The Effectiveness of McAfee Host Intrusion Prevention

Download 38.51 Kb.

Date	31.01.2017
Size	38.51 Kb.
	#12827

“The Effectiveness of McAfee Host Intrusion Prevention”

Crystal Cummings

CPSC 6126

Columbus State University

Columbus, United States

Cummings_crystal@colstate.edu

Submitted November 9, 2009

Abstract— The purpose of this paper is to select an intrusion detection system and suggest ways to possibly improve it. In order to this, we need to understand the purpose of intrusion detection systems and know how to measure them. The paper we chose to critique does just that, it examines how to measure the performance of the various types of intrusion systems. IT groups in corporations are tasked every day to keep their network safe and secure. Meanwhile, malware attackers are working everyday to find a loophole in the security of “secure networks”. The damage could be catastrophic if the proper research was not done by a corporation to choose the correct intrusion detection system for their specific needs. We will evaluate McAfee Host Intrusion Prevention according to the proposed measurement matrix. Lastly, we will comment on what is next for McAfee Host Intrusion Prevention, whether it is worth it to suggest improvements or choose the latest technology currently available.

Keywords- networks, intrusion systems, data security, malware, performance.

Introduction

Intrusion detection systems are on the rise. Technology is barely keeping up because of the many malware attackers that are in existence today. This is why corporations are desperately seeking a “cure all” intrusion detection system. Does one exist? If not, who comes close? Before we can answer the questions we need to clearly define what intrusion detection is and decide how to measure it. The problem we will attempt to solve is to identify one meaning of intrusion detection of the many that are out there and to decide if McAfee Host Intrusion Prevention is strong enough to thrive in the virus prone networks of today. My contribution will be to apply an intrusion detection system to the measurement matrix proposed and to identify if it can be improved to meet the changing needs of a corporation or if a new way to secure the network needs to be explored.

The measurement matrix proposed takes the various types of outputs an intrusion system can have and correlates it to the types of architecture in which the intrusion system could potentially be operating. The architectures are file, host, network, and enterprise. As stated in our textbook, the primary focus of computer security is intrusion prevention, where the goal is to keep the bad guys out of your system or network. The purpose of an intrusion detection system is to detect attacks before, during, and after they have occurred [1]. We will create a fictitious corporation to illustrate the use of an intrusion detection system.

Corporation C uses McAfee Host Intrusion Prevention as its intrusion detection system of choice. Corporation C uses it to defend against any unauthorized intrusion and zero-day attacks. To improve the total cost of ownership, the company decides to install it on every laptop along with McAfee anti-virus software. The installation was not customized; we just followed the defaulted prompts. How does this corporation fit into the intrusion systems model?

The main limitation of the chosen article is that it does not mention any specific intrusion system or software. It is very general and only names the types of intrusion systems. It also does not provide any real life examples as to the application of the proposed solution. It also seems to need additional work in relation to enterprise –based networks.

The remainder of this paper is structured as follows: Section 2 is an overview of my related work. Section 3 details my proposed solution. Section 4 concludes this paper.

Related Work

We first have to decide what definition of intrusion detection we would like to go with since there are so many. One of the first definitions was from Amoroso. His definition states intrusion detection is, “the process of identifying and responding to malicious activity targeted at computing and networking resources” [2]. Ptacek and Newsham defined intrusion as, “unauthorized usage of or misuse of a computer system” [3]. Alessandri et al. defined intrusion as, “a malicious activity threatening the security policy that leads to a security failure, that is to a security policy violation” [4]. Lastly, Bace and Mell defined intrusion as, “attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network” [5]. We will use a definition inspired by Alessandri et al. Intrusion will be defined as an activity that leads to the violation of the security policy of a computer system. Since we have our definition, analysis can begin.

The types of outputs received from an intrusion system are based on the work of Johnson [6]. The article goes on to extend Johnson’s work and define the “types of output” as the following:

Detection – indicates the occurrence of a possible intrusion.
Recognition – indicates the type of attack.
Identification – indicates declaring the exploits used to achieve the intrusion.
Confirmation – indicates that an attack plan is deduced.
Prosecution – indicates the identity of the originator of the intrusion [7].

We also need to take into account the types of techniques that could potential correlate the type of outputs to the type of architectures. Figure 1 shows a view of all the types discussed above. For example, file hashes can be used in intrusion detection systems operating at the file data level. In Figure 2, we see that McAfee, which would fall into the host-based category, would only protect against recognition and detection outputs. It is assumed that anomaly techniques were applied and we know that confirmation and identification are not achievable with any reasonable confidence levels in an anomaly-based system. However, host-based system using signature techniques are expected to work at the confirmation and identification level depending on the discrimination abilities of the signatures [1]. We will now look at what an actual customer of McAfee Host Intrusion Prevention had to say along with other case studies done on McAfee.

