IDS mailing list archives

RE: HIDS/HIPS Selection Process


From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 10 Jan 2006 16:01:48 -0800

DISCLAIMER: I sell almost everything I praise (and knock) in this email.


I would include ISS Proventia Desktop and ServerSensor in your
evaluations as well. They're a worthy host-based IPS product. Sygate
just got acquired by Symantec...I have a bad feeling about that.
SanaSecurity never impressed me very much. McAfee Entercept is
interesting, and worthy of looking at. 

Having done zillions of HIPS deployments, here are my suggestions. I do
have a paper on this - but it's part of our consulting practices so I
can't release it to the public. But I can distill the components of the
HIPS testing and install. 

SERVERS: You'll want to test the HIPS on as many variants of OS as you
have. For example, if you run Windows 2000 and 2003, test it on both.
Ideally, pick a low-priority, production server to use. 

DESKTOPS: Identify 3 to 10 "guinea pigs" in your company. It's better to
test on live systems than pristine lab systems, so you can get a real
good idea of how the software works in the wild. Make sure, as part of
the test, you instruct the users on how to disable the software. That
way, if the users get into trouble, they can remove the software from
the machine. Use a policy that is reasonable, but not overly
restrictive. 

MANAGEMENT: Make sure to set up the management system. Use it to perform
basic tasks, such as deploying agents, reviewing data, updating
signatures. Since the majority of your interaction with the technology
is through the management interface, it's a good idea to spend your time
getting to know it. 

TESTING: Scanning the systems is not as valuable as running specific,
known exploits FROM the system. A Nessus scan against a HIPS will
generate lots of events, but none too interesting. A real test of a HIPS
is how well it can contain itself from intrusion. Ideally, a test should
include these steps:

1. Application Compatibility: Have users run as many "normal"
applications as possible. Note any problems. 
2. Exploit Containment: Locate a payload you can run FROM the system.
For example, I typically use something simple like submitting a huge URL
string to a web server. Even a Code Red string (an easily identifiable
exploit) works. A good HIPS should not only detect inbound attacks, but
also contain exploits outbound. 
3. Exploit Prevention: Download a copy of Metasploit. Use this to run a
few exploits on target machines. Ensure they are detected and named
properly based on the exploit. 

I wouldn't spend a LOT of time on running exploits. It's likely to just
eat up time and not be terribly productive. Most HIPS products are going
to stop anything you can realistically throw at them that is a known
exploit. It's the unknown stuff that is the real problem - and there is
no practical way to test for that. 

The key issues you should consider:

Manageability: Doesn't matter how swell the product is, if it's a pain
to manage you'll hate it in a few weeks. 
Compatibility: If the agent kills your servers every time there is an
update, you'll hate it even more in a few weeks. 

Avoid getting mired into nitpicking on such an evaluation. The vendors
LOVE to degrade these evaluations into little wars over features. I'd
focus on the usability and management - as that has a more profound
impact on your long-term success with the product. 

That much said, my experience is that ISS and Cisco lead the pack in
this space. 

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________
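The original poster asks for "specific measurable constructs" for each facet of testing, and the reply above breaks the evaluation into application compatibility, exploit containment, exploit prevention (detected AND named correctly) and manageability. The following scoring sheet is an added example written for this archive page; it is not code from either poster or from any vendor. The test-case ids, the category weights, the "more than one compatibility failure disqualifies a product" rule and the two sample result sets are all constructed assumptions, chosen to reflect the reply's advice that manageability and compatibility matter more than exploit trivia.

```python
"""Scoring sheet for a HIPS bake-off (added example, not from the thread).

Every product is run through the same test plan. Each case records what the
agent did; the sheet turns that into per-category pass rates, applies the
weights, and flags products that break too many normal applications.
All ids, weights, thresholds and sample results are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# What a HIPS is expected to do in each category (from the reply's three steps).
EXPECTATION = {
    "compatibility": "allow",   # normal applications must keep working
    "containment": "block",     # payload launched FROM the host must be stopped
    "prevention": "detect",     # inbound exploit must be detected and named correctly
}

# Constructed test plan: (case id, category, description).
TEST_PLAN = [
    ("C1", "compatibility", "Office suite opens and saves documents"),
    ("C2", "compatibility", "VPN client connects"),
    ("C3", "compatibility", "Agent survives a signature update without killing the host"),
    ("X1", "containment", "Oversized URL sent from the host to a lab web server"),
    ("P1", "prevention", "Known exploit run against the host in the lab"),
    ("P2", "prevention", "Second known exploit run against the host in the lab"),
]
_CATEGORY_OF = {cid: cat for cid, cat, _ in TEST_PLAN}

# Assumed weights: manageability and compatibility dominate, per the reply.
WEIGHTS = {"manageability": 0.35, "compatibility": 0.35,
           "containment": 0.15, "prevention": 0.15}

# Assumed rule: more than this many broken applications disqualifies a product.
MAX_COMPAT_FAILURES = 1


@dataclass
class CaseResult:
    case_id: str
    observed: str            # "allow", "block", "detect" or "missed"
    reported_name: str = ""  # what the management console called the event


@dataclass
class ProductResult:
    product: str
    manageability: int       # evaluator's 1..5 rating of the console
    cases: List[CaseResult] = field(default_factory=list)
    expected_names: Dict[str, str] = field(default_factory=dict)  # case id -> name


def case_passed(r: CaseResult, expected_names: Dict[str, str]) -> bool:
    """A case passes when the observed behaviour matches the category's expectation."""
    category = _CATEGORY_OF[r.case_id]
    if r.observed != EXPECTATION[category]:
        return False
    if category == "prevention":
        # Step 3 of the reply: detection alone is not enough, the console
        # must name the exploit, so a generic label counts as a failure.
        wanted = expected_names.get(r.case_id, "").lower()
        return wanted != "" and wanted in r.reported_name.lower()
    return True


def category_rates(p: ProductResult) -> Dict[str, float]:
    """Fraction of cases passed in each category (0.0 when none were run)."""
    totals = {cat: 0 for cat in EXPECTATION}
    passed = {cat: 0 for cat in EXPECTATION}
    for r in p.cases:
        cat = _CATEGORY_OF[r.case_id]
        totals[cat] += 1
        if case_passed(r, p.expected_names):
            passed[cat] += 1
    return {cat: (passed[cat] / totals[cat] if totals[cat] else 0.0) for cat in EXPECTATION}


def score(p: ProductResult) -> Tuple[float, bool]:
    """Weighted score in 0..1 plus a disqualification flag for compatibility."""
    rates = category_rates(p)
    compat_failures = sum(1 for r in p.cases
                          if _CATEGORY_OF[r.case_id] == "compatibility"
                          and not case_passed(r, p.expected_names))
    total = WEIGHTS["manageability"] * (p.manageability / 5.0)
    for cat, rate in rates.items():
        total += WEIGHTS[cat] * rate
    return total, compat_failures > MAX_COMPAT_FAILURES


def compare(products: List[ProductResult]) -> List[Tuple[str, float, bool]]:
    """Rank products; disqualified ones sink to the bottom whatever their score."""
    rows = [(p.product, *score(p)) for p in products]
    return sorted(rows, key=lambda row: (row[2], -row[1]))


# Constructed sample results for two fictional products.
SAMPLE_PRODUCTS = [
    ProductResult("Vendor A", manageability=4,
                  cases=[CaseResult("C1", "allow"), CaseResult("C2", "allow"),
                         CaseResult("C3", "allow"), CaseResult("X1", "block"),
                         CaseResult("P1", "detect", "Exploit-1 attempt"),
                         CaseResult("P2", "detect", "Generic buffer overflow")],
                  expected_names={"P1": "exploit-1", "P2": "exploit-2"}),
    ProductResult("Vendor B", manageability=5,
                  cases=[CaseResult("C1", "allow"), CaseResult("C2", "block"),
                         CaseResult("C3", "block"), CaseResult("X1", "block"),
                         CaseResult("P1", "detect", "Exploit-1 attempt"),
                         CaseResult("P2", "detect", "Exploit-2 attempt")],
                  expected_names={"P1": "exploit-1", "P2": "exploit-2"}),
]

if __name__ == "__main__":
    for name, total, dq in compare(SAMPLE_PRODUCTS):
        print(f"{name:10s} score={total:.3f}" + ("  DISQUALIFIED (compatibility)" if dq else ""))
```

In the sample data Vendor B detects and names both exploits and has the nicer console, yet it ranks last because it broke two everyday applications; Vendor A loses points only for labelling one exploit generically. That ordering is the point of the weighting: a bake-off that lets feature counts outrank "does it break my desktops" produces exactly the vendor feature war the reply warns about.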


-----Original Message-----
From: astalavista.box.sk () gmail com [mailto:astalavista.box.sk () gmail com]

Sent: Monday, January 09, 2006 9:59 AM
To: focus-ids () securityfocus com
Subject: HIDS/HIPS Selection Process

Our company is about to embark on a search for a HIDS/HIPS solution.
We would like something that can be deployed to servers but our primary
interest is being able to roll it out to all user laptops and possibly
even all desktops as well.

I am most aware of (I wouldn't say I am familiar with them) Cisco's CSA
and eEye's Blink offering and am trying to build some sort of
methodology for testing various HIDS/HIPS options and comparing them
against one another.
My initial thought is to have a number of workstations, each installed
with its own HIDS but an identical image other than that. I will use
our standard desktop image which is missing a couple MS Patches and
anticipate testing the results across all the workstations of working
Metasploit against known vulnerabilities and maybe installing a worm
onto a separate machine in this isolated environment to see how each
deals with it. Probably also subject each host to a Nessus or Retina
scan to see not only what it reveals but also how it handles a scan.

Does anyone know if such a document/framework/plan exists (like in the
SANS reading room or somewhere)?
Do you have any suggestions as to what I should include in my process?
I have a basic idea as outlined above which I will begin to refine but
the more input you can offer me as to what specific measurable
constructs I should apply in each facet of testing would be appreciated.
Any other products that you would recommend we include in the product
survey?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
