Management Infrastructure


HIPS agents that have a robust user interface can and sometimes do operate without any kind of central management. Enterprise-class HIPS, however, require a management infrastructure. Typically, the infrastructure is composed of a management center, or back end, and a management interface used to access the management station.

Security product management stations are high on the typical attacker's target list. If the management station is compromised, the attacker can disable the countermeasure completely or simply reconfigure it in a minor, unnoticeable, and dangerous way. Host Intrusion Prevention agents are immensely powerful, and their management infrastructure should be protected at all costs. To that end, you need to understand the components of a HIPS management infrastructure and the security implications therein.

Management Center

HIPS management centers have three logical elements. The first is a database where event, policy, agent, and other configuration data are stored. The second is an event handling capability, and the final element is policy management.

It's helpful to think of each element separately, because depending on the management model, each component can be installed on a different physical machine. The three most common management models are as follows (see Figure 6-12):

  • Hierarchical: Also known as "manager-of-managers," this model is best for large companies that have agents distributed across a wide geography.

  • Tiered: Supports a large number of users but has them report to a single location. Therefore, it is not as well-suited for distributed environments.

  • Single-server: Single-server implementations are best for small, centralized companies.

Figure 6-12. Management Models


Database

The most critical component of the management center is the database, as it is the repository for all policy information. It must be powerful enough to support the number of agents that use it without crashing and secure enough to withstand attack. For these reasons, many, if not all, of the centrally managed HIPS products use some kind of enterprise database such as Microsoft SQL Server or Oracle.

Management Models

The most straightforward management model is the single-server implementation. In the single-server model, all three management elements are installed on a single server. Many HIPS products, such as Entercept, CSA, and Sana, use this implementation because it is relatively easy to install and configure. On the other hand, scalability can be a problem and most single server management centers cannot support many more than 20,000 agents.

One way to overcome the scalability limitations of a single server is to take the tiered approach, where each management element is installed on a separate physical machine. In other words, you have one machine for event handling, one for the database, and a third for policy management. Logically, the three machines act as a single entity. In some cases, the database portion can be clustered to further enhance scalability. The downside of a tiered solution is that agents in geographically distributed organizations might have to use limited WANs to deliver events and update policies.

The final management model is hierarchical. It is also known as "manager-of-managers" because many submanagement centers report to a central management center. The central manager distributes the policies to the submanagers, synchronizes policies between them, and collects events from them. Ideally, a hierarchical solution should also offer some kind of roaming capability where agents are able to report to the geographically closest submanager. This solution is well-suited for large distributed environments.


Event and Alert Handler

The event handling portion of the management station is also important, but less so than the database because of the fact that HIPS products are supposed to stop attacks before they succeed. HIPS events are almost exclusively informational. They identify what almost happened and what action was taken rather than give a notification that requires a response. This is in stark contrast with Host Intrusion Detection where the most critical component is the event delivery. HIDS cannot take action, so finding a way to elicit a response from an administrator is crucial.

Event handling covers both event delivery and alert generation. The difference between events and alerts rests in their priority. Events are simply bits of information that might or might not be important. Alerts are any events that are marked, usually by the administrator, as being important and use a higher priority mechanism such as e-mail, pager, or Simple Network Management Protocol (SNMP) messages to deliver them.

Two event-handling models are shown in Figure 6-13. In one, the agents report all their events to the management center, and the management center generates alerts for important events. Alerting is centralized, and events are stored in one location, although a large number of simultaneous events can impact management center performance. Another event delivery approach is to have each agent generate its own alerts. Responsibility for alerting is distributed, so performance is of less concern, although no events are stored centrally.

Figure 6-13. Event Handling Models


Ideally, events and alerts should be delivered as quickly as possible. If the agents cannot communicate with the alert or event receiver, you might have a delay; however, all HIPS agents should store event information until it can be delivered.
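The centralized event model above, as an added example that is not part of the book: an agent-side handler that spools every event until the management center (MC) can take it, while rules the administrator marked as alerts also go out immediately on a higher-priority channel. The `Event` fields, the `send_event`/`send_alert` callables, and the rule names are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Event:
    host: str
    rule: str      # HIPS rule that fired (constructed names in the test)
    action: str    # what the agent did, e.g. "blocked"


@dataclass
class AgentEventHandler:
    """Agent side of the centralized model: every event is spooled for the
    management center; events whose rule the administrator marked as an alert
    also go out at once on a higher-priority channel (SNMP, e-mail, pager)."""
    alert_rules: frozenset                  # admin-marked rule names
    send_event: Callable[[Event], bool]     # MC channel; False = undeliverable right now
    send_alert: Callable[[Event], bool]     # high-priority channel, independent of the MC
    spool: deque = field(default_factory=deque)
    alerts_sent: list = field(default_factory=list)

    def handle(self, ev: Event) -> int:
        """Record one event; returns the number of events still spooled."""
        if ev.rule in self.alert_rules and self.send_alert(ev):
            self.alerts_sent.append(ev)
        self.spool.append(ev)    # store first so nothing is lost if delivery fails
        self.flush()
        return len(self.spool)

    def flush(self) -> int:
        """Deliver spooled events oldest-first; stop at the first failure so
        ordering is preserved and the undelivered tail stays queued."""
        sent = 0
        while self.spool and self.send_event(self.spool[0]):
            self.spool.popleft()
            sent += 1
        return sent
```

Call `flush()` again whenever the MC becomes reachable; the spool drains in arrival order.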

Policy Management

The last piece of the management center is the policy editor. Security policy evolves over time in response to environmental or security-related changes. You use the policy editor to make these changes and distribute them to the agents.

The communications channel used to distribute policy changes must be responsive, reliable, and secure. HIPS products use one or more of the following communications models:

  • Push: Changes are forced onto the agent by the management center. Agents must listen for pushes constantly so that they are prepared when one happens. The push model propagates changes rapidly, although it represents a security risk because the agents are listening for connections. An attacker could masquerade as a management server and push dangerous policy changes to the agents.

  • Pull: Agents periodically check with the management center to see if any policy changes are available. In the pull model, policy distribution takes longer because the management center must wait for the agents to check in before the new policy can be delivered. One of the advantages of the pull model is that you stand less risk that agents accept policy changes from unauthorized sources.

  • Push/pull: Push/pull is the middle ground. The management center can send a message to the agents directing them to "Check Now," which greatly speeds the policy update process. The agents listen for this message, so they are able to receive remote connections. However, the risk of a false management center is reduced as long as they connect only to the legitimate management center when prompted to make a policy check. Push/pull is similar to a dial-back modem, where the user dials the modem, the modem hangs up, and then dials the preprogrammed phone number back to the user.

Most HIPS products use some kind of encryption to make sure that the communications between the agents and the management center cannot be overheard (eavesdropping). The encryption also serves the purpose of authenticating the agents and the management console, so that the agents cannot deliver events to, or receive updates from, an unauthorized or spoofed source. Eavesdropping and spoofing are very common attack vectors, so communications security is very important.
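The push/pull model and the authenticated channel described above, as an added example that is not part of the book: a "Check Now" push can only trigger a pull, the pull goes to the agent's pinned management-center address rather than to whoever sent the push, and the fetched policy is applied only if its authentication tag verifies and its version is newer than the one installed. The shared HMAC key, the host names, and the dict standing in for the network are constructed; a real product would use TLS with per-agent credentials.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

MC_KEY = b"constructed-demo-key"     # constructed; real agents would hold per-agent keys or certs
TRUSTED_MC = "mc.corp.example"        # hypothetical pinned management-center address


def sign_policy(version: int, rules: list, key: bytes = MC_KEY) -> dict:
    """Management-center side: serialize a policy and attach an HMAC-SHA256 tag."""
    body = json.dumps({"version": version, "rules": rules}, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


@dataclass
class Agent:
    mc_host: str = TRUSTED_MC
    version: int = 0
    rules: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # audit trail of refused updates

    def on_push(self, sender: str, message: dict, network: dict) -> bool:
        """Push/pull: a push may only trigger a pull. Any policy carried inside
        the push is ignored, and the pull goes to the pinned MC, never to `sender`."""
        if message.get("type") != "CHECK_NOW":
            self.rejected.append(("unexpected push", sender))
            return False
        return self.pull_policy(network)

    def pull_policy(self, network: dict, key: bytes = MC_KEY) -> bool:
        """Pull model: fetch from the pinned MC and verify before applying.
        `network` maps host -> published bundle (constructed stand-in for a TLS fetch)."""
        bundle = network.get(self.mc_host)
        if bundle is None:
            self.rejected.append(("mc unreachable", self.mc_host))
            return False
        expected = hmac.new(key, bundle["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle["tag"]):
            self.rejected.append(("bad signature", self.mc_host))   # spoofed or tampered
            return False
        policy = json.loads(bundle["body"])
        if policy["version"] <= self.version:                      # replayed or stale policy
            self.rejected.append(("stale version", policy["version"]))
            return False
        self.version, self.rules = policy["version"], policy["rules"]
        return True
```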

Management Interface

The tool HIPS administrators use to interact with the management center is called a user interface and comes in two forms. It can either be an installed client user interface or a web interface. Although a full user interface sometimes offers more functionality, a web interface is well-suited for remote administration.

In either case, the communications between the management interface and the management center should be as carefully secured as agent-to-MC communications. You should enforce strong authentication, encryption, and least privilege in addition to the layers of defense you usually apply. The endpoint on which the interface is installed should also have a HIPS agent installed to prevent attackers from piggybacking on an administrator's session.




Intrusion Prevention Fundamentals
ISBN: 1587052393