IDS mailing list archives

RE: Entercept HIDS Question


From: <Josh.Berry () compucom com>
Date: Thu, 4 Mar 2004 14:21:08 -0600

This is one of those "it depends on your network and application
environment" questions, because we had terrible performance numbers with
Okena also.  Okena's rules configuration and push-out technology were
very cumbersome, and we had odd anomalous issues on the desktop systems
that we tested it on (for instance, one user couldn't download anything
faster than 27k until we disabled the agent).

Signature based systems on the host end are hard to manage at a large
scale on heterogeneous systems.

-----Original Message-----
From: gatekeeper [mailto:gatekeeper () globenet com ph] 
Sent: Wednesday, March 03, 2004 5:54 PM
To: Berry, Josh (jberry); sam () neuroflux com
Cc: focus-ids () securityfocus com
Subject: Re: Entercept HIDS Question

We bought Entercept along with a Cisco IDS 4250 appliance (Entercept used to
be Cisco HIDS; now Cisco packages the Okena HIDS). We had it running both
for Windows and Solaris. No issues on Windows; we have our signatures
fine-tuned via Console Manager. On Unix, the process penalty is about 3-4% on
normal operation. I say normal because one has to understand that Entercept
sits around the kernel. It catches sys calls from apps and validates them
against specific signatures (for known attacks) or generic signatures (used to
catch unknown attacks). This works because sys calls are clearly documented
in such a way that a deviation would surely be tagged as malicious. So the
process cost would depend on the number of such calls.

I think this concept is no different from a hacker's methodology of
redirecting sys calls to a trojaned binary, only it is being used here in a
noble way ;-)

You can find an evaluation report at www.nss.co.uk

regards,
jun g.
"hiding in plain sight"

----- Original Message ----- 
From: <Josh.Berry () compucom com>
To: <sam () neuroflux com>
Cc: <focus-ids () securityfocus com>
Sent: Wednesday, March 03, 2004 2:25 AM
Subject: RE: Entercept HIDS Question


My company bought Entercept and then immediately removed it from
production, if that tells you anything.  It caused blue screens like
crazy, huge performance issues, and blocked an inordinate amount of
allowed traffic.  This was even in detect-only mode.

-----Original Message-----
From: sam () neuroflux com [mailto:sam () neuroflux com]
Sent: Tuesday, March 02, 2004 11:31 AM
To: focus-ids () securityfocus com
Subject: Entercept HIDS Question

Hello..  We are currently in the process of selecting a HIDS-based
product, and according to the Entercept sales person, they claim that the
product has a feature that works very much like Tripwire.

My question here, is how much overhead does it add to a server, to watch
the filesystem in real time?  And, if we already have Tripwire, would
their File Integrity checking process be enough to replace Tripwire?

And, if anyone is currently using the Entercept HIDS product, I'm
wondering how easily it can be managed (not only from the HIDS piece, but
from the file integrity standpoint -- excluding files, creating policies,
etc.)

Thanks!
-Sam
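Sam's question about a Tripwire-like file integrity feature, with exclusions and policies, illustrated by an added example that is not from any poster and is not Entercept or Tripwire code: a minimal baseline/rescan/diff checker with a glob-based exclusion policy. Every path and file content in it is constructed sample data.

```python
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path
# Added example, not Entercept or Tripwire code: a minimal Tripwire-style
# integrity checker (baseline, rescan, diff) with a glob-based exclusion policy.
def file_record(path):
    """Content hash plus the metadata a HIDS watches for drift (size, permission bits)."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mode": st.st_mode & 0o7777}

def snapshot(root, policy):
    """Record every regular file under root whose relative path matches no policy glob."""
    base, records = Path(root), {}
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(base).as_posix()
            if p.is_file() and not p.is_symlink() and not any(fnmatch.fnmatch(rel, g) for g in policy):
                records[rel] = file_record(p)
    return records

def compare(baseline, current):
    """Added/removed paths, and for surviving paths the attributes that changed."""
    modified = {}
    for rel in baseline.keys() & current.keys():
        changed = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel][k])
        if changed:
            modified[rel] = changed
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()), "modified": modified}

def demo():
    """Constructed tree: an edit, a setuid chmod, a delete, a new file, and excluded log churn."""
    policy = ["var/log/*", "*.tmp"]           # what a Tripwire-style policy would exclude
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        seed = {"etc/passwd": b"root:x:0:0\n", "etc/hosts": b"127.0.0.1 localhost\n",
                "bin/ls": b"ELF", "var/log/messages": b"noise"}
        for rel, data in seed.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = snapshot(root, policy)
        (root / "etc/passwd").write_bytes(b"root:x:0:0\nevil:x:0:0\n")  # content change
        (root / "bin/ls").chmod(0o4755)                                  # setuid bit added
        (root / "etc/hosts").unlink()                                    # removed
        (root / "bin/new").write_bytes(b"dropped")                       # added
        (root / "var/log/messages").write_bytes(b"more noise")           # excluded, ignored
        return compare(baseline, snapshot(root, policy))
```

Rescanning hashes every watched file, which is where the overhead Sam asks about comes from; a real-time agent avoids that by hooking the file-modifying calls instead, which is the trade-off the thread discusses.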



---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
---------------------------------------------------------------------------
