RealSecure SiteProtector Security Fusion Module

happylandcannedSoftware and s/w Development

Jul 2, 2012 (5 years and 2 months ago)

821 views

6303 Barfield Road



Atlanta, GA 30328 Tel: 404.236.2600

Fax: 404.236.2626




RealSecure

 SiteProtector

 Security Fusion
Module Policy Recommendations for Internet
Scanner

 and RealSecure Sensors
An ISS Technical White Pape
r

RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 1
Overview
The RealSecure SiteProtector security fusion module relies on accurate vulnerability and
intrusion detection information supplied by Internet Scanner and RealSecure sensors. For
optimal benefit, Internet Scanner and RealSecure sensors should be tuned to collect information
that supports security fusion correlation.

One of the easiest ways to configure Internet Scanner or a RealSecure sensor is to use the
default security fusion policies available in SiteProtector. Alternatively, you can create your own
custom policies to support correlation.

This white paper describes the contents of the default policies and provides information about
constructing your own policies.

Internet Scanner Policies
The Fusion Scanner policy is a good base policy to use to support the security fusion module.
This policy includes all the checks enabled in the L2 Classification policy plus all checks that the
security fusion module can correlate, except for those checks that use a denial of service attack
to test services or operating systems for a particular vulnerability.

RealSecure Policies
Each sensor type has a supporting security fusion policy.

The policy for 6.0 network sensors is the Fusion Network Sensor policy. This policy includes all
the signatures enabled in the Attack Detector policy plus signatures that the security fusion
module can correlate.

The policy for 6.0.1 server sensors is the Fusion Server Sensor 6.0.1 policy. This policy includes
all the signatures enabled in the Original policy plus signatures that the security fusion module
can correlate.

Custom Policies
If you want to create your own policies or need to know more about how correlations are made,
you can refer to the table at the end of this document. This table lists all the signatures and
checks that the security fusion module can correlate. It also indicates denial of service checks
and special correlation methods for particular signatures.

Customizing port settings: Use care when customizing signatures and checks to run on ports
other than default ports. The security fusion module assumes, in most cases, that port settings for
Internet Scanner and RealSecure sensors are consistent. For example, if you add or change the
default port settings of a particular RealSecure signature, change the corresponding Internet
Scanner check to scan the same ports. Failure to maintain consistent port settings may cause
inaccurate correlations for those signatures.

Enhanced Internet Scanner Checks (Vulnerability not found/Target not vulnerable)
All Internet Scanner checks can report that a vulnerability exists. Some enhanced Internet
Scanner checks can report that a vulnerability does not exist. When combined with security fusion
correlation, this enhancement greatly reduces the number of false alarms caused by attacks that
were probably not successful. The table indicates which checks have this enhanced capability.


RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 2
Signature and Check List
The following table lists the signatures and checks (up to Internet Scanner version 6.2 and
RealSecure sensors version 6.5) that are currently correlated.

For more information about the meaning of a heading or a note, double-click the note (in PDF) or
hold your cursor over the highlighted asterisk to see a pop-up description (in Word).

SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
allaire-jrun-read-
sample-files
Allaire_JRun_Sample_Fi
les
AllaireJrunReadSampleF
iles




allaire-jrun-webinf-
access
Allaire_JRun_WebInf_Sl
ashSlash
AllaireJrunWebinfAccess




allaire-jrun-webinf-
dotslash
Allaire_JRun_WebInf_D
otSlash
AllaireJrunWebinfDotsla
sh