Figure 1. – Intrusion System Matrix

Figure 2. – Intrusion System Footprint

In a McAfee Study, TeliaSonera AB - The largest telecommunications provider in Sweden and Finland, offering mobile and fixed network services to the Nordic and Baltic countries commented, “We think McAfee best meets our need for central managing, and we agreed with their future views on anti-virus technologies and policies,” adds Larsson. “We knew we could evolve easily with McAfee over time.” “The Host Intrusion Prevention solution was one of our main reasons for choosing McAfee,” adds Stenlund. “From the beginning, we used it as a desktop firewall product. Now that it has more functionality, it integrates better with our Windows and Microsoft applications and helps us secure our patch update process” [8].

The Tolly Group conducted a study where they found that McAfee provides lower Total Cost of Ownership when compared to Symantec and Trend Micro. It offered increased reliability and availability by alleviating the need for in-house IT infrastructure and resources. It is easy to deploy and offers flexibility for company growth [9].

Lastly, Cascadian Labs also conducted a study comparing McAfee, Symantec and Sophos. They concluded McAfee is a comprehensive suite targeted at very large enterprises. It has flexible Active Directory support, a robust reporting engine, and multi-server database roll-up features that are useful for companies with thousands of users and with multiple locations. The most recent version includes a significant change to the management console. However, as with previous versions, McAfee’s installation, deployment, and basic usability and management features are clearly more complicated than those of Sophos and Symantec. In testing, they used the default configurations. McAfee had decent signature-based detection rates but its day-zero protection was very poor. Some of this poor performance can be attributed to the need to configure rules when using its run-time HIPS configuration, a difficult and time-consuming task for even a seasoned security administrator [10].

There are challenges faced by all intrusion systems. For example, the prosecution output type requires that information be gathered with high integrity and totally secured from change. Although, this is a common requirement in secure systems, it requires levels necessary to allow criminal prosecution, within a system that has intruders present [11]. For an enterprise system, the technology challenge appears to be the development of discriminates that will separate intrusion and non-intrusion events in mixed-trust data flows. These data flows will often be occurring on equipments not owned by the enterprise and therefore the ability to provide local monitoring of the network will be limited. A view of these interactions is shown in Figure 3.

Figure 3. – Challenging Areas

Proposed Solutions

We have already proposed a solution to the first problem, which was to identify and adopt one definition of an intrusion detection system. We concluded that we would use the following definition: “an activity that leads to the violation of the security policy of a computer system”. The second problem was to apply McAfee to the measurement matrix proposed. It was determined that since McAfee is a host- based system, but uses signature and behavioral intrusion prevention, it would be able to measure recognition, detection, identification, and confirmation abilities. An updated view of Figure 2 is shown below to include the coverage of having signature based host system. Lastly, we were tasked with determining any potential improvements McAfee could make to be more beneficial to a corporation or to simply have it replaced.

Figure 2a. – Updated Intrusion System Footprint

Three areas provide insight into the performance of intrusion systems. They are the number of outputs covered by the system, the types of architecture supported by the intrusion system, and any areas that overlap each other. We can conclude that McAfee covers four out of five outputs, two out of four architectures and produces no overlap.

While this may be suitable for some organizations, we doubt that it is suitable for most given the current technological advancements today with the various attacks and viruses. For example, many corporations require some of their employees to be mobile. It may be for telecommuting or business related travel. The employees, at some point, may need to work off-the-network, in which case, they would need access to a laptop that is not on the corporations’ network. When these remote employees log on to the company network, it may be via VPN from a Wi-Fi hotspot. Still, laptops issued by corporations require a good intrusion detection system whether out or in the network. We do not recommend improving this software to make it more robust. We will opt for a more advanced technology that would give greater scalability. Desktop virtualization is the latest technology that practically eliminates the use of host intrusion software at the endpoint or any other point on the network except at the server level. Desktop virtualization creates a virtual image on a desktop or laptop. No data physically resides on the hard drive; it resides on the server, so if someone were to physically steal the end device it would be a waste of time because there is no data to steal.

There are many desktop virtualization vendors. The major players are VMware, Cisco, Sun Microsystems, Citrix, and Microsoft. As of now, no one vendor beats the other, it all depends on the level of comfort and familiarity the IT professionals in the corporation have with a specific vendor. This is a subject area for further research and next steps.

As for an ideal endpoint security suite, we believe it should take ownership of the endpoint security problem and not overly complicate the life of the security administrator or end-user. It should be simple, which means it should provide complete protection with minimal management. It should also be seamless to the end user and administrators until it is actually needed and even then, it should not affect the performance of the system. The administrators would need to be able to maintain the security policies through a user-friendly interface. Every threat should be handled through the signature database or by other protection designed to handle outliers and new threats based on their patterns or behaviors. Lastly, a good notification system should be in place to alert administrators about computers that need attention and the threats it has uncovered [10].

