You being a vendor, and purposefully NOT mentioning a product sort of
defeats the purpose in my mind. I think the fact he's asking the questions
he is implies that he's aware of the importance (and diversity) of each of
these aspects....
--
- Charlie
5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF
In memoriam: http://www.militarycity.com/valor/1029976.html
> -----Original Message-----
> From: Pukhraj Singh [mailto:pukhraj.singh_at_gmail.com]
> Sent: Thursday, February 02, 2006 6:07 AM
> To: Paul Schmehl; focus-ids_at_securityfocus.com
> Subject: Re: Real world experience with HIDS
>
> NOTE: I work for a HIPS company, but I am also an information security
> enthusiast and a regular contributor to the list. I have some
> experience in intrusion prevention which might help you in taking
> right decisions. And you may want to note that I have not mentioned
> any vendor product in the response.
>
> ----
>
> HIPS (or HIDS) have seen good technological progress in the last few
> years. People have realized that HIPS is, in fact, the last line of
> defense against attacks. Nowadays, they encompass a number of features
> and varying capabilities in order to provide proactive and reactive
> defense mechanisms. Before answering your questions specifically, I
> would suggest that you have a look at this paper written by Gartner:
>
> Understanding the Nine Protection Styles of Host-Based
> Intrusion Prevention
> http://www.gartner.com/DisplayDocument?doc_cd=127317
>
> This will give you a good insight about the real scope of protection
> and prevention using HIPS and what to look for when assessing them.
>
> > 1) Ease of install - can it be done through GPO? SMS?
> > Login scripts?
>
> Yes, most HIPS (agents and management consoles) are quick software
> installs and can be managed easily.
>
> > 2) Usefulness of the information generated - have you detected any
> > exploits? How were you notified? Etc.,
>
> Of course, it is useful. Most HIPS support good notification and
> alerting techniques like a central alert database, alert/log correlation
> and exportation, and SMS/pager/e-mail notifications.
>
> > 3) Centralized management - is there any? If so, how easy
> > is it to use?
>
> Yes. This is one of the most important features of a good HIPS. Most
> Agents will be centrally controlled using a management console or web
> interface. It should be intuitive and easily graspable, the reporting
> should be compliant with standards, proper user-level access control
> should be provided. It should have the ability to create server
> profiles, detect the software running and thus activate profiles
> automatically.
>
> > Configurable at the host level? Or group of hosts level?
>
> Should be at the discretion of the administrator. Should support both.
>
> > 4) Access to data - is it possible to restrict access to the data so
> > that an administrator on the server would *not* be able to see the
> > output of the HIDS?
>
> Yes, as discussed, User-level access control.
>
> > 5) Interference with the server - does it consume lots of
> > memory or CPU?
>
> Yes. The agent should be as light as possible. Should consume minimal
> resources. The control channel noise (between agents and managers)
> should be minimal. The latency of the servers should be in
> micro-seconds.
>
> > Is it proactive or passive?
>
> As you will see in the Gartner paper, it should do both. It should have the
> ability to do protocol anomaly detection and detect vulnerability
> specific attacks and zero-day attacks. It should have the ability to
> sanitize/normalize malicious data or edit sessions.
>
> > 6) Would you purchase again, if you had the option?
>
> Will leave that to you. :)
> But personally, I see a good potential for HIPS as providing a good
> host/server level protection. They can really be effective in
> computing environments which have a lot of mobile hosts coming in and
> coming out where network periphery is not the last fortification.
>
> Thanks,
> Pukhraj
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
Received on Feb 07 2006