Internet Security Systems is readying technology it says could benefit companies fed up with current patch management techniques.
ISS would enable its vulnerability-assessment scanner to gang up with its network- and host-based intrusion-detection systems (IDS) to stop newly discovered attacks or worms that could damage unprotected servers or desktops on corporate networks.
ISS CTO Chris Klaus calls the idea "virtual patching" because it could eliminate the need to immediately apply server or desktop software patches, which often are required to combat new attacks that exploit software holes. Instead of having to rush to patch the application or operating system software to stop a fast-moving worm from taking over vulnerable systems, ISS would be able to have its IDS ready to take certain steps to stop specific attacks aimed at the target machine.
"Patching is unattainable. There's no Fortune 1000 company doing it across all its systems," says Klaus, who points out that sometimes vendors stop supplying patches for their legacy products. "For instance, Microsoft is no longer supporting patching for Windows NT."
Next month, ISS will add the virtual patching capability to its vulnerability-assessment tool, Internet Scanner 7.0, which runs on Windows 2000.
Updated with new attack information as it becomes known, Internet Scanner would examine Web servers, firewalls, operating systems, routers, switches, mail servers and other applications to determine where weaknesses reside. The product also would perform network discovery to locate network resources.
Internet Scanner would no longer simply be a stand-alone tool, but would be able to take commands from the ISS management console, SiteProtector. Companies then could perform a scan when a new vulnerability or threat was identified, to see which machines could be hit. Then, based on the network manager's decision, SiteProtector would be able to instruct the ISS network-based sensor, RealSecure Network 7.0, or the host-based IDS, RealSecure Server 7.0 and RealSecure Desktop 7.0, to take certain steps. The host-based IDS could block access, based on a specific check or signature.
Because traditional "passive" IDS products aren't inline devices that can block large traffic streams, RealSecure Network 7.0 would be limited to instructing the firewall to block the attack through a process called shunning or, alternatively, terminating a session with TCP resets.
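The decision loop described above, as an added illustration that is not ISS code: given a scanner's findings and which sensors cover each host, it chooses the countermeasure in the article's preference order (host-based block, then firewall shunning by the passive network sensor, then TCP resets) and records that every "virtually patched" host still owes a real patch unless the vendor no longer ships one. Host names, signature ids and the `Host`/`Action` types are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Host:
    name: str
    vulns: Tuple[str, ...]     # signature ids the scanner matched on this host
    host_sensor: bool          # host-based IDS agent installed?
    vendor_patch: bool = True  # does the vendor still supply patches?

@dataclass
class Action:
    kind: str                  # "host_block", "firewall_shun", "tcp_reset" or "none"
    signatures: Tuple[str, ...]
    patch_status: str          # "patch_pending", "no_vendor_patch" or "not_vulnerable"

def plan_virtual_patch(hosts: List[Host], firewall_integration: bool) -> Dict[str, Action]:
    """Pick one compensating control per vulnerable host.

    A host sensor can block on the specific signature. A passive network
    sensor is not inline, so it can only ask the firewall to shun the source
    or, failing that, tear sessions down with TCP resets. The control never
    removes the flaw, so the patch status is tracked alongside it."""
    plan: Dict[str, Action] = {}
    for h in hosts:
        if not h.vulns:
            plan[h.name] = Action("none", (), "not_vulnerable")
            continue
        if h.host_sensor:
            kind = "host_block"
        elif firewall_integration:
            kind = "firewall_shun"
        else:
            kind = "tcp_reset"
        status = "patch_pending" if h.vendor_patch else "no_vendor_patch"
        plan[h.name] = Action(kind, h.vulns, status)
    return plan

# Constructed sample scan output for a single new worm signature.
SAMPLE_HOSTS = [
    Host("web-01", ("worm-sig-01",), host_sensor=True),
    Host("web-02", ("worm-sig-01",), host_sensor=False),
    Host("mail-01", (), host_sensor=True),
    Host("nt4-file", ("worm-sig-01",), host_sensor=False, vendor_patch=False),
]

if __name__ == "__main__":
    for name, action in plan_virtual_patch(SAMPLE_HOSTS, firewall_integration=True).items():
        print(f"{name}: {action.kind} {action.signatures} ({action.patch_status})")
```

Hosts that end up in `patch_pending` are the list the network manager still has to work through once the rush is over; `no_vendor_patch` hosts stay on the compensating control indefinitely.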