Centrally Managed Host Intrusion Prevention Platform
Deep Security provides host-based intrusion detection and prevention capabilities and is targeted at both physical and virtual machines (supported virtualization platforms include VMware ESX, Citrix XenServer, Hyper-V, and Solaris partitions).
Architecturally, the product consists of both a software agent (Deep Security Agent) that is deployed to the machines to be protected, and a central management tool (Deep Security Manager) that provides functions such as the creation and deployment of security profiles to the agents, receipt and management of agent alerts, distribution of security updates to agents, and report generation. Communication between the agents and the server can be configured to be initiated either from the agent or from the server.
Onto this platform the vendor loads combinations of protective modules (per the customer's choice) providing security measures for the servers themselves. Currently among these modules are the Deep Packet Inspection module, the Firewall module, the Integrity Monitoring module, and the Log Inspection module.
The Deep Packet Inspection module includes the ability to scan traffic for the existence of malicious activity and protect vulnerable machines until such time as they can receive patches against those vulnerabilities. The vendor notes that the product is able to scan for known exploits and attacks against known vulnerabilities, as well as detect malicious code via "unusual protocol data." Web Application Protection and Application Control features of the Deep Packet Inspection module (these features are included with the module itself) add the ability to defend against such Web attacks as SQL injections and cross-site scripting, as well as control which applications are allowed to access the network.
The Firewall module offers bi-directional protective capabilities and itself includes templates tuned for specific types of servers. Features listed by the vendor include virtual machine zoning, filtering by IP/MAC address or port, support for all frame types, DoS prevention, network-interface-specific policies, and detection of reconnaissance scans.
The Integrity Monitoring module is new in the latest product release, and provides the ability to automatically watch for changes to key applications, files, or registry keys with support for on-demand or scheduled scans.
Finally, the Log Inspection module (also new to the latest release) provides rule-based log analysis for the detection of suspicious or malicious behavior as noted in system log files. Rules can be created using OSSEC syntax and detected anomalies can be forwarded to SIEM platforms or a centralized logging server. The Log Inspection module is built using the multiplatform log monitoring capabilities of the OSSEC open source host intrusion detection project.
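Rule-based log inspection of the kind described above matches each log line against a rule list and, for some rules, only raises an alert once the same source has tripped a rule several times. The following added example is not OSSEC's or Deep Security's code and does not parse OSSEC's XML rule syntax; it implements the same idea in plain Python with a constructed rule set (rule ids, levels and regexes are assumptions) over constructed syslog-style lines, and returns the alerts as dictionaries that could be serialized and forwarded to a SIEM.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Mar 10 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 10:01:04 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar 10 10:01:06 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 10:01:09 web01 sshd[2212]: Accepted publickey for deploy from 203.0.113.5 port 40012 ssh2
Mar 10 10:02:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 10 10:02:30 web01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""


@dataclass
class Rule:
    rule_id: int
    level: int                      # severity, higher is worse
    description: str
    regex: str                      # named groups become alert fields
    frequency: int = 1              # fire only after this many matches...
    group_by: Optional[str] = None  # ...sharing the same value of this group


# Constructed rules; ids and levels are assumptions, not OSSEC's shipped rule set.
RULES = [
    Rule(5716, 5, "SSH authentication failure",
         r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)"),
    Rule(5720, 10, "Multiple SSH authentication failures from the same source",
         r"sshd\[\d+\]: Failed password for .* from (?P<srcip>\S+)", frequency=3, group_by="srcip"),
    Rule(5402, 3, "Command run as root via sudo",
         r"sudo:\s+(?P<user>\S+) :.*USER=root"),
]

FORWARD_LEVEL = 5  # alerts at or above this level are sent on to the SIEM


def inspect(log_text, rules=RULES):
    """Apply every rule to every line; composite rules fire when their counter reaches frequency."""
    counters = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        for rule in rules:
            m = re.search(rule.regex, line)
            if not m:
                continue
            if rule.frequency > 1:
                key = (rule.rule_id, m.group(rule.group_by))
                counters[key] += 1
                if counters[key] < rule.frequency:
                    continue
                counters[key] = 0  # reset so the next burst is reported again
            alerts.append({
                "rule_id": rule.rule_id,
                "level": rule.level,
                "description": rule.description,
                "fields": m.groupdict(),
                "log": line,
            })
    return alerts


def forwardable(alerts, min_level=FORWARD_LEVEL):
    """Select the alerts worth shipping to a SIEM or central log server, as JSON lines."""
    return [json.dumps(a, sort_keys=True) for a in alerts if a["level"] >= min_level]


if __name__ == "__main__":
    for rec in forwardable(inspect(SAMPLE_LOG)):
        print(rec)
```

On the sample above the three failed logins each raise the per-line rule, the third one additionally raises the composite "multiple failures" rule for `198.51.100.7`, and the sudo line raises a low-level informational alert that stays local because it is below the forwarding threshold. A production rule engine would also scope the counter to a time window and drop stale counters, which this example omits.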
In addition to the Integrity Monitoring and Log Inspection modules, other new features in the latest release of Deep Security include integration with VMware vCenter, and support for the purchase of individual modules in a mix-n-match fashion with central management via the aforementioned Deep Security Manager.
Deep Security is available now, with pricing ranging from $150/server (one module) to $600/server (all modules) for 500 servers.
Visit the Third Brigade Web site for further information.