Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Host Intrusion Prevention Software

We focused only on server protection in this review; however, Platform Logic, Cisco and CA also sell HIP products for the desktop, and Sana says it is evaluating desktop support.

All the products we tested work similarly. Agent software installed on each server communicates with a central management site, sending log files and status reports and retrieving policy files. Agent software comprises two components, one in user space and a kernel piece. The user-space piece handles the GUI, logging violations and communicating with the management station. The kernel module or device driver captures system calls, which are then evaluated against the policy file. If approved, the call is passed to the kernel's API and does its thing. If denied, an error is returned to the calling procedure. The returned value is a standard kernel-error code, not a proprietary one. It's then up to the application to take action, send an inquiry to the user or exit. Applications do not need to be modified to handle HIP denials.

Vendors at a Glance

Click to Enlarge

In Cisco's and Platform Logic's apps, we created a set of rules, and agents enforced them. These rules could include denying read access to certain files, denying registry write access or controlling what executables can do. Sana's Primary Response differs in that it detects and blocks unexpected behaviors. Instead of creating rules, we let the product's agent profile our machines for the amount of time it took to perform all normal functions. This adaptation process does not take into account time of day. Primary Response then determined a standard behavior model that knows what processes normally access which directories and the order of system calls--Primary Response is unique in being able to detect the normal order in which system calls are made. Our attempts to inject breakout code, for example, were thwarted. One advantage here is that we could just plop the agent on the server and it figured out the rest.

Computer Associates' eTrust Access Control differs from mainstream HIP software in that it has more of an access-control focus, which means the system is based on user-access capabilities instead of processes. This by itself is not inherently better or worse than process-based products, just different. One area that's a good fit with CA's approach is in situations where multiple users need to log into a server, and the operating system's access controls aren't granular enough.In the reader poll for our recent patch-management review "Save Your Ship", more than half of respondents said having the time and staff to test and deploy patches was a big problem. HIP can help here--all products tested protected our unpatched IIS servers from Blaster, Code Red and all other attacks we threw at them. Of course, the next worm might target a hole not covered in our HIP policies, but we're confident that these products will buy us some breathing room.

In addition, during our tests, we were able to install patches surprisingly well. We took our Windows 2000 SP2 IIS Web server and upgraded it to SP4. Cisco's product, with its included Win2K and IIS policies, even let us upgrade without having to disable the agent, though we did have to click an "allow this action to happen" button. If you use a more locked-down policy with administrator restrictions, you may need to turn off the agent. Platform Logic's default Windows policies, for example, didn't let us upgrade unless we disabled the agent or turned off protection, and Sana required us to turn off the agent and then let it re-adapt. CA's product doesn't have canned policies, so your settings determine whether you can install patches or modify policies.

  • 1