Saturday, January 26, 2013

Defense in Depth Layer 5: Host Security


"We have only two modes - complacency and panic."
— James R. Schlesinger

The host layer of security focuses on keeping host operating systems and workstations secure. A host is any device, computer or server with a unique Internet Protocol (IP) address that is interlinked with another machine through an Internet connection. Security at this layer is especially challenging because these devices are designed to multitask and interact with multiple applications and services simultaneously. The following is a list of measures to support host security.

1. Host Vulnerability Assessment and Management
Host-based scanners can recognize system-level vulnerabilities, including incorrect file permissions, registry permissions, and software configuration errors. They also verify that target systems comply with predefined company security policies.

2. Host-Based IDS/IPS
Host-based intrusion detection systems (HIDS) consist of software agents installed on individual computers within the system. The agent analyzes traffic to and from the specific computer on which it is installed. A HIDS can monitor activities that only an administrator should be able to perform. It can also monitor changes to key system files and any attempt to overwrite them, as well as prevent Trojan or backdoor installation.

Host-based intrusion prevention systems (HIPS) protect servers and workstations through software that runs between the system's applications and its operating system. The software is preconfigured with protection rules based on intrusion and attack signatures. A HIPS catches suspicious activity on the system and either blocks or allows the event depending on predefined rules. It also monitors activities such as application or data requests, network connection attempts, and read/write attempts.

3. Access Control and Authentication
Host-based access control grants or denies access depending on the IP address of the machine that requested access. This system is the least intrusive to users because access is granted on the basis of the machine address. User authentication allows access control on an individual user basis by using user and password lists to provide the necessary authentication.

4. Host-Based Anti-Virus Protection
Anti-virus protection should ensure that updates to the signature files needed to address new forms of malware are delivered as soon as possible. A signature file contains information that anti-virus programs use to detect malware during a scan. Signature files are designed to be regularly updated by the anti-virus application vendors and downloaded to the client computer.

5. Host-Based Firewall
Host-based firewalls can be used to reduce the attack surface on servers as well as to remove unwanted services and applications. Host-based firewalls control incoming and outgoing network traffic on individual hosts. The firewall checks each packet's source and destination address, port, type, and so on, and then decides whether to allow it into the machine. Host-based firewall software must be enabled and configured to block all inbound traffic that is not clearly required for the intended use of the device.

6. Host Hardening
Host hardening works together with intrusion detection and is an important part of a secure architecture. It is especially important for public-facing or Internet-enabled servers such as email, web, or DNS servers. The main function of host hardening is to strengthen key servers so that the confidentiality and integrity of those systems are preserved. Host hardening measures include: disabling unused services and user accounts, tightening the security settings of required services and file systems, replacing vulnerable services with more secure alternatives, and removing unused tools, libraries, and files.

7. Port Control
It is important to block any unnecessary ports, restrict access to necessary ports whenever possible, and audit open ports to determine if required ports are being abused or if unnecessary ports have been opened.
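
An added example (not from the original post) of the auditing step: it parses output in the layout of `ss -ltn`, a constructed sample here rather than a live capture, and reports listening sockets that are reachable from the network but not on an allowlist of required ports. The allowlist and the sample rows are assumptions.

```python
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ltn` (not captured from a real host)
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
"""

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when bound to anything other than a loopback address."""
        return self.addr not in LOOPBACK


def parse_ss_listeners(text: str) -> list:
    """Pull (address, port) pairs out of ss-style output; the header row and
    any non-LISTEN rows are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # handles [::]:22 and *:80
        listeners.append(Listener(addr, int(port)))
    return listeners


def audit(listeners: list, allowed_ports: set) -> list:
    """Listeners reachable from the network whose port is not on the allowlist."""
    return [l for l in listeners if l.exposed and l.port not in allowed_ports]


if __name__ == "__main__":
    for l in audit(parse_ss_listeners(SAMPLE_SS_OUTPUT), {22, 80, 443}):
        print(f"unexpected listener {l.addr}:{l.port}")
```

Run periodically against real `ss -ltn` output, a non-empty result is the signal that a port was opened without going through the change process, or that a required port is now bound more widely than intended.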

8. Patch and Security Update Management
It is important to keep up to date on all security-related patches and updates. The most commonly exploited security vulnerabilities are widely known and already have patches and updates that address them. The expected result is to reduce the time and money spent dealing with vulnerabilities and their exploitation.

9. Logging and Auditing
Critical areas of the host can be logged, and the logs audited for any unusual activity. As hosts communicate with each other, the transferred packets are logged to the system log. Logged information can be monitored for traffic analysis and to assist with debugging.
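
As an added example, not part of the original post, the following Python audits constructed sshd log lines for the kind of unusual activity the paragraph mentions: repeated failed logins from one source inside a short window. The log format, the threshold, the window and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines (not from a real host)
SAMPLE_AUTH_LOG = """\
Jan 26 10:01:02 host1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Jan 26 10:01:05 host1 sshd[2103]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jan 26 10:01:09 host1 sshd[2105]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jan 26 10:01:14 host1 sshd[2107]: Failed password for oracle from 198.51.100.7 port 51025 ssh2
Jan 26 10:01:20 host1 sshd[2108]: Failed password for jen from 192.0.2.10 port 50001 ssh2
Jan 26 10:02:00 host1 sshd[2110]: Accepted publickey for jen from 192.0.2.10 port 50002 ssh2
Jan 26 10:09:30 host1 sshd[2120]: Failed password for root from 203.0.113.5 port 40000 ssh2
Jan 26 10:20:00 host1 sshd[2130]: Failed password for root from 203.0.113.5 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse_failures(text: str, year: int = 2013) -> list:
    """(timestamp, source, user) per failed-login line; syslog has no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return events

def find_bruteforce(events: list, threshold: int = 4, window_s: int = 60) -> dict:
    """Sources with >= threshold failures inside any window_s span, with that count."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged
```

The single failure from 192.0.2.10 followed by a successful key login is the ordinary typo case and is not flagged; the two failures from 203.0.113.5 are too far apart for the window, which is exactly the sort of slow pattern that needs a longer window or a separate rule.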

10. Lockdown Mode
Lockdown mode is a security setting used to disable direct user access to a host. When direct user access is disabled, the host must be managed from the server. This ensures that the security policies and access controls defined on the server are always enforced, and users are not able to bypass security by logging into the host directly.

Next time, we’ll continue the Defense in Depth journey by discussing application layer security.

Thanks for reading!

Jen

2 comments:

  1. Looking forward to your next posts to complete the series.

  2. Thanks for sharing this info!
    That was quite illuminating.
