Karel Chwistek wrote:
For HIDS's, there appears to be three main categories: monitoring the
host's file system, the host's network connections, and the host's log
files.
--Host's file system: I'm looking at Tripwire Manager, Tripwire for
Servers, and Tripwire for Network Devices.
Slightly OT - but are the days of filesystem monitoring over? I mean,
systems must move towards automated updates (e.g. Windows Update, YUM) -
which means that "the system" can and will change OS files at will. A
filesystem integrity checking solution will go off nearly daily in such
an environment.
Or am I just out of touch, and the commercial ones take that into
account somehow (it would be easy enough on RPM-based Linux systems -
they could interrogate the RPM database to see if something was recently
upgraded. Hmmm - but how could they tell it wasn't done by a hacker?)
I know this list is full of people who do InfoSec for a living - but the
cold reality is that 99.9% of business isn't represented here - they
need security solutions that work and don't require a lot of interaction
(I am forever hearing from people about their failed NIDS rollouts
because they didn't appreciate the amount of personnel time and effort
was required to maintain it). HIDS - like NIDS - need lots of
interaction (how many of our Mums can run ZoneAlarm comprehensively?)
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
