Hi Guys, I have been in forum for quite sometime and was always interested in the topics everyone brought up. This site is the first thing I visit when I reach office. I have a question in mind and was quite confused....Here it goes: Firewall is for monitoring both incoming and outgoing traffic from a computer. So I assume anything, including threats such as keyloggers, will not be able to pass through the firewall. How will HIPS come into picture then? My understanding of HIPS is that it protects pc based on behaviours and monitors the process in the background. It will alert, just like a firewall, if a suspicious activity is detected. Now can someone please enlighten me if my understanding of these 2 technologies are correct and how they complement each other?
The primary purpose of a personal firewall is to act as a packet filter to control what traffic enters and leaves your computer. In that sense it is a guardian that sits at, and monitors, the gateway between your PC and the outside world. The packet filter by its nature does not detect threats such as keyloggers. Nor can it prevent malicious software from doing sneaky things to bypass the firewall's control of outbound applications. This is the job of HIPS. As you say HIPS monitors the processes within the computer itself. Decent firewalls that offer outbound application control will have a HIPS component in order to prevent leaks. In that sense most personal firewalls are a hybrid of two components: a packet filter used to control inbound and outbound network traffic, and a HIPS component to harden outbound application control to prevent leaks. It is the HIPS component that is responsible for detecting and preventing all kinds of potentially malicious behaviour within the PC. Firewalls (such as the one in ESET Smart Security for example) that do not have a HIPS component will be vulnerable to leaks.
Hi Pegr, Thank you very much for your reply. I have another question with regards to your answer. How do I know which Internet Security Suite's firewall includes HIPS (AVG, Symentec, Bitdefender, Kaspersky, etc)? AVG recently integrate Sana into their Internet Security. From my understanding, Sana is considered a HIPS. So can I conclude that the firewall in AVG does not have HIPS? Sorry but can you cite some examples of sneaky things that might bypass a firewall but not HIPS? I appreciate your answers and looking forward to them!! Thanks once again. Cheers!
Almost if not all that score high on matousec has a HIPS of some sort.. http://www.matousec.com/projects/firewall-challenge/results.php Thats a site that testes firewalls and hips, to see if the firewall leaks, is easy crashed and so on.. Top three is usually involving Comodo Internet Security, Outpost Security Suite and Online Armor Personal Firewall.. Those all have a strong HIPS component. And Are all good.. In my opinion.. Symentec, and kasp also have a hips component.. But its not top notch.
@Iam_me Matousec is interesting to read, but it is the opinion of many, myself included, that much of what is told on his site and many others really is nothing more than a marketing tool based on scare tactics. True, there is validity in testing firewalls and knowing which weaknesses they have and which strengths. I am only saying, firewalls performance from such sites, and your purchase/use based on those reviews does not mean they are full of absolute truth. That is why many come to Wilders, to talk to peeps who have more knowledge that can give real insight into the tools. But then too, even a place full of knowledgable folks like Wilders can house a lot of FUD. Just FYI for those reading this thread who might not know. Sul.
If you think of a firewall being able to control which applications can and how they can use the internet. Then this describes how software firewalls work for out bound protection. Now if you have enabled iexporer.exe to access the net on port 80. This does not mean that application abc.exe can or should be able to access the net on port 80. If you do not have hips protection then the application can hijack IE send over port 80 and skip your rules. So with out HIPS you can not trust that your rules are being followed. Also if they are able to terminate your firewall then no rules are in place. So it is protecting the integerity of the firewall. I think leakability and killabilty are important to a firewall, but the matousec results make them way more important then they should be.
Neoing, Maybe I can simplify this a bit for you. HIPS can be partially described as a firewall that controls applications and processes. Instead of controlling internet access, the application rules in HIPS control which executable files, applications, programs, etc are allowed to run. HIPS can also control how the different executables/processes interact, what other processes each one is allowed to start or be started by, and many other system functions. Most HIPS also monitor the more critical areas of the registry and the system services. Where firewalls use rules to control the internet access of individual applications, HIPS rules control their system activities.
