ISS hatches 'virtual patching' mgmt. plan

Internet Security Systems is readying technology it says could benefit companies fed up with current patch management techniques.

ISS would enable its vulnerability-assessment scanner to gang up with its network- and host-based intrusion-detection systems (IDS) to stop newly discovered attacks or worms that could damage unprotected servers or desktops on corporate networks.

ISS CTO Chris Klaus calls the idea "virtual patching" because it could eliminate the need to immediately apply server or desktop software patches, which often are required to combat new attacks that exploit software holes. Instead of having to rush to patch the application or operating system software to stop a fast-moving worm from taking over vulnerable systems, ISS would be able to have its IDS ready to take certain steps to stop specific attacks aimed at the target machine.

"Patching is unattainable. There's no Fortune 1000 company doing it across all its systems," says Klaus, who points out that sometimes vendors stop supplying patches for their legacy products. "For instance, Microsoft is no longer supporting patching for Windows NT."

Next month, ISS will add the virtual patching capability to its vulnerability-assessment tool, Internet Scanner 7.0, which runs on Windows 2000.

Updated with new attack information as it becomes known, Internet Scanner would examine Web servers, firewalls, operating systems, routers, switches, mail servers and other applications to determine where weaknesses reside. The product also would perform network discovery to locate network resources.

Internet Scanner would no longer simply be a stand-alone tool, but would be able to take commands from the ISS management console, SiteProtector. Companies then could perform a scan when a new vulnerability or threat was identified, to see which machines could be hit. Then, based on the network manager's decision, SiteProtector would be able to instruct the ISS network-based sensor, RealSecure Network 7.0, or the host-based IDS, RealSecure Server 7.0 and RealSecure Desktop 7.0, to take certain steps. The host-based IDS could block access, based on a specific check or signature.

Because traditional "passive" IDS products aren't inline devices that can block large traffic streams, RealSecure Network 7.0 would be limited to instructing the firewall to block the attack through a process called shunning or, alternatively, terminating a session with TCP resets.

The ISS inline prevention product, Guard, also would support the virtual patching process, as would the line of Proventia intrusion-prevention system appliances ISS plans for the third quarter.

The virtual patching capability is timed to coincide with the debut next month of what ISS has dubbed The X-Force Catastrophic Risk Index, which the company is expected to issue periodically as a guide to the worst security threats and risks.

While the virtual patching capability is still in testing mode, and it's not clear how well the idea will work in practice, there's little doubt that network managers are fed up with patching.

"We have to apply patches nearly every day," says Bill Arnold, IT manager at Purdue Employees Federal Credit Union in West Lafayette, Ind.

Copyright © 2003 IDG Communications, Inc.
