|
|
|
|
|
|
| ISP Resources |
| ISP-Lists ISP Glossary ISP News The List ISPCON Events Free Newsletters |
|
|
|
||
| internet.commerce | ||
|
Partner With Us |
Intrusion
Detection Systems:
OneSecure
With an active IDS product that can both detect and stop
attacks, OneSecure is looking at intrusion detection in a whole new way.
[March 20, 2002] |
 |
OneSecure was founded in 1999 by Nir Zuk and Rakesh Loonkar. Prior to founding the company, Zuk was a principal engineer at Check Point Software, and Loonkar was President and Founder of InfoSolv, a San Francisco-based security integrator. Zuk, now OneSecure's chief technology officer, explains that the company's focus has recently shifted from managed security services to software.
"Customers started telling us, 'We love your technology, but we want
to run it ourselves: we don't want it as a service,'" Zuk said. "So last
July, we made the switch to selling it as a software product. We took
a few months to package everything, to develop the things that were missing,
and we just recently started selling our technology as a product."
|
OneSecure
|
 |
Zuk contends that the company's greatest strength is the experience of its team. Both Zuk and Robert Ma, OneSecure's Vice President of Marketing, previously worked at Check Point. Roger Hegland, One Secure vice president of sales, came from Internet Security Systems. "We have some substantial security experience at OneSecure, and we're using that experience to develop our products," Zuk said.
The company's first product, launched on February 25, 2002 is the OneSecure
Intrusion
Detection and Prevention (IDP) appliance. The product sits in-line
either behind or in front of the firewall, and both detects and stops
attacks as they occur. Zuk says the system was developed to address three
key issues: accuracy, management, and prevention (below).
 |
Exacting detection
Regarding accuracy, Zuk says, the first problem OneSecure faced was false
positives. It's an issue common to most IDSes on the market today. "The
way we view those IDSes is as a burglar alarm, and not a very good one,"
Zuk said. "It goes off every time the neighbor's dog walks on your lawn;
and every now and then, when you enter the house, it goes off. Certainly,
it's not a burglar alarm that can stop burglars."
The other accuracy problem that OneSecure wanted to solve was missed attacks. "IDSes today don't really detect a lot of attacks," Zuk said. "If you look at the signature-based products, it's hard to find products out there that have more than 10 or 20 good signatures that will detect real attacks that hackers actually use."
The second focus of the IDP system is management. "IDSes are being managed today the same way firewalls were managed 20 years ago," Zuk said. "Nobody has come out with the equivalent of what Check Point did for the firewall management area. Nobody's really come up with a good management system for IDSes, which is one thing we set out to do."
And the third area of focus is prevention. "IDSes today are burglar alarms: they cannot prevent the attack," Zuk said. "An IDS can tell the firewall to stop the attack, but by the time you tell the firewall, the attack has already been successful. So IDSes today are not really a security product. They can tell you about attacks, but they can't stop them."
If an IDS were able to stop the attack, Zuk explains, you wouldn't have to spend the time to investigate it. "When a firewall today tells you it stopped a connection because it wasn't in your policy, you don't have to worry about it: you know the connection was stopped," he said. "With IDSes, it's not like that. When an IDS reports an alarm, this is when your trouble begins-not when it ends."
Eradicating intrusions
In order to solve the accuracy problem, OneSecure combined multiple detection
methods in one solution. "In today's product, we have three detection
methods: signature based detection, protocol anomaly based detection,
and traffic based detection," Zuk said. "In the next version of the product,
we're adding three new methods, some of which you haven't seen before.
At the end of this year, we'll have more than ten."
To
aid in management, Zuk developed an interface that was similar to the
one he'd helped to build for Check Point's firewall solution. A single
graphical interface combines a policy editor, log viewer, and traffic
session viewer. Each rule can be implemented for an unlimited number of
sensors, allowing an enterprise-wide policy to be managed from a single
interface (below).
And because the IDP is an active device, it's able to aid in prevention. "We have the world's first IDS that runs in-line," Zuk said. " It can actually stop the attack before it reaches its victim. So you don't have to investigate an attack: you just know the attack has been blocked. One, you haven't been hacked—and two, it saves a lot of time and money: you don't have to investigate each and every alarm."
The IDP appliance is sold entirely through channel partners—VARs, service providers, and system integrators. The company itself doesn't compete with its partners: no products are sold directly to customers. The appliance costs $16,495, with maintenance fees of 20 percent for basic support on an annual basis, and 30 percent for unlimited support.
For ISPs in particular, Zuk notes, it's good to remember that OneSecure used to be a service provider itself. "We used to sell our software as a service, so we're very aware of what service providers need in order to run their business efficiently," he said. "The technologies that we have here were developed when we were a service provider: everything was developed with service providers in mind."
New thinking
Gartner
Research analyst Richard Stiennon has been covering OneSecure since
their beginnings as a service provider, and he's particularly impressed
by the IDP product. "I think it's revolutionary," Stiennon said. "They're
on to something: they are addressing a lot of the faults that are preventing
IDS from really taking off."
Stiennon contends that the way the product combines functionality may be the start of a trend. "The only other company doing the same sort of stuff is TippingPoint, which has created a security platform with IDS, anti-virus, and firewall," he said. "The combined handling of traffic flow gives you the same sort of impact as OneSecure's in-line intrusion prevention."
According to Stiennon, another key strength of the OneSecure IDP is the essential familiarity of its graphical interface. "It looks a lot like a firewall," he said. "That's one of the great things about it. It's a familiar concept, even though it's doing things a lot differently than a firewall does."
Ultimately, Stiennon says, it's all about finding a better way to stop attacks. Currently, the most common answer is to connect an IDS to a firewall, then have the IDS tell the firewall to block any attack it detects—but that solution has its problems.
"If an attack comes from South America, it blocks all connections to South America, and lo and behold, you've done a denial of service on yourself," Stiennon said. "Just dropping the offending session means that you still have open access from the source address. That way, somebody can't spoof a bunch of attacks from AOL and shut down access from it. To me, this is new thinking."
— End
Online Resources:
Intrusion
Detection Systems Directory
IDS
Quick Reference Chart
| Related articles: | ||
| [Dec. 24, 2001] | White Paper: Reducing Network Security Risk | |
| [Sept. 25, 2001] | Physical Security Augments Logical Security | |
| [July 11, 2001] | ISP-Planet Survey: MSSPs | |
|
|
|
| Best of ISP-Planet | ||
|---|---|---|
|
ISP-Planet
Guide
ISP-Planet's Principal Studies Directories:
Q2 2008 Top U.S. ISPs by Subscriber (Updated 08/29/2008)
ISP-Planet's Blogroll | ||
ISP-Planet's
RSS feed