amd-bo
Amd_Overflow
AmdBo


X

amd-pid
Amd_Pid
AmdPid




amd-version
Amd_Version
AmdVersion




avirt-directory-
create
Email_To_Dot_Dot
AvirtDirectoryCreate




backdoor-aol-
admin
AolAdmin
BackdoorAolAdmin
X



backdoor-asylum
Asylum
BackdoorAsylum
X



backdoor-
backconstruction
BackConstruction
BackdoorBackconstructi
on
X



backdoor-
backdoor2
BackDoor2
BackdoorBackdoor2
X



backdoor-biggluck
BigGluck
BackdoorBiggluck
X



backdoor-blazer5
Blazer5
BackdoorBlazer5
X



backdoor-bo2k
BackOrifice2000
BackdoorBo2k




backdoor-bugs
Bugs
BackdoorBugs
X



backdoor-
chupacabra
Chupacabra
BackdoorChupacabra




backdoor-coma
Coma
BackdoorComa
X



backdoor-
connection
Connection_Backdoor
BackdoorConnection
X



backdoor-crazzynet
CrazzyNet
BackdoorCrazzynet
X



backdoor-
deltasource
DeltaSource
BackdoorDeltasource
X



backdoor-doly15
Doly
BackdoorDoly15
X



backdoor-event-
horizon
EventHorizon
BackdoorEventHorizon




backdoor-evilftp
EvilFTP_Backdoor
EvilFTP Backdoor
X



backdoor-
forcedentry
ForcedEntry
BackdoorForcedentry
X



backdoor-fore
Fore
BackdoorFore
X



backdoor-frenzy
Frenzy
BackdoorFrenzy
X



backdoor-
gatecrasher
GateCrasher
GateCrasher Backdoor
X



backdoor-girlfriend
GirlFriend
GirlFriend Backdoor
X




RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 3
SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
backdoor-glacier
Glacier
BackdoorGlacier
X



backdoor-
hackatack
HackATack
Hack'a'tack Backdoor
X



backdoor-
hackersparadise
HackersParadise
BackdoorHackersparadi
se
X



backdoor-host-
control
HostControl
BackdoorHostControl
X



backdoor-hvlrat
Hvl_Rat
BackdoorHvlrat
X



backdoor-kuang2v
Kuang2Virus
BackdoorKuang2v
X



backdoor-
mavericks-matrix
MavericksMatrix
BackdoorMavericksMatr
ix
X



backdoor-
millenium
Millenium
BackdoorMillenium
X



backdoor-
netmonitor
NetSpy
BackdoorNetmonitor
X



backdoor-
netsphere13
NetSphere
NetSphere Backdoor
X



backdoor-netspy12
NetSpy_v12
BackdoorNetspy12
X



backdoor-
phasezero
PhaseZero
BackdoorPhasezero
X



backdoor-progenic
Progenic
BackdoorProgenic
X



backdoor-prosiak
Prosiak
BackdoorProsiak
X



backdoor-qaz
Qaz_Command
BackdoorQaz

X


backdoor-qaz
Qaz_Connect
BackdoorQaz
X
X


backdoor-remote-
storm
RemoteStorm
BackdoorRemoteStorm
X



backdoor-rws
RemoteWindowsShutdo
wn
BackdoorRws
X



backdoor-
schwindler
Schwindler
BackdoorSchwindler
X



backdoor-
secretservice
SecretService
BackdoorSecretservice
X



backdoor-serveme
ServeMe
BackdoorServeme
X



backdoor-snidx2
SnidX2
BackdoorSnidx2
X



backdoor-snipernet
SniperNet
BackdoorSnipernet
X



backdoor-sockets-
de-troie
Sockets_de_Troie
BackdoorSocketsDeTroi
e




backdoor-
stealthspy
StealthSpy
BackdoorStealthspy
X



backdoor-subseven
SubSeven
SubsevenBackdoor
X



backdoor-subseven
SubSeven_Scan
SubsevenBackdoor
X



backdoor-swift
Swift
BackdoorSwift




backdoor-syphillis
Syphillis
BackdoorSyphillis
X



backdoor-syphillis
Syphillis_Scan
BackdoorSyphillis




backdoor-the-thing
TheThing
BackdoorTheThing
X



backdoor-tini
Tini
BackdoorTini
X
X


backdoor-total-
TotalEclypse
TotalEclypse
X




RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 4
SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
eclypse
backdoor-truva12
Truva
BackdoorTruva12
X



