Okena builds a better mousetrap
StormWatch 3.2 intrusion prevention system provides peace of mind for the patch-wearyFollow @pvenezia
IDS (Intrusion Detection Systems) do little more than inform administrators of a potential violation of a secured space. And because these systems rely on signatures to identify threats, they are incapable of flagging new or unfamiliar kinds of attacks. As a result, using an IDS is akin to using only the rear-view mirror when driving a car; you can see what hit you, but you can't avoid the next collision.
IPS (Intrusion Prevention Systems) go beyond mere detection to take a proactive approach to security. Developed by Okena (a company in the process of being acquired by Cisco), StormWatch 3.2 is essentially a network and application firewall that runs locally on servers and workstation systems. Available for Windows and Solaris (and soon for Linux, according to Okena), StormWatch server and desktop agents watch for aberrant network or application activity from within the OS, granting or denying requests to the OS on the basis of policies they receive (at intervals you specify) from the StormWatch Management Server.
StormWatch performed exceedingly well during our testing, stopping every remote and local exploit that we threw at it, from IIS buffer overflow bugs to viruses distributed via e-mail. On a purely functional level, StormWatch is a solid product, deserving our highest rating of "Deploy." However, StormWatch takes a more intrusive approach to security than network-based solutions. Implementing it will require careful planning and testing before deployment.
Prepping for prevention
To test StormWatch, we used the Nessus open-source security scanner ( ) to attempt to exploit the vulnerabilities of a Windows 2000 server, two Windows workstations, and a Solaris server to see if StormWatch was able to thwart the attacks against them. Nessus scans a host for potential remote vulnerabilities, tries to exploit these vulnerabilities, and generates a report on the status of each system tested.
We installed the StormWatch Management Server on a Windows 2000 Advanced Server system, and installed the agent on two Windows 2000 Professional systems, a Solaris 2.8 server, and a Windows 2000 Advanced Server system running IIS and Microsoft SQL 2000. The installation on all platforms was fairly quick and painless, with the StormWatch Management Server installation requiring an MSDE (Microsoft Data Engine) database at minimum and a Microsoft SQL 2000 server for implementations larger than 500 agents.
The agent can be installed on workstations manually by browsing to the StormWatch server and selecting the agent installation links, or automatically via login scripts or other enterprise client management utilities. Deployment via Active Directory group policies may be possible, but StormWatch does not offer MSI installation packages. Solaris is installed via a standard Solaris package applied with pkgadd.