HP-UX 11i Host Intrusion Detection System (HIDS)
Alarm your safe - protect the jewels!

You have set up security systems for your HP-UX 11i server to ward off breaches from the outside through the Internet, and you have implemented security policies and systems inside your network on the intranet. But how effectively protected are you?

HP's Host Intrusion Detection System (HIDS) alerts you when an intruder has already reached the HP-UX 11i operating environment and is about to act against the assets most critical to your computing environment: the operating system and the applications it runs.

Downloads

» HP-UX HIDS v4.1
» OpenView HIDS SPI

Documentation

» Admin Guide, Release Notes, Tuning/Sizing Paper
» HIDS OVO SPI Admin and User Manual

Customer References

» Campana
» Menlo

Related Links

» HP-UX 11i security
» HP-UX 11i security containment

Host intrusion detection is being deployed as part of a security solution to satisfy regulatory compliance requirements, e.g. SOX, HIPAA, and CISP. For example, Campana has deployed HIDS to help comply with PCI standards, while Menlo Worldwide has deployed HIDS to help satisfy SOX requirements.

Internal surveillance

Host intrusion detection complements the other security policies and systems you have in place. If you think of firewalls as fences with gates that let authorized personnel in, host intrusion detection is the video surveillance and burglar alarm that goes off when someone scales the fence or crashes the gate and is now intent on capturing the central control system. Many of the most serious threats are already inside, lurking and plotting the takeover of your operating system and applications.

The threat

HIDS concentrates on protecting the HP-UX 11i operating environment from attacks by insiders, as well as from attacks initiated by outsiders that cannot be detected or prevented by network intrusion detection systems (NIDS), which monitor network traffic on your perimeter. An FBI survey reports that insider attacks are about as common as outsider attacks, supporting the claim that HIDS is necessary to fully protect mission-critical servers.

The HP-UX 11i builders are the best at detection

HP is in the best position to know the possible intrusion routes and to act on the high-quality kernel audit data that the operating system generates. Third-party vendors cannot integrate detection into the kernel the way HP does, so HP can offer the most complete analysis and detection.

HP detection template

HP has adopted a different approach to intrusion detection. HP detection templates guard and focus on the areas vulnerable to attack: the places in HP-UX 11i (as in any operating system) that intruders probe and try to exploit. When a profiled event is detected, it is passed to a correlation engine, which determines whether a vulnerability is being exploited. Because it keys on the underlying system behaviour rather than on signatures of individual exploits, this approach recognizes most current attack scenarios and some attack variants that have not yet appeared.

The break-in list

HIDS monitors for the exploitation of the following vulnerabilities to detect attacks or misuse:

Vulnerability: Poorly written privileged programs
HIDS monitors: Buffer overflows and race conditions

Vulnerability: Unauthorized file modification
HIDS monitors: Critical system and application programs and configuration files
               System and application log files
               File additions and deletions
               Critical files made world-writable
               Privileged setuid programs created
               Files modified by non-owners

Vulnerability: Weak password or unauthorized access
HIDS monitors: Logins and logouts

Vulnerability: Password guessing
HIDS monitors: Failed logins and failed su attempts
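The file-modification checks in the list above (content changes, files made world-writable, new setuid programs, additions and deletions) can be approximated from user space with a baseline-and-compare script. The script below is an added example written for this page, not HP's HIDS code, and it reads only ls, cksum and find output rather than the kernel audit stream HIDS uses; the directory roots and baseline file path are whatever you pass in, and it assumes paths contain no whitespace.

```shell
#!/bin/sh
# fim.sh - added example: baseline critical files and report the kinds of
# change the HIDS break-in list describes. Not HP code; uses only POSIX tools.
# ASSUMPTION: file paths contain no spaces (one record per line, space-separated).

# Emit one record per regular file under the given roots:
#   path mode owner group crc
fim_baseline() {
    for root in "$@"; do
        find "$root" -type f -print
    done | sort | while IFS= read -r f; do
        set -- $(ls -ld "$f")          # $1 mode, $3 owner, $4 group
        mode=$1; owner=$3; group=$4
        set -- $(cksum "$f")           # $1 crc, $2 size
        printf '%s %s %s %s %s\n' "$f" "$mode" "$owner" "$group" "$1"
    done
}

# Compare a saved baseline against the current state of the same roots and print
# one line per finding: MODIFIED, MODE, OWNER, ADDED, DELETED, WORLD_WRITABLE, SETUID.
fim_compare() {
    base=$1; shift
    fim_baseline "$@" | awk -v basefile="$base" '
    BEGIN {
        while ((getline line < basefile) > 0) {
            split(line, f, " ")
            oldmode[f[1]] = f[2]; oldown[f[1]] = f[3] ":" f[4]; oldsum[f[1]] = f[5]
        }
    }
    {
        path = $1; mode = $2; own = $3 ":" $4; sum = $5
        seen[path] = 1
        if (!(path in oldsum)) {
            print "ADDED " path
        } else {
            if (sum != oldsum[path])   print "MODIFIED " path
            if (mode != oldmode[path]) print "MODE " path " " oldmode[path] " -> " mode
            if (own != oldown[path])   print "OWNER " path " " oldown[path] " -> " own
        }
        # 9th character of the ls mode string is the "other" write bit
        if (substr(mode, 9, 1) == "w") print "WORLD_WRITABLE " path
        # 4th character is s (or S if not executable) when the setuid bit is set
        if (substr(mode, 4, 1) == "s" || substr(mode, 4, 1) == "S") print "SETUID " path
    }
    END { for (p in oldsum) if (!(p in seen)) print "DELETED " p }'
}

# Usage: fim.sh baseline ROOT... > base.txt ; fim.sh compare base.txt ROOT...
case "${1:-}" in
    baseline) shift; fim_baseline "$@" ;;
    compare)  shift; fim_compare "$@" ;;
esac
```

Keep the baseline file off the monitored host (or on read-only media); a baseline that an intruder can rewrite detects nothing.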

Near-real-time detection and alerts

Intrusions are detected as they occur and alerts are provided immediately. Alerts are logged to the Alert Browser in color, based on three levels of severity, and provide detailed information about what triggered them. For example, an alert for the unauthorized modification of a critical file includes the attributes of the critical file (full pathname, inode, owner, type, mode, device), the pathname of the program that triggered the alert, and the user ID, group ID, process ID, and parent process ID associated with the execution of that program. An alert triggered by a successful login contains the name and IP address of the remote host from which the login was made, as well as the pseudo-terminal device associated with the login session. This is helpful in identifying attackers and acting on them according to your security policy.

Alerts are also written to a local log file for archiving and to allow the Administrative GUI to retrieve missed alerts that were generated when it was either not running or could not connect to HIDS sensors on the monitored host(s).

Automating alert responses

Alerts can also trigger execution of user-defined actions. For example, users can have specific alerts result in e-mail or pager notifications being sent. This response mechanism works by executing a user-specified executable (a shell script or a binary).

In addition to sending user notifications, response scripts can be used to carry out other tasks automatically such as restoring defaced web pages from a reliable source (e.g., read only media).
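The web-page restore described above, as an added example response program (not HP's HIDS code and not its shipped response script). It assumes HIDS invokes the program with the alert severity, the affected pathname and the triggering program as its three arguments; the real argument layout is documented in the HIDS Admin Guide and the script must be adapted to it. The read-only master tree, the served document root and the notification command are also assumptions, all overridable through environment variables.

```shell
#!/bin/sh
# hids_respond.sh - added example of a HIDS alert response program. Not HP code.
# ASSUMPTION: called as  hids_respond.sh SEVERITY PATHNAME TRIGGERING_PROGRAM
# ASSUMPTION: MASTER is a read-only mount (CD or read-only NFS) holding pristine pages.
MASTER=${MASTER:-/mnt/cdrom/htdocs}
DOCROOT=${DOCROOT:-/opt/apache/htdocs}
NOTIFY=${NOTIFY:-"mailx -s HIDS-alert root"}   # reads the message on stdin

# Restore one served file from the read-only master copy.
# Returns 0 if restored, 1 if the file already matched the master, 2 if no master copy.
restore_from_master() {
    served=$1
    rel=${served#"$DOCROOT"/}
    master="$MASTER/$rel"
    [ -f "$master" ] || return 2
    if [ -f "$served" ] && [ "$(cksum < "$master")" = "$(cksum < "$served")" ]; then
        return 1
    fi
    # write to a temporary name, then rename, so readers never see a partial file
    cp "$master" "$served.tmp.$$" && mv "$served.tmp.$$" "$served"
}

# Decide on an action for the alert, perform it, notify, and return the action text.
respond() {
    severity=$1; path=$2; prog=$3
    case "$path" in
        "$DOCROOT"/*)
            restore_rc=0
            restore_from_master "$path" || restore_rc=$?
            case $restore_rc in
                0) action="restored $path from $MASTER" ;;
                1) action="$path already matches the master copy" ;;
                *) action="no master copy for $path; manual review needed" ;;
            esac ;;
        *)  action="no automatic action" ;;
    esac
    printf 'HIDS severity %s on %s: %s changed by %s; %s\n' \
        "$severity" "$(uname -n)" "$path" "$prog" "$action" | eval "$NOTIFY"
    echo "$action"
}

if [ $# -eq 3 ]; then
    respond "$@"
fi
```

The comparison against the master copy, not just the alert, decides whether to overwrite: a response script that blindly copies on every alert is itself a tool an attacker can trigger, and one that restores from a writable location restores whatever the attacker left there.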

Management features

The Host Management GUI allows the user to manage multiple host systems, run surveillance schedules, and categorize hosts. For example, a surveillance group of hosts might be tagged as application servers or database servers; selecting all application servers then allows closer monitoring of, or specific surveillance schedules for, that class of server.

The System Management GUI shows which surveillance schedules are running on each host. Combining one or more detection templates creates a surveillance group, and surveillance groups can provide targeted protection for particular kinds of hosts, such as application servers. Mapping surveillance groups to schedule times creates surveillance schedules, which can be tailored to the applications and activity on the host. For example, HIDS on a host running a database can be configured with a surveillance schedule that generates high-severity alerts for every login except the database administrator's while the host is in maintenance mode and only the administrator is expected to log in. Surveillance schedules might also be created for backup operations, test operations, and maintenance, and can be applied to tagged surveillance groups of servers or to individual hosts.

HP OpenView OVO Smart Plug-in

The system can also be integrated with HP OpenView Operations (OVO) by using the Smart Plug-in for HIDS. OVO templates are used to monitor important log files, vital processes, and near-real-time alerts. OVO:
  • Reports the overall availability of the HIDS applications
  • Uses an application bank to configure and manage the software
  • Provides role-based monitoring and administration based on user profiles

Detection 'out-of-the-box'

As soon as the HIDS application is installed, it immediately provides intrusion detection. HIDS provides pre-configured detection templates, surveillance groups, and surveillance schedules. You will want to tailor these to your operating environment, but basic detection and alerting are available immediately.

Data sources monitored

Data sources monitored by HIDS on the host include:
  • Kernel audit data generated by an audit system specifically designed for HIDS.
  • System log files containing records for login (ssh, ftp, telnet, rlogin, etc.), logout, and switch-user (su) sessions, as well as for unsuccessful login and su attempts.

Communication between the Administrative GUI and the HIDS sensors on the monitored hosts is secured, for both integrity and privacy, using the Secure Sockets Layer (SSL) protocol.
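The second data source above, failed logins and failed su attempts in the system log files, is the one most easily reproduced with ordinary tools. The script below is an added example written for this page, not HP's HIDS code: it counts failed sshd logins per account and source address and failed su attempts per user pair, and raises an alert once a source crosses a threshold. The log lines embedded in it are constructed for the example; the sshd lines follow the common "Failed password for ... from ..." syslog form and the su lines follow the HP-UX sulog layout as assumed here (SU MM/DD HH:MM + or - tty from-to), so adjust the patterns to the actual formats on your hosts.

```shell
#!/bin/sh
# failed_logins.sh - added example: threshold alerting on failed logins and
# failed su attempts read from system log records. Not HP code.

# Constructed sample records (not real logs). Three failures for admin from
# 10.1.2.3, one each for root and oracle, three failed "oracle -> root" su attempts.
SAMPLE_LOG='Mar 15 10:22:01 db01 sshd[4120]: Failed password for invalid user admin from 10.1.2.3 port 51222 ssh2
Mar 15 10:22:04 db01 sshd[4120]: Failed password for invalid user admin from 10.1.2.3 port 51223 ssh2
Mar 15 10:22:09 db01 sshd[4121]: Failed password for root from 10.1.2.3 port 51224 ssh2
Mar 15 10:22:15 db01 sshd[4122]: Failed password for invalid user admin from 10.1.2.3 port 51225 ssh2
Mar 15 10:23:00 db01 sshd[4130]: Accepted publickey for dbadmin from 10.9.9.9 port 6000 ssh2
Mar 15 10:23:30 db01 sshd[4131]: Failed password for oracle from 192.168.5.7 port 7000 ssh2
SU 03/15 10:24 - pts/1 oracle-root
SU 03/15 10:25 - pts/1 oracle-root
SU 03/15 10:26 - pts/1 oracle-root
SU 03/15 10:27 + pts/2 dbadmin-root'

# Read log records on stdin; print "ALERT <kind> <key> failures=N" for every
# key with at least THRESHOLD failures (default 3).
detect_failed_logins() {
    threshold=${1:-3}
    awk -v thr="$threshold" '
    # sshd: "Failed password for [invalid user] NAME from ADDR port N ssh2"
    /sshd\[[0-9]+\]: Failed password for/ {
        for (i = 1; i <= NF; i++) if ($i == "for") break
        user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
        for (; i <= NF; i++) if ($i == "from") break
        n["login " user "@" $(i+1)]++
        next
    }
    # sulog (assumed HP-UX layout): "SU MM/DD HH:MM - tty FROMUSER-TOUSER"; "-" means failed
    /^SU / && $4 == "-" {
        n["su " $6]++
        next
    }
    END { for (k in n) if (n[k] >= thr) printf "ALERT %s failures=%d\n", k, n[k] }'
}

# Usage: failed_logins.sh --demo   or   failed_logins.sh THRESHOLD < /var/adm/syslog/syslog.log
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | detect_failed_logins 3 ;;
    [0-9]*) detect_failed_logins "$1" ;;
esac
```

A plain count over the whole file is deliberately simple; a production version would window by time so that three failures spread over a year do not page anyone, and would key the su check on the target user as well as the pair.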

Easy installation

Installation involves (1) installing the administrative GUI software, (2) installing the agent software on each host system requiring intrusion detection, and (3) generating and distributing the X.509 certificates that secure GUI-to-agent communication.

Certificate management is self-contained and does not require a pre-existing public key infrastructure (PKI). Manpages are included with the product bits; a User's Guide and Release Notes are available from the Instant Information CD and from docs.hp.com.

»  HIDS is available at no charge from Software Depot.
© 2008 Hewlett-Packard Development Company, L.P.