backdoor-ultors
Ultors
BackdoorUltors
X



backdoor-
unexplained10
Unexplained
BackdoorUnexplained10
X



backdoor-y3k-rat
Y3K_RAT
BackdoorY3kRat



TCP/UDP
differences *
bind-nxt-bo
DNS_NXT_Overflow
BindNxtBo

X


bind-tsig-bo
DNS_TSIG_Overflow
BindTsigBo


X

bind-version
Bind_Version_Request
bindvrs




cart32-admin-
password
HTTP_Cart32_ChangeA
dminPassword
Cart32AdminPassword

X


cart32-clientlist
HTTP_Cart32_ClientList
Cart32Clientlist

X


cart32-expdate
HTTP_Cart32_Expdate
Cart32Expdate




chargen
Chargen_Denial_of_Ser
vice
chargen




cisco-ios-cable-
docsis
Cisco_Cable_Docsis_SN
MP_Community
CiscoIosCableDocsis




cisco-ios-modify-
snmp
Cisco_ILMI_SNMP_Com
munity
CiscoIosModifySnmp




coldfusion-admin-
dos
HTTP_ColdFusion_Admi
n
ColdfusionAdminDos

X


coldfusion-
expression-
evaluator
HTTP_Cold_Fusion
ColdFusionEvaluator

X


coldfusion-file-
existence
HTTP_ColdFusion_FileE
xists
ColdFusionFileExists




coldfusion-source-
display
HTTP_ColdFusion_View
Example
ColdFusionSource




coldfusion-
sourcewindow
HTTP_ColdFusion_Sour
ceWindow
ColdFusionFileRead




coldfusion-syntax-
checker
HTTP_ColdFusion_Synt
axChecker_DOS
ColdFusionSyntaxCheck
er

X


compaq-web-
management-bo
Compaq_Insight_Cpqlo
gin_Overflow
CompaqWebManageme
ntBo


X

dansie-form-
variables
HTTP_Dansie_Infoleak
DansieFormVariables




ddos-freak88
Freak88
DdosFreak88
X
X


ddos-mstream-
master
Mstream_Master
DdosMstreamMaster

X


ddos-mstream-
zombie
Mstream_Zombie
DdosMstreamZombie

X


dns-iquery
DNS_Iquery
iquery




dns-zonexfer
DNS_Zone_Transfer
zonexfer




echo
Echo_Denial_of_Service
echo




ecware-dos
HTTP_ECware_DoS
EcwareDos


X

exchange-store-
dos
Email_ExchangeStore_
DoS
ExchangeStoreDos




finger-bomb
Finger_Bomb
fingerbomb


X


RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 5
SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
frontpage-ext-
device-name-dos
HTTP_FrontPage_Devic
eName
FrontpageExtDeviceNa
meDos

