Security solutions compete

The ever-changing security strategies of enterprises

Aside from a flurry of beta releases, security updates, and the usual E.U. he said/she said dance, it's been a pretty quiet week in Redmond. In case you're wondering which betas to watch for (past, present, and near-immediate future), the list includes Vista RC2, Exchange Server 2007 Beta 2 Help, Virtual PC 2007 Beta 1, and PowerShell RC2. All that and the happy announcement that Microsoft will soon be ending support for Windows XP Service Pack 1. (Is it my imagination or was that awfully quick?)

So while you're waiting for the beta bounty or the desktop support complaints, what to do? With all the recent press about new zero-day attacks and software vulnerabilities, we decided to take a look at our overall security strategy. Right now, it's fairly basic. Our smaller businesses tend to rely on a perimeter firewall (or two for that all-important DMZ), desktop firewalls, and corporate-level anti-virus and spyware detection. Midsize customers usually get some kind of network intrusion monitoring thrown in, although the vendors in that space are really varied, even among just our customer portfolios.

Enterprises are the real squirrels. Security tools are constantly changing with those guys, and the two new hot buttons are end-point security and HIPS (host intrusion prevention systems) -- next to the never-ending challenge to make security compliance reporting effortless, of course. My smaller customers can't get on these wagons right now because neither technology is really all here yet, and I don't like customers that size experimenting with security. Our enterprise customers are more adventurous, but so far, only host intrusion is showing enough progress that we might start recommending it as early as next year for full implementations.

End-point security is characterized by systems such as Cisco's NAC (Network Access Control) or Microsoft's NAP (Network Access Protection) platforms. Basically, it defines a certain security state that clients must adhere to or they're quarantined off the network. Vendors have been trying to get some kind of standard going in this department, but so far that's vapor. There are third-party vendors, such as Altiris, who have complete end-point scanners embedded in their systems, but unless you're already using one to perform desktop or systems management, I can't see tying yourself to a third-party vendor simply for end-point perimeter muscle. Better to wait until the big platform boys get their acts together, and then take stock. Might happen next year; might not.

HIPS is a better bet -- and in some ways is related to NAC/NAP. This technology is pretty new, but there are bigger vendors working on it. McAfee has had a system for a while, called (imaginatively) Host Intrusion Prevention. ISS has one, called Proventia, and Symantec also has one called Critical System Protection. And, yes, there are more. Microsoft is undoubtedly working on its own in some Redmond tech dungeon, but right now, it's a third-party game.

The technology aims to combine AV, malware, and network intrusion detection into an intelligent overall security umbrella that covers your entire desktop -- and sometimes server -- landscape. The only problem with HIPS is the same problem you encounter with any "umbrella" technology: When the term becomes a buzzword, everyone scurries to get under and out of the rain -- no matter what they do.

For example, some vendors are trying to call their wares HIPS with single-application support -- a specific database, for example. That doesn't do it for me. HIPS needs to be broad. To keep me dry, the HIPS umbrella needs to be as diverse as possible, from desktop to network. That includes network-level scanning: port scanning and traffic scanning, preferably. The anti-virus/malware deal is a given, but how deeply -- and for which attacks -- is still evolving. Again, for me, that needs to be as deep as possible.

Perhaps most important for systems administrators is how much impact HIPS will have on network and network application performance. Scanning of any kind takes overhead, and something as broad and smart as a HIPS platform is going to be making some CPUs smoke somewhere. So the big question is, Where are those CPUs, and exactly how much smoke are we talking about?

As long as it's not coming out of my users' ears, I'm happy, but somebody needs to show me that in real life. Right now, that question is still up in the air, and as far as I'm concerned, that puts HIPS up in the air -- at least for production-level deployment.

Oliver Rist

InfoWorld