Firewall Wizards mailing list archives

Re: HIPS experience

From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 16 May 2007 15:02:48 -0400

I am looking for feedback from those that have rolled out HIPS (host

intrusion prevention).

I am looking for both server and desktop based and would be interested in

which vendor was

chosen and why.  This far I have looked at SANA, Determina, and about to

look at ISS and

Macafee.  On the destop we are running xp sp2 with NAV, so I am wondering

if I want to use

hips that supply firewall/av capability.  SANA seems to have alot of bells

and whistles but

is a/confusing b/takes a while to train (esp on servers)


I've done several HIPS server roll-outs, all Entercept/McAfee.  I was only
involved in one comparo project, and it was Okena Stormwatch (now Cisco)
heads up against Entercept (now McAfee) and there was really no competition.
I've not looked at SANA or Determina beyond their cut sheets.

But here is my advice in rolling out HIPS, especially on servers.

1. Benchmark performance on the servers.  For Windows, using System Monitor
is fine.  Use the following Perf Objects:
Processor / % Processor Time
Memory / Pages/sec
Memory / Available Mbytes
Physical Disk / % Disk Time

Compare performance with and without HIPS.  Note where servers need more
hardware to accomidate HIPS.  Also keep an eye out for performance
conflicts.  HIPS is invasive and can screw things up.  This can be
especially true of vendor A's HIPS product trying to cohabitate with vendor
B's AV product.

2. Plan time for deployment and plan 4x that time for initial tuning.  One
thing Entercept did shortly before McAfee acquired them was to create a kind
of step-up policy configuration.  From deployment you can turn on their
'high' level events and then medium, and low and so on.  And you can do this
in a way that keeps you from being deluged with events from the time you
turn on the agent.  Of course, I think this probably also leads to most
deployments never 'stepping up' to more detailed detection.  Plan to 'step
up' and expect to spend lots of time tuning.  If your HIPS vendor doesn't
have a tiered protection/logging policy like Entercept does, well, make that
6x as much time.

3. When creating policy, logically group and deploy by application and
function, not by OS version.  A Win2K3 server running WebSphere is more like
a Win2K server running Jboss than it is like a Win2K3 domain controller.
Group them together because their policy and tuning should be similar.  (Of
course, a Solaris server running J2EE should not be tuned the same as a
Win2K server running Jboss.)

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

HIPS experience Mike LeBlanc (May 14)
- Re: HIPS experience roberto mizuuti (May 15)
- Re: HIPS experience Paul Melson (May 17)
- <Possible follow-ups>
- Re: HIPS experience Kristian Hermansen (May 17)
  - Re: HIPS experience stursa (May 18)
    - Re: HIPS experience Victor Williams (May 20)
    - Re: HIPS experience Paul Melson (May 23)
    - Re: HIPS experience stursa (May 23)
    - Re: HIPS experience Paul Melson (May 25)
  - Re: HIPS experience Paul Melson (May 20)
    - Re: HIPS experience Kristian Hermansen (May 18)
- Re: HIPS experience Kristian Hermansen (May 20)