Aside from a flurry of beta releases, security updates, and the usual E.U. he said/she said dance, it's been a pretty quiet week in Redmond. In case you're wondering which betas to watch for (past, present, and near-immediate future), the list includes Vista RC2, Exchange Server 2007 Beta 2 Help, Virtual PC 2007 Beta 1, and PowerShell RC2. All that and the happy announcement that Microsoft will soon be ending support for Windows XP Service Pack 1. (Is it my imagination or was that awfully quick?)
So while you're waiting for the beta bounty or the desktop support complaints, what to do? With all the recent press about new zero-day attacks and software vulnerabilities, we decided to take a look at our overall security strategy. Right now, it's fairly basic. Our smaller businesses tend to rely on a perimeter firewall (or two for that all-important DMZ), desktop firewalls, and corporate-level anti-virus and spyware detection. Midsize customers usually get some kind of network intrusion monitoring thrown in, although the vendors in that space are really varied, even among just our customer portfolios.
Enterprises are the real squirrels. Security tools are constantly changing with those guys, and the two new hot buttons are end-point security and HIPS (host intrusion prevention systems) -- next to the never-ending challenge to make security compliance reporting effortless, of course. My smaller customers can't get on these wagons right now because neither technology is really all here yet, and I don't like customers that size experimenting with security. Our enterprise customers are more adventurous, but so far, only host intrusion is showing enough progress that we might start recommending it as early as next year for full implementations.
End-point security is characterized by systems such as Cisco's NAC (Network Access Control) or Microsoft's NAP (Network Access Protection) platforms. Basically, it defines a certain security state that clients must adhere to or they're quarantined off the network. Vendors have been trying to get some kind of standard going in this department, but so far that's vapor. There are third-party vendors, such as Altiris, who have complete end-point scanners embedded in their systems, but unless you're already using one to perform desktop or systems management, I can't see tying yourself to a third-party vendor simply for end-point perimeter muscle. Better to wait until the big platform boys get their acts together, and then take stock. Might happen next year; might not.
HIPS is a better bet — and in some ways is related to NAC/NAP. This technology is pretty new, but there are bigger vendors working on it. McAfee has had a system for a while, called (imaginatively) Host Intrusion Prevention. ISS has one, called Proventia, and Symantec also has one called Critical System Protection. And, yes, there are more. Microsoft is undoubtedly working on its own in some Redmond tech dungeon, but right now, it's a third-party game.
The technology aims to combine anti-virus, anti-malware, and network intrusion detection into an intelligent overall security umbrella that covers your entire desktop -- and sometimes server -- landscape. The only problem with HIPS is the same problem you encounter with any "umbrella" technology: When the term becomes a buzzword, everyone scurries to get under and out of the rain — no matter what they actually do.
For example, some vendors are trying to call their wares HIPS with single-application support -- a specific database, for example. That doesn't do it for me. HIPS needs to be broad. To keep me dry, the HIPS umbrella needs to be as diverse as possible, from desktop to network. That includes network-level scanning: port scanning and traffic scanning, preferably. The anti-virus/malware deal is a given, but how deeply -- and for which attacks -- is still evolving. Again, for me, that needs to be as deep as possible.
Perhaps most important for systems administrators is how much impact HIPS will have on network and network application performance. Scanning of any kind takes overhead, and something as broad and smart as a HIPS platform is going to be making some CPUs smoke somewhere. So the big question is: where are those CPUs, and exactly how much smoke are we talking about?
As long as it's not coming out of my users' ears, I'm happy, but somebody needs to show me that in real life. Right now, that question is still up in the air, and as far as I'm concerned, that puts HIPS up in the air — at least for production-level deployment.