In today's bit I decided to write about host-based IPS technologies and how you can make a case for them within your environment. I have successfully installed possibly over 5000 host-based IPS systems since I first used one in 2004. I have been happy with two specific vendors, those being primarily eEye Digital Security and Cisco's Security Agent.
Host-based intrusion 'prevention' technology is the ability to analyze traffic patterns and system behavior at the operating-system level. It is the same type of technology that is used today in unified threat management systems or in the IPS systems many have deployed at the network level. So why consider a host-based system?
A host-based system will protect your system from attack before an actual penetration occurs, rather than scanning for the malicious activity after the fact. In other words, by the time your current anti-virus or anti-malware system finds an infection, the file itself has already been placed on the system: the system has been compromised, and the scanner is then going to either stop the process from running or delete the file. In addition, most anti-virus scanners will not detect many payloads. For example, a podcaster recently uploaded a payload from the popular Metasploit framework to VirusTotal. What is a 'payload'? A payload is nothing more than code that runs on your computer, delivered with an exploit or by some other method such as email or USB, and does something. What can it do? Open a command shell to the attacker, add a user, install VNC, whatever your heart desires nowadays. VirusTotal runs the file through 36 different anti-virus engines. 4 of the 36 detected the file. (A VirusTotal result is a snapshot at scan time; engines usually pick a sample up later, but the window before they do is exactly what an attacker uses.) Other events, such as DefCon's 'Race to Zero', where the challenge was to slightly change a virus in order to completely evade virus scanners, should concern you as well. The even scarier question: what does this mean to you? It means that the effectiveness of your current anti-virus scanner is possibly insufficient for today's environments.
This is where host-based intrusion detection and prevention systems shine. These systems are more than just firewalls, which is a good thing. A firewall will typically let viruses or any other malicious attack through as long as the traffic is permitted by its rules. An IDS/IPS, especially a host-based IDS/IPS, will read into the packet, detect the malicious content and prevent it from penetrating your system. In addition, since it sits on the host, it is not ignorant of what is happening inside encrypted streams: it sees the data after the application has decrypted it, and it also sees process, file and registry activity that never touches the wire, whereas a network IPS cannot view the encrypted traffic at all.
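To make the two points above concrete (a slightly modified payload slipping past signature scanners, and a host-side engine catching it from what the process does rather than what its bytes look like), here is an added example that is not part of the original post and not code from eEye or Cisco. The 'payload' bytes, the signature database, the mutation routine and the process/network event stream are all constructed for the illustration; the rule names, event fields and the `mutate()` helper are assumptions of this example, not any vendor's format.

```python
"""Signature matching vs. behaviour-based (host IPS style) detection.

Added illustration for the post above. The payload bytes, signatures and
host events are constructed here; nothing in this file is real malware
or a real vendor's rule format.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Constructed stand-in for a known reverse-shell payload. The CONNECT_BACK
# string plays the role of the byte sequence an AV engine learned to match.
KNOWN_PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 8
                 + b"CONNECT_BACK:10.0.0.5:4444\x00" + b"\xcc" * 16)

# Two classic signature styles: a whole-file hash and a fixed byte pattern.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest(): "payload.known.hash"}
PATTERN_SIGNATURES = [
    (re.compile(rb"CONNECT_BACK:\d+\.\d+\.\d+\.\d+:\d+"), "payload.known.pattern"),
]


def signature_scan(blob: bytes) -> List[str]:
    """What a file scanner does: compare bytes against what it has seen before."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(blob).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(blob):
            hits.append(name)
    return hits


def mutate(blob: bytes) -> bytes:
    """Cheap 'race to zero' style change (constructed for this example):
    XOR-encode the string the pattern keys on and append a byte so the
    hash changes. A real packer or encoder does the same thing at scale.
    The behaviour of the payload when it runs is unchanged."""
    key = 0x5A
    match = re.search(rb"CONNECT_BACK:[^\x00]+", blob)
    if match is None:
        return blob + b"\x00"
    start, end = match.span()
    encoded = bytes(b ^ key for b in blob[start:end])
    return blob[:start] + encoded + blob[end:] + b"\x00"


@dataclass(frozen=True)
class HostEvent:
    """One host-side observation (constructed format, not a vendor schema)."""
    pid: int
    parent: str      # image name of the parent process
    image: str       # image name of this process
    action: str      # "exec", "connect" or "useradd"
    detail: str = ""


def behavior_scan(events: List[HostEvent]) -> List[str]:
    """Host IPS style rules keyed on what a process does. Because they run
    on the endpoint they see the connect() whether or not the wire traffic
    is encrypted, and they do not care what the payload's bytes look like."""
    shells = {"cmd.exe", "powershell.exe", "/bin/sh", "/bin/bash"}
    doc_handlers = {"outlook.exe", "winword.exe", "acrord32.exe"}
    shell_pids = set()
    alerts = []
    for ev in events:
        # A mail client or document reader spawning a shell is the exploit landing.
        if ev.action == "exec" and ev.image in shells and ev.parent in doc_handlers:
            shell_pids.add(ev.pid)
            alerts.append(f"pid {ev.pid}: {ev.parent} spawned {ev.image}")
        # That shell calling out is the 'command shell to the attacker' payload.
        if ev.action == "connect" and ev.pid in shell_pids:
            alerts.append(f"pid {ev.pid}: shell opened outbound connection to {ev.detail}")
        # Account creation is the 'add a user' payload, regardless of who did it.
        if ev.action == "useradd":
            alerts.append(f"pid {ev.pid}: {ev.image} added local user {ev.detail}")
    return alerts


# Constructed event stream: one benign browser connection, one exploited mail client.
SAMPLE_EVENTS = [
    HostEvent(100, "explorer.exe", "outlook.exe", "exec"),
    HostEvent(101, "outlook.exe", "cmd.exe", "exec"),
    HostEvent(101, "outlook.exe", "cmd.exe", "connect", "10.0.0.5:443 (TLS)"),
    HostEvent(102, "cmd.exe", "net.exe", "useradd", "backup_svc"),
    HostEvent(103, "explorer.exe", "chrome.exe", "connect", "93.184.216.34:443"),
]

if __name__ == "__main__":
    print("original payload :", signature_scan(KNOWN_PAYLOAD))
    print("mutated payload  :", signature_scan(mutate(KNOWN_PAYLOAD)))
    for alert in behavior_scan(SAMPLE_EVENTS):
        print("HIPS alert ->", alert)
```

Running it shows both signatures firing on the original bytes, nothing firing on the trivially re-encoded copy, and three host-side alerts from the event stream, including the shell's outbound connection even though the constructed event marks it as TLS. The point is not that the rules above are production quality (a real host IPS has far richer context and a tuning problem this toy ignores) but that the signal a host agent keys on survives the byte-level changes that defeat a file scanner.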
Stay tuned for my analysis of how to choose them, how they perform, and some possible gotcha issues.
