Remember the Little Dutch boy who stuck his finger in the dike and saved the Netherlands from flooding? In reality, the water pressure would have enlarged the crack around his finger, eventually ripping the dike apart and flooding the land anyway. The Dutch boy would have died a heroic, albeit stupid, death.
Still, you empathize with him when you hear about the newest worm running rampant across the Internet and headed for your network. The problem is that most security products try to erect protective walls against the burgeoning swell of attackers. Firewalls, VPNs, antivirus software and proxies are necessary, as are server and application patching and configuration, but one crack in the cement can spell disaster.
Our advice: Stem the tide by putting protection where the vulnerability lies--on the host platform. HIP (host intrusion prevention) products shield the operating system from applications by restricting the operations an application may perform, such as read, write, execute and network access, and by protecting system resources, such as files, registry keys, network ports and COM objects. We aren't talking about host or desktop firewalls here--HIP applications enforce an access policy at the OS level, so the vulnerability du jour fails even if the exploit manages to trigger it: whatever the payload tries next is refused because the application can't extend beyond its defined access policy.
We invited Argus Systems Group, Armored Server, Computer Associates, Entercept Security Technologies, Harris Corp., Network-1, Okena, Tiny Software, Tivoli and WatchGuard to participate in our tests of HIP products. Tiny Software was unable to get us a product in time. Network-1 said it didn't have a product fitting our criteria and Tivoli just refused to come play in our sandbox.
That left Argus' PitBull LX and Protector, CA's eTrust Access Control, Entercept's Web Server Edition, Harris' STAT Neutralizer, Okena's StormWatch and StormFront, and WatchGuard's ServerLock and AppLock/Web for testing in our Syracuse University Real-World Labs®.
These products run the gamut from all-encompassing systems, such as CA's Access Control, Harris' STAT Neutralizer and Okena's StormWatch, which protect a wide range of applications, to products such as Argus PitBull Protector and WatchGuard AppLock/Web that are targeted specifically at Web server protection.
All the products install as kernel-level modules--or, in the case of Argus PitBull LX on Solaris, as a kernel and shared-library replacement--to trap or modify system calls. Each access request passes through the product's policy engine before it is handed to the system for execution. Requests that are denied never reach the underlying operating system; the server hums along unaffected and the attack becomes water under the bridge. The flip side is that the policy has to cover everything the application legitimately does: a rule set tighter than the application's real behavior blocks the application just as reliably as it blocks an attacker, so expect to profile normal activity before you enforce.
Although we expected different types of configuration options depending on OSs supported, we were surprised to find disparities such as those in CA Access Control, in which you can limit the actions servers are allowed to take on Unix but not on Microsoft Windows 2000, or in Argus PitBull Protector, which is highly configurable on Unix, but not on Windows 2000. A few products, including Entercept, Argus PitBull LX and CA Access Control, allowed user-based access-control rules that let us create policies specifying which users can write or update files while blocking all other writing.
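To make the policy model concrete, here is an added example of the kind of access-policy engine the products above implement in the kernel, written as plain Python so the decision logic can be read and run on its own. It is not code from any of the reviewed products, and the application name ("httpd"), paths, ports and user accounts are constructed for illustration. Each request carries the image that issued it, the account it runs as, the operation and the resource; the engine is allow-list, default-deny, and supports the user-scoped write rules described above. The sample requests show a web server's normal activity being permitted while the follow-on steps of a typical exploit (spawning a shell, defacing content, calling home, reading credentials) are refused before they would reach the OS.

```python
# Added example: a toy host-intrusion-prevention (HIP) policy engine in the
# style the article describes. A real product traps system calls in the
# kernel; here the "system call" is a Request object and the engine only
# decides allow/deny. Application names, paths, ports and accounts are
# constructed for illustration, not taken from any reviewed product.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    app: str       # image that issued the call, e.g. "httpd"
    user: str      # account the process is running as
    op: str        # "read", "write", "execute", "listen" or "connect"
    resource: str  # file path, or "tcp:<port>" for a network endpoint


@dataclass(frozen=True)
class Rule:
    ops: FrozenSet[str]
    pattern: str                      # glob over the resource name
    users: Optional[FrozenSet[str]]   # None means "any user"


class PolicyEngine:
    """Per-application allow list; anything without a matching rule is denied."""

    def __init__(self) -> None:
        self._policies: Dict[str, List[Rule]] = {}

    def allow(self, app: str, ops, pattern: str, users=None) -> None:
        rule = Rule(frozenset(ops), pattern,
                    None if users is None else frozenset(users))
        self._policies.setdefault(app, []).append(rule)

    def decide(self, req: Request) -> Tuple[bool, str]:
        rules = self._policies.get(req.app)
        if rules is None:
            # Unknown image: nothing is permitted, not even reads.
            return False, "no policy for application"
        for rule in rules:
            if req.op in rule.ops and fnmatchcase(req.resource, rule.pattern):
                # A user-scoped rule only matches for the listed accounts;
                # otherwise keep scanning for a rule that does apply.
                if rule.users is None or req.user in rule.users:
                    return True, f"allowed by rule on {rule.pattern}"
        return False, "no matching allow rule (default deny)"


def web_server_policy() -> PolicyEngine:
    """Constructed policy for a web server image named 'httpd'."""
    e = PolicyEngine()
    e.allow("httpd", {"execute"}, "/usr/sbin/httpd")
    e.allow("httpd", {"read"}, "/etc/httpd/*")
    e.allow("httpd", {"read"}, "/var/www/*")
    e.allow("httpd", {"write"}, "/var/log/httpd/*")
    e.allow("httpd", {"listen"}, "tcp:80")
    e.allow("httpd", {"listen"}, "tcp:443")
    # User-based rule of the kind the article credits to Entercept, PitBull LX
    # and eTrust Access Control: only 'webadmin' may update site content.
    e.allow("httpd", {"write"}, "/var/www/*", users={"webadmin"})
    return e


# Constructed requests: the first three are normal service activity, the
# rest are what a web-server exploit typically tries next.
SAMPLE_REQUESTS = [
    Request("httpd", "nobody", "listen", "tcp:80"),
    Request("httpd", "nobody", "read", "/var/www/html/index.html"),
    Request("httpd", "webadmin", "write", "/var/www/html/index.html"),
    Request("httpd", "nobody", "write", "/var/www/html/index.html"),   # defacement
    Request("httpd", "nobody", "execute", "/bin/sh"),                  # shell
    Request("httpd", "nobody", "connect", "tcp:4444"),                 # callback
    Request("httpd", "nobody", "read", "/etc/shadow"),                 # credential theft
    Request("evil.exe", "nobody", "read", "/var/www/html/index.html"),  # unknown image
]


def evaluate(engine: PolicyEngine, requests) -> List[Tuple[Request, bool, str]]:
    """Run every request through the engine; returns (request, allowed, reason)."""
    return [(r, *engine.decide(r)) for r in requests]


if __name__ == "__main__":
    for req, ok, why in evaluate(web_server_policy(), SAMPLE_REQUESTS):
        verdict = "ALLOW" if ok else "DENY "
        print(verdict, req.app, req.user, req.op, req.resource, "-", why)
```

The point of the user-scoped rule is visible in the fourth request: the same write to the same file is allowed for "webadmin" and denied for the account the server actually runs as, which is exactly what stops a compromised worker process from overwriting content it is allowed to read. Note also that the policy is keyed on the image, so the unknown binary at the end is denied even a read that "httpd" is allowed.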