Endpoint Protection and Management
Host and server based security components and technologies

It is critical to protect network hosts, such as workstation PCs and servers. Hosts should be secured as they are added to the network and kept up to date with security patches as they become available. Beyond that, anti-virus software, firewalls, and intrusion detection are valuable tools for securing hosts. Because many business resources may reside on a single file server, it is especially important that servers remain secure and available.

Device Hardening
When a new operating system is installed on a computer, all security settings are at their default values, and in most cases that level of security is inadequate. A few simple steps apply to almost every operating system:

  • Default usernames and passwords should be changed immediately.
  • Access to system resources should be restricted to the individuals who are authorized to use them.
  • Any unnecessary services and applications should be disabled and, where possible, uninstalled.
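The three hardening steps above can be turned into an automated check. The following is an added example, not code from the original page or from any vendor product: it audits a host's account database and listening sockets against a small policy. The `/etc/passwd`, `/etc/shadow` and `ss -lntp` samples are constructed for the example, and the policy values (`DEFAULT_ACCOUNTS`, `ALLOWED_PORTS`) are assumptions that a real deployment would set per host role.

```python
import re

# Constructed sample data standing in for /etc/passwd, /etc/shadow and the
# output of `ss -lntp`; none of it comes from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
admin:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:*:19000:0:99999:7:::
"""

LISTENING = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=702,fd=4))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=540,fd=7))
"""

# Assumed policy for this example: vendor/default account names that must be
# renamed or removed, and the only services this host is supposed to expose.
DEFAULT_ACCOUNTS = {"admin", "guest", "test", "user"}
ALLOWED_PORTS = {22}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def login_accounts(passwd_text):
    """Return {name: shell} for accounts that can actually log in."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN_SHELLS:
            accounts[fields[0]] = fields[6]
    return accounts


def weak_password_accounts(shadow_text):
    """Accounts whose password field is empty: anyone can log in with no password."""
    weak = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            weak.add(fields[0])
    return weak


def exposed_services(ss_text):
    """Parse `ss -lntp` lines into (port, process) for sockets bound to all interfaces."""
    pattern = re.compile(r'^LISTEN\s+\S+\s+\S+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
    found = []
    for line in ss_text.splitlines():
        m = pattern.match(line)
        if m and m.group(1) in ("0.0.0.0", "*", "[::]"):
            found.append((int(m.group(2)), m.group(3)))
    return found


def audit_host(passwd_text, shadow_text, ss_text):
    """Apply the three hardening checks and return a sorted list of findings."""
    findings = []
    accounts = login_accounts(passwd_text)
    for name in accounts:
        if name in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{name}' still has a login shell")
    for name in weak_password_accounts(shadow_text):
        if name in accounts:
            findings.append(f"account '{name}' has an empty password")
    for port, proc in exposed_services(ss_text):
        if port not in ALLOWED_PORTS:
            findings.append(f"unnecessary service '{proc}' listening on port {port}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_host(PASSWD, SHADOW, LISTENING):
        print("FAIL:", finding)
```

Note that `cupsd` bound to 127.0.0.1 is not reported: a service reachable only from the host itself is a much smaller exposure than one bound to every interface, which is why the check keys on the bind address and not just the port.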

Personal Firewall
Personal computers connected to the Internet through a dial-up, DSL, or cable modem connection are as vulnerable to attack as corporate networks. Personal firewalls reside on the user's PC and attempt to block inbound attacks against that machine. Unlike appliance-based or server-based firewalls, they are not designed for LAN-wide deployment, and they may block network access if installed alongside other networking clients, services, protocols, or adapters. Vendors of personal firewall software include McAfee, Norton, Symantec, and Zone Labs.

Anti-virus Software
Install host-based anti-virus software to protect against known viruses. Anti-virus software can detect most viruses and many Trojan horse applications and prevent them from spreading across the network. Because detection relies on signatures of known malware, the software is only as good as its last signature update and must be kept current in the same way as the operating system.

Operating System Patches
The most effective way to mitigate a worm and its variants is to patch all vulnerable systems. This is difficult with uncontrolled user systems on the local network, and more troublesome still when those systems connect remotely through a virtual private network (VPN) or remote access server (RAS). Administering many systems usually involves a standard software image that is deployed to new or upgraded systems. Such images rarely contain the latest patches, and continually rebuilding the image to integrate each new patch quickly becomes administratively time-consuming. Pushing patches out to all systems also requires that those systems be reachable over the network, which is not always the case.

One solution for managing critical security patches is a central patch server that every system must check in with at a set interval. Any patch available on the server that has not yet been applied to the host is then downloaded and installed automatically, without user intervention. Determining which devices are actually exploitable can be simplified with security auditing tools that scan hosts for known vulnerabilities, so that patching effort is focused on the systems at risk.
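The check-in model above only works if the patch server can decide correctly which hosts are behind. The following is an added example, not code from the original page: it compares what each host reported as installed against a patch baseline and produces the list of hosts and packages that still need attention. The inventory, package names and version numbers are constructed for the example, and the version-comparison rule (numeric runs compared as integers, letter runs as strings) is an assumption; real package managers have their own, more detailed ordering rules (epochs, release suffixes) and should be asked directly where possible.

```python
import re

# Constructed inventory, standing in for what each host reported at its last
# check-in with the patch server; package names and versions are made up.
INVENTORY = {
    "ws-101":   {"openssl": "1.1.1k", "openssh": "8.2p1", "kernel": "5.4.0-80"},
    "ws-102":   {"openssl": "1.1.1w", "openssh": "8.9p1", "kernel": "5.4.0-150"},
    "srv-mail": {"openssl": "1.1.1w", "openssh": "8.2p1"},   # never reported a kernel version
}

# Assumed baseline: the minimum version at which each package counts as patched.
BASELINE = {"openssl": "1.1.1t", "openssh": "8.9p1", "kernel": "5.4.0-120"}


def version_key(version):
    """Turn '1.1.1k' or '5.4.0-120' into a tuple that compares the way humans
    expect: numeric runs as integers, letter runs as strings, so that
    '1.1.1k' < '1.1.1t' and '5.4.0-80' < '5.4.0-120' (plain string comparison
    gets the second one wrong)."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_patched(installed, required):
    return version_key(installed) >= version_key(required)


def missing_patches(inventory, baseline):
    """Return {host: [package, ...]} for hosts behind the baseline. A package the
    host did not report at all is treated as unpatched rather than ignored."""
    report = {}
    for host, packages in inventory.items():
        behind = [pkg for pkg, required in baseline.items()
                  if packages.get(pkg) is None or not is_patched(packages[pkg], required)]
        if behind:
            report[host] = behind
    return report


if __name__ == "__main__":
    for host, packages in missing_patches(INVENTORY, BASELINE).items():
        print(f"{host}: needs {', '.join(packages)}")
```

Treating a missing report as "unpatched" is deliberate: a host that has not checked in, or whose agent failed to enumerate a package, is exactly the host an auditor should look at rather than silently skip.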

Intrusion Detection and Prevention
Intrusion detection is the ability to detect attacks against a network or host and send logs to a management console. It provides a single defense mechanism:

  • Detection – Identifies malicious attacks on network and host resources.

Intrusion prevention, on the other hand, is the ability to stop attacks against the network, and should provide the following active defense mechanisms:

  • Detection – Identifies malicious attacks on network and host resources.
  • Prevention – Stops the detected attack from executing.
  • Reaction – Immunizes the system against future attacks from the malicious source (for example, by blocking that source).

Either technology can be implemented at the network level, at the host level, or at both for maximum protection.
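The difference between the three mechanisms is easiest to see in code. The following is an added example, not from the original page or any product: a small host sensor that reads sshd log lines and counts failed logins per source address. In "ids" mode it only raises an alert when the threshold is crossed; in "ips" mode it also blocks the source (prevention) and keeps it blocked so that later attempts, even outside the time window, are refused (reaction). The log lines are constructed, all on the same day so only the time of day is parsed, and the threshold and window values are assumptions.

```python
import re
from collections import deque

# Constructed sshd log lines in syslog format; they are not from a real host.
AUTH_LOG = """\
Mar 10 12:00:01 srv sshd[4100]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2
Mar 10 12:00:02 srv sshd[4101]: Failed password for root from 203.0.113.9 port 51001 ssh2
Mar 10 12:00:02 srv sshd[4102]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar 10 12:00:03 srv sshd[4103]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Mar 10 12:00:04 srv sshd[4104]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar 10 12:00:05 srv sshd[4105]: Failed password for root from 203.0.113.9 port 51005 ssh2
Mar 10 12:00:09 srv sshd[4106]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 12:00:15 srv sshd[4107]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 12:05:00 srv sshd[4108]: Failed password for root from 203.0.113.9 port 51006 ssh2
"""

FAILED = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

THRESHOLD = 5   # this many failed logins ...
WINDOW = 10     # ... within this many seconds is treated as a brute-force attack


def seconds_of_day(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


class HostSensor:
    """mode='ids': detect and log only.  mode='ips': detect, block, and remember."""

    def __init__(self, mode):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.failures = {}     # ip -> deque of failure timestamps inside the window
        self.alerts = []       # what would be sent to the management console
        self.blocked = set()   # reaction: sources refused until an operator clears them
        self.outcomes = []     # per-event decision, kept so a run can be inspected

    def process(self, line):
        m = FAILED.match(line)
        if not m:
            return None                      # not a failed login; nothing to do
        ip, t = m.group("ip"), seconds_of_day(m.group("time"))
        if ip in self.blocked:
            outcome = "dropped"              # prevention already in force for this source
        else:
            q = self.failures.setdefault(ip, deque())
            q.append(t)
            while q and t - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= THRESHOLD:
                self.alerts.append(f"brute force from {ip}: {len(q)} failures in {WINDOW}s")
                q.clear()
                if self.mode == "ips":
                    self.blocked.add(ip)     # prevention now, reaction from here on
                    outcome = "blocked"
                else:
                    outcome = "alerted"      # detection only: the log goes out, the attack goes on
            else:
                outcome = "ok"
        self.outcomes.append(outcome)
        return outcome


def run(mode, log_text):
    sensor = HostSensor(mode)
    for line in log_text.splitlines():
        sensor.process(line)
    return sensor


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        s = run(mode, AUTH_LOG)
        print(mode, s.outcomes, s.alerts, sorted(s.blocked))
```

Run both modes over the same log and compare the last event, five minutes after the burst: the IDS sensor sees a fresh window and reports "ok", while the IPS sensor still drops it because the source was remembered. That persistence is the "reaction" mechanism, and it is also why IPS rules need careful tuning: a false positive blocks a legitimate source just as durably.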

Host-based Intrusion Detection Systems
Host-based intrusion technology is implemented as either passive or inline, depending on the vendor. The passive, first-generation technology is host-based intrusion detection (HIDS), which sends logs after the attack has occurred and the damage is done. The inline technology is host-based intrusion prevention (HIPS), which actually stops the attack and prevents damage and the propagation of worms and viruses.

Active detection can be configured to shut down the network connection or stop the affected services automatically, which allows an event to be analyzed and corrective action taken quickly. The trade-off is that a false positive triggers the same automatic response, so blocking rules should be tuned in alert-only mode before they are allowed to act. Cisco provides HIPS through the Cisco Security Agent software.

Current host-based intrusion prevention software requires agent software to be installed on each host, server or desktop, to monitor activity performed on and against that host. The agent performs the intrusion detection analysis and prevention itself, and sends logs and alerts to a centralized management/policy server.

The advantage of HIPS is that it can monitor operating system processes and protect critical system resources, including files that may exist only on that specific host. It can therefore notify network managers when an external process tries to modify a system file in a way that may plant a hidden back door.
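The file-protection side of a host agent is, at its core, a baseline of what critical files should look like and a comparison against it. The following is an added example, not code from the original page or from any vendor agent: it records a SHA-256 digest and permission bits for every file under a directory, then reports what changed. The scenario in `demo()` is constructed in a temporary directory (a tiny fake `/etc`, then the kind of edits a back door installer makes); real agents watch the real system tree and, in prevention mode, would intercept the write rather than report it afterwards.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every file under root as {relative path: (digest, permission bits)}."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(path), os.stat(path).st_mode & 0o7777)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree to its baseline; return sorted (path, change) pairs."""
    current = build_baseline(root)
    changes = []
    for rel, (digest, mode) in baseline.items():
        if rel not in current:
            changes.append((rel, "deleted"))
            continue
        cur_digest, cur_mode = current[rel]
        if cur_digest != digest:
            changes.append((rel, "modified"))
        if cur_mode != mode:
            changes.append((rel, "mode changed"))
    for rel in current:
        if rel not in baseline:
            changes.append((rel, "added"))
    return sorted(changes)


def demo():
    """Constructed scenario: a fake /etc in a temp dir, a baseline, then tampering."""
    root = tempfile.mkdtemp()
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "cron.d"))
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("svc:x:0:0::/:/bin/bash\n")     # a second UID-0 account
        with open(os.path.join(etc, "cron.d", "update"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")      # persistence via cron
        return check_integrity(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, change in demo():
        print(f"ALERT {change}: {path}")
```

The baseline itself is the thing an attacker will target next, so a real agent stores it (or its signature) off the host or on the central management server, which is one reason the agents in the deployment below report to a console rather than keeping everything locally.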

The figure illustrates a typical HIPS deployment. Agents are installed on publicly accessible servers and on the corporate mail and application servers. The agents report events to a central console server (CiscoWorks VMS) located inside the corporate firewall, or can e-mail an administrator.