In conclusion, application learning/application protection needs improvement, especially from those vendors who are attempting to establish themselves in the Magic Quadrant.
Application Protection and malicious applications should be examined with in-line devices and other types of solutions.
/mark
At 11:16 AM 12/9/2003, Andrew Plato wrote:
I wrote a white paper on Hardening Windows 2k that specifically addresses the problems with "Application Protection" oriented firewalls (http://www.anitian.com/corp/papers/Hardening_Win2k.pdf)
Honestly, in the hundreds of RSDP/BlackICE installs I've done over the years now, I don't think I've ever had a single customer use the application protection (AP). AP is a nice idea that is just too difficult to implement properly in a distributed environment. Furthermore, how are users to know if "SVCHOST.DLL" is a legit program or not? I don't even know that and I'm a security guy.
The real problem is how often stuff changes in Windows. If you've ever run tripwire on a Windows box, it is appalling how often core operating system files change.
AP is the "ZoneAlarmification of BlackICE." And Zone is a perfectly okay product for a single home user. But for a distributed corp with a help desk that must take boneheaded calls from users every hour, AP and products like Zone are a flippin' nightmare. I've had a dozen or more customers throw away their Zone installations after quickly realizing that AP type products are too difficult to use in a Windows environment.
One concept that I have used is to put RSDP into "learning mode". That is, have it log every time an application changes but not actually block it. This is an unsupported feature, and not terribly easy to implement, but I wrote a white paper on that as well.
See http://www.anitian.com/corp/papers/BI%20AC%20tweaking.pdf
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
-----Original Message-----
From: Cunningham, Chris, R. [mailto:[EMAIL PROTECTED]
Sent: December 09, 2003 5:29 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Desktop Protector and Application Protection
Does anyone have any whitepapers or personal insight into managing application protection on Desktop Protector? We are considering the use of this, but are wary of the time it may take to manage the checksums of application and OS binaries, especially if the patching schedule continues at its current pace.
Any help would be appreciated.
Thanks,
Chris
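An added example, not code from this thread or from ISS/BlackICE: a minimal checksum baseline in Python that behaves like the "learning mode" Andrew describes (log every deviation, absorb it into the baseline, block nothing) next to an enforce mode that reports deviations as blocked, run over a constructed set of fake binaries and a simulated patch cycle. It assumes SHA-256 file hashes stand in for whatever checksum Desktop Protector actually uses; the file names and contents are made up.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def check(root: Path, baseline: dict, mode: str) -> list:
    """Compare the tree against baseline. In 'learn' mode every deviation is
    recorded as an event and absorbed into the baseline; in 'enforce' mode
    deviations are reported as blocked and the baseline is left untouched."""
    events = []
    current = build_baseline(root)
    for name, digest in current.items():
        if name in baseline and baseline[name] == digest:
            continue
        kind = "changed" if name in baseline else "new"
        events.append((name, kind, "logged" if mode == "learn" else "blocked"))
        if mode == "learn":
            baseline[name] = digest
    return events

def demo() -> tuple:
    """Constructed scenario; returns (learn_events, quiet_events, enforce_events)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svchost.exe").write_bytes(b"fake svchost build 1")
        (root / "bin" / "lsass.exe").write_bytes(b"fake lsass build 1")
        baseline = build_baseline(root)
        # Simulated patch cycle: one core file changes, one new binary appears.
        (root / "bin" / "svchost.exe").write_bytes(b"fake svchost build 2")
        (root / "bin" / "newtool.exe").write_bytes(b"fake newtool")
        learn = check(root, baseline, "learn")      # logged and absorbed
        quiet = check(root, baseline, "enforce")    # nothing left to flag
        (root / "bin" / "lsass.exe").write_bytes(b"fake lsass build 2")
        enforce = check(root, baseline, "enforce")  # now reported as blocked
    return learn, quiet, enforce
```

Every patch cycle shows up as a burst of "changed" events, which is the management cost Chris is asking about; learning mode turns that burst into log lines instead of help desk calls.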
_______________________________________________ ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
