You being a vendor, and purposefully NOT mentioning a product sort of defeats the purpose in my mind. I think the fact he's asking the questions he is implies that he's aware of the importance (and diversity) of each of these aspects....
--
Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
In memoriam: http://www.militarycity.com/valor/1029976.html

> -----Original Message-----
> From: Pukhraj Singh [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 02, 2006 6:07 AM
> To: Paul Schmehl; [email protected]
> Subject: Re: Real world experience with HIDS
>
> NOTE: I work for a HIPS company, but I am also an information security
> enthusiast and a regular contributor to the list. I have some
> experience in intrusion prevention which might help you in taking
> the right decisions. And you may want to note that I have not mentioned
> any vendor product in the response.
>
> ----
>
> HIPS (or HIDS) have seen good technological progress in the last few
> years. People have realized that HIPS is, in fact, the last line of
> defense against attacks. Nowadays, they encompass a number of features
> and varying capabilities in order to provide proactive and reactive
> defense mechanisms. Before answering your questions specifically, I
> would suggest that you have a look at this paper written by Gartner:
>
> Understanding the Nine Protection Styles of Host-Based
> Intrusion Prevention
> http://www.gartner.com/DisplayDocument?doc_cd=127317
>
> This will give you a good insight into the real scope of protection
> and prevention using HIPS and what to look for when assessing them.
>
> > 1) Ease of install - can it be done through GPO? SMS?
> > Login scripts?
>
> Yes, most HIPS (agents and management consoles) are quick software
> installs and can be managed easily.
>
> > 2) Usefulness of the information generated - have you detected any
> > exploits? How were you notified? Etc.,
>
> Of course, it is useful. Most HIPS support good notification and
> alerting techniques like a central alert database, alert/log correlation
> and exportation, and SMS/pager/e-mail notifications.
>
> > 3) Centralized management - is there any? If so, how easy
> > is it to use?
>
> Yes. This is one of the most important features of a good HIPS. Most
> agents will be centrally controlled using a management console or web
> interface. It should be intuitive and easily graspable, the reporting
> should be compliant with standards, and proper user-level access control
> should be provided. It should have the ability to create server
> profiles, detect software running and thus activate profiles
> automatically.
>
> > Configurable at the host level? Or group of hosts level?
>
> Should be at the discretion of the administrator. Should support both.
>
> > 4) Access to data - is it possible to restrict access to the data so
> > that an administrator on the server would *not* be able to see the
> > output of the HIDS?
>
> Yes, as discussed, user-level access control.
>
> > 5) Interference with the server - does it consume lots of
> > memory or CPU?
>
> Yes. The agent should be as light as possible. Should consume minimal
> resources. The control channel noise (between agents and managers)
> should be minimal. The latency of the servers should be in
> micro-seconds.
>
> > Is it proactive or passive?
>
> As you see in the Gartner paper, it should do both. It should have the
> ability to do protocol anomaly detection, detect vulnerability
> specific attacks, zero-day attacks. Should have the ability to
> sanitize/normalize malicious data or edit sessions.
>
> > 6) Would you purchase again, if you had the option?
>
> Will leave that to you. :)
> But personally, I see a good potential for HIPS as providing a good
> host/server level protection. They can really be effective in
> computing environments which have a lot of mobile hosts coming in and
> coming out where the network periphery is not the last fortification.
>
> Thanks,
> Pukhraj
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
