Guide to Host-based Intrusion Prevention Systems
Is a HIPS the Best PC Antivirus for Internet Security Protection?
Sep 21, 2009
A Host Intrusion Prevention System (HIPS, Host IPS, or Host-based IPS) is a security program that protects individual computers (hosts) against viruses and other Internet malware. This is in contrast to:
- Network Intrusion Prevention Systems (Network IPS), which can protect against network attacks but not other sources of attacks (such as an infected program in a removable USB thumbdrive).
- Host Intrusion Detection Systems (Host IDS), which only detects but does not stop attacks.
Unlike a conventional antivirus program, a HIPS does not use virus signatures or patterns to detect malicious software. Instead, it keeps a list of trusted programs and records what each program is allowed to do. A program that oversteps its permissions is blocked from carrying out unapproved actions.
Examples of HIPS (or firewalls and antivirus software that also contain a HIPS) include IBM Proventia, Cisco Security Agent, McAfee Host Intrusion Prevention, System Safety Monitor, Privacyware Privatefirewall, Comodo and Network-1 CyberwallPLUS.
- IBM, Cisco, Comodo and McAfee support Windows and Linux.
- Comodo and Privatefirewall are free (no license fee required).
- There is a free edition of System Safety Monitor.
How Host Intrusion Prevention Systems Work
A HIPS is like a super firewall for requests made by an application program to the operating system (Linux, Windows or MacOS) in which it is running.
A HIPS creates low level hooks into the operating system. Whenever a program asks the operating system for services, the HIPS intercepts the request and checks to see if the program is allowed to proceed. A whitelist is typically used: any program not on the list is considered untrusted.
A HIPS can be configured to control:
- Which programs are allowed to run. An unidentified virus can be blocked from running. The HIPS doesn't need to know that the program is a virus. It just needs to know that the program is not on the approved list.
- How much CPU time a program can use. Viruses typically use up a lot of CPU time, continuously trying to infect other files on the computer or other computers on the network.
- Which files a program can write to. A HIPS will typically restrict access to operating system executable files (c:\windows in Windows, /usr and /bin in Linux) and configuration files (the registry in Windows, /etc in Linux).
- Network access. Like a firewall, a HIPS can control access to and from the network.
- Process termination. Some viruses will try to shut down firewalls and antivirus programs. A HIPS can control which programs can stop other programs.
Advantages of HIPS
From the above description, it can be seen that virus signatures are not used:
- A paid subscription is not needed because there are no virus signature updates.
- New, unidentified viruses can be stopped immediately (on "day zero") without having to wait for new virus signatures (after "day zero").
Disadvantages of HIPS
The main issue with a HIPS is deciding which programs can be trusted.
A common strategy is to assume that a new computer does not contain any viruses or other malicious programs. The HIPS creates a list of programs that are running and their actions (CPU usage, network access etc).
After a learning period of, say a week, any deviations from this list is flagged as suspicious. The HIPS will then tell the user that a particular program is trying to do something potentially dangerous, and ask the user whether or not to allow it to proceed.
The problem is that:
- The computer might already have been infected by a virus before the learning period.
- The user needs to decide whether or not to approve the action. Not all users have the necessary knowledge to decide. Even IT professionals can make mistakes.
- If the computer is running unattended (typical for servers), there will be no one there to approve the suspect program's action. Most HIPS will then deny the action after a few minutes, possibly disrupting a vital server function (such as a periodic backup program).
Another issue is that unlike an anti-virus solution, a HIPS will likely need to be custom configured for each desktop PC or server.
Should a Host Intrusion Prevention System be Deployed?
A properly configured HIPS can provide significantly increased security protection from Internet and other security threats, compared to using only a conventional antivirus program. It does not completely replace an antivirus solution but complements it. An signature-based antivirus program can detect viruses that have been placed on the HIPS approved list by mistake. A Host IDS also works well with a HIPS.
The problem with a HIPS is that some basic IT knowledge is required to safely configure the permission rules. The user needs to recognize which programs and processes can be trusted, and with which permissions.
A HIPS is therefore a good choice for IT professionals and power users, but not for the average PC user.
Corporate IT departments should consider deploying a Network IDS/IPS.
 |
