Every day, millions of vulnerability-assessment scans are conducted. Some are complex, targeted probes by professional attackers. Most are new vulnerabilities made public in late-night underground chat rooms, then lobbed hither and yon by script kiddies hoping to strike gold. Your server could be 0wn3d before you finish your morning McMuffin.
We presented a simple premise to several host intrusion prevention (HIP) product vendors: "We have these servers that may or may not be vulnerable. Make sure they aren't." And we set two key requirements for the products we would test: First, they cannot rely solely on signature scans because signatures are reactive, not proactive. Second, the software must work with any application--from file servers to custom in-house services to Discount Bob's Big Webman Web server--because a server rarely runs only one process.
In addition, we wanted to be able to develop policies ourselves. All the vendors we invited to participate in our tests offer professional services or training sessions, directly or with partners, but we figured a reasonably smart security admin should be able to build basic policies without help. We also wanted the products to support centralized management for setting policies, reporting and alerting. To help us set up each system, we invited the vendors to our Syracuse University RealWorld Labs for a walk-through, but continued testing well after they left.
Cisco Systems sent us its Cisco Security Agent (CSA); you may know it as the Okena StormWatch, which won our previous HIP review. Cisco acquired Okena last year. Platform Logic, Sana Security and Computer Associates also accepted our invitation, sending us AppFire Suite, Primary Response 2.1 and eTrust Access Control 5.2, respectively.
No-shows included Sygate, which cited its partnership with Sana; Argus Systems Group, which said it "wasn't a good time" (possibly because it's in bankruptcy; see www.news-gazette.com/story.cfm?Number=14257); and Zone Labs, which said its product is focused on clients, not servers. Network Associates, whose product makes greater use of signatures to prevent attacks, also declined. Harris and WatchGuard Technologies did not respond to our invitation.