Information Security News mailing list archives

ISS hatches 'virtual patching' plan


From: InfoSec News <isn () c4i org>
Date: Tue, 27 May 2003 02:03:48 -0500 (CDT)

http://www.nwfusion.com/news/2003/0526isspatch.html

By Ellen Messmer
Network World Fusion
05/26/03

Internet Security Systems is readying technology it says could benefit 
companies fed up with current patch management techniques. 

More precisely, ISS will enable its vulnerability-assessment scanner 
to gang up with its network- and host-based intrusion-detection 
systems (IDS) to stop newly discovered attacks or worms that could 
damage unprotected servers or desktops on enterprise networks. 

ISS CTO Chris Klaus calls the idea "virtual patching" because it could 
eliminate the need to immediately apply server or desktop software 
patches, which are often required to combat new attacks that exploit 
software holes. Instead of having to rush to patch the application or 
operating system software to stop a fast-moving worm from taking over 
vulnerable systems, ISS would be able to have its IDS ready to take 
certain steps to stop specific attacks aimed at the target machine. 

"Patching is unattainable. There's no Fortune 1000 company doing it 
across all its systems," contends Klaus, who points out that sometimes 
vendors stop supplying patches for their legacy products. "For 
instance, Microsoft is no longer supporting patching for Windows NT." 

Next month ISS will add the virtual patching capability to its 
vulnerability-assessment tool, Internet Scanner 7.0, which runs on 
Windows 2000. 

Continuously updated with new attack information as it becomes known, 
Internet Scanner will examine Web servers, firewalls, operating 
systems, routers, switches, mail servers and other applications to 
determine where a variety of weaknesses reside. The product also will 
perform network discovery to locate network resources. 

Internet Scanner will no longer simply be a stand-alone tool, but will 
be able to take commands from the ISS management console, 
SiteProtector. Companies could then perform a scan when a new 
vulnerability or threat was identified, to see which machines could be 
hit. Then, based on the network manager's decision, SiteProtector 
would be able to instruct the ISS network-based sensor, RealSecure 
Network 7.0, or the host-based IDS, RealSecure Server 7.0 and 
RealSecure Desktop 7.0, to take certain steps. The host-based IDS 
could block access, based on a specific check or signature. 

Since traditional "passive" IDS products aren't in-line devices that 
can drop traffic, RealSecure Network 7.0 would be limited to 
instructing the firewall to block the attacker's traffic through a 
process called shunning, or alternatively, terminating the offending 
session by injecting TCP resets. 

The ISS in-line prevention product, Guard, also will support the 
virtual patching process, as will the upcoming line of Proventia 
intrusion-prevention system appliances ISS plans for the third 
quarter. 

The virtual patching capability is coordinated with the debut next 
month of what ISS has dubbed The X-Force Catastrophic Risk Index that 
the company will issue periodically as a guide to the worst security 
threats and risks. 

While the virtual patching capability is still in testing mode, and 
it's not clear how well the idea will work in practice, there's little 
doubt that network managers are fed up with patching. 

"We have to apply patches nearly every day," says Bill Arnold, 
information technology manager at Purdue Employees Federal Credit 
Union in West Lafayette, Ind.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
