IDS mailing list archives
RE: Entercept HIDS Question
From: <Josh.Berry () compucom com>
Date: Thu, 4 Mar 2004 14:21:08 -0600
This is one of those "it depends on your network and application environment" questions, because we had terrible performance numbers with Okena also. Okena's rules configuration and push-out technology was very cumbersome, and we had odd anomalous issues on the desktop systems that we tested it on (for instance, one user couldn't download anything faster than 27k until we disabled the agent). Signature-based systems on the host end are hard to manage at a large scale on heterogeneous systems.

-----Original Message-----
From: gatekeeper [mailto:gatekeeper () globenet com ph]
Sent: Wednesday, March 03, 2004 5:54 PM
To: Berry, Josh (jberry); sam () neuroflux com
Cc: focus-ids () securityfocus com
Subject: Re: Entercept HIDS Question

We bought Entercept along with a Cisco IDS 4250 appliance (Entercept used to be Cisco HIDS; now Cisco packages the Okena HIDS). We had it running both for Windows and Solaris. No issues on Windows; we have our signatures fine-tuned via Console Manager.

On Unix, the process penalty is about 3-4% on normal operation. I say normal because one has to understand that Entercept sits around the kernel. It catches syscalls from apps and validates them against a specific signature (for known attacks) or a generic signature (used to catch unknown attacks). This works because syscalls are clearly documented in such a way that a deviation would surely be tagged as malicious. So the process penalty would depend on the number of such calls.

I think this concept is nothing different to a hacker methodology of redirecting syscalls to a trojaned binary, only it is being used here in a noble way ;-)

You can find an evaluation report at www.nss.co.uk

regards,
jun g.
"hiding in plain sight"

----- Original Message -----
From: <Josh.Berry () compucom com>
To: <sam () neuroflux com>
Cc: <focus-ids () securityfocus com>
Sent: Wednesday, March 03, 2004 2:25 AM
Subject: RE: Entercept HIDS Question

My company bought Entercept and then immediately removed it from production, if that tells you anything. It caused blue screens like crazy, huge performance issues, and blocked an inordinate amount of allowed traffic. This was even in detect-only mode.

-----Original Message-----
From: sam () neuroflux com [mailto:sam () neuroflux com]
Sent: Tuesday, March 02, 2004 11:31 AM
To: focus-ids () securityfocus com
Subject: Entercept HIDS Question

Hello..

We are currently in the process of selecting a HIDS-based product, and according to the Entercept salesperson, they claim that the product has a feature that works very much like Tripwire. My question here is how much overhead does it add to a server to watch the filesystem in real time? And, if we already have Tripwire, would their file integrity checking process be enough to replace Tripwire? And, if anyone is currently using the Entercept HIDS product, I'm wondering how easily it can be managed (not only from the HIDS piece, but from the file integrity standpoint -- excluding files, creating policies, etc.)

Thanks!
-Sam

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security
Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership.
Download your free trial at http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
---------------------------------------------------------------------------
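Jun g.'s description of an agent that sits around the kernel, catches syscalls and validates them against a "specific" signature for known attacks or a "generic" signature for unknown ones, as an added example that is not code from Entercept, Cisco, or anyone in this thread: a toy syscall-interposition policy engine in Python. The process names, rule set, paths and the trace are all constructed for illustration; the `hooked_syscalls` set makes the point about overhead concrete, since only calls some rule needs to see pay the interposition cost.

```python
"""Toy syscall-interposition policy engine (added example, not Entercept code).

Models the two signature classes described in the thread: "specific" rules that
match a known attack technique, and "generic" rules that flag behaviour a class of
process should never exhibit. Everything below (image names, paths, the trace) is
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SyscallEvent:
    pid: int
    comm: str                # image name of the calling process (assumed field)
    syscall: str             # e.g. "accept", "open", "execve"
    args: Tuple[str, ...]    # arguments rendered as strings


ProcessState = Dict[str, object]   # per-pid memory so rules can see sequences


@dataclass
class Rule:
    name: str
    kind: str                                         # "specific" or "generic"
    syscalls: Set[str]                                # calls this rule must see
    match: Callable[[SyscallEvent, ProcessState], bool]
    action: str = "deny"                              # "deny" or "log"


NETWORK_DAEMONS = {"httpd", "sshd"}      # constructed list of network-facing images
SHELLS = {"/bin/sh", "/bin/bash"}


def _is_write(flags: str) -> bool:
    return "O_WRONLY" in flags or "O_RDWR" in flags


RULES: List[Rule] = [
    # Specific: a known rootkit technique, rewriting the loader preload config.
    Rule("write-ld.so.preload", "specific", {"open"},
         lambda e, st: e.args[0] == "/etc/ld.so.preload" and _is_write(e.args[1])),
    # Generic: a network daemon that has accepted a connection and then execs a shell.
    # Needs "accept" hooked too, so the per-process state gets populated.
    Rule("daemon-spawns-shell", "generic", {"accept", "execve"},
         lambda e, st: e.syscall == "execve" and e.comm in NETWORK_DAEMONS
         and bool(st.get("accepted", False)) and e.args[0] in SHELLS),
    # Generic: executing an image out of a world-writable scratch directory.
    Rule("exec-from-tmp", "generic", {"execve"},
         lambda e, st: e.syscall == "execve" and e.args[0].startswith("/tmp/")),
]


def hooked_syscalls(rules: List[Rule]) -> Set[str]:
    """The only calls that need interposition; every other call bypasses the
    engine entirely. This set is what the per-call penalty scales with."""
    return set().union(*(r.syscalls for r in rules))


def evaluate(events: List[SyscallEvent],
             rules: List[Rule]) -> List[Tuple[SyscallEvent, Optional[str], str]]:
    """Return (event, matched rule name or None, verdict) for each event."""
    hooked = hooked_syscalls(rules)
    state: Dict[int, ProcessState] = {}
    verdicts: List[Tuple[SyscallEvent, Optional[str], str]] = []
    for ev in events:
        if ev.syscall not in hooked:
            verdicts.append((ev, None, "allow"))      # fast path: nobody cares
            continue
        st = state.setdefault(ev.pid, {})
        if ev.syscall == "accept":                    # remember network exposure
            st["accepted"] = True
        hit = next((r for r in rules
                    if ev.syscall in r.syscalls and r.match(ev, st)), None)
        verdicts.append((ev, None, "allow") if hit is None
                        else (ev, hit.name, hit.action))
    return verdicts


def summarize(verdicts) -> List[Tuple[int, str, str]]:
    """Just the events that tripped a rule: (pid, rule, verdict)."""
    return [(ev.pid, rule, verdict) for ev, rule, verdict in verdicts if rule]


TRACE = [   # constructed trace, roughly strace-shaped, not real data
    SyscallEvent(100, "httpd", "accept", ("4",)),
    SyscallEvent(100, "httpd", "read", ("5", "GET / HTTP/1.0")),
    SyscallEvent(100, "httpd", "open", ("/var/www/index.html", "O_RDONLY")),
    SyscallEvent(100, "httpd", "execve", ("/bin/sh", "-c", "id")),
    SyscallEvent(200, "cron", "execve", ("/tmp/.p",)),
    SyscallEvent(300, "vi", "open", ("/etc/ld.so.preload", "O_WRONLY|O_CREAT")),
    SyscallEvent(400, "bash", "execve", ("/bin/ls", "-l")),
]


if __name__ == "__main__":
    for ev, rule, verdict in evaluate(TRACE, RULES):
        print(f"pid={ev.pid:<4} {ev.comm:<6} {ev.syscall:<7} {verdict:<5} {rule or ''}")
```

Two caveats a practitioner would want alongside this. The generic rules key on the process image name, which an attacker who already has code execution can influence, so a real agent would identify processes by something it controls (the inode or hash of the executable, a policy group assigned at load time) rather than by `comm`. And the `read` call in the trace never reaches the engine at all, which is the good news about overhead and the bad news about coverage: anything the rules do not ask to hook is invisible to them.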
Current thread:
- Entercept HIDS Question sam (Mar 02)
- <Possible follow-ups>
- RE: Entercept HIDS Question Josh.Berry (Mar 03)
- Re: Entercept HIDS Question gatekeeper (Mar 04)
- RE: Entercept HIDS Question Zach Forsyth (Mar 03)
- RE: Entercept HIDS Question dlimanov (Mar 04)
- RE: Entercept HIDS Question Josh.Berry (Mar 08)
- RE: Entercept HIDS Question Ralph H. Chapman (Mar 08)
- RE: Entercept HIDS Question dlimanov (Mar 08)
- Re: Entercept HIDS Question greg gonzalez (Mar 12)
- Re: Entercept HIDS Question counterveil (Mar 12)
- RE: Entercept HIDS Question simonis (Mar 12)
- Re: Entercept HIDS Question John Bedrick (Mar 12)
- RE: Entercept HIDS Question Ralph H. Chapman (Mar 15)
- Re: Entercept HIDS Question Johann_van_Duyn (Mar 16)