Host-Based Intrusion Prevention Systems

These attack blockers are on your side

Renee Munshi

February 27, 2006

4 Min Read
ITPro Today logo

If you're serious about keeping intruders out of your network and off your systems, you might want to consider a relatively new class of products: intrusion prevention systems (IPSs). These solutions go a step further than the more familiar intrusion detection systems (IDSs): Instead of just warning you of an attack, IPSs take steps to block it.

There are two types of IPSs: network-based and host-based. Network-based IPSs sit on your network, often in appliance form, and examine packets as they traverse the network. Host-based IPSs reside on servers and workstations; they examine application actions and calls to the system to look for anything prohibited or out of the ordinary. Both types stop "bad" activity. Our Buyer's Guide this month lists host-based IPSs.

Here's Your Host
Network-based IPSs can stop attacks that come in from the Internet and make it past the firewall. But they won't stop an attack levied from the inside against a particular machine on your network. If you're concerned about internal attacks, a host-based IPS installed on key servers and other systems might be what you need. Or you might deploy a host-based IPS along with a network-based IPS for multiple layers of protection.

Most of the host-based IPSs in this Buyer's Guide run on both Windows client and server systems. (Internet Security Systems'—ISS's—Proventia family has separate desktop and server versions.) Some of these products also run on other OSs, such as Linux or UNIX variants.

Host-based IPSs use various methods and combinations of methods to detect and prevent attacks. Some look for virus and other malware signatures. To protect against attacks for which signatures are not yet available, most also check for anomalous or irregular behavior on the system on which they're deployed. IPS vendors create policies that specify normal behavior for the OSs and applications they support. "Abnormal" behavior triggers an IPS's blocking mechanisms. Most host-based IPSs let customers create custom policies for applications or actions not covered by vendor-supplied policies. Several products also include built-in firewall capabilities.

The attacks that host-based IPSs protect against include viruses, spam, spyware, worms, Trojan horse programs, keyloggers, bots, buffer overflows, rootkits, and Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Some vendors claim to protect the entire server or client system; others focus on specific applications, such as Microsoft IIS, Internet Explorer (IE), and Exchange Server.

Most vendors update their products regularly. Regular updates are especially crucial for products that use signature technology to detect attacks. Likewise, most of the listed products provide centralized management, which you'll want if you plan to deploy IPS software on many hosts. For more details about how host-based IPSs work, see the Windows IT Security article "NIPS and HIPS" March 2006, InstantDoc ID 49230 .

When deciding between host-based IPSs, you need to educate yourself about the kinds of attacks they protect against and make sure that the product you choose prevents the types of attacks that you're most concerned about. If you're looking at a signature-based IPS, you'll want to know that the product's signature database is updated frequently and, if you'll be installing the product on multiple hosts, that updates can be easily distributed to all your host machines. Also, look for a management interface that you feel comfortable with. You'll want a good window to the rules set by the vendor and a good mechanism for creating your own rules governing what actions are allowed on your hosts.

Finally, be aware that more isn't necessarily better when it comes to the number of warnings an IPS produces. It can be tempting for vendors to create extra checks or warning policies to inflate the number of attacks prevented or warnings produced.

Plan Ahead
Plan carefully before adding a host-based IPS to your environment. Because these products block, rather than just alert you to, potential attacks, they can stop legitimate processes and users dead in their tracks if you aren't careful. For any tool you purchase, you'll need to thoroughly understand the activities it blocks and probably do some fine-tuning for some or all of your users so that they can continue to work without unnecessary interruption. But host-based IPSs can be a good addition to the firewall and antivirus protection you already have on your network and computers.

The Buyer's Guide presents vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to

Click here to view the Buyer's Guide

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like