Hi Paul,
Don't take this the wrong way, but you're asking the
wrong questions! :)
> 1) Ease of install - can it be done through GPO?
> SMS? Login scripts?
Zero-day attack prevention is far more important than
ease of use. DON'T choose a
well-orchestrated/marketed product if it doesn't give
you the protection you need.
>
> 2) Usefulness of the information generated - have
> you detected any
> exploits? How were you notified? Etc.,
>
The whole point of HIDS/HIPS should be to give you a
last line of defence, once attackers/hackers/worms
have got through your perimeter security. Screw
detection at this point. You need active protection.
> 3) Centralized management - is there any? If so,
> how easy is it to use?
> Configurable at the host level? Or group of hosts
> level?
>
There aren't any commercial HIPS/HIDS products that
don't give you this.
> 4) Access to data - is it possible to restrict
> access to the data so that
> an administrator on the server would *not* be able
> to see the output of the
> HIDS?
>
Set up separate 'security administrator' accounts that
separate day-to-day security event logging from day-to-day
account administration.
> 5) Interference with the server - does it consume
> lots of memory or CPU?
Only if they're badly written.
> Is it proactive or passive?
>
Ignore any passive products. If an attacker has got
through all your other protection (firewall, AV, IPS,
IDS) then a passive product is not going to help you.
> 6) Would you purchase again, if you had the option?
>
> PLEASE NOTE: Any vendor on this list who emails me
> suggesting their
> product will be automatically dropped from
> consideration, so be forewarned.
> You're welcome to respond on the list, if you like,
> but don't email me or you'll be eliminated from
> consideration.
I work for Cisco, Juniper, ISS, McAfee, Symantec,
Trend and Check Point, and recommend them all
thoroughly. Does this mean you'll drop the whole
marketplace from consideration now? :)
--- Paul Schmehl <pauls_at_utdallas.edu> wrote:
> I have some questions for real world users (not
> vendors) of HIDS products.
> If you are using HIDS products *and* you're happy
> with the results, please
> respond to the following questions.
>
> 1) Ease of install - can it be done through GPO?
> SMS? Login scripts?
>
> 2) Usefulness of the information generated - have
> you detected any
> exploits? How were you notified? Etc.,
>
> 3) Centralized management - is there any? If so,
> how easy is it to use?
> Configurable at the host level? Or group of hosts
> level?
>
> 4) Access to data - is it possible to restrict
> access to the data so that
> an administrator on the server would *not* be able
> to see the output of the
> HIDS?
>
> 5) Interference with the server - does it consume
> lots of memory or CPU?
> Is it proactive or passive?
>
> 6) Would you purchase again, if you had the option?
>
> PLEASE NOTE: Any vendor on this list who emails me
> suggesting their
> product will be automatically dropped from
> consideration, so be forewarned.
> You're welcome to respond on the list, if you like,
> but don't email me or
> you'll be eliminated from consideration.
>
> Paul Schmehl (pauls_at_utdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Received on Feb 06 2006