New Stuff
Resources for Your Developer Toolbox
Theresa W. Carey
Contents
Manage Directory-based Security
Detect Intruders
Disable Worms and Viruses
SSL Comes to IP*Works
Web Security Appliance
Monitor Network Infrastructure
Catch Hackers Red-handed
Snoop-proof Your Files
The Bookshelf
Manage Directory-based Security
ePresence Inc. and OpenNetwork Technologies, an identity management security company, recently announced a partnership to deliver directory-based security management solutions utilizing Microsoft® Active Directory® as the identity store and Microsoft .NET Web Services for e-business. Through the partnership, ePresence will provide OpenNetwork's DirectorySmart software to its Fortune 1000 Microsoft customers, enabling clients to bring e-business applications and services to the Web through a heterogeneous directory-based Web security model. This environment includes Web single sign-on, self service, self registration, and identity management.
Using directories as the trusted identity and policy store is becoming a standard for companies deploying comprehensive secure identity management solutions. Companies can bridge the security void between platforms because they can now utilize Active Directory in an outward facing role while extending Active Directory to a variety of environments within a company's enterprise infrastructure. DirectorySmart by OpenNetwork uses a directory as the central trusted store for both identity and policy information without the requirement for a separate, proprietary policy server.
Detect Intruders
GFI Software has announced the release of LANguard Security Event Log Monitor (S.E.L.M.) 3.0, a host-based intrusion detection system that monitors networks for security breaches. GFI LANguard S.E.L.M. scans the security event logs of all machines running Windows NT®, Windows® 2000, and Windows XP on a network, consolidates them into a central log for analysis, and provides detailed activity reports.
It alerts administrators about critical security breaches in real time, enabling them to respond immediately to high-security events such as unauthorized network users attempting to access shares, resources, or data. Because it performs intrusion detection by scanning the event logs, GFI LANguard S.E.L.M. is not impaired by switches, IP traffic encryption, or high-speed data transfer, as are traditional network-based intrusion detection products that operate by sniffing network traffic and analyzing attack patterns.
Prebuilt event viewers show all events configured into security levels, categorizing events by event type (logon, policy changes, privileges, and so on), and providing filters that make it possible to drill down to specific users, computers, event types, or other variables. In addition, GFI LANguard S.E.L.M. provides extensive reporting and forensic analysis. For example, administrators can view logon and logoff times of all network users, see which machines are attacked most frequently, and identify users who are creating too many events such as failed logons or failed object access.
The logs scanned by GFI LANguard S.E.L.M. 3.0 now include the application, system, DNS server, directory services, and file replication services event logs, as well as the security event logs. GFI LANguard S.E.L.M. 3.0 also offers increased customization and flexibility, allowing administrators to choose which types of event logs are to be retrieved for each machine and which event categories should be archived.
Other new features include the ability to enable correct auditing policies on all target machines automatically; refined event log filtering rules; color-coded records for improved filtering methods and instant recognition of which events are of critical, low, medium, high, and unclassified importance; and support for three types of database back ends: Microsoft Access, Microsoft Data Engine, and Microsoft SQL Server™.
Disable Worms and Viruses
Network administrators are facing a new challenge in network security with the growing threat of worms and viruses that alter themselves as they migrate across LANs and WANs. In direct response to threats such as Nimda, Blue Worm, Red Worm, and Red Worm II, Flicks Software recently announced Titan, which proactively protects your Web server by disabling a worm's or virus's ability to infect the server.
Titan monitors all server requests via HTTP for suspicious query formats, such as hi-bit machine code instructions, which are commonly included in server requests submitted by potential hackers. By monitoring the HTTP traffic before it hits the server, Titan is able to stop potential worms before they have the opportunity to take effect. Titan allows network administrators to set parameters and monitor all HTTP traffic over their networks for illicit behavior. Network administrators can prevent buffer overflows by limiting the request size of a URL, POST, GET, or Header.
Additional features include scanning for certain keywords common to hackers, such as CMD.EXE or SYSTEM32, limiting HTTP methods (POST, GET, Host Header), and e-mail notification of failed hack attempts.
SSL Comes to IP*Works
/n software inc. has released IP*Works! SSL for the Microsoft .NET Framework, a Secure Sockets Layer (SSL)-enabled version of IP*Works!, written entirely in C# and specifically targeted for the .NET Framework. This is a suite of secure royalty-free components that can facilitate tasks such as sending e-mail, transferring files, browsing the Web, and consuming XML Web Services. IP*Works! SSL for Microsoft .NET brings developers drop-in replacements for the components in the "classic" IP*Works! .NET package.
IP*Works! SSL makes it easy to communicate with secure clients or servers. The client components (such as HTTPS or SMTPS) provide full control over the process of setting up SSL connections, including certificate management, verification, and certificate-based client authentication. The secure server control, IPDaemonS, is a generic SSL server that provides full secure server capabilities. In addition, the CertMgr control provides certificate management capabilities.
Web Security Appliance
Rainbow eSecurity is shipping the NetSwift iGate Web security appliance, which provides organizations with secure access to Web-enabled data and applications. NetSwift iGate offers user authentication and SSL acceleration to provide customers with a solution for secure Web access from the client's browser to a single server and multiple back-end servers.
NetSwift iGate can be deployed quickly and requires no systems integration. It provides centralized user management and access control to Web-enabled applications by authenticated users and is scalable to thousands of users.
On the client side, the NetSwift iGate solution uses Rainbow's iKey USB token to provide two-factor authentication of users for Web-enabled applications. iKey is designed to eliminate the weakness in user name and password security. iGate also provides always-on security with SSL; once the iKey is installed, SSL automatically encrypts all data and the USB key continues to reauthenticate the user without having to type in a random password every time, allowing authenticated users to access company data on the open Internet. If the iKey is removed, the session is terminated.
