Host Intrusion Prevention: A New Approach to Keeping Systems Safe

Host-based intrusion prevention runs as a software agent on a user's system, looking for unauthorized actions

As the frequency and severity of worms, viruses, and malware grows, so does interest in finding additional ways to block them. Antivirus software uses signatures of known threats to find and block worms, and firewalls block inappropriate network requests, but both approaches have their limits.

An emerging complement to traditional protection is host-based intrusion prevention. With this technology, a software agent runs on a machine and watches what the machine is doing. If something unauthorized occurs—say an unknown worm gets onto the PC and begins installing a TCP server—the software blocks it, then alerts security managers.

To discuss the state of host intrusion prevention, Security Strategies spoke with Homayoon "TJ" Tajalli, president and CEO of software vendor Platform Logic.

What’s the state of host intrusion prevention?

Host intrusion prevention means different things to different people, and the way we like to address this is: a piece of software on the machine itself, able to address attacks, or at the very least substantially contain what the attack is going to be able to do on the machine and [before it] propagates onto other systems.

That’s the problem we’re trying to solve. We want the security manager’s job to not be so event-driven—patch of the day, endless misconfigurations—by … having policies on various machines that basically identify the applications that can run on these machines, or the user.

So we’re … deciding which applications to run, and what kinds of resources those applications can access under normal operating conditions in a way that the user can do the job they need to do on the machine but the admin can ensure that the machine isn’t going to be compromised by the attack of the day—or week.

What’s your company’s security background?

[Some of the team] helped build the Gauntlet Firewall … the team has a lot of expertise in network security as well as building highly trusted operating systems for the Department of Defense, and other organizations.

Where is this sort of “what is the software permitted to do” work occurring—more at the operating system level or with network security?

Security problems are going to show up in both places, and you really need to be on both sides to address all the security issues. Eventually any attack is going to be targeted to a [specific] machine.

Are attacks companies face today getting more sophisticated?

The attacks we’re seeing today were theoretical a few years ago.

Can host intrusion prevention software replace antivirus software?

There are certain types of attacks, ones attacking data on your machine, that you need antivirus for, but for the majority of attacks that are really out there and trying to be disruptive to an organization … you need another type of system which is a containment system, and that’s what we have.

What role could a “trusted operating system” play in restricting applications’ behavior?

These secure OSes were built with principles saying, these applications should not be able to go wild on the system, which is what’s happening today.

The firewalls we have today… [come from] those concepts. A lot of them come from the safe principles and paradigms. Even a trusted operating system has two principles: a principle of least privilege, and then mandatory access control for an application. But an application can still be compromised … what you want to make sure is the damage is contained.

So nothing is absolutely secure?

As we know, people who write code, they’re not perfect, and as applications and OSes get more and more complex, you are going to find flaws. Attackers are going to find holes, and once that application has any capability beyond what it needs on the system, that application is going to be compromised. And if we count on a user to not take [security] advice … that’s how viruses and worms get around. People are not perfect either. So host intrusion prevention helps ensure these things don’t get around.

Is your host intrusion prevention an appliance?

No—one part can be an appliance, a security management part, controlling the software that’s running on the various machines … but we haven’t chosen to do that. It’s software that you install on any system.

Does running an agent on a computer gobble resources?

We are looking at particular system calls that have to do with accessing resources. We don’t necessarily care once a resource has been opened what data you’re putting in there—in most cases. So we’re generally taking less than one to two percent of the CPU … and as you know that’s substantially less than an antivirus package which has to look at all that data and compare it with thousands of signatures.

Do you have pre-built intrusion detection tie-ins to applications?

Absolutely. What we’ve said is, if we need to send this to people and if they have to tune that, no one’s going to be able to [use] this out of the box. Out of the box, we have presets for the OS functionality, including RPC Service, DNS—that’s where a lot of these attacks have started. We also have presets for Exchange, Apache on Unix, SQL Server, [and] things like Outlook [and] Office applications. So out of the box, we’re giving them policy assistance they should be able to put on 90 percent of systems without tweaking at all, though [they can do that too]; that’s mostly for larger companies.

Let’s say a worm hits, what does your software do?

Your company could have set your machine up so that out of the box, you were prevented from opening that virus or worm or even downloading it. Alternately, the system could have been set up so that you could download or put anything on there, but once you started running it, the software would have been confined enough so that it wouldn’t be able to do any damage.

If you wanted something to be in a strictly controlled environment, we have a policy. [In fact] we have a least-contained policy—[it] allows one to do the most things, including downloading and running any programs. Then there’s limited execution, then a strict policy—which allows any of the programs which have been loaded onto the machine to run, but new downloads cannot run. And then the most contained, which only allows users to run programs defined by the IT department.

What’s one example of a recent attack your software will stop?

Privilege escalation—whether it’s done by misusing your program or [by] creating a buffer overflow.

What are common customer questions vis-à-vis host intrusion prevention?

Customers are getting very confused out there as to where I put these security solutions—in front of the perimeter, on the PC, behind the perimeter. We believe, don’t get rid of what you have at the network level. Don’t get rid of the antivirus. But you do need another kind of software on your machine to protect it.

For example, if you have [a software firewall] on your machines, they are only looking at network traffic, and based on that, they’re no better than a firewall on the network. You’re still open to attacks that the firewall doesn’t catch.

We look beyond that to everything applications on the machine can and cannot do. We just want people to understand that a personal firewall on the machine is different in terms of what it can or cannot stop.

So customers often conflate host intrusion prevention with firewalls?

Yes, until we explain the difference to them: a firewall is … not putting a policy on the machine saying what it can or cannot do, not restraining each routine to the least privilege it needs to have.

Where does host intrusion prevention go from here?

We’ll have more protection modules as time goes on, and … [more capability to] choose which programs they do or do not want to run in their environment. Right now, for example, if you don’t have a profile, and something happens, it can be contained by generic controls, but customers want more control over what happens in these cases, including reporting capabilities, things like that, and it’s our responsibility to integrate with event monitors—[such as from] Computer Associates, to do event monitoring, logging, security monitoring, and with security consoles for managing [it all]. So you’ll see more and more seamless integration as time goes on.
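To make the mechanism described in the interview concrete, here is a small policy engine written for this article; it is not Platform Logic's product or code and nothing in it describes how their agent is built. It models the three ideas Tajalli describes: a per-application profile stating which resources a program may touch under normal operation, the four containment tiers (least-contained, limited execution, strict, most contained) that decide whether a program may run at all, and enforcement at the point a resource is opened rather than by inspecting the data written to it. The application names, file paths, profiles, the `invoice.exe` worm scenario and the interpretation of "limited execution" are all assumptions constructed for the example.

```python
"""Toy policy engine for a host intrusion prevention agent (added illustration,
not Platform Logic's code). It models a per-application profile naming the
resources a program may touch, tiered containment policies deciding which
programs may run at all, and enforcement when a resource is opened (the
system-call boundary). All names, paths, profiles and events are constructed."""
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatch

class Tier(str, Enum):                       # most permissive first, as in the interview
    LEAST_CONTAINED = "least-contained"      # any program may run, downloads included
    LIMITED_EXECUTION = "limited-execution"  # see _check_exec for the assumption used
    STRICT = "strict"                        # installed programs run, new downloads do not
    MOST_CONTAINED = "most-contained"        # only IT-defined programs run

@dataclass(frozen=True)
class Profile:                # what one application may do under normal operation
    name: str
    files_ro: tuple = ()      # glob patterns it may open for reading
    files_rw: tuple = ()      # glob patterns it may open for writing (implies reading)
    may_listen: bool = False  # may it bind a listening socket, i.e. start a server?
    may_spawn: tuple = ()     # child programs it may launch

@dataclass(frozen=True)
class Event:                   # one request intercepted before the kernel services it
    app: str                   # program making the request (or being started, for exec)
    action: str                # "exec", "open_read", "open_write", "listen", "spawn"
    target: str = ""           # path, port or child program, depending on action
    downloaded: bool = False   # exec only: did the binary arrive from the network?
    it_approved: bool = False  # exec only: is it on the IT department's list?

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Constructed presets standing in for the per-application policies a product ships.
PROFILES = {
    "outlook": Profile("outlook", files_ro=("/home/*", "/usr/share/*"), files_rw=("/home/*/mail/*",)),
    "httpd": Profile("httpd", files_ro=("/var/www/*", "/etc/httpd/*"),
                     files_rw=("/var/log/httpd/*",), may_listen=True),
}
# Generic controls for any program without a profile: read user and system files,
# write only under /tmp, never listen for connections or launch other programs.
GENERIC = Profile("<generic>", files_ro=("/home/*", "/usr/*"), files_rw=("/tmp/*",))

class HostIPS:
    def __init__(self, tier: Tier, profiles=PROFILES, generic=GENERIC):
        self.tier, self.profiles, self.generic = tier, profiles, generic
        self.alerts: list[str] = []   # blocked actions, reported to the security manager

    def evaluate(self, ev: Event) -> Decision:
        """Allow or block one event; anything blocked is recorded as an alert."""
        if ev.action == "exec":
            d = self._check_exec(ev)
        else:
            d = self._check_resource(ev, self.profiles.get(ev.app, self.generic))
        if not d.allowed:
            self.alerts.append(f"[{self.tier.value}] {ev.app} {ev.action} {ev.target}: {d.reason}")
        return d

    def _check_exec(self, ev: Event) -> Decision:
        known = ev.app in self.profiles
        if self.tier is Tier.MOST_CONTAINED and not ev.it_approved:
            return Decision(False, "only IT-defined programs may run")
        if self.tier is Tier.STRICT and ev.downloaded:
            return Decision(False, "new downloads cannot run")
        # Assumption: the interview does not define "limited execution"; here a
        # download may run only when a profile exists to confine it.
        if self.tier is Tier.LIMITED_EXECUTION and ev.downloaded and not known:
            return Decision(False, "unprofiled download blocked")
        return Decision(True, "runs under profile" if known else "runs under generic controls")

    def _check_resource(self, ev: Event, prof: Profile) -> Decision:
        if ev.action == "open_read":
            ok = any(fnmatch(ev.target, p) for p in prof.files_ro + prof.files_rw)
        elif ev.action == "open_write":
            ok = any(fnmatch(ev.target, p) for p in prof.files_rw)
        elif ev.action == "listen":
            ok = prof.may_listen
        elif ev.action == "spawn":
            ok = ev.target in prof.may_spawn
        else:
            return Decision(False, f"unknown action {ev.action!r}")
        return Decision(ok, f"{'within' if ok else 'outside'} profile {prof.name}")

def worm_scenario(tier: Tier) -> list[Decision]:
    """Constructed worm: a downloaded binary starts a TCP server and overwrites a system file."""
    ips, decisions = HostIPS(tier), []
    steps = [Event("invoice.exe", "exec", downloaded=True), Event("invoice.exe", "listen", "tcp/4444"),
             Event("invoice.exe", "open_write", "/usr/bin/svchost"), Event("invoice.exe", "open_write", "/tmp/stage2")]
    for e in steps:
        decisions.append(ips.evaluate(e))
        if e.action == "exec" and not decisions[-1].allowed:
            break   # the program never started, so there is nothing further to intercept
    return decisions

if __name__ == "__main__":
    for tier in Tier:
        print(f"{tier.value:18} {[d.allowed for d in worm_scenario(tier)]}")
```

Running the module prints, for each tier, which of the worm's four steps were allowed. Under the least-contained tier the unknown download is allowed to run, but the generic controls still block its attempt to start a TCP server and to overwrite a file outside `/tmp`, which is the containment-rather-than-signature point made above; under the strict and most-contained tiers it never runs at all. The engine only looks at the open, listen, spawn and exec requests, never at the bytes written, which is why such an agent can stay cheap compared to signature scanning.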

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.