Defend your Network: An Instrusion Defense Plan

Defend your Network: An Instrusion Defense Plan
Page content

Protecting valuable data is a real concern for any business. Learn to create a layered defense plan to keep you safe from hackers, malware and other intrusions.

Configuration and Patch Management

An effective configuration management program is a critical element in the protection of network-connected devices. Attacks against your network are opportunistic. In other words, criminals are looking for soft targets, the compromise of which requires the lowest possible work factor. Properly configuring your applications, databases, and operating systems can increase the work factor so much an attacker moves on.

Risks Associated with Poor Configuration Management

Poor, or nonexistent, configuration management practices result in network components that are easy targets. Some security risks include:

  1. Known security flaws in operating systems, applications, and databases that are not patched. Potential attackers know about these vulnerabilities as soon as they’re announced; often before. Failure to apply vendor-supplied patches to correct these flaws is an invitation to criminals looking for vulnerable company networks.
  2. Unnecessary services running on workstations or servers.
  3. Error messages providing too much information. With the right tools, an attacker can intentionally cause an error on a network device. If the device is running with a default configuration, it might provide information about the operating system, system patch levels, etc.
  4. Weak default passwords assigned to applications or system services. Accounts are sometimes created as part of the installation process for an application or operating system. Often the default password is easy to guess or doesn’t exist at all.
  5. Old production files or sample files left on server or workstation drives. Unused applications or demo software may leave behind scripts, applications, data files, configuration files, or web pages that may be easily exploited. You might not even be aware of their presence.

The purpose of configuration management is to effectively address these and other configuration issues.

Building a Configuration Management Program

Building a configuration management program consists of the following steps:

  1. Assign responsibility for managing and overseeing configuration management activities to a team or individual
  2. Create secure system configuration standards and guidelines
  3. Create and maintain an on-going configuration management process

Assign a responsible team or individual

Without assigning responsibility for creating and maintaining strong configuration management processes, your systems will most likely remain vulnerable to attack. Network engineers and software developers are usually very busy. Worrying about patches, unneeded services, and weak default passwords tend to fall low on the list of priorities. So who should be held accountable for proper device configuration?

In larger organizations, this responsibility often lies in Information Security. Information Security defines policies, standards, guidelines, and security baselines for enterprise systems, which are then used by engineering and development teams to design and implement business solutions. Information Security provides oversight by periodically testing installed for compliance.

In organizations without a dedicated Information Security team, I recommend assigning these tasks to the person or team responsible for managing the network. This separates vulnerability management from the person or team focused on implementing the organization’s technology, and puts it into the hands of those individuals who perform day-to-day operational tasks. Day-to-day activities should be expanded to include not only definition of standards and guidelines, but also oversight activities.

Regardless of who’s responsible, all members of your technical staff must work together to identify and remediate system weaknesses.

Create secure standards and guidelines

Probably the most important task in configuration management is the creation of a security baseline configuration. It should be generic enough to allow its deployment on all workstations and servers, regardless of their use. In many organizations, multiple baselines may be necessary. Workstations, application servers, and security servers may all require different configurations. Applying the baseline to a workstation or server should accomplish the following:

  1. All services not required for general operation of the device are disabled
  2. All default accounts are disabled or controlled, and strong passwords are applied
  3. Logging and alerting is enabled for failed logins, successful logins, and changes to security
  4. All critical security patches are applied

Once the baseline configurations are created and tested, special purpose configurations should be created to enable secure operation of specific types of systems. These include, but are not limited to, email, database, and web servers. The application of a type-specific configuration should result in:

  1. Necessary services, that might have been disabled with the baseline configuration, turned back on
  2. Critical security patches applied to the applications running on the system
  3. All default application accounts using controlled, strong passwords

Upon completion of successful testing of the type-specific configurations, you’re ready to deploy securely configured systems into your environment. Deployment consists of six steps.

