Hi Paul,

Don't take this the wrong way, but you're asking the wrong questions! :)

> 1) Ease of install - can it be done through GPO?
> SMS? Login scripts?

Zero-day attack prevention is far more important than ease of use. DON'T choose a well-orchestrated/marketed product if it doesn't give you the protection you need.

> 2) Usefulness of the information generated - have you detected any
> exploits? How were you notified? Etc.,

The whole point of HIDS/HIPS should be to give you a last line of defence, once attackers/hackers/worms have got through your perimeter security. Screw detection at this point. You need active protection.

> 3) Centralized management - is there any? If so, how easy is it to use?
> Configurable at the host level? Or group of hosts level?

There aren't any commercial HIPS/HIDS products that don't give you this.

> 4) Access to data - is it possible to restrict access to the data so that
> an administrator on the server would *not* be able to see the output of the
> HIDS?

Set up separate 'security administrator' accounts, that separate day to day security event logging from day to day account administration.

> 5) Interference with the server - does it consume lots of memory or CPU?

Only if they're badly written.

> Is it proactive or passive?

Ignore any passive products. If an attacker has got through all your other protection (firewall, AV, IPS, IDS) then a passive product is not going to help you.

> 6) Would you purchase again, if you had the option?
>
> PLEASE NOTE: Any vendor on this list who emails me suggesting their
> product will be automatically dropped from consideration, so be forewarned.
> You're welcome to respond on the list, if you like, but don't email me or
> you'll be eliminated from consideration.

I work for Cisco, Juniper, ISS, McAfee, Symantec, Trend and Check Point, and recommend them all thoroughly. Does this mean you'll drop the whole marketplace from consideration now?
:)

--- Paul Schmehl <[EMAIL PROTECTED]> wrote:

> I have some questions for real world users (not vendors) of HIDS products.
> If you are using HIDS products *and* you're happy with the results, please
> respond to the following questions.
>
> 1) Ease of install - can it be done through GPO? SMS? Login scripts?
>
> 2) Usefulness of the information generated - have you detected any
> exploits? How were you notified? Etc.,
>
> 3) Centralized management - is there any? If so, how easy is it to use?
> Configurable at the host level? Or group of hosts level?
>
> 4) Access to data - is it possible to restrict access to the data so that
> an administrator on the server would *not* be able to see the output of the
> HIDS?
>
> 5) Interference with the server - does it consume lots of memory or CPU?
> Is it proactive or passive?
>
> 6) Would you purchase again, if you had the option?
>
> PLEASE NOTE: Any vendor on this list who emails me suggesting their
> product will be automatically dropped from consideration, so be forewarned.
> You're welcome to respond on the list, if you like, but don't email me or
> you'll be eliminated from consideration.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
