Layer 2: Host Security
By John Moore | Posted 2007-05-14
As attacks on enterprise systems grow more sophisticated and diverse, companies need to rethink their defense strategies. In this special report, experts offer new and better ways to protect vital information resources.
Some I.T. departments have redrawn the perimeter around PCs and workstations deep within the firewall. One class of solutions relocates intrusion prevention from its traditional place on the network to servers, desktops and laptops. So-called host intrusion prevention systems typically include a firewall for the individual server or desktop computer, and may also combine signature-based and anomaly-based detection. Signature defenses, the approach common in antivirus products, match code or activity against patterns taken from known malware, so they recognize only threats that have already been catalogued. Anomaly-based detection flags behavior that falls outside a baseline of the host's normal activity, which lets it catch attacks no signature describes, at the cost of false alarms when legitimate behavior changes.
Vendors include CA, eEye Digital Security, IBM, McAfee, SecureWave, Symantec and Third Brigade. Typically, host intrusion prevention will involve a price per agent (the protected host) and a management console fee, according to Blake Sutherland, vice president of product management at Third Brigade. The price for a server agent can range from the low hundreds of dollars to as much as $1,000. A desktop/laptop agent runs from $20 to $80 per unit. Enterprise pricing and volume discounts cause pricing to vary.
Rockford Health System, a health-care provider based in Rockford, Ill., deploys intrusion prevention at both the perimeter and host layers. The health system uses Top Layer Networks' intrusion prevention system at the perimeter and eEye Digital Security's Blink on hosts, especially Web servers.
"The key is that no one product can do it all," says Joe Granneman, chief security officer at Rockford Health. "You need to have a mixture."
Tom Moss, security practice leader at outsourcing vendor Bell ICT Solutions, says customers may opt for host intrusion prevention systems to deflect attacks that perimeter defenses miss. Bell ICT, with headquarters in Montreal, rolled out Third Brigade's host intrusion prevention system at parent Bell Canada's Western Data Center. The host-based systems "can pick up behavior changes to a server that might go unnoticed at the network layer," Moss says.
Host intrusion prevention systems may also employ so-called whitelisting as a way to head off attacks. In whitelisting, only programs on an approved list (an office productivity suite, for example) are allowed to run on a PC; anything not on the list is refused, whether or not a signature for it exists.
First National Bank of Bosque County, based in Valley Mills, Texas, uses this approach through SecureWave's Sanctuary. SecureWave bills Sanctuary as an end-point security product, meaning that it provides host-based security primarily for desktop computers and other network end-points.
Brent Rickels, a senior vice president at First National Bank, says SecureWave's whitelisting provides a more proactive solution than antivirus software. "We don't like sitting back and waiting for someone to fire something off at us," he says.
Host intrusion prevention systems require careful tuning to work effectively. Systems that emphasize anomaly detection need a baseline of normal, or expected, host behavior before they can be trusted to block anything.
To set up SecureWave on a host, for instance, the product analyzes software loaded on a PC and records each program. According to Rickels, his bank used a new PC to establish the baseline of acceptable programs. That machine, which has never been attached to a corporate network or the Internet, houses an untainted image of applications from which the whitelist is generated. The whitelist is stored in a centralized database, which manages the approved-program policy across the organization's PCs. Rickels says the task of creating the baseline PC took about a day.
But host intrusion prevention systems that employ anomaly detection or whitelisting require ongoing attention after the initial configuration. Such systems must be adjusted whenever an application changes, for instance when a patch or upgrade replaces its executables. Otherwise, the system may perceive the change as unusual behavior and therefore a threat, and block a legitimate program.
To prevent false alarms, the host system must constantly relearn what represents normal behavior. This relearning typically requires the administrator to switch the host intrusion prevention system from block to alert mode and observe how the system reacts to the application change. Moss of Bell ICT says the administrator then makes the necessary adjustments to account for the application change and switches the system back to block mode.
"The security team will have to have a very strong affinity for any changes going on at the application level," Moss says.
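The whitelisting workflow the article describes, from the clean baseline PC through the block-to-alert relearning cycle, can be sketched in a few dozen lines. The following is an added example written for this piece; it is not SecureWave Sanctuary or any other vendor's code. Programs are identified by the SHA-256 hash of their bytes rather than by path, and the "baseline image", the patched executable and the impostor file are constructed byte strings standing in for files on disk. A real agent would hash executables on the filesystem and hook process creation instead of being handed bytes.

```python
"""Hash-based application whitelisting with a block/alert relearning cycle.

Added example for this article; it is not SecureWave Sanctuary or any other
vendor's code. Program contents are constructed byte strings standing in for
executables on disk; a real agent would hash files and hook process creation.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    BLOCK = "block"  # unknown programs are denied
    ALERT = "alert"  # unknown programs run but are recorded for review


def fingerprint(content: bytes) -> str:
    """Identify a program by SHA-256 of its bytes, not by path or file name."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Whitelist:
    """Approved-program policy as a central console would hold it."""
    approved: dict = field(default_factory=dict)  # hash -> path where first seen
    mode: Mode = Mode.BLOCK
    pending: list = field(default_factory=list)  # (path, hash) alerts awaiting review

    @classmethod
    def from_baseline(cls, image: dict) -> "Whitelist":
        """Build the policy from every program found on the clean baseline PC."""
        wl = cls()
        for path, content in image.items():
            wl.approved[fingerprint(content)] = path
        return wl

    def decide(self, path: str, content: bytes) -> str:
        """Decision for a host that is about to run `path` with these bytes."""
        digest = fingerprint(content)
        if digest in self.approved:
            return "allow"
        if self.mode is Mode.BLOCK:
            return "block"
        self.pending.append((path, digest))  # alert mode: let it run, log it
        return "alert"

    def approve_pending(self) -> int:
        """Administrator accepts the alerted changes into the policy."""
        count = len(self.pending)
        for path, digest in self.pending:
            self.approved[digest] = path
        self.pending.clear()
        return count


# Constructed stand-ins for the programs on the never-networked baseline PC.
WINWORD = r"C:\Program Files\Office\WINWORD.EXE"
BASELINE_IMAGE = {
    WINWORD: b"word-processor-v11",
    r"C:\Windows\notepad.exe": b"notepad-v6",
}


def run_scenario() -> dict:
    """Walk through the cases in the article; returns each decision by label."""
    wl = Whitelist.from_baseline(BASELINE_IMAGE)
    out = {}
    # 1. Approved program, unchanged bytes.
    out["baseline_app"] = wl.decide(WINWORD, b"word-processor-v11")
    # 2. Malware copied over an approved path: same name, different hash.
    out["impostor"] = wl.decide(WINWORD, b"dropper-payload")
    # 3. A legitimate patch changes the bytes; in block mode it is refused.
    out["update_blocked"] = wl.decide(WINWORD, b"word-processor-v11-sp2")
    # 4. Relearn: switch to alert mode, observe, approve, switch back.
    wl.mode = Mode.ALERT
    out["update_alerted"] = wl.decide(WINWORD, b"word-processor-v11-sp2")
    out["approved_count"] = wl.approve_pending()
    wl.mode = Mode.BLOCK
    out["update_after_relearn"] = wl.decide(WINWORD, b"word-processor-v11-sp2")
    # 5. Approving the patch did not open the door to anything else.
    out["impostor_after_relearn"] = wl.decide(WINWORD, b"dropper-payload")
    return out


if __name__ == "__main__":
    for label, decision in run_scenario().items():
        print(f"{label:24} {decision}")
```

Two points the walk-through makes concrete. Hashing rather than matching on file name is what stops a dropper that overwrites an approved executable, and it is also exactly why every service pack shows up as a "threat" until the policy is relearned. The alert-mode window is the risky part of the cycle: anything that runs while the agent is only logging ends up in the pending list, so each entry should be checked against the expected change before it is approved, not accepted wholesale.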