Attack of the inhospitable host

Host-based intrusion detection and prevention products are available from a smattering of vendors, including big guns such as Cisco, Internet Security Systems, McAfee, and Symantec, but Sana Security’s Primary Response is the one that stands out, and for several reasons.

First and foremost, it is focused on protecting servers -- more specifically, Microsoft Windows and Sun Solaris servers. In addition, Primary Response takes an innovative approach to application security, learning normal code paths taken during the execution of system calls, including local file access, and stepping in when it detects deviations to prevent attacks. And it can be installed and configured quickly and can be managed centrally via a Web browser.

Primary Response consists of a management server and “adaptive profiling” agents. The agents run on your Windows or Solaris hosts, monitoring those servers and reporting back to the management box. We found that the product requires several days of “learning” before the agent can establish a baseline of normal application usage. Protection against buffer overflow attacks, however, is provided right out of the box without any need for tuning.

Primary Response is a breeze to manage. We liked the granular options for blocking file access during an anomalous event, and we appreciated the agent’s ability to learn a server’s behavior on an incremental basis and to “readapt” after an OS is patched, for example. 

During our testing, while running Primary Response in learning mode, the product detected a breach of a Windows IIS server and the installation of a virus that caused a massive DoS attack on the local network. Sana’s forensics tool helped us trace the attack to a system in Taiwan.

Primary Response provides effective host protection, but it would be nice if the product did more. For example, integration with a signature-based detection system would enable it to identify other potentially harmful occurrences rather than just those that are anomalous in nature.

It also struck us that, with an anomaly-based network IDS in place and the security features of Windows 2000 or Windows Server 2003 fully enabled, such host protection may not be necessary. But when a server is mission-critical, you don’t take chances. For those who need airtight security, Primary Response provides a hedge against unknown vulnerabilities lurking in Windows and Solaris, as well as protection against insider attacks that a network IDS may not catch.

-- Mark A. Givens and Charles D. Herring of the Naval Postgraduate School contributed to this review.

(Return to special report)