Category: Product

“Servers that have the host-based security agent on them are usually the most cooperative servers,” Pescatore said. “They’re the least the likely to go wrong. Where the security problems come from are rogue servers that pop up on the network that are not in the right configuration.” “So, if you’re only an agent-based solution, you’ll never see them. You’re only looking at what you’re controlling. That definitely fills a hole and they had to have it. ESM had hit that wall.”

ESM’s architecture was host-based, meaning it deployed agents, or software code that monitors, manages and reports on each machine’s status on a network. The software then checks the system information against assessment templates for government regulations like Sarbanes-Oxley and Health Insurance Portability and Accountability (HIPAA). Although these agents ensure that a computer has the latest patches and current user permissions, they also must be installed on every computer in the enterprise.

The company makes agent-less security management products based on credentialed access, considered ideal for automating security and policy compliance management on computers throughout an enterprise, regardless of where the machines operate. Symantec has said it will sell the BindView assets alongside ESM to give customers the choice of agent-based or agent-less security software, but analysts think the clock is ticking for architectures like ESM.

Many customers are clamoring for the credentialed access, he said, noting that agent-based solutions like ESM are both expensive and time-consuming because the agent has to be installed on every single thing on the network.

Mike Rothman, founder of new security research firm Security Incite, said that Symantec has to figure out what to do with ESM now that is has a more modern policy management software in place. “But again the mentality of buying BindView was to get that functionality but with an up-to-date and strategic architecture.” Rothman also noted Symantec isn’t the only company to make such a play, choosing to buy a company with market traction and a healthy install base to sink its teeth into the market.

http://www.internetnews.com/security/article.php/3579076

One big change in Vista is in the TCP/IP networking stack itself. Vista has a totally revamped Next Generation TCP/IP stack that has a ton of enhancements with regard to performance, scalability, and extensibility. There’s also a new architecture called Windows Filtering Platform (WFP) that provides APIs for accessing packets at virtually any point in the path as they are processed by the stack. These changes to the stack affect how IPSec works because of the addition of built-in callout functions that can be used for IPSec communications.

A list of APIs for this feature can be found on MSDN if you’re a developer interesting in building IPSec-aware applications and tools. Note that these APIs, like any other feature of Vista, are subject to change before RTM.

Another change in Vista is that management of IPSec and Windows Firewall now are tied closely together. This is accomplished by integrating the firewall filtering functions and IPSec protection settings and managing them using a single snap-in called Windows Firewall with Advanced Security.

There are also unified command-line tools you can use as well to manage both Windows Firewall and IPSec settings. In fact, even the Group Policy settings for Windows Firewall and IPSec are now in the same place with Vista and are found under Computer ConfigurationWindows SettingsSecurity SettingsWindows Firewall with Advanced Security. That means in existing Windows XP and Windows Server 2003 platforms, it’s possible to set up firewall filters that conflict with IPSec policies and prevent network traffic from working the way you intend it to. With a single console for configuring both Windows Firewall and IPSec settings, there’s less chance for errors like this to occur, which is good since IPSec problems are notoriously difficult to troubleshoot.

Finally, the new console and command-line tools for managing Windows Firewall and IPSec settings are designed to make it a heck of a lot easier to configure IPSec policies in the first place.

The question is whether these enhancements on the client side will work with current Windows servers, or whether we’ll have to wait for Longhorn Server to see these benefits fully realized.

First, a Microsoft PressPass news release concerning the December 2005 Community Technology Preview (CTP) of Windows Vista says that the new integrated firewall/IPSec console “centralizes inbound and outbound traffic filtering along with IPSec server and domain isolation settings in the user interface.” And Vista is designed to help make domain isolation easier to implement–though Longhorn Server will probably be required for domain isolation to be truly simple to configure.

And second, Vista supports Network Access Protection (NAP), a new security technology that extends the Network Access Quarantine Control feature of Windows Server 2003 to help protect Active Directory-based networks from infected, misconfigured, or otherwise unhealthy client computers. Vista will change some of that, and Longhorn Server will bring this elusive goal even closer.