X
X

fsp-fspd
FSP_Detected
Fsp




ftp-args
FTP_Args
Ftpd Args Core Dump




ftp-bounce
FTP_Bounce
ftpbounce




ftp-cwd
FTP_Root
ftpcd




ftp-glob-expansion
FTP_Glob_Expansion
FtpGlobExpansion




ftp-glob-
implementation
FTP_Glob_Implementati
on
FtpGlobImplementation




fuseware-popmail-
bo
POP_Fuseware_Overflo
w
FusewarePopmailBo


X

fw1-gettopo-
noauth
FW1_GetTopology
Fw1GettopoNoauth




fw1-localhost-auth
FW1_Auth_As_Local
Fw1LocalhostAuth

X


gauntlet-
cyberdaemon-bo
Gauntlet_CyberDaemon
_Overflow
GauntletCyberdaemonB
o


X

hp-openview-nnm-
bo
OpenView_NNM_Overfl
ow
HpOpenviewNnmBo


X

hpux-rlpd-bo
HPUX_RLPD_Overflow
HpuxRlpdBo




http-cgi-anyform
HTTP_AnyFormPost
AnyForm

X


http-cgi-cachemgr
HTTP_Cachemgr
HttpCgiCachemgr




http-cgi-campas
HTTP_Campas
Campas

X


http-cgi-cdomain
HTTP_Cdomain
CGI whois_raw

X


http-cgi-faxsurvey
HTTP_FaxSurvey
HylaFax faxsurvey
Vulnerability

X


http-cgi-glimpse
HTTP_Glimpse
Aglimpse

X


http-cgi-guestbook
HTTP_Guestbook
GuestBookCheck

X


http-cgi-jj
HTTP_JJ
CGIjj

X


http-cgi-nph
HTTP_NphTestCgi
nphtestcgi




http-cgi-phf
HTTP_PHF
vulnphf

X


http-cgi-phpbo
HTTP_PHP_Overflow
PHPBufferOverflow

X


http-cgi-
phpfileread
HTTP_PHP_Read
PHPread




http-cgi-test
HTTP_TestCgi
vulntestcgi

X


http-cgi-viewsrc
HTTP_SCO_View-
Source
ViewSource

X


http-cgi-vuln
HTTP_Shells
vulncgi

X


http-dotdot
HTTP_DotDot
rootdotdot

X


http-iis-aspdot
HTTP_IIS3_Asp_Dot
Aspdot check




http-iis-cmd
HTTP_IE_BAT
iiscmd

X


http-indexserver-
dirtrans
HTTP_IndexServer_We
bhits
HttpIndexserverDirtran
s




http-ncsa-longurl
HTTP_NCSA_Buffer_Ov
erflow
NCSA Long Url
Vulnerability

X


http-nov-convert
HTTP_Novell_Convert
Convert Check

X



RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 6
SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
http-nov-files
HTTP_Novell_Files
Novell Files Script




http-sgi-handler
HTTP_SGI_Handler
Handler Check

X


http-sgi-webdist
HTTP_SGI_Webdist
Webdist

X


http-sgi-wrap
HTTP_SGI_Wrap
Wrap Check




http-webgais-smail
HTTP_Websendmail
Websendmail

X


http-website-
uploader
HTTP_WebSite_Uploade
r
Uploader

X


http-website-
winsample
HTTP_WebSite_Sample
WinSample




igmp-dos
Win_IGMP_DOS
IgmpDos




iis-asp-data-check
HTTP_IIS$DATA
DATA bug

X


iis-exair-dos
HTTP_IISExAir_DoS
IIS ExAir DoS


X

iis-htr-obtain-code
HTTP_IIS_Obtain_Code
IisHtrObtainCode




iis-htr-overflow
HTTP_IISHTR_Overflow
IIS HTR Overflow


X

iis-isapi-idq-bo
HTTP_IIS_Index_Serve
r_Overflow
IisIsapiIdqBo




iis-isapi-printer-bo
HTTP_IIS_ISAPI_Printe
r_Overflow
IisIsapiPrinterBo




iis-samples-
showcode
HTTP_IIS_Showcode
IisSamplesShowcode




iis-unicode-
translation
HTTP_IIS_Unicode_Tra
nslation
IisUnicodeTranslation




iis-url-decoding
HTTP_IIS_URL_Decodin
g
IisUrlDecoding




imail-imap-
overflow
IMAP_Imail_Overflow
IMailIMAPOverflow


X

imap-authenticate-
bo
IMAP_Authenticate_Ove
rflow
IMAP Authenticate
Buffer Overflow


X

inn-controlmsg
INN_Control
innd vuln




ip-fragment-
reassembly-dos
Jolt2
IpFragmentReassembly
Dos




kerberos-user-grab
Kerberos_User_Snarf
kerbul




land
Land
land


X

linkerbug
TelnetLinkerBug
linkerbug




linux-rpcstatd-
format-overwrite
Statd_Format_Attack
LinuxRpcstatdFormatOv
erwrite


