Host-Based IDSs
By now, all network administrators are aware that network security should be seen as a continuous process built around the security policy. This process is a four-step method, as described in Chapter 5: secure the system, monitor the network, test the effectiveness of the solution, and improve the security implementation. Testing the effectiveness of the IDS host sensor is an integral part of the monitoring step.

A host IDS can be described as a distributed agent residing on each server of the network that monitors the network activity in real time. The host IDS detects security violations and can be configured so that an automatic response prevents the attack from causing any damage before it hits the system. The section that follows focuses on the Cisco Secure Agent.
Host Sensor Components and Architecture
The Cisco Intrusion Detection Host sensor has two main components:
- Cisco Secure Agent
- Cisco Secure Agent Manager
NOTE
The Cisco Secure Agent Manager is now an integral part of the CiscoWorks VMS Suite. More information can be found at the following URL: http://www.cisco.com/en/US/products/sw/cscowork/ps5212/169.
Cisco Secure Agent
The Cisco Secure Agent is a software package that runs on each individual server or workstation to protect these hosts against attacks.

The Cisco IDS host sensor (based on Entercept Security technology) provides real-time analysis of, and reaction to, intrusion attempts. The host sensor processes and analyzes each and every request to the operating system and application programming interface (API) and proactively protects the host if necessary. The next-generation Cisco Secure Agents (based on Okena's technology) extend these capabilities even further by automating the analysis function and creating protective policies for the operating system and applications. These agents control all events on files, network buffers, the registry, and COM access. The Cisco Secure Agent is built on the Security Agent's Intercept Correlate Rules Engine (INCORE) architecture: requests are intercepted before they reach the operating system, correlated with what the same process has already done, and then evaluated against the rules of the policy.

Host IDSs are nowadays referred to as Host Intrusion Protection Systems (HIPS). Figure 10-7 illustrates the architecture of the Host Sensor Agent based on the Entercept technology.
Figure 10-7. Architecture of the Host Sensor Agent
Response to Events and Alerts."
Cisco Secure Agent Manager
The Cisco Secure Agent Manager is responsible for managing the Cisco Secure Agent and for communication with the agent. The Cisco Secure Agent Manager provides all management functions for all agents in a centralized manner. It also has components that notify security personnel in case of an attack and that generate reports. This management session should use data encryption technologies to be robust, private, and secure. The Cisco Secure Agent Manager has three main components: the graphical user interface (GUI), the server, and the notification handler. Both the GUI and the server are linked to a database where the configuration information is stored.

The agents are directly connected to the server. When an agent sends an alarm to the server, the server is responsible for instructing the notification handler to take care of all configured notification requests, such as e-mail and pager notification.
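The two sections above describe the agent side (intercept a request, correlate it with the process's history, apply the rules, and either allow or deny it before it reaches the operating system) and the manager side (the server receives the alarm and drives the notification handler). The following Python model is an added example written for this page; it is not Cisco, Entercept, or Okena code, and the event fields, the policy format, the three sample rules, and the "email"/"pager" channel names are assumptions chosen to illustrate the flow end to end.

```python
"""Toy host-sensor pipeline: intercept -> correlate -> rules engine -> manager -> notify.

Added example for illustration; it models the INCORE-style flow described in the
text and is not the product's own implementation.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One intercepted OS/API request on a host (assumed field layout)."""
    host: str
    process: str
    kind: str      # "file", "network", "registry" or "com" (the event classes in the text)
    action: str    # e.g. "read", "write", "exec", "connect", "create"
    target: str    # file path, remote socket, registry key or COM class


@dataclass
class Rule:
    name: str
    severity: str                                 # "info" or "high"
    response: str                                 # "allow" or "deny"
    match: Callable[[Event, List[Event]], bool]   # (current event, this process's history)


@dataclass(frozen=True)
class Alarm:
    host: str
    rule: str
    severity: str
    response: str
    detail: str


class HostAgent:
    """Agent side: evaluates every request before the OS sees it and raises alarms."""

    def __init__(self, host: str, rules: List[Rule], send_alarm: Callable[[Alarm], None]):
        self.host = host
        self.rules = rules
        self.send_alarm = send_alarm          # link to the manager's server
        self.history: Dict[str, List[Event]] = defaultdict(list)   # correlation state per process

    def intercept(self, event: Event) -> str:
        """Return "allow" or "deny" for one request; send an alarm for every matching rule."""
        history = self.history[event.process]
        decision = "allow"
        for rule in self.rules:
            if rule.match(event, history):
                detail = f"{event.process} {event.action} {event.kind}:{event.target}"
                self.send_alarm(Alarm(self.host, rule.name, rule.severity, rule.response, detail))
                if rule.response == "deny":
                    decision = "deny"
                    break
        if decision == "allow":               # only requests that reached the OS become history
            history.append(event)
        return decision


def touched_network(history: List[Event]) -> bool:
    return any(e.kind == "network" for e in history)


# Constructed policy (assumption: real agents ship per-OS/per-application policies).
RULES = [
    # Correlation rule: a process that has used the network may not write an executable.
    Rule("network-then-write-executable", "high", "deny",
         lambda ev, hist: ev.kind == "file" and ev.action == "write"
         and ev.target.lower().endswith(".exe") and touched_network(hist)),
    # Protect the system hive from modification.
    Rule("write-system-config", "high", "deny",
         lambda ev, hist: ev.kind == "registry" and ev.action == "write"
         and ev.target.upper().startswith("HKLM\\SYSTEM")),
    # Informational: record COM object creation but let it through.
    Rule("com-object-created", "info", "allow",
         lambda ev, hist: ev.kind == "com" and ev.action == "create"),
]


class NotificationHandler:
    """Fans one alarm out to the configured channels (collected here instead of sent)."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []

    def notify(self, channels: List[str], alarm: Alarm) -> None:
        for channel in channels:
            self.sent.append((channel, f"[{alarm.severity}] {alarm.host}: {alarm.rule} "
                                       f"({alarm.response}) {alarm.detail}"))


class AgentManager:
    """Manager side: the server stores alarms and instructs the notification handler."""

    def __init__(self, handler: NotificationHandler, channels_by_severity: Dict[str, List[str]]):
        self.handler = handler
        self.channels_by_severity = channels_by_severity
        self.alarms: List[Alarm] = []

    def receive(self, alarm: Alarm) -> None:
        self.alarms.append(alarm)
        self.handler.notify(self.channels_by_severity.get(alarm.severity, []), alarm)


def run_demo():
    """Run a constructed event stream through one agent and one manager."""
    handler = NotificationHandler()
    manager = AgentManager(handler, {"high": ["email", "pager"], "info": ["email"]})
    agent = HostAgent("web01", RULES, manager.receive)
    events = [   # constructed sample requests, not captured data
        Event("web01", "browser.exe", "network", "connect", "203.0.113.10:80"),
        Event("web01", "browser.exe", "file", "write", r"C:\Users\bob\Downloads\update.exe"),
        Event("web01", "setup.exe", "file", "write", r"C:\Program Files\App\app.exe"),
        Event("web01", "svc.exe", "registry", "write", r"HKLM\SYSTEM\CurrentControlSet\Services\foo"),
        Event("web01", "word.exe", "com", "create", "Excel.Application"),
    ]
    decisions = [agent.intercept(e) for e in events]
    return decisions, manager.alarms, handler.sent


if __name__ == "__main__":
    decisions, alarms, sent = run_demo()
    print("decisions:", decisions)
    for channel, message in sent:
        print(f"{channel:6} {message}")
```

The third event shows why the correlation step matters: the same file write that is denied for the process with network history is allowed for `setup.exe`, which has none. The manager maps severity to channels, so each high-severity alarm produces both an e-mail and a pager notification while the informational COM alarm produces only an e-mail.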
Deploying Host-Based Intrusion Detection in the Network
The deployment of host-based IDSs throughout the organization's network requires a very well-thought-out design. A few design and deployment considerations are discussed in this section, but details on deploying host-based IDSs are far beyond the scope of this book. See "Organizational Issues and Complications" earlier in this chapter.

Figure 10-8 illustrates the host IDS deployment for a company with remote users connecting over a public infrastructure to the corporate network.