by Ian Harac, PCWorld
Capsa Network Analyzer Professional Edition (various pricing; free, feature-limited, 15-day demo) is a powerful tool for network monitoring. It is not a tool for home users, unless they’re very unusual; this is a program aimed at those whose job includes knowing what’s going on with their network at an extremely technical level. It’s a good fit for a small or medium-sized business. Often, getting the kind of information this program delivers requires Perl scripts and deep command-line voodoo; Capsa displays and sorts it all in a surprisingly intuitive way. What it doesn’t do, of course, is provide the training needed to interpret the data. If DNS, SMTP, and IPv6 sound more like bad Scrabble draws than technical terms, Capsa probably isn’t a tool you will find useful.

Capsa Network Analyzer allows a very fine degree of detail in network management and troubleshooting
Assuming you do understand all the jargon, though, Capsa Network Analyzer can reveal an incredible amount about what’s happening on your network. You do need to be conversant with your network’s topology to deploy it correctly, but fortunately, there is a guide showing common configurations. Once installed, Capsa tracks the constant flow of information in and out of the network, displaying the data in a variety of views. Capsa’s interface follows all of the Windows guidelines, but it still takes a bit of fiddling to understand how the various selection options work. Basically, you drill through and filter data using two controls: the tree view on the right and the tabs arranged along the top, and what you see is the intersection of those choices. In addition, you can view or hide specific columns, and of course sort the data.
Perhaps most important, you can set up filters on the analyzer to limit what data is recorded–for example, you may wish to track only e-mail for a specific user, or all HTTP requests to a given URL. This might be done in order to simplify locating a specific problem with the network–one user who does not get their e-mail, or one site which consistently times out, or a problem which you suspect is related to malware on your system.
Capsa Network Analyzer is extremely useful if you know what to look for. If you don’t, it is likely you will be lost in a maze of twisty little protocol reports, all alike. Anyone with a general interest in the real guts of what happens between when you type the URL and when the page shows up might find Capsa interesting, but the pricing marks it as purely a professional tool.
Note: The 15-day trial version does not permit saving any reports, or even configurations, and is limited to an hour of active runtime at a time.
Contributed article by Shawn Cooney, Co-Founder and Director of Research, Certeon

What the 2010 Cloud Means for WAN Optimization
Virtualization saw enormous gains in 2009. With clear TCO benefits from saved acquisition, operations, and maintenance/support costs, the market embraced going virtual from the desktop to the application level. This meant a never-before-seen increase in traffic over wide area network (WAN) links—which will have significant implications for application performance and enterprise productivity in 2010.
Over the next year, the amount of virtualization and subsequent strain on the WAN will continue to grow with a major shift toward cloud computing. While much has been said about cloud computing, a lot of confusion still remains—about what constitutes the term itself, and where elements like virtualization and WAN Optimization will fit in. We believe that 2010 will be the realization of the Year of the Cloud, where a firm definition of the idea will take hold and be implemented among businesses everywhere. In turn, we’ll see a larger understanding among IT and business managers that WAN optimization technology is a fundamental component for the successful delivery of cloud services.
The significant need for the right WAN optimization technology will become abundantly clear as business managers centralize more and more services in the cloud. Resources that were formerly stored locally will now be accessed exclusively via the Internet or WAN; yet expectations for application performance will stay the same or even rise. With this, enterprises will need to embrace the cost and scalability benefits of cloud computing while simultaneously continuing to meet employee standards for access and application performance. While resources might be physically farther away than ever, users will expect their applications to work quickly and flawlessly, regardless of location.
Further complicating the puzzle is that the users themselves will be accessing documents and files from increasingly disparate settings. IT managers will need to provide successful remote access to centralized corporate services as telecommuting becomes progressively more popular.
All of this means that Internet and WAN acceleration will take on new levels of importance to protect against lost productivity and employee frustration. Because cloud services’ infrastructure relies on virtualization for its implementation, the most successful WAN optimization solution will also utilize virtualization technologies in order to deliver the following elements:
• Deployment flexibility and consistent performance. A fully virtualized application acceleration appliance will boost deployment flexibility due to the lack of new hardware requirements, because the software approach to WAN optimization instead effectively uses existing server hardware.
• Savings and scalability. This approach ensures that there is no need for dedicated hardware to support WAN optimization, saving on CAPEX and OPEX. Cost savings will also be realized through virtual scalability. As enterprises add more services or applications to be accessed by additional remote workers via the cloud, the virtualized WAN optimization model will be able to scale linearly.
• Seamless integration with virtualization. All delivery and deployment of centralized services happen through the cloud, and the cloud is virtualized. In order to leverage the cost and management benefits of a virtualized cloud computing environment, WAN optimization technologies work most effectively within standard virtualization infrastructures, as opposed to working outside of virtualization as a stand-alone WAN optimization appliance.
The bottom line is that the future of cloud computing and the efficiency of WAN optimization/application acceleration technologies are irreversibly linked. Increased WAN optimization, application performance, and scalability will be the true cornerstones of enabling virtualization and cloud computing environments in 2010.
Remarkably good solutions from Bit9, CoreTrace, Lumension, McAfee, and SignaCert show that whitelisting may be the new best defense against modern malware
By Roger A. Grimes, InfoWorld, 11/04/2009
Whitelisting security has always taken a backseat to blacklisting approaches. After all, when there is far more good software running on computers and networks than bad software, it’s just easier to block the bad than to approve all the good. But that was then, and this is now.
In 2009, the computer security defense world quietly marked a momentous threshold that should have us all looking anew at the value of whitelisting. Last year, the number of unique malicious programs and variants that were created outstripped all the legitimate software published in the world, straining the accuracy of anti-virus solutions like never before. It’s a disturbing fact that suggests whitelisting is now more suitable as a primary security defense than traditional anti-virus scanners, which are really nothing more than blacklisting programs.
Now for some good news: Just as whitelisting may be finding a receptive audience, a number of whitelisting solutions are proving to be mature, capable, and manageable enough to provide significant protection while still giving trustworthy users room to breathe. Nor are today’s whitelisting programs limited to locking down desktops to prevent malware executions — they’re also useful for software configuration and licensing compliance and regulatory auditing.
With these benefits in mind, InfoWorld tested six enterprise-grade whitelisting programs, otherwise known as application control programs. The reviewed products include Bit9 Parity, CoreTrace Bouncer, Lumension Application Control (formerly SecureWave Sanctuary), McAfee Application Control (formerly Solidcore S3 Control), and SignaCert Enterprise Trust Services. We also tested Microsoft AppLocker, the application whitelisting feature built into Windows 7 and Windows Server 2008 R2. In all cases, testing was done using the product’s Windows clients, though one or two of the products also support Linux or Solaris or Mac OS X.
In a rare occurrence for a product comparison of this scope, all the products came out pretty well. The overall conclusion is that any of the reviewed products would help you reduce real and measurable security risk. A few are borderline excellent (scoring in the high 8s on InfoWorld’s 10-point scale), and one, Bit9’s Parity, is not only the clear frontrunner (with a score of 9.4) but a likely candidate for InfoWorld’s Technology of the Year Award. Oh, to have such choices.
New world order
In today’s world, where most successful malware exploitations involve Trojan horse programs that the user was tricked into installing, whitelisting programs make more sense than ever. Whitelisting programs typically uniquely identify files using one or more cryptographic hashes (such as MD5, SHA-1, and so on) but can include any identifying file attribute they can query. It is common for the file name, path, publisher, size, and digital signature (if available) to be collected and reported.
Some products cover only executable files, which differ across products. Others can snapshot and block a wider range of files, including scripts and macro modules, and even write-protect any text or configuration file. The latter is useful for noting unauthorized modifications, such as the changes that many malware programs make to the DNS Hosts file. While most whitelisting products can block scripts, some do so only by blocking the main script interpreter (Perl.exe or VBScript.dll, for example), essentially enacting an all-or-none policy, while others can block specific scripts. If you need to allow or deny specific scripts, make sure to tease out your vendor’s coverage. As noted in the individual reviews, many vendors can block specific VBScript or JavaScript scripts, but can stop other types of scripts only by blocking the interpreter.
Most whitelisting products also let you allow or deny programs based upon trusted users, trusted paths, and trusted publishers (in other words, digital certificates). A few even include millions to billions of predefined file hashes that they download directly from the vendor who made them. For example, three of the programs reviewed (Bit9 Parity, Lumension Application Control, and SignaCert Enterprise Trust Services) download every file hash directly from Microsoft, so administrators don’t have to busy themselves with defining all the files they know are legitimate.
Users marked as trusted can normally install or run any program they like, within the bounds of their security privileges. All the reviewed products linked to Active Directory, and at least one can link to Novell’s eDirectory services.
All the whitelisting products in this review allow you to use existing computers as baseline models. You simply scan the system to generate your own internal whitelist. Some of the vendors, as mentioned above, come with “gold standard” whitelists from the various software vendors. A few others add templates that set acceptable baselines as defined in a regulatory standard such as PCI or Sarbanes-Oxley. You can then run reports against the baselines to determine which computers are drifting from the defined baselines and what files are causing the drift. This can be done on individual machines or reported as a metric summarizing the entire environment. I love this sort of feature because it marries real security and regulatory requirements and allows you to report measured improvements to management over time.
A welcome improvement from whitelisting products over the last decade has been the ability to automatically whitelist updated files. In the past, every single updated file had to be manually approved because the updated file contained a different hash than its predecessor. This was an administrative nightmare, especially considering that today’s regular updates for small programs can contain 80 or more files and major service packs can involve hundreds of files and multiple reboots.
Trust and protect
Today, the best whitelisting products (including most in this review) allow administrators to define trusted updaters. For example, an administrator can add SMS, SCOM, WSUS, PatchLink, or Shavlik as a trusted updater, and anything they install will be automatically approved. This is a huge improvement.
Most whitelisting programs can be configured in either audit or enforcement mode. SignaCert is the only exception in this review; it has no built-in enforcement mode, but can monitor any file type. In audit mode, the whitelisting program only monitors and reports file executions. Enforcement mode blocks all monitored file types from executing or running, barring any specific exceptions. Most vendors recommend living with audit mode for a set period of time and running reports to find out what would have been denied had enforcement been enabled.
Once enforcement mode is enabled, any execution not explicitly allowed will be blocked. It goes without saying that desktop lockdowns aren’t warmly welcomed by most end users. You’re taking away their freedom. If you use any of these products in enforcement mode, make sure you’ve spent the necessary time to define the right policies to stop malware and unauthorized programs from executing while at the same time allowing end users to do their jobs. Expect an increase in the number of help desk calls. As users begin to understand that certain applications are not allowed, the help desk calls will decrease.
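The mechanics the review describes above (files identified by hash, trusted publishers, paths and updaters, audit versus enforcement mode) together with the baseline drift reports mentioned earlier, as an added Python example that is not code from any of the reviewed products. Every file record, hash and path in it is constructed sample data, and the updater process name `wsus-agent.exe` is an assumed placeholder.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One execution or file-write event reported by a monitored host (constructed)."""
    path: str
    sha256: str
    publisher: Optional[str] = None       # subject of a valid code-signing certificate, if any
    parent_process: Optional[str] = None  # process that wrote the file, if known


@dataclass
class Policy:
    mode: str = "audit"  # "audit" only reports; "enforce" denies anything not allowed
    approved_hashes: Set[str] = field(default_factory=set)
    trusted_publishers: Set[str] = field(default_factory=set)
    trusted_paths: Tuple[str, ...] = ()
    trusted_updaters: Set[str] = field(default_factory=set)


def sha256_of(data: bytes) -> str:
    """Identify a file by content hash, as the reviewed products do."""
    return hashlib.sha256(data).hexdigest()


def evaluate(policy: Policy, event: FileEvent) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'audit'.
    Rules run in order: explicit hash, trusted publisher, trusted path, trusted
    updater. A file dropped by a trusted updater is added to the approved set so
    later copies of it match on hash alone."""
    if event.sha256 in policy.approved_hashes:
        return "allow", "hash is on the whitelist"
    if event.publisher and event.publisher in policy.trusted_publishers:
        return "allow", "signed by trusted publisher " + event.publisher
    if any(event.path.lower().startswith(p.lower()) for p in policy.trusted_paths):
        return "allow", "located under a trusted path"
    if event.parent_process and event.parent_process in policy.trusted_updaters:
        policy.approved_hashes.add(event.sha256)
        return "allow", "installed by trusted updater " + event.parent_process
    if policy.mode == "enforce":
        return "deny", "not explicitly allowed"
    return "audit", "would have been denied in enforcement mode"


def drift_report(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a host's path->hash scan against the gold baseline image."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def sample_policy(mode: str) -> Policy:
    """Constructed policy; 'wsus-agent.exe' is an assumed updater process name."""
    return Policy(
        mode=mode,
        approved_hashes={sha256_of(b"approved-line-of-business-app")},
        trusted_publishers={"Contoso Ltd"},
        trusted_paths=("C:\\Program Files\\Approved\\",),
        trusted_updaters={"wsus-agent.exe"},
    )


# Constructed events: one matching each rule, plus an unapproved download.
SAMPLE_EVENTS = [
    FileEvent("C:\\Apps\\lob.exe", sha256_of(b"approved-line-of-business-app")),
    FileEvent("C:\\Apps\\tool.exe", sha256_of(b"vendor-tool"), publisher="Contoso Ltd"),
    FileEvent("C:\\Program Files\\Approved\\helper.exe", sha256_of(b"helper")),
    FileEvent("C:\\Windows\\Temp\\kb-update.exe", sha256_of(b"patch"), parent_process="wsus-agent.exe"),
    FileEvent("C:\\Users\\bob\\Downloads\\golf.exe", sha256_of(b"unknown-download")),
]


def run_demo(mode: str) -> Dict[str, str]:
    """Evaluate every sample event under the given mode; returns path -> verdict."""
    policy = sample_policy(mode)
    return {e.path: evaluate(policy, e)[0] for e in SAMPLE_EVENTS}


# Constructed baseline scan versus a later scan where the hosts file was edited
# and an unexpected binary appeared, the two kinds of drift the reports flag.
HOSTS = "C:\\Windows\\System32\\drivers\\etc\\hosts"
BASELINE_SCAN = {HOSTS: sha256_of(b"127.0.0.1 localhost\n"),
                 "C:\\Apps\\lob.exe": sha256_of(b"approved-line-of-business-app")}
CURRENT_SCAN = {HOSTS: sha256_of(b"127.0.0.1 localhost\n203.0.113.7 update.example\n"),
                "C:\\Apps\\lob.exe": sha256_of(b"approved-line-of-business-app"),
                "C:\\Users\\bob\\Downloads\\golf.exe": sha256_of(b"unknown-download")}

if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        print(mode, run_demo(mode))
    print("drift", drift_report(BASELINE_SCAN, CURRENT_SCAN))
```

Running the audit pass first and reviewing its "audit" verdicts is the rehearsal the review recommends before flipping the policy to enforcement.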
Most whitelisting programs are smart enough to identify file types based upon file header and don’t rely on file extensions alone. All the products reviewed allow administrators to find any specific file, by name or hash, anywhere it exists on any of the monitored systems. Some products even allow hashes to be populated before the file even exists in the environment, looking ahead to block a specific hacker tool or malware program. Of course, because blocking often uses file names or hashes, identifying polymorphic malware programs can be a challenge. That’s why it’s already better, from a pure security standpoint, to block by default all that is not specifically allowed.
It’s important to understand that whitelisting programs cannot stop every program or malware from executing. First, it’s not uncommon for malware to use legitimate software to do its dirty business. For example, the MS Blaster worm used Windows’ built-in Trivial File Transfer Program (tftp.exe) to copy itself from computer to computer. Macro viruses would be allowed to run inside of other approved programs just fine. Second, whitelisting programs often have difficulty blocking programs that run inside of virtual environments such as Java or .Net, although all of the products in this review claim to handle the individual hosted applications correctly.
Most whitelisting programs cannot stop buffer overflow malware programs, concentrating more on denying the payload executable that almost always results. Nevertheless, both CoreTrace and McAfee did an excellent job of blocking buffer overflows in my testing. CoreTrace Bouncer even stopped a buffer overflow program that was started before the whitelisting program was enabled.
Layer 8 considerations
Administrators trying to implement a whitelisting program across a large organization should make sure to have senior management’s buy-in. Once you start taking away users’ “freedom,” the complaints will start coming. I’ve yet to see an administrator turn on enforcement mode, even after weeks of application inventorying, without some mission-critical application that escaped detection being temporarily interrupted. IT shops using application control must be immediately responsive to customer needs and requests.
One of the biggest unexpected side effects of using a whitelisting program in enforcement mode is lower support costs. Companies that are able to lock down desktops have significantly fewer troubleshooting events and rebuilds. Although some users will complain about their inability to install anything they like, the lockdown also means that users won’t install nearly as much malware, and that, along with the savings in support costs, usually translates well to senior management.
Most companies will want to define emergency and ad hoc approval processes so that requested software can be whitelisted and allowed to run as quickly as possible. No one wants to tell the CEO that he has to wait a week for his new golf game or stock trading program to get approved. Some environments enable enforcement mode only on problematic users with a history of abuse, while running auditing mode for everyone else. Every company should create baselines from images and programs their users are supposed to be running, and use the whitelisting solution’s reporting feature to track deviations and drift.
This review ranks the whitelisting programs based upon overall functionality, including the file types and operating systems they cover, accuracy and effectiveness against policy violations, administration (how hard was it to configure and manage), reporting (including alerting), and overall value. As noted above, all of the reviewed products performed well. There are many good choices here, and the real challenge is in picking a product that has the best feature set for your environment. One product, Bit9’s Parity, rose to the top and should be included in anyone’s consideration list.
VP has a ‘really hard time understanding’ Google’s 20 million usership figure
By Eric Lai, Computerworld
Microsoft Corp. is slashing the price of its Business Productivity Online Suite (BPOS) by a third as it debuts the service in 15 new countries.
A Microsoft executive also touted BPOS’ momentum, while questioning figures trumpeted by Google for its rival Google Apps suite.
BPOS, which includes Web-hosted versions of Microsoft’s Exchange e-mail, SharePoint collaboration, and other Office communication-related apps, now costs $10 per user per month, down from $15 per user per month. Microsoft also expanded the hosted storage limit to 25 GB per user, from the prior 10 GB.
One year after its official launch, BPOS is being used by 1 million paid customers, Microsoft announced on Monday.
Chris Capossela, senior vice-president of the information worker product management group at Microsoft, told Computerworld on Monday that 70% of those users “are coming from IBM Lotus Notes or Novell GroupWise.”
“That is a wonderful figure, because it means we are getting new business, not just migrating existing business to the cloud,” he said.
Google has also been bragging about its success at winning new business. It said last month that it now had 20 million active users for its Google Apps at 2 million companies.
Reuters reported that number includes millions of college students using a free version of Google Apps, which lists for $50 a year (about $4 per month) per user.
Capossela said Microsoft also has millions of users for its free Live@Edu service, but said the company doesn’t include them in its BPOS subscriber totals.
“I have a really hard time understanding their [Google's] numbers,” he said. “You simply don’t know what their paying user numbers are. Analysts predict that they are pretty small. It’s hard for us to really know.”
Asked what he thought of Google’s high-profile win of the City of Los Angeles for a 5-year, $7.25 million deal to use Google Apps, he said, “I feel like we are winning lots and lots of deals. We can’t spend too much time worrying about what they [Google] are doing. I feel good about how much progress we’ve made in a short period of time.”
To securely serve LA’s 30,000 employees, Google is building a special version of its Google Apps service to be called GovCloud. It will offer extra security and be hosted on separate Google servers so that the city’s data is not co-mingled with data from other companies. GovCloud will also be certified under the Federal Information Security Management Act (FISMA).
Capossela said that Microsoft already had allowed larger customers (those with 5,000 employees or more) to have their data stored on separate servers through the BPOS Dedicated service.
Microsoft is seeking the ISO 27001 security certification for its data centers. It has “nothing to announce yet” regarding FISMA credentialing, Capossela said.
Reassuring customers worried by the T-Mobile Sidekick data outage that occurred on Microsoft’s data centers, Capossela said Microsoft is “taking this very seriously and trying to learn from it.”
He also said recent executive departures in Microsoft’s online services group, including chief Debra Chrapaty, are not a big deal.
“A couple of people internally have taken over her duties. We have a fantastically deep talent bench,” he said.
Microsoft is officially starting this week to offer service in Singapore, while starting to trial service in Brazil, Chile, Colombia, Czech Republic, Greece, Hong Kong, Hungary, Israel, Malaysia, Mexico, Puerto Rico, Poland, Romania and Taiwan. It also plans to offer the service commercially to India by the year’s end.
Besides cutting the price of the BPOS suite, Microsoft is cutting the price for most individual components. Exchange Online was reduced from $10 to $5 per user per month; SharePoint Online from $7.25 to $5.25 per user per month; Office Communications Online from $2.50 to $2 per user per month; Deskless Worker Suite from $3 to $2 per user per month; and Office Live Meeting will cost the same, $4.50 per user per month.
Microsoft has released its semi-annual Security Intelligence Report. It contains a lot of useful information and metrics
By Tony Bradley, PC World
Microsoft has released the latest version of the semi-annual Security Intelligence Report (SIR). Microsoft gathers data from millions of Windows computers and high-traffic Internet sites to compile a detailed analysis of the current threat landscape and highlight attack trends. The Microsoft SIR contains some valuable insight, particularly given the recent release of Windows 7.
Looking at the highlights of the Security Intelligence Report, a lot of the information is interesting and may help you win a game of Trivial Pursuit for geeks, but doesn’t provide much beyond the trivia factor for most people. For example, knowing which countries were targeted most by worms or Trojans doesn’t really help you much unless you’re planning on traveling to one of those countries and may want to increase your security controls accordingly.
Other statistics provide more useful information. The fact that 71.2 percent of the attacks against Microsoft Office targeted a single vulnerability for which a patch had existed for three years strongly supports implementing patch management policies that assess and implement updates in a timely manner.
The most actionable information in this Security Intelligence Report, though, is related to which operating systems are compromised the most. Comparing the most up-to-date versions of Windows XP and Windows Vista, Windows XP SP3 was compromised 61.75 percent more often than Windows Vista SP1 (75 percent more if you compare Windows XP SP3 with the 64-bit version of Windows Vista SP1).
These results don’t yet include metrics from Windows 7, but because Windows 7 has the security of Windows Vista and then some it seems safe to assume that Windows 7 will fare at least well, if not better, compared with Windows XP.
It may seem like perhaps Windows XP is compromised more because it has a higher market share–similar to why Windows in general is targeted more often than Linux or Mac OS X. But the Security Intelligence Report measures the rate of compromise relative to the number of systems, so the stat is an apples-to-apples comparison, assuming a similar number of systems.
By most accounts the release of Windows 7 is going well thus far and it seems like Microsoft may have succeeded in overcoming the ghost of Windows Vista past. There are still those diehard Windows XP users that aren’t yet willing to forgive or forget and are reluctant to make the switch until Windows 7 has been around and proven itself. They are comfortable with Windows XP and they say ‘if it isn’t broke, why fix it?’
Well, what the Security Intelligence Report reveals is that Windows XP is, in fact, broken. Users may be comfortable with the tried and true operating system, but it lacks the security features of Windows Vista and Windows 7, and it has been around long enough that attackers and malware developers are pretty comfortable with it as well.
If you are sitting on the sidelines trying to decide whether or not it’s time to let Windows XP go and move on to Windows 7, the information in this Security Intelligence Report should be the push you need to convince you. To protect your PC, and protect the rest of us on the Internet from your compromised PC, go ahead and switch to Windows 7.
According to Williams, the link between PC infection rates — the percentage of computers that have been cleaned by the updated monthly Malicious Software Removal Tool, or MSRT — and piracy is due to the hesitancy of users in countries where counterfeit copies abound to use Windows Update, the service that pushes patches to PCs.
China’s piracy rate is more than four times that of the U.S., according to Microsoft’s report, published today, but the use of Windows Update in China is significantly below that in the U.S.
Brazil and France also have a higher piracy rate, and lower Windows Update usage, than the U.S., Microsoft maintained.
But the company’s own data doesn’t always support Williams’ contention that piracy, and the hesitancy to use Windows Update, leads to more infected PCs. China, for example, boasted a malware infection rate — as defined by the number of computers cleaned for each 1,000 executions of the MSRT — of just 6.7, significantly lower than the global average of 8.7 or the U.S.’s rate of 8.2 per thousand.
France’s infection rate of 7.9 in the first half of 2009 was also under the worldwide average.
Of the three countries Microsoft called out as examples of nations whose users are reluctant to run Windows Update because of high piracy rates, only Brazil fit Williams’ argument: Brazil’s infection rate was 25.4, nearly three times the global average.
Other countries with higher-than-average infection rates, however, also have high piracy rates, according to data published last May by the Business Software Alliance (BSA), an industry-backed anti-piracy organization, and research firm IDC. Microsoft is a member of the BSA.
By Microsoft’s tally, Serbia and Montenegro had the highest infection rate in the world, with 97.2 PCs out of every 1,000, nearly 10%, plagued by malware. Turkey was No. 2, with 32.3, while Brazil, Spain and South Korea were third through fifth, with infection rates of 25.4, 21.6 and 21.3, respectively.
The BSA put Serbia’s piracy rate, the percentage of the in-use software that’s not licensed, at 74% in 2008, while Turkey, Brazil, Spain and Korea had estimated piracy rates of 64%, 58%, 42% and 43%, respectively. By comparison, the U.S.’s piracy rate was pegged at 20%, and the worldwide average at 41%.
Although Microsoft wants users to patch vulnerabilities with Windows Update, people running counterfeit copies of Windows have traditionally been less-than-eager to apply fixes, believing that Windows Update will recognize their software as illegal and mark it as such with nagging on-screen messages.