Conclusion

The most important impact of the proposed solutions is the realization that corporations have to stay ever vigilant in protecting their networks regardless of the type of network or system chosen. We can safely say that large footprints represent intrusion systems that provide a broad range of applicability, thus a wider range of output information is gained during an intrusion. Smaller footprints, however, are very specific in their application. We can also conclude that McAfee is good at what it does, but that is it, it does not lend itself for much growth. As a result, removing local desktops and using virtual hosts with their own intrusion detection systems provides intruders with a smaller, more closely-guarded target. However, this particular solution may not be cost-effective or reasonable in all cases.

The challenge in security is in keeping pace with changing threats, as malware attackers adapt to stay ahead of defenses. Signatures have demonstrated their worth, but also their limitations and other approaches have moved antivirus on significantly. Using anti-malware experts’ experience to define easy to use behavioral controls based on common threat behavior allows antivirus tools to block malware proactively. Signatures provide the ability to define the threat and clear the damage. For the signature piece, time remains a challenge when dealing with the creation, testing and deployment of the system. Most recently, in-the-cloud security linked the customer and vendor. It uses the concept of behavioral heuristics to identify potential threats, allowing an informational fingerprint to be sent to the security vendor and, if recognized, blocking the threat.

Blending reactive and proactive controls provides the best of both worlds: proactive behavioral detection that can be easily implemented to defend against the unknown and signature-based detection to give an understanding of the attack and its implications. In-the-cloud security has continued the progress along this evolutionary path, virtually closing the gap between discovery and signature defense [12].

Future work includes but not limited to a deeper comparison of the measurement matrix, which includes an examination of all the performance metrics at all points of overlap on the intrusion footprint. Likewise, it would be beneficial to understand the additional benefits that could be realized at points where there is no overlap.

References

Stamp, M. (2005). Information Security: Principles and Practice. Wiley-Interscience.

Amoroso, E.G. (1998), Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response, Intrusion.Net Books, Sparta, NJ.

Ptacek, T.H. and Newsham, T.N. (1998), Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Secure Networks Inc., Syracuse, NY.

Alessandri, D., Cachin, C., Dacier, M., Deak, O., Julisch, K., Randell, B. and Riordan, J. (2001), Towards a Taxonomy of Intrusion Detection Systems and Attacks, IBM Research, Zurich Research Laboratory, Zurich.

Bace, R. and Mell, P. (2001), Intrusion Detection Systems, NIST Special Publication on Intrusion Detection System, NIST, Gaithersburg, MD.

Johnson, J. (1958), “Analysis of image forming systems”, Proceedings of the Image Intensifier Symposium, US Army Engineering Research Development Laboratories, Fort Belvoir, VI

Tucker, C., Fumell, S., Ghita, B., & Brooke, P. (2007). A new taxonomy for comparing intrusion detection systems. Internet Research, 17(1), 88-98. http://search.ebscohost.com, doi:10.1108/10662240710730515

http://www.mcafee.com/us/local_content/case_studies/library/cs_teliasonera_ab_s.pdf

Tolly Group, The. (2008, February 27). TCO Evaluation of McAfee Total Protection Service vs. Symantec Endpoint Protection Small Business Edition 11.0 and Trend Micro Client Sever Messaging Security for SMB. McAfee, Inc. Retrieved from http://www.tolly.com/DocDetail.aspx?DocNumber=208255

Cascadia Labs. ( 2007, November). Endpoint Securities for Enterprise. Sophos. Retrieved from http://www.sophos.com/sophos/docs/eng/marketing_material/cascadia-sesc-review.pdf

Sommer, P. (1999), “Intrusion detection systems as evidence”, Computer Networks – TheInternational Journal of Computer and Telecommunications Networking, Vol. 31, pp. 2477-87.

Potter, B., & Day, G. (2009). The effectiveness of anti-malware tools. Computer Fraud & Security, 2009(3), 12-13. http://search.ebscohost.com, doi:10.1016/S1361-3723(09)70033-8

Images:
Figure 1. Intrusion System Matrix. Source: Article by Tucker, C., Fumell, S., Ghita, B., & Brooke, P. in Internet Research (2007).

Figure 2. Intrusion System Footprint. Source: Article by Tucker, C., Fumell, S., Ghita, B., & Brooke, P. in Internet Research (2007).

Figure 2a. Updated Intrusion System Footprint. Source: Article by Tucker, C., Fumell, S., Ghita, B., & Brooke, P. in Internet Research (2007).

Figure 3. Challenging Areas. Source: Article by Tucker, C., Fumell, S., Ghita, B., & Brooke, P. in Internet Research (2007).

Directory: cae-ia -> studentpapers
studentpapers -> Abstract The various services used to manage enterprise networks can take a toll on network operators. The fragility and cumbersome task of updating code can cause a type of overhead all to itself that can hinder a network operators time

Download 38.51 Kb.

Share with your friends: