Vendor Review: SecureWave Protects Microsoft Operating System Platforms
Featured Author - Laura Taylor
- March 2, 2002
The traditional approach to network intrusion management is to detect an intrusion, analyze it, and then work toward eradicating it. By buckling down your host security, securing the input/output devices, and intercepting Trojan executables, SecureWave can prevent intrusions from happening up front.
Founded by Marco Peretti in 1996, SecureWave has emerged as a viable contender in host, application, and network based intrusion prevention. Based in Luxembourg, with a staff of over 30 employees, SecureWave also has offices in France and the United Kingdom. SecureWave was originally founded as Digital Wave, S.A. with a mission to provide consulting services to financial institutions. Mr. Peretti found that securing mission critical systems, in particular systems running Microsoft operating systems, was an on-going request from customers. To meet customer requirements, Mr. Peretti, who has a background in software engineering, began coding programs to lock down host security. SecureWave's security solutions became so popular that security soon became the focus of their consulting operations. As an outgrowth of customer demand, SecureWave's custom security solutions evolved into a refined suite of host-based intrusion protection products.
Today, SecureWave has three security products: SecureEXE, SecureNT, and SecureStack. These products can be installed and used separately, or bundled together and used as a packaged security solution. The objective of SecureWave's security solutions is to increase the security of Microsoft operating systems and networks by adding advanced built-in mechanisms to manage user access controls that are currently lacking on Microsoft platforms. These products plug into the existing Microsoft operating systems, and offer security features and capabilities that are currently lacking in Windows NT, Windows 2000, and Windows XP.
SecureEXE is a second-generation intrusion prevention product. It uses the opposite strategy to that of anti-virus products. Instead of identifying intrusion types and writing signature solutions, SecureEXE locks down the system and allows only authorized applications to run. Before any type of application gets executed, SecureEXE compares a checksum of the executable with a known good checksum list. If the proposed execution is legitimate, the application is allowed to execute. If there is a mismatch in the checksum hash, then the application is not allowed to execute. Unlike other intrusion prevention systems, the logic is applied before the application is executed in memory.
By creating File Groups, assigning files to File Groups, and then granting users permission to File Groups, through SecureEXE you can control what executables each user is allowed to run. Through the use of File Groups, you can more easily manage software licenses, and ensure that only licensed users are able to run particular applications. When a user tries to run a program, SecureEXE uses SHA-1 to calculate a hash of the executable. It then checks this hash against the list of files the user is authorized to run. If the hash is on the authorization list, the program is allowed to run; otherwise it is blocked. The checking process happens seamlessly and virtually instantaneously. Since the hash checking mechanism is loaded on the client system, the system remains protected even if it is disconnected from the network.
SecureEXE can block unauthorized executables not just for particular users, but also on particular systems. Aside from making sure that licensed executables run only where they are supposed to run, this type of feature can be ideal in a software development environment when you want to make sure the developers are all using the same versions of software tools, patch levels, and libraries. Old versions of code can be restricted to the company QA team, and new development versions can be restricted to the engineering team.
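The hash-based allowlist described in the preceding three paragraphs can be modelled in a few dozen lines. The following Python is an added illustration, not SecureWave's code: the File Group, user grant and per-workstation grant structures, the decision order (hash known, user granted, workstation permitted), and the two fake executable images are all assumptions constructed for the example. It shows the property that matters for intrusion prevention: a binary whose contents change by a single byte no longer matches any approved SHA-1 digest, regardless of its file name, and is blocked before it runs.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Hypothetical allowlist policy modelled on the File Group idea."""
    # File Group name -> SHA-1 hex digests of the executables it contains
    file_groups: dict[str, set[str]] = field(default_factory=dict)
    # user name -> File Groups that user has been granted
    user_grants: dict[str, set[str]] = field(default_factory=dict)
    # workstation name -> File Groups permitted on that machine
    # (assumption: a workstation with no entry permits every group)
    workstation_grants: dict[str, set[str]] = field(default_factory=dict)


def sha1_of(data: bytes) -> str:
    """SHA-1 hex digest of an executable image; the file name plays no part."""
    return hashlib.sha1(data).hexdigest()


def add_executable(policy: Policy, group: str, data: bytes) -> str:
    """Register an executable's hash in a File Group and return the digest."""
    digest = sha1_of(data)
    policy.file_groups.setdefault(group, set()).add(digest)
    return digest


def decide(policy: Policy, user: str, workstation: str, data: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for this user running this image on this workstation."""
    digest = sha1_of(data)
    # Step 1: the hash must appear in at least one File Group
    groups = {g for g, hashes in policy.file_groups.items() if digest in hashes}
    if not groups:
        return False, f"deny: hash {digest[:12]} is not in any File Group"
    # Step 2: the user must hold at least one of those groups
    via_user = groups & policy.user_grants.get(user, set())
    if not via_user:
        return False, f"deny: user {user} is not granted {sorted(groups)}"
    # Step 3: the workstation, if restricted, must permit one of them too
    ws_groups = policy.workstation_grants.get(workstation)
    if ws_groups is not None and not (via_user & ws_groups):
        return False, f"deny: workstation {workstation} does not permit {sorted(via_user)}"
    return True, f"allow: via File Group {sorted(via_user)}"


# Constructed stand-ins for two versions of a build tool; real executables
# would be read from disk with open(path, "rb").read().
TOOL_V1 = b"MZ\x90\x00 constructed fake executable: buildtool 1.0"
TOOL_V2 = b"MZ\x90\x00 constructed fake executable: buildtool 2.0"


def build_demo_policy() -> Policy:
    """A small constructed policy: QA keeps the old tool, engineering the new one."""
    policy = Policy()
    add_executable(policy, "QA_TOOLS", TOOL_V1)
    add_executable(policy, "ENG_TOOLS", TOOL_V2)
    policy.user_grants["bob"] = {"QA_TOOLS"}       # QA engineer
    policy.user_grants["alice"] = {"ENG_TOOLS"}    # developer
    policy.workstation_grants["build01"] = {"ENG_TOOLS"}  # build server runs only the new tool
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    tampered = TOOL_V1 + b"\x90"  # one byte appended: same name on disk, different hash
    for user, ws, image, label in [
        ("bob", "qa-ws", TOOL_V1, "bob runs v1 on his QA box"),
        ("bob", "qa-ws", TOOL_V2, "bob tries the engineering build"),
        ("alice", "build01", TOOL_V2, "alice runs v2 on the build server"),
        ("bob", "build01", TOOL_V1, "bob runs v1 on the build server"),
        ("bob", "qa-ws", tampered, "bob runs a patched copy of v1"),
    ]:
        allowed, reason = decide(policy, user, ws, image)
        print(f"{label:40s} -> {reason}")
```

The decision function never looks at a path or file name, which is the point of hashing: renaming a blocked tool, or replacing an approved one in place with a modified copy, produces a digest that is not in any File Group. Because the policy lives on the client, the same check works with the network cable unplugged, as the article notes.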
SecureNT is a host lock-down program that significantly increases the level of security on NT systems by controlling, and auditing, how the input/output (I/O) devices are used. The I/O devices that can be locked and audited include the CD-ROM drive, the COM port, the LPT port, and the floppy drive. Once set up, it is possible to lock and unlock I/O devices from a central console.
From the central console, the security administrator can allow access to an I/O device by assigning the user to a group that has access privileges to the device, or by granting access to an I/O device that expires after a period of time. This means that the security of the I/O devices can be administered either by User, Group or by Workstation. SecureNT obtains the User and Workstation list from one of the Domain Controllers.
Using the I/O Tracing Driver feature, it is possible to track data written to an I/O device. Archive files contain logs of what files were copied to the various I/O devices on any given day. If you want to know whether a confidential file ever left your network or corporate premises, you can find out using SecureNT.
SecureStack detects buffer overflows as they try to execute, creating a barrier against the execution of buffer overflow exploits. When hackers inject arbitrary code into an application's assigned buffer space, they are able to cause unwanted execution within the exploited application. This phenomenon is sometimes known as "smashing the stack" (1). Typically, buffer overflow vulnerabilities are caused by sloppy coding practices in which no bounds checking is done on the length of input variables, arrays, and arguments.
A common network attack technique used by hackers is to inject Trojan executables into target networks that then send them information about the target network. Some of the programs hackers try to inject on target networks are password cracking utilities, and other programs that give them information about the users, network configuration, or registry settings. Using buffer overflow exploits, hackers can attach executables to unrelated streams of data in a section of memory called the stack. Aside from injecting rogue executables, hackers can also overwrite a saved return address through manipulation of the stack. By injecting rogue code into the stack, hackers can launch executables that create backdoors. The code is sent into the data-only area of the stack -- an area not normally reserved for executables. SecureStack works by preventing any code in the data-only sections of the stack from executing.
Product Strategy and Trajectory
SecureWave's strategy is to sell their products directly to customers who want to improve their information security posture. Based on Microsoft operating systems, they have positioned themselves to take advantage of a large percentage of the operating system market. According to Giga Information Group, Windows NT and Windows 2000 will continue to grow at rates that exceed the overall market rates, and will take some market share from existing installed midrange systems and new midrange sales, as well as Unix (2).
Figure 1. Corporate Information
- SecureEXE, SecureNT, SecureStack
- Security solutions for Microsoft operating systems
- Host and network intrusion prevention

(2) Server Operating System Trends, by Richard Fichera, Giga Information Group
Bundled together, SecureWave's product line can fortify Windows NT, Windows 2000, and Windows XP systems to a much higher degree than their out of the box installations. The flexibility of installing the products separately lets you combine them with security products from other vendors, if that is an approach that makes sense for your organization. SecureWave's products are based on protecting your systems up-front, instead of repairing them after security intrusions have already occurred.
SecureEXE has the ability to reduce the Total Cost of Ownership of software licensing, since software can be purchased on a per user basis rather than a per computer basis. Computers typically outnumber users in most organizations, therefore licensing software on a per user basis is almost always more cost effective. Through SecureEXE you can set up who has access to which applications, thereby eliminating the possibility of inadvertent licensing violations.
SecureNT allows you to remotely control all the input/output devices on client systems. If you have a contractor on staff, and do not want to give the contractor access to your read/writeable CD-ROM drive, you can deny the contractor permission to use that drive from the SecureNT management console. The access permissions are set up at the user level, so if the contractor moves around from system to system, the lock-down follows the user to all nodes across the network.
SecureStack is easy to install and implement, and does not require a lot of configuration changes. A key difference between SecureStack and a competing product called StackGuard by WireX is that StackGuard requires significantly more time to set up and configure. While StackGuard requires that you replace your current compiler, SecureStack is less intrusive and interoperates with your operating system, requiring no changes whatsoever. It should be noted that StackGuard is only available for Linux systems, and cannot protect Microsoft operating systems from buffer overflow attacks.
SecureWave's Management Console (SMC) provides an integrated and single front-end for security administrators to administer user and group access controls for both local and remote systems. From the SMC, the security administrator can manage both SecureEXE and SecureNT from one console. SecureWave's future plans are to add in management capabilities to the console for SecureStack as well.
Product and Vendor Challenges
There are a lot of contenders in the security technology area, and to remain competitive, SecureWave will have to keep up with the rapid pace of technology development, and with Microsoft's release schedule. While competitors to SecureNT are not known, OKENA's newly announced StormFront product contains code that could be altered to provide similar auditing capabilities as SecureNT.
Other companies that compete in the intrusion management sector include Entercept, OKENA, ISS, and NFR. However, the intrusion management sector is still in its infancy, and as of today, a clear leader has not emerged. Intrusion prevention products are a more advanced way of managing intrusions, and the contenders in the intrusion management market that offer these capabilities today are out in front of the companies that offer only pure detection services. ISS and NFR offer traditional intrusion detection products that work through signatures and analysis practices. Relevant Technologies expects Entercept, OKENA, and SecureWave to go head-to-head in trying to win customers interested in intrusion management products that work at the kernel or registry level. The intrusion management market will increase in the coming years, and if SecureWave continues on its development path, it may emerge as the intrusion prevention market leader in Europe.
Companies that compete in the stack-guarding sector include WireX and Avaya. Both of these competitors' stack-guarding products are specifically for Linux systems, and therefore shouldn't be considered direct competitors.
Vendor Recommendations and Predictions
In order to take full advantage of the breadth of Microsoft operating system market share, SecureWave should develop a sales channel in order to increase distribution of its products to a larger IT population. A broader and more effective sales channel could help SecureWave build a stronger customer base and penetrate a wider market, resulting in improved profitability. The development of a consolidated partner program will help SecureWave remain competitive and bolster its position in the growing intrusion prevention market.
SecureWave's customer base in Europe is strong, as one might expect from a company based in Luxembourg. With customers like Commerzbank, London Metropolitan Police (formerly Scotland Yard), and France Telecom, it is clear that SecureWave has established a solid reputation in a variety of vertical markets. In order to continue their momentum, it will become important for SecureWave to ramp up its market share in the United States, and later expand to the Pacific Rim.
In order to expedite the deployment of their products, SecureWave should consider bundling all three of their products as one consolidated security solution. This would decrease the amount of time it takes to deploy their solutions, and would simplify the procurement process for IT decision makers.
If Microsoft wanted to acquire a company to improve the security capabilities of its operating systems, SecureWave would be an ideal candidate. SecureWave products offer advanced security capabilities that Windows NT and Windows 2000 need in order to go head to head with UNIX systems. Relevant Technologies expects SecureWave to be around for the long haul, and anticipates that it will continue to gain market share as more enterprises accept the fact that, in spite of their inherent security flaws, they cannot live without Microsoft operating systems.
IT decision makers who are interested in using the advanced features of Microsoft's enterprise operating systems, without compromising security, should consider installing all three SecureWave products on Windows NT and Windows 2000 production servers. In particular, SecureWave's line of Windows NT and Windows 2000 products are an ideal fit for organizations that don't want to rip out their IIS servers due to security vulnerabilities. Ripping out an IIS server could mean re-architecting vital network infrastructure servers since replacement products for IIS are not able to take full advantage of the domain controller capabilities that Microsoft networking offers. Locking down IIS with SecureEXE, SecureNT, and SecureStack increases the security of your IIS implementation, and is probably easier and more cost-effective than re-designing your entire Internet server strategy.
According to Ian Poynter, President of Jerboa, a security consulting firm headquartered in the Boston area, "SecureWave's products provide solutions to some of the important security issues that Microsoft has not yet addressed. Controlling access to NT systems more tightly can only enhance the overall security strategy of any organization, particularly in e-commerce environments where potential problems in IIS could lead to significant financial loss."
The use of traditional intrusion detection systems is complex, and these systems require on-going analysis to interpret the signatures and log files. Organizations that do not have a security administrator on staff are better off using second-generation intrusion prevention products like SecureEXE.
SecureWave just recently released SecureStack v2.0, which is available for Windows 2000, Windows NT, and Windows XP. SecureStack is ideal for protecting infrastructure servers, Microsoft IIS, Microsoft Exchange, Microsoft SQL Server, and Oracle servers from buffer overflow attacks.
SecureWave's products are based on securing Microsoft platforms at the host and application level. They do not provide network level security, and are not considered alternatives to the deployment of a firewall. The deployment of an organizational firewall is necessary alongside the deployment of SecureWave products in order to protect the organization's networks.
About the Author
Laura Taylor is Chief Technology Officer of Relevant Technologies, a security research advisory firm that assists IT decision makers in making best-choice technology selections. Ms. Taylor was formerly Director of Security Research at TEC, and prior to that was Director of Information Security at Navisite.
Ms. Taylor has also served as CIO of Schafer Corporation, a weapons and reconnaissance national security contractor.
Relevant Technologies can be reached at www.relevanttechnologies.com.