Host Intrusion Prevention Benefits


Host Intrusion Prevention products can address or mitigate a variety of different problems. Proper use and selection of HIPS products should include a process in which you match the problems your organization is facing with the benefits HIPS products provide. Before you can enter into that process, you need to know exactly how HIPS products can benefit your organization and what problems they solve.

This section concentrates on some of the benefits provided by HIPS, including the following:

  • Attack prevention

  • Patch relief

  • Internal attack propagation prevention

  • Policy enforcement

  • Regulatory requirements

Attack Prevention

HIPS products can stop well-known and new attacks. The ability to stop a well-known attack is not particularly notable because a wide variety of countermeasures can do so. Increasingly complex and rapidly propagating viruses, worms, and Trojan horses (see Chapter 5, "Intrusion Prevention Overview") make it incredibly difficult for organizations to adequately update and reconfigure their existing countermeasures in response to new attacks. If an organization is the victim of a widespread virus, worm, or Trojan incident, cleanup and remediation costs in terms of time, lost productivity, and damaged data are usually extensive.

Thus, the most important benefit provided by HIPS is that it can stop both well-known and new attacks. This drastically reduces cleanup and remediation costs. Other benefits, like patch relief, are derived from this ability to prevent new and unknown attacks.

Patch Relief

Every day, new security vulnerabilities are discovered and patches are created to eliminate the new vulnerabilities. Organizations spend a great deal of time and money deploying these new patches. Patching is, in some cases, a very large information technology budget item.

Vulnerabilities and Patches

Vulnerabilities are nothing more than openings or exposures that can be exploited. Exploits take advantage of vulnerabilities, whereas attacks use exploits for nefarious purposes. Patches are used to eliminate vulnerabilities.

A good analogy is the doorway to your home. It is a vulnerability, or opening, that can be used to gain entry to your house. An attacker who walks through the door has exploited the vulnerability, and if the attacker were to steal something from inside, that would be an attack. To patch the vulnerability, you could lock the door or brick it up.


Two factors conspire to make patching so costly. The first is that a tremendous number of vulnerabilities exist to be patched, and new ones are unearthed constantly. The second is that the time between the discovery of a vulnerability and the creation of an exploit that takes advantage of it is shrinking (see the following note). Together, these mean that companies have more vulnerabilities to patch and less time in which to do it. Each individual patch costs money to deploy, and companies cannot wait to deploy multiple patches at once because an exploit might be available any minute.

The shrinking vulnerability-to-exploit window has a second consequence: organizations have very little time to test patches before they are deployed. An improperly written patch can "break" the program being patched. This is a risk organizations run every time they roll out a patch they did not have time to fully test.

Note

The vulnerability-to-exploit window is the time between the discovery of a vulnerability and the availability of an exploit that takes advantage of the vulnerability. The longer the window is, the more time the vendors and customers have to create and deploy patches to remove the vulnerability.


A HIPS can stop new and unknown attacks, so patching does not have to be as high a priority. If you are already protected against the attack that a patch addresses, you have time to test the patch to discover its impact on your environment. You might also be able to save time and money by applying multiple patches together instead of deploying them one by one. For example, applying a Windows service pack that contains dozens of patches might cost less than applying the patches in the service pack individually. Note that the HIPS does not remove the underlying vulnerability; it buys time to patch in an orderly way rather than eliminating the need to patch.

Internal Attack Propagation Prevention

The Internet is a very common way to launch an attack against a host, and many organizations focus their attention on the Internet attack vector. However, once a single host has been compromised, it becomes the attacker. The propagation vector is no longer Internet to internal host; it becomes internal host to internal host.

Furthermore, hosts like laptops are portable. They are shielded from the Internet by network countermeasures while they are in the office, but are exposed when they are connected to the Internet at home or sharing a public network with potentially malicious users. If a host is infected while it is outside the corporate office and is then reconnected to the corporate network, the attack vector is once again internal host to internal host. Thus, hosts must be able to defend themselves against attack without the benefit of network security countermeasures.

The only feasible way to address the issue of internal attack propagation is to use software that resides on the host itself instead of the network. HIPS can prevent a protected host from attacking others, and it can prevent the host from being a victim of an attack.

Policy Enforcement

While the primary benefit of HIPS rests in its ability to secure an endpoint, many HIPS products are also able to enforce corporate computer security policy. Corporate security policies contain procedures and guidelines that, if followed, mitigate the risk of attack. Some organizations do not have security policies, but those that do often have a hard time making sure they are being followed.

For example, the security policy might state that hosts equipped with both wired and wireless network adapters should never have both in use at the same time. Using both simultaneously does not damage the host in any way, but does present a security risk (see the "Wired and Wireless Network Adapters" sidebar). Some HIPS are able to enforce the policy by shutting down one adapter when the other becomes active.

Wired and Wireless Network Adapters

Most of the laptop computers manufactured today have a variety of built-in network adapters. That way, the laptop can use physical connections, wireless connections, and possibly Bluetooth at the same time. Although this is a very convenient hardware arrangement for users, it presents three distinct security risks if more than one adapter is active simultaneously.

The first risk is related to non-corporate wireless access points. The user could be connected to the wired network and, at the same time, the wireless adapter could inadvertently connect to an access point that is not under corporate control. Anyone who is connected to the access point can potentially use the laptop to gain unauthorized access to the corporate LAN.

The second risk has to do with ad hoc wireless networking. Ad hoc networking allows two computers with wireless network adapters to connect to each other directly rather than through an access point. If the user is connected to the corporate network and has ad hoc networking enabled, the wireless adapter might automatically connect to another computer. The other computer, which might be in use by an attacker, now has access to data on the corporate network.

The third risk is that the laptop user could use a wireless connection to intentionally deliver confidential data to a storage place that is outside of corporate control. For example, the user could connect the laptop to the LAN and connect wirelessly to a host on the Internet. This arrangement allows the user to very quickly transmit vast amounts of confidential information to an uncontrolled location.
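As an added example (not from the book or any particular HIPS product), the following PowerShell script enforces the one-medium-at-a-time policy in the way the text says some HIPS do: when a wired and a wireless adapter are both up, the less-preferred one is disabled. It assumes a Windows 8 / Server 2012 or later host with the NetAdapter module, an elevated session, and the MediaType strings '802.3' and 'Native 802.11' that Get-NetAdapter reports for Ethernet and Wi-Fi; the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the book. Policy: a host must never have a wired and a
# wireless adapter active at the same time. Enforcement: when both are up,
# disable the less-preferred medium (wireless by default, as in the text).

function Get-ActivePhysicalAdapter {
    # Physical NICs only, so VPN, loopback and virtual-switch adapters are ignored.
    Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }
}

function Invoke-SingleMediumPolicy {
    param(
        # Which medium wins when both are active. The book's example keeps the wired link.
        [ValidateSet('Wired', 'Wireless')]
        [string]$Prefer = 'Wired',

        # Report violations without changing anything (run this first during rollout).
        [switch]$ReportOnly
    )

    $active   = @(Get-ActivePhysicalAdapter)
    $wired    = @($active | Where-Object { $_.MediaType -eq '802.3' })
    $wireless = @($active | Where-Object { $_.MediaType -eq 'Native 802.11' })

    # No violation unless both media are in use at once.
    if ($wired.Count -eq 0 -or $wireless.Count -eq 0) {
        Write-Verbose 'Policy satisfied: at most one medium is active.'
        return @()
    }

    $toDisable = if ($Prefer -eq 'Wired') { $wireless } else { $wired }
    $disabled  = @()

    foreach ($nic in $toDisable) {
        $msg = "Policy violation: '$($nic.Name)' ($($nic.MediaType)) is active while a $($Prefer.ToLower()) adapter is also up."
        Write-Warning $msg
        if (-not $ReportOnly) {
            # -Confirm:$false suppresses the interactive prompt so this can run unattended.
            Disable-NetAdapter -Name $nic.Name -Confirm:$false
        }
        $disabled += $nic.Name
    }
    # Names of the adapters that were (or would be) disabled.
    return $disabled
}

# Dry run: list what would be cut without touching anything.
Invoke-SingleMediumPolicy -Prefer Wired -ReportOnly -Verbose
```

To approximate "shutting down one adapter when the other becomes active," run the function from a scheduled task triggered by network-connect events or on a short timer, and drop -ReportOnly once the output looks right. Two caveats a practitioner would want: Bluetooth and wireless-WAN adapters report other MediaType values and are left alone here, and a user with local administrator rights can simply re-enable the adapter. A real HIPS agent enforces from a protected service and alerts centrally, which a script cannot replicate.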


The policy could also state that removable storage devices should not be used to store data. Storing data on removable storage does no harm by itself, but it does make the data much more portable and easier to steal. To enforce the policy, you could remove the floppy drive, optical recorder, Universal Serial Bus (USB) ports, parallel ports, and serial ports from each system before you allow it to be used. Removing all of those devices is tedious and prevents the user from using the devices for purposes that are permitted by policy.

Another option to enforce the removable storage policy is to use HIPS to control the flow of data from the hard drive or the network to removable storage devices. You can prevent anything from being written to removable storage, while allowing anything to be read. The devices can be used for legitimate purposes, but the user cannot violate policy. Figure 5-1 displays a message the user might see if the policy was violated.

Figure 5-1. Using HIPS to Control USB Storage
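As a second added example (again not from the book, and not the product shown in Figure 5-1), this PowerShell fragment shows one built-in way to get the read-allowed, write-blocked behaviour the text describes for USB storage: the WriteProtect value under HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies, which Windows applies to USB mass-storage devices attached after it is set. It assumes an elevated session on Windows XP SP2 or later; the function names and the probe file name are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the book. Read-only removable storage via the Windows
# StorageDevicePolicies\WriteProtect switch. Devices already attached when the
# value changes must be re-plugged for the new setting to apply.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-RemovableWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # DWORD 1 = reads allowed, writes refused; 0 = normal behaviour.
    New-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

function Test-RemovableWriteProtect {
    # Compliance check: $true only when the value exists and is 1.
    $prop = Get-ItemProperty -Path $PolicyKey -Name 'WriteProtect' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.WriteProtect -eq 1)
}

function Test-RemovableDriveWritable {
    # Behavioural check: attempt a write on every removable drive (DriveType 2) and
    # report which ones accept it. Reads are unaffected by the policy, so only
    # writes are probed; the probe file is removed if the write succeeds.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        $probe    = "$($_.DeviceID)\hips-write-probe.tmp"
        $writable = $true
        try {
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $probe -ErrorAction SilentlyContinue
        } catch {
            $writable = $false
        }
        [pscustomobject]@{ Drive = $_.DeviceID; Writable = $writable }
    }
}

Set-RemovableWriteProtect -Enabled $true
Test-RemovableWriteProtect        # $true once the value is set
Test-RemovableDriveWritable       # Writable is $false for devices plugged in after the change
```

This is an operating-system setting rather than a HIPS agent: it covers USB mass-storage devices, not optical recorders or other removable media, a local administrator can flip it back, and it produces no user-facing message of the kind in Figure 5-1. In a managed domain the same effect is available through the Group Policy setting "Removable Disks: Deny write access." The advantage the text attributes to HIPS is enforcement from a protected process together with logging and a visible explanation when the policy is violated.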


Acceptable Use Policy Enforcement

Another type of corporate policy HIPS can help enforce is the acceptable use policy. Acceptable use policies are different from security policies because they contain instructions related to proper use rather than security. For example, a security policy for company automobiles would enforce the use of seat belts because not using them is dangerous. An acceptable use policy might say that the car should be used for business purposes only. Using the car for personal use is not inherently dangerous as long as the security policy is followed, but it is not the proper way to use the corporate car.

Corporations often have an information technology acceptable use policy stating that employees should not use peer-to-peer (P2P) software to download or share copyrighted materials such as music or movies. Detecting the use of P2P software in an effort to enforce the policy is not always easy. HIPS can, in many cases, solve the problem by detecting and preventing the use of P2P.

A second example of an acceptable use policy relates to the use of the Internet. Such a policy states that Internet use is reserved for business purposes only. Employees who use the Internet for other purposes, like shopping or downloading pornographic materials, are subject to discipline. HIPS can be used to discern which users have violated the policy. It can also generate evidence to support disciplinary action, such as the name of the user who violated the policy, a list of restricted websites the user visited, and when the user visited them.

Regulatory Requirements

The final benefit is that HIPS can often help fulfill government regulatory requirements. For example, the Administrative Simplification provisions of the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) define standards for the security and privacy of health data. There are many ways to meet those standards, and HIPS products are sometimes a good fit.




Intrusion Prevention Fundamentals
ISBN: 1587052393