REVIEW: Bit9's IPS uses policies to limit attack surface.
Bit9s Parity 3.5 is a fine host-based intrusion prevention system that works not by identifying and blocking malware before it touches the system but rather by limiting the code that can run on the desktop. Although its a daunting product at the outset, Bit9s new tools greatly simplify management.
These tools also solve some of the shortcomings of a least-privileged user desktop environment because only administrator-approved applications are allowed to run. Although a locked-down desktop keeps users out of most trouble, the potential still exists for running malware under user credentials or for a vulnerability to be exploited.
Parity 3.5 IPS complements a locked-down desktop by keeping malware inert. Parity 3.5 limits the attack surface that comes from running unapproved vulnerable applications and triggers alerts if unknown or untrusted code is seen propagating around the network. However, Parity 3.5 will not clean the inert malware from systemsother tools are necessary for accomplishing that.
Parity 3.5, which started shipping in December, also brings to the table new enhancements that monitor software usage across the enterprise, control the use of USB storage devices and provide Parity 3.5 administrators in-line integration with Bit9s software vetting service, ParityCenter.
Parity 3.5 can be licensed in two ways (all prices quoted are for a 1,000-seat deployment): In the perpetual model, companies may purchase the software for a one-time fee of $35 per workstation, with an additional 20 percent annual maintenance fee for standard support (or 25 percent for premium support); the subscription model costs $19 per workstation per year for standard support and maintenance (or $21 per workstation per year for premium support).
The Parity Server component must be installed on at least a Microsoft Windows Server 2003 SP (Service Pack) 1 machine that has at least 1GB of RAM and 20GB of available storage. The Parity Agent, which performs disk inventory, monitoring and policy enforcement on client workstations, can be installed on Windows 2000-, XP- or 2003-based hosts.
Parity 3.5 policies are enforced per Host Group, which we set up in the Parity Server. For each policy, we could enforce lockdown (allow only approved applications), block and ask (warning users of unapproved software while allowing them to continue). We could also set up the policies in a monitor-only mode, which is helpful for getting to know exactly what is running on the network, or we could disable policy enforcement or the agent entirely.
Once the agent is installed on a Windows 2000-, XP- or 2003-based client, Parity 3.5 performs an initial discovery of executables residing on the workstation, reporting all findings to the Parity Server for evaluation. At first glance, the file inventory is overwhelming: We found more than 5,000 items on a single client with only a few applications installed. These items are presented to the administrator in list form on the Web-based Parity 3.5 console.
Thankfully, Bit9 has made several improvements to ease the approval process. Parity 3.5 creates a hash of every file and reports the hash to Bit9s ParityCenter. (This service is included for subscription customers and costs an additional 10 percent annually for perpetual customers.) ParityCenter reports back what it knows about the file, whether the files publisher is trusted and whether the file contains malware discovered by ParityCenters anti-virus and code analysis tools.
Based on ParityCenter recommendations, we could safely approve some of the found software. We learned that ParityCenter has not seen everything, though, as many of our found executables had not been vetted (including software that had been reported as malicious or suspect by other anti-malware companies). Wed like to see Bit9 pursue relationships with other anti-malware companies to expand the depth of its database.
For now, administrators will have to make most policy decisions themselves, and Parity 3.5 provides several methods for doing so. During tests, we could make policy approvals based on a number of Bit9-provided criteria. For example, we could automatically approve software installed by certain users, software installed from approved installation sources, and software from known and trusted publishers. If needed, we could approve software on a file-by-file basis.
It is useful to understand the different ways Parity 3.5 operates. Lockdown mode is effectively a whitelistif software isnt approved, it wont run. But Parity 3.5 also provides the option of banning software, allowing administrators to blacklist specific apps.
For example, Parity 3.5 can block Internet Explorer plug-ins and ActiveX controls, so we placed a ban on the Google Toolbar for IE. One of our test machines had the Google Toolbar installed prior to the Parity 3.5 deployment. Within a few seconds of creating the policy banning it, Google Toolbar would not start, even though the host group was configured to monitor mode.
However, this experience also showed us how things can quickly get annoying for users if a blocked application is wrapped tightly into the operating system. The Google Toolbar attempted to launch every time IE or Windows Explorer started, creating a lot of pop-ups on users screens and numerous entries in the Parity Server log. Parity 3.5 also blocked users ability to uninstall the tool bar, so, in a case like ours, administrators will have to take some action (changing the policy or uninstalling the software) to quell the alert storm.
This underlies one of the perils of trying to install Parity 3.5 on an active desktop fleet. The wise administrator would begin configuring Parity 3.5 by using a freshly imaged workstation to set a base line of approved software. But rolling out Parity 3.5 to workstations already in the field is another matter, especially if users have had free rein to install software in the past.
Administrators should be able to approve acceptable software fairly easily given the variety of tools Bit9 provides, but dealing with the complications arising from unapproved software not working after being denied by Parity 3.5 could lead to some pain.
Technical Analyst Andrew Garcia is at firstname.lastname@example.org.