IDS mailing list archives

RE: Real world experience with HIDS


From: "Charles Heselton" <charles.heselton () gmail com>
Date: Fri, 3 Feb 2006 23:30:04 -0800

You being a vendor, and purposefully NOT mentioning a product sort of
defeats the purpose in my mind.  I think the fact he's asking the questions
he is implies that he's aware of the importance (and diversity) of each of
these aspects....

--
- Charlie

5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF

In memoriam:  http://www.militarycity.com/valor/1029976.html

-----Original Message-----
From: Pukhraj Singh [mailto:pukhraj.singh () gmail com] 
Sent: Thursday, February 02, 2006 6:07 AM
To: Paul Schmehl; focus-ids () securityfocus com
Subject: Re: Real world experience with HIDS

NOTE: I work for a HIPS company, but I am also an information security
enthusiast and a regular contributor to the list. I have some
experience in intrusion prevention which might help you in taking the
right decisions. And you may want to note that I have not mentioned
any vendor product in the response.

----

HIPS (or HIDS) have seen good technological progress in the last few
years. People have realized that HIPS is, in fact, the last line of
defense against attacks. Nowadays, they encompass a number of features
and varying capabilities in order to provide proactive and reactive
defense mechanisms. Before answering your questions specifically, I
would suggest that you have a look at this paper written by Gartner:

Understanding the Nine Protection Styles of Host-Based Intrusion Prevention
http://www.gartner.com/DisplayDocument?doc_cd=127317

This will give you a good insight about the real scope of protection
and prevention using HIPS and what to look for when assessing them.

1) Ease of install - can it be done through GPO?  SMS?  Login scripts?

Yes, most HIPS (agents and management consoles) are quick software
installs and can be managed easily.

2) Usefulness of the information generated - have you detected any
exploits?  How were you notified?  Etc.,

Of course, it is useful. Most HIPS support good notification and
alerting techniques like central alert database, alert/log correlation
and exportation, SMS/Pager/e-mail notifications.

3) Centralized management - is there any?  If so, how easy is it to use?

Yes. This is one of the most important features of a good HIPS. Most
agents will be centrally controlled using a management console or web
interface. It should be intuitive and easily graspable, the reporting
should be compliant with standards, and proper user-level access control
should be provided. It should have the ability to create server
profiles, detect the software running, and thus activate profiles
automatically.

Configurable at the host level?  Or group of hosts level?

Should be at the discretion of the administrator. Should support both.

4) Access to data - is it possible to restrict access to the data so
that an administrator on the server would *not* be able to see the
output of the HIDS?

Yes, as discussed, user-level access control.

5) Interference with the server - does it consume lots of memory or CPU?

Yes. The agent should be as light as possible. Should consume minimal
resources. The control channel noise (between agents and managers)
should be minimal. The latency of the servers should be in
microseconds.

Is it proactive or passive?

As you will see in the Gartner paper, it should do both. It should have the
ability to do protocol anomaly detection, detect vulnerability
specific attacks, and zero-day attacks. Should have the ability to
sanitize/normalize malicious data or edit sessions.

6) Would you purchase again, if you had the option?

Will leave that to you. :)
But personally, I see a good potential for HIPS as providing good
host/server level protection. They can really be effective in
computing environments which have a lot of mobile hosts coming in and
going out, where the network periphery is not the last fortification.

Thanks,
Pukhraj

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------