Network Computing is part of the Informa Tech Division of Informa PLC

Host Intrusion Prevention Software: Page 3 of 17

Remember, too, that log files must be rotated occasionally. If your policy is too restrictive, or the profiler doesn't detect log rotation, you may find that logfile.txt is permitted but logfile2.txt is denied. We easily created a policy in Cisco and Platform Logic that allowed write access to logfile.txt only. When IIS tried to cycle the log, it got a violation and couldn't cycle. The solution was to allow read/write to logfile*.txt. Cisco's profiler was relatively easy to modify, thanks to its extensive use of macros and file sets. Platform Logic's AppFire profiler wasn't as clear-cut because it generated a ton of rules.
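To make the rotation pitfall concrete, here is an added example (not code from the article or from any of the reviewed products): a toy default-deny file-access policy evaluator, with the too-restrictive rule beside the wildcard fix, run over a constructed trace of IIS log writes. The process name, paths and rule format are assumptions.

```python
# Added example: toy HIP-style file-access policy, default deny.
# Rule format (assumed): (process, path pattern, set of access modes).
from fnmatch import fnmatchcase


def _norm(path):
    # Normalise Windows paths so patterns are separator- and case-agnostic.
    return path.replace("\\", "/").lower()


def evaluate(policy, process, path, access):
    """Return 'allow' if any rule permits (process, path, access); else 'deny'."""
    for rule_proc, pattern, modes in policy:
        if (rule_proc == process and access in modes
                and fnmatchcase(_norm(path), _norm(pattern))):
            return "allow"
    return "deny"


def run_events(policy, events):
    """Evaluate each event; return the (path, access) pairs that were denied."""
    return [(path, access) for process, path, access in events
            if evaluate(policy, process, path, access) == "deny"]


# Constructed trace: IIS writes its current log, rotates to a new file name,
# and a (hypothetical) misbehaving worker tries to modify the web root.
EVENTS = [
    ("inetinfo.exe", r"C:\logs\logfile.txt", "write"),
    ("inetinfo.exe", r"C:\logs\logfile2.txt", "write"),  # rotation target
    ("inetinfo.exe", r"C:\inetpub\wwwroot\default.htm", "write"),
]

# Too restrictive: exact file name only, so the rotated log is blocked.
STRICT_POLICY = [("inetinfo.exe", r"C:\logs\logfile.txt", {"read", "write"})]
# Corrected: wildcard over the log family; still nothing outside C:\logs.
FIXED_POLICY = [("inetinfo.exe", r"C:\logs\logfile*.txt", {"read", "write"})]

if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "policy denied:", run_events(policy, EVENTS))
```

Note that fnmatch's `*` also crosses directory separators, so a real engine should match path components individually to keep `logfile*.txt` from reaching into a subdirectory that happens to start with `logfile`.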

We'd like to see finer control of role-based administration across a group of machines. For example, we wanted to create a group of servers and assign an administrator to modify only that group. CA's product allowed this, as did Sana's, but Cisco's CSA and Platform Logic's AppFire didn't offer that much granularity.

We also wanted better reporting capabilities. Sana offered the most useful reporting information, but no vendors made it crystal clear what went wrong or which rule was violated. Platform Logic's product was especially poor in this regard, displaying only a long list of violations.


HIP Software Features (comparison table)


In the final analysis, though the products from Cisco and Platform Logic are nearly identical in features and operation, Cisco won our Editor's Choice award, because CSA had some of the best canned policies, centralized management features and reporting of the group.

Pricing is quite complex, with management stations, a variety of agents, and support and services all thrown into the mix. To get a ballpark estimate of your cost, see "HIP Software Features" for detailed pricing breakdowns and the cost of our scenario. Although these products seem expensive, they all, quite simply, worked. None of the attacks we threw at them caused a breach of information or elevated access rights. Of course, we did not do a full penetration test--such testing requires hundreds of work hours and thousands of dollars per product--so our results are not a 100 percent ironclad guarantee of security. But tossing Code Red at a vulnerable machine and ending up with an "attack failed" message instead of a command shell was quite a feat.

The biggest change since Cisco bought Okena is that the company has integrated the HIP product previously known as StormWatch into CiscoWorks. In fact, you must install a copy of CiscoWorks to manage CSA (fortunately, this doesn't add to the price). Aside from a bunch of reboots to install the bloody thing, the bulk of CiscoWorks can be ignored if you don't want to use it.