Facts About Host Based Firewalls In Cybersecurity

host based firewall

Host-based personal firewalls are standalone software programs that control traffic entering or leaving a computer. Firewall apps are also available for Android phones and tablets. In this article, I want to talk about some of the facts that you need to know about host based firewall in cybersecurity.


Host-based firewalls may use a set of predefined policies, or profiles, to control packets entering and leaving a computer. They also may have rules that can be directly modified or created to control access based on addresses, protocols, and ports. Host-based firewall applications can also be configured to issue alerts to users if suspicious behavior is detected. They can then offer the user the ability to allow an offending application to run or to be prevented from running in the future.

Logging varies depending on the firewall application. It typically includes the date and time of the event, whether the connection was allowed or denied, information about the source or destination IP addresses of packets, and the source and destination ports of the encapsulated segments. In addition, common activities such as DNS lookups and other routine events can show up in host-based firewall logs, so filtering and other parsing techniques are useful for inspecting large amounts of log data.

One approach to intrusion prevention is the use of distributed firewalls. Distributed firewalls combine features of host-based firewalls with centralized management. The management function pushes rules to the hosts and may also accept log files from the hosts.

Whether installed completely on the host or distributed, host-based firewalls are an important layer of network security along with network-based firewalls. Here are some examples of host-based firewalls:

  • Windows Defender Firewall – First included with Windows XP, Windows Firewall (now Windows Defender Firewall) uses a profile-based approach to firewall functionality. Access to public networks is assigned the restrictive Public firewall profile. The Private profile is for computers that are isolated from the internet by other security devices, such as a home router with firewall functionality. The Domain profile is the third available profile. It is chosen for connections to a trusted network, such as a business network that is assumed to have an adequate security infrastructure. Windows Firewall has logging functionality and can be centrally managed with customized group security policies from a management server such as System Center 2012 Configuration Manager.
  • iptables – This is an application that allows Linux system administrators to configure network access rules that are part of the Linux kernel Netfilter modules.
  • nftables – The successor to iptables, nftables is a Linux firewall application that uses a simple virtual machine in the Linux kernel. Code is executed within the virtual machine that inspects network packets and implements decision rules regarding packet acceptance and forwarding.
  • TCP Wrappers – This is a rule-based access control and logging system for Linux. Packet filtering is based on IP addresses and network services.

Host-Based Intrusion Detection

The distinction between host-based intrusion detection and intrusion prevention is blurred. In fact, some sources refer to host-based intrusion detection and prevention systems (HIPDS). Because the industry seems to favor the use of the acronym HIDS, we will use it in our discussion here.

A host-based intrusion detection system (HIDS) is designed to protect hosts against known and unknown malware. A HIDS can perform detailed monitoring and reporting on the system configuration and application activity. It can provide log analysis, event correlation, integrity checking, policy enforcement, rootkit detection, and alerting. A HIDS will frequently include a management server endpoint, as shown in the figure.


A HIDS is a comprehensive security application that combines the functionalities of antimalware applications with firewall functionality. A HIDS not only detects malware but also can prevent it from executing if it should reach a host. Because the HIDS software must run directly on the host, it is considered an agent-based system.


The figure shows a security team with two PCs up top with the word logs under one and alerts under the second one and a threat actor icon that has a circle with a line through it over the icon. Below that is a network that includes an email and intranet server that is in a coloured box and a symbol that indicates a host based intrusion detection agent on each server. There is a host based intrusion detection management server and arrows pointing toward the security team PCs. There are other devices that include a host based intrusion detection agent: two servers, two PCs, a laptop, a tablet, and a cell phone.

Host-based Intrusion Detection Architecture

HIDS Operation

It can be said that host-based security systems function as both detection and prevention systems because they prevent known attacks and detect unknown potential attacks. A HIDS uses both proactive and reactive strategies. A HIDS can prevent intrusion because it uses signatures to detect known malware and prevent it from infecting a system. However, this strategy is only good against known threats. Signatures are not effective against new, or zero-day, threats. In addition, some malware families exhibit polymorphism. This means that variations of a type, or family, of malware, may be created by attackers that will evade signature-based detections by changing aspects of the malware signature just enough so that it will not be detected. An additional set of strategies are used to detect the possibility of successful intrusions by malware that evades signature detection:

  • Anomaly-based – Host system behaviour is compared to a learned baseline model of normal behaviour. Significant deviations from the baseline are interpreted as the result of some sort of intrusion. If an intrusion is detected, the HIDS can log details of the intrusion, send alerts to security management systems, and take action to prevent the attack. The measured baseline is derived from both user and system behaviour. Because many things other than malware can cause system behaviour to change, anomaly detection can create many erroneous results which can increase the workload for security personnel and also lower the credibility of the system.
  • Policy-based – Normal system behaviour is described by rules, or the violation of rules, that are predefined. Violation of these policies will result in action by the HIDS. The HIDS may attempt to shut down software processes that have violated the rules and can log these events and alert personnel to violations. Most HIDS software comes with a set of predefined rules. With some systems, administrators can create custom policies that can be distributed to hosts from a central policy management system.

HIDS Products

There are a number of HIDS products on the market today. Most of them utilize the software on the host and some sort of centralized security management functionality that allows integration with network security monitoring services and threat intelligence. Examples are Cisco AMP, AlienVault USM, Tripwire, and Open Source HIDS SECurity (OSSEC).

OSSEC uses a central manager server and agents that are installed on individual hosts. Currently, agents are available for Mac, Windows, Linux, and Solaris platforms. The OSSEC server, or Manager, can also receive and analyze alerts from a variety of network devices and firewalls over syslog. OSSEC monitors system logs on hosts and also conducts file integrity checking. OSSEC can detect rootkits and other malware, and can also be configured to run scripts or applications on hosts in response to event triggers.

Action Point

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

Download Our App.


CEHNigeria On Google Playstore

Download Our Blog App On Google Playstore.




Have a deeper understanding of Google Search Console. Joint SEOPOZ for free.

Join Our Whatsapp Group Here


Join Our Whatsapp Group

Follow Us On Twitter and I will Follow Back


Follow Us On Twitter

Kindly follow me on Twitter and I promise I will follow back. Aside you will get updated when we post new articles.

About Adeniyi Salau 897 Articles
I am an IT enthusiast and a man of many parts. I am a Certified Digital Marketer, Project Manager and a Real Estate Consultant. I love writing because that's what keeps me going. I am running this blog to share what I know with others. I am also a Superlife Stem Cell Distributor. Our Stem Cell Products can cure many ailments.

Be the first to comment

Leave a Reply

Your email address will not be published.


CommentLuv badge