So if you have HIPS and assuming you have a router to provide a hardware firewall to keep stuff from coming in from the outside, why do you need a software firewall?
Well, you may not need a SW FW at all! It depends on your list of needs and concerns. What are your security requirements? At the top of this forum on other FW's are some excellent sticky threads with a definition of what a FW is. Have a look at those and come back with a bit more detail on where you are going here. For example, a 3rd party FW allows users to allow or not certain applications to access the www. I want some to access others not. This for some is also a matter of privacy of information leaving their PC's without permission by you. If you don't care that's fine. Allow all. For me HIPS vs FW is a false choice. The SW FW can manages IN packets and if you want Outbound packets. The HIPS manages/ looks for bad exe's that slip past your FW defenses. The lock on your house may fail and then you have to search and deal with the burgler. It's not a question of one versus the other. Hope this helps you
Identity Protection Thank you guys for all the wonderful replies. I now have a deeper understanding, or rather, the functions of firewalls and hips. My company uses AVG Network edition in all pc. So i would like to understand a little bit more on Sana, which I believe it is HIPS. It says that it can protect identity, keep personal information secure, for banking online, etc. Doesn't all these go under spywares, where the can hijack your browser, get personal information, keyloggers, etc. How does Sana, as a HIPS, comes into picture for this case? I am guessing, is it blocking and protecting against those new spywares which are not in the signature? Apart from Sana / AVG, some other internet security suites also offers theft identification such as Trend Micro, Mcafee. Does their theft identifcation = HIPS ?? Looking forward to wonderful replies!! Many thanks in advance...
Re: Identity Protection In simplest form, a firewall monitors network activity while a HIPS monitors system activity. I don't know how how Sana/AVG works, but a HIPS in general will alert on any unknown process that attempts to execute on the protected machine, so if a keylogger or rogue executable attempts to launch, the HIPS will halt the process and alert the user to the yet-to-be qualified action. The user then makes the decision to allow it to progress or stop it cold. There is software that will simply halt unapproved processes - no questions asked - and this type of software is generally favored in institutions or businesses where the vast potential for user error is eliminated.
Thanks wat0114 for your reply. My understanding of HIPS is getting clearer with all response from you guys. Now I would like to find out more on my AVG 8.5 with SANA. The HIPS seems to sit there and idle and I do not know how to test it to ensure that it is working... Or maybe I should leave it the way? But no...I really want to find out so that I can use AVG at home too! Guys, AVG 8.5 with SANA? Anyone
ID Protection = BB(Behaviour Blocker) wich is a subset of HIPS, HIPS in the general sense is classical and alot more powerfull though not suited for the novice, it will allert on practicly all traffic,activities malicious,suspicious or totally legit. Sana will try n guess whats malware wich is a nice n called an intelligent approach but certainly not a strong one.
Hello there, As someone already mentioned, and quite well, one thing is a firewall, which will keep bad people out of your system, or do it's best. One other thing is a HIPS, which stands for Host Intrusion Prevention System, though the Prevention part is only as good as the user behind such tools. There are HIPS that are easier to work with, as they provide a huge database of well-know and digitally signed trusted vendors, hence making it easy to apply rules. The one I use, even offers predefined rules, which I then change this or that to my own taste. Once it's set (you start using your known applications, etc), you practically will see no popup, unless something abnormal is happening and the HIPS knows nothing about the process starting such abornmal behavior. The application from SANA, now part of AVG, and that goes by the name of AVG IDP (Identity Protection) is a behavior blocker, in the pure sense of those two words, unlike other tools they vendors claim to be behavior blockers, but, are more like lighter HIPS, requiring, still, human action, whether or not a process is malicious. AVG IDP will monitor behaviors, which are considered abnormal. I like this approach, as it will require practically no knowledge from the user, unlike a HIPS or one of those behavior blockers wannabe.
Yeap, saw that already but it did not mention much on the technical aspect though. Only feedbacks after installation
