Host Intrusion Detection Systems
Most organizations build a layered defense that combines NIDS with Host Intrusion
Detection Systems (HIDS). A HIDS keeps a watchful eye on what's happening on
its computing platform, detecting and alerting you to signs of attack like overwriting
or deletion of system files, suspicious processes, and unusual user activity.
Host-resident personal firewall software could be considered one aspect of
HIDS. Products like ZoneLabs ZoneAlarm and Norton Personal Firewall can block
suspicious incoming traffic and stop any process not on the authorized
application list from sending traffic. For example, if a virus overwrites IE
with a trojan horse, products like these can detect that the executable has
been modified and block its network access.
Some HIDS are integrity management systems that repeatedly take cryptographic
snapshots of OS, application, and configuration files. Comparing these snapshots
against known-good reference points can detect attempts to deface a website,
add a new user, change file permissions, and so on. Other HIDS are system activity
monitors that watch for errors or event sequences that might indicate a server
is under attack or being used as a springboard to compromise other systems.
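As an added illustration of the snapshot-and-compare approach these integrity checkers use (example code written for this page, not taken from the article or from any product it lists): a minimal baseline that hashes every regular file and records its permission bits, then reports added, deleted, modified and permission-changed files. The file names and the tampering in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Snapshot {relative path: (sha256 hex, permission bits)} of regular files under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):  # skip links, devices
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, os.stat(path).st_mode & 0o7777)
    return snap

def compare(baseline, current):
    """Diff two snapshots into sorted (finding, path) pairs."""
    # Keep the baseline off-host or read-only: whoever can rewrite it can hide changes.
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append(("added", rel))
        elif rel not in current:
            findings.append(("deleted", rel))
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[rel], current[rel]
            if old_hash != new_hash:
                findings.append(("modified", rel))
            if old_mode != new_mode:
                findings.append(("mode_changed", rel))
    return findings

def demo():
    """Constructed scenario: baseline four files, tamper with them, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data, mode="wb"):
            with open(os.path.join(root, name), mode) as f:
                f.write(data)
        for name, data in {"index.html": b"<h1>Welcome</h1>", "passwd": b"root:x:0:0\n",
                           "app.cfg": b"debug=0\n", "old.log": b"rotated\n"}.items():
            put(name, data)
        baseline = snapshot(root)
        put("index.html", b"<h1>Defaced</h1>")           # web page defaced
        put("passwd", b"eve:x:0:0\n", "ab")             # new user entry appended
        os.chmod(os.path.join(root, "app.cfg"), 0o444)   # permissions changed, content intact
        put("backdoor.sh", b"#!/bin/sh\n")               # unexpected new file
        os.remove(os.path.join(root, "old.log"))         # file deleted
        return compare(baseline, snapshot(root))
```

A real checker would also record owner, size and timestamps, and would read files in chunks rather than whole.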
As with NIDS, there are many different approaches, and some products offer
Host Intrusion Prevention in addition to Host Intrusion Detection. For a complete
solution, you may need to combine several tools, and you should expect to spend
time baselining each protected server. Here is an illustrative, non-exhaustive
sampling of freely-available HIDS tools:
AIDE (Advanced Intrusion Detection Environment) is an open source file integrity
monitor for *NIX systems.
Fcheck is a Perl-based open source tool that uses system snapshots to detect
file system changes (modifications, deletions) on Win32 and *NIX hosts.
FTimes is an open source system baselining tool that can be used in single-system
or client-server modes, and can be compiled on Win32 and most *NIX platforms.
Integrit is a compact open source file system integrity checker for POSIX-compliant
systems.
MD5deep is a checksum-based cross-platform file integrity checker freely available
in Win32 binary and Windows/*NIX open source formats.
OSIRIS is an open source HIDS that detects any change made to file systems by
comparing periodic snapshots. OSIRIS runs on Windows and *NIX hosts.
Samhain is an open source HIDS for *NIX that detects file modification and spots
SUID executables and root kits on Linux and FreeBSD. Events can be consolidated
and viewed through a companion console tool, Beltane.
SWATCH is a Perl-based "watchdog" program that monitors any log file for specified
strings that indicate possible intrusion and takes corresponding action (e.g.,
execute a program, call a pager, e-mail the sysadmin).
Tripwire, a popular system integrity checker, is freely available in open source
and RedHat RPM formats. Tripwire sells commercial products for other *NIX and
Win32 platforms.