Built-in intrusion prevention or HIPS – what is the best choice?

If you are managing a server and host various applications and services all of them are reachable for your users and customers. Quite often, they are also reachable for others – with malicious intent – wanting to gain access.  

To be cost effective, you could be using a Terminal Server (or Remote desktop Server) and you have also got an FTP server to ease file transfers. There is also a web interface for the remote applications and so on.

An possible attacker will start by port scan your server, search for open ports, and try to figure out what services and applications you are running on them. Even if you have changed the default ports, quite often the application will reveal itself in the header – what it is and what version it is.

What your applications reveals

To see what your applications reveal about themselves, you can simply do telnet session to the port in question.

Start a telnet client and connect to the port you are interested. For example, port 25 for SMTP (email) or port 21 for FTP. You will probably get at least some information on what is running on the server.

(I you wish to gather more detailed and complex information, you can use software like Nmap Security Scanner.)

The value of built-in intrusion prevention

After scanning your ports, the intruder will use automated scripts to try login in.

Some software, as FileZilla FTP Server, has brute force prevention built into them (although, is it not enabled by default). This will block the intruder, making them move on to the next port/service. The attack will continue since they have only been blocked on the FTP level so far (usually port 21).

If you are hosting a multiple software and services on a server and each of them have brute force prevention built in, they will only block the attack within their own part of the system. I.e. FileZilla will block the brute force on FTP but nothing else.

Protect everything with a HIPS

An effective Host Intrusion Prevention System (HIPS) blocks the attacker entirely on all ports if they trigger any of the detectors. As a result: the attacker will be unable to communicate with your server at all (even ping), thus automatically protecting every other service you might have running on it.

This would be similar to an intruder trying to unlock your door, triggering the alarm, and realizing that the building had “magically” disappeared.

In conclusion: Built-in intrusion prevention is good. A HIPS is better.