CA’s Host-Based Intrusion Prevention System combines a trusted application repository with blacklisting tools, including IPS, firewall and operating system system security settings, to create a serviceable but not stellar application whitelisting offering.
IT managers who already use CA anti-virus or anti-spyware tools for centrally managed, stand-alone threat management should consider CA HIPS to add application blocking controls in the mix.
Application whitelisting tools, including CA HIPS, Bit9’s Parity, Core Trace’s Bouncer and Lumension’s Sanctuary Application Control, take another tack from anti-virus and anti-spyware tools that use signatures and anomaly detection schemes to try to stop unwanted software actions.
CA HIPS required significant administrative effort on my part to identify and categorize the software on my Windows PC and server systems. I spent quite a bit of time in the Application Reposi??Ãtory Rule section enrolling appli??Ãcations. As such, it trails other whitelisting tools, including Parity. However, CA HIPS, with its more traditional blacklisting approach and less aggressive software con??Ãtrols, may be easier to roll out to large user populations.
Application whitelisting isn’t without flaws. There is the need to painstakingly approve programs to prevent blocking needed applica??Ãtions. CA HIPS creates and uses an application repository to manage application and DLL recognition for use in firewall rules. The rules, once created, were easy for me to modify from the central Web-based console.
CA HIPS doesn’t clean malware from a system, although the IPS and firewall protections will play a role in reducing the amount of unwanted or malicious software that is able to make it to end-user systems.
CA HIPS r8 was released last year and costs $40 per seat.
Client/Server Application
CA HIPS is a client/server appli??ícation. I installed the CA HIPS server in a VMware ESX Server 3.5 environment on a VM (virtual machine) configured with a sin??ígle processor, 20GB drive, 2GB of RAM and a single NIC with a fixed IP address.
CA HIPS can use an exter??ínal Microsoft SQL Server 2005 database to track clients, which I installed on a VM in the same VMware ESX cluster. There is currently no Oracle database support. The CA HIPS agent, which performs monitoring and policy enforcement on the target workstations and servers, can be installed on Windows 2000-, XP- or 2003-based systems. Vista is not currently supported.
CA HIPS policies are enforced according to a complex set of rules. Out of the box, I used the monitor (everything is allowed and tracked) to start learning about the applications on my systems. Other policy groups were relevant to the firewall and IDS functionality of the product, although applica??ítion rules I created could be used in these modules. Users are not able to allow unapproved applica??ítions.
Instead of allowing end-user control over application approval, CA HIPS provides a “test har??íness” that can be used in learning mode on representative end-user systems. I used a model com??íputer with the test harness appli??ícation to detect network traffic and applications. I then created rules and policies that governed how end users could use these applications and then imported the rules to the CA HIPS server for deployment.
The process for using the test harness was quite tedious and required a complex workflow to ensure that the application reposi??ítory, firewall zones and OS security rules were imported correctly.
While the CA HIPS monitors client activity, it was not easy to understand what kind of counter??ímeasures were being taken by the CA HIPS agent to protect my end-user systems. Like Bit9’s Parity, it was easy to get lost in the volumi??ínous amount of system messages, the vast majority of which merely reported only that the system was functioning normally.
After installing the CA HIPS agent on a system, the product started to work at once. While the agent can be installed and active with no user notification, I used mine with the local user interface active. Here I could see how many files had been blocked and get other information about how the product was working. While I was able to get most of this informa??ítion in the reporting tool provided on the administrative console, I can imagine that end users would appreciate and use this kind of information.
I easily integrated CA HIPS with the Active Directory infrastructure in use on my test network, which made short work of grouping end-user systems.
Once the CA HIPS system was fully operational, I spent most of my time in the reports section, gathering information about what was happening in my test envi??íronment. Combined with data I gleaned from the event viewer and the system messages, I was able to get a fair idea of the security landscape among my monitored Windows systems.
eWEEK Labs Technical Director Cameron Sturdevant can be reached at csturdevant@eweek.com.