RE: Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within)

["Andrew Plato" <andrew.plato () anitian com>]

(Disclaimer, I run a consulting firm that is an ISS reseller.)

You're perfect for an ISS deployment. ISS's network IPS's have some
pretty serious competition, but on the host, ISS is still very much a
leader. RealSecure Server Sensor is hands down the best server IPS. And
Proventia Desktop is still the best host IPS for desktops. These two
products have the most history behind them and a large install base.
Servers have a nice shim that sits in IIS or Apache to get encrypted
traffic before it hits the OS. 

eEye's solution isn't bad, but its pretty new. Cisco Security Agent also
isn't bad, but its expensive and very heavy on the system. I'd avoid
Sygate, it's a messy solution.

The install and deployment will be a little tricky - but that's true of
all host IPS. I'd encourage you to hire somebody who has done some large
ISS deployments as a consultant (Like Anitian!!! Sorry, shameless self
promotion.) 

Also, although not recommended by ISS, you can go cheap and use
Proventia Desktops on servers. Just have to do some extra tuning. 

Some suggestions with ISS - bite the bullet a purchase 3 or 4 years of
support up front. ISS will give you good deals if you prepurchase
support. I've swung 3 for the price of 2 deals. If you don't they jack
up the rates every year. Take this from an old, well worn ISS reseller.
Also, haggle with them on the desktops. If you have a good reseller or
are working with ISS direct, you can usually pummel them down on price.
Tell them you are also evaluating Symantec (even though Symantec's Host
IPS solution is garbage). 

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm 
 



-----Original Message-----
From: mark12_30 () hotmail com [mailto:mark12_30 () hotmail com] 
Sent: Friday, July 15, 2005 1:20 AM
To: focus-ids () securityfocus com
Subject: Host-Based Intrusion Detection/Prevention. Which will you
select? (Requirements within)

Hello,

I'm interested in the general feel from people about what should be used
in the following scenario:

- Large corporation (4000+ servers)
- Looking for Host-Based IDS/IPS for key servers
- Established 24x7 monitoring team
- Solution has to pick up common exploits (Buffer Overruns & API calls
etc)
- Has large, established network IDS
- Only deploying on windows win2k & 2003 servers (web, email, app, db
etc)
- Conservative windows server management group
- Implementing point solution SIEM (eg arcsight etc)

Given the above situation, what would you recomment?  I understand from
a lot of research that HIPS is gathering momentum.  Any thoughts would
be great, esp suggestions on products

Thank you

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------