Okena builds a better mousetrap

IDS (Intrusion Detection Systems) do little more than inform administrators of a potential violation of a secured space. And because these systems rely on signatures to identify threats, they are incapable of flagging new or unfamiliar kinds of attacks. As a result, using an IDS is akin to using only the rear-view mirror when driving a car; you can see what hit you, but you can't avoid the next collision.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Okena StormWatch 3.2 Okena, okena.com/ Deploy  8.3 criteria score Ease-of-use 7 Implementation 9 Innovation 9 Interoperability 7 Scalability 9 Security 10 Suitability 8 Support 8 Training 7 Value 9 Business Case: Okena'sStormWatch provides a significant measure of protection to both servers and workstations in the network, reducing the likelihood of a successful security breach by crackers or Internet worms. Technology Case: StormWatch delivers network and application firewalling, user-authentication auditing, and event reporting with centrally controlled agents installed on each server and workstation. Pros: + Proactive server and desktop intrusion protection + Secured agent/management communications + Completely modular configuration layout Cons: - Supports only Windows and Solaris 2.8 - Fairly steep learning curve Cost: Management Server, $1,495; Server Agent, $1,800; Desktop Agent, $85 Platforms: Windows NT, 2000, XP; Solaris 2.8 Bottom Line: Okena's intrusion prevention system provides a significant measure of protection to servers and workstations in the network through network and application firewalling, user-authentication auditing, and event reporting using centrally controlled agents installed on each computer. About our Reviews and Scoring Methodology

IPS (Intrusion Prevention Systems) go beyond mere detection to take a proactive approach to security. Developed by Okena (a company in the process of being acquired by Cisco), StormWatch 3.2 is essentially a network and application firewall that runs locally on servers and workstation systems. Available for Windows and Solaris (and soon for Linux, according to Okena), StormWatch server and desktop agents watch for aberrant network or application activity from within the OS, granting or denying requests to the OS on the basis of policies they receive (at intervals you specify) from the StormWatch Management Server.

StormWatch performed exceedingly well during our testing, stopping every remote and local exploit that we threw at it, from IIS buffer overflow bugs to viruses distributed via e-mail. On a purely functional level, StormWatch is a solid product, deserving our highest rating of "Deploy." However, StormWatch takes a more intrusive approach to security than network-based solutions. Implementing it will require careful planning and testing before deployment.

Prepping for prevention

To test StormWatch, we used the Nessus open-source security scanner (www.nessus.org) to attempt to exploit the vulnerabilities of a Windows 2000 server, two Windows workstations, and a Solaris server to see if StormWatch was able to thwart the attacks against them. Nessus scans a host for potential remote vulnerabilities, tries to exploit these vulnerabilities, and generates a report on the status of each system tested.

We installed the StormWatch Management Server on a Windows 2000 Advanced Server system, and installed the agent on two Windows 2000 Professional systems, a Solaris 2.8 server, and a Windows 2000 Advanced Server system running IIS and Microsoft SQL 2000. The installation on all platforms was fairly quick and painless, with the StormWatch Management Server installation requiring an MSDE (Microsoft Data Engine) database at minimum and a Microsoft SQL 2000 server for implementations larger than 500 agents.

The agent can be installed on workstations manually by browsing to the StormWatch server and selecting the agent installation links, or automatically via login scripts or other enterprise client management utilities. Deployment via Active Directory group policies may be possible, but StormWatch does not offer MSI installation packages. Solaris is installed via a standard Solaris package applied with pkgadd.

Immediately after the required reboot following the agent installation, the servers stopped responding to ICMP (Internet Control Message Protocol) echo-requests (ping) because the default firewall policies forbid this packet type. Also forbidden by default server policies were SMB (Server Message Block) drive mappings to other systems and RDP (Remote Desktop Protocol) remote-management connections.

The lack of an RDP service definition was surprising, given the number of system administrators that rely on RDP to manage servers. Even if it wasn't enabled in the default policy, it would be nice to see a predefined RDP rule for easier configuration. On the positive side, this gave us our first opportunity to implement some custom policies and push them to the servers.

The browser-driven StormWatch console is refreshingly utilitarian, providing easy navigation to the various configuration templates, policy rulesets, and reports. Certain functions of the interface can be hard to locate until you become accustomed to looking at the page footer for action buttons, but when you're in that mindset, navigation is fairly intuitive. Handily, the StormWatch console was fully usable with both Internet Explorer, Safari, and Mozilla browsers.