Cisco Host Sensor

Nov 24,2008 by admin


Capable of running on various operating systems such as Windows or Solaris, the Cisco IDS Host Sensor integrates into the host OS to protect it from malicious intent. The Host Sensor not only inspects inbound traffic destined for the server, but also intercepts system calls, adding an extra and complete layer of security. This capability allows the sensor to understand the processes and users triggering the system call as well as the resources required for the call. Armed with this information, the sensor applies a combination of behavioral rules and attack signatures to determine whether the system activity is benign or malicious. Should abnormal activity be detected, the sensor has the power to terminate the system call and alert security administrators.

Due to the software design, the Host Sensor Standard Agent can prevent malicious activity in several ways. As we've discussed, the sensor uses known attack signatures to distinguish normal and harmful activity. Because Cisco maintains dedicated resources for the development of timely attack signatures, the Cisco Host Sensor will always be ready and able to detect the latest threats.

From Chapter 1, we know that signature-based detection systems are vulnerable during the time between new exploit discovery and protective signature development. To combat this issue, Cisco provides an additional layer of protection via behavior anomaly detection capabilities on the sensor. This helps detect and prevent previously unknown attacks until a signature can be developed. Should a call or action on a server violate predefined and normal behavioral patterns, the sensor can block the malicious activity and alert the security team.

Because the sensor software is fully integrated with the host operating system, the software can also prevent arbitrary code execution, such as code introduced through buffer overflow exploits. This functionality is critical since over 60 percent of Computer Emergency Response Team (CERT) security advisories result from buffer overflow exploits.

The tight integration also permits the host sensor to protect the operating system's critical resources and files such as configuration files, Registry settings, and binaries that are often the focus of an attack. Similarly, the sensor also prevents unauthorized privilege escalation by securing user permissions and configurations.
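The decision path described above, as an added example that is not Cisco's code: each intercepted system call carries its process, user and target resource, and is checked first against known attack signatures, then against the protected-resource policy, and finally against a per-process behavioral baseline. The signatures, protected paths and baseline here are constructed for illustration, not the product's rule set.

```python
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class SysCall:
    process: str  # process that issued the call
    user: str     # user the process runs as
    call: str     # e.g. "open_read", "open_write", "exec", "setuid"
    target: str   # file path or uid the call touches


# Layer 1: known-attack signatures (constructed examples, not Cisco's set).
SIGNATURES = [
    ("exec-from-tmp", lambda c: c.call == "exec" and fnmatch(c.target, "/tmp/*")),
    ("web-setuid-root", lambda c: c.process == "httpd" and c.call == "setuid" and c.target == "0"),
]

# Layer 2: critical resources only privileged users may modify (constructed).
PROTECTED = ["/etc/*", "/usr/bin/*", "/usr/sbin/*"]
PROTECTED_WRITERS = {"root"}
MODIFYING_CALLS = {"open_write", "unlink"}

# Layer 3: behavioral baseline of normal (call, target pattern) pairs per process,
# as a learning phase would have recorded it (constructed).
BASELINE = {
    "httpd": {("open_read", "/var/www/*"), ("open_write", "/var/log/httpd/*")},
    "sshd": {("exec", "/bin/bash"), ("setuid", "*")},
}


def inspect(c: SysCall) -> tuple[str, str]:
    """Return ("block" | "allow", reason) for one intercepted system call."""
    # Signature layer: a match terminates the call regardless of baseline.
    for name, matches in SIGNATURES:
        if matches(c):
            return "block", f"signature:{name}"
    # Protected-resource layer: unprivileged writes to guarded paths are denied.
    if c.call in MODIFYING_CALLS and c.user not in PROTECTED_WRITERS \
            and any(fnmatch(c.target, p) for p in PROTECTED):
        return "block", "protected-resource"
    # Behavioral layer: anything outside the learned profile is an anomaly.
    known = BASELINE.get(c.process)
    if known is None:
        return "allow", "no-baseline"
    if not any(call == c.call and fnmatch(c.target, pat) for call, pat in known):
        return "block", "behavior-anomaly"
    return "allow", "baseline"
```

A blocked call would also raise an alert to the security team; the anomaly layer catches the `/etc/passwd` read by `httpd` even though no signature names it.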

The Web Edition Agent includes all Standard Agent functionality and adds protective mechanisms to prevent web server–specific attacks. When installed, the Web Edition Agent automatically detects and adapts to the existing Apache, iPlanet, or IIS web server. It can then act as a protective element that parses HTTP streams, inspecting the TCP conversations for malicious logic and blocking potential attacks before they reach the server. Because the Agent sits on the server, it can examine web requests without obfuscation by application-level encryption techniques such as Secure Sockets Layer (SSL), thereby adding security that a Network IDS cannot provide.
