Major denial-of-service, virus, and worm attacks seem to be occurring every week. There is broad-based consensus that external threats will continue to increase and grow in sophistication. Intrusion protection is a need clearly recognized by all organizations.

There is also broad agreement among users, service providers and vendors that no one solution delivers “bullet-proof” intrusion protection and, in fact, that the best protection against external threats comes from using multiple tools in a coordinated, “layered” fashion.
Automated Support Infrastructure (ASI) intrusion protection value and benefits

| Benefit \ ASI Function | Behavior Based Intrusion Protection | Device Based Intrusion Protection | Remote, Centralized Management | Real-time Detection and Reporting | Software Task Automation |
|---|---|---|---|---|---|
| Zero-day threat neutralization | ✓ | | | | ✓ |
| Anywhere, anytime protection | | ✓ | ✓ | | |
| Lower costs (ongoing management, remediation, maintenance) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Higher efficiency | | | ✓ | | ✓ |
| Contain IT resource growth | ✓ | | ✓ | | ✓ |
| Scalability | | ✓ | ✓ | | ✓ |
| Immediate knowledge | | ✓ | | ✓ | |
| Immediate action | | ✓ | ✓ | ✓ | ✓ |
ASI intrusion protection functions

Configuring ASI intrusion protection functions to match a site’s requirements takes no more than a few minutes. Once configured, each function can be run automatically or on demand. ASI intrusion protection procedures include:
Start-up environment control. Depending on your configuration choices, this function can automatically prevent the addition of any executable to the start-up environment, terminate the process attempting the change, and quarantine or delete that process. It also prevents the deletion of start-up environment items.
ASI start-up environment control helps protect systems from attack by new viruses, worms (e.g. Sasser and Bagle), and other forms of intrusion (e.g. spyware and adware) that are not typically caught by signature-based anti-virus or anti-spyware/adware software, because a signature database can only identify threats that are already known.
System
configuration areas protected by ASI start-up environment control include the
start-up folder, the win.ini file, the system.ini file, and the registry keys
used to identify processes and services that are run at system start-up. This
procedure also protects a system from unwanted pending file rename operations.
Intrusion protection control. This function detects
attempted configuration changes to system areas outside the start-up
environment that can be used to execute unauthorized or malicious code. You can
configure it to disable or delete these changes automatically without end-user
intervention. You can also have ASI intrusion protection control terminate
execution of the process attempting the change, and quarantine or delete it.
The areas and object types
currently protected by ASI intrusion protection control include autoexec.bat,
explorer.exe, hosts, userinit.exe, shell extension handlers, screen savers,
Open verb's command default value for executable files, the Shell, Userinit,
and DllName values for
the Winlogon key, RunOnce, RunOnceEx, and RunServicesOnce registry keys,
Microsoft Internet Explorer and Microsoft Windows registry keys used for
Internet access, and Scrap Objects.
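Both functions above come down to comparing the current state of a list of sensitive locations against a known-good baseline and reacting to the difference. The following Python is an added illustration of that check, not ASI's code: it diffs two constructed snapshots covering the Startup folder, win.ini run=/load=, the Run/RunOnce keys, the PendingFileRenameOperations value and the Winlogon Shell/Userinit values, and assigns a severity and response per location. The registry paths are the real ones; the snapshot contents, the severity levels and the block/restore policy are assumptions made for this example.

```python
"""Baseline-and-diff check for the autostart and shell-integrity locations the
text names. Added illustration, not ASI's code: snapshots are constructed
dictionaries of {location: {name: value}}; on a real host they would be
collected from the registry, win.ini/system.ini and the Startup folder."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Real registry paths for the locations the page names.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SESSION_MGR_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"

# Severity per location is an assumed policy for this example, not ASI's.
SEVERITY: Dict[str, str] = {
    "StartupFolder": "high",
    "win.ini:[windows]": "high",
    "system.ini:[boot]": "high",
    RUN_KEY: "high",
    RUNONCE_KEY: "high",
    SESSION_MGR_KEY: "medium",   # PendingFileRenameOperations value lives here
    WINLOGON_KEY: "critical",    # Shell and Userinit values
    "hosts": "high",
}

Snapshot = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Finding:
    location: str
    name: str
    change: str            # "added" | "removed" | "modified"
    old: Optional[str]
    new: Optional[str]
    severity: str
    action: str            # "block" (undo an addition) | "restore" (put the baseline value back)


def parse_ini_autostart(text: str, section: str, keys=("load", "run", "shell")) -> Dict[str, str]:
    """Pull autostart keys (win.ini load=/run=, system.ini shell=) out of INI text.
    Tolerates comments, blank lines and lines without '='."""
    current, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in keys:
                found[key.lower()] = value
    return found


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Compare two snapshots over the monitored locations only.
    Empty values count as absent, so run= going from '' to a path is an addition."""
    findings = []
    for location in sorted(set(baseline) | set(current)):
        severity = SEVERITY.get(location)
        if severity is None:
            continue                      # unmonitored location: ignore
        old_items = baseline.get(location, {})
        new_items = current.get(location, {})
        for name in sorted(set(old_items) | set(new_items)):
            old = old_items.get(name) or None
            new = new_items.get(name) or None
            if old == new:
                continue
            if old is None:
                change, action = "added", "block"
            elif new is None:
                change, action = "removed", "restore"
            else:
                change, action = "modified", "restore"
            findings.append(Finding(location, name, change, old, new, severity, action))
    return findings


# Constructed win.ini excerpt in which run= has been set to launch a program.
WIN_INI_SAMPLE = r"""; constructed sample
[windows]
load=
run=C:\Users\Public\updater.exe
[fonts]
"""


def demo() -> List[Finding]:
    """Constructed before/after snapshots: a Startup-folder item added and one
    removed, a modified Winlogon Userinit value, a win.ini run= entry, and one
    unmonitored location that must be ignored."""
    baseline: Snapshot = {
        "StartupFolder": {"OneDrive.lnk": r"C:\Program Files\OneDrive\OneDrive.exe"},
        WINLOGON_KEY: {"Shell": "explorer.exe",
                       "Userinit": r"C:\Windows\system32\userinit.exe,"},
        "win.ini:[windows]": {"load": "", "run": ""},
        "Unmonitored": {"x": "1"},
    }
    current: Snapshot = {
        "StartupFolder": {"update.lnk": r"C:\Users\Public\update.exe"},
        WINLOGON_KEY: {"Shell": "explorer.exe",
                       "Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\helper.exe"},
        "win.ini:[windows]": parse_ini_autostart(WIN_INI_SAMPLE, "windows"),
        "Unmonitored": {"x": "2"},
    }
    return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:8} {f.change:8} {f.action:7} {f.location} / {f.name}")
```

On a live host the snapshots would be populated from the registry and file system (on Windows, for instance, with the standard winreg module and a directory listing of the Startup folder); the diff and policy logic stay the same. Treating empty values as absent matters because run= and load= are present but empty in a stock win.ini, and a Userinit edit is reported as a modification rather than an addition because the value always exists.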
Intrusion protection and start-up environment management. In addition to protecting
all your systems from infiltration by potentially malicious code, ASI features
two powerful procedures for remote management of the start-up environment and
all system configuration items that could be targeted by intruders. These
procedures let you enable and disable system configuration items on one, some,
or all systems at one or all locations, making the necessary changes only once.
With these procedures you can also standardize critical system configuration
settings across all your locations.
Software update management. ASI software update management automates the installation of software updates on one, some, or all systems at one, some, or all locations. It provides centralized software update management, control, and status tracking, and automates tasks ranging from selective downloading and installation of updates to their removal, and from immediate installation of critical updates to update testing.
File download filtering. With this procedure you can tailor, on a system-by-system basis, the filtering of files downloaded via HTTP/HTTPS. Unlike the filtering performed by virus-scanning software, it filters out files whether or not they are known to carry a virus payload, which makes it a more effective intrusion protection tool.
E-mail attachment filtering. This procedure lets you tailor, on a system-by-system basis, the filtering out of e-mail attachments from any e-mail service, including both POP mail and Web-based mail. Unlike the filtering performed by virus-scanning software, it filters out attachments whether or not they are known to carry a virus payload, which makes it a more effective intrusion protection tool.
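The two filtering procedures above share one rule: decide by what an attachment or download is, not by whether a signature recognizes it. The following Python is an added illustration for the e-mail case, not ASI's code: it parses a message with the standard library, blocks executable and script attachment types by extension (including double extensions such as invoice.pdf.exe), and also rejects content that starts with the PE "MZ" marker whatever its name, then rebuilds the message with only the allowed attachments. The block list, the magic-byte table and the sample message are constructed for this example.

```python
"""Type- and content-based e-mail attachment filter. Added example, not ASI's
code: it applies the policy the text describes (filter by what the attachment
is, not by whether a signature knows it). The block list, the MZ check and the
sample message are constructed for this illustration."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Assumed policy: executable and script containers are never delivered.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "msi"}
# Content signatures checked regardless of the claimed file name.
MAGIC_TYPES = {b"MZ": "pe-executable"}


def classify_attachment(filename: Optional[str], data: bytes) -> Optional[str]:
    """Return None if the attachment may pass, else the reason it is filtered."""
    name = (filename or "").lower()
    # Every dotted component after the first counts, so "invoice.pdf.exe" is
    # blocked as .exe and "setup.exe.txt" is blocked rather than trusted.
    for ext in name.split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return f"blocked extension .{ext}"
    for magic, kind in MAGIC_TYPES.items():
        if data.startswith(magic):
            return f"content is {kind} despite name {name!r}"
    if not name:
        return "unnamed attachment"
    return None


def filter_message(raw: bytes) -> Tuple[List[Tuple[str, Optional[str]]], bytes]:
    """Parse a raw RFC 5322 message, decide per attachment, and return the
    decisions plus a rebuilt message carrying only the allowed attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    decisions, kept = [], []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        reason = classify_attachment(filename, part.get_payload(decode=True) or b"")
        decisions.append((filename, reason))
        if reason is None:
            kept.append(part)

    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            clean[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body else "")
    for part in kept:
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    return decisions, clean.as_bytes()


def attachment_names(raw: bytes) -> List[str]:
    """File names of the attachments in a raw message (used to inspect the result)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed message: a benign PDF, a double-extension executable, and an
    executable renamed to .txt (the case an extension-only filter misses)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Documents"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    verdicts, cleaned = filter_message(build_sample())
    for name, reason in verdicts:
        print(f"{name}: {'delivered' if reason is None else reason}")
    print("remaining attachments:", attachment_names(cleaned))
```

Extension-only filtering is defeated by renaming, which is why the content check is there; conversely, the MZ check covers only one container, so a production table would be broader (archives, Office macro formats), and archives need to be opened before their members can be classified.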
Network packet filtering. With this procedure you can centrally manage and control access to and from any IP port or address on one, some, or all systems at one, some, or all sites. ASI network packet filtering lets you configure port and address control on a per-adapter basis, making it a powerful intrusion protection tool for mobile systems.
Port probe detection. This procedure is enabled by default. It logs in real time any attempt by a local or external source to open a TCP connection that the local system rejects because no process is listening on that port. Each log entry records the port probed and the IP address that initiated the probe.
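A single rejected connection is noise; a source that touches many closed ports in a short time is the pattern worth raising. As an added example of turning those log entries into a finding (not ASI's code, and using a constructed line format because the page does not show ASI's), this Python groups rejected connections by source address, flags sources that hit at least a configurable number of distinct ports inside a sliding time window, and lets a sanctioned scanner be excluded so it does not dominate the report. Every address, timestamp and line in the sample is constructed.

```python
"""Triage of port-probe log entries. Added example, not ASI's code: the text says
each rejected TCP connection is logged with the probed port and the source
address but shows no log format, so the line format below (and every address
and timestamp in the sample) is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed line format:
#   "<date> <time> PROBE src=<ip> dst_port=<n> proto=TCP reason=no-listener"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) PROBE src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst_port=(?P<port>\d{1,5}) proto=TCP reason=no-listener$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return {'ts', 'src', 'port'} for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "port": int(m["port"])}


def find_sweeps(lines: Iterable[str], min_ports: int = 5,
                window: timedelta = timedelta(minutes=1),
                ignore_sources: Iterable[str] = ()) -> Tuple[Dict[str, List[int]], int]:
    """Group rejected connections by source address and flag a source as a port
    sweep when it touches at least `min_ports` distinct ports inside any `window`.
    Returns ({source: sorted ports of the widest qualifying window}, malformed_count).
    `ignore_sources` suppresses hosts expected to probe, such as a sanctioned
    vulnerability scanner."""
    ignored = set(ignore_sources)
    by_src: Dict[str, List[dict]] = defaultdict(list)
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            malformed += 1                      # count, never crash on odd lines
        elif event["src"] not in ignored:
            by_src[event["src"]].append(event)

    sweeps: Dict[str, List[int]] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])      # logs are not always time-ordered
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1                      # slide the window forward
            ports = {e["port"] for e in events[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(sweeps.get(src, [])):
                sweeps[src] = sorted(ports)
    return sweeps, malformed


# Constructed sample: one sweeping source, one repeat visitor that is not a sweep,
# one sanctioned scanner, and one unrelated line that must not break parsing.
SAMPLE_LOG = """\
2024-03-04 09:00:00 PROBE src=203.0.113.10 dst_port=21 proto=TCP reason=no-listener
2024-03-04 09:00:01 PROBE src=203.0.113.10 dst_port=22 proto=TCP reason=no-listener
2024-03-04 09:00:02 PROBE src=203.0.113.10 dst_port=23 proto=TCP reason=no-listener
2024-03-04 09:00:04 PROBE src=192.0.2.7 dst_port=445 proto=TCP reason=no-listener
2024-03-04 09:00:03 PROBE src=203.0.113.10 dst_port=25 proto=TCP reason=no-listener
2024-03-04 09:00:05 PROBE src=203.0.113.10 dst_port=80 proto=TCP reason=no-listener
2024-03-04 09:00:06 PROBE src=203.0.113.10 dst_port=135 proto=TCP reason=no-listener
2024-03-04 09:00:08 PROBE src=203.0.113.10 dst_port=139 proto=TCP reason=no-listener
2024-03-04 09:00:09 PROBE src=203.0.113.10 dst_port=445 proto=TCP reason=no-listener
2024-03-04 09:06:30 PROBE src=192.0.2.7 dst_port=445 proto=TCP reason=no-listener
2024-03-04 09:12:00 PROBE src=192.0.2.7 dst_port=3389 proto=TCP reason=no-listener
2024-03-04 09:15:00 PROBE src=198.51.100.3 dst_port=22 proto=TCP reason=no-listener
2024-03-04 09:15:01 PROBE src=198.51.100.3 dst_port=80 proto=TCP reason=no-listener
2024-03-04 09:15:02 PROBE src=198.51.100.3 dst_port=443 proto=TCP reason=no-listener
2024-03-04 09:15:03 PROBE src=198.51.100.3 dst_port=8080 proto=TCP reason=no-listener
2024-03-04 09:15:04 PROBE src=198.51.100.3 dst_port=8443 proto=TCP reason=no-listener
2024-03-04 09:16:00 service restarted (unrelated line)
"""

if __name__ == "__main__":
    found, bad = find_sweeps(SAMPLE_LOG.splitlines(), ignore_sources={"198.51.100.3"})
    for src, ports in found.items():
        print(f"sweep from {src}: {len(ports)} closed ports {ports}")
    print(f"{bad} line(s) did not match the expected format")
```

The threshold and window are tuning knobs: a host that serves many legitimate clients will see accidental hits on a few closed ports, so the distinct-port count, not the raw number of rejections, is what separates a sweep from background noise. Sorting per source before sliding the window is deliberate, since entries from several systems are often merged out of order.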
Registry, directory and file protection management. These procedures automatically monitor, and can prevent, attempts to change the contents of a system’s registry, directories, and files, making them a useful tool for alerting you to attempts to replace or modify sensitive files and folders and, if desired, blocking them.

ASI registry, directory and file protection management functions are highly configurable. You can select individual files and registry keys, and have the function only monitor and report changes, or also prevent them.

Because ASI registry, directory and file protection management procedures make copies of monitored items, they also serve as a simple recovery mechanism for critical system items.
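An added Python example, not ASI's code, of the monitor-and-recover idea described above: each protected file is hashed and copied into a store at baseline time, later checks report files that are modified or missing, and a restore puts the baselined content back from the stored copy. The files and the tampering in demo() are constructed inside a temporary directory so the block runs anywhere.

```python
"""Monitor a set of files for modification or deletion and restore them from
stored copies. Added example, not ASI's code: it illustrates the monitor /
prevent / recover idea the text describes using SHA-256 digests and a copy
store; the files and the tampering in demo() are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class ProtectedSet:
    """Baseline files, report drift, and put the baselined content back."""

    def __init__(self, store: Path):
        # Copies are named by digest, so identical content is stored once.
        self.store = store
        self.store.mkdir(parents=True, exist_ok=True)
        self.baseline: Dict[Path, Tuple[str, Path]] = {}

    def protect(self, path: Path) -> None:
        digest = sha256_of(path)
        copy = self.store / f"{digest}.bak"
        if not copy.exists():
            shutil.copy2(path, copy)
        self.baseline[path] = (digest, copy)

    def check(self) -> Dict[Path, str]:
        """Status per protected file: 'ok', 'modified' or 'missing'."""
        status = {}
        for path, (digest, _copy) in self.baseline.items():
            if not path.exists():
                status[path] = "missing"
            elif sha256_of(path) != digest:
                status[path] = "modified"
            else:
                status[path] = "ok"
        return status

    def restore(self) -> List[Path]:
        """Copy baselined content back over every modified or missing file."""
        restored = []
        for path, state in self.check().items():
            if state != "ok":
                shutil.copy2(self.baseline[path][1], path)
                restored.append(path)
        return restored


def demo():
    """Constructed scenario: three files, one edited, one deleted, one untouched.
    Returns (status before restore, names restored, status after, hosts content)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {name: root / name for name in ("hosts", "config.ini", "readme.txt")}
        files["hosts"].write_text("127.0.0.1 localhost\n")
        files["config.ini"].write_text("[app]\nmode=prod\n")
        files["readme.txt"].write_text("unchanged\n")

        guard = ProtectedSet(root / "_copies")
        for path in files.values():
            guard.protect(path)

        # Constructed tampering after the baseline: hosts edited, config deleted.
        files["hosts"].write_text("127.0.0.1 localhost\n203.0.113.9 update.example.com\n")
        files["config.ini"].unlink()

        before = {p.name: s for p, s in guard.check().items()}
        restored = sorted(p.name for p in guard.restore())
        after = {p.name: s for p, s in guard.check().items()}
        return before, restored, after, files["hosts"].read_text()


if __name__ == "__main__":
    before, restored, after, _ = demo()
    print("before:", before)
    print("restored:", restored)
    print("after:", after)
```

Place the copy store where the processes that could alter the monitored files cannot write; otherwise the recovery copies are exposed exactly as the originals are. A hash mismatch on a file that is expected to change (a legitimate update) needs an explicit re-baseline step, which this example leaves to the operator rather than guessing.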
Virus definition management. ASI virus definition management provides centralized management and real-time reporting of completion status and virus definition dates for all major anti-virus software solutions, including Symantec, McAfee, Computer Associates, and Trend Micro.

In addition to retrieving virus definition updates from the vendor or a central server, ASI virus definition management can also retrieve them from a neighboring system. This increases the probability that at any point in time a system has the latest virus definitions.
Virus scans. ASI supports all major anti-virus software solutions, including Symantec, McAfee, Computer Associates, and Trend Micro, offering simplified centralized management and automated completion reporting.