  1. Build a server or workstation using standard system build documentation
  2. Apply your secure baseline configuration
  3. Confirm proper configuration and operation of the system
  4. Apply your type-specific configuration, if necessary
  5. Confirm proper configuration and operation of the system
  6. Move to production

Create and maintain an on-going configuration management process

It isn’t enough to simply apply secure configurations and assume your network devices will remain secure. Configuration management is a continuous process that includes:

  1. The creation and maintenance of a system inventory. It’s impossible to develop an ongoing configuration management program unless you know, at a minimum, the operating systems and applications, with associated patch levels, that are running on your network.
  2. Monitoring for the latest announced vulnerabilities related to the items in your inventory. The National Vulnerability Database (https://nvd.nist.gov/) and vendor sites are good sources for this information.
  3. Prioritization of vulnerability remediation tasks. Not all vulnerabilities for which patches exist should be immediately patched. Managing the application of patches is a risk-based activity. A simple application of risk management principles can help determine where to apply your resources to maximize your vulnerability mitigation efforts.
  4. Testing of all configuration changes. Change management is an important process in any configuration management program. Failure to properly test a change, and to assess the risks associated with that change, might result in the same or greater negative business impact you would experience due to an attack.
  5. Update baseline configurations, standards, and guidelines. Threats and vulnerabilities change over time. It’s important to maintain a set of system configurations and processes that work to defend against the changing nature of system risks.
  6. Continuous vulnerability scanning. There’s always some drift from the optimum computing environment as defined in your security program. Vulnerability scanning, for both internal systems and of your perimeter, can help identify deviations from written policy. This prevents a false sense of security based on incorrect assumptions about the level of hardware and software compliance. It also provides a means to determine how vulnerable your systems are to newly announced threats.

Challenges to Effective Configuration Management

It isn’t always easy to convince company management to commit resources to configuration management activities. Let’s face it. There’s no immediate positive impact on your company’s bottom line. Other obstacles to effective configuration management include:

  1. Lack of standard system configurations for workstations and servers. The greater the number of differences among your systems, the lower the probability that you’ll be able to cost effectively manage system configurations. Testing for every possible combination of workstation and server image present on your network might require a resource commitment large enough to convince management to simply accept a large number of vulnerabilities.
  2. Poor software quality or poor vendor response when vulnerabilities are discovered. When purchasing new solutions for your business, research the overall quality of each component. Include in your research the level of customer satisfaction with the component vendor’s response to discovered security problems in their products. What is the average time between vulnerability discovery and patch release?

The proper application of risk management principles can help justify the additional effort required to select the right solutions and to manage inherent vulnerabilities over time.

Intrusion Detection Systems (IDS)

No perimeter defense is sufficient to block determined criminals or insiders from hacking your network. When that happens, it’s important to have intrusion monitoring and blocking controls in place. This article looks at the earliest type of detection technology–intrusion detection systems.

In the mid to late 1990s, as attacks against corporate networks became a major concern, IT managers needed a way to determine if attacks were making it through their network perimeters. To meet this need, IntrusionDetection Systems (IDS) were developed. The purpose of an IDS is to monitor for intruder activity by looking at the following:

  1. User activities
  2. User policy violations
  3. System integrity
  4. File integrity
  5. System vulnerabilities
  6. System activities

There are two types of IDS: Network IDS (NIDS) and Host IDS (HIDS)

NIDS

A NIDS consists of sensors, or monitors, placed at strategic locations in a network. These sensors can send information about the network back to a central management system. When placed properly, a NIDS can provide visibility into all network activity.

Placement of sensors

Traditionally, NIDS sensors have not been fast enough to be placed inline. In other words, network traffic forced to flow through an NIDS on its

way to a target device is likely to experience significant latency. So, NIDS sensors are typically connected to a network through the use of Switched Port Analyzer (SPAN) connections or taps.

A switch sends non-broadcast packets out the port to which the target device is attached. If you simply plug a sensor into a switch port, or to a hub connected to the port, it will only see the packets sent out that port. To correct this, you can configure one of the ports as a SPAN port. Copies of all packets traveling through the switch will be forwarded out the SPAN port and available to the sensor.

A problem with SPAN ports is the possibility that the bandwidth of the configured port may not be sufficient to handle all the traffic passing through the switch. For example, if you are using a 24 port, 100 Mbps Ethernet switch, the SPAN port will likely be able to handle a maximum of 100 Mbps. So what happens if the other 23 ports are only 10% utilized? That’s 230 Mbps of traffic attempting to squeeze through a 100 Mbps pipe. The switch is likely to drop packets, resulting in the sensor presenting an incomplete picture of switch traffic.

