
Intrusion Defense Firewall

Available as a Plug-In for OfficeScan™ 8

Network-Level HIPS at the Endpoint

A Trend Micro White Paper | October 2008




Mobile computers that connect directly to the Internet outside of a company’s firewall can introduce risk into the corporate network and thus require a higher level of security to protect against network intrusions. Host intrusion defense systems combine intrusion detection and prevention capabilities, and run on the host itself.

There are two main approaches to host intrusion defense: 1) system execution control; or 2) a network approach. The network approach offers several advantages: it blocks malicious code before it reaches the host, it targets potential vulnerabilities as well as known exploits, and it provides proactive, vulnerability-facing network inspection.

Using multiple techniques to filter both inbound and outbound traffic ensures optimal efficiency and effectiveness. This blended approach includes deep packet inspection, exploit and vulnerability filters, and custom filters to protect custom applications. A tunable, flexible solution ensures delivery of business-critical communications while protecting against unwanted network traffic.

This white paper examines a blended approach to host intrusion defense in search of optimal security combined with an ideal balance between flexibility, control, and ease of management. Specific examples highlight the benefits and pitfalls of the many different filtering techniques.


Host intrusion defense systems combine intrusion detection and prevention capabilities, and run on the host itself. They complement existing network security mechanisms, acting as another layer of protection against attacks that now routinely bypass or penetrate perimeter defenses, and target vulnerabilities in software on the host.

Although there are many different host intrusion defense systems available to enterprises, there are two main styles or approaches. These two approaches are fundamentally different but share the same objective of keeping malware off the host. The challenge for any system is to achieve a high degree of accuracy by minimizing the number of false positives (blocking good data) and false negatives (allowing bad data). There is a certain amount of tuning that is necessary to make sure the system is operating optimally.

Style 1: System Execution Control

System execution control is often referred to as a behavior-based approach. These systems learn what the “normal behavior” is for a host, and then they can identify and block strange or anomalous behavior.

Typically, this approach uses techniques such as system call interception, which monitors the interaction between application software and the operating system. Most first-generation host intrusion detection and prevention systems (IDS/IPS) tend to use the system execution control approach.

1 White Paper | Intrusion Defense Firewall



The advantage of this approach is that it provides a broad protection umbrella that covers any operational anomaly. These systems can, for example, protect more than just the network interface and can cover attacks launched from portable storage devices and the keyboard. System execution control systems, by design, also do not need signature updates since they provide zero-day protection once they are trained on “normal” behavior.

The disadvantage of system execution control systems is that they have relatively high care and feeding requirements. Each host must be trained to establish the rule set and continuously be retrained as software (including operating systems and enterprise and web applications) is updated. Another maintenance issue is the removal of malicious code. Even though malicious code might have been blocked from executing, the infected machine still needs to be cleaned.

Style 2: Network Approach

A different approach to solving the same problem is the data network style. This approach uses traditional, proven network perimeter defenses such as firewall, IDS and IPS, but applies them at the network layer on the host. The enforcement point is typically kernel mode based. Although this approach has a smaller coverage umbrella compared to system execution control, it does cover the network interface, which is the attack vector of greatest concern, especially with today’s increase in blended web threats. In many cases, especially with mobile laptops, it is the highest priority concern.

In contrast to system execution control, the network approach is also more proactive: it stops malicious code before it gets on the host. It can, however, be challenging to understand the packet stream in enough detail to make accurate decisions on whether the data should be allowed or blocked. Instead of training, these systems are tuned with rule updates to control the blocking. These rules and signatures are different from the malware signatures used by Trend Micro’s virus and spyware scan engines: they are proactive because they cover the vulnerability rather than individual exploits.


There are many trade-offs in determining the defense approach that is not only appropriate for your environment, but also for the risks and threats you face. The two main business drivers for host intrusion defense are, however, quite universal: 1) to protect particularly exposed endpoints; and 2) to provide protection until you can patch vulnerabilities. This is becoming more and more urgent in today’s world of fast moving attacks that hit before patches, assuming they’re available, can be downloaded, tested, and deployed. The bulk of malicious code and targeted attacks now occur soon after a software vulnerability becomes known. The vendor’s announcement of the patch update itself may start the race. You have to shield or patch as soon as possible. The vulnerability-shielding aspect of host intrusion defense offers immediate value since the shields can be updated without a system re-boot or the extensive testing required by a bundled patch update.




In short, a network approach to host intrusion defense with vulnerability-facing signature updates is an effective, proactive solution. Just having this host intrusion defense agent on exposed endpoints or on endpoints regularly handling compliance-relevant data can make your audit compliance negotiations much simpler. Logs that show blocking of specific attacks on critical and vulnerable applications are a fundamental part of demonstrating that your operations are secure, and they help justify the investment in host intrusion defense.


The Trend Micro™ Intrusion Defense Firewall plug-in for OfficeScan™ Client/Server Edition 8.0 is an advanced host intrusion defense system that uses multiple techniques to filter malware from the incoming and outgoing traffic stream (figure 1). It is the blending of multiple filters that offers an extremely efficient and broad range of protection against malware. The layered approach can be compared to sifting gravel through a series of increasingly finer grained screens. You don’t start with the fine screen because it would immediately get clogged up with larger stones.

[Figure 1: the six filtering steps applied in sequence to the traffic stream]




Step 1—Stateful Firewall

A stateful inspection packet filtering firewall allows traffic that is known to be good, and blocks everything else. This step dramatically reduces the attack surface area, as all ports are closed by default, and the firewall rules open up the specific ports required by the applications on the host.

Step 2—Deep Packet Inspection

Next, the traffic that passes the firewall is examined with deep packet inspection technology that looks for patterns in the payload. Each byte of the packet is examined just once to minimize performance impact, and the rule sets that control deep packet inspection filtering (Steps 3 through 6) are applied in parallel. Although these steps execute in parallel, they follow the logical order shown in figure 1.

Step 3—Exploit Filters

Here, known malware is efficiently detected and filtered out with exploit filters that use signatures for individual exploits that are well-known and widespread. This is similar to antivirus signature updates. A long list of specific malware signatures is not required; only the most widespread (“high runner”) exploits get their own filter. In addition to efficiency in detection, this allows very specific reporting in the logs, since the originating IP address and the specific exploit can be recorded.

Step 4—Vulnerability Filters

Vulnerability-facing filters have the greatest business benefit, as one filter will shield a particular vulnerability from an unlimited number of exploits. It may turn out that a new exploit can evade a current vulnerability signature, but if that ever happens, an updated exploit filter or vulnerability filter can be deployed. The update mechanism allows revised or new filters to be pushed out automatically whenever necessary.

Step 5—Smart Filters

Smart filters provide enterprises with the ability to enforce corporate network policies for the use of certain applications. For example, administrators can control whether Instant Messaging applications are allowed, and if so, designate which Instant Messaging clients are supported. Administrators can also use smart filters to block peer-to-peer applications such as Skype and BitTorrent, and media streaming applications such as YouTube. In addition, smart filters can help determine which browsers—such as Internet Explorer, Safari, Firefox, and Opera—are supported in the enterprise. Mitigating actions include dropping the connection or selectively blocking or even modifying offending bytes in the packet.

Step 6—Custom Filters

Custom filters can be developed to provide additional protection for specific protocols, and for custom and legacy applications. They can also be designed to log application security events. Unlike behavior-based systems, which often have a closed design that does not allow for customization, the Intrusion Defense Firewall’s open design allows third parties and customers to create their own custom filters.





All intrusion defense systems need to be tuned for optimal operation in order to reduce false negatives and false positives. The firewall blocks a lot of traffic, but opening the door for port 80, for example, results in false negatives, as malware embedded in HTTP traffic now gets a free ride into the network. Custom filters that are designed to lock down one particular application, on the other hand, can result in false positives: as the controls are tightened to allow only specifically formatted data, there is little chance of missing exploit code but a greater chance of rejecting good data. Exploit filters that stop a particular exploit specimen and vulnerability filters that shield a known vulnerability offer a good balance between the two error types.

The trade-off between false positives and false negatives also tracks the order in figure 1. As we move from Step 1 to Step 6, the chances of a false positive increase. As we move back from Step 6 to Step 1, the chances of a false negative increase. This again illustrates the importance of, and flexibility in, tuning. Using the right mix of filters is the secret to finding the optimal balance point.
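The following is an added example, not Trend Micro’s code, that models the six filtering steps above as one ordered chain and then measures the false-positive/false-negative trade-off just described by running the chain over labelled sample traffic at two strictness levels of the custom filter (Step 6). The allowed ports, the exploit signature, the hypothetical overlong-Host-header vulnerability, the in-house “records” application and every traffic sample are constructed for illustration; only the BitTorrent handshake prefix used by the smart filter is a real protocol constant.

```python
"""Layered host filter pipeline with a false-positive / false-negative check.

Added example, not Trend Micro's code. Steps 1-6 of figure 1 run in order over a
constructed packet; evaluate() then scores the chain against labelled samples.
All ports, signatures, message formats and traffic samples are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str     # "in" or "out"
    dst_port: int
    payload: bytes
    app: str = "http"  # which host application owns the port (assumed label)


@dataclass
class Verdict:
    action: str        # "allow" or "block"
    stage: str         # which step decided
    reason: str = ""


# Step 1: stateful firewall - every port is closed unless an application needs it
ALLOWED_PORTS = {80, 443}
# Step 3: exploit filter - one signature per well-known specimen (constructed marker)
EXPLOIT_SIGNATURES = [b"/cgi-bin/exploit-marker.cgi?cmd="]
# Step 4: vulnerability filter - shields a hypothetical overlong-Host-header bug,
#         whatever bytes a particular exploit chooses to send
MAX_HOST_HEADER = 255
# Step 5: smart filter - application policy; 0x13 "BitTorrent protocol" is the real
#         peer-wire handshake prefix
SMART_BLOCKLIST = {b"\x13BitTorrent protocol": "bittorrent"}
# Step 6: custom filter for a constructed in-house "records" application;
#         "strict" admits exactly one request shape, "loose" any /api/ request
CUSTOM_REQUEST = {
    "loose": re.compile(rb"^[A-Z]+ /api/\S* HTTP/1\.[01]\r\n"),
    "strict": re.compile(rb"^GET /api/v1/records/\d{1,6} HTTP/1\.1\r\n"),
}


def host_header(payload: bytes) -> bytes:
    m = re.search(rb"\r\nHost:[ \t]*([^\r\n]*)", payload)
    return m.group(1) if m else b""


def inspect(pkt: Packet, strictness: str = "loose") -> Verdict:
    """Run the packet through Steps 1-6 in order; the first decisive stage wins."""
    if pkt.dst_port not in ALLOWED_PORTS:                        # Step 1
        return Verdict("block", "firewall", f"port {pkt.dst_port} closed")
    payload = pkt.payload                                         # Step 2: one pass over
    for sig in EXPLOIT_SIGNATURES:                                # the bytes, shared by 3-6
        if sig in payload:                                        # Step 3
            return Verdict("block", "exploit", sig.decode())
    if len(host_header(payload)) > MAX_HOST_HEADER:               # Step 4
        return Verdict("block", "vulnerability", "overlong Host header")
    for magic, name in SMART_BLOCKLIST.items():                   # Step 5
        if payload.startswith(magic):
            return Verdict("block", "smart", f"{name} not permitted")
    if pkt.app == "records" and not CUSTOM_REQUEST[strictness].match(payload):
        return Verdict("block", "custom", "request shape not allowed")  # Step 6
    return Verdict("allow", "none")


def http(path: bytes, method: bytes = b"GET", host: bytes = b"records.example") -> bytes:
    return method + b" " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


# Constructed, labelled traffic: (packet, should_be_blocked)
SAMPLES = [
    (Packet("in", 23, b"root\r\n", "telnet"), True),                        # closed port
    (Packet("in", 80, http(b"/cgi-bin/exploit-marker.cgi?cmd=id")), True),   # known specimen
    (Packet("in", 80, http(b"/", host=b"A" * 300)), True),                   # hits the shielded bug
    (Packet("in", 80, b"\x13BitTorrent protocol" + b"\x00" * 8, "p2p"), True),
    (Packet("in", 443, http(b"/api/v1/records/42"), "records"), False),
    (Packet("in", 443, http(b"/api/v1/records/42/export", b"POST"), "records"), False),
    (Packet("in", 443, http(b"/api/v1/records/42-CONSTRUCTED-BAD-ID"), "records"), True),
]


def evaluate(samples, strictness: str):
    """Return (false_positives, false_negatives) for the chain at this strictness."""
    fp = fn = 0
    for pkt, should_block in samples:
        blocked = inspect(pkt, strictness).action == "block"
        fp += blocked and not should_block
        fn += should_block and not blocked
    return fp, fn


if __name__ == "__main__":
    for level in ("loose", "strict"):
        print(level, "false positives / false negatives =", evaluate(SAMPLES, level))
```

The first four samples never reach Step 6: the closed port, the exploit signature, the overlong Host header and the peer-to-peer handshake are each caught by the coarser stage that is cheapest to evaluate. Only the custom filter’s strictness changes the score: “loose” lets the malformed record request through (one false negative), while “strict” rejects the legitimate but unusual export request (one false positive), which is the Step 1 to Step 6 movement the paragraph above describes.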

The Intrusion Defense Firewall is bi-directional; it allows different rules to be applied to data entering or leaving the endpoint. This allows you to deal with both incoming attacks and outbound compliance issues.

For example, in an e-health patient record application, a custom rule could block a specific message type containing personal information from leaving the endpoint if it is not encrypted. In normal operation these messages should be encrypted, but a configuration problem on a backend system might allow this data to go out unencrypted to anywhere on the Internet, instead of being encrypted for only a select set of trusted endpoints.

The Intrusion Defense Firewall plug-in for OfficeScan is unique in that it not only can allow or block data, it can also modify data. Data modification rules are used sparingly, but they can be quite effective in neutralizing potentially malicious code without taking down the session and creating a false positive. One example of a simple data modification rule is to alter the response to banner scans. This can deflect some automated attacks that are looking for the signature of a particular system. The operation and flexibility of the different filter types are explained in more detail, with examples, in the next section.
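Added example, not Trend Micro’s code, showing the two behaviours from the last three paragraphs in one direction-aware rule set: an outbound compliance rule for a hypothetical e-health application that blocks a patient-record message unless it is encrypted and bound for a trusted backend, and an outbound data-modification rule that rewrites the Server banner of an HTTP response instead of dropping the session. The message framing (a “PATIENT-RECORD” tag followed by an “enc: yes/no” line), the trusted peer addresses and all sample packets are constructed for illustration.

```python
"""Direction-aware rules with allow / block / modify actions (added example).

Not Trend Micro's code. The record framing, trusted peers and samples are
constructed; the point is that the same bytes get different treatment
depending on direction, and that "modify" keeps the session alive.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "in" or "out" relative to the endpoint
    peer_ip: str     # remote address (destination for "out", source for "in")
    payload: bytes


@dataclass
class Verdict:
    action: str      # "allow", "block" or "modify"
    reason: str
    payload: bytes   # bytes that actually go on the wire ("modify" rewrites them)


# Constructed policy for the hypothetical e-health application
RECORD_TAG = b"PATIENT-RECORD\n"
TRUSTED_PEERS = {"10.20.0.5", "10.20.0.6"}     # backends allowed to receive records
ENCRYPTED_LINE = re.compile(rb"\nenc: yes\n")  # second line of the constructed framing
# Banner rewrite: match only the Server header line of an HTTP response
SERVER_HEADER = re.compile(rb"(?m)^Server:[^\r\n]*")
GENERIC_BANNER = b"Server: web"


def is_record(payload: bytes) -> bool:
    return payload.startswith(RECORD_TAG)


def is_encrypted(payload: bytes) -> bool:
    return ENCRYPTED_LINE.search(payload) is not None


def apply_rules(pkt: Packet) -> Verdict:
    if pkt.direction == "out":
        # Outbound compliance: a record may leave only encrypted and only to a trusted peer
        if is_record(pkt.payload):
            if not is_encrypted(pkt.payload):
                return Verdict("block", "unencrypted patient record leaving endpoint", b"")
            if pkt.peer_ip not in TRUSTED_PEERS:
                return Verdict("block", f"patient record to untrusted peer {pkt.peer_ip}", b"")
        # Outbound data modification: neutralise banner scans without dropping the session
        if pkt.payload.startswith(b"HTTP/1.") and SERVER_HEADER.search(pkt.payload):
            rewritten = SERVER_HEADER.sub(GENERIC_BANNER, pkt.payload, count=1)
            return Verdict("modify", "server banner replaced", rewritten)
    # Inbound traffic has its own rules; the record rule above does not apply, so a
    # record arriving from a backend is not mistaken for a leak
    return Verdict("allow", "", pkt.payload)


# Constructed sample traffic
PLAIN_RECORD = RECORD_TAG + b"enc: no\nname=Jane Doe;dob=1970-01-01\n"
CIPHER_RECORD = RECORD_TAG + b"enc: yes\n\x8a\x1f\x02\xd4\x77\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/2.4.1 (Win32)\r\n"
            b"Content-Length: 2\r\n\r\nok")

SAMPLES = [
    Packet("out", "10.20.0.5", PLAIN_RECORD),     # leaves in the clear -> block
    Packet("out", "10.20.0.5", CIPHER_RECORD),    # encrypted to trusted backend -> allow
    Packet("out", "203.0.113.9", CIPHER_RECORD),  # encrypted but wrong peer -> block
    Packet("in", "10.20.0.5", PLAIN_RECORD),      # same bytes inbound -> allow
    Packet("out", "203.0.113.9", RESPONSE),       # reply to a banner scan -> modify
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        v = apply_rules(pkt)
        print(pkt.direction, pkt.peer_ip, v.action, v.reason)
```

The modify verdict carries the rewritten bytes rather than a drop decision, so the client still receives a complete, well-formed response and no legitimate session is interrupted; a scanner fingerprinting by banner simply sees a generic one.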





Firewall

There are two important considerations when implementing a host-based firewall: 1) having comprehensive controls over inbound and outbound traffic; and 2) making it manageable.

By controlling which traffic is allowed to access and leave a host, the attack surface of the host is minimized.

Implementing this with a relatively small rule set is essential to reducing management overhead and the chance of configuration errors. The Intrusion Defense Firewall rules employ an object re-use paradigm for rule construction, which allows the rule set to be compact. Restrictions on source and destination MAC and IP addresses can be used to ensure traffic is only coming from trusted hosts.
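Added example, not Trend Micro’s code, of the object re-use idea described above: address lists, port lists and MAC lists are defined once as named objects and referenced from a rule list that stays short, the policy is default-deny, and the firewall remembers outbound connections it allowed so that replies get in without a separate inbound rule. The network ranges, MAC addresses, rules and flows are constructed for illustration.

```python
"""Compact host firewall rules built from reusable objects, with connection state.

Added example, not Trend Micro's code. All addresses, MACs and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Reusable objects (constructed values); a change here updates every rule that uses them
IP_LISTS = {
    "corp-lan": [ip_network("10.0.0.0/8")],
    "mgmt-servers": [ip_network("10.0.0.10/32"), ip_network("10.0.0.11/32")],
}
PORT_LISTS = {"web": {80, 443}, "remote-admin": {3389}}
MAC_LISTS = {"mgmt-gateway": {"00:11:22:33:44:55"}}


def in_ip_list(addr: str, name: str) -> bool:
    return any(ip_address(addr) in net for net in IP_LISTS[name])


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    action: str                      # "allow" or "deny"
    src_ip: Optional[str] = None     # names of the objects above; None means "any"
    src_mac: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if (self.direction, self.proto) != (f.direction, f.proto):
            return False
        if self.src_ip and not in_ip_list(f.src_ip, self.src_ip):
            return False
        if self.dst_ip and not in_ip_list(f.dst_ip, self.dst_ip):
            return False
        if self.src_mac and f.src_mac not in MAC_LISTS[self.src_mac]:
            return False
        if self.dst_port and f.dst_port not in PORT_LISTS[self.dst_port]:
            return False
        return True


# Three rules cover the whole policy; everything else is denied by default
RULES = [
    Rule("in", "tcp", "allow", src_ip="corp-lan", dst_port="web"),
    Rule("in", "tcp", "allow", src_ip="mgmt-servers", src_mac="mgmt-gateway",
         dst_port="remote-admin"),
    Rule("out", "tcp", "allow", dst_port="web"),
]


class HostFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # (proto, remote_ip, remote_port, local_port)

    def check(self, f: Flow) -> str:
        # Replies to connections this host opened are allowed by state, not by rule
        if f.direction == "in" and (f.proto, f.src_ip, f.src_port, f.dst_port) in self.established:
            return "allow (established)"
        for rule in self.rules:          # first match wins
            if rule.matches(f):
                if rule.action == "allow" and f.direction == "out":
                    self.established.add((f.proto, f.dst_ip, f.dst_port, f.src_port))
                return rule.action
        return "deny (default)"


def demo() -> list:
    """Run constructed flows through the policy and return the verdicts in order."""
    fw = HostFirewall(RULES)
    host_mac, host_ip = "aa:bb:cc:dd:ee:ff", "10.5.1.20"
    flows = [
        Flow("in", "tcp", "02:00:00:00:00:01", "10.1.2.3", 51000, host_ip, 443),      # LAN -> web
        Flow("in", "tcp", "02:00:00:00:00:02", "198.51.100.7", 51001, host_ip, 443),  # Internet -> web
        Flow("in", "tcp", "02:00:00:00:00:03", "10.0.0.10", 51002, host_ip, 3389),    # right IP, wrong MAC
        Flow("in", "tcp", "00:11:22:33:44:55", "10.0.0.10", 51003, host_ip, 3389),    # right IP and MAC
        Flow("out", "tcp", host_mac, host_ip, 50000, "203.0.113.5", 443),             # host opens HTTPS
        Flow("in", "tcp", "02:00:00:00:00:04", "203.0.113.5", 443, host_ip, 50000),   # reply to it
        Flow("in", "tcp", "02:00:00:00:00:04", "203.0.113.5", 443, host_ip, 50001),   # not a reply
        Flow("out", "tcp", host_mac, host_ip, 50002, "203.0.113.5", 25),              # SMTP out
    ]
    return [fw.check(f) for f in flows]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Adding a management server means editing one entry in “mgmt-servers”, not every rule that mentions it, which is where the reduction in configuration errors comes from; the MAC restriction on the remote-admin rule shows the source-MAC check working alongside the IP check, so a matching IP from an unexpected link-layer source is still denied.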
