IDS mailing list archives

RE: Host-Based Intrusion Detection/Prevention. Which will you select? (Requirements within)


From: Mark Teicher <mht3 () earthlink net>
Date: Sun, 17 Jul 2005 12:24:31 -0400

Disclaimer: I have implemented most of the solutions listed below, and have previously worked as an integrations solutions consultant for other products mentioned.

1. Depends on how many of the items listed in the initial thread one wants full coverage for versus (yeah, it has some of those features, but the User Interface is slick).
2. Each product has interesting log capabilities; some have adhered to standard SNMP and syslog formats versus providing a % human readable format with assistance from tech support or 3rd party logging and parsing utilities.
3. Some of the products have good coverage for Buffer Overflows and other such features but lack significant coverage in other areas (i.e. High Availability, limited to Windows platform coverage, etc.).
4. Partial compatibility with other SIM (Security Information Management) products (i.e. Arcsight, GuardedNet).
5. Price per desktop (how do they price it: the more you buy, the better the discount, or is it cheaper to purchase an enterprise license?).
6. What do you mean by large deployment, and in what period of time? Some deployments have taken years and in the process have grown through many different revisions or versions to get all the features desired to work correctly (i.e. support for customized versions of Windows platforms, or Wise versus Installshield versus VPN coverage).
7. I agree: hire a consultant who has lots of hands-on expertise, as in the reseller or product vendor has high regards for their expertise versus (probably can count the consultants who have proven hands-on expertise with them all).

At 01:03 PM 7/15/2005, Andrew Plato wrote:
(Disclaimer, I run a consulting firm that is an ISS reseller.)

You're perfect for an ISS deployment. ISS's network IPS's have some
pretty serious competition, but on the host, ISS is still very much a
leader. RealSecure Server Sensor is hands down the best server IPS. And
Proventia Desktop is still the best host IPS for desktops. These two
products have the most history behind them and a large install base.
Servers have a nice shim that sits in IIS or Apache to get encrypted
traffic before it hits the OS.

eEye's solution isn't bad, but it's pretty new. Cisco Security Agent also
isn't bad, but it's expensive and very heavy on the system. I'd avoid
Sygate, it's a messy solution.

The install and deployment will be a little tricky - but that's true of
all host IPS. I'd encourage you to hire somebody who has done some large
ISS deployments as a consultant (Like Anitian!!! Sorry, shameless self
promotion.)

Also, although not recommended by ISS, you can go cheap and use
Proventia Desktops on servers. Just have to do some extra tuning.

Some suggestions with ISS - bite the bullet and purchase 3 or 4 years of
support up front. ISS will give you good deals if you prepurchase
support. I've swung 3 for the price of 2 deals. If you don't they jack
up the rates every year. Take this from an old, well worn ISS reseller.
Also, haggle with them on the desktops. If you have a good reseller or
are working with ISS direct, you can usually pummel them down on price.
Tell them you are also evaluating Symantec (even though Symantec's Host
IPS solution is garbage).

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG public key available at: http://www.anitian.com/corp/keys.htm




-----Original Message-----
From: mark12_30 () hotmail com [mailto:mark12_30 () hotmail com]
Sent: Friday, July 15, 2005 1:20 AM
To: focus-ids () securityfocus com
Subject: Host-Based Intrusion Detection/Prevention. Which will you
select? (Requirements within)

Hello,

I'm interested in the general feel from people about what should be used
in the following scenario:

- Large corporation (4000+ servers)
- Looking for Host-Based IDS/IPS for key servers
- Established 24x7 monitoring team
- Solution has to pick up common exploits (Buffer Overruns & API calls
etc)
- Has large, established network IDS
- Only deploying on windows win2k & 2003 servers (web, email, app, db
etc)
- Conservative windows server management group
- Implementing point solution SIEM (eg arcsight etc)

Given the above situation, what would you recommend?  I understand from
a lot of research that HIPS is gathering momentum.  Any thoughts would
be great, esp. suggestions on products.

Thank you

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--