One solution to the bandwidth problem is the use of a 1 Gbps switch port as the SPAN port. Another solution is to configure multiple SPAN ports. Then aggregate data ports to each SPAN port in a way that guarantees sufficient bandwidth.

If you’re only interested in analyzing packets passing through a single switch port, a tap might be the answer. A tap is a device placed inline with the packets you want to analyze. In a very simple implementation, a hub can be a tap. Since all packets entering a hub are sent out all the hub’s ports, connecting a sensor to one of the ports results in all packets traveling to the sensor for analysis. The problem with using a hub is the lack of resiliency. If the hub in Figure 1 fails, all traffic traveling between the router and the switch will stop until the hub is repaired or replaced.

A device designed specifically to serve as a tap can provide the resiliency most business networks require. You can configure it to fail open. In other words, packets will continue to flow between the router and switch even if the tap fails.

Whether you use a tap or a SPAN port, you have to decide what it is you plan to monitor. Some placement ideas include:

  1. Placing a sensor outside your perimeter firewall. This provides visibility into the types of attacks hitting your perimeter. An analysis of these attack characteristics can assist you in assessing and minimizing your vulnerabilities.
  2. Placing a sensor in your DMZ. An analysis of traffic in your DMZ can help detect attack attempts that have penetrated the outer perimeter before they have the opportunity to gain access to your internal network.
  3. Placing a sensor at the entrance to a network segment. It’s a good idea to understand whether unusual traffic is moving in or out of the network segments that contain your most sensitive data.

Once you’ve placed your sensors, they can use signature detection, anomaly detection, or both to identify attacks against your information assets.

Signature detection

When using signature detection, a NIDS looks for byte patterns in packets or packet sequences that are common to known attacks. When there is a signature match, the NIDS logs the event. In most cases, companies set up the NIDS to send an alert when a possible attack is logged.

The key advantage of signature detection methods is the ease with which signatures can be developed if you know what you’re looking for. In addition, signature detection might require less overhead on your monitoring devices; this depends on the number of signatures you want to analyze. NIDS vendors normally provide a means to select whether you want to check for all or just specific attacks.

Because signatures must be developed for each known attack, there is usually a delay between the time an attack is released into the wild and the time a signature is provided by your NIDS vendor. This is a disadvantage when defending against attacks during the first few hours or days after their release. Another disadvantage is the potential for a high number of false positives. A false positive results when a NIDS logs an attack, but an attack is not actually occurring. In some cases, signature patterns related to known attacks might appear regularly in perfectly normal traffic. Finally, in today’s malware environment, threat agents, both human and malware, are capable of changing their characteristics both between and during attacks.

These disadvantages shouldn’t stop you from deploying signature based detection methods. However, you should consider supplementing them with anomaly detection.

Anomaly detection

Using a NIDS for anomaly detection starts with a baseline of your network’s behavior. Comparing later traffic to the baseline, the NIDS looks for statistical deviations from the network’s normal operation. It also looks for unusual or incorrect packet configurations. Since anomaly detection methods are not dependent on attack signatures, they can detect attacks well before your NIDS or anti-malware vendors release an update to combat a new threat.

One disadvantage of anomaly detection is the difficulty often experienced in setting up rules the NIDS uses to assess what is and what is not characteristic of an attack. Although many devices are shipped with some predefined rules, it’s rare that an organization implementing a NIDS doesn’t have to tweak them a little. Each network is unique. Another disadvantage is the number of false negatives that can result when attacks do not cause a significant change to network behavior.

If you decide to implement a NIDS, it’s a good idea to consider using both detection methods to analyze network traffic. One method helps to mitigate the weaknesses in the other.

Active response

Current NIDS technology is capable of blocking attacks. One way to quickly react to detected attacks is to cause your NIDS to build packets intended to drop the connection over which the attack is occurring. Another method is to configure your NIDS to automatically reconfigure a router or firewall to prevent the flow of packets from the identified source of an attack. The advantage of using these methods is the elimination of the delay inherent in human reaction to NIDS attack alerts. This might reduce business impact, but criminals have figured out how to use these methods against you.

