IDS mailing list archives

Re: Who actually has HIDS/HIPS deployed?


From: Joey Peloquin <joeyp () cotse net>
Date: Fri, 18 Aug 2006 08:32:37 -0500

I don't meet all, or even part of your criteria, but will answer anyway, for
the benefit of the list.

astalavista.box.sk () gmail com wrote:
We are rapidly approaching a demo/trial phase in HIDs/HIPs selection and
while we have our own very short list of products we are looking at I have
yet to get any actual concrete feedback from anyone with real production
deployment of HIDs/HIPs software....so this is my last ditch effort.

Been there, done that, with two products.  We tested Sygate on the desktop
before Symantec swallowed them up.  I was very displeased with the BoF
protection, which they were licensing from Determina at the time.  It blew
up on too many legit apps, and their recommended "fix" of whitelisting said
apps, and any others that blew up, doesn't sit well in a company with 150K
users.

The second we tested was directed toward servers, ISS Proventia, but they
have a desktop version as well.  With the bad taste left by Sygate, however,
we dialed the scope down to just DMZ servers and some high-value targets on
the LAN.  Proventia performed very well.

Do you have any host based protection software deployed enterprise-wide?

No, upper management came to the conclusion that we wouldn't get a
sufficient ROI.  Our current AV vendor is doing a lot more than just AV with
its client now, and much to my dismay, it looks like we are married to them
for life.  We may consider desktop HIPS again, but it will have to get more
mature first.

If not enterprise-wide, how widely do you have it deployed?

Again, our deployment will be limited to DMZ servers and high-value LAN targets.

What product are you using?

We'll be using ISS.

What do you like/dislike about it?

Centrally managed, mature engine (black ice), proven to block attacks (I
threw everything I had at it in my lab.. nothing got by).

What I disliked was the lack of auditing and file integrity features.  I'd
prefer to not put more and more agents on my critical servers, so I would
like an all-in-one solution for them.  Server Sensor (another of their
products) has the auditing I am looking for, but running both agents is
neither desired, nor supported.

Do you feel it has been a worthwhile investment?

I know it WILL be, else I wouldn't buy it.  If it gives attackers half the
trouble it's given me while trying to run pen-tests, vulnerability scans,
etc., from my tool server (I've had an agent there since day 1), I'll be a
happy camper.

How long have you had it deployed?

Limited deployment in the DMZ for six months.

How difficult was it to design your deployed configuration so as to
improve security but not dramatically increase helpdesk calls by
breaking something on the workstation?

Not at all.  Just turn things up slowly.  Any product you look at should
have highly configurable policies, giving you the ability to do this.
Deploy in "monitor mode", or the equivalent, and let it bake a while.
Resolve some issues and turn on a little blocking.. rinse and repeat.

How easy is it to manage however many nodes you have it deployed on?
How valuable is the information collected from the agent on those nodes,
how accessible and easy to extract is the information you find yourself
looking for?

Any product you look at should be fairly easy, because every one of them
should have a central console.  If it doesn't, it's not an enterprise class
solution.  That said, all consoles are not created equal and despite a
recent rewrite, ISS' could be improved.  I mentioned Sygate earlier..
deployment was a PITA with them.  Deploying ISS is cake.

Deep packet inspection is a show-stopping requirement of mine (which ISS
meets), and not all agents can provide you with packet captures.  I highly
value the accessibility of packet captures from the host.

Between reporting and the console, I get all the information I need.

Any other comments?

Sure.  If you're looking for peer reviews, hints, or information, why limit
yourself like you did with the statement below?  If you didn't want vendors
to reply, just say, "no vendors, please".  By the way, I work for a retailer.

please only reply if you have a host based protection solution deployed
enterprise-wide, or if you are providing a link to an unbiased review of
a product by someone who does.
[snip]

HTH

-jp
