StormWatch adds layer of protection
- By Earl Greer, Vincil Bishop
- Apr 14, 2003
Is it too good to be true? Okena Inc., which Cisco Systems Inc. is in the process of acquiring, advertises that its StormWatch program can protect workstations from both known and unknown types of attacks and do it all without the need for signatures that detect attack patterns.
Knowledgeable industry observers have predicted for years the demise of signatures for detecting viruses. Their main arguments are that signatures — which rely on a database of attack methods and then compare collected data against known attack patterns — do not protect against unknown types of attack and that the sheer number of viruses would soon clog virus-detection systems.
In fact, signature-based antivirus products now dominate the market while their competitors have foundered. Intrusion-detection products must have taken note of antivirus signatures' success, because most successful products use signatures to detect standard attacks.
We quickly discovered, however, that StormWatch should be classified not as an intrusion-detection tool, but as a member of a new category of "intrusion-prevention" products. When intrusions can be prevented, do they need to be detected? We were about to find out.
Installation was a two-step process. First, we installed the Management Console on a Microsoft Corp. Windows 2000 server, and from this server we generated agents we then installed on the workstations and servers we wanted to protect. Although we hardly glanced at the installation documentation, the total process, using all the defaults, took only about 30 minutes.
We had forgotten that the Management Console cannot be run on a server that hosts a Web server, but the installation program alerted us in time to fix the problem. The console installs its own Apache Web server that it uses to administer StormWatch, as well as to provide access to the StormWatch client agents.
From our test workstations, we used a Web browser to access the Management Console. We selected and then executed the correct agent-install package for each PC. A few file copy dialog boxes flashed by too quickly to read, and the screen momentarily went blank. After 30 seconds, a message appeared telling us the machine would reboot.
Buyers should definitely warn their users about this step before deploying the agents to their network. In fact, we recommend removing the automatic reboot to make installation virtually transparent to the user. The client agent services will be started the next time the user reboots.
As our first test after installing the client on a workstation, we tried to install the popular Adobe Systems Inc. Acrobat Reader. We were able to install the software, but only after several prompts from the StormWatch client. Clearly, the default policy will need to be modified before most organizations will want to deploy the software. If you spend adequate time researching what programs end users are installing, you can set StormWatch policies for them and avoid trouble tickets at your help desk.
Our next step was attempting to deliberately delete parts of the operating system. Despite our best efforts, we were unable to delete any of the system files contained in the SYSTEM32 subdirectory. StormWatch had hooked directly into the operating system kernel, and we were not able to get around it to damage the parts it was protecting.
Next we installed Silent Log, a common tool used to record keystrokes on a Windows PC in hopes of capturing passwords. But when we executed this keylogger, the agent presented a popup message stating that a program was attempting to capture keystrokes and asking if we wanted to terminate the program.
We were starting to be impressed. However, we should note that when we allowed the Silent Log program to run once, we were never prompted about it again. We recommend altering StormWatch's policies so that the user is not given a choice to allow or deny such activities.
It was then time for some serious hacking, so we readied a Linux workstation as an attack platform. To make things interesting, we installed Microsoft's Internet Information System 5.1 on a Windows XP client workstation and enabled its Simple Mail Transfer Protocol, FTP and HTTP services. Then we launched our assault using port and vulnerability scanners.
To get a true picture of how well the agent was protecting the machines, we recorded results both before and after the agent was installed. The results were dramatic.
We employed real-world tools often used by hackers. First, we ran port scans using Insecure.org's popular Network Mapper tool. With the agent active, the open ports disappeared from our scan results. Then we used the Nessus scanner for Linux to scan the target workstations for vulnerabilities. After activating the agent, the Nessus report was reduced from 10 pages to only one page.
The only findings from Nessus related to the Windows NetBIOS name service running on TCP port 137. The agent allows this service to continue functioning by default, but again we were able to tweak policies to drop even this network traffic. Essentially, there were no vulnerabilities we could use to break into these machines. Even a simple ping command to their IP addresses would not reveal their network names.
We conclude that even though the agent is not advertised as a firewall, it does intercept unauthorized access to network resources both to and from the host. Therefore, the agent can function as a personal software firewall.
All of our other tests ran into the agent's brick wall. We were not surprised to learn that the recent SQL Slammer worm was unable to infect machines running the StormWatch agent.
We give the agent high marks for working as advertised. We also give it high marks for not slowing down the system. We've been disappointed recently by incomplete uninstalls of other products, so we were pleased to find that despite its intimacy with the operating system, StormWatch can uninstall itself smoothly, leaving behind no trace.
Some of the techniques used by the agent are similar to those found in other products, such as Tiny Trojan Trap from Tiny Software Inc., SurfinGuard from Finjan Software Inc. and the application protection feature of BlackICE from Internet Security Systems Inc. But the network feature is something we have not seen before.
The Management Console comprises a sleek Web interface that is well organized and intuitive. From the home page of the interface, we were never more than a few clicks from any function in the console. We give StormWatch high marks for the quality interface and included help files.
The console allows for real-time management of the agents and for reporting their events. Although event deciphering is easy and intuitive with our small test bed, we could not imagine handling event reports from a network with even a few hundred machines on it.
We could see several places for improvement that would make the events report scalable. For example, events can be filtered by host name, but the console should also allow filtering by the groups it defines. Filtering by IP address would also be helpful when trying to determine the physical location of affected hosts.
The concept of grouping hosts at the console is useful. However, machines could only be added manually. A feature to add machines to groups based on IP address or machine name would be essential in networks such as ours, with more than 10,000 machines.
When deploying this product at a large agency, there probably will be users who are prevented from doing their work because of some unforeseen combination of applications that violates a security policy. When that happens, you must have someone intimately familiar with StormWatch to modify the appropriate policies. This person must be able to certify that the policy is still secure and that another vulnerability was not introduced. So although policy modification is easy to learn, and although it quickly becomes a tedious task, it should nonetheless be done only by a competent analyst.
For protecting a network with 100 hosts or fewer and extreme security requirements, we rate StormWatch a must-have.
For protecting a medium data center with fewer than 100 servers, we rate it an A+. The agent may be more valuable on the servers than on the workstations.
For protecting an enterprise network with thousands of workstations and servers, we rate it a C+ because of the administrative overhead. But future improvements may lead us to upgrade that rating. Considering the large amount of complex network traffic on our test network, the StormWatch team has done a remarkable job of identifying actual attacks. We don't want to underestimate them.
Should administrators abandon signature-based security programs? Actually, from the beginning, such programs have nearly always included a certain amount of generic behavior detection. We feel that such products will continue to be viable, especially when they are packaged with other types of security tools.
Greer and Bishop are network analysts at a large Texas state agency. They can be reached at Earl.Greer@dhs.state.tx.us.