HIPS
Unlike HIDS solutions, which tell you only that a suspicious event took place, HIPS solutions attempt to stop the suspicious activity from happening in the first place. Like NIPS appliances, HIPS solutions can use signature- or behavioral-based approaches. For example, suppose an attacker wants to carry out a buffer overflow so that his malicious code can run in the memory space of the kernel. To prevent this type of activity, the HIPS solution reviews the system call and compares it to either a list of signatures or a list of known good behaviors. If the HIPS solution identifies the call as malicious, it doesn't allow access. Vendors can use one or both approaches in their products. For example, McAfee's Entercept uses signature- and behavioral-based methods, whereas Cisco Systems' Cisco Security Agent (formerly known as Okena StormWatch technology) uses a purely behavioral-based approach.
Although the various HIPS solutions might use different approaches, most of them employ agents, which are centrally managed, on the systems needing protection. The agents examine system and API calls to identify when an attack is being attempted. The agent must understand the security context in which the process is running, the command requests being sent to the interface, and the resource that the process is attempting to access. When a call comes in, signature-based HIPS solutions check what is usually a long list of illegal call patterns that have been identified with certain types of attacks. If the incoming call contains one of the identified patterns, they don't allow access. Behavioral-based HIPS solutions usually have specific modules for individual system-service APIs. For example, there might be a module that reviews requests between processes and the file system, a module that reviews network stack requests, a module that monitors registry requests, and so on. There are also modules for commonly used services and applications, such as DNS, DHCP, and Microsoft SQL Server.
HIPS solutions can protect against many types of attacks. For example, they can
- prevent access to email clients' contact lists so that viruses and worms can't be spread through this means
- prevent privilege escalation exploits in which a user account tries to obtain administrative or root access
- prevent the loading of root kits, backdoors, and Trojan horses
- prevent the alteration of system files, registry settings, and user accounts
- prevent buffer overflow exploits
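The following toy decision engine is an added illustration of the agent logic described above, not any vendor's code: each intercepted call carries the security context, the request and the resource, is first matched against a signature list of illegal call patterns, and then checked by a per-API module holding known-good behavior, which is how the protections in the list above (system-file and registry alteration, privilege escalation, backdoor listeners, contact-list access, buffer overflows) fall out of policy. The Call fields, the SIGNATURES patterns, the MODULES policy and the PROTECTED paths are all constructed assumptions.

```python
"""Toy HIPS decision engine (added illustration, not any vendor's code).
Signature list = known-bad call patterns; per-API modules = known-good
behavior per security context. Every pattern, path and name is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    process: str   # image name of the calling process
    context: str   # security context it runs in: "user" or "system"
    api: str       # system-service API called: "file", "registry", "network", "process"
    request: str   # operation requested on that interface
    resource: str  # object the request targets (path, key, socket, privilege, argument)


# Signature approach: constructed stand-ins for known illegal call patterns.
SIGNATURES = {
    "buffer overflow": re.compile(r"(?:\x90){16,}|A{64,}"),     # NOP sled or long filler
    "contact-list harvest": re.compile(r"\\Contacts\\.*\.wab$", re.I),
}

# Behavioral approach: one module per API, with known-good requests per context.
MODULES = {
    "file":     {"system": {"read", "write"}, "user": {"read", "write"}},
    "registry": {"system": {"read", "write"}, "user": {"read"}},
    "network":  {"system": {"connect", "listen"}, "user": {"connect"}},
    "process":  {"system": {"create", "elevate"}, "user": {"create"}},
}
# Resources only the system context may alter (system files, service keys); constructed.
PROTECTED = {
    "file": ("c:\\windows\\system32\\",),
    "registry": ("hklm\\system\\currentcontrolset\\services\\",),
}


def decide(call: Call) -> tuple[bool, str]:
    """Return (allowed, reason): signature check first, then the API module's policy."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(call.request) or pattern.search(call.resource):
            return False, f"signature: {name}"
    module = MODULES.get(call.api)
    if module is None:                       # no module for this API: fail closed
        return False, f"no module for API {call.api!r}"
    if call.request not in module.get(call.context, set()):
        return False, f"{call.request!r} not known-good for {call.context} on {call.api}"
    if (call.request == "write" and call.context != "system"
            and call.resource.lower().startswith(PROTECTED.get(call.api, ()))):
        return False, f"{call.context} context may not alter protected {call.api} resource"
    return True, "known-good behavior"
```

A real agent hooks the actual system and API calls to build each Call; here the Call objects are constructed by the caller so the policy can be exercised offline.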
What You Need to Know
Now that you know about the different types of IPSs, you can determine which type is best for your network. First, you need to figure out what type of protection your organization requires. Does it just need perimeter protection to identify any malicious traffic that has passed through the firewall? If so, you need to obtain a dedicated NIPS appliance and place it behind your firewall, most likely within your demilitarized zone (DMZ). Does your organization need to look for malicious activity within the network? If so, you need to deploy several NIPS appliances or purchase network products that have this functionality integrated into them. Do you need individual system protection? If so, you need to investigate the HIPS solutions currently on the market. Do you mainly need protection from DoS attacks (in which case you need rate-based IPS), other types of attacks (in which case you need content-based IPS), or both?
When you start talking with vendors about an IPS product, get answers to the following applicable questions:
- If it's an inline product, does it fail open or closed? If the product fails closed, you run the risk of blocking all network traffic at that point, so there needs to be a redundant component to ensure that this doesn't take place. If the product fails open, all traffic will be entering the network without being properly analyzed.
- If it's an inline product, what type of redundancy is built into it?
- Where in the network is the product designed to reside?
- What are the product's performance metrics (e.g., throughput, latency)?
- If it's a rate-based product, how difficult is it to set and maintain rate baselines?
- If it's a content-based product, what types of attacks does it look for?
- If it's a content-based product, how large is the signature base and how many signatures are enabled? (More enabled signatures can equate to more false negatives.)
- To what degree can the product be customized for your specific environment?
- What type of traffic does the product block (e.g., protocol anomalies, fragmentation attacks, buffer overflows, spoofing attacks)?
- Does the product monitor traffic coming into and going out of the network?
- How will the product work with your existing firewall and what are the proper configurations for both the product and the firewall?
- Can the product be centrally managed and configured?
- What are the product's logging and alerting capabilities?
These are good questions to start with, but you'll probably want to drill down further to ensure that you purchase the IPS product that meets your company's needs. Before purchasing the IPS product, check to see whether any reviews or comparative analyses have been done. In addition, get feedback from companies that have implemented the product.
An Immature But Promising Technology
There's no doubt that IPS is an immature technology. However, the idea behind the technology—that is, the idea of stopping all types of malicious attacks before they enter the network—seems to be a sound one. Equally important, the security industry seems to be heading in the right direction by starting to develop IPS products that provide a more holistic and integrated approach to security.