StormWatch takes our Editor's Choice because of the breadth and depth of its configurable options. The more options, the tighter you can lock down applications and services, which is what these products are all about. Add in stack-buffer-overflow protection, a robust policy-definition system, multiagent management, including policy and software updates, detailed logging and auditing, and tiered management, and you're looking at one powerfully HIP product. But Okena should be feeling the heat from Argus on the Unix front and CA on both Unix and Windows because these vendors offer user-based, in addition to host-based, access control. Additionally, Okena's lack of support for Linux is shortsighted.
Servers that are protected by StormWatch are grouped, and one or more policies are applied to the group. For example, the default groups for both Unix and Windows have policies that protect critical system resources common to the platform and the StormWatch files. If you want to protect IIS also, you simply add that policy to the default group.
StormWatch is focused on protecting system resources, and its policies are defined according to what resources applications can access and how they can access them. Policies are defined per application and contain rules that allow or deny access to resources or groups of resources. In the case of StormWatch, system resources can be files, registry keys, network addresses, network services or COM objects. Groups of resources are defined in resource sets and may contain fully qualified definitions, such as "c:\winnt\system32\cmd.exe," that match just that file, or they may contain wild cards like "**\winnt\system*\*" combined with a file-name pattern of *.dll, which matches any DLL file, on any drive, in any path beginning with \winnt\system. The other object types, of course, have their own syntax and wild-card definitions.
Application classes are similar to resource sets, except that they define the executable files that are used by an application. Application classes can be defined using the resource sets: For example, the system applications class is defined using the system executable file-resource set. Policies can take one of three paths when a rule triggers: allow the action, deny the action or query the user for permission to run. Finally, application classes, resource sets and actions are used in the policies to define the resources an application may or may not access. Rules are ordered automatically by StormWatch and are processed from the top of the list down. Actions are taken on the first match.
Determining the resources an application needs is a complicated business. For example, applications open and close files and network ports dynamically during run time. Less frequently used resources, such as registry keys, may be activated only once. When profiling an application, it's important to fully exercise the application from start-up, through every possible action, and then shut down, logging every access. The process of building the rules then begins. Unlike the other products that allow custom-policy building, Okena has a product--StormFront--that monitors and logs an application's activity and then builds a policy. You review the policy, make changes and corrections as necessary, apply the policy and test it. You keep testing and tweaking the policy until it is properly configured. StormFront automates the bulk of the resource discovery and all that is left are minor adjustments--how much adjusting you do depends on the application you're profiling. StormFront is necessarily very literal when building a policy. When we profiled the SSH server, the policy allowed only read/write access to the directory the user logged into. Of course, we had to broaden that access.
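The policy model of the two preceding paragraphs (resource sets with wild cards, application classes, rules processed top down with allow, deny or query on the first match) and the profile-then-broaden workflow described here are worked through in the Python below. This is an added example, not Okena's code, and it does not reproduce StormWatch's real rule syntax or file format: the reading of the wild cards (`**` spans any drive and path prefix, `*` one path component), the log line format, the hypothetical IIS application class, the sshd paths and the behaviour when no rule matches are all assumptions constructed for illustration.

```python
"""Model of a resource-based host policy: pattern sets for resources and
applications, allow/deny/query rules evaluated top-down on first match, and
literal rule generation from a profiling log. Added illustration; not Okena's
engine, rule syntax or file format."""
import re
from dataclasses import dataclass


def glob_to_regex(pattern: str) -> re.Pattern:
    """'**' matches any run of characters, separators included (so any drive and
    any path prefix); '*' matches within one path component. Case-insensitive, as
    Windows paths are. This reading of the review's syntax is an assumption."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class PatternSet:
    """A resource set (file patterns) or an application class (executable patterns)."""
    name: str
    patterns: tuple

    def matches(self, path: str) -> bool:
        return any(glob_to_regex(p).match(path) for p in self.patterns)


@dataclass(frozen=True)
class Rule:
    app: PatternSet        # application class
    resources: PatternSet  # resource set
    access: frozenset      # subset of {"read", "write", "execute"}
    action: str            # "allow", "deny" or "query"


class Policy:
    """The first rule whose application class, resource set and access kind all
    match decides. The review does not say what happens when nothing matches, so
    the default action is a parameter (assumption)."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def evaluate(self, exe: str, resource: str, access: str):
        for rule in self.rules:
            if rule.app.matches(exe) and rule.resources.matches(resource) and access in rule.access:
                return rule.action, rule
        return self.default, None


# Policy elements built from the wild-card examples in the review; the IIS class is hypothetical.
SYSTEM_DLLS = PatternSet("system DLLs", (r"**\winnt\system*\*.dll",))
CMD_SHELL = PatternSet("command shell", (r"c:\winnt\system32\cmd.exe",))
IIS = PatternSet("IIS", (r"**\inetsrv\inetinfo.exe",))
ALL_APPS = PatternSet("all applications", ("**",))
SAMPLE_POLICY = Policy([
    Rule(IIS, CMD_SHELL, frozenset({"execute"}), "deny"),             # most specific first
    Rule(ALL_APPS, SYSTEM_DLLS, frozenset({"read", "execute"}), "allow"),
    Rule(ALL_APPS, CMD_SHELL, frozenset({"execute"}), "query"),       # ask the user
])

# Constructed profiling log: timestamp, executable, access kind, resource.
LOG_LINE = re.compile(r"^\S+ \S+ (?P<exe>\S+) (?P<access>read|write|execute) (?P<path>.+)$")
PROFILE_LOG = r"""
2002-05-01 10:02:13 c:\ssh\sshd.exe read c:\ssh\etc\sshd_config
2002-05-01 10:02:13 c:\ssh\sshd.exe read c:\ssh\etc\hostkey
2002-05-01 10:02:14 c:\ssh\sshd.exe execute c:\winnt\system32\kernel32.dll
2002-05-01 10:05:40 c:\ssh\sshd.exe read c:\home\alice\.profile
2002-05-01 10:05:41 c:\ssh\sshd.exe write c:\home\alice\notes.txt
""".strip().splitlines()


def rules_from_log(lines, action="allow"):
    """Literal rules in the spirit of the profiling step: one rule per executable
    and resource actually touched, carrying exactly the access kinds logged."""
    seen = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            seen.setdefault((m["exe"], m["path"]), set()).add(m["access"])
    return [Rule(PatternSet(exe, (exe,)), PatternSet(path, (path,)), frozenset(acc), action)
            for (exe, path), acc in sorted(seen.items())]


def broaden(rules, prefix):
    """Replace literal rules for resources under `prefix` with one rule on
    prefix + '**' carrying the union of their access kinds (the manual widening
    the review describes). Assumes the merged rules share an application class
    and action, as the rules profiled for a single application do."""
    kept, access, app, action = [], set(), None, None
    for r in rules:
        if all(p.lower().startswith(prefix.lower()) for p in r.resources.patterns):
            access |= r.access
            app, action = r.app, r.action
        else:
            kept.append(r)
    if app is not None:
        wide = prefix + "**"
        kept.append(Rule(app, PatternSet(wide, (wide,)), frozenset(access), action))
    return kept
```

`rules_from_log(PROFILE_LOG)` yields five literal allow rules, so an attempt by sshd to read a file under a second user's home directory falls through to the default; `broaden(rules, "c:\\home\\")` collapses the two home-directory rules into one `c:\home\**` rule with read and write access, which is the kind of adjustment the review had to make by hand. Ordering is supplied by the caller here; the review states that StormWatch orders rules itself.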
While flexibility equals complexity, the StormWatch manager is well thought out and offers easy access to all relevant details. If you are examining a policy, you can click a link to see which groups it is applied to. You can move through policy elements easily via dialog pop-ups and drop-down menus. The logging is very detailed, including links to the event details and to the rule that triggered the log entry. The log is filterable and can include or exclude events based on event text. There is also a separate audit log detailing administrative events.
Okena has set the bar high with its robust policy development, decent discovery tools, easy-to-use management and detailed logging. If the company would support a wider variety of OSs and include user-based access control, StormWatch would be truly cooking. We expect big things from this product in the years to come.
Okena StormWatch 3.0, $1,800 per server, $85 per desktop; StormFront 2.0, $220 per server and $10 per desktop, Okena, (781) 209-3200. www.okena.com