Chapter 10. Host Defense Components


The host's perimeter, operating system (OS), and applications are our last line of defense against network attacks. If an attacker manages to get through or around your firewall, or if you are defending against malicious code or an insider, it is up to the host to limit the scope of the potential compromise. In Chapter 9, "Host Hardening," we explained how to configure the system's OS and related applications to help the host withstand local and network-based attacks. We locked down the file system, disabled unnecessary accounts and services, enforced strong passwords, fine-tuned group membership, and applied patches. This chapter builds on the concepts of hardening by demonstrating how hosts can play an active role in protecting data and services. In a layered security architecture, hosts that are configured according to the risks they might face and to the tasks they need to fulfill reinforce perimeter components such as routers, firewalls, and network intrusion detection systems.

In this chapter, we explain how to use hosts to help detect and isolate attacks, and we discuss tools and approaches that will help you strengthen the system's defenses. We look at how the needs of different host categories vary and describe best-fit roles for antivirus software, host-based intrusion detection products, and other host-based tools. We also talk about host-based firewalls and how they compare to the gateway firewalls you have seen in the book so far. We examine the strengths and weaknesses of each type of host defense component to allow you to effectively incorporate any of them into the design of the overall network security perimeter.



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    EAN: 2147483647
    Year: 2005
    Pages: 230
