Enterprise PCs, once nestled behind perimeter security devices, are the new security frontier for 2005. Roving laptops may return to the corporate mother ship with malware that propagates itself throughout the soft chewy inside of the enterprise network. Even stationary desktops can fall victim to rogue programs that exploit OS and application vulnerabilities or are downloaded by end users.
While desktop anti-virus software has become the de facto security standard on enterprise PCs, it’s clear that anti-virus alone can’t protect these assets. For instance, spyware programs that track user surfing habits often aren’t covered in anti-virus signature libraries and usually get passed over during search-and-destroy scans.
And when it comes to zero-day attacks, all signature-based solutions are helpless until malware researchers can identify and distribute patterns to detect the new exploits. At the top of the list is anti-spyware technology, which aims to detect and remove keystroke loggers and Trojans, as well as the annoying adware programs that violate privacy and affect PC performance.
Lastly, vendors are putting together integrated suites that start with a personal firewall, then add multiple security features into a single product to simplify desktop security management.
All three categories offer stronger protection for enterprise PCs than anti-virus solutions can alone, but savvy network architects know that every silver lining carries a dark cloud.
Hosted Intrusion Protection Systems (HIPs) are notoriously finicky and require careful tweaking and tuning to ensure that harmless applications are allowed to run unhindered.
In a recent reader poll conducted by Network Magazine, 93 percent of respondents said spyware was a serious problem, even though nearly 100 percent had anti-virus software installed. In fact, a crop of upstarts, abetted by incumbent anti-virus vendors’ slow response to the spyware problem, carved out market share by protecting consumers and corporations from this new breed of intrusive software.
“There’s a liability issue with spyware,” says Bob Hansmann, product marketing manager at Trend Micro. Spyware researchers at Trend Labs have to coordinate with Trend Micro’s legal department before including software in a detection database.
Finally, spyware (and adware in particular) is often more difficult to remove than viruses. Sygate licenses detection and removal technology from Lavasoft, which makes the popular Ad-Aware detection and removal software, to power the spyware engine in its Sygate Secure Enterprise suite.
Because a HIPS can block both known and unknown exploits, administrators can test and deploy software fixes during regular maintenance windows instead of during emergencies. The dominant technology for HIPSs is behavioral analysis, which uses various methods to examine the kinds of actions taken by a program or application. Actions that appear malicious, such as attempting a buffer overflow or opening a network connection, will trigger the HIPS agent.
While eEye wants to differentiate Blink from its system call brethren, version 2.0 of the product hedges its bets by also including a buffer overflow protection module similar to those found on Entercept and other system call interceptors.
HIPSs also aren’t a replacement for anti-virus and anti-spy software. They won’t catch macro viruses, file infectors, boot sector viruses, and e-mail worms because these classes of malware tend to operate inside known good applications. Also, HIPSs can’t prevent malware from being loaded onto a machine; they have to wait until a program executes before they can check for malicious behavior.
And while HIPSs can catch keystroke loggers, Trojans, and other malware that gets lumped into the spyware category, they have difficulty identifying user-tracking adware.
Lastly, HIPSs don’t remove any of the malware they detect.
One of the problems with PC security solutions is that they multiply the administrators’ management burdens. Every security agent that sits on a machine requires policy, signature, and software updates, not to mention the licenses that need to be tracked. And of course, it goes without saying that deploying multiple solutions can be prohibitively expensive.
In short, agent-based cures can almost be as much trouble as the disease.
2005 saw an explosion of new products that combine multiple functions into a single package, including anti-virus, firewall, HIPS, and anti-spyware features.
Andre Gold, director of information security at Continental Airlines, was looking into eEye’s Blink 1.6 to run on a limited number of workstations. But after learning that version 2.0 was going to include a new anti-spyware capability, he decided to roll it out across 20,000 devices, including customer-facing kiosks, reservation servers, and corporate desktops and laptops.
A popular combination includes anti-virus software to detect viruses and other malware and a personal firewall to control which ports the computer can use for network communication. If an unknown application starts, the security agent can alert an administrator or simply prevent the application from running. However, administrators would be wise to quiz vendors carefully regarding bundled solutions. For instance, many of the products listed in the table have anti-spyware capabilities, but you have to dig deeper to find out just what that means. Check Point’s Integrity 6.0, for example, can detect and quarantine some spyware (that is, prevent the spyware program from operating), but it can’t actually clean the files off your machines–you’ll need another product to do that.
eEye’s Blink 2.0 includes host vulnerability assessment, so you can scan each of your hosts for problems that may lead to security exploits. However, to aggregate scan results and remediate the vulnerabilities you discover, you’ll need eEye’s REM management console.
Despite the maturity issue, anti-spyware and HIPSs can still be deployed in the enterprise, especially on PCs that face significant risks, such as laptops that spend significant time outside the corporate network. Any software that tinkers with registries, excises executables, or generally deletes files runs the risk of damaging computers.
http://www.networkingpipeline.com/shared/article/printablePipelineArticle.jhtml;jsessionid=DNUAIIN4HSGH2QSNDBCCKH0CJUMEKJVN?articleId=60403206