Intrusion prevention systems act as deadbolt locks, stopping any attacks that may be targeted at your network. Unlike intrusion detection systems, intrusion prevention systems don’t analyze attacks and effect a response; they just plain stop attacks. One of the most popular intrusion prevention systems comes from Okena. Okena's StormWatch intrusion prevention system can proactively secure your servers, desktops, and applications. It can also send you alerts and provide analysis of precarious activity. In this article, I’ll show you how to install and configure StormWatch.
StormWatch has two main components that you have to deal with: the StormWatch Management Console and the StormWatch Intelligent Agent. You use the Management Console to create policies for the StormWatch Intelligent Agent. The agent runs on the servers and desktops you want to protect. Before system resources are accessed on a protected system, the agent checks the policies to see if it's okay to act upon the requested action.
You begin by installing the Management Console. However, before you can do that, you should check to make sure your computer can handle the Management Console. Your system must meet these requirements:
- Intel Pentium 500-MHz or higher (uni-processor or dual processor) system
- 128 MB minimum of memory
- 1 GB or more of disk space
- A single NIC interface (multi-homed systems not supported)
- Windows NT 4.0 with Service Pack 6a
- Microsoft SQL Server 8.0 or higher
Make sure your Windows NT 4.0 server has Service Pack 6a on it. Install Microsoft SQL Server according to the installation and configuration guide that came with the licensed version.
To start, log on as a local Administrator to you server and insert the CD into the CD-ROM drive. Click Launch Setup from the installation splash screen. If the installation program finds that Microsoft SQL Server is not installed, it will prompt you to install it, and you can do that at this time. If Microsoft SQL Server is already installed, after you click on Launch Setup, you'll see a welcome screen, and should click Next.
You'll then see the License Agreement screen. You’ll need to click Yes to indicate you've accepted the terms of this agreement.
The next screen prompts you to select a destination directory for the program files. Accept the default directory and click Next.
Now you'll be on the Installation Wizard screen, and will be prompted to put in a StormWatch Management Console logon account and password. Do that and click Next. On the next screen of the Installation Wizard, put in your company or organization name, an alphanumeric pass phrase, and click Next. The installation program will copy the files to their appropriate destination directories. After the files are in place, you'll be prompted to restart your Windows NT server.
Bring up the StormWatch Management Console
When the server comes back up, you'll see a StormWatch icon on your desktop, but don't double-click on it because you need to import your server's certification through your browser first. The first time you use StormWatch, you should access it through your browser by putting in the following URL: http://<hostname>.<yourdomain>.com, where hostname is the DNS name of your StormWatch server and the domain name is indicated in the http request.
Install the certificate
When your browser connects to the server, you'll see the StormWatch Management Console front page, and you'll need to accept the certificate to ensure secure communications. To accept the certification, click the Certificate button. A download prompt will appear, and you'll need to select Open This File From Its Current Location and click OK. When the Certificate Information box appears, click Install Certificate.
The Certificate Manager Import page comes up next, giving you an overview of your certificate information. Click Next, and you'll be prompted to select a certificate store. Select the radio button that says Automatically Select The Certificate Store Based On The Type Of Certificate and click Next. You've finished importing your certificate, so now click the Finish button. You are then asked if you want to add the certificate to the Root Store. Click Yes, and you’re done.
You can now log on to the management console from the icon on your desktop. Double-click the icon, and then click the Certificate button. Though your certificate has been installed, you need to tell the StormWatch server that you are agreeing to become a Certificate Authority. The first screen will tell you that you are about to become a New Certificate Authority (CA). Click Next to import that certificate into the CA.
You'll be asked if you're willing to accept this certificate authority for the purpose of certifying other users, sites, and software packages. Check the first box called Accept This Certificate Authority For Certifying Network Sites and click Next.
The Certificate Authority Identifier Page will then pop up, and you'll want to put in the name of your business or organization. This will become the name of your Certificate Authority. Then click Finish.
Log on to the StormWatch Management Console
To log on to the management console, double-click the icon on your desktop, and this time click on the Login button instead of the Certificate button. Enter the administration username and password that you selected earlier, and click Login. Now you can see the navigation frame of the management console.
You can prepare the management console so that systems slated for protection can download the protective agents. First, you'll want to configure some groups so that you can apply certain agents to certain systems. User desktops might be one group, and application servers might be another group. You might want to get specifications about your application servers, and call a group something like IIS Web Servers.
From the navigation frame, click on Groups, and click the New button to create an entry for a new group. Click the link called Untitled, and then put in the group name and description. Initially, select Test Mode instead of Verbose Logging Mode. Click the Save button to save your group information.
Now that a group is configured, you can build an agent kit. Administrators who manage the hosts that belong to the agent group will download the agent for use on their systems. From the navigation frame, click on the Maintenance link to expand it. Then click the Agent Kits link.
The view in the frame on the right will not show any kits because you haven't made any yet. Click the New button to create a new agent kit. Then click the Untitled link.
Now give your agent kit a name related to the function it will serve, for example, IIS Web Server kit. After you've entered a value into the Name and Description fields, select the group names that you want to associate with the kit. You then have the option of selecting whether you want the end-user system to load the agent as a Silent Install or Non-Silent Install. A Silent install simply requires a download and a reboot. A Non-Silent install prompts the user to answer various questions, such as where they would like the default installation directory to be. Now click the Make Kit button.
The management kit produces a kit for distribution and displays the URL for that particular kit, which you can then distribute via e-mail to the appropriate systems administrators. The URL will look something like:
When you click the URL, you'll see all the possible agent kits that exist. Systems administrators should download the appropriate kit or kits for the server they are trying to protect. After installing an agent kit, the end-user server (or desktop) must always be rebooted.
Associate policies with agents
After you’ve created the agent kits, you should associate some security policies with them. A policy is a description of access control rules. From the navigation frame in the management console, click the Policies link. In the right frame, click the New button, and you'll see a new link appear called Untitled_1. Click the Untitled_1 link and enter values into the Name and Description fields, then click Save. The name of your policy might be something like Macro Virus Protection, IIS Server, or DNS Server.
Now you can add a file access rule to the policy. When you are within a Policy in the navigation frame, the Rules section is at the bottom. Click on New to create a new rule, and you'll see a new file access control link appear in the Rules view list. Click this new link to go to the configuration view. Insert a descriptive name. You’ll notice that the Enabled box is checked. Don't uncheck it.
Next create a rule that stops the application from performing a certain operation. Select the Deny radio button and the Log radio button. Doing so enables logging for this particular rule. When you select a deny rule, all other actions are allowed unless they are expressly denied. Now go to the Application Class pull-down list and select all the appropriate applications that you want this rule to be applied to. Some of these application classes include:
- E-mail applications
- Microsoft Office applications
- Web browser applications
- FTP applications
- Installation applications
- Desktop interface applications
- Instant Messaging applications
- All applications
- Network applications
- Server TCP based
- Server UDP based
You'll then need to check the box stating whether this is a Write or Read access control rule you're defining. Select the Write rule for the purpose of this exercise. Enter a list of the files to which you do not want a hacker to write. Where it says On Any Of These Files, put in your file list. For the purposes of this example enter:
Click Save. You have now created a rule that prevents anyone from writing to system executables.
The nice thing about StormWatch is that you don't have to create your own rules. There are different types of default rules and policies to pick from right out of the box. Depending on which policy you select or create, different rule types will appear in the pull-down list. The default possible rule types include:
- File access control
- Network access control
- Registry access control
- Trojan detection
- Portscan detection
- Syn flood protection
- Network worm protection
- Application control rule
- COM component access control
- File monitor
- File version control
- NT Event Log
- Service restart
- Sniffer and protocol detection
The different out-of-the-box policies include:
- Common Security Module
- Require Windows Security Module
- Distributed Firewall Module
- Desktop Module
- File Integrity Module
- Instant Messenger Module
- Network Lockdown Module
- Server Module
- Restrictive MS IIS Module
- Restrictive DHCP Server Module
- Restrictive DNS Server Module
- Restrictive MS SQL Server Module
- StormWatch Manager Module
- Restrictive Apache Module
- Microsoft Office Module
- In-bound Port Blocking Module
That’s all there is to it
By working through this process, you can see how the rules are applied to policies, policies are applied to agents, and agents are applied to groups. The nice thing about StormWatch is that setting it up is a truly educational process. After you have installed and configured it, you'll know all the basics of how to install applications.