Wednesday, March 21, 2007

Application and Host IDS Tools

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Extend your MSCS cluster offsite

http://list.windowsitpro.com/t?ctl=4ECE1:4160B336D0B60CB1CF725118BDB2DE78

Free White Paper: Address the Insider Threat

http://list.windowsitpro.com/t?ctl=4ECF4:4160B336D0B60CB1CF725118BDB2DE78

Automatically fix links when you move files!

http://list.windowsitpro.com/t?ctl=4ECF0:4160B336D0B60CB1CF725118BDB2DE78


=== CONTENTS ===================================================

IN FOCUS: Application and Host IDS Tools

NEWS AND FEATURES
- Windows 2003 SP2 Ready for Download
- EldoS Provides Raw Disk Access for Vista and XP
- New Coating System Contains Wireless Signals
- Recent Security Vulnerabilities

GIVE AND TAKE
- Security Matters Blog: Helios Lite--Rootkit Detector
- FAQ: Vista BitLocker Safety
- From the Forum: "Audit Privilege Use" Events
- Tell Us About the Products You Love!
- Share Your Security Tips

PRODUCTS
- Encrypt Sensitive Files Before They Leave the Office

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: CA XOsoft =========================================

Extend your MSCS cluster offsite
MSCS clustering can be a good option for local high availability -
but it doesn't provide complete protection from unplanned downtime.
Download this free white paper and learn how extending your MSCS
cluster offsite with a high availability solution with CDP technology
can protect from data corruption, including damage done by viruses or
human error.

http://list.windowsitpro.com/t?ctl=4ECE1:4160B336D0B60CB1CF725118BDB2DE78


=== IN FOCUS: Application and Host IDS Tools ===================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Many of you probably have some sort of intrusion detection system (IDS)
in use on your network. Most tools of this sort operate either at the
network border to monitor incoming traffic or on the internal network
to monitor internal traffic.

Recently I learned about two IDS tools that are a little bit different
from a typical IDS. One runs inside an application, and the other is a
host IDS that runs on servers or workstations.

The first tool is called Firekeeper. It's an extension for Firefox that
works similarly to Snort in that it uses a configurable set of rules to
detect suspicious activity. Firekeeper is a relatively new tool and
doesn't have the huge set of rules available that Snort does.
Nevertheless, the base set of rules is a good starting point, and you
can write your own rules with relative ease, especially if you're
familiar with Snort.

Because Firekeeper runs inside Firefox, naturally it's meant to detect
intrusion attempts that originate from Web content. The base set of
rules detects suspicious JavaScript activity; abnormal behavior of
Real Networks' RealPlayer, Microsoft Windows Media Player, and
Nullsoft's Winamp controls; attempts to reach email clients via file
extension types; and more. Another benefit is that Firekeeper can
inspect Secure Sockets Layer (SSL) traffic after the browser has
decrypted it, which a border IDS that sees only the encrypted stream
cannot do.

Overall, Firekeeper is a pretty good idea. If I understand correctly,
the project was started by Jan Wrobel as part of Google's Summer of
Code 2006. Since that time, it's come along nicely. You can check it
out at the mozdev.org Web site (click the link below), where a link to
a mailing list is also available.

http://list.windowsitpro.com/t?ctl=4ECF8:4160B336D0B60CB1CF725118BDB2DE78

The second tool I learned about is OSSEC Host IDS (HIDS). OSSEC HIDS
has two basic parts: a central server and the host monitors (agents).
The central server collects information from the agents, and the
agents perform a variety of tasks: they can detect known rootkits and
maintain file system integrity by keeping tabs on important system
files.

Another useful aspect is that OSSEC HIDS can monitor a variety of
different logs, such as those generated by Apache, Squid, Snort, nmap,
Windows, Microsoft IIS, Cisco VPN concentrators, and Cisco PIX
firewalls. As you might expect, it can also deliver alerts to
administrators via email messages or log entries, and it can actively
respond to detected events based on your configuration settings.
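As an added illustration (not from the newsletter and not the OSSEC
project's own sample configuration), here is a minimal ossec.conf
fragment for the OSSEC server that wires together the features just
described: file integrity checking, rootkit detection, log collection,
email alerts, and an active response. The email addresses, SMTP host,
and log paths are assumed placeholders; adjust them to your hosts.

```xml
<ossec_config>
  <!-- Alerting: mail every alert at or above the configured level. The
       addresses and SMTP host are placeholders, not from the newsletter. -->
  <global>
    <email_notification>yes</email_notification>
    <email_to>security-team@example.com</email_to>
    <smtp_server>smtp.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
  </global>
  <!-- File integrity checking: hash the listed directories every six hours
       (21600 seconds) and alert on any change; /etc/mtab changes constantly. -->
  <syscheck>
    <frequency>21600</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
  <!-- Rootkit detection against the signature lists shipped with OSSEC. -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>
  <!-- Log collection: one localfile block per log file to watch. The
       paths assume a Debian-style layout and are not from the newsletter. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <!-- Active response: the firewall-drop script blocks the source address
       of any alert of level 6 or higher for 600 seconds, on the agent that
       raised the alert. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The syscheck and localfile sections also apply on each agent's own
ossec.conf, since the agent decides what it watches locally.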

I installed OSSEC HIDS on a few systems and found that it's very easy
to configure. Setting up the main server took about 20 minutes
including reading the manual as I went along. Setting up the tool on
the hosts was easier, but it did take a bit longer because the host
settings vary depending on what's being monitored on the hosts.

OSSEC HIDS is an open source tool and has been tested on OpenBSD,
FreeBSD, Mac OS X, Slackware Linux, Debian GNU/Linux, SUSE Linux,
Ubuntu, Red Hat Enterprise Linux, Fedora Core, Solaris, and AIX, as
well as Windows XP and Windows 2000. You can check it out at the OSSEC
Web site, where you'll find the manual along with other resources such
as a wiki and an associated mailing list.

http://list.windowsitpro.com/t?ctl=4ECFB:4160B336D0B60CB1CF725118BDB2DE78

===

Do you work in a mixed environment? Visit TechX World (first URL below)
for information about Windows interoperability. The TechX World
community gives you access to interoperability articles that aren't
available anywhere else; news, tips, and tricks from interop experts
and other users; and forums and blog posts by other community members.
Join the TechX World community and sign up for the TechX
Interoperability UPDATE email newsletter (second URL below):

http://list.windowsitpro.com/t?ctl=4ECFA:4160B336D0B60CB1CF725118BDB2DE78

http://list.windowsitpro.com/t?ctl=4ECF5:4160B336D0B60CB1CF725118BDB2DE78


=== SPONSOR: NetIQ =============================================

Free White Paper: Address the Insider Threat
Learn how to develop a comprehensive management system that
virtually eliminates the risk of an insider threat. Co-authored by
NetIQ and Dr. Eric Cole, this informative white paper identifies the
key business processes that must be secured and ready to build a
solution to contain the insider threat.

http://list.windowsitpro.com/t?ctl=4ECF4:4160B336D0B60CB1CF725118BDB2DE78


=== SECURITY NEWS AND FEATURES =================================

Windows 2003 SP2 Ready for Download
Windows Server 2003 Service Pack 2 adds new features and tools,
including WPA2 and improvements to IPsec. Be absolutely certain that
you review the installation requirements and instructions.

http://list.windowsitpro.com/t?ctl=4ECEA:4160B336D0B60CB1CF725118BDB2DE78

EldoS Provides Raw Disk Access for Vista and XP
Security component maker EldoS announced the availability of
RawDisk, a raw disk access driver for Windows Vista and Windows XP
systems. Fortunately, the company won't make the product publicly
available.

http://list.windowsitpro.com/t?ctl=4ECE9:4160B336D0B60CB1CF725118BDB2DE78

New Coating System Contains Wireless Signals
EM-SEC Technologies announced the successful testing of its new
liquid coating product designed to contain Wi-Fi signals. The EM-SEC
Coating System also prevents leakage of signals from several other
types of electronic devices.

http://list.windowsitpro.com/t?ctl=4ECED:4160B336D0B60CB1CF725118BDB2DE78

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at

http://list.windowsitpro.com/t?ctl=4ECE4:4160B336D0B60CB1CF725118BDB2DE78


=== SPONSOR: LinkTek ===========================================

Automatically fix links when you move files!
Patented LinkFixerPlus is the first application that automatically
fixes broken links in Excel, Word, Access, PowerPoint, Acrobat,
InDesign, PageMaker, AutoCAD and other files when performing data
migrations due to: server consolidations, server name changes, path
name changes or folder reorganizations! Detailed broken link reporting
too!
Download the FREE trial version NOW at

http://list.windowsitpro.com/t?ctl=4ECF0:4160B336D0B60CB1CF725118BDB2DE78


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Helios Lite--Rootkit Detector
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=4ECF2:4160B336D0B60CB1CF725118BDB2DE78

Can you ever have enough rootkit detectors? MIEL-Labs just released
Helios Lite. Read more about it and get a link to download a copy in
this blog article on our Web site!

http://list.windowsitpro.com/t?ctl=4ECEB:4160B336D0B60CB1CF725118BDB2DE78

FAQ: Vista BitLocker Safety
by John Savill, http://list.windowsitpro.com/t?ctl=4ECEF:4160B336D0B60CB1CF725118BDB2DE78


Q: Does Windows Vista BitLocker Drive Encryption have a security
vulnerability?

Find the answer at

http://list.windowsitpro.com/t?ctl=4ECEC:4160B336D0B60CB1CF725118BDB2DE78

FROM THE FORUM: "Audit Privilege Use" Events
A forum participant wonders what events will be created if he selects
Audit Privilege Use--Failures in the audit policy. All he can find are the
three IDs that appear for successes: 576, 578, and 579. He's trying to
determine if it's worth having the failures on in the audit policy. To join the
discussion, go to

http://list.windowsitpro.com/t?ctl=4ECDF:4160B336D0B60CB1CF725118BDB2DE78

TELL US ABOUT THE PRODUCTS YOU LOVE!
What products are you using that save you time or make your workload
a little lighter? What hot product discoveries have you made that other
IT pros need to know about? Let the world know about your experiences
in Windows IT Pro's monthly What's Hot department. If we publish your
story in What's Hot, we'll send you a Best Buy gift card! Send
information about your favorite product and how it has helped you to
whatshot@windowsitpro.com.

SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
by Renee Munshi, products@windowsitpro.com

Encrypt Sensitive Files Before They Leave the Office
Spotted Dingo announced GuardTheft, an Internet software application
that lets users encrypt sensitive documents before taking them out of
the office on removable media or before storing them on a server for
transmission. Users can then use GuardTheft's Internet "black box" to
decrypt the files when the users get to their destination and want to
work with the files. GuardTheft can encrypt AutoCAD, ArcInfo, DNG, JPG,
GIF, BMP, TIFF, MDI, PDF, DOC, TXT, PPT, and XLS files. The software
uses the RC2 (128-bit) encryption algorithm and lets users make their
key set unique by modifying the key set's 16 keys. A one-week free
trial of GuardTheft is available. For more information, go to

http://list.windowsitpro.com/t?ctl=4ECF9:4160B336D0B60CB1CF725118BDB2DE78

=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit

http://list.windowsitpro.com/t?ctl=4ECEE:4160B336D0B60CB1CF725118BDB2DE78

Deploy Exchange Server 2007 Without a Hitch!
This one-day technical training event teaches you how to preempt
pitfalls and avoid corrupting your infrastructure. Learn how to
effectively install, manage, and secure Exchange Server 2007 in a
64-bit environment. You'll also get a peek into the integration of
Outlook, SharePoint Server 2007, and Exchange Server 2007. Register
today!

http://list.windowsitpro.com/t?ctl=4ECE3:4160B336D0B60CB1CF725118BDB2DE78

Get Ready for the Windows Server Longhorn Roadshow!
Seize control of your Windows infrastructure with Microsoft's
biggest server release since Windows 2003. Get a live, under-the-hood
look at Longhorn virtualization, deployment, Web services, and
breakthroughs in core reliability. This one-day event is filled with
demonstrations and in-depth discussions designed for IT pros who want a
deep understanding of Windows Server Longhorn.

http://list.windowsitpro.com/t?ctl=4ECE7:4160B336D0B60CB1CF725118BDB2DE78

SQL Server Reporting Services is an exciting way for organizations to
gain access and insight into their important business data. Get an
overview of how to increase your production server's performance by
offloading Reporting Services to a secondary server. Download your free
copy today!

http://list.windowsitpro.com/t?ctl=4ECE2:4160B336D0B60CB1CF725118BDB2DE78


=== FEATURED WHITE PAPER =======================================

Learn the 7 critical email problems to watch for and how to prevent
them. Find out how to better manage your email environment, including
disaster recovery, compliance, data storage, security, and wireless
devices. Download this free white paper today.

http://list.windowsitpro.com/t?ctl=4ECE0:4160B336D0B60CB1CF725118BDB2DE78


=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!

http://list.windowsitpro.com/t?ctl=4ECE5:4160B336D0B60CB1CF725118BDB2DE78

Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is
your chance to get the recognition you deserve! Winners will receive
over $600 in IT resources and be featured in Windows IT Pro. It's easy
to enter--we're accepting May nominations now, but only for a limited
time! Submit your nomination today:

http://list.windowsitpro.com/t?ctl=4ECF3:4160B336D0B60CB1CF725118BDB2DE78


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://list.windowsitpro.com/t?ctl=4ECF1:4160B336D0B60CB1CF725118BDB2DE78

http://list.windowsitpro.com/t?ctl=4ECF7:4160B336D0B60CB1CF725118BDB2DE78

Subscribe to Security UPDATE at

http://list.windowsitpro.com/t?ctl=4ECE8:4160B336D0B60CB1CF725118BDB2DE78

Unsubscribe by clicking

http://list.windowsitpro.com/u?id=4160B336D0B60CB1CF725118BDB2DE78

Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
About Security UPDATE content -- letters@windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=4ECF6:4160B336D0B60CB1CF725118BDB2DE78

About your product news -- products@windowsitpro.com
About your subscription -- windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://list.windowsitpro.com/t?ctl=4ECE6:4160B336D0B60CB1CF725118BDB2DE78

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
