StormWatch Stops Attacks

Upgrade's Windows and Solaris add-in provides flexible but firm security access controls.

Okena Inc.'s StormWatch 3.0 ups the ante in the security-hardening tool space with its ease of use and large set of pre-built security lock-down rules. Administrators who want to go beyond the usual patches-plus-firewalls combination will find StormWatch a big step forward.

This release adds Solaris support to StormWatch's existing Windows NT and Windows 2000 support on the server agent, although Windows XP and Linux still aren't supported. (Version 3.1, which began shipping at the end of last month, adds XP client support.) The desktop client supports Windows NT and Windows 2000. We tested the product on Windows 2000 Server and Windows 2000 Professional systems.

The server agent costs a competitive $1,800 per system, and the desktop agent costs $85 per system—quite a low price for the security protection provided. The required Web-based management console costs $4,995.

As a kernel-level security add-in for Windows and Solaris, StormWatch 3.0, which shipped in August, has a great deal in common with Entercept Security Technologies Inc.'s Entercept 2.5, an eWeek Labs Analyst's Choice award winner that was reviewed in our Aug. 12 issue (see the review at ). These two packages are the leaders in this space for their overall functionality and manageability.

Both products let administrators apply trusted-operating-system-style security controls to prevent system penetration, including blocking buffer overflow attacks and enforcing mandatory access controls. We could not bypass these measures with either of the packages, even when logged in with administrator-level access.

However, each implementation has strengths where the other has weaknesses. Given its combination of features, we think Entercept is still the best choice for protecting Web servers, but the ease with which StormWatch let us create new rules, plus its more extensive set of packaged rules, makes it a better choice than Entercept for other types of server applications and for desktop systems.

We criticized Entercept 2.5 in our review for not allowing us to create our own security rules and its lack of packaged sets of exceptions for common third-party applications. StormWatch, in contrast, makes it easy to add new rules and comes with packaged rule sets for a decent number of common server and desktop applications—nine for Solaris and 16 for Windows, including ones for Microsoft Office, Microsoft SQL Server and various instant messaging clients.

StormWatch also has built-in network traffic filtering features, so it can act as a firewall (a big advantage over Entercept). And it supports desktop Windows installations in addition to Windows and Solaris servers, making it the first trusted operating system product we've seen to even try to address the desktop market. Definitely investigate this product for security-sensitive laptops.

StormWatch's management tools are well-organized and clear and provide good reporting. We especially liked its detailed audit trail tracking, which shows who performed each administrative change and when changes occurred.

StormWatch isn't as flexible in creating exceptions to rules (such as for administrator access). It lacks Entercept's ability to allow exceptions to its rules on the basis of three important factors: process name, host name and logged-in user. StormWatch makes exceptions based only on process name, along with some built-in general categories based on general application characteristics, such as the type of network traffic sent or received. For example, when we blocked all access to a particular file and enabled access only through one particular executable, we couldn't also restrict access to a particular user.

StormWatch also lacks Entercept's HTTP traffic filtering and rewriting features, a valuable part of a defense-in-depth strategy, as well as Entercept's ability to identify attacks by name, because StormWatch doesn't use signatures in any way. Of course, the ability to stop attacks is far more important than naming them, but knowing what attacks are present and their frequency is still valuable intelligence for security staff.

West Coast Technical Director Timothy Dyck can be reached at