Title: Which pc firewall or hips to use
Post by: hack_newbie on January 18, 2012, 09:36:07 AM

Hi all,

I just need your guys' opinion about HIPS and PC firewalls. We have some servers (Windows 2003 and 2008) that we need to further protect with either or both of the above-mentioned systems. This is just a recommendation from our IS dept. and we need to give them a reliable demo to see if this actually works. Basically the point is, our servers may (and in most cases will) run vulnerable services, but we need to place some sort of PC-based security solution that can stop malicious attempts. I know the requirement is a bit vague, but when I searched the internet there were a few PC-based firewalls but I found very little information on any famous HIPS. But since we need to monitor application behaviour (like HTTP, SQL etc.) we need some sort of application-level monitoring for malicious packets, and the biggest requirement of all, we need to customize or even create our own rules/signatures to prevent attacks. Now I know of Snort, sorry for my 2 stupid questions: 1) can it prevent attacks also? 2) can it be used ideally as HIPS? Anyone has any suggestions for any powerful host-based security solutions, almost impenetrable :-)

Title: Re: Which pc firewall or hips to use
Post by: tturner on January 18, 2012, 09:57:41 AM

You can run Snort inline to function as a NIPS, but it's network based, not host based.

The issue with HIPS is that they are notoriously difficult to tune, very time consuming. I usually recommend something like Tripwire or OSSEC on sensitive assets or systems that have trust relationships with sensitive assets, but not as a global control due to the time required in configuration and tuning. I get better mileage usually from network-based solutions. Honestly I rarely run host-based firewalls at all on servers; I usually use them primarily for desktops and especially for laptops. The issue on servers has more to do with team dynamics, with server team and security team conflicts over blame. I have a tendency to create security zones with network firewalls and place servers within those zones. When I do run host-based firewalls I tend to use the built-in tools, iptables, Windows Firewall, etc. On the Windows front I do this largely because it's easier to manage with things like GPO. The only notable exception to this is I used to run a large installation base (20,000+ clients) of Trend Micro OfficeScan and I did enable host-based firewall functionality in the suite, but that was primarily for quarantine groups for fast and easy isolation of infected machines, and then rules to block inbound on laptops when not connected to the domain. (No split tunneling on VPN either.)

Title: Re: Which pc firewall or hips to use
Post by: 3xban on January 18, 2012, 11:35:11 AM

For 2008 servers you can utilize the Windows Firewall with IPSEC rules. It is manageable via GPO/IPSEC policies. You can also evaluate the options you have for AV. If you run Symantec Endpoint it has firewall and IPS features which work pretty well so long as they are configured properly. You can run them both in a logging-only mode so you can assess what ports will be required to open and what applications will be allowed in and out. It is centrally managed, so creating separate policies for different sets of servers is possible.

For 2003 servers I would stick with something similar to the SEP option, since the 2003 Windows Firewall and IPSEC support is nowhere near as robust as the 2008. Remember though, any host-based solution will put additional performance load on the server, so the box should be configured accordingly (RAM/CPU/HDD). There is nothing wrong with going to a network-based solution either. It might cost you a bit more, but at least the servers won't take a hit in performance. Pop the servers on their own VLAN or physical LAN and firewall it off. Utilize a firewall that has some IPS capability to get the most bang for the buck. The IPS of choice (NIPS or HIPS) should be tested in a logging mode so a proper baseline can be set. Once you know what valid traffic looks like, then it's time to tweak the rules accordingly, log the activity and then look at working with a report card of sorts. Any changes made to the infrastructure should always be logged and a report card completed. Once all activity has been confirmed, it's time to turn on the IPS to block possible attacks. Again, set a baseline and tweak. Don't forget to turn off definitions that don't apply to your environment. If you don't run Oracle DBs, don't monitor for attacks related to Oracle databases. And so on... Good luck!

Title: Re: Which pc firewall or hips to use
Post by: hack_newbie on January 18, 2012, 12:03:12 PM

Dear Sir,

Thanks for both wonderful replies, I really can't thank you enough, since hearing from experts and their opinions is always worthwhile. There are 2 things I want to ask, one of them being OT. 1) Sir, I was thinking that if we can tune our HIPS properly (I know, time consuming) then it can turn a vulnerable server into an impenetrable machine. Is this practically possible? 2) The second may seem OT but it's basically related to the above. If proper measures are taken, can we say practically that the desktop machine is now secure? Or will the chance that it can be hacked always be there?

Title: Re: Which pc firewall or hips to use
Post by: 3xban on January 18, 2012, 12:16:07 PM

Never promise something is 100% secure. There is always a way through something. If someone wants the information badly enough, they will get it. All you can promise is that you will do your best to prevent this from happening or will at least be able to determine who/what/where/when/how.

The popular phrase out in the InfoSec world is "there are two types of companies out there... those who have been breached and those who know they've been breached..." Get it? At best we can try to put as many obstacles in the way of an attacker to either delay them from attaining their goal or frustrate the crap out of them so that they will give up and go elsewhere. Though most likely the latter won't occur, since they are being paid well to get said information. Too many execs and non-technical folks believe that the shiny boxes with blinking lights make their network impervious to attacks. All you need to do to prove otherwise is mention RSA and EMC. :D

Title: Re: Which pc firewall or hips to use
Post by: SephStorm on January 21, 2012, 12:00:40 PM

My knowledge and experience pales in comparison to these individuals; I just would say avoid McAfee HIPS at all costs. If you can, avoid McAfee at all costs.
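3xban's advice above (run the firewall in a logging-only mode first, work out which ports and sources are legitimately used, and only then write the allow rules) is the step people most often skip. Here is an added example of that baseline step; it is not code from any poster in this thread. It parses lines in the W3C-style format that Windows Firewall writes to pfirewall.log, tallies inbound connections per protocol/port and source, and drafts `netsh advfirewall` allow rules only for ports whose sources all fall inside a trusted range and that were seen more than once; everything else is pushed to a review list instead of being silently allowed. The log lines, IP addresses, the trusted range and the `min_hits` threshold are constructed for the example.

```python
"""Build an inbound-traffic baseline from Windows Firewall (pfirewall.log) lines
and draft explicit allow rules from it.

Added example for the forum thread; not a poster's code.  The log lines, IPs
and the trusted network below are constructed for illustration.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample in the pfirewall.log layout: a #Fields header followed by
# one whitespace-separated record per connection (17 columns).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-01-18 09:36:07 ALLOW TCP 10.0.1.20 10.0.0.10 49152 445 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:36:09 ALLOW TCP 10.0.1.21 10.0.0.10 49153 445 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:36:11 ALLOW TCP 10.0.1.20 10.0.0.10 49154 445 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:37:02 ALLOW TCP 10.0.2.15 10.0.0.10 51000 1433 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:37:05 ALLOW TCP 10.0.2.16 10.0.0.10 51001 1433 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:37:40 ALLOW TCP 10.0.2.15 10.0.0.10 51002 1433 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:38:00 ALLOW TCP 10.0.1.20 10.0.0.10 49160 3389 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:38:30 ALLOW TCP 203.0.113.9 10.0.0.10 40000 1433 0 - 0 0 0 - - - RECEIVE
2012-01-18 09:39:30 DROP TCP 198.51.100.7 10.0.0.10 33000 23 0 - 0 0 0 - - - RECEIVE
"""

# Assumption for the example: everything in 10.0.0.0/8 is our internal space.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn pfirewall.log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip it rather than guess at columns
        records.append(dict(zip(fields, parts)))
    return records


def inbound_baseline(records):
    """{(proto, dst_port): Counter(src_ip -> hits)} for allowed inbound TCP/UDP.

    Only ALLOW/RECEIVE records count: DROP lines were already blocked and must
    not end up in an allow list just because they appear in the log.
    """
    baseline = defaultdict(Counter)
    for r in records:
        if r["action"] != "ALLOW" or r["path"] != "RECEIVE":
            continue
        if r["protocol"] not in ("TCP", "UDP"):
            continue
        baseline[(r["protocol"], int(r["dst-port"]))][r["src-ip"]] += 1
    return baseline


def draft_rules(baseline, trusted_nets=TRUSTED_NETS, min_hits=2):
    """Return (rules, review).

    rules  : netsh commands for ports seen only from trusted networks and at
             least min_hits times, restricted to the exact source hosts seen.
    review : ports a human must look at before anything is allowed.
    """
    rules, review = [], []
    for (proto, port), srcs in sorted(baseline.items()):
        untrusted = sorted(
            ip for ip in srcs
            if not any(ipaddress.ip_address(ip) in net for net in trusted_nets)
        )
        total = sum(srcs.values())
        if untrusted:
            review.append(f"{proto}/{port}: hits from outside trusted space {untrusted}")
            continue
        if total < min_hits:
            review.append(f"{proto}/{port}: only {total} hit(s), confirm before allowing")
            continue
        remote = ",".join(sorted(srcs))
        rules.append(
            f'netsh advfirewall firewall add rule name="Baseline {proto} {port}" '
            f"dir=in action=allow protocol={proto} localport={port} remoteip={remote}"
        )
    return rules, review


if __name__ == "__main__":
    rules, review = draft_rules(inbound_baseline(parse_log(SAMPLE_LOG)))
    print("Proposed rules:")
    for r in rules:
        print("  " + r)
    print("Needs review:")
    for r in review:
        print("  " + r)
```

On the sample, only TCP/445 from the two file-server clients becomes a rule; TCP/1433 is held back because one hit came from 203.0.113.9 outside the trusted range (exactly the kind of thing a baseline should surface before you allow it), and TCP/3389 is held back because a single connection is not enough evidence that it is routine. On Server 2008 the log this reads is enabled per profile with `netsh advfirewall set allprofiles logging allowedconnections enable` and `... logging droppedconnections enable`, and lands by default in `%systemroot%\system32\LogFiles\Firewall\pfirewall.log`; the time window you collect over should cover a full business cycle (month-end batch jobs, backups) or the baseline will be missing legitimate traffic.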