Beta Man

Working Together

Forefront Stirling's integrated components give it an edge over single-purpose products.

• By Peter Varhol
• 07/01/2008

The compelling part of Forefront Stirling is not the individual tools or even the family of tools in the aggregate. Rather, it's the way they work together to identify threats, notify administrators about the nature of those threats and then remediate them. Best-of-breed tools from different vendors, or even separate tools from the same vendor, don't tend to use data collected by the other tools in their work.

Working with Stirling
I set up a small subnet on my main network, where I installed the threat gateway and SharePoint component onto separate systems. I also installed a copy of the administrator console on a client on the subnet. The separate subnet was so I could introduce malware, thoughtfully provided by an anti-malware company on CD, onto the network. To be on the safe side, I worked from the inside out, and used a worm that opened ports on the SharePoint system to the outside world.

Within minutes, the Threat Management Gateway notified the administrator console of a potential problem. I could zero in on the console to see just what was happening. It noted that there were ports opening on the SharePoint system directly to the Internet. Behind the scenes, the Threat Management Gateway also contacted the SharePoint component, raising the issue. In fact, the SharePoint component may already have known, but the communication from the Threat Management Gateway in effect made it clear that the problem was having an impact on the network and beyond.

Once Forefront made that connection, the SharePoint component removed its host system from the network. In this case, it was also able to close the offending ports and cleanse the system of the worm. Even if it can't do that, you've isolated the machine from doing any more damage. If you have to clean it yourself, you're still ahead of the game.

That's a powerful argument for an IT investment in Forefront Stirling across the enterprise. Individual Forefront components have little that more mature competitors don't have, yet the ability to leap ahead of other offerings through the integration of all of the components is unique. To my knowledge, while there are solutions that span the enterprise, no one has this level of integration among individual parts of the solution.

I didn't encounter any difficulties in installing and configuring the Forefront server and client components, or the admin console. However, my Forefront installs were on fresh systems. I can't vouch for the same experience with servers that have been working for months or even years.

What You Need
The server components require Windows Server 2003 Standard Edition with SP2, either x64 and x86 editions, the .NET 3.0 Framework and PowerShell, with other common components. Other than the Vista requirement for the standalone console, there's nothing out of place in these configurations. Most enterprises should be technically able to incorporate Forefront Stirling as soon as it's released.

The big question is whether enterprises that have already made significant investments in other, less comprehensive tools will be willing to rip them out to install the Microsoft solution. Despite the obvious benefits, IT tends to move slowly, and removing existing software that works well to install something better is pretty far down the priority list. Still, IT needs to look carefully at how Forefront Stirling can make its life easier, and in some cases swallow the cost and make the move.