HIPS agents that have a robust user interface can, and sometimes do, operate without any kind of central management. Enterprise-class HIPS, however, require a management infrastructure. Typically, that infrastructure is composed of a management center, or back end, and a management interface used to access the management center. Security product management stations are high on the typical attacker's target list: if the management station is compromised, the attacker can disable the countermeasure completely or simply reconfigure it in a minor, unnoticeable, and dangerous way. Host intrusion prevention agents are immensely powerful, and their management infrastructure should be protected at all costs. To that end, you need to understand the components of a HIPS management infrastructure and their security implications.

Management Center

HIPS management centers have three logical elements. The first is a database where event, policy, agent, and other configuration data are stored. The second is an event-handling capability, and the third is policy management. It is helpful to think of each element separately, because depending on the management model, each component can be installed on a different physical machine. The three most common management models are as follows (see Figure 6-12):
Figure 6-12. Management Models

Database

The most critical component of the management center is the database, because it is the repository for all policy information. It must be powerful enough to support the number of agents that use it without crashing, and secure enough to withstand attack. For these reasons, many, if not all, centrally managed HIPS products use an enterprise database such as Microsoft SQL Server or Oracle.
Event and Alert Handler

The event-handling portion of the management station is also important, but less so than the database, because HIPS products are supposed to stop attacks before they succeed. HIPS events are almost exclusively informational: they identify what almost happened and what action was taken, rather than giving a notification that requires a response. This is in stark contrast to host intrusion detection, where the most critical component is event delivery. HIDS cannot take action, so finding a way to elicit a response from an administrator is crucial.

Event handling covers both event delivery and alert generation. The difference between events and alerts rests in their priority. Events are simply bits of information that might or might not be important. Alerts are events that have been marked, usually by the administrator, as important; they use a higher-priority mechanism, such as e-mail, pager, or Simple Network Management Protocol (SNMP) messages, to reach someone. Two event-handling models are shown in Figure 6-13. In the first, the agents report all their events to the management center, and the management center generates alerts for the important ones. Alerting is centralized and events are stored in one location, although a large number of simultaneous events can impact management center performance. In the second, each agent generates its own alerts. Responsibility for alerting is distributed, so performance is of less concern, although no events are stored centrally.

Figure 6-13. Event Handling Models

Ideally, events and alerts should be delivered as quickly as possible. If the agents cannot communicate with the alert or event receiver, delivery is delayed; every HIPS agent should therefore store event information locally until it can be delivered.

Policy Management

The last piece of the management center is the policy editor.
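The two alerting models and the store-until-delivered rule above, worked through as an added example (not code from the book or from any HIPS product). Host names, event kinds, and the alert rules are constructed. It goes slightly beyond the figure: the pure distributed model keeps no central event store, whereas here the agent still forwards its events afterward, so both alerting paths can be compared on the same event stream during a management center outage.

```python
from collections import deque
from dataclasses import dataclass

# Constructed alert policy (hypothetical event names): event kinds the
# administrator marked as alerts, mapped to the higher-priority channel.
ALERT_RULES = {
    "buffer_overflow_blocked": "email",
    "kernel_module_load_blocked": "snmp",
}


@dataclass
class Event:
    host: str
    kind: str     # what almost happened
    action: str   # what the agent did about it
    seq: int      # per-agent sequence number; a gap at the MC reveals a lost event


class ManagementCenter:
    """Stores every delivered event. Given alert rules it also generates the
    alerts (centralized model); given None it only stores (distributed model)."""

    def __init__(self, alert_rules=None):
        self.rules = alert_rules
        self.reachable = True
        self.events = []
        self.alerts = []

    def receive(self, ev):
        if not self.reachable:
            raise ConnectionError("management center unreachable")
        self.events.append(ev)
        if self.rules and ev.kind in self.rules:
            self.alerts.append((self.rules[ev.kind], ev.host, ev.kind))

    def missing_seqs(self, host):
        """Sequence numbers never received from host: the gap check an operator wants."""
        seen = {e.seq for e in self.events if e.host == host}
        return [n for n in range(1, max(seen, default=0) + 1) if n not in seen]


class Agent:
    """Agent with a local spool. In the distributed model (local_alerting=True)
    it raises its own alerts, so alerting does not wait for the MC."""

    def __init__(self, host, mc, local_alerting=False, alert_rules=ALERT_RULES):
        self.host = host
        self.mc = mc
        self.local_alerting = local_alerting
        self.rules = alert_rules
        self.spool = deque()
        self.local_alerts = []
        self.seq = 0

    def record(self, kind, action):
        self.seq += 1
        ev = Event(self.host, kind, action, self.seq)
        self.spool.append(ev)   # spool first: an outage must never drop an event
        if self.local_alerting and kind in self.rules:
            self.local_alerts.append((self.rules[kind], kind))
        self.flush()
        return ev

    def flush(self):
        """Deliver spooled events in order; stop at the first failure, keep the rest."""
        delivered = 0
        while self.spool:
            try:
                self.mc.receive(self.spool[0])
            except ConnectionError:
                break
            self.spool.popleft()
            delivered += 1
        return delivered


def run_scenario(centralized):
    """Constructed sequence: one event while the MC is up, two during an
    outage (one of them alert-worthy), then the MC returns."""
    mc = ManagementCenter(ALERT_RULES if centralized else None)
    agent = Agent("web01", mc, local_alerting=not centralized)
    agent.record("file_write_denied", "denied")
    mc.reachable = False
    agent.record("buffer_overflow_blocked", "process terminated")
    agent.record("file_write_denied", "denied")
    spooled = len(agent.spool)
    alerts_during_outage = len(mc.alerts) + len(agent.local_alerts)
    mc.reachable = True
    redelivered = agent.flush()
    return {
        "spooled_during_outage": spooled,
        "alerts_during_outage": alerts_during_outage,
        "redelivered": redelivered,
        "stored_seqs": [e.seq for e in mc.events],
        "missing": mc.missing_seqs("web01"),
        "central_alerts": mc.alerts,
        "local_alerts": agent.local_alerts,
    }
```

Running `run_scenario(True)` and `run_scenario(False)` shows the trade-off the text describes: in both cases nothing is lost (two events sit in the spool during the outage and are redelivered in order, with no sequence gap), but with centralized alerting the buffer-overflow alert is not raised until the management center is reachable again, while with distributed alerting the agent raises it immediately.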
Security policy evolves over time in response to environmental or security-related changes. You use the policy editor to make these changes and distribute them to the agents. The communications channel used to distribute policy changes must be responsive, reliable, and secure. HIPS products use one or more of the following communications models:
Most HIPS products use some kind of encryption to ensure that communications between the agents and the management center cannot be overheard (eavesdropping). The same secured channel also authenticates the agents and the management center to each other, so that agents cannot deliver events to, or receive updates from, an unauthorized or spoofed source. Eavesdropping and spoofing are very common attack vectors, so communications security is very important.

Management Interface

The tool HIPS administrators use to interact with the management center is the management interface, and it comes in two forms: an installed client user interface or a web interface. Although a full client interface sometimes offers more functionality, a web interface is well suited to remote administration. In either case, communications between the management interface and the management center should be secured as carefully as agent-to-management-center communications: enforce strong authentication, encryption, and least privilege, in addition to the layers of defense you usually apply. The endpoint on which the interface is installed should also have a HIPS agent installed, to prevent attackers from piggybacking on the administrator's access.
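The anti-spoofing half of the agent-to-management-center channel described above, as an added example (not code from the book or from any HIPS product). Every message carries a per-agent HMAC-SHA256 tag and a monotonic sequence or version number, so the receiver rejects messages from an unknown or forged sender, altered messages, replays of old events, and rollback to an older policy. Confidentiality, the anti-eavesdropping half, is deliberately not shown; a real product carries this inside TLS with certificate-based mutual authentication. The key-provisioning scheme, message fields, and names are all assumptions.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(msg):
    # Deterministic encoding so sender and receiver hash identical bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def seal(key, msg):
    """Wrap msg in an envelope carrying an HMAC-SHA256 tag computed under key."""
    return {"msg": msg, "mac": hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()}


def verify(key, envelope):
    """Return the inner message if its tag is valid under key, otherwise None."""
    expected = hmac.new(key, _canonical(envelope["msg"]), hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, envelope["mac"]):  # constant-time comparison
        return envelope["msg"]
    return None


class ManagementCenter:
    def __init__(self):
        self.agent_keys = {}   # agent_id -> per-agent key, set at enrollment
        self.last_seq = {}     # agent_id -> highest accepted event sequence number
        self.events = []
        self.policy_version = 0

    def enroll(self, agent_id):
        # Assumed: the key is delivered out of band when the agent is installed.
        key = secrets.token_bytes(32)
        self.agent_keys[agent_id] = key
        self.last_seq[agent_id] = 0
        return key

    def receive_event(self, envelope):
        """Store an agent event, or return why it was rejected."""
        agent_id = envelope["msg"].get("agent")
        key = self.agent_keys.get(agent_id)
        if key is None:
            return "rejected: unknown agent"
        msg = verify(key, envelope)
        if msg is None:
            return "rejected: bad mac"   # forged sender or altered content
        if msg.get("type") != "event":
            return "rejected: wrong message type"
        if msg["seq"] <= self.last_seq[agent_id]:
            return "rejected: replay"
        self.last_seq[agent_id] = msg["seq"]
        self.events.append(msg)
        return "accepted"

    def push_policy(self, agent_id, rules):
        """Sign a policy update for one agent under that agent's own key."""
        self.policy_version += 1
        body = {"type": "policy", "version": self.policy_version, "rules": rules}
        return seal(self.agent_keys[agent_id], body)


class Agent:
    def __init__(self, agent_id, key):
        self.agent_id = agent_id
        self.key = key
        self.seq = 0
        self.policy = {"version": 0, "rules": {}}

    def event(self, kind, action):
        self.seq += 1
        body = {"type": "event", "agent": self.agent_id, "seq": self.seq,
                "kind": kind, "action": action}
        return seal(self.key, body)

    def apply_policy(self, envelope):
        msg = verify(self.key, envelope)
        if msg is None or msg.get("type") != "policy":
            return "rejected: not a policy from the management center"
        if msg["version"] <= self.policy["version"]:
            return "rejected: stale policy"   # blocks rollback to an older, weaker policy
        self.policy = msg
        return "applied"


def run_scenario():
    """Constructed exchange exercising the genuine case and the hostile ones."""
    mc = ManagementCenter()
    key = mc.enroll("web01")
    agent = Agent("web01", key)
    out = {}
    env = agent.event("buffer_overflow_blocked", "process terminated")
    out["genuine"] = mc.receive_event(env)
    out["replay"] = mc.receive_event(env)
    out["tampered"] = mc.receive_event({**env, "msg": {**env["msg"], "action": "allowed"}})
    out["forged"] = mc.receive_event(seal(secrets.token_bytes(32), env["msg"]))
    out["unknown"] = mc.receive_event(seal(key, {**env["msg"], "agent": "ghost"}))
    policy = mc.push_policy("web01", {"deny_write": ["/etc/passwd"]})
    out["policy"] = agent.apply_policy(policy)
    out["rollback"] = agent.apply_policy(policy)
    out["reflected"] = agent.apply_policy(env)
    return out
```

Two design points worth noting. Policy is signed under each agent's own key rather than a single key shared by all agents, so a compromised agent cannot forge policy for any other host; and the `type` field separates the two directions, so an attacker cannot reflect a captured event envelope back at the agent as if it were a policy update. The sequence and version checks are what stop an attacker who can only record and replay traffic, which is exactly the position eavesdropping gives them.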