StormWatch adds layer of protection

Product review: Intrusion-prevention software blocks attacks at operating system level

Is it too good to be true? Okena Inc., which Cisco Systems Inc. is in the process of acquiring, advertises that its StormWatch program can protect workstations from both known and unknown types of attacks and do it all without the need for signatures that detect attack patterns.

Knowledgeable industry observers have predicted for years the demise of signatures for detecting viruses. Their main arguments are that signatures — which rely on a database of attack methods and then compare collected data against known attack patterns — do not protect against unknown types of attack and that the sheer number of viruses would soon clog virus-detection systems.

In fact, signature-based antivirus products now dominate the market while their competitors have foundered. Intrusion-detection products must have taken note of antivirus signatures' success, because most successful products use signatures to detect standard attacks.

We quickly discovered, however, that StormWatch should be classified not as an intrusion-detection tool, but as a member of a new category of "intrusion-prevention" products. When intrusions can be prevented, do they need to be detected? We were about to find out.

Installation was a two-step process. First, we installed the Management Console on a Microsoft Corp. Windows 2000 server, and from this server we generated agents we then installed on the workstations and servers we wanted to protect. Although we hardly glanced at the installation documentation, the total process, using all the defaults, took only about 30 minutes.

We had forgotten that the Management Console cannot be run on a server that hosts a Web server, but the installation program alerted us in time to fix the problem. The console installs its own Apache Web server that it uses to administer StormWatch, as well as to provide access to the StormWatch client agents.

From our test workstations, we used a Web browser to access the Management Console. We selected and then executed the correct agent-install package for each PC. A few file copy dialog boxes flashed by too quickly to read, and the screen momentarily went blank. After 30 seconds, a message appeared telling us the machine would reboot.

Buyers should definitely warn their users about this step before deploying the agents to their network. In fact, we recommend removing the automatic reboot to make installation virtually transparent to the user. The client agent services will be started the next time the user reboots.

As our first test after installing the client on a workstation, we tried to install the popular Adobe Systems Inc. Acrobat Reader. We were able to install the software, but only after several prompts from the StormWatch client. Clearly, the default policy will need to be modified before most organizations will want to deploy the software. If you spend adequate time researching what programs end users are installing, you can set StormWatch policies for them and avoid trouble tickets at your help desk.

Our next step was attempting to deliberately delete parts of the operating system. Despite our best efforts, we were unable to delete any of the system files contained in the SYSTEM32 subdirectory. StormWatch had hooked directly into the operating system kernel, and we were not able to get around it to damage the parts it was protecting.

Next we installed Silent Log, a common tool used to record keystrokes on a Windows PC in hopes of capturing passwords. But when we executed this keylogger, the agent presented a popup message stating that a program was attempting to capture keystrokes and asking if we wanted to terminate the program.

We were starting to be impressed. However, we should note that when we allowed the Silent Log program to run once, we were never prompted about it again. We recommend altering StormWatch's policies so that the user is not given a choice to allow or deny such activities.

It was then time for some serious hacking, so we readied a Linux workstation as an attack platform. To make things interesting, we installed Microsoft's Internet Information System 5.1 on a Windows XP client workstation and enabled its Simple Mail Transfer Protocol, FTP and HTTP services. Then we launched our assault using port and vulnerability scanners.

To get a true picture of how well the agent was protecting the machines, we recorded results both before and after the agent was installed. The results were dramatic.

We employed real-world tools often used by hackers. First, we ran port scans using Insecure.org's popular Network Mapper tool. The agent caused our view of the ports to disappear. Then we used the Nessus scanner for Linux to scan the target workstations for vulnerabilities. After activating the agent, the Nessus report was reduced from 10 pages to only one page.

The only findings from Nessus related to the Windows NetBIOS name service running on TCP port 137. The agent allows this service to continue functioning by default, but again we were able to tweak policies to drop even this network traffic. Essentially, there were no vulnerabilities we could use to break into these machines. Even a simple ping command to their IP addresses would not reveal their network names.
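The before-and-after comparison the reviewers describe is easy to automate, and doing so gives a defender a repeatable measure of how much exposure an agent removes. The block below is an added example, not code from the review or from Okena: it parses two port scans saved in nmap's grepable (-oG) layout and reports, per host, which open ports disappeared once the agent was active. The two scan listings embedded in it are constructed sample data, not the reviewers' results.

```python
"""Compare host port exposure before and after a protective agent is deployed.

Added example, not part of the original review and not Okena/Cisco code.
Input is nmap's grepable (-oG) layout; the listings below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

PortSet = Set[Tuple[int, str]]

# Constructed baseline: two hosts scanned before the agent was installed.
BASELINE_SCAN = """\
# Nmap scan (constructed baseline, agent not installed)
Host: 192.0.2.10 (xp-client)\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, 80/open/tcp//http///, 137/open/tcp//netbios-ns///
Host: 192.0.2.20 (w2k-server)\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///
"""

# Constructed follow-up: the same hosts with the agent active. The second
# host answers with no port list at all, which must count as "nothing open".
AGENT_SCAN = """\
# Nmap scan (constructed, agent active)
Host: 192.0.2.10 (xp-client)\tPorts: 137/open/tcp//netbios-ns///
Host: 192.0.2.20 (w2k-server)\tStatus: Up
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s*(.*)$")


def parse_grepable(text: str) -> Dict[str, PortSet]:
    """Return {ip: {(port, proto), ...}} for every port reported as open."""
    hosts: Dict[str, PortSet] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports: field
        ip, _name, ports = m.groups()
        open_ports: PortSet = set()
        for entry in ports.split(","):
            entry = entry.strip()
            if not entry:
                continue
            # grepable port fields: port/state/proto/owner/service/rpc/version
            fields = entry.split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        hosts[ip] = open_ports
    return hosts


def exposure_delta(before: Dict[str, PortSet], after: Dict[str, PortSet]) -> Dict[str, Dict[str, List[Tuple[int, str]]]]:
    """Per host: ports the agent closed, ports still open, ports newly seen."""
    report: Dict[str, Dict[str, List[Tuple[int, str]]]] = {}
    for ip, was_open in before.items():
        now_open = after.get(ip, set())  # absent from the later scan => nothing open
        report[ip] = {
            "closed": sorted(was_open - now_open),
            "still_open": sorted(was_open & now_open),
            "new": sorted(now_open - was_open),
        }
    for ip in after.keys() - before.keys():  # hosts that only appeared afterwards
        report[ip] = {"closed": [], "still_open": [], "new": sorted(after[ip])}
    return report


def compare_scans(before_text: str, after_text: str) -> Dict[str, Dict[str, List[Tuple[int, str]]]]:
    """Convenience wrapper: parse both listings and diff them."""
    return exposure_delta(parse_grepable(before_text), parse_grepable(after_text))


def summarize(report: Dict[str, Dict[str, List[Tuple[int, str]]]]) -> Tuple[int, int]:
    """Total open ports across all hosts (before, after)."""
    before = sum(len(r["closed"]) + len(r["still_open"]) for r in report.values())
    after = sum(len(r["still_open"]) + len(r["new"]) for r in report.values())
    return before, after


if __name__ == "__main__":
    result = compare_scans(BASELINE_SCAN, AGENT_SCAN)
    for ip, entry in sorted(result.items()):
        print(ip, "closed:", entry["closed"], "still open:", entry["still_open"], "new:", entry["new"])
    print("open ports before/after:", summarize(result))
```

Ports that remain open after deployment (here the NetBIOS name service the review mentions) are the ones worth a policy decision; ports that appear only in the later scan deserve a second look, since an agent should never widen exposure.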

We conclude that even though the agent is not advertised as a firewall, it does intercept unauthorized access to network resources both to and from the host. Therefore, the agent can function as a personal software firewall.

All of our other tests hit the brick wall of the agent. We were not surprised to learn that the recent SQL Slammer worm was unable to infect machines running the StormWatch agent.

We give the agent high marks for working as advertised. We also give it high marks for not slowing down the system. We've been disappointed recently by incomplete uninstalls of other products, so we were pleased to find that despite its intimacy with the operating system, StormWatch can uninstall itself smoothly, leaving behind no trace.

Some of the techniques used by the agent are similar to those found in other products, such as Tiny Trojan Trap from Tiny Software Inc., SurfinGuard from Finjan Software Inc. and the application protection feature of BlackICE from Internet Security Systems Inc. But the network feature is something we have not seen before.

The Management Console comprises a sleek Web interface that is well organized and intuitive. From the home page of the interface, we were never more than a few clicks from any function in the console. We give StormWatch high marks for the quality interface and included help files.

The console allows for real-time management of the agents and for reporting their events. Although event deciphering is easy and intuitive with our small test bed, we could not imagine handling event reports from a network with even a few hundred machines on it.

We could see several places for improvement that would make the events report scalable. For example, events can be filtered by host name, but it should also be possible to filter them by the console's host groups. Filtering by IP address would also be helpful when trying to determine the physical location of affected hosts.

The concept of grouping hosts at the console is useful. However, machines could only be added manually. A feature to add machines to groups based on IP address or machine name would be essential in networks such as ours, with more than 10,000 machines.
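Rule-based grouping of the kind the reviewers ask for, and the group and IP-range event filtering they wanted, is straightforward to script. The block below is an added illustration, not the review's or StormWatch's own console code: it assigns hosts to groups by IP range and machine-name pattern, then filters an event feed by group or by address range. The group rules, the host list and the event lines are constructed sample data.

```python
"""Rule-based host grouping and event filtering for an agent console.

Added example, not part of the original review and not StormWatch code.
Hosts are placed into groups by CIDR range and/or a name pattern instead of
by hand, and an event feed is then filtered by group or by address range.
All rules, hosts and event lines below are constructed samples.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Host:
    name: str
    ip: ipaddress.IPv4Address


@dataclass(frozen=True)
class GroupRule:
    group: str
    cidr: Optional[str] = None          # e.g. "10.20.0.0/16"
    name_pattern: Optional[str] = None  # regex anchored at the start of the host name

    def matches(self, host: Host) -> bool:
        if self.cidr and host.ip not in ipaddress.ip_network(self.cidr):
            return False
        if self.name_pattern and not re.match(self.name_pattern, host.name, re.IGNORECASE):
            return False
        return True


# Constructed rules. The first matching rule wins, so list specific ones first.
RULES = [
    GroupRule("austin-servers", cidr="10.20.0.0/24", name_pattern=r"^srv-"),
    GroupRule("austin-desktops", cidr="10.20.0.0/16"),
    GroupRule("dallas", cidr="10.30.0.0/16"),
]

# Constructed host inventory (names and addresses are made up).
SAMPLE_HOSTS = [
    Host("srv-web01", ipaddress.IPv4Address("10.20.0.5")),
    Host("wks-0042", ipaddress.IPv4Address("10.20.7.19")),
    Host("srv-db01", ipaddress.IPv4Address("10.30.1.8")),
    Host("lab-box", ipaddress.IPv4Address("192.0.2.9")),
]

# Constructed event lines in an invented "key=value" layout; the last line is
# deliberately malformed so the parser's skip path is exercised.
SAMPLE_EVENTS = """\
2003-02-12 09:14:05 host=srv-web01 ip=10.20.0.5 event=file_write_denied target=system32
2003-02-12 09:15:22 host=wks-0042 ip=10.20.7.19 event=keystroke_capture_blocked proc=silentlog.exe
2003-02-12 09:16:01 host=srv-db01 ip=10.30.1.8 event=inbound_connection_dropped port=1434/udp
2003-02-12 09:16:40 host=lab-box ip=192.0.2.9 event=inbound_connection_dropped port=137/tcp
this line is not an event and must be ignored
""".splitlines()

EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)")


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    ip: ipaddress.IPv4Address
    kind: str


def assign_group(host: Host, rules: List[GroupRule]) -> str:
    """Return the first matching group name, or 'unassigned'."""
    for rule in rules:
        if rule.matches(host):
            return rule.group
    return "unassigned"


def build_inventory(hosts: List[Host], rules: List[GroupRule]) -> Dict[str, str]:
    """Map host name -> group for every host in the inventory."""
    return {h.name: assign_group(h, rules) for h in hosts}


def parse_events(lines: List[str]) -> List[Event]:
    """Parse well-formed event lines; malformed lines are skipped."""
    events: List[Event] = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], ipaddress.IPv4Address(m["ip"]), m["event"]))
    return events


def filter_events(events: List[Event], inventory: Dict[str, str],
                  group: Optional[str] = None, cidr: Optional[str] = None) -> List[Event]:
    """Keep events whose host is in `group` and/or whose address is inside `cidr`."""
    net = ipaddress.ip_network(cidr) if cidr else None
    keep: List[Event] = []
    for ev in events:
        if group is not None and inventory.get(ev.host, "unassigned") != group:
            continue
        if net is not None and ev.ip not in net:
            continue
        keep.append(ev)
    return keep


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_HOSTS, RULES)
    print("inventory:", inventory)
    for ev in filter_events(parse_events(SAMPLE_EVENTS), inventory, cidr="10.20.0.0/16"):
        print(ev.ts, ev.host, ev.kind)
```

Hosts that fall through every rule land in "unassigned", which is the list an administrator should review after each inventory import; a silently mis-grouped host would otherwise inherit the wrong policy.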

When deploying this product at a large agency, there probably will be users who are prevented from doing their work by some unforeseen combination of applications that violates a security policy. When that happens, someone intimately familiar with StormWatch must modify the appropriate policies, and that person must be able to certify that the policy is still secure and that no new vulnerability has been introduced. So although policy modification is easy to get the hang of, and although it quickly becomes tedious, it should nonetheless be done only by a competent analyst.

For protecting a network with 100 hosts or fewer and extreme security requirements, we rate StormWatch a must-have.

For protecting a medium data center with fewer than 100 servers, we rate it an A+. The agent may be more valuable on the servers than on the workstations.

For protecting an enterprise network with thousands of workstations and servers, we rate it a C+ because of the administrative overhead. But future improvements may lead us to upgrade that rating. Considering the large amount of complex network traffic on our test network, the StormWatch team has done a remarkable job of identifying actual attacks. We don't want to underestimate them.

Should administrators abandon signature-based security programs? Actually, from the beginning, such programs have nearly always included a certain amount of generic behavior detection. We feel that such products will continue to be viable, especially when they are packaged with other types of security tools.

Greer and Bishop are network analysts at a large Texas state agency. They can be reached at Earl.Greer@dhs.state.tx.us.

REPORT CARD

StormWatch 3.2

Score: B+

Okena Inc.
(781) 209-3200
www.okena.com

The Management Console costs $4,995; Server Agent, $1,800; and Desktop Agent, $85.

Because StormWatch protects the integrity of the operating system and existing applications on a workstation, it doesn't need signature updates and it can protect against undiscovered types of attacks. It is ideal for small to medium networks, but administrators of larger networks may find constantly adjusting for new applications to be burdensome.

The workstation agents run on Microsoft Corp. Windows NT 4.0/2000/XP and Sun Microsystems Inc. Solaris 8. The Management Console runs on Windows 2000 Server.
