Vendors often tout "new technology" that's nothing more than vaporware or a rehash of existing products, but is this true of so-called "antiworm" technology, which promises new detection and prevention techniques to contain worms by weeding out bad traffic?
This technology is being hawked in a number of forms by Mirage Networks, ForeScout, Check Point Software Technologies, Silicon Defense and IBM.
The products vary, but Pete Lindstrom, research director at Spire Security, said antiworm technology is a specialized form of intrusion detection system that, for example, looks for unfulfilled Address Resolution Protocol requests. Some products are based on anomaly detection, while others automatically isolate compromised hosts. Still others redirect worm traffic to a quarantined area to buy time to isolate the worm and keep systems available, Lindstrom said.
Roger Thompson, vice president of product development at PestPatrol Inc., a Carlisle, Pa.-based developer of security tools, said it's difficult to tell at this point if this could be a valuable tool in the security arsenal because it's not widely used and may, in the end, only offer an additional layer of security.
"Genuine worms are certainly the emerging threat," said Thompson. "The biggest problem with a general purpose solution is that all worms are different."
However, virus throttling, yet another type of technology announced by Hewlett-Packard at the RSA Conference in February, will limit the number of Internet connections an infected computer can have. Ostensibly, this will limit the speed at which a worm can spread. HP's Active Countermeasures service will "inoculate" networks by running a periodic vulnerability analysis based on the latest advisories from CERT and other security organizations, then scan the network for vulnerable machines vulnerable and automatically deploys policy-driven mitigation techniques.
"Are these antiworm solutions 'the real deal?'" Lindstrom asked in his Information Security magazine column Directions. "Like any layer in a defense-in-depth scheme, they could certainly help. Ideally in the future, it will either be integrated with other IDS solutions or directly into the network fabric (hubs/switches/routers)."
Lindstrom added that security managers can justify the expense of the technology simply by comparing it to cleanup costs associated with the Blaster worm or any other major malicious code outbreak.