IDS mailing list archives
Re: Who actually has HIDS/HIPS deployed?
From: Joey Peloquin <joeyp () cotse net>
Date: Fri, 18 Aug 2006 08:32:37 -0500
I don't meet all, or even part, of your criteria, but will answer anyway, for the benefit of the list.

astalavista.box.sk () gmail com wrote:
We are rapidly approaching a demo/trial phase in HIDs/HIPs selection and while we have our own very short list of products we are looking at I have yet to get any actual concrete feedback from anyone with real production deployment of HIDs/HIPs software....so this is my last ditch effort.

Been there, done that, with two products. We tested Sygate on the desktop before Symantec swallowed them up. I was very displeased with the BoF protection, which they were licensing from Determina at the time. It blew up on too many legit apps, and their recommended "fix" of whitelisting said apps, and any others that blew up, doesn't sit well in a company with 150K users. The second we tested was directed toward servers, ISS Proventia, but they have a desktop version as well. With the bad taste left by Sygate, however, we dialed the scope down to just DMZ servers and some high-value targets on the LAN. Proventia performed very well.
Do you have any host based protection software deployed enterprise-wide?
No, upper management came to the conclusion that we wouldn't get a sufficient ROI. Our current AV vendor is doing a lot more than just AV with its client now, and much to my dismay, it looks like we are married to them for life. We may consider desktop HIPS again, but it will have to get more mature first.
If not enterprise-wide, how widely do you have it deployed?
Again, our deployment will be limited to DMZ servers and high-value LAN targets.
What product are you using?
We'll be using ISS.
What do you like/dislike about it?
Centrally managed, mature engine (BlackICE), proven to block attacks (I threw everything I had at it in my lab.. nothing got by). What I disliked was the lack of auditing and file integrity features. I'd prefer to not put more and more agents on my critical servers, so I would like an all-in-one solution for them. Server Sensor (another of their products) has the auditing I am looking for, but running both agents is neither desired, nor supported.
Do you feel it has been a worthwhile investment?
I know it WILL be, else I wouldn't buy it. If it gives attackers half the trouble it's given me while trying to run pen-tests, vulnerability scans, etc., from my tool server (I've had an agent there since day 1), I'll be a happy camper.
How long have you had it deployed?
Limited deployment in the DMZ for six months.
How difficult was it to design your deployed configuration so as to improve security but not dramatically increase helpdesk calls by breaking something on the workstation?

Not at all. Just turn things up slowly. Any product you look at should have highly configurable policies, giving you the ability to do this. Deploy in "monitor mode", or the equivalent, and let it bake a while. Resolve some issues and turn on a little blocking.. rinse and repeat.
How easy is it to manage however many nodes you have it deployed on?
How valuable is the information collected from the agent on those nodes, how accessible and easy to extract is the information you find yourself looking for?

Any product you look at should be fairly easy, because every one of them should have a central console. If it doesn't, it's not an enterprise class solution. That said, all consoles are not created equal and despite a recent rewrite, ISS' could be improved. I mentioned Sygate earlier.. deployment was a PITA with them. Deploying ISS is cake. Deep packet inspection is a show-stopping requirement of mine (which ISS meets), and not all agents can provide you with packet captures. I highly value the accessibility of packet captures from the host. Between reporting and the console, I get all the information I need.
Any other comments?
Sure. If you're looking for peer reviews, hints, or information, why limit yourself like you did with the statement below? If you didn't want vendors to reply, just say, "no vendors, please". By the way, I work for a retailer.
please only reply if you have a host based protection solution deployed enterprise-wide, or if you are providing a link to an unbiased review of a product by someone who does.
[snip]

HTH
-jp
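The staged roll-out described in the reply above (deploy in monitor mode, let it bake, whitelist the legitimate applications that tripped rules, switch those rules to blocking, repeat) can be driven from the agent's own monitor-mode alert data. The following is an added example and is not code from the thread or from any of the products mentioned; the alert log format, rule names, process names and the whitelist threshold are all constructed for illustration and are not those of any real HIPS.

```python
"""Triage HIPS monitor-mode alerts into a per-rule plan for the next
"turn on a little blocking" step.

Added example, not from the thread or any vendor.  The log format,
rule names, process names and thresholds below are assumptions made
for illustration only.
"""
from collections import defaultdict
import re

# Constructed sample of monitor-mode alerts from a bake period, one event
# per line.  Field layout is an assumption for this example.
SAMPLE_LOG = """\
2006-08-01 09:12:03 host=web01 rule=BUFFER_OVERFLOW_EXEC proc=w3wp.exe action=monitor
2006-08-01 09:15:44 host=web02 rule=BUFFER_OVERFLOW_EXEC proc=w3wp.exe action=monitor
2006-08-02 11:02:10 host=web01 rule=BUFFER_OVERFLOW_EXEC proc=w3wp.exe action=monitor
2006-08-02 14:20:31 host=db01 rule=REGISTRY_RUN_KEY_WRITE proc=setup.exe action=monitor
2006-08-03 08:01:59 host=web01 rule=REGISTRY_RUN_KEY_WRITE proc=backupagent.exe action=monitor
2006-08-03 08:05:12 host=web02 rule=REGISTRY_RUN_KEY_WRITE proc=updater.exe action=monitor
2006-08-03 16:44:07 host=db01 rule=REGISTRY_RUN_KEY_WRITE proc=svc_install.exe action=monitor
2006-08-04 02:11:48 host=web02 rule=SHELL_SPAWN_FROM_SERVICE proc=cmd.exe action=monitor
"""

# Rules present in the policy, including one that never fired during the bake.
POLICY_RULES = [
    "BUFFER_OVERFLOW_EXEC",
    "REGISTRY_RUN_KEY_WRITE",
    "SHELL_SPAWN_FROM_SERVICE",
    "RAW_SOCKET_OPEN",
]

# Assumed threshold: if every hit on a rule came from at most this many
# distinct processes, those are "a few legit apps" worth whitelisting so the
# rule can be switched to block.  More than that, keep monitoring and
# investigate before blocking.
MAX_PROCS_TO_WHITELIST = 2

# Processes we already consider true positives (assumption for the example):
# hits from these are not whitelisted, so a rule that only caught them can
# be switched to block immediately.
KNOWN_BAD = frozenset({"cmd.exe"})

LINE_RE = re.compile(r"host=(\S+) rule=(\S+) proc=(\S+) action=(\S+)")


def parse_alerts(text):
    """Return a list of (host, rule, proc) tuples for monitor-mode events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(4) == "monitor":
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def triage(events, rules, max_procs=MAX_PROCS_TO_WHITELIST, known_bad=KNOWN_BAD):
    """Classify each policy rule for the next roll-out step.

    Returns {rule: (decision, processes_to_whitelist)} where decision is:
      "block"                 - no benign hits during the bake; switch to block
      "whitelist_then_block"  - hits from a small set of processes; whitelist
                                them, then switch to block
      "keep_monitoring"       - too many distinct processes hit the rule to
                                whitelist safely; leave in monitor mode
    """
    procs_by_rule = defaultdict(set)
    for _, rule, proc in events:
        procs_by_rule[rule].add(proc)

    plan = {}
    for rule in rules:
        benign = sorted(p for p in procs_by_rule.get(rule, set()) if p not in known_bad)
        if not benign:
            plan[rule] = ("block", [])
        elif len(benign) <= max_procs:
            plan[rule] = ("whitelist_then_block", benign)
        else:
            plan[rule] = ("keep_monitoring", benign)
    return plan


if __name__ == "__main__":
    for rule, (decision, procs) in triage(parse_alerts(SAMPLE_LOG), POLICY_RULES).items():
        extra = " (whitelist: %s)" % ", ".join(procs) if procs else ""
        print("%-26s %s%s" % (rule, decision, extra))
```

Run against the constructed sample, the buffer-overflow rule was tripped only by w3wp.exe, so that one process gets whitelisted and the rule goes to block; the registry rule was hit by four different installers and stays in monitor mode for another pass; the service-shell rule caught only a process already treated as a true positive and the never-fired raw-socket rule both switch straight to block. Each pass through this with real data is one "rinse and repeat" iteration.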
Current thread:
- Who actually has HIDS/HIPS deployed? astalavista . box . sk (Aug 15)
- Re: Who actually has HIDS/HIPS deployed? Joey Peloquin (Aug 18)