Threat Management
Threat management includes a combination of hardware, software, and networking technologies whose primary function is to perform one or more specific security functions. Threat management includes network- or endpoint-based solutions that constantly monitor network traffic or application activity for compliance with a security policy and to discover malicious activity. Upon finding security violations, these tools are designed to prevent or mitigate the specific network or system attacks. Threat management combines two specific product areas: firewall and intrusion detection and prevention. Products in this space are categorized as either one or the other, but over time, the line between what is a firewall and what is an intrusion prevention product will blur into a single threat management market. Firewall and intrusion detection and prevention products are defined as follows:
• Firewall software identifies and blocks access to certain applications and data. These products may also include VPN encryption as an option. Software firewalls have been categorized into the enterprise, application, and desktop segments. Application firewalls are specialized firewalls designed to protect specific services from attack. They are designed to understand the underlying protocol and be able to offer a higher degree of protection than a general-purpose firewall. Desktop firewalls are used to determine if a given IP packet should be passed to the endpoint device. In general, the products are used to control which desktop applications can communicate with the Internet.
• Intrusion detection and prevention software provides continuous monitoring of devices or networks and reacts to malicious activity. A device on a network or an agent on a system, respectively, will compare current activity with a list of signatures known to represent malicious activity or will use other detection methods such as protocol analysis, anomaly, behavioral, or heuristics to discover unauthorized network activity. Intrusion detection products are passive systems that do not interact directly with the datastream or application calls. Intrusion prevention products are inline, thus they have direct access to traffic and commands and the ability to proactively prohibit malicious activity.
• Firewall/VPN security appliance products have as their primary function packet filtering, stateful inspection, or proxying. Virtual private networking capabilities are a feature within these products that may or may not be contained in all products in this category. Firewall/VPN security appliances may also host other security features, such as intrusion detection, Web filtering, and security information services.
• Unified threat management (UTM) security appliance products include multiple security features integrated into one device. To be included in this category, as opposed to other segments, the appliance must contain the ability to perform network firewalling, network intrusion detection and prevention, and gateway antivirus (AV). All of the capabilities need not be utilized, but the functions must exist inherently in the appliance. In addition to the mandatory applications, UTM appliances may also host other security or networking features.
• Intrusion detection and prevention security appliance products have as their primary function the ability to provide continuous monitoring of networks and to report or react to malicious activity. Intrusion detection and prevention products will compare current activity with a list of signatures known to represent malicious activity, or they will use other detection methods such as protocol analysis, anomaly, behavioral, or heuristics to discover unauthorized network activity. Intrusion detection and prevention appliances generally have strong denial-of-service defensive capabilities and antiworm capabilities.
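The two detection methods named in the definitions above (signature matching and anomaly detection) and the passive-versus-inline distinction between intrusion detection and intrusion prevention can be shown in a few lines. The following is an added illustration written for this page; it is not code from the document or from any vendor listed below. The signatures, the request-rate threshold, and the sample traffic are all constructed for the example, and a sensor in "detect" mode forwards every event and only records alerts, while the same sensor in "prevent" mode drops the events it alerts on.

```python
"""Toy sensor showing signature plus anomaly detection in passive (IDS)
and inline (IPS) modes.  Constructed example, not vendor code."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed signatures: compiled pattern -> human-readable description.
SIGNATURES = {
    re.compile(r"\.\./\.\./"): "directory traversal sequence",
    re.compile(r"(?i)union\s+select"): "SQL keyword sequence in request",
}

# Constructed anomaly rule: more than this many requests from one source
# (within the sensor's lifetime here; a real sensor would use a time window).
RATE_THRESHOLD = 5


@dataclass
class Event:
    src: str   # source address
    path: str  # requested URL path, the only field we inspect


@dataclass
class Verdict:
    event: Event
    alerts: list      # descriptions of everything that fired
    forwarded: bool   # False means the inline sensor dropped the event


def signature_match(event):
    """Return the descriptions of every signature that matches the path."""
    return [desc for pat, desc in SIGNATURES.items() if pat.search(event.path)]


class Sensor:
    """mode='detect' is passive (IDS); mode='prevent' is inline (IPS)."""

    def __init__(self, mode):
        if mode not in ("detect", "prevent"):
            raise ValueError("mode must be 'detect' or 'prevent'")
        self.mode = mode
        self.seen = Counter()  # per-source request count for the anomaly rule

    def inspect(self, event):
        alerts = signature_match(event)
        self.seen[event.src] += 1
        if self.seen[event.src] > RATE_THRESHOLD:
            alerts.append(f"request rate from {event.src} above {RATE_THRESHOLD}")
        # A passive sensor never blocks; an inline sensor blocks on any alert.
        forwarded = not (alerts and self.mode == "prevent")
        return Verdict(event, alerts, forwarded)


def run(mode, events):
    """Feed every event through a fresh sensor and return the verdicts."""
    sensor = Sensor(mode)
    return [sensor.inspect(e) for e in events]


def summarize(verdicts):
    """Counts a practitioner would put on a dashboard."""
    return {
        "events": len(verdicts),
        "alerted": sum(1 for v in verdicts if v.alerts),
        "dropped": sum(1 for v in verdicts if not v.forwarded),
    }


# Constructed sample traffic: two requests carrying signature hits, then a
# burst of seven ordinary requests from a single source.
SAMPLE = [
    Event("10.0.0.5", "/index.html"),
    Event("10.0.0.5", "/../../etc/passwd"),
    Event("10.0.0.7", "/search?q=1 UNION SELECT 1"),
] + [Event("10.0.0.9", f"/item/{i}") for i in range(7)]


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        print(mode, summarize(run(mode, SAMPLE)))
```

Running the block prints one summary per mode: in detect mode all ten events are forwarded and four carry alerts (two signature hits plus the sixth and seventh requests from the bursting source); in prevent mode those same four are dropped. The only difference between the two product categories, as the definitions say, is whether the sensor sits inline and is allowed to act on its own verdict.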
The following are representative vendors and products in the threat management market:
• Check Point Software Technologies (FireWall-1/VPN-1, SmartDefense, and Integrity Desktop)
• Cisco (Cisco Pix)
• Internet Security Systems (RealSecure and Proventia)
• Juniper (NetScreen)
• McAfee (Entercept, Host Intrusion Prevention, McAfee Personal Firewall Plus)
• Microsoft (Internet Security and Acceleration Server)
• SonicWALL (SonicWALL Pro)
• Symantec (Enterprise Firewall, Norton Personal Firewall, Intruder Alert, Decoy Server, and Symantec Network Security)