IDS mailing list archives
RE: Real world experience with HIDS
From: "Charles Heselton" <charles.heselton () gmail com>
Date: Fri, 3 Feb 2006 23:30:04 -0800
You being a vendor, and purposefully NOT mentioning a product, sort of defeats the purpose in my mind. I think the fact he's asking the questions he is implies that he's aware of the importance (and diversity) of each of these aspects....

--
- Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
In memoriam: http://www.militarycity.com/valor/1029976.html
-----Original Message-----
From: Pukhraj Singh [mailto:pukhraj.singh () gmail com]
Sent: Thursday, February 02, 2006 6:07 AM
To: Paul Schmehl; focus-ids () securityfocus com
Subject: Re: Real world experience with HIDS

NOTE: I work for a HIPS company, but I am also an information security enthusiast and a regular contributor to the list. I have some experience in intrusion prevention which might help you in taking the right decisions. And you may want to note that I have not mentioned any vendor product in the response.

----

HIPS (or HIDS) have seen good technological progress in the last few years. People have realized that HIPS is, in fact, the last line of defense against attacks. Nowadays, they encompass a number of features and varying capabilities in order to provide proactive and reactive defense mechanisms.

Before answering your questions specifically, I would suggest that you have a look at this paper written by Gartner:

Understanding the Nine Protection Styles of Host-Based Intrusion Prevention
http://www.gartner.com/DisplayDocument?doc_cd=127317

This will give you a good insight into the real scope of protection and prevention using HIPS and what to look for when assessing them.

> 1) Ease of install - can it be done through GPO? SMS? Login scripts?

Yes, most HIPS (agents and management consoles) are quick software installs and can be managed easily.

> 2) Usefulness of the information generated - have you detected any exploits? How were you notified? Etc.,

Of course, it is useful. Most HIPS support good notification and alerting techniques like a central alert database, alert/log correlation and exportation, and SMS/pager/e-mail notifications.

> 3) Centralized management - is there any? If so, how easy is it to use?

Yes. This is one of the most important features of a good HIPS. Most agents will be centrally controlled using a management console or web interface. It should be intuitive and easily graspable, the reporting should be compliant with standards, and proper user-level access control should be provided. It should have the ability to create server profiles, detect the software running and thus activate profiles automatically.

> Configurable at the host level? Or group of hosts level?

Should be at the discretion of the administrator. Should support both.

> 4) Access to data - is it possible to restrict access to the data so that an administrator on the server would *not* be able to see the output of the HIDS?

Yes, as discussed, user-level access control.

> 5) Interference with the server - does it consume lots of memory or CPU?

Yes. The agent should be as light as possible. Should consume minimal resources. The control channel noise (between agents and managers) should be minimal. The latency of the servers should be in micro-seconds.

> Is it proactive or passive?

As you will see in the Gartner paper, it should do both. It should have the ability to do protocol anomaly detection, detect vulnerability-specific attacks, zero-day attacks. Should have the ability to sanitize/normalize malicious data or edit sessions.

> 6) Would you purchase again, if you had the option?

Will leave that to you. :) But personally, I see a good potential for HIPS as providing good host/server level protection. They can really be effective in computing environments which have a lot of mobile hosts coming in and coming out where the network periphery is not the last fortification.

Thanks,
Pukhraj

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
Current thread:
- Re: Real world experience with HIDS Pukhraj Singh (Feb 02)
- RE: Real world experience with HIDS Charles Heselton (Feb 07)
- <Possible follow-ups>
- RE: Real world experience with HIDS Palmer, Paul (ISSAtlanta) (Feb 02)
- Re: Real world experience with HIDS FinAckSyn (Feb 06)
- Re: Real world experience with HIDS Paul Schmehl (Feb 06)
- RE: Real world experience with HIDS Gregg Earnhart (Feb 07)
- Real world experience with Dlink Hotspot Max Kreimerman (Feb 07)
- Re: Real world experience with HIDS lucien Fransman (Feb 07)
- Re: Real world experience with HIDS Paul Schmehl (Feb 06)
- RE: Real world experience with HIDS Sekurity Wizard (Feb 07)
- Re: Real world experience with HIDS Daniel Cid (Feb 13)
- Re: Real world experience with HIDS Sebastien Tricaud (Feb 14)