Aside from a flurry of beta releases, security updates, and the usual E.U. he said/she said dance, it's been a pretty quiet week in Redmond. In case you're wondering which betas to watch for (past, present, and near-immediate future), the list includes Vista RC2, Exchange Server 2007 Beta 2 Help, Virtual PC 2007 Beta 1, and PowerShell RC2. All that and the happy announcement that Microsoft will soon be ending support for Windows XP Service Pack 1. (Is it my imagination or was that awfully quick?)
So while you're waiting for the beta bounty or the desktop support complaints, what to do? With all the recent press about new zero-day attacks and software vulnerabilities, we decided to take a look at our overall security strategy. Right now, it's fairly basic. Our smaller businesses tend to rely on a perimeter firewall (or two for that all-important DMZ), desktop firewalls, and corporate-level anti-virus and spyware detection. Midsize customers usually get some kind of network intrusion monitoring thrown in, although the vendors in that space vary widely, even across just our own customer base.
Enterprises are the real squirrels. Security tools are constantly changing with those guys, and the two new hot buttons are end-point security and HIPS (host intrusion prevention systems) -- next to the never-ending challenge to make security compliance reporting effortless, of course. My smaller customers can't get on these wagons right now because neither technology is really all here yet, and I don't like customers that size experimenting with security. Our enterprise customers are more adventurous, but so far, only host intrusion is showing enough progress that we might start recommending it as early as next year for full implementations.
End-point security is characterized by systems such as Cisco's NAC (Network Access Control) or Microsoft's NAP (Network Access Protection) platforms. Basically, it defines a certain security state that clients must adhere to or they're quarantined off the network. Vendors have been trying to get some kind of standard going in this department, but so far that's vapor. There are third-party vendors, such as Altiris, who have complete end-point scanners embedded in their systems, but unless you're already using one to perform desktop or systems management, I can't see tying yourself to a third-party vendor simply for end-point perimeter muscle. Better to wait until the big platform boys get their acts together, and then take stock. Might happen next year; might not.
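As an added illustration of the quarantine model described above (example code, not Microsoft NAP or Cisco NAC): a policy server compares a client's reported health against the required security state and places it on a full-access or remediation VLAN. Field names, thresholds and VLAN ids are assumptions for the example.

```python
# Illustrative NAC/NAP-style health check; not Microsoft NAP or Cisco NAC code.
# A client sends a statement of health (SoH); the policy server compares it with the
# required state and either grants access or quarantines the host on a remediation VLAN.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class StatementOfHealth:
    host: str
    firewall_enabled: bool
    antivirus_enabled: bool
    av_signature_date: date
    missing_critical_patches: int

# Required security state (constructed thresholds): fresh AV signatures, no missing critical patches.
MAX_SIGNATURE_AGE_DAYS = 3
MAX_MISSING_CRITICAL = 0
VLAN = {"full_access": 10, "quarantine": 99}  # constructed ids; 99 reaches only patch/AV servers

def evaluate(soh, today):
    """Return (decision, reasons); decision is 'full_access' or 'quarantine'."""
    reasons = []
    if not soh.firewall_enabled:
        reasons.append("host firewall disabled")
    if not soh.antivirus_enabled:
        reasons.append("antivirus disabled")
    elif (today - soh.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures older than %d days" % MAX_SIGNATURE_AGE_DAYS)
    if soh.missing_critical_patches > MAX_MISSING_CRITICAL:
        reasons.append("%d critical patches missing" % soh.missing_critical_patches)
    return ("quarantine" if reasons else "full_access"), reasons

def triage(clients, today):
    """Map each host to (decision, vlan, reasons) so the switch/DHCP side can enforce it."""
    result = {}
    for soh in clients:
        decision, reasons = evaluate(soh, today)
        result[soh.host] = (decision, VLAN[decision], reasons)
    return result

# Constructed sample clients as of a constructed policy-check date.
TODAY = date(2006, 10, 6)
SAMPLE_CLIENTS = [
    StatementOfHealth("ws-01", True, True, TODAY - timedelta(days=1), 0),   # compliant
    StatementOfHealth("ws-02", True, True, TODAY - timedelta(days=10), 0),  # stale AV signatures
    StatementOfHealth("ws-03", False, True, TODAY, 2),                      # firewall off, unpatched
]
if __name__ == "__main__":
    for host, (decision, vlan, reasons) in triage(SAMPLE_CLIENTS, TODAY).items():
        print(host, decision, "VLAN", vlan, "; ".join(reasons))
```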
HIPS is a better bet — and in some ways is related to NAC/NAP. This technology is pretty new, but there are bigger vendors working on it. McAfee has had a system for a while, called (imaginatively) Host Intrusion Prevention. ISS has one, called Proventia, and Symantec also has one called Critical System Protection. And, yes, there are more. Microsoft is undoubtedly working on its own in some Redmond tech dungeon, but right now, it's a third-party game.