Yes, automated network intrusion detection is a growing field. There are several excellent intrusion detection systems available today, not just traffic monitoring devices. Network General (the inventor of the Sniffer, now known as Networks Associates after its recent merger with McAfee) sells a product called CyberCop. StorageTek sells a combination packet filter & intrusion detection system under the name of NetSentry (this combines their BorderGuard security device with the NetRanger IDS). The WheelGroup NetRanger itself is capable of automatically setting filters on the BorderGuard devices as well as Cisco routers, based on where (in the enterprise network) they are located and a company's real-time policy enforcement needs. NetSolve (ProWatch Secure) and IBM (Emergency Response Service) both offer intrusion detection monitoring and response services as well...
These systems (and services) are capable of centralized configuration management, alarm reporting, and attack info logging from many remote IDS sensors. ID systems are intended to be used in conjunction with firewalls and other filtering devices, not as the standalone 'silver bullet' for internet and intranet security.
From: Ted Doty
Sent: Wednesday, December 03, 1997 6:16 AM
To: firewalls @
Subject: Re: Seesion Wall-3
On Tue, 2 Dec 1997 12:38:54 -0500, List_Mail @
com (List_Mail) posted:
In Windows NT Magazine, October 1997 issue page 85, there is an
article on Session Wall-3, a firewall that you can place inside the
internal network. It's both a network monitor and a firewall. Does
anyone have any experience with this product?
There is a lot of activity on Intrusion Detection right now, especially the
combination of IDS with traditional firewalls. The idea is that when the
IDS system detects inappropriate activity, it communicates with the
firewall (for example, via Checkpoint's Opsec), to add a blocking rule.
Intrusion Detection systems are passive, so they are a pretty good fit for
an internal network, where communications need to be open. An
organization could deploy internal firewalls that block nothing at all,
except for the sessions of malicious users (as reported by an IDS).
Separating the functionality into "detect" vs. "respond" is likely to allow
the performance of the security system to match the data rates of the
There are a number of IDS systems out (including our RealSecure), but I
don't know how many of them work with how many firewall systems.
Any comments should be sent to me, as I don't normally follow the list.
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
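
The detect/respond split described in the quoted message, as an added sketch that is not part of the original thread or of any product named in it: a responder takes alerts from a passive sensor and maintains temporary deny entries on an otherwise permit-all internal firewall. All class and field names are hypothetical, the alerts are constructed, and the rule text is generic rather than any firewall's syntax.

```python
# Added example: hypothetical names, constructed alerts, generic rule text.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Alert:                 # one report from the passive IDS sensor
    ts: int                  # seconds since start of capture
    src: str
    signature: str
    severity: int            # 1 (informational) .. 5 (critical)

class Responder:
    """Internal firewall policy: permit everything except sources the IDS
    has flagged recently. Blocks expire so a stale alert cannot cut a host
    off forever."""
    def __init__(self, min_severity=4, ttl=900, never_block=()):
        self.min_severity = min_severity
        self.ttl = ttl
        self.never_block = [ip_network(n) for n in never_block]
        self.blocks = {}     # source address -> expiry time

    def handle(self, alert):
        """Return True if the alert added or refreshed a block."""
        if alert.severity < self.min_severity:
            return False     # detect only, no response
        if any(ip_address(alert.src) in net for net in self.never_block):
            return False     # a forged source must not get key servers blocked
        self.blocks[alert.src] = alert.ts + self.ttl
        return True

    def rules(self, now):
        """Drop expired blocks, then render the rule list (last rule permits all)."""
        self.blocks = {s: e for s, e in self.blocks.items() if e > now}
        return [f"deny from {s}" for s in sorted(self.blocks)] + ["permit any"]

# Constructed alerts using RFC 1918 addresses.
ALERTS = [
    Alert(100, "10.1.4.23", "port-scan", 2),          # below threshold
    Alert(160, "10.1.4.23", "password-guessing", 4),  # blocked until t=1060
    Alert(200, "10.1.0.53", "syn-flood", 5),          # protected DNS server
]

def run(now):
    r = Responder(never_block=["10.1.0.53/32"])
    results = [r.handle(a) for a in ALERTS]
    return results, r.rules(now)

if __name__ == "__main__":
    print(run(300))
    print(run(1060))
```

The `never_block` list and the expiry time are the two controls that keep an automated response from being turned against the network by alerts with forged source addresses.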