
5.1.6 Embedded security and survivability

Self-monitoring processes and integrated integrity-checking functions protect the components against modification of code and of exchanged messages; authentication protects against impersonation and spoofing; and signalling or polling enables detection of denial-of-service attacks. The underlying communication handlers should deal with confidentiality: they hide the originator and destination of a message as well as its contents, and may even provide traffic flow confidentiality.

Self-monitoring processes and default modes of operation in monitors and decision enforcement applications allow for the creation of various levels of fall-back in case of a malfunction or an attack. A single point of failure can be avoided: a successful attack on a network monitor does not by itself eliminate the central management service or the host-based monitors, and additional security management servers can be kept in stand-by mode. Use of WORM storage prevents evidence from being erased. Separation of policy and mechanisms inherently makes it more difficult to change policy definitions: this requires the central management system to be compromised before it detects any other attack on the subsystems it is responsible for.
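The sketch below is an added example, not code from the thesis: it shows how a management service can combine the three mechanisms named above, namely message integrity and sender authentication (an HMAC tag per heartbeat) and polling for silence as a denial-of-service signal. The monitor names, keys, message layout and the `Manager` class are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample keys, one per monitor (assumption: pre-shared secrets).
KEYS = {"netmon": b"k-netmon-demo", "hostmon": b"k-hostmon-demo"}

def make_heartbeat(key, sender, seq, ts):
    """Monitor side: build 'sender|seq|ts' and its HMAC-SHA256 tag."""
    body = f"{sender}|{seq}|{ts}".encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

class Manager:
    """Central management side: verify heartbeats, report silent monitors."""
    def __init__(self, keys, timeout):
        self.keys, self.timeout = keys, timeout
        self.last_seq = {name: -1 for name in keys}
        self.last_seen = {name: 0.0 for name in keys}

    def receive(self, body, tag, now):
        parts = body.split(b"|")
        if len(parts) != 3:
            return "malformed"
        sender = parts[0].decode("utf-8", "replace")
        key = self.keys.get(sender)
        if key is None:
            return "unknown-sender"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-tag"          # modified message or impersonation
        seq = int(parts[1])           # safe: body is authenticated here
        if seq <= self.last_seq[sender]:
            return "replay"           # old heartbeat re-sent by a third party
        self.last_seq[sender], self.last_seen[sender] = seq, now
        return "ok"

    def silent(self, now):
        """Monitors with no valid heartbeat within the timeout window."""
        return sorted(n for n, t in self.last_seen.items()
                      if now - t > self.timeout)

def demo():
    m = Manager(KEYS, timeout=10)
    body, tag = make_heartbeat(KEYS["netmon"], "netmon", 0, 0)
    forged = body.replace(b"netmon", b"hostmon")   # claims another identity
    results = [m.receive(body, tag, 0), m.receive(forged, tag, 1),
               m.receive(body, tag, 2)]
    hb, hb_tag = make_heartbeat(KEYS["hostmon"], "hostmon", 0, 25)
    results.append(m.receive(hb, hb_tag, 25))
    return results, m.silent(30)      # netmon has been quiet for 30 s

if __name__ == "__main__":
    print(demo())
```

A monitor listed by `silent()` is the trigger for the fall-back levels described above, for example switching to a stand-by management server or to a default operating mode.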


(c) 1998, Filip Schepers