X

lotus-domino-
smtp-bo
Lotus_Domino_SMTP_O
verflow
LotusDominoSmtpBo


X

lprng-format-string
LPRng_Format_String
LprngFormatString




management-
agent-dos
Compaq_Insight_DoS
Management Agent
DoS


X

management-
agent-file-read
Compaq_Insight_Filere
ad
ManagementAgentFileR
ead




netscape-
enterprise-list-
directories
HTTP_Netscape_List_Di
rectories
NetscapeEnterpriseList
Directories




netscape-
enterprise-revlog-
dos
HTTP_Netscape_Revlog
NetscapeEnterpriseRevl
ogDos


X


RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 7
SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
netscape-fasttrack-
auth-bo
HTTP_NS_Admin_Overfl
ow
NetscapeAdminBo


X

netscape-server-
pageservices
HTTP_Netscape_PageS
ervices
NetscapePageServices




netscape-space-
view
HTTP_Netscape_Space
View
NetscapeSpaceView




netterm-ftp-dele-
bo
FTP_NetTerm_Dele_Ov
erflow
NettermFtpDeleBo


X

netterm-ftp-dir-bo
FTP_NetTerm_Dir_Over
flow
NettermFtpDirBo


X

netterm-ftp-ls-bo
FTP_NetTerm_Ls_Overf
low
NettermFtpLsBo


X

netterm-ftp-mkd-
bo
FTP_NetTerm_Mkd_Ove
rflow
NettermFtpMkdBo


X

netterm-ftp-pass-
bo
FTP_NetTerm_Pass_Ov
erflow
NettermFtpPassBo


X

netterm-ftp-rmdir-
bo
FTP_NetTerm_Rmdir_O
verflow
NettermFtpRmdirBo


X

nfs-guess
NfsGuess
nfsguess




nfs-mknod
NfsMknod
nfsmknod




nfs-portmap
PmapMnt
nfspmap




nfs-uid
NfsUid
nfsuid




nisd-bo-check
NIS_Overflow
NISd Buffer Overflow


X

nt-iis-rds
HTTP_MDAC_Access
IIS RDS

X


nt-ip-source-route
Win_IP_Src_Route
NtIpSourceRoute




nt-logondos
SMB_Malformed
Windows NT SMB logon
DoS




ntpd-remote-bo
NTP_Readvar_Overflow
NtpdRemoteBo


X

nt-registryopen
Windows_Registry_Rea
d
registry




nt-samba-bo
SMB_Password_Overflo
w
Samba Overflow




nt-web8.3
HTTP_NT8.3_Filename
NT_web8.3




nt-wins-snmp2
SNMP_Delete_WINS
NT Delete Records


X

outlook-date-
overflow
IMAP_Outlook_Date_Ov
erflow
OutlookDateOverflow

X


outlook-date-
overflow
POP_Outlook_Date_Ove
rflow
OutlookDateOverflow

X


ping-death
PingOfDeath
pingbomb


X

pmap-sunset
PmapUnsetSpoof
pmapsunset


X

pmap-unset
PmapUnset
PmapUnset


X

pop2-fold-bo
POP_Fold_Overflow
Pop2FoldBo




popimap-bo
POP_Overflow
popimap




qmail-leng
Email_Qmail_Length
qmailswap




qmail-rcpt
Email_Qmail_Rcpt
qmailrecipient




qpopper-auth-bo
POP_QPopAuth_Overflo
w
QpopperAuthBo


X


RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 8
SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
qpopper-
username-bo
POP_QPopUser_Overflo
w
QpopperUsernameBo


