IDS mailing list archives
RE: Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within)
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Fri, 15 Jul 2005 10:03:00 -0700
(Disclaimer: I run a consulting firm that is an ISS reseller.)

You're perfect for an ISS deployment. ISS's network IPSs have some pretty serious competition, but on the host, ISS is still very much a leader. RealSecure Server Sensor is hands down the best server IPS, and Proventia Desktop is still the best host IPS for desktops. These two products have the most history behind them and a large install base. Servers have a nice shim that sits in IIS or Apache to get encrypted traffic before it hits the OS.

eEye's solution isn't bad, but it's pretty new. Cisco Security Agent also isn't bad, but it's expensive and very heavy on the system. I'd avoid Sygate; it's a messy solution.

The install and deployment will be a little tricky, but that's true of all host IPS. I'd encourage you to hire somebody who has done some large ISS deployments as a consultant (like Anitian!!! Sorry, shameless self-promotion). Also, although not recommended by ISS, you can go cheap and use Proventia Desktop on servers. You just have to do some extra tuning.

Some suggestions with ISS: bite the bullet and purchase 3 or 4 years of support up front. ISS will give you good deals if you prepurchase support. I've swung 3-for-the-price-of-2 deals. If you don't, they jack up the rates every year. Take this from an old, well-worn ISS reseller. Also, haggle with them on the desktops. If you have a good reseller or are working with ISS direct, you can usually pummel them down on price. Tell them you are also evaluating Symantec (even though Symantec's host IPS solution is garbage).
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
GPG public key available at: http://www.anitian.com/corp/keys.htm

-----Original Message-----
From: mark12_30 () hotmail com [mailto:mark12_30 () hotmail com]
Sent: Friday, July 15, 2005 1:20 AM
To: focus-ids () securityfocus com
Subject: Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within)

Hello,

I'm interested in the general feel from people about what should be used in the following scenario:
- Large corporation (4000+ servers)
- Looking for host-based IDS/IPS for key servers
- Established 24x7 monitoring team
- Solution has to pick up common exploits (buffer overruns, API calls, etc.)
- Has large, established network IDS
- Only deploying on Windows 2000 and 2003 servers (web, email, app, DB, etc.)
- Conservative Windows server management group
- Implementing point-solution SIEM (e.g. ArcSight, etc.)

Given the above situation, what would you recommend? I understand from a lot of research that HIPS is gathering momentum. Any thoughts would be great, esp. suggestions on products.

Thank you

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
Current thread:
- Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within) mark12_30 (Jul 15)
- Re: Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within) Mark Teicher (Jul 18)
- <Possible follow-ups>
- RE: Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within) Brunner, Mark (Jul 17)
- RE: Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within) Andrew Plato (Jul 17)
- Message not available