Microsoft released another security bulletin (MS01-026) this week about serious vulnerabilities in IIS. One problem lets a remote intruder run commands on the server; two other problems affect the FTP service where intruders can cause Denial of Service (DoS) attacks or find valid user accounts across internal and trusted domains. Don't take these problems lightly; make sure you load the patch, which is linked in our report under Security Risks. This IIS patch is a cumulative patch that contains all previous IIS patches, so after you load it you don't have to load the previous patches.
I point out this latest bulletin from Microsoft because I know about a new IIS add-on that prevents these and other types of problems whether or not you've patched your systems. eEye Digital Security developed the tool, called SecureIIS, and released it only 4 weeks ago. SecureIIS is an application firewall module that filters all inbound and outbound Web traffic, looking for traffic patterns that might indicate an attack is underway. SecureIIS loads itself into the same memory space as IIS so, according to eEye, the product can examine Secure Sockets Layer (SSL) traffic without affecting server performance.
When I first heard about SecureIIS, I wondered what it offered for detecting and preventing unknown attacks. Soon after, I found out how effective the product can be. On May 1, Microsoft released bulletin MS01-023 regarding a serious vulnerability (discovered by eEye) in the IIS .printer extension that lets remote intruders run code of their choice under the security context of the System account by exploiting an unchecked buffer. As it turns out, SecureIIS can detect erroneous buffer overflow exploits and stop them cold. So users of SecureIIS didn't experience the problems reported in Microsoft's bulletin. The same holds true for the directory traversal and parsing error condition mentioned in Microsoft's latest IIS bulletin—SecureIIS users remain unaffected because the plug-in generically stops directory traversal attacks, parsing attacks, buffer overflow attacks, and more. Be sure to check it out.
Are you interested in biometric security? Another slick tool I've used for the past month is Identix's BioLogon. BioLogon is a fingerprint logon mechanism for Windows 2000, Windows NT, and Windows 9x systems that eliminates the need for passwords. The unit I have came as a PC card finger scanner, which I slipped into a laptop running Win2K. The product integrates into the Windows security subsystem, and you can configure it in a variety of ways, including fingerprint-only logons, where passwords aren't allowed—no matter how the system is booted, a person can't log on without the correct fingerprint. When combined with disk encryption, BioLogon offers strong security, especially for mobile users who are more susceptible to stolen or lost computer equipment. You can use BioLogon as standalone security for one system, or you can integrate the tool across a network with Identix's BioServer software. If you're looking for fingerprint-based security technology, give BioLogon a close look.
The third security product I've been playing with is an intrusion-detection system (IDS) called Snort, which is provided free to everyone under the GNU General Public License scheme (as published by the Free Software Foundation.) Snort was originally designed by Martin Roesch to run on UNIX systems; however, Michael Davis has graciously ported Snort to the Win32 platform so now it runs on Windows.
Like other IDS systems, Snort works by comparing network traffic to a database of known attack types and traffic patterns. Snort is very flexible; users can write their own rules using fairly simple syntax, or they can download any of several predefined attack signature databases (called rules) for use within the product. The ability to define your own attack signatures means that you don't have to wait for your IDS vendor to produce them for you; you can protect yourself as soon as you discover a new risk by writing your own rules.
No IDS can detect attack types it doesn't know about, so the rules are crucial. And because Snort is freeware (and open source at that), the tool has a tremendous amount of community support, and as a result, new rules are created about as fast as hackers and crackers discover new exploits. So in most cases, instead of writing your own rules, you can simply go to a site that maintains Snort rules and quickly download any new rules. For example, Whitehats.com maintains a list of rules called Vision that add to Snort's detection capabilities, so if you use Snort, consider loading the Vision rules along with any others you find useful.
Developers have created many Snort add-ons that make the tool easier to use. Snort is command-line-based, so remembering the command switches is cumbersome. Snort users realized this and created Windows-based GUIs for Snort. The GUIs help automate command-line switch configurations through the use of simple dialogs. Other add-ons include log analyzers that help make sense of Snort logs. Logs can be written in Snort's native ASCII log format or to a familiar TCPDump-style binary format. In addition, Snort can send its output to a Posix-compliant syslog daemon (which typically runs on UNIX systems), to the Win2K/NT Event Log, or to a SQL database—all of which help you take advantage of existing technology infrastructures.
Setting up Snort takes a little work, but its setup isn't beyond the capability of any network administrator who understands basic networking concepts. The real work comes from the need to download Snort along with other required components that might not be present on your system (e.g., WinPcap, which provides the packet driver—DLL file—that the Win32 version of Snort uses).
I installed Snort, a GUI-based configuration tool, and a log analyzer/alerter in less than an hour. I installed the software on a honey pot I leave running on my network as bait, and in the first 3 days, it caught crackers' port scans as well as their attempts to break into the honey pot's Web service, mail server, and DNS server. I suppose it's no coincidence that two of those three crack attempts originated from networks in China! (See last week's column, "Cyberwar: Deadly Battleground or Hype Beyond Compare?".)
Snort is easy to use, good at detecting attacks, runs on a variety of OSs, and comes with a plethora of snap-ins and add-ons that further extend its abilities. If you thought you couldn't afford a good IDS system for your network, Snort is just what you need—and it's free! You can thank the open-source community for that fact. Download Snort and the required WinPcap packet driver from their respective Web sites.