Host-based intrusion prevention system

A host-based intrusion prevention system (HIPS) is very similar in concept to network intrusion prevention in terms of the logic of the tool. The primary difference is that the network intrusion prevention tool is responsible for detecting as much as possible across multiple operating system platforms and applications while deployed on the network wire. This is a challenge even in finely tuned environments because protection of the system asset is a configuration on the network, not on the host itself. The host knows what is running, and if there is a network intrusion prevention misconfiguration, the host is still protected by the HIPS. Host-based intrusion prevention leverages being installed on the system it is protecting to actively mitigate threats against running services and applications. This additional awareness of running applications and services can reduce the footprint the HIPS requires, because it only has to protect what is actually running rather than every possible combination, as a typical network IPS must. This reduces the alerts that need to be reviewed and gives confidence that protection moves with the system wherever it is moved.

Benefits of this implementation are protection regardless of the state of the network intrusion prevention system and specific protection for what is actually on the system. This reduces false positives and ensures intrusion protection. When there are multiple groups involved in implementing the security of the network and systems, misconfigurations can occur, and these generally occur in the network, as its rate of change is usually greater than that of a critical system. This is not to say that the network team is less competent, but the reality is that security is not the focus of the network; its focus is moving packets as fast as possible across the infrastructure. A minor access control list tweak or route map modification can cause the complete bypass of the network-based security controls.

Host-based intrusion detection uses the same types of detection methods as its network-based counterpart and, in some cases, leverages application whitelisting techniques. The primary method is signature-based detection, as this is the easiest method to implement on a host without taxing the operating system with true behavioral analysis. It should be noted, though, that a combination of methods should be employed for comprehensive protection.
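To make the three methods named above concrete, here is a minimal host-based prevention decision engine. It is an added example, not code from the book or from any HIPS product: it evaluates constructed process-start events against a constructed known-bad hash signature and command-line signature (the signature-based method), a constructed application allowlist (the whitelisting technique), and one lightweight parent/child behavioral rule, then combines the hits into a verdict. Every hash, path, signature name and event below is sample data made up for the example.

```python
"""Minimal HIPS decision engine combining signature, allowlist and behavioural checks.

Added example, not the book's or any product's code. All signatures, hashes,
allowlist entries and events are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image_path: str   # full path of the executable being started
    image_hash: str   # sha256 of the executable bytes, as a HIPS agent would compute it
    cmdline: str      # command line observed at process start
    parent: str       # image name of the parent process


def _basename(path):
    """Return the file name portion of a Windows- or POSIX-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


# Constructed "known bad" hash: sha256 of a sample string, not a real malware hash.
BAD_HASHES = {hashlib.sha256(b"constructed-sample-bad-binary").hexdigest()}
GOOD_HASH = hashlib.sha256(b"constructed-sample-good-binary").hexdigest()

# Constructed command-line signature; the name and pattern are illustrative only.
CMDLINE_SIGNATURES = {
    "encoded_powershell": re.compile(r"powershell(\.exe)?\b.*\s-enc(odedcommand)?(\s|$)", re.I),
}

# Constructed allowlist of executables approved to run on this host.
ALLOWLIST = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
}

# Behavioural rule data: document-handling parents that should not spawn shells.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"cmd.exe", "powershell.exe"}


def signature_hits(ev):
    """Signature-based detection: known-bad hash or a command-line pattern match."""
    hits = []
    if ev.image_hash.lower() in BAD_HASHES:
        hits.append("sig:known_bad_hash")
    for name, pattern in CMDLINE_SIGNATURES.items():
        if pattern.search(ev.cmdline):
            hits.append(f"sig:{name}")
    return hits


def allowlist_hits(ev):
    """Application allowlisting: anything not explicitly approved is a hit."""
    return [] if ev.image_path in ALLOWLIST else ["allowlist:not_approved"]


def behaviour_hits(ev):
    """Light behavioural check: an Office process starting a command shell."""
    if ev.parent.upper() in OFFICE_PARENTS and _basename(ev.image_path).lower() in SHELLS:
        return ["behaviour:office_spawned_shell"]
    return []


def evaluate(ev):
    """Combine all methods. Signature and allowlist hits block; behaviour alone alerts."""
    reasons = signature_hits(ev) + allowlist_hits(ev) + behaviour_hits(ev)
    if any(r.startswith(("sig:", "allowlist:")) for r in reasons):
        return "block", reasons
    if reasons:
        return "alert", reasons
    return "allow", reasons


# Constructed process-start events covering allow, block and alert outcomes.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe", GOOD_HASH,
                 "svchost.exe -k netsvcs", "services.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", GOOD_HASH,
                 "powershell.exe -nop -w hidden -enc QQBBAEEA", "WINWORD.EXE"),
    ProcessEvent(r"C:\Users\Public\update.exe", next(iter(BAD_HASHES)),
                 "update.exe", "explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", GOOD_HASH,
                 "cmd.exe /c dir", "WINWORD.EXE"),
]


def run_demo():
    """Evaluate every sample event; returns {image_path: (verdict, reasons)}."""
    return {ev.image_path: evaluate(ev) for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for path, (verdict, reasons) in run_demo().items():
        print(f"{verdict:5}  {path}  {reasons}")
```

The combination rule is the point the paragraph makes: the encoded PowerShell event is an approved binary, so the allowlist alone would pass it, and the unknown `update.exe` carries no suspicious command line, so the command-line signature alone would pass it; only together do the methods catch both, while the behavioural rule on its own is kept at alert level because it is the noisiest of the three.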

Implementation considerations

In the current state of security, we have been tasked with installing several agents on systems to ensure they are secure, or at least protected. A HIPS solution is an additional agent that must be installed unless it is a component of the anti-virus already installed on the system. If this is the case, its effectiveness may need to be tested, as anti-virus-based tools will only protect at a minimal-to-moderate level. This must be considered before HIPS is implemented or positioned as a primary host protection method. As with the intent of all security controls, monitoring and alerting capabilities need to be integrated into the existing response implementation. Like any additional tool, a HIPS agent requires operational consideration before it is implemented.
