“The Effectiveness of McAfee Host Intrusion Prevention”

Crystal Cummings, CPSC 6126

Columbus State University, Columbus, United States

[email protected]

Submitted November 9, 2009


Abstract— The purpose of this paper is to select an intrusion detection system and suggest ways to possibly improve it. In order to do this, we need to understand the purpose of intrusion detection systems and know how to measure them. The paper we chose to critique does just that: it examines how to measure the performance of the various types of intrusion systems. IT groups in corporations are tasked every day to keep their network safe and secure. Meanwhile, malware attackers are working every day to find a loophole in the security of “secure networks”. The damage could be catastrophic if the proper research was not done by a corporation to choose the correct intrusion detection system for their specific needs. We will evaluate McAfee Host Intrusion Prevention according to the proposed measurement matrix. Lastly, we will comment on what is next for McAfee Host Intrusion Prevention, whether it is worth it to suggest improvements or to choose the latest technology currently available.

Keywords- networks, intrusion systems, data security, malware, performance.

I. INTRODUCTION

Intrusion detection systems are on the rise. Technology is barely keeping up because of the many malware attackers that are in existence today. This is why corporations are desperately seeking a “cure all” intrusion detection system. Does one exist? If not, who comes close? Before we can answer these questions we need to clearly define what intrusion detection is and decide how to measure it. The problem we will attempt to solve is to identify one meaning of intrusion detection among the many that are out there and to decide if McAfee Host Intrusion Prevention is strong enough to thrive in the virus-prone networks of today. My contribution will be to apply an intrusion detection system to the proposed measurement matrix and to identify whether it can be improved to meet the changing needs of a corporation or whether a new way to secure the network needs to be explored.

The measurement matrix proposed takes the various types of outputs an intrusion system can have and correlates them to the types of architecture in which the intrusion system could potentially be operating. The architectures are file, host, network, and enterprise. As stated in our textbook, the primary focus of computer security is intrusion prevention, where the goal is to keep the bad guys out of your system or network. The purpose of an intrusion detection system is to detect attacks before, during, and after they have occurred [1].

We will create a fictitious corporation to illustrate the use of an intrusion detection system. Corporation C uses McAfee Host Intrusion Prevention as its intrusion detection system of choice. Corporation C uses it to defend against any unauthorized intrusion and zero-day attacks. To improve the total cost of ownership, the company decides to install it on every laptop along with McAfee anti-virus software. The installation was not customized; we just followed the default prompts. How does this corporation fit into the intrusion systems model?

The main limitation of the chosen article is that it does not mention any specific intrusion system or software. It is very general and only names the types of intrusion systems. It also does not provide any real-life examples of the application of the proposed solution. It also seems to need additional work in relation to enterprise-based networks.

The remainder of this paper is structured as follows: Section 2 is an overview of my related work. Section 3 details my proposed solution. Section 4 concludes this paper.

II. RELATED WORK

We first have to decide what definition of intrusion detection we would like to go with, since there are so many. One of the first definitions was from Amoroso. His definition states that intrusion detection is “the process of identifying and responding to malicious activity targeted at computing and networking resources” [2]. Ptacek and Newsham defined intrusion as “unauthorized usage of or misuse of a computer system” [3]. Alessandri et al. defined intrusion as “a malicious activity threatening the security policy that leads to a security failure, that is to a security policy violation” [4]. Lastly, Bace and Mell defined intrusion as “attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network” [5]. We will use a definition inspired by Alessandri et al. Intrusion will be defined as an activity that leads to the violation of the security policy of a computer system. Since we have our definition, analysis can begin.

The types of outputs received from an intrusion system are based on the work of Johnson [6]. The article goes on to extend Johnson’s work and define the “types of output” as the following:

Detection – indicates the occurrence of a possible intrusion.

Recognition – indicates the type of attack.

Identification – indicates declaring the exploits used to achieve the intrusion.

Confirmation – indicates that an attack plan is deduced.

Prosecution – indicates the identity of the originator of the intrusion [7].

We also need to take into account the types of techniques that could potentially correlate the types of outputs to the types of architectures. Figure 1 shows a view of all the types discussed above. For example, file hashes can be used in intrusion detection systems operating at the file data level. In Figure 2, we see that McAfee, which would fall into the host-based category, would only protect against the recognition and detection outputs. It is assumed that anomaly techniques were applied, and we know that confirmation and identification are not achievable with any reasonable confidence levels in an anomaly-based system. However, host-based systems using signature techniques are expected to work at the confirmation and identification levels, depending on the discrimination abilities of the signatures [1]. We will now look at what an actual customer of McAfee Host Intrusion Prevention had to say, along with other case studies done on McAfee.

Figure 1. – Intrusion System Matrix

Figure 2. – Intrusion System Footprint

In a McAfee case study, TeliaSonera AB, the largest telecommunications provider in Sweden and Finland, offering mobile and fixed network services to the Nordic and Baltic countries, commented: “We think McAfee best meets our need for central managing, and we agreed with their future views on anti-virus technologies and policies,” adds Larsson. “We knew we could evolve easily with McAfee over time.” “The Host Intrusion Prevention solution was one of our main reasons for choosing McAfee,” adds Stenlund. “From the beginning, we used it as a desktop firewall product. Now that it has more functionality, it integrates better with our Windows and Microsoft applications and helps us secure our patch update process” [8].

The Tolly Group conducted a study where they found that McAfee provides lower Total Cost of Ownership when compared to Symantec and Trend Micro. It offered increased reliability and availability by alleviating the need for in-house IT infrastructure and resources. It is easy to deploy and offers flexibility for company growth [9].

Lastly, Cascadia Labs also conducted a study comparing McAfee, Symantec and Sophos. They concluded McAfee is a comprehensive suite targeted at very large enterprises. It has flexible Active Directory support, a robust reporting engine, and multi-server database roll-up features that are useful for companies with thousands of users and with multiple locations. The most recent version includes a significant change to the management console. However, as with previous versions, McAfee’s installation, deployment, and basic usability and management features are clearly more complicated than those of Sophos and Symantec. In testing, they used the default configurations. McAfee had decent signature-based detection rates but its day-zero protection was very poor. Some of this poor performance can be attributed to the need to configure rules when using its run-time HIPS configuration, a difficult and time-consuming task for even a seasoned security administrator [10].

There are challenges faced by all intrusion systems. For example, the prosecution output type requires that information be gathered with high integrity and totally secured from change. Although this is a common requirement in secure systems, here it must reach the levels necessary to allow criminal prosecution, within a system that has intruders present [11]. For an enterprise system, the technology challenge appears to be the development of discriminants that will separate intrusion and non-intrusion events in mixed-trust data flows. These data flows will often be occurring on equipment not owned by the enterprise, and therefore the ability to provide local monitoring of the network will be limited. A view of these interactions is shown in Figure 3.

Figure 3. – Challenging Areas

III. PROPOSED SOLUTIONS

We have already proposed a solution to the first problem, which was to identify and adopt one definition of an intrusion detection system. We concluded that we would use the following definition: “an activity that leads to the violation of the security policy of a computer system”. The second problem was to apply McAfee to the proposed measurement matrix. It was determined that since McAfee is a host-based system but uses signature and behavioral intrusion prevention, it would be credited with recognition, detection, identification, and confirmation abilities. An updated view of Figure 2 is shown below to include the coverage of a signature-based host system. Lastly, we were tasked with determining any potential improvements McAfee could make to be more beneficial to a corporation, or whether to simply have it replaced.

Figure 2a. – Updated Intrusion System Footprint (figure labels: McAfee, Host Intrusion Systems)


Three areas provide insight into the performance of intrusion systems. They are the number of outputs covered by the system, the types of architecture supported by the intrusion system, and any areas that overlap each other. We can conclude that McAfee covers four out of five outputs, two out of four architectures, and produces no overlap.
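The three measures just listed can be computed over the output-by-architecture matrix. The following is an added example, not code from the paper or from Tucker et al.; the technique reach table and the cells assigned to the constructed "McAfee HIP" deployment are assumptions chosen to reproduce the totals the paper states (four of five outputs, two of four architectures, no overlap), and it also handles a second deployed system so that overlap and uncovered cells can be checked.

```python
"""Footprint model for the Tucker et al. measurement matrix (added example).

Output types (rows) x architectures (columns); the technique a system uses
decides which outputs it can reach. TECHNIQUE_REACH and the McAfee cells
below are assumptions chosen to match the paper's stated totals.
"""
from dataclasses import dataclass

OUTPUTS = ("detection", "recognition", "identification", "confirmation", "prosecution")
ARCHITECTURES = ("file", "host", "network", "enterprise")

# Assumption following the paper: anomaly techniques reach only detection and
# recognition with reasonable confidence; signature techniques may also reach
# identification and confirmation. Prosecution is reached by neither.
TECHNIQUE_REACH = {
    "anomaly": frozenset({"detection", "recognition"}),
    "signature": frozenset({"detection", "recognition", "identification", "confirmation"}),
}


@dataclass(frozen=True)
class IntrusionSystem:
    name: str
    architectures: frozenset  # subset of ARCHITECTURES
    techniques: frozenset     # subset of TECHNIQUE_REACH keys

    def __post_init__(self):
        bad = (self.architectures - set(ARCHITECTURES)) | (self.techniques - set(TECHNIQUE_REACH))
        if bad:
            raise ValueError(f"{self.name}: unknown matrix labels {sorted(bad)}")

    def footprint(self):
        """Set of (architecture, output) cells this system occupies."""
        outputs = frozenset().union(*(TECHNIQUE_REACH[t] for t in self.techniques))
        return {(a, o) for a in self.architectures for o in outputs}


def coverage(system):
    """(outputs covered, architectures covered): the paper's first two measures."""
    cells = system.footprint()
    return len({o for _, o in cells}), len({a for a, _ in cells})


def overlap(systems):
    """Cells claimed by more than one deployed system: the paper's third measure."""
    owners = {}
    for s in systems:
        for cell in s.footprint():
            owners.setdefault(cell, set()).add(s.name)
    return {cell: names for cell, names in owners.items() if len(names) > 1}


def uncovered(systems):
    """Cells of the full matrix that no deployed system reaches."""
    covered = set().union(*(s.footprint() for s in systems))
    return {(a, o) for a in ARCHITECTURES for o in OUTPUTS} - covered


# Constructed deployment for the paper's Corporation C: HIP on the host plus
# file-level anti-virus, using both signature and behavioural (anomaly) techniques.
MCAFEE = IntrusionSystem("McAfee HIP", frozenset({"host", "file"}), frozenset({"signature", "anomaly"}))
```

Running `coverage(MCAFEE)` gives (4, 2), and `uncovered([MCAFEE])` lists the prosecution row in full plus every network and enterprise cell, which is where the paper's mobile-laptop concern sits.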

While this may be suitable for some organizations, we doubt that it is suitable for most, given the current technological advancements today with the various attacks and viruses. For example, many corporations require some of their employees to be mobile. It may be for telecommuting or business-related travel. The employees, at some point, may need to work off the network, in which case they would need access to a laptop that is not on the corporation’s network. When these remote employees log on to the company network, it may be via VPN from a Wi-Fi hotspot. Still, laptops issued by corporations require a good intrusion detection system whether on or off the network. We do not recommend improving this software to make it more robust. We will opt for a more advanced technology that would give greater scalability. Desktop virtualization is the latest technology that practically eliminates the use of host intrusion software at the endpoint or any other point on the network except at the server level. Desktop virtualization creates a virtual image on a desktop or laptop. No data physically resides on the hard drive; it resides on the server, so if someone were to physically steal the end device it would be a waste of time because there is no data to steal.

There are many desktop virtualization vendors. The major players are VMware, Cisco, Sun Microsystems, Citrix, and Microsoft. As of now, no one vendor beats the others; it all depends on the level of comfort and familiarity the IT professionals in the corporation have with a specific vendor. This is a subject area for further research and next steps.

As for an ideal endpoint security suite, we believe it should take ownership of the endpoint security problem and not overly complicate the life of the security administrator or end-user. It should be simple, which means it should provide complete protection with minimal management. It should also be seamless to the end user and administrators until it is actually needed, and even then it should not affect the performance of the system. The administrators would need to be able to maintain the security policies through a user-friendly interface. Every threat should be handled through the signature database or by other protection designed to handle outliers and new threats based on their patterns or behaviors. Lastly, a good notification system should be in place to alert administrators about computers that need attention and the threats it has uncovered [10].

IV. CONCLUSION

The most important impact of the proposed solutions is the realization that corporations have to stay ever vigilant in protecting their networks regardless of the type of network or system chosen. We can safely say that large footprints represent intrusion systems that provide a broad range of applicability, and thus a wider range of output information is gained during an intrusion. Smaller footprints, however, are very specific in their application. We can also conclude that McAfee is good at what it does, but that is it; it does not lend itself to much growth. As a result, removing local desktops and using virtual hosts with their own intrusion detection systems provides intruders with a smaller, more closely guarded target. However, this particular solution may not be cost-effective or reasonable in all cases.

The challenge in security is in keeping pace with changing threats, as malware attackers adapt to stay ahead of defenses. Signatures have demonstrated their worth, but also their limitations, and other approaches have moved antivirus on significantly. Using anti-malware experts’ experience to define easy-to-use behavioral controls based on common threat behavior allows antivirus tools to block malware proactively. Signatures provide the ability to define the threat and clear the damage. For the signature piece, time remains a challenge when dealing with the creation, testing and deployment of the system. Most recently, in-the-cloud security has linked the customer and the vendor. It uses the concept of behavioral heuristics to identify potential threats, allowing an informational fingerprint to be sent to the security vendor and, if recognized, blocking the threat.

Blending reactive and proactive controls provides the best of both worlds: proactive behavioral detection that can be easily implemented to defend against the unknown, and signature-based detection to give an understanding of the attack and its implications. In-the-cloud security has continued the progress along this evolutionary path, virtually closing the gap between discovery and signature defense [12].

Future work includes, but is not limited to, a deeper comparison of the measurement matrix, which includes an examination of all the performance metrics at all points of overlap on the intrusion footprint. Likewise, it would be beneficial to understand the additional benefits that could be realized at points where there is no overlap.

REFERENCES

[1] Stamp, M. (2005). Information Security: Principles and Practice. Wiley-Interscience.

[2] Amoroso, E.G. (1998). Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response. Intrusion.Net Books, Sparta, NJ.

[3] Ptacek, T.H. and Newsham, T.N. (1998). Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Secure Networks Inc., Syracuse, NY.

[4] Alessandri, D., Cachin, C., Dacier, M., Deak, O., Julisch, K., Randell, B. and Riordan, J. (2001). Towards a Taxonomy of Intrusion Detection Systems and Attacks. IBM Research, Zurich Research Laboratory, Zurich.

[5] Bace, R. and Mell, P. (2001). Intrusion Detection Systems. NIST Special Publication on Intrusion Detection Systems, NIST, Gaithersburg, MD.

[6] Johnson, J. (1958). “Analysis of image forming systems”, Proceedings of the Image Intensifier Symposium, US Army Engineering Research Development Laboratories, Fort Belvoir, VA.

[7] Tucker, C., Furnell, S., Ghita, B., & Brooke, P. (2007). A new taxonomy for comparing intrusion detection systems. Internet Research, 17(1), 88-98. http://search.ebscohost.com, doi:10.1108/10662240710730515

[8] McAfee case study: http://www.mcafee.com/us/local_content/case_studies/library/cs_teliasonera_ab_s.pdf

[9] Tolly Group, The. (2008, February 27). TCO Evaluation of McAfee Total Protection Service vs. Symantec Endpoint Protection Small Business Edition 11.0 and Trend Micro Client Server Messaging Security for SMB. McAfee, Inc. Retrieved from http://www.tolly.com/DocDetail.aspx?DocNumber=208255

[10] Cascadia Labs. (2007, November). Endpoint Securities for Enterprise. Sophos. Retrieved from http://www.sophos.com/sophos/docs/eng/marketing_material/cascadia-sesc-review.pdf

[11] Sommer, P. (1999). “Intrusion detection systems as evidence”, Computer Networks – The International Journal of Computer and Telecommunications Networking, Vol. 31, pp. 2477-87.

[12] Potter, B., & Day, G. (2009). The effectiveness of anti-malware tools. Computer Fraud & Security, 2009(3), 12-13. http://search.ebscohost.com, doi:10.1016/S1361-3723(09)70033-8

Images:

Figure 1. Intrusion System Matrix. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007). Figure labels: Techniques, Intrusion Systems, Architectures.

Figure 2. Intrusion System Footprint. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).

Figure 2a. Updated Intrusion System Footprint. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007). Figure labels: McAfee, Host Intrusion Systems.

Figure 3. Challenging Areas. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).