HP-UX 11i Security: Host Intrusion Detection System (HIDS)

Addresses protection of information from unauthorised disclosure, modification, or loss of use.
HP-UX 11i Host Intrusion Detection System

Alarm your safe: protect the jewels!

You have set up security systems for your HP-UX 11i server to ward off security breaches from the outside through the Internet. You have also implemented security policies and systems inside your network on the intranet. But how effectively protected are you?

HP's Host Intrusion Detection System (HIDS) alerts you about hackers who have reached the HP-UX 11i operating environment and are about to do harm in the places most critical to your computing environment... the operating system and applications.

Host intrusion detection is being deployed as part of a security solution to satisfy regulatory compliance requirements, e.g. SOX, HIPAA and CISP. For example, Campana has deployed HIDS to help comply with PCI standards.

Internal surveillance

Host intrusion detection complements other security policies and systems you have in place. If you think of firewalls as fences with gates to let authorised staff members in, host intrusion detection is the video surveillance and burglar alarm systems that are set off when someone scales the fence or crashes the gate, and is now intent on capturing the central control system. In fact, the major threats are already inside, lurking and plotting the overthrow of your operating system and applications.

The threat and HP’s solution

The threat: HIDS concentrates on protecting the HP-UX 11i operating environment from attacks by insiders, as well as from attacks initiated by outsiders that cannot be detected or prevented by network intrusion detection systems (NIDS), which monitor network traffic on your perimeter. An FBI survey reports that insider attacks are about as common as outsider attacks, supporting the claim that HIDS is absolutely necessary to fully protect mission-critical servers.

The HP-UX 11i builders are the best at detection: HP is in the best position to know the possible intrusion routes and take action upon the high-quality kernel audit data of the operating system. Third-party vendors are unable to integrate detection in the kernel the way HP does to offer the most complete analysis and detection.

HP detection template: HP detection templates guard and focus on areas vulnerable to attack. These are the areas in HP-UX 11i (as in any operating system) that intruders probe and try to exploit. When a profiled event is detected, it is passed to a correlation engine that determines whether a vulnerability is being exploited. This unique and sophisticated approach to intrusion detection recognises most current attack scenarios and some future attacks yet to be invented.

The break-in list

HIDS monitors for the exploitation of the following vulnerabilities to detect attacks or misuse:
Vulnerability: Poorly written privileged programs
  What HIDS monitors:
  • Poorly written privileged programs

Vulnerability: Unauthorised file modification
  What HIDS monitors:
  • Critical system and application programs and configuration files
  • System and application log files
  • File additions and deletions
  • Critical files made world-writable
  • Privileged 'setuid' programs created
  • Files modified by non-owners

Vulnerability: Weak password or unauthorised access
  What HIDS monitors:
  • Logins/Logouts

Vulnerability: Password guessing
  What HIDS monitors:
  • Failed logins and failed switch-user attempts
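The "Unauthorised file modification" row above lists conditions an administrator can also verify directly on a host. The following POSIX shell functions are an added example, not HP's HIDS code: each one finds files matching one of the listed conditions (world-writable critical files, newly created setuid programs, files changed since a baseline stamp). The directory tree and file names they run over are constructed inside make_demo_tree and are illustrative, not real HP-UX paths; only find(1) with -perm and -newer is assumed.

```shell
#!/bin/sh
# Added example (not HP's HIDS code): host-side checks for the file-modification
# conditions HIDS monitors. Assumes POSIX find(1) with -perm and -newer.

# Regular files that anyone on the system can write to.
world_writable() {
    find "$1" -type f -perm -002
}

# Regular files carrying the setuid bit (run with the owner's identity).
setuid_programs() {
    find "$1" -type f -perm -4000
}

# Regular files whose content changed after the baseline stamp file ($2) was written.
modified_since() {
    find "$1" -type f -newer "$2" ! -path "$2"
}

# Build a constructed tree that trips each check exactly once and print its path.
# The file names imitate a system layout but are placeholders, not real paths.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/bin" "$root/var/log"
    printf 'root:x:0:0::/:/sbin/sh\n' > "$root/etc/passwd"
    printf 'placeholder binary\n' > "$root/bin/su"
    printf 'ok\n' > "$root/var/log/syslog"
    touch "$root/.baseline"
    # Normalise modes so the checks do not depend on the caller's umask.
    chmod 0644 "$root/etc/passwd" "$root/bin/su" "$root/var/log/syslog" "$root/.baseline"
    sleep 1                                       # make later mtimes distinguishable
    chmod 0666 "$root/etc/passwd"                 # critical file made world-writable
    chmod 4755 "$root/bin/su"                     # privileged setuid program created
    printf 'tampered\n' >> "$root/var/log/syslog" # log file modified after baseline
    printf '%s\n' "$root"
}

# Stand-alone run: report what each check finds in the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "world-writable:"; world_writable "$root"
    echo "setuid:";         setuid_programs "$root"
    echo "modified:";       modified_since "$root" "$root/.baseline"
    rm -rf "$root"
fi
```

Note that chmod changes a file's ctime but not its mtime, so the world-writable and setuid changes are caught by the permission checks and not by modified_since; only the appended log file shows up as modified. HIDS gets this distinction from kernel audit data rather than from timestamps, which is why a periodic find is a complement to it and not a substitute.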

Near-real-time detection and alerts

Intrusions are detected as they occur and alerts are provided immediately. Alerts are logged to the Alert Browser in colour, based on three levels of severity. Alerts provide detailed information about what triggered the alert. For example, an alert for the unauthorised modification of a critical file includes the attributes of the critical file, the pathname of the program that triggered the alert, as well as the user ID, group ID, process ID, and parent process ID associated with the execution of the program.

An alert triggered by a successful login contains the name and IP address of the remote host from which the login was made, as well as the pseudo device associated with the login session. This is helpful in identifying attackers for action based on security policy.

Alerts are also written to a local log file for archiving and to allow the Administrative GUI to retrieve missed alerts that were generated when it was either not running or could not connect to HIDS sensors on the monitored host(s).

Automating alert responses

Alerts can also trigger execution of user defined actions. For example, users can have specific alerts result in e-mail or pager notifications being sent out. This response mechanism is provided by way of execution of a user specified executable (a shell script or a binary executable).

In addition to sending user notifications, response scripts can be used to carry out other tasks automatically, such as restoring defaced web pages from a reliable source (e.g., read-only media).
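The response program described in the two paragraphs above, as an added example that is not HP's code: a shell script that records the alert for an operator and then restores any web page that differs from a pristine copy held on read-only media. Its interface is an assumption, since this page does not specify how HIDS passes alert details to the executable; here the alert text arrives as the first argument, the pristine and live document roots as the next two, and a spool file (standing in for e-mail or pager delivery) as the fourth. The site contents in make_demo_site are constructed.

```shell
#!/bin/sh
# Added example (not HP's HIDS response code). Assumed interface: HIDS runs
#   respond "<alert text>" <read-only root> <live root> <spool file>
# The read-only root is the reliable copy (e.g. mounted read-only media).

# Record one line for the operator. $1 = message, $2 = spool file.
notify() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$2"
}

# Compare every file under the read-only tree ($1) with its deployed copy under
# the live tree ($2); re-copy any that are missing or whose checksum differs.
# Prints the relative path of each restored file, one per line.
restore_from_readonly() {
    src=$1; dst=$2
    ( cd "$src" && find . -type f ) | while IFS= read -r rel; do
        if [ ! -f "$dst/$rel" ] ||
           [ "$(cksum < "$src/$rel")" != "$(cksum < "$dst/$rel")" ]; then
            mkdir -p "$(dirname "$dst/$rel")"
            cp -p "$src/$rel" "$dst/$rel"
            printf '%s\n' "$rel"
        fi
    done
}

# Entry point as HIDS would invoke it: log the alert, restore, log each restore.
respond() {
    alert=$1; src=$2; dst=$3; spool=$4
    notify "$alert" "$spool"
    restore_from_readonly "$src" "$dst" | while IFS= read -r rel; do
        notify "restored $rel from $src" "$spool"
    done
}

# Constructed demo: a pristine site, a live copy, and one defaced page.
# Prints the work directory containing ro/, live/ and alerts.log.
make_demo_site() {
    work=$(mktemp -d)
    mkdir -p "$work/ro/htdocs" "$work/live/htdocs"
    printf '<h1>Welcome</h1>\n' > "$work/ro/htdocs/index.html"
    printf 'body{}\n' > "$work/ro/htdocs/site.css"
    cp -p "$work/ro/htdocs/"* "$work/live/htdocs/"
    printf '<h1>defaced</h1>\n' > "$work/live/htdocs/index.html"   # simulated defacement
    printf '%s\n' "$work"
}

# Stand-alone run: respond to a constructed alert and show the spool file.
if [ "${1:-}" = "--demo" ]; then
    work=$(make_demo_site)
    respond "Unauthorised file modification: $work/live/htdocs/index.html" \
            "$work/ro" "$work/live" "$work/alerts.log"
    cat "$work/alerts.log"
    rm -rf "$work"
fi
```

Only files that actually differ are copied, so an alert on one page does not rewrite the whole site, and every restore is itself logged so the operator can see what the automated response changed.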

Management features

The Host Management GUI allows the user to manage multiple host systems, run surveillance schedules and categorise multiple host systems. For example, a surveillance group of hosts might be tagged as application servers or database servers. Subsequent selection of all application servers allows closer monitoring or running specific surveillance schedules for that class of server.

The System Management GUI identifies what surveillance schedules are running on each host system. Combining one or more detection templates creates a surveillance group. Surveillance groups can form strategic protection for appropriate hosts such as application servers.

Surveillance groups or patterns that are mapped to schedule times create surveillance schedules.

Surveillance schedules

Surveillance schedules can be tailored based on the applications and activity on the host. For example, HIDS on a host running a database application can be configured to run a surveillance schedule that generates high-severity alerts for all logins except those by the database administrator. Surveillance schedules might be created for backup operations, test operations, and maintenance, and established for tagged surveillance groups of servers.

HP OpenView OVO Smart Plug-in

The system can also be integrated with HP OpenView Operations (OVO) by using the smart plug-in for HIDS. OVO templates are used to monitor important log files, vital processes and near-real-time alerts. OVO:
  • Reports the overall availability of the HIDS applications.
  • Uses an application bank to configure and manage the software.
  • Provides for role-based monitoring and administration based on user profiles.

Detection 'out-of-the-box'

As soon as the HIDS application is installed, it immediately provides intrusion detection. HIDS provides pre-configured detection templates, surveillance groups, and surveillance schedules. You will want to tailor these to your operating environment, but basic detection and alerting are available immediately.

Data sources monitored

Data sources monitored by HIDS on the host include:
  • Kernel audit data that is generated by an audit system specifically designed for HIDS.
  • System log files containing records for login (ssh, ftp, telnet, rlogin, etc.), logout, and switch-user (su) sessions, as well as for unsuccessful login and su attempts.

Communication between the Administrative GUI and the HIDS sensors on the monitored hosts is secured, both for integrity and privacy, using the Secure Sockets Layer (SSL) protocol.

Easy installation

Installation involves the following:
  1. Installing the administrative software GUI;
  2. Installing agent software on each host system requiring intrusion detection; and
  3. Generating and distributing X.509 Certificates.

Certificate management is self-contained and does not require a pre-existing public key infrastructure (PKI). Manpages are included with the product bits; a User's Guide and Release Notes are available from the Instant Information CD and also HP’s documents site.