CyberSecurity Institute

Its browser-based LiquidCredit Bank2Business, for example, is a hosted service for small business loans used by over 150 U.S. banks. About two years ago, “we first went out and looked into the market for a reverse proxy solution,” says Eric Beasley, Baker Hill’s senior network administrator. The company has a three-tiered architecture, all based on Microsoft products.

“We have Microsoft IIS for our Web component, of course our middle tier uses COM/DCOM objects, and our third tier is Microsoft SQL Server 2000.” “Because of [our] reliance on Microsoft, we had some of the larger clients that we were pursuing at the time balk,” Beasley says. “They did not feel comfortable with a purely Microsoft environment, and especially two years ago, when there were so many reported Microsoft IIS vulnerabilities.”

Beasley began investigating ways of making these potential customers happy. “Some of these clients even went to the extreme of saying we will not do business with you unless you put something out in front of this environment to mitigate the fact that it’s all Microsoft.” While the approach “did a good job of getting in between our client and the Web servers,” he says, it didn’t guard against “SQL injection, forceful browsing, and the like.”

So Baker Hill shifted its focus to Web-application firewalls, a relatively new class of products two years ago, now available from such manufacturers as Imperva, Kavado, Sanctum, and Teros (then known as Stratum8). Baker Hill created a test environment, tested products from Kavado, Sanctum, and Teros, and selected the Teros Gateway.

“The Web application firewall learns what is acceptable use of our Web application, and then by default, it will deny all traffic that does not meet the behaviors it’s learned.” Since this approach doesn’t rely on signatures, he says, it helps eliminate zero-day exploits, an especial concern in his Microsoft environment.

One benefit of this technology isn’t just to stop help block attacks, but to give IT more time to test patches before implementing them. In essence, the firewall acts as like a virtual patch.

Gartner estimates that 70 to 80 percent of all attacks today focus on the application layer; Web applications are at risk.

“Virtual patching is designed to address that window.”

Some firewalls, such as Kavado’s InterDo, can also integrate with Web application scanners—in this case, Kavado’s ScanDo—to build a profile of the application in the test or audit environment.

“From a patch standpoint, we no longer feel the need to deploy the Microsoft patches immediately after they’ve been released,” says Beasley. “The reason that I feel a lot more comfortable in not pursuing a strategy like that is there is no 100-percent guarantee that the patch is going to leave your application in a working state,” he says. Without a Web-application firewall, Beasley says he’d have to perfect some other plan for patching, one that takes into account the fact that some Microsoft patches—even if they don’t work—are not meant to be uninstalled. “Then you really have to look at what kind of strategy are you going to use to create some kind of snapshot or backup of that server prior to the patch being applied,” he says.

http://www.esj.com/news/article.aspx?EditorialsID=1273

The company is set to post for download the new “Release Candidate 2” (RC2) beta builds of SP1 and its x64 editions, company officials confirmed.

Some industry watchers have pegged April as the likely final delivery date, since that is when Microsoft will be holding its annual Windows Hardware Engineering (WinHEC) conference.

“The difference between RC1 and RC2 really is one of increased robustness as Microsoft prepares for the final RTM,” or release to manufacturing, a company spokeswoman said. “This change was made based on feedback that the link was difficult to find in RC1,” the spokeswoman added.

Microsoft is making the RC2 releases available to members of the Microsoft technical beta program. The company also is making the code for Windows XP Professional X64 edition available to some customer testers, via the company’s Customer Preview Program.

http://www.microsoft-watch.com/article2/0,1995,1762756,00.asp?kc=MWRSS02129TX1K0000535

The final version of Longhorn is slated for the second half of next year.

“There will be a beta 1 of Longhorn… happening in the first half of this year,” John Montgomery, a director in Microsoft’s developer division, said during an interview at VSLive, a conference devoted to the company’s Visual Studio .Net toolkit.

The release will be primarily aimed at developers, Montgomery said. “I do, however, expect that you will find IT departments starting to look at it, kick the tires, figure out what’s in it and what’s not in it.”

Beta 1 will be the first look at Longhorn in its current form. Microsoft released a developer preview version of Windows at the Professional Developers Conference in the fall of 2003 and updated that early code last spring. However, Longhorn has changed significantly since then, with Microsoft announcing changes in August affecting all three of the key pillars of Longhorn.

Two of the components — a presentation engine called Avalon and a Web services architecture called Indigo — are being pulled out of the next Windows release so they can be offered for both Longhorn and the current generation of Windows operating systems. The third major component, a reworking of the Windows file system known as WinFS, has been delayed past Longhorn’s release and is expected to be in beta testing when Longhorn ships. It is unclear when WinFS will be integrated into Windows itself.

Microsoft has not talked a great deal about what features will be part of the beta release. Montgomery said many of the updates have to do with improving the “operational characteristics” of the operating system — basically an effort to make Windows easier to manage and more reliable.

Among the changes will be a new model for drivers.

Another improvement will come in the way businesses are able to install Windows on large numbers of machines. Today, mass deployment is done through a process known as “ghosting” an image of the operating system. An improved method will come with Longhorn, Montgomery said.

http://news.zdnet.co.uk/software/windows/0,39020396,39187091,00.htm