Tuesday, April 24, 2007

What is a Host IPS?

The term Host IPS mostly denotes endpoint software that monitors the execution of applications and looks for intrusions. Interestingly, the term Host IPS implies the absence of signatures, whereas the term network IPS generally implies their presence :) Of course, a Host IPS is generally meant to complement signature-based anti-virus, and contemporary network IPSs use more techniques in addition to signatures.

Most host IPSs use a mix of the following techniques to monitor program execution (sometimes called program "behavior"):
- intercept system calls
- intercept access to resources like the registry, file system and libraries (DLLs)
- track the origin of the code being executed
- execute the program in a sandbox; the extreme case is interpreting the program instruction by instruction instead of running it directly on the processor.
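To make the first three techniques concrete, here is a small behaviour monitor of the kind a host IPS builds around intercepted calls. It is an added example, not code from the post or from any of the products named below. Intercepted system calls and resource accesses arrive as events, each event carries the origin of the code that issued it, and an ordered rule table decides whether to allow, alert on or block the behaviour. The paths, registry key, process names and the whole event trace are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    """One intercepted call, as a host IPS hook would report it."""
    pid: int
    image: str    # executable whose code is running
    origin: str   # how the code got onto the host: "installed", "download", "email"
    call: str     # intercepted call: "open", "write", "reg_set", "load_library", "exec"
    target: str   # resource the call touches


# Constructed resource locations used by the policy (illustrative, not real telemetry).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SYSTEM_DIR = r"C:\Windows\System32"
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path lies under prefix' test (Windows-style paths)."""
    return path.lower().startswith(prefix.lower())


# Rule table: (name, predicate, action). Evaluated in order, first match wins,
# so the most specific rules come first; anything unmatched is allowed.
RULES: List[Tuple[str, Callable[[Event], bool], str]] = [
    ("untrusted code sets autorun key",
     lambda e: e.call == "reg_set" and _under(e.target, RUN_KEY) and e.origin != "installed",
     "block"),
    ("untrusted code writes into system directory",
     lambda e: e.call == "write" and _under(e.target, SYSTEM_DIR) and e.origin != "installed",
     "block"),
    ("library loaded from temp directory",
     lambda e: e.call == "load_library" and _under(e.target, TEMP_DIR),
     "alert"),
    ("executable launched from temp directory",
     lambda e: e.call == "exec" and _under(e.target, TEMP_DIR),
     "alert"),
]


def evaluate(e: Event) -> Tuple[str, str]:
    """Return (action, rule_name) for one intercepted call."""
    for name, pred, action in RULES:
        if pred(e):
            return action, name
    return "allow", ""


def monitor(events) -> List[Tuple[int, str, str, str]]:
    """Run every event through the policy; return the verdicts that are not 'allow'."""
    findings = []
    for e in events:
        action, name = evaluate(e)
        if action != "allow":
            findings.append((e.pid, e.image, action, name))
    return findings


# Constructed sample trace: an installed editor behaving normally, then a
# program that arrived by e-mail and runs from the temp directory.
SAMPLE = [
    Event(1200, r"C:\Program Files\Editor\editor.exe", "installed", "open", r"C:\Users\alice\notes.txt"),
    Event(1200, r"C:\Program Files\Editor\editor.exe", "installed", "write", r"C:\Users\alice\notes.txt"),
    Event(1200, r"C:\Program Files\Editor\editor.exe", "installed", "reg_set", RUN_KEY + r"\Editor"),
    Event(3000, r"C:\Program Files\Mail\mailclient.exe", "installed", "exec", TEMP_DIR + r"\invoice.exe"),
    Event(4410, TEMP_DIR + r"\invoice.exe", "email", "load_library", TEMP_DIR + r"\helper.dll"),
    Event(4410, TEMP_DIR + r"\invoice.exe", "email", "reg_set", RUN_KEY + r"\Updater"),
    Event(4410, TEMP_DIR + r"\invoice.exe", "email", "write", SYSTEM_DIR + r"\drivers\etc\hosts"),
]

if __name__ == "__main__":
    for pid, image, action, name in monitor(SAMPLE):
        print(f"pid {pid} {action.upper():5} {name} ({image})")
```

The point of the origin field is visible in the third and sixth events: the same registry write is allowed for installed software and blocked for code that arrived by e-mail, which is exactly the "track origin of the code" technique layered on top of plain call interception.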

There are several compile-time tools for making the stack harder to overflow. These defend (though not foolproof) against buffer overflows on the stack:
- stack guard
- stack shield
- stack ghost

...and a run-time method:
- program shepherding
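The compile-time tools above all rest on the same idea, which the following simulation makes explicit. It is an added example, not code from the post or from any of the named tools: a stack frame is modelled as a byte array holding a local buffer, a canary word and the saved return address, the "prologue" plants a random canary, and the "epilogue" verifies it before the return address is used. The sizes, the fake return address and the inputs are constructed for illustration.

```python
import os

BUF_SIZE = 16      # local buffer
CANARY_SIZE = 8    # guard word placed between buffer and return address
RET_SIZE = 8       # saved return address


class StackSmashDetected(Exception):
    """Raised by the epilogue when the canary no longer matches."""


class Frame:
    """Simulated stack frame laid out as [buffer][canary][return address]."""

    def __init__(self, return_address: int):
        # Per-frame random canary: an overwrite has to reproduce it to go unnoticed.
        self.canary = os.urandom(CANARY_SIZE)
        self.mem = bytearray(BUF_SIZE + CANARY_SIZE + RET_SIZE)
        self.mem[BUF_SIZE:BUF_SIZE + CANARY_SIZE] = self.canary
        self.mem[BUF_SIZE + CANARY_SIZE:] = return_address.to_bytes(RET_SIZE, "little")

    def unchecked_copy(self, data: bytes) -> None:
        """Model of an unbounded copy into the buffer: overlong input spills past it.

        The copy is clipped at the end of the frame only so the simulator itself
        does not fail; a real unbounded copy has no such limit.
        """
        n = min(len(data), len(self.mem))
        self.mem[:n] = data[:n]

    def epilogue(self) -> int:
        """Canary check inserted before the return address is used."""
        if bytes(self.mem[BUF_SIZE:BUF_SIZE + CANARY_SIZE]) != self.canary:
            raise StackSmashDetected("canary overwritten before return")
        return int.from_bytes(self.mem[BUF_SIZE + CANARY_SIZE:], "little")


def run_function(data: bytes, return_address: int = 0x401000) -> str:
    """Simulate one call: prologue, the copy, then the guarded return."""
    frame = Frame(return_address)
    frame.unchecked_copy(data)
    try:
        ret = frame.epilogue()
    except StackSmashDetected:
        return "aborted"          # the guard halts the program instead of returning
    return "returned to %#x" % ret


if __name__ == "__main__":
    print(run_function(b"hello"))        # fits: returned to 0x401000
    print(run_function(b"A" * 16))       # exactly fills the buffer, canary intact
    print(run_function(b"A" * 40))       # spills over the canary: aborted
```

Two properties carry the protection: the canary sits between the buffer and the return address, so a linear overrun cannot reach the return address without crossing it, and the canary is random, so the overrun cannot simply rewrite the expected value. The check only runs at function return, which is one reason the post calls these tools not foolproof: corruption of data that is used before the epilogue executes is outside what the canary can observe, and is part of what a run-time method such as program shepherding is meant to cover.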

Some commercially available Host IPS products are:
- McAfee
- Cisco
- Symantec
- Determina
