheras a "static policy" is very specific, such as "block port 80," a dynamic policy describes how the network is supposed to behave, with a specific action if it does not. For example, if traffic to and from a particular server or mailbox exceeds 300 Kbps for more than 10 seconds, throttle traffic down to 300 Kbps. If it runs at 300 Kbps for one hour, throttle it again, down to 100 Kbps.

"In a typical blacklist scenario," Scramke says, "if you're being attacked, you block an entire subnet just to block one bad guy, and if innocent people get blocked too, well, that's just too bad. It's like hitting a flea with a sledgehammer."

Captus says its policies can cover:

• Any combination of source and destination addresses, source and destination ports, protocols, and flags for match condition
• Any combination of rate and time for trigger conditions; the system supports multiple triggers per match condition
• AND/OR Boolean logic for comparisons
• Individual and/or aggregate tracking
• Over 1000 possible traffic subsets or "areas," with over 1000 policies per "area" possible

Scramke says that network operators are finding traditional intrusion detection to have significant total ownership costs. "There's an ongoing lifecycle cost. Most buyers did not anticipate the need to buy more storage to archive files for trend analysis. A complete set of parameters could generate 40 MB to 60 MB of files each day, and if you fall behind, you're doomed. One of our customers had operated an IDS for a year and then turned it off. Companies today simply cannot afford to feed a machine with a body."

He says that it became obvious that the machine would have to make the technical staff more powerful, and not require constant attention.

With the Captus 4000, Schramke says that ISPs go through a two stage process. First they write policies to generate alerts but take no action. "When they see alerts when they should and don't see them when they shouldn't then they put it into active enforcement, throttling, redirecting, or denying traffic. Look, even if you don't put Captus in your network, you need to do something."

The product's element management software can perform the following functions: configuration, reporting, backup and restore, and upgrade features. It can report intrusions in a graphical interface (GUI), and can handle policy updates and changes through either a GUI or a command line interface (CLI). It does allow ISPs to build whitelists and blacklists

The product uses 275 Watts and weighs 35 pounds. It has a 1.13 GHz Pentium III processor with a 133 MHz frontside bus (FSB). It has a 512 K level 2 cache, 512 MB of SDRAM, and an 18 GB SCSI hard drive.

Cutting costs, increasing security
We spoke to Brian Turbow, founder, president, and CTO of Myrient, a network service provider that is restructuring (OTCBB: MYNT). The company does not have money for new products, unless they will cut costs.

Turbow says the box does exactly that. "It's like a big layer 2 bridge that watches stuff cross the bridge and kills it before it gets to the servers. When you've got hundreds of customers on the same infrastructure, a single DoS attack against one customer can bring them all down."

He says that the box allows his company to react quicker, and that translates into cost savings. "In theory, if you had a router jockey watching the routers constantly, he could do the same, but I'd rather pay less trained people who can react to the information provided by Captus."

He notes that Myrient has tweaked the rule set that Captus provided. "Some customers have a financial transaction stream going to a database, a predictable, low bandwidth data stream. Others, such as architects, send and receive huge files, causing traffic to bust. We change the parameters so the box monitors different customers' bandwidth differently, and we're able to protect everyone with the same box."

He said the box is worth "half a head of payroll" meaning that someone can watch Captus information and have another job duty as well. He said the company implemented Cisco IDS, which is great for forensic studies of attacks, but needed to prevent attacks.

Turbow says he was tired of "the emergency scenario" and that Captus prevents emergencies. He cited a recent example. "One of our customers had set up Microsoft SQL 7 on their own box, and by the time the guy had locked the cage door, the box was infected with the slammer worm and was attacking Cornell University. Captus shut his whole subnet down. We called him while he was in our car park, and got him before he'd gone home. A dual Pentium III box will do 90 Mbps or more when infected with the slammer worm. I wonder what the cut rate webhosts are doing. Those poor bastards are looking at blinking lights to see what's wrong. We can just put a general rule set on the Captus box."

Turbow says his company still uses the Cisco IDS for forensics, and also uses a host-based IDS from eeye.com called blink IDS. "Layered security is really effective. There's no one-box-fixes-everything scenario."

Pricing and availability
The Captus 4000 is available now. Pricing starts at $12,000 for the box. Element management and reporting software is an additional $10,000.

—End