IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: host-based ips ?

From: "Andrew Plato" <aplato () anitian com>
Date: Wed, 30 Apr 2003 19:02:12 -0700


there are some nips (network based ips), but i never ever heard about 
host based ips. any body have known about this?


Host-based IPS is actually been around even longer than network IPS. The
first commercial IPS product (that is an IDS matched with a firewall)
was the BlackICE product from Network ICE, which is now RealSecure
Server Sensor and Desktop Protector. The big breakthrough with BlackICE
was that it was both a protocol analysis-based IDS and could respond in
*near* real time and block intruders. 

Since then others have joined that market. 

Cisco Secure Agent (formerly Okena StormWatch) is a lot like BlackICE/RS
Desktop in that it's a protocol analysis-based IDS & firewall. It's a
very capable and powerful product. Cisco's acquisition of Okena was
arguably one of the smarter moves Cisco has made in while. I like it
because it has a similar look and feel to ISS's ICEcap and I am a bit of
an ICEcap junkie. 

Entercept is more of a OS-level monitor. Its an interesting product, but
its rather heavy on the system. My company used to sell Entercept and we
had a very hard time getting customers interested in it. In comparison
to other products, Entercept has a very high memory & CPU footprint.

Sygate has a host IPS. I've played with it a bit. Its okay. It does not
have a very large market penetration. 

Symantec's secure agent is not much more than a "personal firewall."
Which is an important distinction. Some people call ZoneAlarm an IPS. I
wouldn't. In my book, an IPS has to be an IDS & a firewall combination.
ZoneAlarm, Symantec, and the other "personal firewalls" do not possess
IDS capabilities (or very rudimentary IDS capabilities). 

If you are evaluating host IPS, make sure you try out Okena and
RealSecure desktop. I feel they are the best of lot. However, I am a
reseller of both, so naturally I would have a preference for them. 

There are some open-source solutions in this space. Sounds like others
have pointed them out.

SHAMELESS PLUG: If you happen to be in Seattle, Washington on June, 10
2003. I will be giving a talk on IPS technologies. I will be discussing
the use of host-IPS as well as network-IPS. Details at:
http://www.anitian.com/seminars/ips.htm 

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Enterprise Security
 
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com 
___________________________________

-------------------------------------------------------------------------------
Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an attack
occurs? No?
No wonder why you're swamped with false positives!
Download a free 15-day trial of Border Guard and watch your false
positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: