Host-based IPS: A New Take on Old Problems

 
 
By Andrew Garcia  |  Posted 2007-01-29 Print this article Print
 
 
 
 
 
 
 

Review: There are many roads to HIPS; eWEEK Labs recommends the least-bumpy for enterprises.

There are numerous techniques for providing host-based intrusion prevention capabilities, but eWEEK Labs believes there are two that will best complement enterprises current strategies: vulnerability inspection and application and process vetting.

These technologies can be found in disparate solutions, but both should be seen as extensions of existing projects rather than as security as a means unto itself.
Vulnerability inspection works to shore up the problem of the diminished patch window. Administrators already have a tough time keeping up with new patches for operating systems, applications and even existing security solutions.
Limited resources and the need to maintain usage agreements remain reasons that patches arent installed. Add to that an increasing number of zero-day exploits, and the window of opportunity for IT implementers to test and deploy patches to servers and desktops is almost completely disappearing. Indeed, many administrators have quietly given up trying, which is really the worst response possible. Vulnerability inspection looks for exploit code and removes it from the stream. Defenses must be updated periodically as new vulnerabilities are discovered and analyzed, but not with the frequency needed for signature-based exploit detectors. Best of all, vulnerability inspection gives administrators time to acquire, test and deploy patches, which is still the best defense of all (and a practice that should be continued). Weve seen a number of takes on this type of vulnerability defense. As a stand-alone HIPS (host intrusion prevention system) provider, Determina has been a big proponent of this approach with its VPS (Vulnerability Protection Suite) products. Vulnerability inspection wont be found in run-of-the-mill anti-virus solutions, but companies such as Symantec and Panda Software have added it to their more advanced security suites (usually those with a firewall). McAfee includes vulnerability inspection capabilities not in any of its anti-virus platforms but, rather, in its McAfee Host Intrusion Prevention suite. Other companies, such as Blue Lane Technologies, take this breed of defense off the desktop, instead putting it in a network gateway device that provides vulnerability-specific blocking for Internet-facing servers. This approach does not require installation of software components on individual servers, so it will be a huge timesaver for organizations that are expanding their data center presence with both real and virtual servers. eWEEK Labs has often touted the advantages of a least-privileged-user desktop environment. By denying administrative credentials to users, IT administrators can help curb the installation of unapproved software and limit the damage done by many malware strains. TJX intrusion highlights pursuit of corporate data. Click here to read more. But we also acknowledge that a least-privileged-user environment is just a step toward improved security, as some malware and applications can operate solely in the user space. Some threats dont need to access restricted parts of the file system or registry to get a toehold on the system, and there are privilege-escalating threats floating around that could be combined with other exploits to access privileged parts of the operating system. The second type of HIPS technology we advocate aims to fill this breach by controlling the processes and applications that are actually allowed to run on a workstation. Products such as Bit9s Parity 3.5 maintain a list of approved applications that are allowed to run, denying all others. Unauthorized applications, installers and malware are effectively neutered because they cannot run without ITs approval. Last year, we reviewed a pair of products designed to help corporations implement least user privilege by enabling applications. In our tests, both Winternals Softwares Protection Manager and DesktopStandards PolicyMaker Application Security allowed corporations to target and run poorly coded applications with the necessary elevated security rights while the user on the whole maintained limited privileges. (Since our review, Microsoft has acquired Winternals and DesktopStandard.) Bit9s Parity is a natural adjunct to these products-in a nutshell, going the other way by denying applications instead of elevating them. But Bit9 would do well to meld the technologies: Instead of focusing on Parity as a security solution, Bit9 should target the product as a complete process privilege management solution-one that not only locks out unwanted applications but also provides the flexibility to selectively elevate an applications execution credentials. In the highly competitive HIPS security market, Parity suffers by comparison with other products. Parity doesnt clean anything, doesnt plug vulnerabilities and doesnt detect malicious code-basically, it doesnt do anything that traditional security products do. With a more expanded focus, Bit9-or another player-could be the dominant player in an underserved privilege management market. And this is a market that we expect will grow significantly as Windows Vista introduces a new audience to least user privilege through the operating systems integrated User Account Control feature. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.
 
 
 
 
Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel