IDS mailing list archives
RE: HIDS/HIPS Selection Process
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Tue, 10 Jan 2006 16:01:48 -0800
DISCLAIMER: I sell almost everything I praise (and knock) in this email.

I would include ISS Proventia Desktop and ServerSensor in your evaluations as well. They're a worthy host-based IPS product. Sygate just got acquired by Symantec... I have a bad feeling about that. SanaSecurity never impressed me very much. McAfee Entercept is interesting, and worthy of looking at.

Having done zillions of HIPS deployments, here are my suggestions. I do have a paper on this - but it's part of our consulting practices so I can't release it to the public. But I can distill the components of the HIPS testing and install.

SERVERS: You'll want to test the HIPS on as many variants of OS as you have. For example, if you run Windows 2000 and 2003, test it on both. Ideally, pick a low-priority, production server to use.

DESKTOPS: Identify 3 to 10 "guinea pigs" in your company. It's better to test on live systems than pristine lab systems, so you can get a real good idea of how the software works in the wild. Make sure, as part of the test, you instruct the users on how to disable the software. That way, if the users get into trouble, they can remove the software from the machine. Use a policy that is reasonable, but not overly restrictive.

MANAGEMENT: Make sure to set up the management system. Use it to perform basic tasks, such as deploying agents, reviewing data, updating signatures. Since the majority of your interaction with the technology is through the management interface, it's a good idea to spend your time getting to know it.

TESTING: Scanning the systems is not as valuable as running specific, known exploits FROM the system. A Nessus scan against a HIPS will generate lots of events, but none too interesting. A real test of a HIPS is how well it can contain itself from intrusion. Ideally, a test should include these steps:

1. Application Compatibility: Have users run as many "normal" applications as possible. Note any problems.

2. Exploit Containment: Locate a payload you can run FROM the system. For example, I typically use something simple like submitting a huge URL string to a web server. Even a Code Red string (an easily identifiable exploit) works. A good HIPS should not only detect inbound attacks, but also contain exploits outbound.

3. Exploit Prevention: Download a copy of Metasploit. Use this to run a few exploits on target machines. Ensure they are detected and named properly based on the exploit.

I wouldn't spend a LOT of time on running exploits. It's likely to just eat up time and not be terribly productive. Most HIPS products are going to stop anything you can realistically throw at them that is a known exploit. It's the unknown stuff that is the real problem - and there is no practical way to test for that.

The key issues you should consider:

Manageability: Doesn't matter how swell the product is, if it's a pain to manage you'll hate it in a few weeks.

Compatibility: If the agent kills your servers every time there is an update, you'll hate it even more in a few weeks.

Avoid getting mired in nitpicking on such an evaluation. The vendors LOVE to degrade these evaluations into little wars over features. I'd focus on the usability and management - as that has a more profound impact on your long-term success with the product.

That much said, my experience is that ISS and Cisco lead the pack in this space.

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

-----Original Message-----
From: astalavista.box.sk () gmail com [mailto:astalavista.box.sk () gmail com]
Sent: Monday, January 09, 2006 9:59 AM
To: focus-ids () securityfocus com
Subject: HIDS/HIPS Selection Process

Our company is about to embark on a search for a HIDS/HIPS solution. We would like something that can be deployed to servers, but our primary interest is being able to roll it out to all user laptops and possibly even all desktops as well. I am most aware of (I wouldn't say I am familiar with them) Cisco's CSA and eEye's Blink offering and am trying to build some sort of methodology for testing various HIDS/HIPS options and comparing them against one another.

My initial thought is to have a number of workstations, each installed with its own HIDS but an identical image other than that. I will use our standard desktop image, which is missing a couple of MS patches, and anticipate testing the results across all the workstations of working Metasploit against known vulnerabilities and maybe installing a worm onto a separate machine in this isolated environment to see how each deals with it. Probably also subject each host to a Nessus or Retina scan to see not only what it reveals but also how it handles a scan.

Does anyone know if such a document/framework/plan exists (like in the SANS reading room or somewhere)? Do you have any suggestions as to what I should include in my process? I have a basic idea as outlined above which I will begin to refine, but the more input you can offer me as to what specific measurable constructs I should apply in each facet of testing would be appreciated. Any other products that you would recommend we include in the product survey?

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
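An added example, not code from Andrew Plato's message or his paper: a small Python harness for step 2 above (exploit containment) that fires the "huge URL" and Code Red-style requests FROM the host under test and classifies the client-side outcome as delivered or blocked. It also adds the check a practitioner wants before crediting an agent: a baseline run with no agent installed, so that a "blocked" result is only counted as containment when the same probe got through without the agent (otherwise the web server or the network rejected it, not the HIPS). The local recording server, the probe names, the 16 KB URL length and the target address in the usage comment are my assumptions; the Code Red string is only the well-known signature prefix of the worm's request line, not the worm, and exploits nothing.

```python
"""Outbound exploit-containment probes for a HIPS bake-off.

Every probe is launched FROM the host under test. An outcome is 'delivered'
when the web server answered (the request left the host intact) and
'blocked' when the connection was refused, reset or timed out, which is
what an outbound HIPS rule looks like from the client side. Run once with no
agent installed to get a baseline, then once per candidate agent/policy.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Signature portion of the Code Red request line (default.ida plus the
# %u-encoded shellcode prefix). It trips IDS/HIPS signatures but is not the
# worm and exploits nothing on the recording server below. (Assumed probe.)
CODE_RED_URI = "/default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801"


def build_probes(huge_url_len=16384):
    """Raw HTTP/1.0 requests to fire, keyed by probe name (constructed here)."""
    huge_uri = "/" + "A" * huge_url_len
    return {
        "huge_url": f"GET {huge_uri} HTTP/1.0\r\nHost: target\r\n\r\n".encode(),
        "code_red": f"GET {CODE_RED_URI} HTTP/1.0\r\nHost: target\r\n\r\n".encode(),
    }


class _Recorder(BaseHTTPRequestHandler):
    """Stand-in web server: records each request line and answers 200."""

    def do_GET(self):
        self.server.received.append(self.requestline)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request console noise
        pass


def _start_recorder():
    srv = HTTPServer(("127.0.0.1", 0), _Recorder)  # ephemeral port
    srv.received = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fire_probe(host, port, raw_request, timeout=3.0):
    """Send one raw request from this host; classify the client-side result."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(raw_request)
            reply = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except OSError:  # refused, reset or timed out: something cut it off
        return "blocked"
    return "delivered" if reply.startswith(b"HTTP/") else "blocked"


def run_containment_tests(host=None, port=None):
    """Fire all probes at host:port and return {probe: outcome}.

    With no host given, a local recording server is started so the run is
    self-contained; a machine with no agent should report every probe
    'delivered'.
    """
    srv = None
    if host is None:
        srv = _start_recorder()
        host, port = srv.server_address
    try:
        return {name: fire_probe(host, port, raw)
                for name, raw in build_probes().items()}
    finally:
        if srv is not None:
            srv.shutdown()
            srv.server_close()


def containment_report(baseline, with_agent):
    """Compare a no-agent baseline against a run with the agent installed.

    A 'blocked' result only counts as containment when the same probe was
    'delivered' in the baseline; otherwise the target server (or the
    network) rejected it on its own and the agent gets no credit.
    """
    report = {}
    for name, base in baseline.items():
        agent = with_agent.get(name, "blocked")
        if base != "delivered":
            report[name] = "inconclusive"
        elif agent == "blocked":
            report[name] = "contained"
        else:
            report[name] = "not contained"
    return report


if __name__ == "__main__":
    baseline = run_containment_tests()  # no agent: everything delivered
    print(baseline)
    # With an agent installed, point the second run at your real web server
    # (address below is a placeholder) and compare against the baseline:
    # with_agent = run_containment_tests("192.0.2.10", 80)
    # print(containment_report(baseline, with_agent))
```

Run the baseline on the guinea-pig machine before the agent goes on, keep the dict, then rerun against the same web server with each candidate agent and policy and feed both into containment_report; a probe that is "inconclusive" means your target server rejects it by itself (many web servers refuse a 16 KB request line) and needs a different target or a smaller URL before it tells you anything about the HIPS.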
Current thread:
- HIDS/HIPS Selection Process astalavista . box . sk (Jan 10)
- <Possible follow-ups>
- RE: HIDS/HIPS Selection Process Andrew Plato (Jan 11)
- Re: HIDS/HIPS Selection Process Drew Simonis (Jan 17)
- RE: HIDS/HIPS Selection Process Spyro Malaspinas (Jan 20)