
7. Host-Based IDPS

7.3.2 Operation

Host-based IDPSs should be operated according to the recommendations presented in Section 3.3.2. The only exception is in updating the agents. Some agents can periodically check the management server for updates and automatically retrieve and install or apply those updates. Other agents cannot do this, requiring an administrator to manually check for, transfer, and install or apply updates. In many cases, an agent’s update capability is related to the type of operating system on which it is deployed.

7.4 Summary

Host-based IDPSs monitor the characteristics of a single host and the events occurring within that host for suspicious activity. Examples of the types of characteristics a host-based IDPS might monitor are wired and wireless network traffic, system logs, running processes, file access and modification, and system and application configuration changes. Most host-based IDPSs have detection software known as agents installed on the hosts of interest. Each agent monitors activity on a single host and, if prevention capabilities are enabled, also performs prevention actions. The agents transmit data to management servers. Each agent is typically designed to protect a server, a desktop or laptop, or an application service.

The network architecture for host-based IDPS deployments is typically very simple. Because the agents are deployed to existing hosts on the organization’s networks, the components usually communicate over those networks instead of using a management network. Host-based IDPS agents are most commonly deployed to critical hosts such as publicly accessible servers and servers containing sensitive information.

However, because agents are available for various server and desktop/laptop operating systems, as well as specific server applications, organizations could potentially deploy agents to most of their servers and desktops/laptops. Organizations should consider several criteria when selecting agent locations, including the need to analyze activity that cannot be monitored by other security controls; the cost of the agents’ deployment, maintenance, and monitoring; the OSs and applications supported by the agents; the importance of each host’s data or services; and the ability of the network infrastructure to support the agents’ communications.

Most IDPS agents alter the internal architecture of the hosts on which they are installed through shims, which are layers of code placed between existing layers of code. Although it is less intrusive to the host to perform monitoring without shims, which reduces the possibility of the IDPS interfering with the host’s normal operations, monitoring without shims is also generally less accurate at detecting threats and often precludes the performance of effective prevention actions.

Host-based IDPSs provide a variety of security capabilities. They typically perform extensive logging of data related to detected events and can detect several types of malicious activity. Detection techniques used include code analysis, network traffic analysis, network traffic filtering, filesystem monitoring, log analysis, and network configuration monitoring. Host-based IDPSs that use combinations of several detection techniques should generally be capable of achieving more accurate detection than products that use one or a few techniques, because each technique can monitor different characteristics of hosts.
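The log analysis technique listed above can be illustrated with a small detector. The following is an added example written for this page, not code from NIST SP 800-94 or from any IDPS product: it parses constructed sshd-style authentication log lines and alerts when one source address accumulates more failed logins than a threshold within a sliding time window. The log format, the threshold of five failures, and the 60-second window are assumptions chosen for the demonstration; a real agent would expose them as tunable policy.

```python
"""Added example (not from NIST SP 800-94): a minimal host-based log analysis
detector. It parses constructed sshd-style authentication log lines and flags a
source address that produces `threshold` failed logins within `window_seconds`.
Log format, threshold and window are assumptions made for this demonstration."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (syslog-style; the year is omitted as in classic syslog).
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 10 08:00:03 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar 10 08:00:05 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar 10 08:00:06 host1 sshd[1207]: Failed password for root from 203.0.113.5 port 50125 ssh2
Mar 10 08:00:08 host1 sshd[1209]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar 10 08:00:09 host1 sshd[1211]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:05:00 host1 sshd[1301]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar 10 08:20:00 host1 sshd[1401]: Failed password for bob from 198.51.100.9 port 40101 ssh2
"""

# Assumed line layout: timestamp, host, process, then the sshd result message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one log line into a dict, or return None for lines the detector ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect_failed_logins(log_text, threshold=5, window_seconds=60):
    """Return a list of (src, count, first_ts, last_ts) alerts.

    An alert is raised the first time `threshold` failures from one source fall
    within a window of `window_seconds`; each source alerts at most once so a
    long-running burst does not flood the management server."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], len(q), q[0], q[-1]))
    return alerts


if __name__ == "__main__":
    for src, count, first, last in detect_failed_logins(SAMPLE_LOG):
        print(f"ALERT: {count} failed logins from {src} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

With the defaults only 203.0.113.5 alerts (five failures in seven seconds); the two failures from 198.51.100.9 are fifteen minutes apart and age out of the window. Loosening the policy to two failures in an hour makes both sources alert, which is the kind of tuning trade-off between sensitivity and false positives that Section 7.4 refers to.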

Organizations should determine which characteristics need to be monitored and select IDPS products that provide adequate monitoring and analysis of those characteristics.

Host-based IDPSs usually require considerable tuning and customization. For example, many rely on observing host activity and developing baselines or profiles of expected behavior. Others need to be configured with detailed policies that define exactly how each application on a host should behave. As the host environment changes, administrators should ensure that host-based IDPS policies are updated to take those changes into account.
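The baseline approach described above, applied to filesystem monitoring, amounts to recording what the monitored files look like in a known-good state and reporting later deviations. The following is an added example written for this page, not code from NIST SP 800-94 or from any IDPS product: it builds a baseline of SHA-256 digests and sizes for every regular file under a monitored root, then reports files that were added, modified, or deleted. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Added example (not from NIST SP 800-94): a minimal filesystem-monitoring
baseline of the kind a host-based IDPS agent maintains. The baseline maps each
regular file under a monitored root to (sha256, size); a later check reports
files added, modified or deleted relative to it. All paths and contents in
demo() are constructed for this demonstration."""
import hashlib
import os
import tempfile


def _digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record (sha256, size) for every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):      # symlinks are not hashed; follow policy, not the link
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (_digest(full), os.path.getsize(full))
    return baseline


def check_against_baseline(root, baseline):
    """Compare the current tree with `baseline`; return sorted added/modified/deleted lists."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        # Digest comparison catches same-size edits that a size-only check would miss.
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, alter it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen=127.0.0.1\nmode=safe\n")
        with open(os.path.join(root, "bin", "tool"), "wb") as f:
            f.write(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Three changes the agent should flag: a same-size config edit, a new file
        # in a monitored directory, and a removed binary.
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("listen=127.0.0.1\nmode=open\n")
        with open(os.path.join(root, "etc", "new_service.conf"), "w") as f:
            f.write("enabled=true\n")
        os.remove(os.path.join(root, "bin", "tool"))
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points follow from the code. The baseline itself must be stored where a compromised host cannot rewrite it (for instance on the management server), or an attacker who alters a file can simply re-baseline. And because this is a scan-style check, it only sees changes at the next run; that is exactly the periodic-detection delay discussed later in this section, which agents that hook file access in real time avoid at the cost of being more intrusive.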

Host-based IDPSs have some significant limitations. Some detection techniques are performed only periodically, such as hourly or a few times a day, to identify events that have already happened, causing significant delay in identifying certain events. Also, many host-based IDPSs forward their alert data to the management servers in batches a few times an hour, which can cause delays in initiating response actions.

Because host-based IDPSs run agents on the hosts being monitored, they can impact host performance because of the resources the agents consume. Installing an agent can also cause conflicts with existing host security controls, such as personal firewalls and VPN clients. Agent upgrades and some configuration changes can also necessitate rebooting the monitored hosts.

Host-based IDPSs offer various intrusion prevention capabilities; these vary based on the detection techniques used by each product. Code analysis techniques can prevent code from being executed; this can be very effective at stopping both known and previously unknown attacks. Network traffic analysis can stop incoming and outgoing network traffic containing network, transport, or application layer attacks, wireless networking protocol attacks, and the use of unauthorized applications and protocols.

Network traffic filtering works as a host-based firewall and stops unauthorized access and acceptable use policy violations. Filesystem monitoring can prevent files from being accessed, modified, replaced, or deleted, which can stop malware installation and other attacks involving inappropriate file access. Other host-based IDPS detection techniques generally do not support prevention actions because they identify events well after they have occurred.

Some host-based IDPSs offer additional capabilities related to intrusion detection and prevention, such as enforcing restrictions on the use of removable media, detecting the activation or use of audiovisual devices, automatically hardening hosts on an ongoing basis, monitoring the status of running processes and restarting failed ones, and performing network traffic sanitization.