RE: host-based ips ?

["Chris Petersen" <chris () security-conscious com>]

Haven't looked at Entercept in awhile but if I were to compare the two,
Entercept relies more on signature based analysis via kernel shim while
Okena relies more on a behavior based approach (although Entercept also
claims to do this).  Okena models what typically occurs on the system
(what programs are running, what files they access, run states, etc.)
than applies rules when deviations occur (e.g., kill process).  For
instance, Okena can restrict the IIS process from accessing any other
files/directories besides those specifically permitted (e.g., cmd.exe).
In theory, this allows Okena to prevent unknown attacks.

I would think Entercept a better solution when the protected system is
changing frequently.  I think Okena is promising for systems with a very
defined function, fewer applications, and infrequent modifications such
as web servers, mail servers, DNS servers, etc.  I say this because if
the system changes frequently, the behavior policy (Okena) would need to
change frequently, this isn't the case with a signature based approach
(Entercept).

As far as Cisco buying Okena, not sure how much that really means.
Cisco had been OEM'ng (reselling under their own name) Entercept prior
to the Okena acquisition.  Many factors go into an acquisition of this
sort, quality of the technology being only one of them.  

Chris Petersen
Security Conscious, Inc.
www.security-conscious.com

> -----Original Message-----
> From: Adam Powers [mailto:apowers () lancope com] 
> Sent: Thursday, April 17, 2003 9:19 PM
> To: Quynh Nguyen Anh
> Cc: focus-ids () securityfocus com
> Subject: RE: host-based ips ?
>
>
> Assuming "ips" in this context is an acronym for "Intrusion 
> Prevention Systems", yes: Okena and Entercept.
>
> Both are "shim" technologies that exist as an agent on the 
> host itself.
>
> On the open source side, you could look into systrace.
>
>
> Not sure on Entercept but Okena's technology looks promising 
> (Cisco thought so anyway).
>
>
>
>
> -----Original Message-----
> From: Quynh Nguyen Anh [mailto:quynh () sfc keio ac jp] 
> Sent: Thursday, April 17, 2003 8:33 AM
> To: focus-ids () securityfocus com
> Subject: host-based ips ?
>
> hello,
>
> there are some nips (network based ips), but i never ever heard about 
> host based ips. any body have known about this?
>
> thanh you a lot.
> -- 
> Quynh
>
>
> --------------------------------------------------------------
> ----------
> ------
> INTRUSION PREVENTION: READY FOR PRIME TIME?
>  
> IntruShield now offers unprecedented Intrusion IntelligenceTM 
> capabilities - 
> including intrusion identification, relevancy, direction, 
> impact and analysis - enabling a path to prevention. 
>  
> Download the latest white paper "Intrusion Prevention: Myths, 
> Challenges, and Requirements" at: 
> http://www.securityfocus.com/IntruVert-focus-> ids
>
>
>
>
>
>
> --------------------------------------------------------------
> ----------------
> INTRUSION PREVENTION: READY FOR PRIME TIME?
>  
> IntruShield now offers unprecedented Intrusion IntelligenceTM 
> capabilities - 
> including intrusion identification, relevancy, direction, 
> impact and analysis - enabling a path to prevention. 
>  
> Download the latest white paper "Intrusion Prevention: Myths, 
> Challenges, and Requirements" at: 
> http://www.securityfocus.com/IntruVert-focus-> ids


------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
 
IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - 
including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention. 
 
Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: 
http://www.securityfocus.com/IntruVert-focus-ids