Summary


In this chapter, we looked at reinforcing the security of the network perimeter by equipping hosts with defense components of three types: antivirus products, host-based firewalls, and host-based IDS software. We examined the strengths and weaknesses of each category of host defense components, and you learned to take them into account when designing and implementing a defense-in-depth architecture.

We rely on antivirus products to defend hosts against malicious software, with the understanding that they cannot detect every malware specimen that can find its way onto the system. We use host-based firewalls to protect the system from network attacks that are not blocked by traditional network firewalls. Host-based firewalls are configured based on the business requirements of the individual host on which they run, and they can usually block inbound as well as outbound network traffic. Some potentially vulnerable channels might need to remain open for the host to perform its function; these can be watched over with the use of a host-based IDS. Host-based intrusion detection further complements network IDS by monitoring the host's internal parameters, such as critical files, logs, and local user activity.

As a category of security tools, host defense components possess several limitations that need to be accounted for in the overall design of the network perimeter. We examined some of these at the end of the chapter. You learned what to expect from a host defense component running on a compromised system, as well as how to manage host defense components installed on systems throughout the organization. We will take advantage of our knowledge of the strengths and weaknesses of host and network defense components in Part III, "Designing a Secure Network Perimeter," where we concentrate on architecture considerations of the network security perimeter.



    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    EAN: 2147483647
    Year: 2005
    Pages: 230
