Q&A: Sorting Out Desktop Protection Technologies

The differences between signature-based, access control, and intrusion prevention products

For securing desktops and servers against spyware, viruses, and common vulnerabilities, companies can choose between signature-based, intrusion prevention, and access control products. So what’s the difference?

To discuss these technologies, Security Strategies spoke with Scott Olson, vice president of marketing at Mirage Networks.

How prevalent are host-based intrusion prevention systems (HIPS) on the desktop?

We run across HIPS solutions quite a bit. What generally happens is, the promise of HIPS is pretty good. It’s basically saying I’m going to wrap around your OS [operating system], I’m going to behaviorally detect certain types of attacks, such as buffer overflows, and I’ll block anything bad.

How did HIPS come about?

If you look at the evolution of HIPS, what [developers] really came up with was a way to protect servers, as a way to baseline — what kind of application activity you have on your system.

So take a mail server, database server — [or later] what was really driving this was — IP telephony. Take Cisco’s acquisition of Okena [in 2003]. One of the main reasons they were looking at HIPS solutions—this is all my opinion—was they were looking at VoIP infrastructure and — there were still PCs that could be vulnerable to worms and outbreaks, and if your phone server went down, your telephony went down.

What’s the difference between HIPS on a server and a desktop?

On servers, after a little time for creating a baseline, HIPS works great—you can determine which applications are supposed to run, because there’s no variety. — And for company-owned appliance servers, like a call manager, you don’t need to baseline it, because you know already which applications and processes are supposed to run on there, and anything outside that is going to be blocked.

[Meanwhile] HIPS on the desktop creates a good protection against things like buffer overflows, but for social-engineering attacks — it doesn’t prevent the user from downloading a malicious file, for example. — Also the overhead of managing HIPS on the desktop just doesn’t provide the return people are looking for. The benefits are less [on desktops] and the overhead is always way more than people expect. —

How mature is HIPS on the desktop?

Sana is a good example of a HIPS provider. Up until six months ago they didn’t even have a desktop version. — The problem is, in a desktop version, HIPS loses a lot of its effectiveness because it doesn’t know which applications should be running. Even in a small company, variety is huge. — So a lot of what happens is you have to take proactive capabilities out of HIPS, or else you flood the help desk — or else you have to pop up a number of screens asking the user if something should or should not run, and eventually you just say yes.

What other HIPS software is available?

You have programs like Intercept from McAfee and CSA [Cisco Security Agent] from Cisco. You have personal firewalls, like Checkpoint and Sygate. The main difference between HIPS and personal firewalls is the personal firewalls wrap around services—FTP, telnet—whereas the HIPS take that a level deeper. They wrap around the OS, and wrap around the system calls that are going into the OS.

Beyond HIPS, what else are organizations using to combat such threats as spyware and viruses?

At a higher level, you have signature-based solutions looking for threats and to remediate those threats, and to date they have had the widest adoption and use because they don’t have false positives. —

What IT managers are really most concerned about is protecting the network from one PC; they’re not as concerned about the one infected PC itself. (Though if I define it as an infected PC, I can isolate and clean it.) [Yet] HIPS is really intended to lock down and protect a single PC from the rest of the world. It will never work for contractors and other people coming into your network, and even within your company, there will be variations.

How does Mirage approach the problem?

We monitor the traffic on any given VLAN [virtual LAN], and provide the access control for any assets on that VLAN, such that if they’re [seen as threat] — we can remove them.

This is a pretty important category that’s emerging, especially as more threats today are coming from the users’ endpoints, not from outside the network. — We look for things like worms, mass-mailer viruses, and other security violations inside the network.

Which VLANs do you work with?

It applies to all network switches, whether it’s Foundry, Extreme, Cisco—your whole slew of switches. We work with those, and we can work either off a spam port, or a rewrite port. We actually use behavioral detection, we do not use signatures. —

Many attacks are really concerned with making use of the unused IP addresses in your network, so we [monitor] which IP addresses [should be] used or unused.

What’s an example of what you can spot?

Anything that is trying to propagate and find targets for propagation, we will catch, because by necessity they will touch a number of unused IP addresses. — We actually respond on behalf of those unused IP addresses, and — can slow [attackers] down, through what we call snaring. Or if it’s a TCP/IP handshake, then we actually complete that, and keep the packet size very small, and the delay very long. Or there’s cloaking, where we completely take a PC off the network.

How does cloaking work?

First there’s a detection event—[something] is violating a security policy. Then we change the ARP [address resolution protocol] table so it essentially takes that computer off the network. Then the notification is through the management console itself — and the IP and MAC addresses are provided to the IT manager.

So how do you avoid having agents on every PC?

We don’t reconfigure ACLs [access control lists] on the switches. We — change the ARP table so the attacker needs to route all communications through us; then — for any responding device, we change the ARP tables so that any PC that wants to communicate does so through us.

How many appliances does this require?

One appliance can cover up to 1,000 endpoints and 32 VLANs. That’s about a gigabit of traffic.

Related Articles:

Ignorance of Spyware in the Enterprise Still High

New Enterprise Tools Attack Spyware

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.