The Role of CA Host-Based Intrusion Prevention System (CA HIPS) in Integrated Threat Management
Ellen Newlands January 2007
Table of Contents
Why Do You Need A Host-Based Intrusion Prevention System (HIPS)?
  Evolving Business Practices
  New Blended Threats Require New Prevention Strategies
  Anti-Virus and Anti-Spyware Are a Good Start, But Not Enough
  Additional Blended Solutions: Firewall, Intrusion Detection and Intrusion Prevention
The Three Technologies: Stand-Alone Firewall, Intrusion Detection and Intrusion Prevention
  Firewall
  Host-Based Intrusion Detection System
  Host-Based Intrusion Prevention System
HIPS and Zero-Day Protection
Stand-Alone Product Inefficiencies
CA HIPS Capabilities: Firewall, HIDS and HIPS Technologies Combined
  Learning Mode
  Policy and Rule Setting
  Policy-Based Client User Interface
The Role of CA HIPS in Integrated Threat Management
  CA HIPS Rounds Out CA's Portfolio of Threat Protection Products
  CA Integrated Threat Management
    eTrust PestPatrol Anti-Spyware Corporate Edition
    eTrust Antivirus
    eTrust Secure Content Manager
Summary
In his recent article "Host-Based Intrusion Prevention", posted on About.com, Tony Bradley points out: "Using a combination of host-based technologies to identify, quarantine and eliminate malware threats is now a common security strategy for enterprise security professionals who want to stay one step ahead of the escalating malware coders. Deploying layered security, using anti-spyware, antivirus, firewall and intrusion detection products, is a widely accepted response to online attacks. The basic principle is that it takes multiple layers of defense to protect against the wide variety of attacks and threats. Not only can one product or technique not protect against every possible threat, therefore requiring different products for different threats, but having multiple lines of defense will hopefully allow one product to catch things that may have slipped past the outer defenses."
The Three Technologies: Stand-Alone Firewall, Intrusion Detection and Intrusion Prevention
To set a common understanding of the additional layers of protection now recommended for a comprehensive threat solution, here is a brief review of the general capabilities of each of the three products: firewall, host-based intrusion detection system (HIDS) and host-based intrusion prevention system (HIPS). Definitions are taken from Webopedia.com and SecurityWizardry.com.

Firewall: a logical barrier designed to prevent unauthorized or unwanted communications between sections of a computer network. A firewall protects a host by monitoring network packets and attempting to distinguish good traffic from bad. It inspects traffic in both directions, inbound and outbound.

Host-Based Intrusion Detection System (HIDS): monitors host and server event/system logs from multiple sources for suspicious activity. It can alert a system administrator to that activity, but it cannot deter or prevent it from taking place.

Host-Based Intrusion Prevention System (HIPS): protects a host by monitoring the applications that execute on it. HIPS products generally look at what a program does, either by intercepting system calls or by watching packets and other system activity. A HIPS is configured with policies whose rules identify activity and decide, according to those preset policies and rules, what happens to it. It can identify anomalous behavior, allow or restrict an application's ability to execute, and stop unknown code from running.
Learning Mode
System administrators can put CA HIPS into a learning mode that profiles the activity of a group of machines and then base specific rules and policies on what was learned. The profile can be used to create new policies, or edit existing ones, that detect anomalies relative to known behavior, prevent potentially malicious activity, or contain new activity until a system administrator deems it harmless. This helps ensure service continuity and keeps critical IT assets running by protecting resources and processes, and it lets the system administrator tailor environments to business requirements and user work patterns.
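The following is an added illustration written for this page, not CA HIPS code, and it serves both the HIPS definition above and the learning mode just described. It models a minimal host-based policy engine with the two modes a practitioner cares about: a learning mode that profiles a group of machines into a behavioral baseline, and an enforcement mode in which explicit administrator rules win first, baselined behavior is allowed, and anything unknown is contained for review. One caveat the learning approach carries is built in: a behavior is only promoted to the baseline when it is seen on several distinct hosts, so a single already-compromised machine cannot teach the policy to allow its malware. Every host name, process, endpoint and rule below is constructed sample data, and the event model (process, action, target) is an assumption of this example.

```python
"""Mini host-based intrusion prevention policy engine (added example).

Illustrative code written for this page, not CA HIPS code. It models the two
behaviours described in the text: a learning mode that profiles what a group
of hosts normally does, and an enforcement mode that evaluates each event
against explicit rules first, then the learned baseline, and contains
anything unknown. All events and rules below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    CONTAIN = "contain"   # hold unknown activity until an administrator reviews it


@dataclass(frozen=True)
class Event:
    host: str
    process: str   # image name of the process performing the action
    action: str    # "exec" (spawn child), "connect" (outbound), "write" (file)
    target: str    # child image, remote endpoint, or file location


@dataclass(frozen=True)
class Rule:
    process: str
    action: str
    target_prefix: str   # "" matches any target
    verdict: Verdict


class HipsEngine:
    def __init__(self, rules, min_hosts=2):
        self.rules = list(rules)
        # A behaviour enters the baseline only if seen on this many distinct
        # hosts, so one already-compromised machine cannot teach the policy
        # to allow its malware.
        self.min_hosts = min_hosts
        self.baseline = set()

    def learn(self, events):
        """Learning mode: profile a group of machines and build the baseline."""
        hosts_by_behaviour = defaultdict(set)
        for e in events:
            hosts_by_behaviour[(e.process, e.action, e.target)].add(e.host)
        self.baseline = {
            key for key, hosts in hosts_by_behaviour.items()
            if len(hosts) >= self.min_hosts
        }
        return self.baseline

    def evaluate(self, event):
        """Enforcement mode: explicit rules win, then baseline, else contain."""
        matches = [
            r for r in self.rules
            if r.process == event.process
            and r.action == event.action
            and event.target.startswith(r.target_prefix)
        ]
        if matches:
            # The most specific rule (longest target prefix) decides.
            return max(matches, key=lambda r: len(r.target_prefix)).verdict
        if (event.process, event.action, event.target) in self.baseline:
            return Verdict.ALLOW
        return Verdict.CONTAIN


# Constructed learning-mode telemetry from three workstations.
LEARNING_EVENTS = [
    Event("ws01", "outlook.exe", "connect", "mail.corp.example:443"),
    Event("ws02", "outlook.exe", "connect", "mail.corp.example:443"),
    Event("ws03", "outlook.exe", "connect", "mail.corp.example:443"),
    Event("ws01", "winword.exe", "write", "%USERPROFILE%\\Documents"),
    Event("ws02", "winword.exe", "write", "%USERPROFILE%\\Documents"),
    # Seen on a single host only: never promoted to the baseline.
    Event("ws03", "cmd.exe", "exec", "powershell.exe"),
]

# Hypothetical explicit administrator policy for the example.
RULES = [
    Rule("winword.exe", "exec", "", Verdict.BLOCK),             # Office never spawns children
    Rule("outlook.exe", "connect", "mail.corp.", Verdict.ALLOW),
]


def run_demo():
    """Learn from the group, then judge a batch of enforcement-mode events."""
    engine = HipsEngine(RULES)
    engine.learn(LEARNING_EVENTS)
    enforcement_events = [
        Event("ws04", "outlook.exe", "connect", "mail.corp.example:443"),
        Event("ws04", "winword.exe", "write", "%USERPROFILE%\\Documents"),
        Event("ws04", "winword.exe", "exec", "cmd.exe"),
        Event("ws04", "cmd.exe", "exec", "powershell.exe"),
        Event("ws04", "svchost.exe", "connect", "198.51.100.7:4444"),
    ]
    return {(e.process, e.action, e.target): engine.evaluate(e).value
            for e in enforcement_events}


if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(f"{verdict:8} {key}")
```

Running it shows the three outcomes side by side: the mail connection and the document write are allowed (one by rule, one by baseline), Word spawning a shell is blocked by an explicit rule even though nothing in the baseline forbids it, and both the single-host `cmd.exe` to `powershell.exe` chain and the unknown outbound connection from `svchost.exe` are contained rather than silently allowed. The ordering in `evaluate` is the design point: an administrator's rule must override learned behavior, otherwise a noisy baseline would quietly re-allow what policy was meant to stop.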
The system administrator determines the level of access and control applied to the system, to groups of users, or to an individual user. CA HIPS lets the administrator define policies that apply to specific users when they are in specific roles or locations. IT professionals and network administrators can protect against security breaches and ensure service continuity by determining what traffic is appropriate in their network environment, which applications may communicate, and even which behaviors and access rights on individual systems are allowed or blocked.

Centralized management functions provide efficient and effective logging of all relevant events to support compliance, reporting and investigations. The CA HIPS server collects and records the events that occur on each client. To help administrators make sense of the high volume of events, CA HIPS provides a set of primary criteria for filtering them; for example, the administrator can display the most recent events uploaded to the server, or examine a specific event in more detail using the additional filter criteria in a drop-down menu.
Summary
Today's aggressive, blended threats targeted at the enterprise require aggressive, blended threat defenses to counter them. The CA HIPS combination of stand-alone firewall, intrusion detection and intrusion prevention technologies provides behavior-based, proactive protection from blended threats and makes it an excellent addition to the current arsenal of enterprise threat prevention applications.
Copyright 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document AS IS without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP311740107