Wednesday, February 16, 2005

Interesting Research at MS

Doing some follow-up reading to the previous blog entry, I ran down an interesting research project at Microsoft called "Shield, the first line of worm defense". Shields are described as "vulnerability-specific, exploit-generic network filters installed in end systems once a vulnerability is discovered, and before the patch is applied."

While that approach is interesting, how about something like WIPFW, or perhaps just snort? If we're talking about protecting systems, why not install snort with some application specific rules during your build process, and then simply add the necessary rules when a vulnerability is discovered? That way, you wouldn't be installing anything new on a machine, simply adding a rule or two and restarting the process. Since things are already running fine, you won't have to worry about something new taking your system down.
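To make the quoted "vulnerability-specific, exploit-generic" definition concrete against the signature-style rule you would add to snort, here is an added Python sketch (an illustration written for this entry, not Microsoft's Shield code or a snort rule). The LOGIN message format, the 64-byte limit and every message byte are constructed for the example.

```python
# Added illustration of the Shield idea: filter on the *vulnerability*
# (a field the server cannot handle past a bound), not on one exploit payload.
# The protocol, the 64-byte limit and the sample messages are constructed
# for this example; they describe no real service or exploit.
import struct

NAME_LIMIT = 64  # constructed: the vulnerable server copies 'name' into a 64-byte buffer


def parse_login(msg: bytes):
    """Parse a constructed LOGIN frame: 1-byte opcode, 1-byte name length, name bytes.
    Returns (opcode, name) or raises ValueError on a malformed frame."""
    if len(msg) < 2:
        raise ValueError("short frame")
    opcode, name_len = struct.unpack("!BB", msg[:2])
    name = msg[2:2 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name field")
    return opcode, name


# Exploit-specific rule: matches the one payload already seen (constructed bytes).
KNOWN_EXPLOIT = b"\x01\x80" + b"A" * 128


def signature_filter(msg: bytes) -> bool:
    """Return True if the frame should be dropped; only the known payload matches."""
    return msg == KNOWN_EXPLOIT


def shield_filter(msg: bytes) -> bool:
    """Vulnerability-specific, exploit-generic: drop any LOGIN whose name exceeds
    the bound the vulnerable server can handle, whatever the name contains."""
    try:
        opcode, name = parse_login(msg)
    except ValueError:
        return True  # malformed frames are dropped as well
    return opcode == 0x01 and len(name) > NAME_LIMIT


# Constructed traffic: a benign login, the known payload, and a variant that
# triggers the same overlong-name condition but matches no signature for it.
BENIGN = b"\x01\x05" + b"alice"
VARIANT = b"\x01\x70" + b"B" * 112


def compare(msg: bytes) -> dict:
    """Report each filter's verdict for one frame."""
    return {"signature": signature_filter(msg), "shield": shield_filter(msg)}


if __name__ == "__main__":
    for label, frame in [("benign", BENIGN), ("known", KNOWN_EXPLOIT), ("variant", VARIANT)]:
        print(label, compare(frame))
```

The variant frame shows the difference the page is talking about: a rule written for one exploit lets it through, while the filter written for the vulnerable field's bound drops it.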

The other advantage to using snort is that it's also useful for protecting home-grown apps created by in-house development teams.

Shields would be effective if the framework were such that the service could be installed, and the shields added to that framework as they become available, and without rebooting the system. Also, providing a scalable, enterprise management framework would be nice, too, so that you can track managed systems, what shields (and versions) have been installed on what machines, what shields are available for download, etc. MS has been pretty notorious for creating network operating systems (beginning with NT) but not providing a simple, viable enterprise management framework; case in point, the Event Log. 'nuff said!

The thing is, I can't seem to find a download location for anything other than the papers for this, and the same is true for the AskStrider tool mentioned in one of the papers from the previous blog entry. This seems to be pretty standard for MS...look at WOLF, mentioned in Robert Hensing's blog..."we've got a useful tool that's been developed, we have screencaptures of the tool in action, and we're going to talk about it and how useful and good it is...but we're not going to release it." Ugh!
