Intrusion prevention: host-based IPS guards endpoints

Host-based IPS guards endpoints
    As network threats continue to grow in number and sophistication, a newer technology offers an additional layer of protection. Host-based intrusion-prevention system (HIPS) technology protects the endpoints that sit behind the network perimeter. It combats infections and attacks at the device and server level, providing a layered defense that complements investment in network-based IPS without depending on threat signatures that need near-constant updating.



    HIPS technology of this kind is highly accurate because it enforces a small set of fixed, low-level software conventions: the Application Binary Interface (ABI). Where the application programming interface (API) defines the source-level interface, the ABI fixes the binary-level rules for a given CPU family and operating system, such as the calling convention, register usage, stack-frame layout and the machine-code form of control transfers. Because every compiled application obeys these conventions, an attacker who hijacks control of a program almost always has to break one of them, for example by returning to an address that no call instruction ever pushed. Attacks that never divert control flow, such as data-only attacks or abuse of legitimate functionality, fall outside this model.



    HIPS deployments generally involve two components: a set of agents and a management and reporting interface. Installed on servers, HIPS agents are designed to run indefinitely with little or no administrative overhead, and to stop malicious code that reaches a machine from executing without comparing it against threat signatures.

    In practice, an agent continually verifies that the instructions an application is about to execute came from a legitimate origin, that is, from a code section loaded from a program image on disk, so injected code is blocked before it runs. The same origin check catches shellcode that arrives disguised as ordinary user data. In addition, the agent checks every program control transfer to make sure it conforms to the ABI: a return must land on the instruction after a call, and a call must land on a function entry point. This prevents an application from being tricked into handing control to injected code, and it also catches code-reuse attacks (return-into-libc and similar techniques), which execute the application's own legitimate instructions out of order and therefore slip past an origin check alone. Code reuse was emerging, at the time of writing, as the next generation of advanced attack technique worrying security professionals.
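The three checks just described, the origin check on executed code, the rejection of data that is about to run as code, and the ABI rule for returns and calls, can be modeled in a few dozen lines. The block below is an added example written for this page, not code from the article or from any HIPS product; the address map, the tables of legal return sites and function entries, and the stack-frame model are all constructed for illustration. It also covers the Sasser scenario discussed further down: the same `simulate_return` drives a stack overflow payload through the policy and shows which rule each payload trips.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an ABI-enforcing agent's control-transfer policy.
 * All addresses, region names and tables are constructed for illustration. */

typedef enum { ORIGIN_IMAGE, ORIGIN_HEAP, ORIGIN_STACK } origin_t;

typedef struct {
    const char *name;
    uint64_t base, size;
    origin_t origin;   /* bytes loaded from a program image, or runtime data? */
} region_t;

/* Hypothetical address map of a 64-bit process. */
static const region_t regions[] = {
    { "app.text",  0x0000000000400000ULL, 0x10000,  ORIGIN_IMAGE },
    { "libc.text", 0x00007f0000000000ULL, 0x100000, ORIGIN_IMAGE },
    { "heap",      0x0000000000600000ULL, 0x100000, ORIGIN_HEAP  },
    { "stack",     0x00007ffffff00000ULL, 0x100000, ORIGIN_STACK },
};
/* Addresses directly after a CALL in the image: the only legal RET targets. */
static const uint64_t return_sites[] = { 0x401005ULL, 0x40102aULL, 0x7f0000001234ULL };
/* Function entry points: the only legal targets of an indirect CALL. */
static const uint64_t entry_points[] = { 0x401000ULL, 0x401020ULL, 0x7f0000000100ULL };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

typedef enum { XFER_CALL, XFER_RET } xfer_t;
typedef enum {
    ALLOW = 0,
    DENY_INJECTED,   /* target is in data memory: injected code or data run as code */
    DENY_BAD_RET,    /* RET to an address no CALL pushed: code reuse */
    DENY_BAD_CALL    /* CALL into the middle of a function */
} verdict_t;

static const region_t *find_region(uint64_t addr)
{
    for (size_t i = 0; i < COUNT(regions); i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].size)
            return &regions[i];
    return NULL;
}

static bool in_set(const uint64_t *set, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (set[i] == addr) return true;
    return false;
}

/* Policy consulted before a CALL or RET is allowed to retire. */
verdict_t check_transfer(xfer_t kind, uint64_t target)
{
    const region_t *r = find_region(target);
    if (r == NULL || r->origin != ORIGIN_IMAGE)
        return DENY_INJECTED;                       /* origin check */
    if (kind == XFER_RET)
        return in_set(return_sites, COUNT(return_sites), target) ? ALLOW : DENY_BAD_RET;
    return in_set(entry_points, COUNT(entry_points), target) ? ALLOW : DENY_BAD_CALL;
}

/* Compiler-style frame: fixed buffer followed by the saved return address. */
struct frame { uint8_t buf[16]; uint64_t saved_ret; };

/* Unbounded copy into the frame (the bug), then ask whether the RET may run. */
verdict_t simulate_return(const uint8_t *input, size_t len)
{
    struct frame f;
    f.saved_ret = 0x401005ULL;                 /* legitimate return site */
    if (len > sizeof f) len = sizeof f;        /* keeps the model itself memory-safe */
    memcpy(&f, input, len);                    /* overflows buf into saved_ret */
    return check_transfer(XFER_RET, f.saved_ret);
}

/* 16 bytes of padding followed by a replacement return address. */
verdict_t overflow_scenario(uint64_t fake_ret)
{
    uint8_t payload[sizeof(struct frame)];
    memset(payload, 'A', 16);
    memcpy(payload + 16, &fake_ret, sizeof fake_ret);
    return simulate_return(payload, sizeof payload);
}

/* Input that fits the buffer and leaves the return address alone. */
verdict_t benign_scenario(void)
{
    uint8_t payload[16];
    memset(payload, 'A', sizeof payload);
    return simulate_return(payload, sizeof payload);
}

int main(void)
{
    printf("benign input:      %d (ALLOW=%d)\n", benign_scenario(), ALLOW);
    printf("stack shellcode:   %d (DENY_INJECTED=%d)\n", overflow_scenario(0x7ffffff00800ULL), DENY_INJECTED);
    printf("return-into-libc:  %d (DENY_BAD_RET=%d)\n", overflow_scenario(0x7f0000000100ULL), DENY_BAD_RET);
    return 0;
}
```

The two scenarios in `main` are the two attack classes the text distinguishes: a return into shellcode on the stack fails the origin check, while a return straight to a libc function entry is image-backed code and passes that check, but is caught because the address does not follow a call. A real agent derives the return-site and entry-point tables from the loaded images rather than from hard-coded constants, and must also handle legitimate exceptions to the convention (signal trampolines, JIT-generated code), which is where most of the engineering effort goes.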



    The HIPS management and reporting interface lets thousands of agents be deployed, managed and upgraded across an enterprise network. The interface, often Web-based so that it can be reached from anywhere, lets network and security staff make configuration changes, monitor alerts and view reports. Many interfaces notify security staff of issues by e-mail (SMTP) or other alerting channels. The interface is also where trend reports are analyzed, users and roles are assigned according to policy, and a comprehensive audit trail is maintained.



    A HIPS deployment of this kind could have blocked the Sasser worm. Sasser exploited a stack buffer overflow in the Windows LSASS service (the flaw patched by MS04-011) and was estimated to have caused billions of dollars of damage worldwide. The previously unseen Sasser code passed undetected through firewalls that permitted its traffic and reached unpatched servers. Once the malicious request was in the server's memory, it triggered the overflow, which handed the remote attacker system-level control of that server and enabled further attacks from inside the enterprise network.



    On a protected server, by contrast, the HIPS agent intercepts the control transfer that the overflow attempts: the corrupted return address sends execution to injected code in a data region, which violates the ABI. The agent stops the code from executing, with little effect on the server's performance, and notifies the management component that an attack is under way so that network and security staff can begin remediation.