The right combination of specially formed packets sent by an attacker can cause your NIDS to view traffic coming from valid sources as attacks. If your NIDS is configured to do so, it will shut down all traffic associated with these sites; this effectively results in a denial of service attack. This doesn’t mean you shouldn’t consider using this technology; just be sure you understand its possible shortcomings.

So why use NIDS?

Although NIDS may not be the best answer for preventing intrusions into your network, it can offer a low cost solution for identifying the who, what, when, where, and how of an attack. Armed with this information, you can take steps to either eliminate or mitigate the probability of another attack as well as the level of business impact. Two ways to accomplish this are sanctions and control modification.

An effective security program includes well-defined sanctions and controls. Knowing who is responsible for intentional or unintentional network incidents allows management to deal with the human factor through additional training, counseling, or other more stringent means. Knowing what happened, when it happened, and how the attack was initiated can assist in strengthening appropriate administrative, physical, or logical controls.

HIDS

Host-based intrusion detection operates on the same principles as NIDS. The primary differences are placement and scope of defense. A NIDS is placed in a strategic location on the network. It can therefore protect a large number of devices on the network or a network segment. A HIDS is placed on a specific computer. Its only purpose is to protect the host system on which it runs. Used together, NIDS and HIDS provide a multi-layer defense against attacks.

A host-based intrusion detection system is capable of performing several protective tasks, which will be discussed on the next page.

The Problem with Intrusion Detection

Intrusion detection systems generate a huge amount of information about network activity. As we’ve seen, turning on automatic methods of stopping an attack can actually result in a self-imposed Denial of Service (DoS) situation. But manually reviewing this data to determine if an attack is underway is a very time-consuming task; and you don’t really have the time. Today’s attacks can travel across your network in seconds.

Many organizations have turned to managed security services providers (MSSP) to implement and manage IDS sensors in their data centers and facilities. Included in IDS services is aggregation of IDS and other device logs into a centralized correlation engine. Using defined rules, signatures, and heuristics, the correlation engine looks at overall network behavior and identifies potential problem areas. The results are posted to a Web-based portal for access by the client company’s security personnel.

Outsourcing IDS management releases internal resources to focus on activities to which they add more value, more than poking around in log data.

Intrusion Prevention

Intrusion prevention technology has the capability to detect attacks, both known and unknown, and to automatically prevent those attacks from resulting in a significant adverse impact on your business. As with intrusion detection, there are two primary deployment methods - network intrusion prevention systems (NIPS) and host-based intrusion prevention systems (HIPS).

NIPS

NIPS Device Placement

A NIPS device combines deep packet inspection technology with firewall traffic control. Like a firewall, a NIPS is placed inline with the data. In the example depicted in Figure 1, all packets that pass to and from sources outside the perimeter are evaluated. All packets passing to and from Segment B, the home of the organization’s most critical systems, are also checked.

Through deep packet inspection, each packet is checked to see if it contains information that is indicative of an attack. Packets can also be evaluated in terms of open sessions. Any traffic that displays unusual behavior, or behavior that is clearly malicious, is immediately blocked by the NIPS.

When planning the purchase and implementation of a NIPS solution, you should consider the following:

  • Inline Operation - Inline operation provides for the discard of suspect packets. It also allows for blocking the remaining packet flow associated with the potential attack. Since it’s inline, the NIPS is capable of stopping attacks without reconfiguring firewalls or routers. Inline operation of NIPS devices has been made possible by significant improvements in processing power.

  • Reliability and Availability - In order to provide continuous protection, the device you choose should function at a high level of performance with an acceptable mean time between failures (MTBF). You might also want to consider redundant devices so that if one fails, traffic will still flow through the other. In any case, if your inline device does fail, you want to ensure that the data continues to flow through the affected network segment. For example, if the NIPS protecting Segment B in Figure 1 fails closed, Segment B is effectively removed from the network. If the data on a segment is highly sensitive, you may want it isolated when no NIPS protection is available. In most cases, however, you’ll want the capability of configuring the NIPS environment to allow the continuation of traffic.

  • Accuracy - Ensure that the vendor from whom you purchase your solution provides regular detection updates. Their application should be accomplished quickly with no interruption of information flow or protection. You should also check reliable third party sources to verify the vendor’s claims about the rates at which false positives and false negatives occur. Finally, the device should be intelligent enough to thwart attempts by criminals to use its blocking capability to create a DoS attack.

  • Alerting and Analysis Capabilities - All information collected by the various NIPS placed around your network should be sent to a central console for evaluation. From this console, you should be able to run reports that provide information relative to investigations. The console application should also send alerts when an attack, or a potential attack condition, is recognized by one or more NIPS. Consider outsourcing to a MSSP the aggregation and correlation of collected activity information

  • Highly Granular Configuration and Control Capabilities - When configuring and tuning your IPS devices, you should have the capability to define what attacks to detect and what policy violations to look for on specific network segments or on specific servers and workstations.

  • Adequate Level of Performance - Each NIPS should be powerful enough to assess network activity without hindering the flow of information across your network. In other words, they shouldn’t create any bottlenecks. There should also be enough spare processing power in the devices to allow for growth during their life expectancy.

Proper placement of a NIPS can provide protection to a large number of network devices. In addition to servers and workstations, NIPS can protect firewalls, routers, VPN concentrators, etc. It isn’t platform dependent.

HIPS

Host-based intrusion prevention is designed to intercept and block behavior deemed prohibited or suspect by the business rules configured in your HIPS management system. It does this in two ways. First, it inspects all packets flowing in and out of a protected end user device or server. The methods used to inspect packets and network behavior at the system level are the same as those used by a NIPS - signature and anomaly recognition.

Second, it prevents one or more of the following activities associated with human or malware intrusions:

  1. Copying files
  2. Deleting files
  3. Writing files to certain folders
  4. Registry changes

The deployment considerations for HIPS are similar to NIPS:

  1. Reliability and availability
  2. Accuracy
  3. Alerting and analysis capabilities
  4. Highly granular configuration and control capabilities
  5. Adequate level of performance

In addition, HIPS must also:

  1. Be capable of running your off-the-shelf applications when initially installed. Because a HIPS implementation blocks many activities on your workstations and servers, you must ensure that it doesn’t prevent normal application execution.
  2. Support user defined business rules and centralized device management. It isn’t practical to attempt management of hundreds of end user devices, for example, when rolling out new or modified business rules. You should also have the capability of viewing alerts and system status from a central console.

HIPS deployment

HIPS Management

HIPS is typically deployed as an agent on the device you want to protect. Your security team configures the agent through the use of centralized management software. The image at right shows the relationship between the management system and the agents.

In this example, management software is running on a server. The person responsible for configuring and monitoring the HIPS environment accesses management functions via a management console. The management system sends business rules to the agents. These rules govern how the agents behave when dealing with activities on the systems where they reside. The agents send business rule violation alerts and system status back to the management system. This method of deployment allows an organization to effectively deploy HIPS to any number of systems.

Next, we’ll see how to combine intrusion and detection solutions.

IDS & IPS as a Layered Defense

IPS IDS Layered Defense

The implementation of IPS as a standalone intrusion defense solution may cause some problems for your IS staff and for your employees. When you deploy a NIPS, for example, you can usually use the default rules to block well-defined attack packets without much impact on your network. However, there are many attack types that will still get through. One way to deal with this is to purchase several NIPS, and configure them to block every conceivable attack. This might protect your network, but it might also stop some or all of your applications from working properly. A better solution is to partner NIPS with NIDS. Figure 1 depicts this type of network configuration.

The layered configuration solution is very similar to the network depicted in Figure 2. In Figure 2, a NIPS is placed in

Figure 2- NIPS Sensor Placement

the DMZ to block packets with known malicious signatures and anomalous traffic. A second NIPS is placed at the entrance to a critical network segment. In Figure 1, I added a NIDS sensor to Segment A to watch for and alert on unusual network behavior. I could also remove the NIPS guarding Segment B if, by adding additional blocking rules, I cause the applications on that segment to fail. NIDS provides an organization with the ability to observe network traffic and react non-intrusively. You can build on the full network visibility of NIDS with the selective blocking capability of NIPS to create an effective intrusion defense and management program. Couple this with the protection provided by HIPS, and cracking your final defensive layers will require a work factor that only the most dedicated attackers will tackle.

Prior to designing your intrusion defense infrastructure, there are two more things to consider. First, although NIPS sensors can also serve in an intrusion detection role, the cost of deploying them for that purpose is typically not cost effective. Second, many current firewalls include IDS functionality, and many next generation firewalls include IPS functionality. You might be able to take advantage of this convergence of technologies to design a more efficient solution that easily fits within your security budget.

The Malware Challenge

Cyber-criminals used to write malicious software (malware) for fun and to show off to other crackers. However, the reasons for intruding into corporate and personal systems have changed. Today, many crackers use their skills as a way to make money from illegal activities. These activities include:

  1. Information warfare against governments
  2. Extorting money from corporations
  3. Identity theft

In many cases, the victims are unaware their systems have been compromised.

Types of Malware

Malware exists in the wild in several forms. The most prevalent are:

  • Viruses - A virus is malware an attacker attaches to another program you intentionally install or copy to your PC. When you run the wanted program, the malware also runs. Viruses can’t propagate across the Internet or your network by themselves. They need your help.

  • Worms - Worms can distribute themselves across your network and across the Internet. Once a worm takes up residence in a computer in your network, built-in routines attempt to locate other vulnerable systems, sending special packets. Once a vulnerable system is found, the worm copies itself to that system. Now there are two copies of the worm attempting to propagate in your processing environment. Over time, this replication process might slow network performance and compromise all vulnerable systems.

  • Trojans - A Trojan is a program that looks like a useful application. For example, you might download a free music player from an email advertisement. When you install the player, it performs as expected. But in the background, it’s engaged in activities designed to compromise your system.

  • Spyware ­- Spyware is software you download and install, usually as part of another program installation, that gathers information about you, your company, and your system. It then transmits this information back to a parent device where a criminal is waiting to exploit it. Spyware has become such a major problem, the next section is dedicated to examining it in more detail.

Spyware

As we saw in the previous section, one of the primary means of delivering Spyware is downloading software from the Internet. In many cases, the victim actually agrees to its installation along with the primary application. The victim is usually unaware of his or her approval, because the spyware acceptance clause is buried several pages deep in the license agreement. Most business users either don’t have the time to read the entire agreement, or are unaware of the risks. Once they accept the agreement and download the software, their computers are compromised.

Another way spyware might be installed is through clicking “OK” on a dialog box that pops up when you visit a site. This can happen even if the dialog box is just informational. If you haven’t blocked pop-ups on your employees’ desktops, you should train your users to always click the “X” in the upper right hand corner of unexpected pop-ups. This will help prevent the unwanted installation of malware.

Once executing, spyware collects information about the user or about the system. Personal information that might be collected includes a user’s Internet browsing habits, credit card numbers, and bank account information. Since spyware executes with the same security rights and permissions as the user, it can also access information stored in folders on the local machine as well as data in network storage areas.

After the information is collected, it is typically transmitted back to a host system managed by the individual or group who intends to use this information to steal the user’s identity, blackmail her organization with threats of releasing sensitive information, etc.

Once spyware is installed on a computer, it can be very difficult to remove. In many cases, attempts at removal are reported back to the controlling system. The attacker can implement manual or automated processes to ensure the application’s components are reinstalled.

Attackers are increasingly using rootkit technology to hide the presence of spyware. Neither the files on disk nor the processes running in memory are visible when using normal operating system tools or anti-spyware applications. Free utilities like Windows Sysinternals <em>Rootkitrevealer</em> can help locate and report on hidden spyware components.

Malware Prevention & Removal

Controls related malware defense should prevent malicious code from gaining a foothold in your network in the first place. Taking the following steps can help:

  1. Keep all operating systems and applications updated (patches, service packs, etc.).
  2. Properly adjust browser settings. The types of sites accessed and the types of Internet activities allowed have a direct impact on your organization’s malware vulnerability. Web filtering software and pop-up blockers are a good place to start. A good web filtering solution:
    1. Allows a manager to determine the types of sites the employees are allowed to browse.
    2. Is automatically updated, at least daily, with lists of sites that are known to spread malware. Blocking this web site category alone can significantly reduce business risk.
  3. Use firewalls. Later in this article, we look at how personal firewalls can add to the last layer of defense at the host level.
  4. Implement strict acceptable use policies and user awareness processes that cover:
    1. Downloading files from the Internet.
    2. The importance of reading all warnings and agreements before installing downloaded software.
    3. The dangers of installing anything that’s advertised as free.
  5. The importance of anti-virus and anti-spyware software on all systems attached to your network, AND KEEPING THEM UP TO DATE.

