DFW UNIX Users Group
Content Last Modified on March 05, 2005, at 03:03 AM CST

*nix SOHO Protect Strategy01

  
Today's focus:  Host-based security controls

By Andreas M. Antonopoulos

One of the most costly and time-consuming enterprise security
tasks is patch management.

Estimates of the cost of patch management vary - with some
saying organizations spend millions of dollars per year - but
it's indisputable that IT executives have to audit hundreds or
even thousands of desktops and servers to discover which are
un-patched and apply the appropriate patches. Without thorough
testing, patches may cause unanticipated software conflicts and
errors. And while this effort is ongoing, new patches are
released almost daily. No wonder IT executives seek alternative
approaches!

A contributing challenge is the fact that an organization's
security perimeter is no longer clearly defined. With laptops
coming and going, it's easy for a virus or worm to enter behind
a firewall and wreak havoc from within. As the perimeter has
eroded, IT executives have built a new perimeter around every
desktop and server in their networks. Using host-based security
products such as personal firewalls and desktop intrusion
prevention systems (IPS), IT managers can provide a "personal"
perimeter that protects each host.

The advantages of moving the perimeter to the host are
significant. A host-based firewall can keep a vulnerable,
un-patched service from being reached at all, and a host-based
IPS can block attempts to exploit it, which protects the host
even against exploits for which no patch or signature yet exists
(zero-day exploits). Furthermore, host-based firewalls can block
unauthorized outgoing traffic from the host. This means that
even if a host is infected by malware, the infection is far less
able to spread to the rest of the infrastructure (the caveat
being that malware which gains the privileges needed to disable
or rewrite the host firewall is no longer contained by it).
Host-based protection therefore compartmentalizes the network
host by host, protecting each host from its neighbors and vice
versa.

Some of the technologies that can be deployed for host-based
protection include:

* Anti-virus - the most common host-based protection, anti-virus
  is already deployed on most systems in enterprises. All
  participants in a recent Nemertes benchmark reported using at
  least some anti-virus software, and most deploy it at multiple
  levels (on the desktop, on the server and at the gateway).

* Personal network firewalls - a host firewall filters the host's
  own incoming and outgoing traffic by address, port and
  connection state, stopping malware from propagating from system
  to system.

* Personal application firewalls - application firewalls can
  control which software packages on a host are allowed to use the
  network, which ports they can use and whether they can receive
  connections from other hosts.

* Operating system protection - monitoring and controlling
  access to files, system calls and shared libraries (and, on
  Windows, the registry and DLLs) can protect the host from
  Trojans, key-loggers and viruses even after these have
  compromised part of the OS.

* Host-based IPS - combining behavioral analysis with signature
  filters, a host-based IPS packages the best features of
  anti-virus, network firewalls and application firewalls in one
  agent.
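The "personal perimeter" described above, and the personal network
firewall and application firewall items in the list, as one concrete
*nix configuration. This is an added example, not code from the
article or from any of the products it names: a POSIX shell function
that generates an iptables ruleset (in iptables-restore format) giving
one host default-deny inbound and outbound policies, stateful
acceptance of replies, inbound SSH only from the LAN, and an outbound
allow-list keyed to the system user that owns the sending process
(iptables' owner match, which is the closest thing Linux has to a
per-application firewall). The LAN range, resolver address and user
names are hypothetical placeholders, and the function, its parameters
and the "ntp" service account are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate an iptables
# ruleset that turns one *nix host into its own "personal perimeter".
#   - INPUT and OUTPUT default to DROP; only replies to connections the
#     host itself opened come back in (stateful matching).
#   - Inbound: SSH only from the LAN, rate-limited; everything else is
#     logged and dropped, so an unpatched listening service is unreachable.
#   - Outbound: an allow-list keyed to the system user owning the sending
#     process (-m owner). Malware running as another user, or a worm
#     trying to scan the LAN, matches no rule and is logged and dropped.
# All addresses, user names and the "ntp" account are hypothetical.
# Output is iptables-restore format; review it, then load it with
#   iptables-restore < host-fw.rules
# from a console you cannot lock yourself out of.

gen_host_ruleset() {
    lan="$1"        # trusted LAN range, e.g. 192.168.1.0/24
    resolvers="$2"  # space-separated DNS resolvers this host may query
    web_users="$3"  # space-separated users allowed to reach 80/443
    admin="$4"      # user allowed to ssh out to other LAN machines

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened; packets with broken state are dropped
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inbound: SSH from the LAN only, throttled against password guessing
-A INPUT -p tcp -s $lan --dport 22 -m conntrack --ctstate NEW -m limit --limit 4/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -s $lan -j ACCEPT
-A INPUT -j LOGDROP
EOF
    # outbound DNS only to the configured resolvers (blocks lookups and
    # DNS tunnelling through arbitrary servers); any local user may resolve
    for r in $resolvers; do
        printf '%s\n' "-A OUTPUT -p udp -d $r --dport 53 -j ACCEPT"
        printf '%s\n' "-A OUTPUT -p tcp -d $r --dport 53 -j ACCEPT"
    done
    # time sync only from the ntp daemon's own (assumed) account
    printf '%s\n' "-A OUTPUT -p udp --dport 123 -m owner --uid-owner ntp -j ACCEPT"
    # web access only for the named interactive users
    for u in $web_users; do
        printf '%s\n' "-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m owner --uid-owner $u -j ACCEPT"
    done
    cat <<EOF
# the admin may ssh to other LAN hosts; nothing else may initiate outbound traffic
-A OUTPUT -p tcp -d $lan --dport 22 -m owner --uid-owner $admin -j ACCEPT
-A OUTPUT -j LOGDROP
# log (rate-limited, so an infected host cannot flood the log) and drop
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "host-fw drop: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# sample invocation with constructed placeholder values; prints the ruleset
gen_host_ruleset "192.168.1.0/24" "192.168.1.1" "alice" "alice"
```

The owner match only applies to locally generated packets, which is
why it appears on OUTPUT rules only; it identifies the uid of the
socket, so services that should speak on the network need their own
dedicated accounts for this to mean anything. The LOGDROP entries are
what you watch: a burst of "host-fw drop" lines from a user or port
that has no business on the network is the infected-host signal the
article is talking about.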

Host-based protection offers the opportunity to escape the
firefighting of patch management, allowing IT executives to
prioritize patches by actual exposure rather than treating every
release as an emergency. It lowers the urgency of patching, not
the need for it.

Without host-based protection, a single infected system can
wreak havoc on the enterprise's infrastructure. For many IT
executives, malware is a recurring nightmare that keeps
reappearing every time an unpatched host appears anywhere on the
network. This all-or-nothing state of security, where a single
weak link can re-create a wave of malware infections, is a
constant drain on resources. By applying host-based protection,
each host becomes a "bastion" within the network, and security
breaches from malware are contained.

RELATED EDITORIAL LINKS

Cisco Security Agent
http://www.cisco.com/en/US/products/sw/secursw/ps5057/

McAfee Host-IPS
http://www.nwfusion.com/nldatacenter800

ISS RealSecure
http://www.nwfusion.com/nldatacenter801
_______________________________________________________________
To contact: Andreas M. Antonopoulos

Andreas M. Antonopoulos is principal research analyst at
Nemertes Research. He can be reached at
<mailto:andreas@nemertes.com>
_______________________________________________________________


Copyright Network World, Inc., 2004  
