2012 Software Professional Qualification Exam (軟考), Intrusion Prevention: Host-based IPS Guards Endpoints
Host-based IPS guards endpoints
As network threats continue to grow in number and sophistication, a new technology offers an additional layer of protection. Host-based intrusion-prevention system (HIPS) technology protects endpoints behind the network perimeter. It combats infections and attacks at the device and server level of a network, providing a layered approach that complements investments in network-based IPS without relying on signatures that require near-constant updates.
HIPS technology is extremely accurate. It works by enforcing a set of basic software conventions that never changes, called the Application Binary Interface (ABI). The ABI sits one step beyond the application program interface (API) and defines the API plus the machine language for a particular CPU family. Because these conventions are universal among compiled applications, it is nearly impossible to hijack an application without violating the ABI.
HIPS deployments generally involve two components, a series of agents and a management and reporting interface. Installed on servers, HIPS agents are designed to run indefinitely with little or no administrative overhead, and prevent malicious code that enters a machine from being executed without the need for a check against threat signatures.
In practice, agents continually verify the validity of application instructions by performing checks against their origin, preventing unintended injected code from being executed. They also catch malicious code masquerading as user data. In addition, they perform checks on program control to ensure that control transfer always conforms to the ABI. This prevents applications from being tricked into handing over control to external injected code. It also catches code-reuse attacks that are emerging as the next generation of advanced attack techniques worrying security professionals.
The HIPS management and reporting interface enables thousands of agents to be deployed, managed and upgraded across an enterprise network. The interface, which is often Web-based to provide universal accessibility, allows network and security staff to perform configuration changes, monitor alerts and view reports. Many interfaces notify security professionals of issues via SMTP or other alerts. The interface also is key for analyzing trend reports, assigning users and roles according to policy, and maintaining a comprehensive audit trail.
A HIPS deployment could block the threat of the Sasser worm. The worm exploited a memory flaw in Microsoft operating systems to cause billions of dollars of damage worldwide. The previously unknown Sasser code passed through unpatched firewalls undetected, reaching unprotected servers. As the code entered the memory of the unprotected server, it immediately executed a buffer overflow that gave a remote host system-level control of that server, enabling further attacks from within an enterprise network.
In contrast, the protected server's HIPS agent can examine the Sasser code, for example, as it enters the server's memory. The agent's real-time check of the code reveals the buffer overflow mechanism, a process that violates the ABI. It immediately stops the code from executing without affecting the server's performance, and notifies the management component that an attack is underway so that network and security staff can begin remediation efforts.
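The two agent checks the article describes, verifying where a control-transfer target comes from and verifying that each return goes back to where the call came from, can be modelled in a few dozen lines. The following is an added example, not code from the article or from any HIPS product: a hypothetical, simplified agent with a code-origin check over constructed executable regions and a shadow stack, applied to a simulated stack frame whose saved return address sits right after a fixed buffer, as in the Sasser-style overflow above. All addresses, region bounds and inputs are constructed for the simulation. It goes slightly beyond the text by showing how the two checks together distinguish injected code (target outside known code) from code reuse (target inside known code but not the recorded return address).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an HIPS agent's checks: (1) a code-origin check that a
 * control-transfer target lies in known executable code, and (2) a shadow
 * stack that records the return address at each call and compares it at
 * return. Regions and addresses below are constructed, not real. */

typedef struct { uintptr_t start, end; } code_region;

/* Constructed sample of the executable mappings the agent knows about. */
static const code_region known_code[] = {
    { (uintptr_t)0x00400000u, (uintptr_t)0x00480000u },  /* program text   */
    { (uintptr_t)0x7f000000u, (uintptr_t)0x7f100000u },  /* shared library */
};

/* Origin check: is `target` inside any known code region? */
bool target_in_known_code(uintptr_t target)
{
    for (size_t i = 0; i < sizeof known_code / sizeof known_code[0]; i++)
        if (target >= known_code[i].start && target < known_code[i].end)
            return true;
    return false;
}

/* Shadow stack kept by the agent, separate from the application's own stack. */
#define SHADOW_MAX 64
typedef struct { uintptr_t slots[SHADOW_MAX]; size_t depth; } shadow_stack;

bool shadow_push(shadow_stack *s, uintptr_t ret)
{
    if (s->depth >= SHADOW_MAX) return false;
    s->slots[s->depth++] = ret;
    return true;
}

/* Pop the recorded return address and compare it with the one actually used. */
bool shadow_return_matches(shadow_stack *s, uintptr_t actual_ret)
{
    if (s->depth == 0) return false;
    return s->slots[--s->depth] == actual_ret;
}

typedef enum { ALLOW, BLOCK_UNKNOWN_ORIGIN, BLOCK_RETURN_MISMATCH } verdict;

/* Decision at a return: an unknown target means injected code; a known but
 * unexpected target means control was redirected into existing code. */
verdict check_return(shadow_stack *s, uintptr_t actual_ret)
{
    if (!target_in_known_code(actual_ret)) return BLOCK_UNKNOWN_ORIGIN;
    if (!shadow_return_matches(s, actual_ret)) return BLOCK_RETURN_MISMATCH;
    return ALLOW;
}

/* Simulated frame: a fixed buffer followed by the saved return address. */
typedef struct { unsigned char buf[16]; uintptr_t saved_ret; } frame;

#define LEGIT_RET ((uintptr_t)0x00401234u)   /* constructed caller address */

/* One call/return through the model. The input is copied into the frame with
 * no length check, so bytes past buf[] land on saved_ret; the copy is capped
 * at the frame size only to keep the simulation inside the object. */
verdict run_scenario(const unsigned char *input, size_t n)
{
    shadow_stack s = { .depth = 0 };
    frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = LEGIT_RET;
    shadow_push(&s, f.saved_ret);            /* agent records the call   */
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);                    /* the unchecked copy       */
    return check_return(&s, f.saved_ret);    /* agent inspects the return */
}

/* Constructed input: filler up to saved_ret, then an address. */
static size_t build_input(unsigned char *out, uintptr_t ret)
{
    size_t fill = offsetof(frame, saved_ret);
    memset(out, 'A', fill);
    memcpy(out + fill, &ret, sizeof ret);
    return fill + sizeof ret;
}

verdict scenario_benign(void)          /* short input, saved_ret untouched */
{
    const unsigned char hello[] = "hello";
    return run_scenario(hello, sizeof hello - 1);
}

verdict scenario_injected_code(void)   /* tail points outside any code region */
{
    unsigned char in[sizeof(frame) + sizeof(uintptr_t)];
    return run_scenario(in, build_input(in, (uintptr_t)0x7ffe0000u));
}

verdict scenario_code_reuse(void)      /* tail points at existing code */
{
    unsigned char in[sizeof(frame) + sizeof(uintptr_t)];
    return run_scenario(in, build_input(in, (uintptr_t)0x00405678u));
}

int main(void)
{
    static const char *names[] = { "ALLOW", "BLOCK_UNKNOWN_ORIGIN", "BLOCK_RETURN_MISMATCH" };
    printf("benign input:  %s\n", names[scenario_benign()]);
    printf("injected code: %s\n", names[scenario_injected_code()]);
    printf("code reuse:    %s\n", names[scenario_code_reuse()]);
    return 0;
}
```

The origin check alone is what the article attributes to the agent's inspection of "where instructions come from"; the shadow stack is the control-transfer check that also catches the code-reuse case, where every byte executed is legitimate program code and only the transfer itself violates the ABI. A real agent performs these checks on live memory and registers rather than on a simulated frame, and the cost of doing so on every return is what the article's "without affecting the server's performance" claim has to cover.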