Host intrusion detection is being deployed as part of a security solution to satisfy regulatory compliance requirements e.g. SOX, HIPPA, and CISP.
The threat: HIDS concentrates on protecting the HP-UX operating environment from attacks by insiders, as well as from attacks initiated by outsiders that cannot be detected or prevented by network intrusion detection systems (NIDS), which monitor network traffic on your perimeter.
The HP-UX 11i builders are the best at detection: HP is in the best position to know the possible intrusion routes and take action upon the high-quality kernel audit data of the operating system. Third-party vendors are unable to integrate detection in the kernel the way HP does to offer the most complete analysis and detection.
HP detection template: HP detection templates guard and focus on areas vulnerable to attack. These are the areas in HP-UX 11i (as in any operating system) that intruders probe and try to exploit. When a profiled event is detected, it is passed to a correlation engine that determines whether vulnerability is being exploited. This unique and sophisticated approach to intrusion detection recognises most current attack scenarios and some future attacks yet to be invented.
HIDS monitors for the exploitation of the following vulnerabilities to detect attacks or misuse:
In addition to sending user notifications, response scripts can be used to carry out other tasks automatically such as restoring defaced web pages from a reliable source (e.g., read only media).Management features
The System Management GUI identifies what surveillance schedules are running on each host system. Combining one or more detection templates creates a surveillance group. Surveillance groups can form strategic protection for appropriate hosts such as application servers.
Surveillance groups or patterns that are mapped to schedule times create surveillance schedules.Surveillance schedules can be tailored based on the applications and activity on the host. Surveillance schedules might be created for backup operations, test operations, and maintenance and established for tagged surveillance groups of servers.HP OpenView OVO Smart Plug-in
Communication between the Administrative GUI and the HIDS sensors on the monitored hosts is secured, both for integrity and privacy, using the Secure Socket Layer (SSL) protocol.
Installation involves the following:
Certificate management is self-contained and does not require a pre-existing public key infrastructure (PKI).