Security
REVIEW
Hip Check

October 21, 2002
By Mike Fratto


Remember the Little Dutch boy who stuck his finger in the dike and saved the Netherlands from flooding? In reality, the water pressure would have enlarged the crack around his finger, eventually ripping the dike apart and flooding the land anyway. The Dutch boy would have died a heroic, albeit stupid, death.

Still, you empathize with him when you hear about the newest worm running rampant across the Internet and headed for your network. The problem is that most security products try to erect protective walls against the burgeoning swell of attackers. Firewalls, VPNs, antivirus software and proxies are necessary, as are server and application patching and configuration, but one crack in the cement can spell disaster.

Our advice: Stem the tide by putting protection where the vulnerability lies--on the host platform. HIP (host intrusion prevention) products shield the operating system from applications by restricting the functions available to them, such as read, write, execute and network access, and by protecting system resources, such as files, registry keys, network ports and COM objects. We aren't talking about host or desktop firewalls here--HIP applications enforce an access policy at the OS level, so the vulnerability du jour fails because the exploited application can't extend beyond its defined access policy.


We invited Argus Systems Group, Armored Server, Computer Associates, Entercept Security Technologies, Harris Corp., Network-1, Okena, Tiny Software, Tivoli and WatchGuard to participate in our tests of HIP products. Tiny Software was unable to get us a product in time. Network-1 said it didn't have a product fitting our criteria and Tivoli just refused to come play in our sandbox.



[Figure: By the Numbers]

That left Argus' PitBull LX and Protector, CA's eTrust Access Control, Entercept's Web Server Edition, Harris' STAT Neutralizer, Okena's StormWatch and StormFront, and WatchGuard's ServerLock and AppLock/Web for testing in our Syracuse University Real-World Labs®.

These products run the gamut from all-encompassing systems--such as CA's Access Control, Harris' STAT Neutralizer and Okena's StormWatch, that protect a wide range of applications--to products like Argus PitBull Protector and WatchGuard AppLock/Web that are targeted at Web server protection.

All the products install as kernel-level modules, or in the case of Argus PitBull LX on Solaris, as a kernel and shared library replacement, to trap or modify system calls. The products process the access requests via policy engines before passing them on to the system for execution. Access requests that are denied never get to the underlying operating system; the server hums along unaffected and the attack becomes water under the bridge.

Although we expected the configuration options to differ with the operating systems supported, we were surprised to find disparities such as those in CA Access Control, which lets you limit the actions servers are allowed to take on Unix but not on Microsoft Windows 2000, or in Argus PitBull Protector, which is highly configurable on Unix but not on Windows 2000. A few products, including Entercept, Argus PitBull LX and CA Access Control, allowed user-based access-control rules that let us create policies specifying which users can write or update files while blocking all other writes.
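To make the policy-engine idea concrete, here is an added toy model of what the kernel-level interposer described above does: every access request (program, user, operation, resource) is checked against a policy before the operating system ever sees it, and anything not explicitly allowed is dropped. This is illustration code written for this page, not code from any of the reviewed products; the rule format, the web-server paths and the account names are constructed assumptions.

```python
"""Toy host-intrusion-prevention (HIP) policy engine.

Added illustration, not any vendor's code. It models the behaviour the review
describes: a hook in front of the system-call layer evaluates each request
against a per-application policy. Denied requests never reach the OS.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    program: str   # path of the executable making the call
    user: str      # account the process runs as
    op: str        # "read", "write", "execute" or "network"
    resource: str  # file path, registry key, or "tcp:<port>"


@dataclass(frozen=True)
class Rule:
    program: str                # glob on the program path
    op: str                     # operation name or "*"
    resource: str               # glob on the resource
    user: Optional[str] = None  # None means the rule applies to any user
    allow: bool = True          # False makes this an explicit deny


class PolicyEngine:
    """Default-deny: a request passes only if some rule allows it and no rule denies it."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # Constructed audit trail, standing in for a product's event log.
        self.audit: List[Tuple[Request, bool]] = []

    def _matches(self, rule: Rule, req: Request) -> bool:
        return (fnmatchcase(req.program, rule.program)
                and rule.op in ("*", req.op)
                and fnmatchcase(req.resource, rule.resource)
                and (rule.user is None or rule.user == req.user))

    def decide(self, req: Request) -> bool:
        matched = [r for r in self.rules if self._matches(r, req)]
        # An explicit deny wins, so a narrow deny can carve a hole out of a broad allow.
        if any(not r.allow for r in matched):
            verdict = False
        else:
            verdict = any(r.allow for r in matched)
        self.audit.append((req, verdict))
        return verdict


# Constructed policy for a web server: read its document root, write only its
# own log directory, listen on port 80, and never launch a shell. A separate
# user-based rule lets the "webadmin" account update content from any program.
WEB_SERVER_POLICY = [
    Rule("/usr/sbin/httpd", "read", "/var/www/*"),
    Rule("/usr/sbin/httpd", "write", "/var/log/httpd/*"),
    Rule("/usr/sbin/httpd", "network", "tcp:80"),
    Rule("/usr/sbin/httpd", "execute", "/bin/sh", allow=False),
    Rule("*", "write", "/var/www/*", user="webadmin"),
]


def run_sample() -> List[bool]:
    """Evaluate a constructed batch of requests; returns one verdict per request."""
    engine = PolicyEngine(WEB_SERVER_POLICY)
    requests = [
        Request("/usr/sbin/httpd", "nobody", "read", "/var/www/index.html"),     # normal page serve
        Request("/usr/sbin/httpd", "nobody", "write", "/var/www/index.html"),    # defacement attempt
        Request("/usr/sbin/httpd", "nobody", "execute", "/bin/sh"),              # exploited server spawning a shell
        Request("/usr/sbin/httpd", "nobody", "network", "tcp:6667"),             # unexpected outbound port
        Request("/usr/bin/vi", "webadmin", "write", "/var/www/index.html"),      # legitimate content update
        Request("/usr/bin/vi", "nobody", "write", "/var/www/index.html"),        # same edit by the wrong user
    ]
    return [engine.decide(r) for r in requests]


if __name__ == "__main__":
    for verdict in run_sample():
        print("ALLOW" if verdict else "DENY")
```

The point the review makes falls out of the model: a compromised `httpd` still cannot write its own content tree, spawn a shell or open an unexpected socket, because none of those actions are in its policy, while the user-based rule shows the kind of "only these accounts may update files" control that some of the tested products offered.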

