P-Guide, HIPS 2010: What role should they play in your security strategy?
August 2, 2010 - Host-Based Intrusion Prevention Systems 2010: What role should they play in your security strategy?
Editor’s note: In 2009, we took a look at some questions to ask before investing in a Host-Based Intrusion Prevention System (or HIPS, as they’re often called). This P-guide expands upon that piece, examining how the systems work in more depth and providing details on their unique advantages, challenges, and role in today’s marketplace.
Executive Summary
One disturbing truth about today’s IT environment is that the security tools you’ve relied on in the past—primarily signature-based anti-virus and anti-malware—aren’t as effective as they used to be. While still crucial, they can’t do it alone anymore. Most observers agree that the best approach is to use a layered defensive strategy, one that integrates multiple types of defensive tools. Host-based intrusion prevention can play a key role in such an approach. While they’ve been around for the better part of the last decade, the solutions have grown increasingly sophisticated, effective, and user-friendly in the last few years.
What do you need to know about host-based intrusion prevention? This P-guide offers practical insight.
Introduction
Chances are good that you’re at least somewhat familiar with host-based intrusion prevention systems. Chances are also good, however, that you probably don’t use one. According to a recent Forrester report, less than 10 percent of U.S. midmarket firms currently use them. Why the low adoption rate? After all, intrusion prevention systems are powerful security tools that offer a cost-effective way to wipe out malware that slips past network defenses or gets manually installed on a PC. They’re also not new—they’ve been around for much of the last decade.
That longevity might offer one reason why they haven’t been universally embraced. The earliest intrusion prevention systems had issues—excessive bandwidth consumption, too many false-positive notifications, clunky administrative controls—that helped tarnish their reputation. Those problems have largely been cleared up, however, and the current generation of solutions deserves serious consideration. Here’s a look at what you need to know.
Host-Based Intrusion Prevention Defined
As the name implies, host-based intrusion prevention systems are designed to protect individual endpoints from viruses, botnets, and other forms of Web-based nastiness. Broadly speaking, they reside on individual endpoints, monitor Web traffic, the operating system, and installed programs for unwanted or malicious behavior, and then stop it before it does any damage. Host-based intrusion prevention shouldn’t be confused with network-based intrusion prevention systems (NIPS), host-based intrusion-detection systems (HIDS), or network-based intrusion detection systems (NIDS). For more on them, see “What’s in a Name?” elsewhere in this document.
How Intrusion Prevention Works
Most host-based intrusion prevention products work by setting low-level operating system hooks, baselining the host computer, and then intercepting system calls, evaluating system applications, and comparing all incoming data against a predetermined (and updatable) list of rules. If everything checks out OK, the data is cleared. If not, the intrusion prevention system automatically blocks and quarantines the offending item(s), sends out alerts, and generates a detailed report. In that sense, it’s fundamentally different from, say, a firewall that monitors and controls traffic at a system entry point, but not inside individual PCs.
A standard element of the intrusion prevention evaluation process has long been behavioral-based protocol analysis, which the solution uses to decode application-layer network protocols. Once the decoding is complete, it can scan for behavior associated with potential exploits. A trend in recent years, however, has been the bundling of application controls and/or whitelisting with an intrusion prevention solution. The key advantage here is the proactive element. By their nature, signature- or pattern-based techniques are reactive—they can only be developed in response to an existing threat, which leaves users vulnerable to zero-day attacks. Whitelists and application controls allow IT administrators to control what comes into the network and what runs on individual machines—which means there’s no need to worry about users running unauthorized programs or inadvertently installing infected executables or unlicensed software.
Another recent trend has been to bundle intrusion prevention systems into integrated security packages. The packaged offerings combine everything from anti-virus/anti-spyware protection to firewalls and operating system security settings, Web application and buffer overflow exploit protection, kernel-level network filtering, code-execution monitoring, and the like. That integration focuses on a layered approach to defense, with the host-based intrusion prevention solution as the final layer. Because signature-based antivirus and anti-malware are essentially reactive in nature, they can be vulnerable to zero-day attacks. A hybrid, multi-tiered approach with multiple security applications—and a proactive, whitelist-driven intrusion prevention system at the endpoint—offers a potent form of resistance. While it’s no magic bullet, it can help protect against Layer 4 TCP SYN flooding and Layer 7 brute force DoS attacks. It can also make life easier in Patch Tuesday scenarios by helping guard against zero-day exploits and providing additional time to test and deploy patches.
Host-Based Intrusion Prevention Advantages
While the proactive, multi-layered security approach is the top advantage of using an intrusion prevention system, it’s not the only one. For instance, most of today’s solutions are extremely user friendly—they typically can be managed and configured via a central console.
They’re also remarkably configurable. You can, for example, design and modify unique policies and tweak the amount of CPU time the intrusion prevention solution uses. Best-in-class programs also allow you to fine-tune security settings—including application controls, anti-malware configuration, and removable device restrictions—for individual PCs, and determine whether approved applications can execute other applications (i.e., to prevent camouflaged rootkits from gaining access to the network). Some vendors are even offering instant cloud-based updating for newly hatched security threats. By comparing applications with profiles stored in cloud databases, users can more clearly spot malicious applications and thereby reduce false positives.
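To make the evaluation loop described under “How Intrusion Prevention Works” concrete, together with the approved-parent application control mentioned above, here is an added Python sketch of a whitelist-driven policy engine. It is not code from the P-guide or from any of the vendors listed; the paths, hashes, and launch events are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    host: str
    parent: str   # image path of the process doing the launching
    image: str    # image path of the program being launched
    sha256: str   # hash of the launched executable (constructed value)

@dataclass
class Policy:
    whitelist: dict    # image path -> approved sha256 (the "normal" baseline)
    may_launch: dict   # parent image -> set of child images it is allowed to start
    alerts: list = field(default_factory=list)  # report lines for blocked events

    def evaluate(self, ev: Event) -> str:
        """Return 'allow' or 'block'; every block is recorded for the report."""
        approved = self.whitelist.get(ev.image)
        if approved is None:
            return self._block(ev, "program not on the approved list")
        if approved != ev.sha256:
            return self._block(ev, "hash differs from the approved build")
        children = self.may_launch.get(ev.parent)
        if children is not None and ev.image not in children:
            return self._block(ev, "parent is not permitted to start this program")
        return "allow"

    def _block(self, ev: Event, reason: str) -> str:
        self.alerts.append(f"{ev.host}: blocked {ev.image} (parent {ev.parent}): {reason}")
        return "block"

def build_policy() -> Policy:
    # Baseline from a learning/whitelisting pass; hashes are constructed placeholders.
    return Policy(
        whitelist={r"C:\Program Files\Office\winword.exe": "aaaa1111",
                   r"C:\Windows\System32\cmd.exe": "bbbb2222"},
        # Word is approved but may not launch anything (stops document-borne droppers).
        may_launch={r"C:\Program Files\Office\winword.exe": set()},
    )

# Constructed sample events: one normal launch and three a HIPS should stop.
SAMPLE_EVENTS = [
    Event("pc01", r"C:\Windows\explorer.exe", r"C:\Program Files\Office\winword.exe", "aaaa1111"),
    Event("pc01", r"C:\Program Files\Office\winword.exe", r"C:\Windows\System32\cmd.exe", "bbbb2222"),
    Event("pc02", r"C:\Windows\explorer.exe", r"C:\Users\Public\update.exe", "dddd4444"),
    Event("pc02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "ffff0000"),
]

def run(policy: Policy, events) -> list:
    return [policy.evaluate(ev) for ev in events]   # decisions, in event order
```

After `run(build_policy(), SAMPLE_EVENTS)` the policy’s `alerts` list holds the three block records, which is the raw material for the alerting and reporting the guide describes.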
Host-Based Intrusion Prevention Challenges
Host-based intrusion prevention products do have some drawbacks. Some solutions may place too many restrictions in terms of what programs or processes they can protect. If you opt for a completely custom install, you’ll need to meticulously create a list of approved programs to help the intrusion prevention solution understand what’s considered “normal.” Another consideration revolves around integration. If you’re adding a standalone intrusion prevention product to your existing network, you’ll need to make sure it can work seamlessly with your antivirus/antimalware products.
Finally, it’s not necessarily a drawback, but you need to factor in the cost of a standalone intrusion prevention product for each of your firm’s endpoints. That’s another reason why it makes sense to consider a bundled solution that integrates intrusion prevention with other security products. On a larger scale, however, costs and ROI aren’t always so cut and dried. With that in mind, it pays to note the staff time and money intrusion prevention can potentially save—both in terms of attacks stopped and the staff hours involved in, for example, testing and configuring system patches.
Host-Based Intrusion Prevention Solutions
Solution # 1: CA Host-Based Intrusion Prevention Systems (CA HIPS)
CA HIPS fits the definition of a multi-layered security solution—it features an endpoint firewall, intrusion detection and prevention, operating system security, and application control capabilities. It also provides a single-interface, Web-based management console that allows for flexible security management throughout the entire company. IT administrators can use it to determine how applications can communicate, set access rights and policies for groups or individual users, and log all key events. The product also has a feature dubbed the Learning Mode, which lets users supervise a group of systems to settle on what constitutes acceptable behavior. By doing so, it allows administrators to determine the proper balance between policies that are too restrictive and policies that are too lenient.
Find out more here: www.productivecorp.com/security-products/ca-security-products/ca-host-based-intrusion-prevention-system-hips
Solution #2: McAfee Host Intrusion Prevention for Desktop
McAfee’s Host Intrusion Prevention for Desktop offers a three-part defensive approach that combines behavioral-based algorithms, signature analysis, and a stateful firewall that identifies legitimate packets for different connections and also monitors network connections. Part of the larger McAfee Total Protection for Endpoint security suite, it also features application-blocking capabilities and a Web-based management console that allows for at-a-glance overviews of individual workstations. One unique component is McAfee’s patented approach to preventing buffer-overflow attacks (i.e., ones that attempt to load malicious code into temporary storage buffers). The McAfee technique essentially blocks the execution of the code from overflowed buffers, and prevents the three primary types of buffer overflow exploits: stack-based, heap-based, and return-into-libc.
Find out more here: www.mcafee.com/us/enterprise/products/system_security/clients/host_intrusion_prevention_desktop_server.html
Solution #3: Trend Micro Deep Security
Trend Micro’s Deep Security melds multiple capabilities, including intrusion detection and prevention, application controls, and more. It also offers signature- and anomaly-based detection, along with deep packet inspection, a network packet filtering technique that examines both the data and headers of incoming and outgoing packets (as opposed to shallow packet inspection, which provides less detailed information), looking for protocol deviations. Its bidirectional stateful firewall offers a central management point for server firewall policy, covers all IP-based protocols, and provides fine-grained filtering. The software also prevents data breaches from attacks targeting software vulnerabilities, including SQL injection and cross-site scripting attacks.
Find out more here: http://us.trendmicro.com/us/solutions/enterprise/security-solutions/virtualization/deep-security/index.html
Solution #4: Symantec Multi-Tier Protection
Symantec’s Multi-tier Protection is another multi-layered host-based intrusion prevention product that integrates antivirus, antispyware, firewall, intrusion prevention, and device and application control technologies into one package. One unique element is the Symantec Proactive Threat Scan, which runs a scan at predetermined points and whenever new processes load, using proprietary Symantec technology to score the behaviors of unknown applications. According to the company, the scanning process improves detection and cuts back on false positives without the need to create rule-based configurations. The highly configurable administrative control panel allows you to deny specific device and application activities and even block specific actions based on an individual user’s physical location. The software also leverages the power of the Symantec Global Intelligence Network, a 24/7 service that collects data on security breaches and threats from a system of operations centers and more than 40,000 sensors around the world.
Find out more here: www.symantec.com/business/protection-suite-enterprise-edition
Conclusion
The key point to note about host-based intrusion prevention is that it can play a key role in a layered security approach. Given the complexity and overwhelming nature of today’s threat environment, it’s practically impossible for a single policy, process, or component to keep intruders out of a network. The multi-layered approach—with intrusion prevention as the final line of defense—has emerged as the best possible way to protect your systems and assets. As the market continues to evolve and mature, the solutions available to IT staffs are becoming increasingly robust and reliable. Still, it pays to do your homework and find one that works for your unique needs.
For more information on intrusion prevention, contact Productive Corporation:
Phone: 1.800.726.4099
Email: help@productivecorp.com
About Productive Corporation
Productive Corporation is a specialized software reseller that helps small and medium businesses across North America with software initiatives in security, storage, and infrastructure. We provide subject matter expertise, access to technical resources, and excellent customer service. We also strive to provide the most relevant resources for our customers.
About the Author
Chris Mikko is a Twin Cities-based writer and editor who specializes in technology topics.