Host-Based IDSs

By now, all network administrators are aware that network security should be seen as a continuous process built around the security policy. This process is the four-step method described in Chapter 5: secure the system, monitor the network, test the effectiveness of the solution, and improve the security implementation. Testing the effectiveness of the IDS host sensor is an integral part of the monitoring step. A host IDS can be described as a distributed set of agents, one residing on each protected server, that monitor activity on that host in real time. The host IDS detects security violations and can be configured so that an automatic response stops the attack before it damages the system. The section that follows focuses on the Cisco Secure Agent.

Host Sensor Components and Architecture

The Cisco Intrusion Detection Host Sensor has two main components: the Cisco Secure Agent, which runs on each protected host, and the Cisco Secure Agent Manager, which manages the agents centrally. Each is described in turn.
NOTE The Cisco Secure Agent Manager is now an integral part of the CiscoWorks VMS Suite. More information can be found at the following URL: http://www.cisco.com/en/US/products/sw/cscowork/ps5212/index.html

Cisco Secure Agent

The Cisco Secure Agent is a software package that runs on each individual server or workstation to protect that host against attacks. The Cisco IDS Host Sensor (based on Entercept Security technology) provides real-time analysis of, and reaction to, intrusion attempts. The host sensor intercepts and analyzes every request to the operating system and to application programming interfaces (APIs) and blocks the request if necessary, rather than merely reporting it afterwards. The next-generation Cisco Secure Agents (based on Okena's technology) extend these capabilities further by automating the analysis and deriving protective policies for the operating system and applications. These agents control all events on files, network buffers, the registry, and COM access. The Cisco Secure Agent is built on the Security Agent's Intercept Correlate Rules Engine (INCORE) architecture. Because they can block as well as detect, host IDSs are nowadays referred to as Host Intrusion Prevention Systems (HIPS).

Figure 10-7 illustrates the architecture of the Host Sensor Agent based on the Entercept technology.

Figure 10-7. Architecture of the Host Sensor Agent

The Host Sensor Agent is installed alongside the operating system: the sensor software has to sit between the callers and the operating system so that it sees each request before the operating system acts on it, which is the only way it can protect the operating system itself. The agent protects the host against attacks launched over the network and also against attacks or malicious activity by a user who is logged in to the protected host; a network IDS cannot see the latter at all. The rules engine consists of console, agent, general, operating system, web, and FTP rules. The database contains the security policy parameters, user-defined exceptions, and a list of shielded applications.
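The interaction between the rules engine and the database just described (rule sets selected per protected service, a list of shielded applications, user-defined exceptions, and a response chosen from the verdict) can be traced in a small model. The following is an added example written for this page; it is not Cisco or Entercept code, and the rule patterns, process names, request format and port-free "category" field are constructed assumptions that stand in for the real rule language.

```python
"""Illustrative model of the host-sensor evaluation flow described above.

Example code written for this page, not Cisco or Entercept code: the rule
categories, shielded-application list, user-defined exceptions and the
escalating responses follow the text, but the rule patterns, process names
and request format are constructed assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    category: str   # rule set the engine holds: "web", "ftp", "os", ...
    pattern: str    # regular expression applied to the request (assumed form)
    severity: int   # 1 = informational, 2 = suspicious, 3 = attack


@dataclass(frozen=True)
class Request:
    process: str    # server process that received the request
    category: str   # which rule set applies to it
    payload: str
    user: str = ""  # authenticated user issuing the request, if any


@dataclass
class Policy:
    """The database: policy parameters, exceptions and shielded applications."""
    rules: list
    shielded_apps: frozenset
    exceptions: set = field(default_factory=set)  # {(rule_name, user)}


def responses_for(severity):
    """Response escalates with severity: log, then notify, then trap and block."""
    if severity >= 3:
        return ["log", "notify", "snmp-trap", "block"]
    if severity == 2:
        return ["log", "notify"]
    return ["log"]


def evaluate(policy, req):
    """Agent core: pick the rule set for the request, apply exceptions, decide."""
    if req.process not in policy.shielded_apps:
        # The agent only intercepts requests to applications it shields.
        return {"rule": None, "actions": [], "exception": False}
    for rule in (r for r in policy.rules if r.category == req.category):
        if re.search(rule.pattern, req.payload, re.IGNORECASE):
            if (rule.name, req.user) in policy.exceptions:
                # A user-defined exception downgrades the hit to a log entry.
                return {"rule": rule.name, "actions": ["log"], "exception": True}
            return {"rule": rule.name,
                    "actions": responses_for(rule.severity),
                    "exception": False}
    return {"rule": None, "actions": [], "exception": False}


# Constructed sample policy, not a real Cisco rule set.
SAMPLE_POLICY = Policy(
    rules=[
        Rule("web-dir-traversal", "web", r"\.\.[/\\]", 3),
        Rule("web-long-uri", "web", r"^\S{512,}", 2),
        Rule("ftp-site-exec", "ftp", r"^SITE\s+EXEC", 2),
        Rule("os-reg-run-key", "os", r"\\CurrentVersion\\Run\b", 3),
    ],
    shielded_apps=frozenset({"inetinfo.exe", "ftpd", "services.exe"}),
    exceptions={("ftp-site-exec", "backupsvc")},
)


def demo():
    """Run constructed requests through the model and return the decisions."""
    reqs = {
        "iis_traversal": Request("inetinfo.exe", "web",
                                 "GET /scripts/../../winnt/system32/cmd.exe"),
        "ftp_exec": Request("ftpd", "ftp", "SITE EXEC /bin/sh", user="anonymous"),
        "ftp_exec_excepted": Request("ftpd", "ftp", "SITE EXEC /bin/sh",
                                     user="backupsvc"),
        "unshielded": Request("notepad.exe", "web", "GET /../../boot.ini"),
        "benign": Request("inetinfo.exe", "web", "GET /index.html"),
    }
    return {name: evaluate(SAMPLE_POLICY, r) for name, r in reqs.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} -> {decision}")
```

Two behaviours are worth noting. A request to a process that is not on the shielded list is never evaluated, so the shielded-application list is the first thing to audit when a server appears unprotected. An exception suppresses the response but still produces a log entry; silently dropping excepted hits would hide exactly the activity an attacker who has obtained the excepted account would generate.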
Let's assume that an attempt is made to compromise the Internet Information Services (IIS) on a web server. The agent core evaluates the incoming request using the web rules stored in the rules engine and applies the policy and exception parameters. If malicious activity is detected, the appropriate reaction is determined. These actions can range from logging to notifications to SNMP traps, which are covered in the section entitled "Response to Events and Alerts."

Cisco Secure Agent Manager

The Cisco Secure Agent Manager is responsible for managing the Cisco Secure Agents and for communicating with them. It provides all management functions for all agents in a centralized manner. It also has components that notify security personnel in case of an attack and that generate reports. Because the management session carries both alarms and policy updates, it should be encrypted and authenticated, so that an attacker who reaches the management network can neither read alarms nor push a weakened policy to an agent. The Cisco Secure Agent Manager has three main components: the graphical user interface (GUI), the server, and the notification handler. Both the GUI and the server are linked to a database where the configuration information is stored. The agents connect directly to the server. When an agent sends an alarm to the server, the server instructs the notification handler to carry out all configured notification requests, such as e-mail and pager notification.

Deploying Host-Based Intrusion Detection in the Network

The deployment of host-based IDSs throughout an organization's network requires a very well-thought-out design. A few design and deployment considerations are discussed in this section, but the details of deploying host-based IDSs are beyond the scope of this book. Based on what the organization's security policy defines, the network designer is responsible for identifying and deciding which systems to protect.
A clear objective during the design phase is defining the different system types: Are the servers UNIX or Windows platforms? Do you need to protect only servers, or desktop computers and laptops as well? And so on. The number of Cisco Secure Agent Managers required grows with the number of Cisco Secure Agents installed, and the number of agents and Agent Managers has a direct impact on personnel, as described in the section "Organizational Issues and Complications" earlier in this chapter.

Figure 10-8 illustrates a host IDS deployment for a company with remote users connecting over a public infrastructure to the corporate network.

Figure 10-8. Host IDS Deployment

Probably the most important consideration in the design phase is the IDS management communication. The agents communicate with the Agent Manager on a specific TCP port. This matters when agents reside on networks other than the Agent Manager's network, which is the case for agents running in a DMZ or in a branch or remote home office. Commonly, agents are deployed on the web, mail, Domain Name System (DNS), FTP, and other servers in the DMZ. Traffic between the agents on these servers and the Agent Manager must be allowed through the firewall, and it should be allowed narrowly: only those hosts, only that port, only to the Agent Manager, so that the management channel does not become a general path from the DMZ into the inside network. For remote offices or home offices, a VPN with IPSec should be used for the management channel between the agent and the Agent Manager, so that alarms and policy updates are not exposed on the public infrastructure. More details on management communication follow later in this chapter. A last criterion to consider when designing your IDS deployment plan is database management: pay attention to disk space, disk redundancy, backup scenarios, and so on.
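The firewall rule the DMZ case calls for, written as an added example in Cisco IOS extended-ACL syntax. This is not configuration from the page or from Cisco documentation; the addresses, the interface name and the management port number (TCP 5000 is a placeholder, the page does not state the real port) are assumptions and must be replaced with your own values.

```cisco
! Added deployment example, not from the page or from Cisco documentation.
! Assumptions (none of these values are given on the page):
!   10.1.1.10      Cisco Secure Agent Manager on the inside management LAN
!   192.0.2.0/24   DMZ; 192.0.2.10 = web server, 192.0.2.25 = mail server,
!                  192.0.2.53 = DNS server, each running a Cisco Secure Agent
!   TCP 5000       placeholder for the agent-to-manager management port;
!                  substitute the port your Agent Manager actually listens on
!
! Applied inbound on the DMZ interface, so it governs connections that the
! DMZ hosts initiate. Only the agent hosts may reach the manager, and only on
! the management port; everything else from the DMZ toward the inside is
! dropped and logged, which is also how a misconfigured agent shows up.
ip access-list extended DMZ-IN
 remark --- host IDS agents -> Cisco Secure Agent Manager, nothing else ---
 permit tcp host 192.0.2.10 host 10.1.1.10 eq 5000
 permit tcp host 192.0.2.25 host 10.1.1.10 eq 5000
 permit tcp host 192.0.2.53 host 10.1.1.10 eq 5000
 remark --- block and log any other DMZ -> inside attempt ---
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark --- the servers' legitimate Internet-facing traffic goes below ---
 permit tcp 192.0.2.0 0.0.0.255 any established
 permit tcp host 192.0.2.25 any eq 25
 permit udp host 192.0.2.53 any eq 53
 permit udp host 192.0.2.53 eq 53 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description DMZ segment (assumed interface name)
 ip access-group DMZ-IN in
```

Check the rule with show access-lists DMZ-IN after the agents have started: the three permit lines should accumulate hit counts, and a rising count on the deny toward 10.0.0.0/8 points at an agent configured with the wrong manager address or port. If your Agent Manager version also opens connections toward the agents (for policy pushes), add the mirror-image permit on the inside interface rather than loosening this one. For the branch or home-office case the same port is carried inside the IPSec tunnel, so the tunnel endpoints' crypto ACL, not this interface ACL, is where the agent-to-manager traffic must be matched.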