Host Intrusion Prevention Software: Page 2 of 17

If you're a member of the "better safe than sorry" camp, you'll probably want to disable the agent and network connection, install the patch or software, and then re-enable the agent. Note that though our upgrade didn't require modifying the policies for IIS to continue working (except for Sana, which required a re-adaptation), it is possible for a patch to require modifying the policy. If a patch changes the naming convention of log files, for example, your policies may need tweaking.

What We Still Want

As we said in "Last Line of Defense," implementing HIP is a pain in the rear. That's largely intentional--enacting fine control over your system, down to which registry keys and directories a process can read or write, rightfully requires hands-on attention. The Platform Logic and Cisco products both include profiling capabilities that let us specify a process or processes to watch on a server, generating a profile of the application. These profiles included accessed directories, file access, registry entries and other access-control options. We then could edit the profile manually and import it into our rule set.

Sana's product automatically profiled our servers to determine their normal behavior, but we couldn't easily modify or even see the profile. CA doesn't offer an application profiler; rather, it simply plopped us in front of a blank screen to have fun for a few hours.

Profiling applications was a bit tricky. We profiled Notepad, a simple application by any standard, to illustrate this point. There were several dozen registry reads and file read requests. We created a text file and saved it to the desktop. The Cisco, Sana and Platform Logic profilers interpreted this action as, "Give Notepad.exe read and write access to any .txt file on the desktop," and nowhere else. These three products all attempt some wildcarding in their profilers. In the Notepad example, Cisco's CSA gave access to any text file on the desktop for any user. Sana's product could infer whether a program should have write access to a directory and allow it.
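To make the profiling step concrete, here is an added Python sketch (not code from the article or from any of the reviewed products) that models a profiler turning observed file accesses into exact and wildcarded rules, and shows how each round of generalization widens what the rule set allows; the process, paths and events are constructed.

```python
"""Toy model of a HIPS profiler: observed accesses -> rules -> policy check."""
import fnmatch
import ntpath  # handles Windows-style paths on any platform

# Constructed observations, as a profiler might record them while
# watching notepad.exe save one file on a user's desktop.
OBSERVED = [
    ("read", r"C:\Users\alice\Desktop\notes.txt"),
    ("write", r"C:\Users\alice\Desktop\notes.txt"),
    ("read", r"C:\Windows\Fonts\consola.ttf"),
]

def exact_rules(events):
    """Strict least privilege: one rule per observed (operation, path)."""
    return sorted(set(events))

def wildcard_rules(events, per_user=True):
    """Generalize the way the reviewed profilers do: accesses in the same
    directory with the same extension collapse into one '*.ext' rule.
    With per_user=False the user segment of the path is wildcarded too,
    giving the 'any text file on the desktop for any user' rule."""
    rules = set()
    for op, path in events:
        directory, name = ntpath.split(path)
        _, ext = ntpath.splitext(name)
        if not per_user:
            parts = directory.split("\\")
            if len(parts) > 2 and parts[1].lower() == "users":
                parts[2] = "*"          # C:\Users\alice -> C:\Users\*
                directory = "\\".join(parts)
        rules.add((op, ntpath.join(directory, "*" + ext)))
    return sorted(rules)

def is_allowed(rules, op, path):
    """Evaluate one access against a rule set; Windows paths are
    case-insensitive, so compare lower-cased path and pattern."""
    return any(rop == op and fnmatch.fnmatchcase(path.lower(), pat.lower())
               for rop, pat in rules)

if __name__ == "__main__":
    for label, rules in (("exact", exact_rules(OBSERVED)),
                         ("per-user wildcard", wildcard_rules(OBSERVED)),
                         ("any-user wildcard", wildcard_rules(OBSERVED, False))):
        print(label, rules,
              is_allowed(rules, "write", r"C:\Users\bob\Desktop\secret.txt"))
```

Each broader rule set still contains everything the profiler saw, so the useful review question is what else it now permits, such as a write to a different user's desktop.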