If the security threats of the past few weeks have taught us anything, it is that virus writers and hackers are creating more complex attacks that are better able to bypass perimeter security measures. Network-based intrusion-detection systems no longer suffice as the lone monitor for intrusions. A key component of an integrated security strategy to complement network-based IDSs is a host-based IDS.
This type of intrusion-detection software is installed primarily on servers, but also can be found on desktops and laptops. Host-based IDS software is the last line of defense for all attacks targeted at these endpoints.
Corporations must prioritize the business value of their servers so that they can cost-effectively deploy security products that provide the required level of protection. Host-based IDS agents should be deployed on almost all mission-critical servers. These servers tend to be network infrastructure servers, business infrastructure servers, and servers that contain intellectual property or customer information.
While network-based IDS software inspects packets on the network for suspicious activity, host-based IDS software monitors system files, processes and log files for suspicious activity. Most host-based IDS agents rely on signatures for identifying attacks. Similar to the functionality provided by anti-virus programs, a host-based IDS agent examines various forms of data for specific, known patterns of an attack. Operating system and application log files are scanned for footprints of malicious behavior; the file system is monitored to see if sensitive files are being accessed or tampered with; and network traffic flowing into and out of the endpoint is monitored for network-based attacks.
An example of an attack on a server begins when a buffer overflow is exploited in a critical system service. The exploit opens a backdoor on the system, giving root or administrative access to the operating system. The system receives a Trojan program via the backdoor and copies it into the system folder. The Trojan file is registered with the operating system or scheduler so that it is executed on every reboot. From then on, every time the system is started, the Trojan program runs and performs whatever malicious activity it was designed to do.
However, with a host-based IDS agent installed on the server, the attack can be stopped up front with the detection of the buffer overflow. Failing that, host-based IDS systems also could stop the intrusion at a later step: while the Trojan program is being copied, when the Windows registry is altered, or when the Trojan program is executed.
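The following is an added example, not code from the article or from any Symantec product: a minimal host-based IDS that checks the three data sources described above (file-system baseline, log-file signatures and startup registrations) against the attack chain just described. All file names, log lines, registry-style entries and signature patterns are constructed for the illustration, and the temporary directory stands in for the system folder.

```python
import hashlib
import re
import tempfile
from pathlib import Path, PureWindowsPath
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str]  # (event name, detail)

def hash_tree(root: Path) -> Dict[str, str]:
    """File-system baseline: SHA-256 of every regular file in the folder."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.iterdir()) if p.is_file()}

def diff_baseline(before: Dict[str, str], after: Dict[str, str]) -> List[Event]:
    """Files that appeared, vanished or changed since the baseline was taken."""
    return [("file_added", n) if n not in before else ("file_removed", n) if n not in after
            else ("file_modified", n)
            for n in sorted(set(before) | set(after)) if before.get(n) != after.get(n)]

# Log signatures: the "footprints" a HIDS looks for in log files (constructed patterns).
LOG_SIGNATURES = [
    ("service_crash", re.compile(r"segfault|access violation", re.I)),
    ("root_login", re.compile(r"Accepted \S+ for root", re.I)),
]

def scan_log(lines: List[str]) -> List[Event]:
    return [(name, ln) for ln in lines for name, rx in LOG_SIGNATURES if rx.search(ln)]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

def check_autorun(entries: Dict[str, str], added: Set[str]) -> List[Event]:
    """Persistence check: flag startup entries outside trusted folders or pointing at a
    file that only appeared after the baseline (correlating two event sources)."""
    return [("autorun_suspicious", f"{k}={v}") for k, v in entries.items()
            if not v.lower().startswith(TRUSTED_DIRS) or PureWindowsPath(v).name in added]

def demo() -> List[Event]:
    """Replay the article's attack chain on constructed data; return the events raised."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp)
        (sysdir / "kernel32.dll").write_bytes(b"constructed legitimate file")
        baseline = hash_tree(sysdir)
        (sysdir / "update.exe").write_bytes(b"constructed trojan body")  # dropped via backdoor
        events = diff_baseline(baseline, hash_tree(sysdir))
    added = {n for kind, n in events if kind == "file_added"}
    events += scan_log(["Jan 10 03:12:01 srv1 kernel: httpd[4121]: segfault at 0 ip 41414141",
                        "Jan 10 03:12:04 srv1 sshd[4140]: Accepted password for root from 10.0.0.5"])
    autorun = {"Updater": "C:\\Windows\\System32\\update.exe",  # Run-key entry for the dropped file
               "Antivirus": "C:\\Program Files\\AV\\av.exe"}     # benign entry
    return events + check_autorun(autorun, added)
```

Each returned event is what the agent would hand to a correlation engine or alerting channel; the autorun check shows why a dropped file and a new startup entry are more telling together than either is alone.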
Once a threat is detected, a host-based IDS agent can react in a variety of ways: It can generate an event that might be correlated with other events; it can alert an administrator via e-mail, pager or cell phone; or it can run a specific program or script. An increasing number of host-based IDS products can detect suspicious activity while it is in transit, making prevention, not just detection, of suspicious activity possible.
For a more complete security posture across corporations, host-based IDS should be a component of a multi-layered security strategy. It complements the capabilities of other security products such as network-based IDS, decoy-based IDS and firewalls. Each piece contributes to an integrated security infrastructure that strengthens defenses and reduces network risk.
Bonamico is senior director of host IDS product delivery at Symantec Corp. He can be reached at firstname.lastname@example.org.