Standalone “HIPS” vs. Firewall “HIPS” : Any Difference?

Discussion in 'other anti-malware software' started by chinook9, Nov 26, 2009.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It is better if someone calls me paranoid because I use a HIPS program rather than calling me a loser :D
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Agreed. An unpleasant thread with precious little substance.
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Re: Standalone “HIPS” vs. Firewall “HIPS” : Any Difference?

    Maybe you are not able to explain or to prove your point... :D but I won't flame with you. As already said, we would prefer any substance.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The argument that users who understand their systems and HIPS well enough to use them to their potential are the ones who don't need them doesn't hold true. This is particularly true for those who don't use the most recent versions of Windows (Vista and 7).
    An example I'm sure many here remember:
    0day: PDF pwns Windows.
    Yes, this PDF vulnerability has long been patched, but all apps have potentially exploitable vulnerabilities. We'll see more of these. We just don't know when or in what application they'll be found. In this POC, code in the PDF document could be used to open and send instructions to other apps or system components, which they gladly executed with no help from the user other than opening the document or visiting a page containing a document with such code. The POC just launched Calculator, but it could just as easily have registered a DLL, edited the registry, or given instructions to download and execute something else, without the user clicking on anything. Windows' built-in tools do not have the ability to regulate this type of interprocess activity. They can prevent the execution of a downloaded payload, but they can't protect against the malicious use of legitimate apps and components on pre-Vista systems.

    With HIPS, especially the classic HIPS, code like that POC can be intercepted at multiple points, e.g. when the code launched the mail handler, or when the mail handler launched Calculator. In situations like this, HIPS can effectively prevent the compromised app from gaining access to the rest of the system by enforcing a policy of isolation. This makes the exploit code ineffective, as the attacker gains no control or additional access to the system. I've applied this policy to all attack surface applications (all apps that open internet content or files from outside sources) as a proactive defense against future exploits, in addition to a default-deny policy.

    Having used SSM for years, I haven't tried DW, but if I understand it correctly, the basic philosophy of its design is very similar to this. Given the user base it has here and the support I've seen Ilya give, I have no doubt that it's very good. If I wasn't completely satisfied with SSM, DW would be the next HIPS I'd try.

    To the original poster:
    I can't help with the brand specific questions or with comparing them. Regarding the free standing HIPS vs those integrated into a firewall, this is largely a matter of preference. Using separate HIPS and firewalls allows you to select and update the components of your choice. It's also true that apps designed to do one thing usually do it better than those that are components in a suite or package. DW and SSM are good examples of this. Separate apps usually run lighter than the equivalent in security suites or packages. The combination I'm using on this unit, Kerio 2.1.5 and SSM Pro is using 4,400K of memory combined, which is far less than any AV or security suite.

    The downside of using separate apps:
    The user needs to be more knowledgeable when building their own package, both to ensure complete coverage and to keep overlap to a minimum. If the apps use kernel level components (most HIPS do), the possibility of them conflicting increases. If any of them update automatically, this can happen without warning. Example: Some time ago, AntiVir added a rootkit module to their AV. The first release got along fine with SSM. When they updated the module as part of the normal update process, the new module conflicted with SSM, leaving the system unusable. This was on a client's PC. It worked fine the last evening, and BSODs in the morning. I had to remove the AV's rootkit module. If you're going to use separate apps, make system backups or images as you go using real backup or imaging software, not the built-in tools.

    Separate apps require more configuring and/or rule making. More work for the user but more potential for finer control. Again, it's back to your needs or preferences.

    Separate apps don't work together or interact the way they can in a suite. Depending on your security policy, this may or may not be a disadvantage. The better HIPS can interact with other security apps to a degree. For instance, SSM can prevent a separate firewall from being terminated and can protect it from being accessed by other applications. The downside to the interaction of components lies in their interdependency. In a suite or package, they'll share components along with any flaws or vulnerabilities they may have. On the remote chance that a successful attack is found against a security suite, it will likely affect all components. While rare, it has happened. With separate freestanding apps, each can protect and monitor the other. Since it faces the internet, the firewall is naturally part of the attack surface, aka directly targetable. If the HIPS is part of the package, it is also part of the attack surface. When separated, the HIPS defends the attack surface but isn't actually part of it. In order to be attacked, the attack would have to come through something else. Again, a matter of preference, as most HIPS are very resistant to attack.

    Instead of comparing features, abilities etc, try approaching this from the opposite direction. Start with outlining your basic security policy (eg default-deny, isolation, signature based, etc). Figure in how the PC will be used and the ability and trust you have in those users, then select the apps that best fill those needs. It takes some time and planning.
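As an added illustration of the isolation and default-deny policy described in this post (example code written for this page, not from any HIPS product or the poster): a toy policy evaluator that intercepts "launch" and "modify" events, isolates attack-surface applications so they cannot spawn other programs or touch protected resources, and denies anything without an explicit rule. The process names, resource names and the PDF-to-mail-handler-to-Calculator chain are constructed for the example.

```python
from dataclasses import dataclass

# Apps that open internet content or outside files: isolated by policy.
ATTACK_SURFACE = {"acrord32.exe", "firefox.exe", "outlook.exe"}

# Explicit allow list of parent -> child launches; anything else is denied.
ALLOWED_LAUNCHES = {
    ("explorer.exe", "acrord32.exe"),
    ("explorer.exe", "firefox.exe"),
    ("explorer.exe", "calc.exe"),
}

# Resources an isolated app may never modify (constructed names).
PROTECTED_RESOURCES = {"registry:run", "system32:dll"}

@dataclass(frozen=True)
class Event:
    action: str   # "launch" or "modify"
    source: str   # process requesting the action
    target: str   # program to launch or resource to modify

def decide(event: Event) -> tuple[str, str]:
    """Return (verdict, reason) for one intercepted event."""
    src, tgt = event.source.lower(), event.target.lower()
    if event.action == "launch":
        if src in ATTACK_SURFACE:
            return "deny", f"{src} is isolated and may not launch {tgt}"
        if (src, tgt) in ALLOWED_LAUNCHES:
            return "allow", "explicit launch rule"
        return "deny", "default-deny: no rule for this launch"
    if event.action == "modify":
        if src in ATTACK_SURFACE and tgt in PROTECTED_RESOURCES:
            return "deny", f"{src} is isolated and may not modify {tgt}"
        return "allow", "not a protected resource for this source"
    return "deny", f"unknown action {event.action!r}"

def evaluate_chain(events: list[Event]) -> list[tuple[str, str, str, str]]:
    """Evaluate events in order and stop at the first denial, as a HIPS would."""
    log = []
    for ev in events:
        verdict, reason = decide(ev)
        log.append((ev.source, ev.action, ev.target, verdict))
        if verdict == "deny":
            break
    return log

# Constructed event chain modelled on the PDF POC discussed in the thread.
POC_CHAIN = [
    Event("launch", "explorer.exe", "acrord32.exe"),  # user opens the PDF
    Event("launch", "acrord32.exe", "mailer.exe"),    # document code abuses the mail handler
    Event("launch", "mailer.exe", "calc.exe"),        # mail handler launches Calculator
]
```

Note that Calculator itself is never the reason for the denial: explorer.exe launching calc.exe is allowed, while the chain is cut at the isolated PDF reader's first attempt to spawn anything.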
     
  5. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    444
    Wow! I didn't realize how easy it would be to stir up interest! .....actually, I was thinking "hornets' nest"

    Thank you all for your input....and especially to noone_particular, whose well-articulated and concise response appears to summarize the situation very well. I now realize there is no simple answer. I will analyze my situation and act accordingly.

    Thank you again! You all provide an invaluable resource to those like myself who are searching for help from others much more knowledgeable than we are.
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,869
    @noone
    That issue is rather old.
    Anyway, you bring up two points:
    * old and unfixed/un-updated software is potentially dangerous
    * don't open files from unknown sources in unsafe conditions
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Yes, I did say that this was long since fixed. I used it strictly as an example. It's by no means the only such vulnerability in a user app and definitely not the last one we'll see.
    Not possible in practice. Any file not originating from your own PC is for all purposes an unknown and could potentially be infected. It is also no longer possible to truly trust any website. Legitimate sites are being compromised daily. Almost any site can be compromised. Software and/or services that supposedly check the safety of sites are unreliable and incomplete. Even the DNS service/servers were shown to be vulnerable. It's entirely possible to end up somewhere completely different than where you wanted to go if a DNS server is compromised. If that happens, it's almost guaranteed that the site you end up at will be malicious. With good habits and common sense, a user can avoid the majority of potentially dangerous sites and files but not all of them.

    IMO, a user's security policy should acknowledge that the internet is hostile, that malicious code can be found in unexpected places, and that some of that code won't be identified by conventional AV based security apps. The user's system and the software that enforces the security policy should be configured with that reality in mind. That policy should also take into account that any user app can be exploited and most any type of file can contain malicious code. This isn't an old issue or paranoia. It's the present reality.
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    Re: Standalone “HIPS” vs. Firewall “HIPS” : Any Difference?

    Quote. It means, IMHO, that HIPS are indispensable - definitely not the only - security software.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada