“The Effectiveness of McAfee Host Intrusion Prevention”

Crystal Cummings
CPSC 6126
Columbus State University
Columbus, United States
Cummings_crystal@colstate.edu

Submitted November 9, 2009

Abstract— The purpose of this paper is to select an intrusion detection system and suggest ways to possibly improve it. In order to do this, we need to understand the purpose of intrusion detection systems and know how to measure them. The paper we chose to critique does just that: it examines how to measure the performance of the various types of intrusion systems. IT groups in corporations are tasked every day with keeping their networks safe and secure. Meanwhile, malware attackers are working every day to find a loophole in the security of “secure networks”. The damage could be catastrophic if a corporation did not do the proper research to choose the correct intrusion detection system for its specific needs. We will evaluate McAfee Host Intrusion Prevention according to the proposed measurement matrix. Lastly, we will comment on what is next for McAfee Host Intrusion Prevention, whether it is worth suggesting improvements or choosing the latest technology currently available.

Keywords- networks, intrusion systems, data security, malware, performance.

I. INTRODUCTION

Intrusion detection systems are on the rise. Technology is barely keeping up because of the many malware attackers in existence today. This is why corporations are desperately seeking a “cure all” intrusion detection system. Does one exist? If not, who comes close? Before we can answer these questions we need to clearly define what intrusion detection is and decide how to measure it. The problem we will attempt to solve is to identify one meaning of intrusion detection among the many that are out there and to decide if McAfee Host Intrusion Prevention is strong enough to thrive in the virus-prone networks of today. My contribution will be to apply an intrusion detection system to the measurement matrix proposed and to identify whether it can be improved to meet the changing needs of a corporation or whether a new way to secure the network needs to be explored. The measurement matrix proposed takes the various types of outputs an intrusion system can have and correlates them to the types of architecture in which the intrusion system could potentially be operating. The architectures are file, host, network, and enterprise. As stated in our textbook, the primary focus of computer security is intrusion prevention, where the goal is to keep the bad guys out of your system or network. The purpose of an intrusion detection system is to detect attacks before, during, and after they have occurred [1]. We will create a fictitious corporation to illustrate the use of an intrusion detection system.

Corporation C uses McAfee Host Intrusion Prevention as its intrusion detection system of choice. Corporation C uses it to defend against any unauthorized intrusion and zero-day attacks. To improve the total cost of ownership, the company decides to install it on every laptop along with McAfee anti-virus software. The installation was not customized; we just followed the default prompts. How does this corporation fit into the intrusion systems model?

The main limitation of the chosen article is that it does not mention any specific intrusion system or software. It is very general and only names the types of intrusion systems. It also does not provide any real-life examples of the application of the proposed solution. It also seems to need additional work in relation to enterprise-based networks.

The remainder of this paper is structured as follows: Section 2 is an overview of my related work. Section 3 details my proposed solution. Section 4 concludes this paper.

II. RELATED WORK

We first have to decide which definition of intrusion detection we would like to go with, since there are so many. One of the first definitions was from Amoroso. His definition states that intrusion detection is “the process of identifying and responding to malicious activity targeted at computing and networking resources” [2]. Ptacek and Newsham defined intrusion as “unauthorized usage of or misuse of a computer system” [3]. Alessandri et al. defined intrusion as “a malicious activity threatening the security policy that leads to a security failure, that is to a security policy violation” [4]. Lastly, Bace and Mell defined intrusion as “attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network” [5]. We will use a definition inspired by Alessandri et al. Intrusion will be defined as an activity that leads to the violation of the security policy of a computer system. Since we have our definition, analysis can begin.

The types of outputs received from an intrusion system are based on the work of Johnson [6]. The article goes on to extend Johnson’s work and define the “types of output” as the following:

Detection – indicates the occurrence of a possible intrusion.
Recognition – indicates the type of attack.
Identification – indicates declaring the exploits used to achieve the intrusion.
Confirmation – indicates that an attack plan is deduced.
Prosecution – indicates the identity of the originator of the intrusion [7].

We also need to take into account the types of techniques that could potentially correlate the types of outputs to the types of architectures. Figure 1 shows a view of all the types discussed above. For example, file hashes can be used in intrusion detection systems operating at the file data level. In Figure 2, we see that McAfee, which would fall into the host-based category, would only protect against recognition and detection outputs. It is assumed that anomaly techniques were applied, and we know that confirmation and identification are not achievable with any reasonable confidence level in an anomaly-based system. However, host-based systems using signature techniques are expected to work at the confirmation and identification level, depending on the discrimination abilities of the signatures [1]. We will now look at what an actual customer of McAfee Host Intrusion Prevention had to say, along with other case studies done on McAfee.

Figure 1. – Intrusion System Matrix

Figure 2. – Intrusion System Footprint

In a McAfee study, TeliaSonera AB, the largest telecommunications provider in Sweden and Finland, offering mobile and fixed network services to the Nordic and Baltic countries, commented: “We think McAfee best meets our need for central managing, and we agreed with their future views on anti-virus technologies and policies,” adds Larsson. “We knew we could evolve easily with McAfee over time.” “The Host Intrusion Prevention solution was one of our main reasons for choosing McAfee,” adds Stenlund. “From the beginning, we used it as a desktop firewall product. Now that it has more functionality, it integrates better with our Windows and Microsoft applications and helps us secure our patch update process” [8].

The Tolly Group conducted a study in which they found that McAfee provides lower Total Cost of Ownership when compared to Symantec and Trend Micro. It offered increased reliability and availability by alleviating the need for in-house IT infrastructure and resources. It is easy to deploy and offers flexibility for company growth [9].

Lastly, Cascadia Labs also conducted a study comparing McAfee, Symantec and Sophos. They concluded that McAfee is a comprehensive suite targeted at very large enterprises. It has flexible Active Directory support, a robust reporting engine, and multi-server database roll-up features that are useful for companies with thousands of users and multiple locations. The most recent version includes a significant change to the management console. However, as with previous versions, McAfee’s installation, deployment, and basic usability and management features are clearly more complicated than those of Sophos and Symantec. In testing, they used the default configurations. McAfee had decent signature-based detection rates, but its day-zero protection was very poor. Some of this poor performance can be attributed to the need to configure rules when using its run-time HIPS configuration, a difficult and time-consuming task for even a seasoned security administrator [10].

There are challenges faced by all intrusion systems. For example, the prosecution output type requires that information be gathered with high integrity and totally secured from change. Although this is a common requirement in secure systems, it requires the levels necessary to allow criminal prosecution within a system that has intruders present [11]. For an enterprise system, the technology challenge appears to be the development of discriminators that will separate intrusion and non-intrusion events in mixed-trust data flows. These data flows will often be occurring on equipment not owned by the enterprise, and therefore the ability to provide local monitoring of the network will be limited. A view of these interactions is shown in Figure 3.

Figure 2a. – Updated Intrusion System Footprint

Figure 3. – Challenging Areas

III. PROPOSED SOLUTIONS

We have already proposed a solution to the first problem, which was to identify and adopt one definition of an intrusion detection system. We concluded that we would use the following definition: “an activity that leads to the violation of the security policy of a computer system”. The second problem was to apply McAfee to the measurement matrix proposed. It was determined that, since McAfee is a host-based system that uses both signature and behavioral intrusion prevention, it would be able to deliver the recognition, detection, identification, and confirmation outputs. An updated view of Figure 2 is shown above as Figure 2a to include the coverage of a signature-based host system. Lastly, we were tasked with determining any potential improvements McAfee could make to be more beneficial to a corporation, or whether to simply have it replaced.

Three areas provide insight into the performance of intrusion systems. They are the number of outputs covered by the system, the types of architecture supported by the intrusion system, and any areas that overlap each other. We can conclude that McAfee covers four out of five outputs and two out of four architectures, and produces no overlap.

While this may be suitable for some organizations, we doubt that it is suitable for most, given the current technological advancements and the various attacks and viruses of today. For example, many corporations require some of their employees to be mobile. It may be for telecommuting or business-related travel. The employees, at some point, may need to work off the network, in which case they would need access to a laptop that is not on the corporation’s network. When these remote employees log on to the company network, it may be via VPN from a Wi-Fi hotspot. Still, laptops issued by corporations require a good intrusion detection system whether off or on the network. We do not recommend improving this software to make it more robust. We will opt for a more advanced technology that would give greater scalability. Desktop virtualization is the latest technology that practically eliminates the use of host intrusion software at the endpoint or any other point on the network except at the server level. Desktop virtualization creates a virtual image on a desktop or laptop. No data physically resides on the hard drive; it resides on the server, so if someone were to physically steal the end device it would be a waste of time because there is no data to steal.

There are many desktop virtualization vendors. The major players are VMware, Cisco, Sun Microsystems, Citrix, and Microsoft. As of now, no one vendor beats the others; it all depends on the level of comfort and familiarity the IT professionals in the corporation have with a specific vendor.

As for an ideal endpoint security suite, we believe it should take ownership of the endpoint security problem and not overly complicate the life of the security administrator or end user. It should be simple, which means it should provide complete protection with minimal management. It should also be seamless to the end user and administrators until it is actually needed, and even then it should not affect the performance of the system. The administrators would need to be able to maintain the security policies through a user-friendly interface. Every threat should be handled through the signature database or by other protection designed to handle outliers and new threats based on their patterns or behaviors. Lastly, a good notification system should be in place to alert administrators about computers that need attention and the threats it has uncovered [10].

IV. CONCLUSION

The most important impact of the proposed solutions is the realization that corporations have to stay ever vigilant in protecting their networks regardless of the type of network or system chosen. We can safely say that large footprints represent intrusion systems that provide a broad range of applicability, thus a wider range of output information is gained during an intrusion. Smaller footprints, however, are very specific in their application. We can also conclude that McAfee is good at what it does, but that is it; it does not lend itself to much growth. As a result, removing local desktops and using virtual hosts with their own intrusion detection systems presents intruders with a smaller, more closely guarded target. However, this particular solution may not be cost-effective or reasonable in all cases. This is a subject area for further research and next steps.

The challenge in security is in keeping pace with changing threats, as malware attackers adapt to stay ahead of defenses. Signatures have demonstrated their worth, but also their limitations, and other approaches have moved antivirus on significantly. Using anti-malware experts’ experience to define easy-to-use behavioral controls based on common threat behavior allows antivirus tools to block malware proactively. Signatures provide the ability to define the threat and clear the damage. For the signature piece, time remains a challenge when dealing with the creation, testing and deployment of the system. Most recently, in-the-cloud security has linked the customer and vendor. It uses the concept of behavioral heuristics to identify potential threats, allowing an informational fingerprint to be sent to the security vendor and, if recognized, blocking the threat. Blending reactive and proactive controls provides the best of both worlds: proactive behavioral detection that can be easily implemented to defend against the unknown, and signature-based detection to give an understanding of the attack and its implications. In-the-cloud security has continued the progress along this evolutionary path, virtually closing the gap between discovery and signature defense [12].

Future work includes, but is not limited to, a deeper comparison of the measurement matrix, which includes an examination of all the performance metrics at all points of overlap on the intrusion footprint. Likewise, it would be beneficial to understand the additional benefits that could be realized at points where there is no overlap.

REFERENCES

[1] Stamp, M. (2005). Information Security: Principles and Practice. Wiley-Interscience.
[2] Amoroso, E.G. (1998). Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traps, Trace Back, and Response. Intrusion.Net Books, Sparta, NJ.
[3] Ptacek, T.H. and Newsham, T.N. (1998). Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Secure Networks Inc., Syracuse, NY.
[4] Alessandri, D., Cachin, C., Dacier, M., Deak, O., Julisch, K., Randell, B. and Riordan, J. (2001). Towards a Taxonomy of Intrusion Detection Systems and Attacks. IBM Research, Zurich Research Laboratory, Zurich.
[5] Bace, R. and Mell, P. (2001). Intrusion Detection Systems. NIST Special Publication on Intrusion Detection System, NIST, Gaithersburg, MD.
[6] Johnson, J. (1958). “Analysis of image forming systems”, Proceedings of the Image Intensifier Symposium, US Army Engineering Research Development Laboratories, Fort Belvoir, VI.
[7] Tucker, C., Furnell, S., Ghita, B., & Brooke, P. (2007). A new taxonomy for comparing intrusion detection systems. Internet Research, 17(1), 88-98. http://search.ebscohost.com, doi:10.1108/10662240710730515
[8] http://www.mcafee.com/us/local_content/case_studies/library/cs_teliasonera_ab_s.pdf
[9] Tolly Group, The. (2008, February 27). TCO Evaluation of McAfee Total Protection Service vs. Symantec Endpoint Protection Small Business Edition 11.0 and Trend Micro Client Server Messaging Security for SMB. McAfee, Inc. Retrieved from http://www.tolly.com/DocDetail.aspx?DocNumber=208255
[10] Cascadia Labs. (2007, November). Endpoint Securities for Enterprise. Sophos. Retrieved from http://www.sophos.com/sophos/docs/eng/marketing_material/cascadia-sesc-review.pdf
[11] Sommer, P. (1999). “Intrusion detection systems as evidence”, Computer Networks – The International Journal of Computer and Telecommunications Networking, Vol. 31, pp. 2477-87.
[12] Potter, B., & Day, G. (2009). The effectiveness of anti-malware tools. Computer Fraud & Security, 2009(3), 12-13. http://search.ebscohost.com, doi:10.1016/S1361-3723(09)70033-8

Images:

Figure 1. Intrusion System Matrix. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).
Figure 2. Intrusion System Footprint. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).
Figure 2a. Updated Intrusion System Footprint. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).
Figure 3. Challenging Areas. Source: Article by Tucker, C., Furnell, S., Ghita, B., & Brooke, P. in Internet Research (2007).
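The measurement matrix that Section III applies to Corporation C, as an added example that is not part of the paper: a small Python model of the outputs × architectures footprint that reproduces the paper's counts (four of five outputs, two of four architectures, no overlap) and also scores deployments of several systems for overlapping cells. The capability table is an assumption reconstructed from the paper's statements rather than the full matrix of Figure 1, and treating McAfee anti-virus as file-level signature scanning is likewise an assumption.

```python
"""Footprint calculator for the intrusion-system matrix (outputs x
architectures) that the paper applies to McAfee HIPS. Added example code,
not from the paper; the capability table is an assumption from its text."""
from itertools import combinations

OUTPUTS = ("detection", "recognition", "identification", "confirmation", "prosecution")
ARCHITECTURES = ("file", "host", "network", "enterprise")

# Assumed capability of (architecture, technique) pairs. Per the paper,
# anomaly techniques on a host reach only detection and recognition, while
# signature techniques on a host also reach identification and
# confirmation. File-level hashing is assumed to yield detection only.
CAPABILITY = {
    ("host", "anomaly"): {"detection", "recognition"},
    ("host", "signature"): {"detection", "recognition", "identification", "confirmation"},
    ("file", "signature"): {"detection"},
}

def footprint(system):
    """Cells (architecture, output) covered by one system, given as a list
    of (architecture, technique) pairs. Unknown pairs contribute nothing."""
    cells = set()
    for arch, technique in system:
        assert arch in ARCHITECTURES, arch
        for out in CAPABILITY.get((arch, technique), ()):
            cells.add((arch, out))
    return cells

def evaluate(systems):
    """Score a deployment {name: system} by the paper's three measures:
    outputs covered, architectures covered, and overlap (cells that more
    than one deployed system covers)."""
    fps = {name: footprint(sys) for name, sys in systems.items()}
    union = set().union(*fps.values())
    overlap = set()
    for a, b in combinations(fps, 2):
        overlap |= fps[a] & fps[b]
    return {
        "outputs": f"{len({out for _, out in union})}/{len(OUTPUTS)}",
        "architectures": f"{len({arch for arch, _ in union})}/{len(ARCHITECTURES)}",
        "overlap": sorted(overlap),
    }

# Constructed deployment for "Corporation C": McAfee HIPS on the host using
# both signature and behavioral (anomaly) prevention, plus McAfee anti-virus
# modelled (an assumption) as file-level signature scanning.
CORP_C = {
    "McAfee HIPS": [("host", "signature"), ("host", "anomaly")],
    "McAfee AV": [("file", "signature")],
}

if __name__ == "__main__":
    print(evaluate(CORP_C))
```

Two host-level systems deployed side by side show up as overlap, which is the case the paper's future work proposes to examine.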