Cisco's Host Sensor Platforms
Cisco also offers a Host IDS to protect the service endpoints distributed in the network. The Cisco HIDS solution is based on Entercept functionality and augments Cisco's NIDS capabilities as prescribed in the AVVID architecture and SAFE blueprint. Two forms of the sensor are available, the Standard Agent and the Web Edition Agent. While both lend critical, focused functionality to the protection of host systems, the Web Edition includes all Standard Agent functionality and adds protective measures specifically for web servers. We'll discuss both of these agents next.
The software is distributed to the critical systems on the network, yet is controlled via a centralized, secure console for ease of management. From the Cisco IDS Host Sensor Console, administrators can configure and manage all sensors in the network. For instance, as new attack signatures are regularly made available by the Cisco Countermeasures Research Team (C-CRT), security administrators simply download the new signatures to the console, then upload them to the various NIDSs via a centralized process. Additionally, the Cisco VMS software can be used should administrators already be running CiscoWorks to manage other NIDS and security devices in the network. The Cisco IDS Host Sensor software is capable of protecting the following platforms:
- Standard Agent:
  - Windows 2000 Server and Advanced Server (up to Service Pack 2)
  - Windows NT v4.0 Server and Enterprise Server (Service Pack 4 or later)
  - Solaris 2.6 SPARC architecture 4u (32-bit kernel)
  - Solaris 7 SPARC architecture 4u (32- and 64-bit kernel)
  - Solaris 8 SPARC architecture 4u (32- and 64-bit kernel)
- Web Edition Agent (includes all Standard Agent functionality):
  - Web servers as follows:
    - Microsoft IIS v4.0 and v5.0
    - Apache v1.3.6 through v1.3.24 for Solaris SPARC (Apache on Windows NT/2000 and Linux is not supported)
    - iPlanet Web Server v4.0, v4.1, and v6 for Solaris SPARC
    - Netscape Enterprise Server v3.6 for Solaris SPARC
- Console Agent:
  - Windows 2000 Server and Advanced Server (SP1 and SP2)
  - Microsoft Windows NT Server (SP6a)
Cisco Host Sensor
Capable of running on various operating systems such as Windows or Solaris, the Cisco IDS Host Sensor integrates into the host OS to protect it from malicious activity. The Host Sensor not only inspects inbound traffic destined for the server, but also intercepts system calls, adding a further, host-level layer of security. This capability allows the sensor to identify the process and user triggering each system call as well as the resources the call requires. Armed with this information, the sensor applies a combination of behavioral rules and attack signatures to determine whether the system activity is benign or malicious. Should abnormal activity be detected, the sensor can terminate the system call and alert security administrators.
Due to the software design, the Host Sensor Standard Agent can prevent malicious activity in several ways. As we've discussed, the sensor uses known attack signatures to distinguish normal and harmful activity. Because Cisco maintains dedicated resources for the development of timely attack signatures, the Cisco Host Sensor will always be ready and able to detect the latest threats.
From Chapter 1, we know that signature-based detection systems are vulnerable during the window between the discovery of a new exploit and the development of a protective signature. To combat this issue, Cisco provides an additional layer of protection via behavior anomaly detection capabilities on the sensor. This helps detect and prevent previously unknown attacks until a signature can be developed. Should a call or action on a server violate predefined normal behavioral patterns, the sensor can block the malicious activity and alert the security team.
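A toy model of that two-stage decision (known-attack signatures first, then the behavioral baseline that catches calls no signature yet describes), added here as an illustration and not Cisco's or Entercept's code; the event fields, signatures, and baseline are constructed for the example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SyscallEvent:
    """One intercepted system call, with the context the sensor sees."""
    process: str   # process image issuing the call
    user: str      # account the process runs as
    call: str      # intercepted call: open, write, exec, accept, ...
    resource: str  # file, Registry key, program, or socket targeted

# Constructed attack signatures: (call, resource) pairs known to be hostile.
SIGNATURES = {
    ("write", r"HKLM\SYSTEM\CurrentControlSet\Services"): "service-key tamper",
    ("exec", r"C:\WINNT\system32\cmd.exe"): "web server spawning a shell",
}

# Constructed behavioral baseline: for each process, the calls it normally
# makes and the resource prefixes each call is allowed to touch.
BASELINE = {
    "inetinfo.exe": {
        "open": (r"C:\Inetpub\wwwroot",),
        "write": (r"C:\WINNT\system32\LogFiles",),
        "accept": ("tcp/80",),
    },
}

def evaluate(event: SyscallEvent) -> tuple[str, str]:
    """Return (action, reason). Signatures are checked first; anything they
    miss is measured against the process's behavioral baseline."""
    sig = SIGNATURES.get((event.call, event.resource))
    if sig is not None:
        return "block", f"signature: {sig}"
    profile = BASELINE.get(event.process)
    if profile is None:
        # No baseline yet: let it run but raise it for the security team.
        return "alert", f"no baseline for {event.process}"
    prefixes = profile.get(event.call, ())
    if not any(event.resource.startswith(p) for p in prefixes):
        # Unknown attack with no signature: the baseline still blocks it.
        return "block", f"anomaly: {event.process} {event.call} {event.resource}"
    return "allow", "within baseline"

def evaluate_all(events: list[SyscallEvent]) -> list[tuple[str, str]]:
    """Decide every event in order, as the sensor would for a call stream."""
    return [evaluate(e) for e in events]
```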
Because the sensor software is fully integrated with the host operating system, the software can also prevent arbitrary code execution, such as that resulting from buffer overflow exploits. This functionality is critical since over 60 percent of Computer Emergency Response Team (CERT) security advisories result from buffer overflow exploits.
The tight integration also permits the host sensor to protect the operating system's critical resources and files such as configuration files, Registry settings, and binaries that are often the focus of an attack. Similarly, the sensor also prevents unauthorized privilege escalation by securing user permissions and configurations.
The Web Edition Agent includes all Standard Agent functionality and adds protective mechanisms to prevent web server–specific attacks. When installed, the Web Edition Agent automatically detects and adapts to the existing Apache, iPlanet, or IIS web server. It can then act as a protective element that parses HTTP streams, inspecting the TCP conversations for malicious logic and blocking potential attacks before they reach the server. Because the Agent sits on the server, it can examine web requests without obfuscation by application-level encryption techniques such as Secure Sockets Layer (SSL), thereby adding protection that a Network IDS cannot provide.