Internet Security Systems is readying technology it says could benefit companies fed up with current patch management techniques.
More precisely, ISS will enable its vulnerability-assessment scanner to gang up with its network- and host-based intrusion-detection systems (IDS) to stop newly discovered attacks or worms that could damage unprotected servers or desktops on enterprise networks.
ISS CTO Chris Klaus calls the idea "virtual patching" because it could eliminate the need to immediately apply server or desktop software patches, which are often required to combat new attacks that exploit software holes. Instead of having to rush to patch the application or operating system software to stop a fast-moving worm from taking over vulnerable systems, ISS would be able to have its IDS ready to take certain steps to stop specific attacks aimed at the target machine.
"Patching is unattainable. There's no Fortune 1000 company doing it across all its systems," contends Klaus, who points out that sometimes vendors stop supplying patches for their legacy products. "For instance, Microsoft is no longer supporting patching for Windows NT."
Next month ISS will add the virtual patching capability to its vulnerability-assessment tool, Internet Scanner 7.0, which runs on Windows 2000.
Continuously updated with new attack information as it becomes known, Internet Scanner will examine Web servers, firewalls, operating systems, routers, switches, mails servers and other applications to determine where a variety of weaknesses reside. The product also will perform network discovery to locate network resources.
Internet Scanner will no longer simply be a stand-alone tool, but will be able to take commands from the ISS management console, SiteProtector. Companies could then perform a scan when a new vulnerability or threat was identified, to see which machines could be hit. Then, based on the network manager's decision, SiteProtector would be able to instruct the ISS network-based sensor, RealSecure Network 7.0, or the host-based IDS, RealSecure Server 7.0 and RealSecure Desktop 7.0, to take certain steps. The host-based IDS could block access, based on a specific check or signature.
Since traditional "passive" IDS products aren't in-line devices that can block large traffic streams, RealSecure Network 7.0 would be limited to instructing the firewall to block the attack through a process called shunning, or alternatively, terminating a session with TCP re-sets.
The ISS in-line prevention product, Guard, also will support the virtual patching process, as will the upcoming line of Proventia intrusion-prevention system appliances ISS plans for the third quarter.
The virtual patching capability is coordinated with the debut next month of what ISS has dubbed The X-Force Catastrophic Risk Index that the company will issue periodically as a guide to the worst security threats and risks.
While the virtual patching capability is still in testing mode, and it's not clear how well the idea will work in practice, there's little doubt that network managers are fed up with patching.
"We have to apply patches nearly every day," says Bill Arnold, information technology manager at Purdue Employees Federal Credit Union.