X

rexd
Rexd
rexd




rlogin-froot
Rlogin_Froot
rlogin




rpc-pcnfsd
PcnfsdExec
rpcpcnfsd


X

rpc-stat
Statd_DotDot
rpcstatd




rpc-update
Ypupdate_Exec
rpcupdate




rwhod-vuln
Rwhod_Overflow
rwhod - vulnerable


X

selsvc-holdfile
SelSvcH
selsvcvuln




siteserver-site-csc
HTTP_SiteCsc_Access
SiteServerCSC




smtp-dcod
Email_Decode
smtpdecode




smtp-debug
Email_Debug
smtpdebug




smtp-ehlo
Email_Ehlo
EhloCheck




smtp-expn
Email_Expn
smtpexpn




smtp-expn-bo
Email_Expn_Overflow
SMTP EXPN Buffer
Overflow Attempt


X

smtp-helo-bo
Email_Helo_Overflow
SmtpHeloBo


X

smtp-sendmail-
relay
Email_Relay_Spam
smtprelay




smtp-vrfy
Email_Vrfy
smtpvrfy




smtp-vrfy-bo
Email_Vrfy_Overflow
SMTP VRFY Buffer
Overflow Attempt


X

smtp-wiz
Email_WIZ
smtpwiz




snork-dos
Land_UDP
Snork DoS




solaris-
answerbook2-
admin-interface
AnswerBook2_Admin
SolarisAnswerbook2Ad
minInterface

X


solaris-
answerbook2-
remote-execution
AnswerBook2_Execute
SolarisAnswerbook2Re
moteExecution

X


solaris-
snmpxdmid-bo
RPC_snmpXdmid_Overf
low
SolarisSnmpxdmidBo


X

sol-sadmind-
amslverify-bo
Sadmind_Amslverify_O
verflow
SolSadmindAmslverifyB
o




stacheldraht-dos
Stacheldraht_DOS
StacheldrahtDos

X

source/dest
used *
sun-cmsd-bo
RPC_Cmsd_Overflow
SunCmsdBo

X


synflood
SYNFlood
syncstorm


X

teardrop
TearDrop
Teardrop


X

telnetd-option-
telrcv-bo
TelnetExcessiveAYTs
TelnetdOptionTelrcvBo


X

tfn2k-dos
TFN2000
Tfn2kDos




tfn-dos
Tribe_Flood_Network
TfnDos
X
X


tivoli-lcf-file-read
Tivoli_LCF_File_Read
TivoliLcfFileRead




tooltalk
ToolTalk_Overflow
ToolTalk Overflow

X
X


RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 9
SiteProtector
Event Name *
RealSecure Sensor
Signature *
Internet Scanner
Check *
Src
IP *
Not Vuln
*
DoS
*
Notes *
traceroute
Trace_Route
traceroute




trin00-daemon
TrinooDaemon
Trin00Daemon

X


udp-bomb
UDPBomb
udpbomb


X

vnc-installed
VNC_Detected
VNCDetect
X



vnc-installed-
noauth
VNC_NoAuthentication
VNCNoAuth
X



weblogic-
fileservlet-show-
code
HTTP_WebLogic_FileSer
vlet_Show_Code
WeblogicFileservletSho
wCode




weblogic-file-
source-read
HTTP_WebLogic_FileSo
urceRead
WeblogicFileSourceRea
d

X


websphere-header-
dos
HTTP_WebSphere_Hea
derDoS
WebsphereHeaderDos


X

webstore-misconfig
HTTP_WebStore
WebstoreMisconfig




win95-back-orifice
BackOrifice
BackOrifice

X

default port
only *
win95-nbsmbpwl
Windows_PWL_Access
nbsmbpwl




win-netbus-
installed
NetBus
NetBus

X

source/dest
used *
win-oob
Windows_OOB
oob_crash


X





RealSecure SiteProtector Security
Fusion Module Policy Recommendations for
Internet Scanner and RealSecure Sensors
An ISS Technical White Paper Page 10


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a world leader in software
and services that protect critical online resources from attack and misuse. ISS is headquartered
in Atlanta, GA, with additional operations throughout the United States and in Asia, Australia,
Europe, Latin America and the Middle East.

Copyright © 2001, Internet Security Systems, Inc. All rights reserved worldwide.

Internet Security Systems, the Internet Security Systems logo, Internet Scanner, SiteProtector and
RealSecure are trademarks and service marks of Internet Security Systems, Inc. Other marks and trade
names mentioned are marks and names of their owners as indicated. All marks are the property of their
respective owners and used in an editorial context without intent of infringement. Specifications and content
are subject to change without notice.