IDS mailing list archives
RE: host-based ips ?
From: "Chris Petersen" <chris () security-conscious com>
Date: Mon, 21 Apr 2003 20:42:57 -0400
Haven't looked at Entercept in a while, but if I were to compare the two, Entercept relies more on signature-based analysis via kernel shim while Okena relies more on a behavior-based approach (although Entercept also claims to do this). Okena models what typically occurs on the system (what programs are running, what files they access, run states, etc.) then applies rules when deviations occur (e.g., kill process). For instance, Okena can restrict the IIS process from accessing any other files/directories besides those specifically permitted (e.g., cmd.exe). In theory, this allows Okena to prevent unknown attacks.

I would think Entercept a better solution when the protected system is changing frequently. I think Okena is promising for systems with a very defined function, fewer applications, and infrequent modifications such as web servers, mail servers, DNS servers, etc. I say this because if the system changes frequently, the behavior policy (Okena) would need to change frequently; this isn't the case with a signature-based approach (Entercept).

As far as Cisco buying Okena, not sure how much that really means. Cisco had been OEM'ing (reselling under their own name) Entercept prior to the Okena acquisition. Many factors go into an acquisition of this sort, quality of the technology being only one of them.

Chris Petersen
Security Conscious, Inc.
www.security-conscious.com
-----Original Message-----
From: Adam Powers [mailto:apowers () lancope com]
Sent: Thursday, April 17, 2003 9:19 PM
To: Quynh Nguyen Anh
Cc: focus-ids () securityfocus com
Subject: RE: host-based ips ?

Assuming "ips" in this context is an acronym for "Intrusion Prevention Systems", yes: Okena and Entercept. Both are "shim" technologies that exist as an agent on the host itself. On the open source side, you could look into systrace. Not sure on Entercept, but Okena's technology looks promising (Cisco thought so anyway).

-----Original Message-----
From: Quynh Nguyen Anh [mailto:quynh () sfc keio ac jp]
Sent: Thursday, April 17, 2003 8:33 AM
To: focus-ids () securityfocus com
Subject: host-based ips ?

Hello, there are some NIPS (network-based IPS), but I never ever heard about host-based IPS. Anybody have known about this? Thank you a lot.

-- Quynh
------------------------------------------------------------------------------ INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids
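The distinction drawn in the thread (a behavior policy that models which files a process may touch and kills on deviation, versus a signature list of known-bad patterns) can be shown with a small policy engine run over constructed audit events. This is an added example, not code from Okena, Entercept, systrace or anyone on the thread; the process name `inetinfo.exe` is assumed as the IIS process image, and every path and event below is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One file-access event as an audit source might report it (constructed)."""
    process: str  # image name of the process
    op: str       # "read", "write" or "exec"
    path: str     # path the process tried to touch


# Behavior policy (the Okena-style model): for each modeled process, the only
# path prefixes it is allowed to touch, per operation. Anything outside the
# allow-list is a deviation and the rule is "kill". Paths are assumptions.
BEHAVIOR_POLICY: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "inetinfo.exe": {
        "read": ("C:/Inetpub/wwwroot/", "C:/Windows/System32/inetsrv/"),
        "write": ("C:/Inetpub/logs/",),
        "exec": (),  # the web server is never expected to spawn a program
    },
}

# Signature approach (the Entercept-style model in the post): a fixed list of
# known-bad patterns that is checked regardless of which process is involved.
SIGNATURES: Tuple[str, ...] = ("cmd.exe",)


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive prefix match, since Windows paths are case-insensitive."""
    return path.lower().startswith(prefix.lower())


def behavior_verdict(policy: Dict[str, Dict[str, Tuple[str, ...]]], ev: AccessEvent) -> str:
    """Return 'permit', 'kill' (deviation from the model) or 'unmodeled'."""
    rules = policy.get(ev.process)
    if rules is None:
        # Process not in the model: a real product would either learn it or
        # default-deny; here we only report that the model does not cover it.
        return "unmodeled"
    allowed = rules.get(ev.op, ())
    return "permit" if any(_under(ev.path, p) for p in allowed) else "kill"


def signature_verdict(sigs: Tuple[str, ...], ev: AccessEvent) -> str:
    """Return 'alert' if the path matches any known-bad pattern, else 'permit'."""
    return "alert" if any(s.lower() in ev.path.lower() for s in sigs) else "permit"


def evaluate(events: List[AccessEvent],
             policy: Dict[str, Dict[str, Tuple[str, ...]]] = BEHAVIOR_POLICY,
             sigs: Tuple[str, ...] = SIGNATURES) -> List[Tuple[AccessEvent, str, str]]:
    """Run both approaches side by side over the same events."""
    return [(ev, behavior_verdict(policy, ev), signature_verdict(sigs, ev)) for ev in events]


# Constructed sample events: two normal accesses, one that both approaches
# catch, and one never-seen-before deviation that only the behavior model catches.
SAMPLE_EVENTS: List[AccessEvent] = [
    AccessEvent("inetinfo.exe", "read", "C:/Inetpub/wwwroot/default.htm"),
    AccessEvent("inetinfo.exe", "write", "C:/Inetpub/logs/ex030421.log"),
    AccessEvent("inetinfo.exe", "exec", "C:/Windows/System32/cmd.exe"),
    AccessEvent("inetinfo.exe", "read", "D:/Data/customer.mdb"),
]


if __name__ == "__main__":
    for ev, behavior, signature in evaluate(SAMPLE_EVENTS):
        print(f"{ev.process} {ev.op:5} {ev.path:40} behavior={behavior:9} signature={signature}")
```

The last event is the point of the post: there is no signature for it, so the signature engine permits it, while the behavior model kills the process because the access is simply not in the allow-list. The flip side, also raised in the post, is visible in `BEHAVIOR_POLICY`: every legitimate new directory the server needs has to be added to the model, which is why a behavior policy suits a host whose function rarely changes.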