Host-based IPS guards endpoints
As network threats continue to grow in number and sophistication, a new technology offers an additional layer of protection. Host-based intrusion-prevention system (HIPS) technology protects endpoints behind the network perimeter. It combats infections and attacks at the device and server level of a network, providing a layered approach that complements investments in network-based IPS without relying on signatures that require near-constant updates.
HIPS technology is extremely accurate. It works by enforcing a fixed set of basic software conventions called the Application Binary Interface (ABI). The ABI sits one step beyond the application program interface (API): it defines the API plus the machine language for a particular CPU family. Because these conventions are universal among compiled applications, it is nearly impossible to hijack an application without violating the ABI.
HIPS deployments generally involve two components, a series of agents and a management and reporting interface. Installed on servers, HIPS agents are designed to run indefinitely with little or no administrative overhead, and prevent malicious code that enters a machine from being executed without the need for a check against threat signatures.
In practice, agents continually verify the validity of application instructions by performing checks against their origin, preventing unintended injected code from being executed. They also catch malicious code masquerading as user data. In addition, they perform checks on program control to ensure that control transfer always conforms to the ABI. This prevents applications from being tricked into handing over control to external injected code. It also catches code-reuse attacks that are emerging as the next generation of advanced attack techniques worrying security professionals.
The HIPS management and reporting interface enables thousands of agents to be deployed, managed and upgraded across an enterprise network. The interface, which is often Web-based to provide universal accessibility, allows network and security staff to perform configuration changes, monitor alerts and view reports. Many interfaces notify security professionals of issues via SMTP or other alerts. The interface also is key for analyzing trend reports, assigning users and roles according to policy, and maintaining a comprehensive audit trail.
An HIPS deployment could block the threat of the Sasser worm. The worm exploited a memory flaw in Microsoft operating systems to cause billions of dollars of damage worldwide. The previously unknown Sasser code passed through unpatched firewalls undetected, reaching unprotected servers. As the code entered the memory of the unprotected server, it immediately executed a buffer overflow that gave a remote host system-level control of that server, enabling further attacks from within an enterprise network.
In contrast, a protected server's HIPS agent examines the Sasser code as it enters the server's memory. The agent's real-time check of the code reveals the buffer overflow mechanism, a process that violates the ABI. It immediately stops the code from executing without affecting the server's performance, and notifies the management component that an attack is underway so that network and security staff can begin remediation efforts.
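To make the two agent checks described above concrete (instruction origin and ABI-conforming control transfer, and the overflow scenario that violates them), here is an added toy model in C; it is illustrative code written for this page, not any vendor's HIPS implementation, and the memory map, code bytes and addresses are constructed sample values.

```c
/* Toy model of the two checks the article attributes to a HIPS agent:
 * (1) instruction origin: code may only be fetched from an executable mapping, and
 * (2) control transfer: a return must land directly after a call instruction.
 * The memory map and code bytes below are constructed sample data, not a real process. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct region { uintptr_t start, end; int exec; };   /* half-open [start, end) */

/* Constructed layout: an executable .text segment and a non-executable stack. */
static const struct region g_map[] = {
    { 0x1000, 0x2000, 1 },   /* .text */
    { 0x7000, 0x8000, 0 },   /* stack: writable data, never code */
};
#define MAP_LEN (sizeof g_map / sizeof g_map[0])
#define TEXT_BASE 0x1000u

/* Constructed .text bytes (zero filler): an x86 "E8 rel32" near call at 0x1010,
 * so the only return address that conforms to the call/return convention is 0x1015. */
static const uint8_t g_text[0x1000] = { [0x10] = 0xE8, [0x11] = 0x00, [0x12] = 0x01 };

/* Check (1): is the instruction at addr fetched from an executable region? */
int origin_is_executable(uintptr_t addr) {
    for (size_t i = 0; i < MAP_LEN; i++)
        if (addr >= g_map[i].start && addr < g_map[i].end)
            return g_map[i].exec;
    return 0;                                     /* unmapped memory is never code */
}

/* Check (2): a return to addr conforms only if addr is executable and the
 * 5 bytes before it are an E8 call. (Simplified: a real agent would also
 * recognise the indirect "FF /2" call forms.) */
int return_conforms(uintptr_t addr) {
    if (!origin_is_executable(addr))
        return 0;
    if (addr < TEXT_BASE + 5 || addr >= TEXT_BASE + sizeof g_text)
        return 0;
    return g_text[addr - TEXT_BASE - 5] == 0xE8;
}

int main(void) {
    /* 0x1015: legitimate return site; 0x1020: code but not call-preceded;
     * 0x7100: stack address, the kind of target an overflowed return lands on. */
    const uintptr_t targets[] = { 0x1015, 0x1020, 0x7100 };
    for (size_t i = 0; i < 3; i++)
        printf("return to 0x%lx: %s\n", (unsigned long)targets[i],
               return_conforms(targets[i]) ? "conforms to ABI" : "BLOCKED");
    return 0;
}
```

The stack target fails check (1) and the mid-function target fails check (2); only the address immediately after the call is allowed, which is the ABI convention the agent enforces without any threat signature.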