Protecting desktop and server - or "host" - systems has rapidly become a high priority for organizations that want to ensure uptime and the availability of day-to-day business applications. In 2003, the average cost of a virus disaster's impact rose approximately 23 percent, to $99,900 [1], a figure that has increased for eight consecutive years. Today's hybrid threats are growing faster, more complex and more destructive. Only Internet Security Systems (ISS) offers a multi-layered security solution that delivers the preemptive protection needed to stop these threats before they impact business operations.
Firewalls and vulnerability-centric intrusion prevention protect against attacks that originate at the network level, while behavior-based, application-level protection is needed to stop buffer overflow exploits and malicious programs spread via e-mail, Web browsing and other file-centric threat vectors. The market's failure to identify and distinguish between these two primary threat vectors has caused confusion over which technologies most effectively prevent a particular attack on the host.
Proventia Desktop software protects host systems using a combination of personal firewall, intrusion prevention, buffer overflow exploit prevention, application control and virus prevention system (VPS) - a brand new technology that uses patent-pending behavioral analysis to prevent worms, viruses, Trojans, and spyware. VPS technology fills the gap left open by traditional signature-based antivirus technology by stopping viruses and worms without needing a signature update.
This whitepaper will identify common problems associated with effectively protecting host systems and define the components of ISS' Proventia Desktop - a comprehensive solution offering a superior level of host protection.
Understanding Modern Threats to the Host
When researching threats to host systems, it is important to understand the primary phases of a successful attack. In one popular model, attacks on the host are broken into three phases - penetration, launch and propagation - as shown in Figure 1.
Protecting hosts from threats used to be much simpler. Because hosts are now so interconnected, they have become susceptible to many more types of attacks that threaten real-time business.
Attacks target host systems using one of two major threat vectors: the network vector and the application vector, as illustrated in Figure 2. Similar to the spread of disease in biological pathology, attacks are carried by vectors to their targets.
The Network Threat Vector
Network-based attacks utilize malicious network traffic to remotely compromise their target systems. Unlike other threats, network-based attacks can penetrate, launch and propagate without human intervention. Network-based attacks on the host predominantly exploit vulnerabilities in protocols and network-aware processes. These vulnerabilities are typically the result of programming errors which provide opportunities for a buffer overflow. Exploit types include, but are not limited to: direct hacking and theft, network-based worms, denial of service (DoS) attacks, and the installation of remote access backdoors and robot (bot) footholds for future use by the hacker.
To protect host systems from these attacks, a complete solution includes firewall, intrusion prevention systems (IPS) and buffer overflow exploit prevention (BOEP), which stops worms from propagating and prevents hackers from using buffer overflows to run arbitrary code on the desktop.
Network Attack Prevention
Three main technologies defend host systems against network-based attacks: personal firewalls, intrusion prevention systems and buffer overflow exploit prevention. A subset of network-based attacks can use executable files to propagate further from the host. In such cases, application-based prevention technologies may provide detection after launch and prevent attack propagation.
Personal Firewalls
Personal firewalls (PFW) represent first-generation technology sometimes known as distributed firewall technology or managed personal firewall technology. Personal firewalls are the most commonly understood and deployed form of host protection, and defend against attacks using network threat vectors in the pre-launch phase before they affect the system. Through overall security policy choices, a personal firewall can reduce, but not eliminate, risk exposure introduced by internetworking hosts. By blocking access to ports, single IP addresses or ranges of IP addresses, protocols and services not needed for legitimate business, personal firewall technology can prevent attacks targeting those resources.
Example: If your business security policy prohibits employees from using FTP (File Transfer Protocol), you could implement firewall rules by port or protocol to block FTP traffic. This type of business policy decision would make the host system immune to network attacks that target FTP.
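As an added illustration (not ISS code and not Proventia's rule format), the following simplified host firewall policy evaluator models the rule criteria named above: port, single remote IP, IP range and protocol, evaluated first-match with a default-deny fallback. The rule that implements the FTP prohibition sits ahead of the broader allow rules; all addresses and connection attempts are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified host firewall policy model (added illustration, not Proventia's
# rule format). Rules are evaluated top to bottom; the first match decides,
# and anything unmatched falls through to the default action (deny).

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "block"
    direction: str                 # "in", "out" or "any"
    protocol: str                  # "tcp", "udp" or "any"
    remote: Optional[str] = None   # single IP or CIDR range; None matches any
    port: Optional[int] = None     # remote port for "out", local port for "in"

    def matches(self, direction: str, protocol: str, remote_ip: str, port: int) -> bool:
        if self.direction != "any" and self.direction != direction:
            return False
        if self.protocol != "any" and self.protocol != protocol:
            return False
        # A single IP becomes a /32 network, so one matcher covers hosts and ranges
        if self.remote is not None and ip_address(remote_ip) not in ip_network(self.remote, strict=False):
            return False
        if self.port is not None and self.port != port:
            return False
        return True

def decide(rules, direction, protocol, remote_ip, port, default="block"):
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(direction, protocol, remote_ip, port):
            return rule.action
    return default

# Policy reflecting the whitepaper's example: the business prohibits FTP, so
# the FTP control port (TCP/21) is blocked in both directions ahead of the allows.
POLICY = [
    Rule("block", "any", "tcp", port=21),                        # no FTP
    Rule("block", "in", "any", remote="198.51.100.0/24"),        # constructed: untrusted range
    Rule("allow", "out", "tcp", port=80),                        # web browsing
    Rule("allow", "out", "tcp", port=443),
    Rule("allow", "in", "tcp", remote="192.0.2.10", port=3389),  # constructed: one admin host
]

if __name__ == "__main__":
    # Constructed connection attempts: (direction, protocol, remote IP, port)
    for attempt in [("out", "tcp", "203.0.113.5", 21), ("out", "tcp", "203.0.113.5", 80),
                    ("in", "tcp", "198.51.100.7", 443), ("in", "tcp", "192.0.2.10", 3389),
                    ("in", "udp", "203.0.113.9", 161)]:
        print(attempt, "->", decide(POLICY, *attempt))
```

Note that the block rule only covers the port it names; as the text says, port-based rules reduce rather than eliminate exposure, and anything not explicitly allowed is caught by the default-deny fallback.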