Security
Review
Hip Check

  October 21, 2002
  By Mike Fratto



What We Really Want
Our ideal product would let us centrally manage and enforce a host-security policy that limits access to only those system resources required to run the application. For example, Web servers need to read configuration files or registry keys, read documents from the webroot, execute scripts from a cgi-bin directory, and bind to Ports 80 and 443. You should be able to block the ability to overwrite or modify critical OS files except where necessary for normal system operation; all the products we tested let us impose that block.

We also want to build policies for any server-based application. While prepackaged protection is helpful for deployment, tons of enterprise applications--including collaboration, Web application, ERP (enterprise-resource planning) and groupware servers--can harm the underlying OS and provide an avenue of attack. Of course, profiling the required resources and the types of access per resource means you have to thoroughly exercise the application, log all the resource requests and develop the policy. Only Okena StormFront tracked application activity and developed what it thinks is a reasonable policy based on the events logged. We still had to modify and test the generated policy through several cycles, but the initial resource discovery by StormFront shortened our policy-development cycle considerably.
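To make the two ideas above concrete, here is an added example (not code from the article or from any vendor reviewed) of a deny-by-default host policy for a Web server, plus a StormFront-style profiler that turns logged resource requests into a first-cut policy. The resource classes, access names, paths and ports are assumptions chosen to mirror the wish list.

```python
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A rule is (resource class, access type, glob pattern). The policy is
# deny-by-default: a request passes only if some rule matches all three.
Rule = Tuple[str, str, str]

@dataclass(frozen=True)
class Request:
    resource: str   # "file", "exec" or "net" (assumed classes)
    access: str     # "read", "write", "run" or "bind"
    target: str     # file path, program path or TCP port as a string

# Hypothetical least-privilege policy for a Web server, following the
# wish list above: read config and webroot, run cgi-bin scripts, bind
# 80 and 443. Everything else (writing OS files, running a shell) is denied.
WEB_SERVER_POLICY: List[Rule] = [
    ("file", "read", "/etc/httpd/*"),
    ("file", "read", "/var/www/html/*"),
    ("exec", "run", "/var/www/cgi-bin/*"),
    ("net", "bind", "80"),
    ("net", "bind", "443"),
]

def is_allowed(policy: List[Rule], req: Request) -> bool:
    """Deny unless an explicit rule covers this resource, access and target."""
    return any(res == req.resource and acc == req.access
               and fnmatch.fnmatchcase(req.target, pat)
               for res, acc, pat in policy)

def profile_policy(events: List[Request]) -> List[Rule]:
    """Turn the requests logged while exercising the application into an
    initial allow list: paths are widened to their directory, ports kept
    exact. Like any learned policy it still needs review and tightening."""
    rules: List[Rule] = []
    for ev in events:
        target = ev.target if ev.resource == "net" else posixpath.dirname(ev.target) + "/*"
        rule = (ev.resource, ev.access, target)
        if rule not in rules:
            rules.append(rule)
    return rules

def evaluate(policy: List[Rule], requests: List[Request]) -> Dict[str, bool]:
    """Map each request to its allow/deny decision, for logging or review."""
    return {f"{r.access} {r.target}": is_allowed(policy, r) for r in requests}
```

Note that the learned rules are only as narrow as the learning run was thorough: a directory the application never touched will be denied, and a directory it touched once is widened to the whole directory, which is exactly why the generated policy needs several modify-and-test cycles.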


The types of objects to which you can control access, and the types of access per object, are important: Attacks happen both locally and remotely. If you limit the ability of servers to read, write and execute files, you prevent them from running a shell or shell commands. But that may not stop an attacker who can walk up to the console and load a Trojan or backdoor from a floppy disk. You want to control access to the file system, network ports, I/O ports and other means of communicating with external resources. In addition, blocking stack and heap buffer overflows provides another layer of protection. Only Okena StormWatch, Argus PitBull LX and CA Access Control on Unix let us regulate file and network access, while the products from all the others except Harris provided buffer-overflow protection.



Vendors at a Glance


The more precisely we can define an application's access requirements, the more likely we can contain successful attacks against the OS. That includes being able to specify access based on user name or group affiliation. Argus PitBull LX on Unix and CA's Access Control let us set user-based access control so we could create a user group that could modify or create files only in webroot--and nowhere else. Administration of the Web server would be granted to a group that wouldn't need write access to HTML, ASL or PHP files and CGI executables.

After a month and a half of testing and hours of poking and prodding (punctuated by bursts of salty language), we gave our Editor's Choice award to Okena StormWatch. It's a complicated product--expect to spend some time swimming through various policy options--but it grants nearly everything on our wish list. It cannot make policy decisions based on user IDs, and though arguably that's not the problem Okena is solving with StormWatch, such a capability would add that extra touch.

If you don't need an all-in-one tool like StormWatch, CA Access Control or Argus PitBull LX on Unix, but would rather have a more targeted HIP product, Entercept, Argus PitBull Protector and Harris STAT Neutralizer are good choices. WatchGuard ServerLock, however, lacks many of the features offered by rivals, including read and execute access, support for multiple applications and network control.


