We have examined host defense components that help provide defense in depth at the level of an individual host and allow us to treat the host as an active member of the overall security perimeter. We have discussed individual strengths and weaknesses of each component type. In this section, we look at major challenges that face host defense components as a unified product category. Some of these challenges, which impact the deployment of antivirus software, host-based firewalls, and host IDS components, are listed next:
Let's take a closer look at these challenges so that we are prepared to adjust the design of the overall security perimeter accordingly.
Defense Components on Compromised Hosts
As you probably realize, systems that are protected by host defense components can still be compromised. The attacker can deploy a malicious agent that is not recognized by the antivirus software or can bypass the host's firewall protection via an open port or through another compromised route. As a result, an attacker can delete security logs, create new accounts, install backdoor programs, and disable locally installed security components. To minimize the likelihood that such an attack will succeed, we deploy multiple security components that work in unison, but we need to be prepared for the possibility that our controls will be bypassed.
The host-hardening procedures we discussed in Chapter 9 offer an effective way to limit the scope of the attacker's influence on the compromised host. A constraining mechanism that we mention in Chapter 13 calls for the use of chroot to create a "jail" around an application on a UNIX system. Additionally, a host-based firewall on the compromised host has not necessarily outlived its usefulness; it can still assist the administrator in detecting the compromise, and it can help restrict a host's access to other systems on the network.
Although these measures can help dampen the attacker's progress, the effectiveness of host defense components drastically decreases after the intruder has gained access to the system. Having access to the host gives the attacker the capability to target the system's defense components from within. Malware specimens, for example, have been known to proactively fortify their positions on the infected system. Many worms automatically kill processes of common antivirus products, personal firewalls, and other host-based security controls. These actions make it more difficult for the victim to determine that the system has been compromised, make it easier for the infection to spread to other systems, and allow attackers to use the system without the interference of host-based firewalls that would otherwise stop unauthorized incoming and outgoing activity.
Controlling Distributed Host Defense Components
Another challenge to the deployment of host defense components lies in the ability to centrally manage large numbers of them. Any participant of the security perimeter, whether it is a router, a firewall, or an IDS, needs to be watched over after it has been installed. This often involves fine-tuning its configuration, installing software updates, reviewing activity logs, and responding to alerts. The more security components we have to manage, the more challenging it is to do so effectively. Manually maintaining a limited number of servers is something that is possible with a relatively small staff, but the challenges increase as we consider deploying host defense components on workstations throughout the organization.
Attackers have developed effective mechanisms for centrally controlling thousands of victimized computers in an efficient manner. Copies of the Leaves worm, for example, knew to retrieve encrypted instructions for operation from a network of publicly accessible websites. Instances of the SRVCP Trojan were programmed to log in to specific Internet Relay Chat (IRC) channels and sit there waiting for instructions from the attacker.
Antivirus products are the oldest among the host defense components we discussed in this chapter. As a result, their means of effectively operating in large numbers are the most mature. Nearly every antivirus product has the ability to automatically retrieve virus signature and antivirus software updates from the vendor's site, without special modifications to the organization's existing infrastructure. This helps ensure that antivirus software is up to date, but it does not really assist the company's system administrators in keeping an eye on the effectiveness of virus protection. Major antivirus vendors offer products that centrally manage distributed antivirus software installations. For example, Symantec System Center allows the administrator to use Microsoft Management Console to see what, if any, viruses were found on Norton AntiVirus installations throughout the company, obtain copies of infected files, and remotely install and update antivirus software on multiple hosts.
Makers of commercial host-based firewalls and IDS software also offer products for centrally managing their defense components that are installed on multiple hosts. These enterprise-centric products are typically structured to consist of the following major tiers:
Most of the commercial products we discussed in this chapter follow this architecture. Also, most commercial host-based products have been merging into host-based product suites. For example, Tiny Firewall originally offered only personal firewall capabilities; it has been expanded to provide file integrity protection, network traffic intrusion detection and prevention, and Windows-specific monitoring, such as file and Registry key access. The Norton Internet Security suite offers antivirus, personal firewall, pop-up blocking, spam and website filtering, and privacy protection for hosts. Using a single product suite that provides adequate host-based protection is much easier to administer than several separate products, each with its own configuration and maintenance needs.
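A central management tier is also the place to notice that an agent on a compromised host has been killed, as described in the "Defense Components on Compromised Hosts" section above, because a killed agent cannot report its own death. The following added example (not code from the book or from any of the products it names) shows the check a console could run over its agent heartbeat log; the log format, the host names, the component names, and the five-minute reporting interval are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed heartbeat log as a hypothetical central console would collect it
# (not from the book): timestamp, host, defense component, self-reported status.
SAMPLE_HEARTBEATS = """\
2004-03-01T10:00:05 ws-101 antivirus ok
2004-03-01T10:00:07 ws-101 hostfw ok
2004-03-01T10:00:09 ws-101 hids ok
2004-03-01T10:00:11 ws-102 antivirus ok
2004-03-01T10:00:12 ws-102 hostfw ok
2004-03-01T10:00:14 ws-102 hids ok
2004-03-01T10:10:05 ws-101 antivirus ok
2004-03-01T10:10:07 ws-101 hostfw ok
2004-03-01T10:10:09 ws-101 hids ok
2004-03-01T10:10:11 ws-102 antivirus ok
2004-03-01T10:10:12 ws-102 hostfw stopped
2004-03-01T10:15:01 ws-103 antivirus ok
"""

EXPECTED = ("antivirus", "hostfw", "hids")  # every managed host must run all three
INTERVAL = timedelta(minutes=5)              # assumed agent reporting interval
MISSED_LIMIT = 2                             # missed reports before an agent is "silent"


def parse_heartbeats(text):
    """Turn log lines into (timestamp, host, component, status) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, host, component, status = line.split()
            records.append((datetime.fromisoformat(ts), host, component, status))
    return records


def find_tampered_agents(records, now):
    """Return (host, component, reason) for agents that never reported, reported
    a non-ok status, or have been silent for more than MISSED_LIMIT intervals."""
    last = {}  # (host, component) -> (timestamp, status) of the newest report
    for ts, host, component, status in records:
        key = (host, component)
        if key not in last or ts > last[key][0]:
            last[key] = (ts, status)
    findings = []
    for host in sorted({rec[1] for rec in records}):
        for component in EXPECTED:
            seen = last.get((host, component))
            if seen is None:
                findings.append((host, component, "never reported"))
            elif seen[1] != "ok":
                findings.append((host, component, f"reported {seen[1]}"))
            elif now - seen[0] > INTERVAL * MISSED_LIMIT:
                findings.append((host, component, f"silent since {seen[0].isoformat()}"))
    return findings


def check_console_log(text, now_iso):
    """Convenience wrapper: evaluate a heartbeat log at the given ISO timestamp."""
    return find_tampered_agents(parse_heartbeats(text), datetime.fromisoformat(now_iso))
```

Run against the sample at 10:19, the check flags the firewall on ws-102 that reported itself stopped, the HIDS on ws-102 that simply went quiet, and the two agents that were never installed on ws-103, while the healthy ws-101 produces nothing.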