Firewall Wizards mailing list archives
Re: HIPS experience
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 16 May 2007 15:02:48 -0400
I am looking for feedback from those that have rolled out HIPS (host
intrusion prevention).
I am looking for both server and desktop based and would be interested in
which vendor was
chosen and why. This far I have looked at SANA, Determina, and about to
look at ISS and
Macafee. On the destop we are running xp sp2 with NAV, so I am wondering
if I want to use
hips that supply firewall/av capability. SANA seems to have alot of bells
and whistles but
is a/confusing b/takes a while to train (esp on servers)
I've done several HIPS server roll-outs, all Entercept/McAfee. I was only involved in one comparo project, and it was Okena Stormwatch (now Cisco) heads up against Entercept (now McAfee) and there was really no competition. I've not looked at SANA or Determina beyond their cut sheets. But here is my advice in rolling out HIPS, especially on servers. 1. Benchmark performance on the servers. For Windows, using System Monitor is fine. Use the following Perf Objects: Processor / % Processor Time Memory / Pages/sec Memory / Available Mbytes Physical Disk / % Disk Time Compare performance with and without HIPS. Note where servers need more hardware to accomidate HIPS. Also keep an eye out for performance conflicts. HIPS is invasive and can screw things up. This can be especially true of vendor A's HIPS product trying to cohabitate with vendor B's AV product. 2. Plan time for deployment and plan 4x that time for initial tuning. One thing Entercept did shortly before McAfee acquired them was to create a kind of step-up policy configuration. From deployment you can turn on their 'high' level events and then medium, and low and so on. And you can do this in a way that keeps you from being deluged with events from the time you turn on the agent. Of course, I think this probably also leads to most deployments never 'stepping up' to more detailed detection. Plan to 'step up' and expect to spend lots of time tuning. If your HIPS vendor doesn't have a tiered protection/logging policy like Entercept does, well, make that 6x as much time. 3. When creating policy, logically group and deploy by application and function, not by OS version. A Win2K3 server running WebSphere is more like a Win2K server running Jboss than it is like a Win2K3 domain controller. Group them together because their policy and tuning should be similar. (Of course, a Solaris server running J2EE should not be tuned the same as a Win2K server running Jboss.) PaulM _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- HIPS experience Mike LeBlanc (May 14)
- Re: HIPS experience roberto mizuuti (May 15)
- Re: HIPS experience Paul Melson (May 17)
- <Possible follow-ups>
- Re: HIPS experience Kristian Hermansen (May 17)
- Re: HIPS experience stursa (May 18)
- Re: HIPS experience Victor Williams (May 20)
- Re: HIPS experience Paul Melson (May 23)
- Re: HIPS experience stursa (May 23)
- Re: HIPS experience Paul Melson (May 25)
- Re: HIPS experience stursa (May 18)
- Re: HIPS experience Paul Melson (May 20)
- Re: HIPS experience Kristian Hermansen (May 18)