Host-based IPS protects endpoints

As network threats continue to grow in number and sophistication, a new technology offers an additional layer of protection. Host-based intrusion-prevention system (HIPS) technology protects endpoints behind the network perimeter. It combats infections and attacks at the device and server level of a network, providing a layered approach that complements investments in network-based IPS without relying on signatures that require near-constant updates.
HIPS technology is extremely accurate. It works by enforcing the Application Binary Interface (ABI), a set of basic software conventions that never changes. The ABI sits one step beyond the application programming interface (API): it defines the API plus the machine language for a particular CPU family. Because these conventions are universal among compiled applications, it is nearly impossible to hijack an application without violating the ABI.
HIPS deployments generally involve two components: a set of agents and a management and reporting interface. Installed on servers, HIPS agents are designed to run indefinitely with little or no administrative overhead, and they prevent malicious code that enters a machine from being executed without needing a check against threat signatures.
In practice, agents continually verify the validity of application instructions by checking their origin, which prevents injected code from being executed. They also catch malicious code masquerading as user data. In addition, they check program control flow to ensure that every control transfer conforms to the ABI. This prevents applications from being tricked into handing over control to externally injected code. It also catches code-reuse attacks, which are emerging as the next generation of advanced attack techniques worrying security professionals.
The HIPS management and reporting interface enables thousands of agents to be deployed, managed and upgraded across an enterprise network. The interface, which is often Web-based to provide universal accessibility, allows network and security staff to perform configuration changes, monitor alerts and view reports. Many interfaces notify security professionals of issues by SMTP (e-mail) or other alert channels. The interface is also key for analyzing trend reports, assigning users and roles according to policy, and maintaining a comprehensive audit trail.
A HIPS deployment could have blocked the threat of the Sasser worm. The worm exploited a memory flaw in Microsoft operating systems and caused billions of dollars of damage worldwide. The previously unknown Sasser code passed undetected through unpatched firewalls and reached unprotected servers. As the code entered the memory of an unprotected server, it immediately triggered a buffer overflow that gave a remote host system-level control of that server, enabling further attacks from within the enterprise network.
In contrast, on a protected server the HIPS agent examines the Sasser code as it enters the server's memory. The agent's real-time check reveals the buffer-overflow mechanism, a process that violates the ABI. It immediately stops the code from executing without affecting the server's performance, and notifies the management component that an attack is under way so that network and security staff can begin remediation.
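As an added illustration of the origin and control-transfer checks described above (example code written for this page, not any vendor's agent), the following toy Python model uses a constructed process map and symbol table: a transfer into a region that is not executable and file-backed is flagged as injected code (the stack-resident payload of a Sasser-style overflow), and a call, jump or return to an address that is not a function entry or a genuine call-return site is flagged as code reuse.

```python
"""Toy model of the ABI-conformance checks a HIPS agent applies to control
transfers. Addresses, regions and symbol tables below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int            # exclusive
    executable: bool
    file_backed: bool   # mapped from an on-disk module image

# Constructed process map: a module's .text plus writable, non-executable heap and stack.
REGIONS = [
    Region("app.text", 0x401000, 0x405000, executable=True, file_backed=True),
    Region("heap", 0x600000, 0x700000, executable=False, file_backed=False),
    Region("stack", 0x7FFC0000, 0x7FFF0000, executable=False, file_backed=False),
]
# Constructed symbol data: legitimate function entries, and the return
# addresses that directly follow each call instruction in app.text.
FUNCTION_ENTRIES = {0x401000, 0x401230, 0x4018A0}
RETURN_SITES = {0x401045, 0x4012F7}

def region_of(addr):
    return next((r for r in REGIONS if r.start <= addr < r.end), None)

def check_transfer(kind, target):
    """kind is 'call', 'jmp' or 'ret'. Returns 'ok' or a violation label."""
    region = region_of(target)
    # Origin check: executable code must come from a file-backed module image,
    # so a transfer into the stack, heap or an unmapped page is injected code.
    if region is None or not region.executable or not region.file_backed:
        where = region.name if region else "unmapped"
        return f"injected-code: {kind} into {where} at {target:#x}"
    # Control-transfer checks: calls and jumps must land on a function entry,
    # and returns must land just after a genuine call site (catches ROP-style reuse).
    if kind in ("call", "jmp") and target not in FUNCTION_ENTRIES:
        return f"code-reuse: {kind} to mid-function address {target:#x}"
    if kind == "ret" and target not in RETURN_SITES:
        return f"code-reuse: ret to non-call-site address {target:#x}"
    return "ok"

def audit(trace):
    """Walk a sequence of (kind, target) transfers; return the first violation or 'ok'."""
    for kind, target in trace:
        verdict = check_transfer(kind, target)
        if verdict != "ok":
            return verdict
    return "ok"
```

A real agent derives the map and symbol data from the loader and the module images rather than hard-coded tables; the verdict strings are what would be raised to the management component as an alert.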
Article source: 领测软件测试网 https://www.ltesting.net/