Home > Articles > Cisco

  • Print
  • + Share This
This chapter is from the book

Host and Network IPS

IPS technology can be network based and host based. There are advantages and limitations to HIPS compared with network-based IPS. In many cases, the technologies are thought to be complementary.

Host-Based IPS

HIPS audits host log files, host file systems, and resources. A significant advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. HIPS can combine the best features of antivirus, behavioral analysis, signature filters, network firewalls, and application firewalls in one package. Note that the Cisco HIPS solution, Cisco Security Agent (CSA), is signature-free that reduces the maintenance required to be performed on that software.

A simple form of HIPS enables system logging and log analysis on the host. However, this approach can be extremely labor intensive. When implementing HIPS, the CSA software should be installed on each host to monitor all activity performed on, and against, the host. CSA performs the intrusion detection analysis and protects the host.

A Cisco HIPS deployment using CSA provides proactive security by controlling access to system resources. This approach avoids the race to update defenses to keep up with the latest exploit, and protects hosts even on day zero of a new attack. For example, the Nimda and SQL Slammer worms did millions of dollars of damage to enterprises on the first day of their appearance, before updates were even available; however, a network protected with a CSA stopped these attacks without any updates by identifying their behavior as malicious.

Host-based IPS operates by detecting attacks that occur on a host on which it is installed. HIPS works by intercepting operating system and application calls, securing the operating system and application configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious activity.

More precisely, HIPS functions according to the following steps, as shown in Figure 6-5:

  • Step 1. An application calls for system resources.
  • Step 2. HIPS checks the call against the policy.
  • Step 3. Requests are allowed or denied.
Figure 6-5

Figure 6-5 HIPS Operations Steps

HIPS uses rules that are based on a combination of known attack characteristics and a detailed knowledge of the operating system and specific applications running on the host. These rules enable HIPS to determine abnormal or out-of-bound activity and, therefore, prevent the host from executing commands that do not fit the correct behavior of the operating system or application.

HIPS improves the security of hosts and servers by using rules that control operating system and network stack behavior. Processor control limits activity such as buffer overflows, Registry updates, writes to the system directory, and the launching of installation programs. Regulation of network traffic can help ensure that the host does not participate in accepting or initiating FTP sessions, can rate-limit when a denial-of-service (DoS) attack is detected, or can keep the network stack from participating in a DoS attack.

The topology in Figure 6-6 shows a typical Cisco HIPS deployment. CSA is installed on publicly accessible servers, corporate mail servers, application servers, and on user desktops. CSA reports events to a central console server that is located inside the corporate firewall. CSA is managed from a central management console.

Figure 6-6

Figure 6-6 HIPS deployment

The advantages and limitations of HIPS are as follows:

  • Advantages of HIPS: The success or failure of an attack can be readily determined. A network IPS sends an alarm upon the presence of intrusive activity but cannot always ascertain the success or failure of such an attack. HIPS does not have to worry about fragmentation attacks or variable Time to Live (TTL) attacks because the host stack takes care of these issues. If the network traffic stream is encrypted, HIPS has access to the traffic in unencrypted form.
  • Limitations of HIPS: There are two major drawbacks to HIPS:

    • HIPS does not provide a complete network picture: Because HIPS examines information only at the local host level, HIPS has difficulty constructing an accurate network picture or coordinating the events happening across the entire network.
    • HIPS has a requirement to support multiple operating systems: HIPS needs to run on every system in the network. This requires verifying support for all the different operating systems used in your network.

Network-Based IPS

Network IPS involves the deployment of monitoring devices, or sensors, throughout the network to capture and analyze the traffic. Sensors detect malicious and unauthorized activity in real time and can take action when required. Sensors are deployed at designated network points that enable security managers to monitor network activity while it is occurring, regardless of the location of the attack target.

Network IPS sensors are usually tuned for intrusion prevention analysis. The underlying operating system of the platform on which the IPS software is mounted is stripped of unnecessary network services, and essential services are secured (that is, hardened). The hardware includes the following components:

  • Network interface card (NIC): Network IPS must be able to connect to any network (Ethernet, Fast Ethernet, Gigabit Ethernet).
  • Processor: Intrusion prevention requires CPU power to perform intrusion detection analysis and pattern matching.
  • Memory: Intrusion detection analysis is memory intensive. Memory directly affects the capability of a network IPS to efficiently and accurately detect an attack.

Network IPS gives security managers real-time security insight into their networks regardless of network growth. Additional hosts can be added to protected networks without needing more sensors. When new networks are added, additional sensors are easy to deploy. Additional sensors are required only when their rated traffic capacity is exceeded, when their performance does not meet current needs, or when a revision in security policy or network design requires additional sensors to help enforce security boundaries.

Figure 6-7 shows a typical network IPS deployment. The key difference between this network IPS deployment example and the previous HIPS deployment example is that there is no CSA software on the various platforms. In this topology, the network IPS sensors are deployed at network entry points that protect critical network segments. The network segments have internal and external corporate resources. The sensors report to a central management and monitoring server that is located inside the corporate firewall.

Figure 6-7

Figure 6-7 Network-Based IPS Deployment

The advantages and limitations of network IPS are as follows:

  • Advantages of network IPS: A network-based monitoring system has the benefit of easily seeing attacks that are occurring across the entire network. Seeing the attacks against the entire network gives a clear indication of the extent to which the network is being attacked. Furthermore, because the monitoring system is examining only traffic from the network, it does not have to support every type of operating system that is used on the network.
  • Limitations of network IPS: Encryption of the network traffic stream can essentially blind network IPS. Reconstructing fragmented traffic can also be a difficult problem to solve. Possibly the biggest drawback to network-based monitoring is that as networks become larger (with respect to bandwidth), it becomes more difficult to place network IPS at a single location in the network and successfully capture all the traffic. Eliminating this problem requires the use of more sensors throughout the network. However, this solution increases costs.
Figure 6-8

Figure 6-8 Enterprise Campus Topology with Its Management Module

Comparing HIPS and Network IPS

Table 6-5 compares the advantages and limitations of HIPS and network IPS.

Table 6-5. Advantages and Limitations of Host-Based IPS and Network-Based IPS

Advantages

Limitations

HIPS

Is host specific

Operating system dependent

Protects host after decryption

Lower-level network events not seen

Provides application-level encryption protection

Host is visible to attackers

Network IPS

Cost-effective

Cannot examine encrypted traffic

Not visible on the network

Does not know whether an attack was successful

Operating system independent

Lower-level network events seen

A host-based monitoring system examines information at the local host or operating system. Network-based monitoring systems examine packets that are traveling through the network for known signs of intrusive activity. As you move down the feature list toward network IPS, the features describe network-based monitoring features; application-level encryption protection is a HIPS feature, whereas DoS prevention is a network IPS feature.

  • + Share This
  • 🔖 Save To Your Account