Meanwhile, the enhancements to TCP/IP and the IPSec management improvements found in Vista will make IPSec easier to use in the enterprise and likely lead to more organizations adopting it as an inside network protection technology.

http://www.windowsdevcenter.com/pub/a/windows/2006/01/17/an-inside-look-at-ipsec-in-vista.html

By watching a computer’s main memory, the System Integrity Services can detect when an attacker takes control of the system.such attacks sever the ties between data loaded into memory by an application and the application itself.and can fool a system so as to avoid detection while potentially allowing for surreptitious pilfering of data or the perpetration of other attacks.

“Our threat model assumes that the attacker gets on the system somehow and has unrestricted access to the system,” said Travis Schluessler, a security architect inside Intel’s Communications Technology Lab.

If it were to be put into a product platform, Intel’s System Integrity Services could be used in conjunction with other elements, including the Intel Active Management Technology for monitoring hardware, and could also be used in concert with other research projects such as Circuit Breaker.

Such a combination might help quickly head off widespread infections, which can cost companies not only in data theft by also in reduced employee productivity due to computer downtime and heavy use of IT resources to clean them up, the Intel researcher said.

Indeed, in one example, “Once System Integrity Services has detected a problem, it can tell Circuit Breaker to turn [a machine] off the primary network and switch it over to a remediation network,” he said.

That focus has been brought about by the chip maker’s recent shift to designing platforms around devices such as servers or desktop PCs. Unlike when it sold chips individually, the platform design strategy has Intel creating numerous add-ons, which include features such as virtualization and the Intel Active Management Technology, which are designed to increase the usability and manageability of desktops, notebooks and servers.

Many of Intel’s more advanced worm and virus detection technology are still at the research stage today.some of Intel’s other projects include worm signature detectors called autograph and polygraph.but it could easily wind up as features inside Intel’s future product platforms. Now we’re looking at this even more from a platform level on how we can bring these things together to drive new value to customers.”

The lab is also working on a projects called Autograph and Polygraph projects, which are designed to help prevent large-scale worm infections altogether by analyzing individual worms and quickly publishing data on how to detect them. Autograph and Polygraph employ a combination of heuristics and good old sleuthing to track down worms and locate their signatures.or the unique pattern of data required for its particular exploit.and then notify other systems with those signatures so that they can move to identify and block the worm, said Brad Karp, at Intel Research Pittsburg, a lab located on the campus of Carnegie Mellon University.

http://www.eweek.com/article2/0,1895,1900533,00.asp

According to Bob Muglia, high ranked in Windows server group, Microsoft had put in place a ‘patch guard’ on the Windows kernel, which would make it impossible to append code to the core of the OS while it was running.

Such a design would stop software such as rootkits from hitching into kernel software processes as a means to make themselves appear legitimate.

Microsoft’s 64-bit Longhorn Server is expected to ship in 2007, with the 64-bit only Release 2 two years later.

http://www.xatrix.org/article4189.html

Sentinel Mainframe Connect captures security and compliance events directly from mainframe computers and, used with Sentinel 5, correlates the information with other IT security and compliance events across the organization to provide an enterprise-wide view of critical compliance data.

“With the government’s and the industry’s focus on data protection, organizations must be able to monitor and protect these assets and provide proof of compliance with regulatory requirements.

http://www.securitypipeline.com/news/174300509

The X505 isn’t competitive in the small- business space, but it is a solid midmarket offering that will compete with SonicWall and Cisco Systems in the unified threat management market, said Bob Kerr, executive vice president and CTO of NetSpec, a Newport Beach, Calif., solution provider.

Up to this point, TippingPoint has been a best-of-breed niche player, Kerr said. Broadening awareness of TippingPoint and its products will be good for NetSpec’s business, even if it means competition from more VARs sourcing the product through distribution, Kerr said.

http://www.securitypipeline.com/news/173602394