focus-ids: IDS mailing list archives

Re: HIDS/HIPS Selection Process
From: "Drew Simonis" <simonis () myself com>
Date: Tue, 17 Jan 2006 10:46:24 -0500

If I were going to deploy a host product as broadly as you have indicated, 
I would also look at things like ease of agent management, policy development
and deployment, integration with SIM products or integration with my response
process.  I would also evaluate the security relevant application specifics,
such as the context the application runs in, can the user disable it, how 
does it handle crashes, etc.  From a performance aspect, I might want to know
the load the application puts on my systems, how chatty is it on the network 
and are the communications compressed and encrypted.

I'd also test local attacks and see how the system responds to them.  

-Drew


----- Original Message -----
From: astalavista.box.sk () gmail com
To: focus-ids () securityfocus com
Subject: HIDS/HIPS Selection Process
Date: 9 Jan 2006 17:58:57 -0000


Our company is about to embark on a search for a HIDS/HIPS solution.
We would like something that can be deployed to servers but our 
primary interest is being able to roll it out to all user laptops 
and possibly even all desktops as well.

I am most aware of (I wouldn't say I am familiar with them) Cisco's 
CSA and eEye's Blink offering and am trying to build some sort of 
methodology for testing various HIDS/HIPS options and comparing 
them against one another.
My initial thought is to have a number of workstations, each 
installed with its own HIDS but an identical image other than that. 
I will use our standard desktop image which is missing a couple 
MS Patches and anticipate testing the results across all the 
workstations of working Metasploit against known vulnerabilities 
and maybe installing a worm onto a separate machine in this 
isolated environment to see how each deals with it.  Probably also 
subject each host to a Nessus or Retina scan to see not only what 
it reveals but also how it handles a scan.

Does anyone know if such a document/framework/plan exists (like in 
the SANS reading room or somewhere)?
Do you have any suggestions as to what I should include in my 
process?  I have a basic idea as outlined above which I will begin 
to refine but the more input you can offer me as to what specific 
measurable constructs I should apply in each facet of testing would 
be appreciated.
Any other products that you would recommend we include in the product survey?