Even with all these controls in place, malware will eventually find a way into your network. So how do you detect it once it’s made itself at home? First, all users, especially your company’s help desk, should be trained to identify the signs of infection, including

  1. The appearance of unexpected messages.
  2. The appearance of new tool bars or plug-ins.
  3. Programs starting by themselves.
  4. Systems running slower than normal.
  5. Browser settings changing automatically.
  6. Systems suddenly rebooting for no reason or after unusual warning messages are displayed.
  7. Any strange, unexplainable system activity.

Second, updated anti-malware software should detect and remove all non-hidden malware components. Finally, an organization’s defense should include personal firewall or HIPS solutions. These solutions may not remove the threat, but they can prevent or delay activities initiated by the threat until your response team can contain and eradicate it.

Personal Firewalls

Personal firewall technology is more mature than HIPS. Its use is a popular and effective way to protect both mobile and stationary users from becoming infected or infecting your network. Its functionality in preventing malicious activity targeted at both the host system and the organization’s network position it as an alternative to HIPS as a last line of defense.

A personal firewall is traditionally an application that is installed on an end-user device. Once installed, it performs several protective functions, including:

  1. Permitting or denying communication, both outgoing and incoming, based on one or more user-defined policies.
  2. Helping protect laptops when connected to other networks and protecting the parent network from infection once the laptop returns home.
  3. Prompting a user to accept or reject a process request to perform an action that violates one or more policies.
  4. Helping to prevent self-imposed DoS by blocking specific types of traffic, both outgoing and incoming.
  5. Providing some level of HIDS by logging unusual system behavior.
  6. Helping to identify attacks coming from internal sources.

Because of the growing necessity for personal firewalls on end-user devices, most of the anti-virus vendors include this technology in their basic offerings. But like any protective technology, there are challenges associated with implementing them.

  1. Personal firewalls consume system resources. Make sure your end-user devices have the memory and processor resources necessary.
  2. Attackers have developed ways to compromise personal firewalls without your knowledge. The presence of a personal firewall might result in a false sense of security.
  3. Rolling out personal firewalls to a large number of devices, and managing them once installed, can be a daunting task. Like HIPS implementations, personal firewalls should be managed by centralized software. This provides for:
    1. Application of software updates
    2. Ensuring firewalls are running on each end-user device.
    3. Easy roll-out of attack signature or anomaly detection information.
    4. Management of how your users interact with the firewall. This includes allowing or disallowing them to take an action the firewall warns them against.
  4. Ensuring that your host-based applications will continue to run once the firewall is operational.

So which is better, personal firewalls or HIPS? The answer is, “it depends.” HIPS is an emerging technology. As such, it has some issues that need to be worked out. Personal firewall technology, on the other hand, is mature and mainstream. Which of these solutions you decide to use depends on your organization’s willingness to accept and deploy new technology. If your company is technically conservative, or you haven’t the time to deal with the growing pains of HIPS, I recommend the safe personal firewall route. Which technology you pick is less important than ensuring that this final layer of intrusion defense is not ignored.

What’s your Best Defense?

Deperimeterization has strengthened the need for multiple layers of intrusion defense. By know you know of a number of tools and strategies to protect your data. he use of IDS and IPS, both network and host, will help you. Both external and internal threats can be detected, stopped, or delayed by the proper placement of sensors. Configuration management is a key component of intrusion defense. Hardening workstations and servers with secure operating system and application settings, together with effective patch management, minimizes the impact of attacks that make it through all other layers of your security infrastructure.

Don’t forget Malware, a significant threat to organizations. Implementing protection against the growth of spyware attacks is probably the most critical step a business manager can take when considering malware defense strategies. Personal firewalls can provide a solid last line of defense, even when your patch management processes fail to keep up with the daily discoveries of new vulnerabilities.