Stormwatch: Intrusion detection becomes intrusion protection

Learn about Stormwatch, a new type of intrusion detection and prevention technology. The product is a software-signatureless host- and network-based solution.

Intrusion detection has changed dramatically in the past 10 years. From an administrator running TCPDump and scanning event logs, intrusion detection has grown into both host- and network-based sensors. When dedicated intrusion detection devices were first fielded, however, these sensors only watched and listened for traffic they suspected of being illegal.

The first implementations of these intrusion detection sensors, such as NetRanger and RealSecure, produced many false positives and missed numerous attacks altogether. This poor performance almost led to the death of this type of technology. The latest generation of intrusion sensor devices more than makes up for the technology's poor start.

Today's intrusion detection devices provide scalable network- and host-based protection that is easily monitored, detects both unauthorized and illegal network traffic, is heavily based on known attack pattern recognition, and frequently updates its attack pattern recognition signatures to protect against evolving malicious patterns.

But there's a flaw to this type of security measure: You are protected only against known attacks. As a security administrator, if I have to chase after every new exploit, my network will never be secure. I just want defense from the harmful results of malicious code and unauthorized insider activity. At least one company is pushing the intrusion detection envelope to provide this type of security solution.

Security without signatures
Okena's Stormwatch is a software-signatureless host- and network-based solution. The sensor agents are deployed to both clients and servers and enforce an easily customizable security policy.

Okena was recently purchased by Cisco Systems, and Stormwatch has been rebranded Cisco Security Agent.

Although known attack patterns are suppressed at the network level, Stormwatch's easily definable rule sets, which are based on applications currently loaded on the monitored system, offer a real boost to security. The agent intercepts application requests and customizable security rules based on your security policy to stop both internal and external hackers dead in their tracks.

For instance, if you want to prevent an intruder from launching a remote command shell on your Web server, just create a rule that denies remote execution of the command executable.

Prevent applications from misbehaving
Stormwatch intercepts network requests and enforces security decisions based on application behavior. Since the agent works at the application level, individual packets are monitored only for conformity to the current security policy, not for content. This means that a malicious packet or an illegal request is stopped easily, with very little processor overhead.

Stormwatch also features a test mode for rules, so you can verify actions against events before you change the security policy. If you're not sure that the rule you're creating will deny a specific action, put it in test mode.

For example, suppose you add the following rule to your workstation policy and put the rule in test mode:

Rule 10: When anyone attempts to open a command shell remotely, deny the application request and send an e-mail to

To verify that the rule works, open a command remotely. The alert feature tells you what happened and reports that, if this were a real rule, it would have stopped the event and sent the requested e-mail.

Intelligent alerts
Stormwatch provides six alert methods (in-console alert, e-mail, SNMP, pager, log to external file, and notify third-party security management console) to inform you of an action that has been intercepted by the sensor agent.

In addition to the numerous methods of notification, similar security events are suppressed and reported as a single event that occurred multiple times. This feature saves the human operator from overload; instead of hundreds or thousands of similar alerts, multiple messages are condensed into one meaningful alert.

Security alerts are presented after the event in a clear and concise format that lets you know what happened and what security rule prevented the undesirable action. You don't need to constantly monitor this intrusion prevention tool.

Stormwatch's monitoring console isn't tied to a single machine. Because the console interface is Web-based and provided via a secure connection, you can monitor and control your security profile from any machine on your network that has a Netscape or Internet Explorer browser.

Other alternatives
I've focused here on only one product, but several other companies (including Computer Associates, Enterasys Networks, and Internet Security Systems) currently offer excellent intrusion detection/protection solutions. If you're not monitoring your network for insider abuse and verification of your perimeter security devices, it might be time to add some real-time protection and monitoring to your servers and critical clients.

We want your feedback
Have you deployed intrusion detection sensors on your network? Are your sensors primarily meant to catch external or internal hackers? We want to hear from you! Add your comments to this discussion.

Editor's Picks

Free Newsletters, In your Inbox