Typical real-world applications for NetSwift iGate include tech services sites (by preventing unauthorized users from accessing support extranets), content subscription sites (by preventing password sharing), secure remote access, and single systems used by employees, partners, clients, and vendors.
Monitor Network Infrastructure
SharpeWare has released NetWatch 2.5, a program that keeps IT staff informed about their network infrastructure from any browser. Designed for Windows, Novell NetWare, Unix, and a range of Internet services such as Web servers, NetWatch logs important data, plots trends, and generates alerts when problems occur. NetWatch users can monitor their systems remotely without the need for special agents. Using the NetWatch Web interface, monitoring and alert data, as well as trend graphs that update automatically, are available from any browser.
Users can log and plot key data such as Web page or e-mail server performance, server memory, disk, or network indicators. The "Tell me When" feature can be used to generate alerts automatically by pager or e-mail. The Alert Log tracks all problems as soon as they are identified and when they are cleared. Users can also choose a centralized console approach and view one window of alerts from all NetWatch installations on their network.
Storage information is collated into one constantly updated and color-coded list, giving a network-wide view of disk space in one place. NetWatch requires Windows NT Workstation or later for full operation with Windows servers and a Novell Client for NetWare servers.
Catch Hackers Red-handed
Increase a Web server's security with FutureWare's HackerTracker for Windows, which scans a Web server's standard W3C Extended Format log files to identify hacker attacks, capture source IP addresses, and collect attack signatures and buffer overflow info. All this data can be used to generate several built-in reports. It can also identify site errors (such as missing pages or broken links), and can filter out Internet noise and clutter (such as robot scans).
Requests from the hacker's IP address can be blocked at the server, and at a front-end router or firewall. The intermediate ISPs who handled the hacker's traffic can be contacted to help them in their tracking and security efforts.
HackerTracker can be used in an interactive mode as well as in an automatic mode in which it generates and runs command scripts for unattended operation. The HackerTracker application includes a set of common attack signatures that can be added to during the examination of the log capture display section of the application.
The application maintains an integrated database that contains captured hacker IP addresses, attack signatures, Web site errors, and other filtering criteria. Secured access to HackerTracker can be controlled with logon credentials that are compatible with FutureWare's KeyRing product. HackerTracker can help in reducing the cost of hacker insurance.
Snoop-proof Your Files
WinAbility Corporation has released Folder Guard Professional 5.4, which is used to restrict access to files, folders, and other computer resources for both standalone and networked computers. If you share your computer, you can use Folder Guard to stop other users from opening your personal files or even completely hide your documents until a valid password is entered. You can protect sensitive system files from modification or destruction, disable access to the floppy, CD-ROM, and other removable drives, restrict access to Control Panel, Start menu, applications, and more. Windows XP, Windows 2000, and Windows NT allow you to use their built-in security to control access to data stored on the NTFS volumes.
With Folder Guard Professional, you can secure files and folders on NTFS, FAT, and FAT32 drives with much greater flexibility. You can hide some files and keep others in the same folder visible, set up the access rights using wildcards, or make files accessible only to selected programs.
If your version of Windows does not support file security (such as Windows 95, Windows 98, and Windows Me), you can use Folder Guard to keep your important files and documents protected from unauthorized use. Folder Guard protects your documents by intercepting requests from other programs to work with files; your data is not modified in any way. When Folder Guard hides a folder, the folder's contents become invisible to all applications, including Microsoft Internet Explorer, Microsoft Office, and even programs written in MS-DOS®. You can require password access to the protected folders to prevent unauthorized access.
On a user-by-user basis, you can allow or deny access to the files and folders of your choice, as well as to the removable drives, Start menu, and Control Panel. You can configure the protection so that users won't be able to download programs from the Internet or install them from the CD-ROM without permission.
The Bookshelf
802.11 Wireless Networks: The Definitive Guide, by Matthew S. Gast (O'Reilly, 2002) discusses how the 802.11 protocols work, with an emphasis on the options available and on troubleshooting problems that arise. The book delves into wireless security issues, including the problems with the Wired Equivalent Privacy (WEP) standard, and takes a look at the 802.1x security standard.
Since network monitoring is essential to any serious network administrator, and commercial packet sniffers for wireless apps are scarce and expensive, the book shows how to create wireless packet sniffers.
Contacts
Flicks Software, 1610 Broadway Suite B, Santa Monica, CA 90404, 310-526-0325, https://www.flicks.com
FutureWare, 626-919-5573, https://www.futurewaredc.com
GFI Software Inc., 105 Towerview Court, Cary, NC 27513, 888-243-4329, 919-388-3373, https://www.gfisoftware.com
/n software Inc., P.O. Box 13821, Research Triangle Park, NC 27709, 919-402-0590, https://www.nsoftware.com
OpenNetwork Technologies, 13577 Feather Sound Drive, Clearwater, FL 33762, 877-561-9500, https://www.opennetwork.com
Rainbow Technologies, 50 Technology Drive, Irvine, CA 92618, 800-852-8569, 949-450-7300, https://www.rainbow.com
SharpeWare, 10 Gallow Hill, Peebles EH45 9BG, Scotland, UK, +44(0)870-834-9496, USA 419-735-2171, https://sharpeware.com
WinAbility Corporation, P.O. Box 630272, Rockville, UT 84763-0272, 720-489-3872, https://www.winability.com
Send your New Stuff to Theresa at NewStuff@microsoft.com.
Theresa W. Carey is a freelance writer who lives in California. Her byline has appeared in Barron's and PC World.