Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: HIDS/HIPS Selection Process

from [Spyro Malaspinas] Network Security [Permanent Link]
Subject: RE: HIDS/HIPS Selection Process
Date: Tue, 17 Jan 2006 15:42:13 -0700 
There is a good article which can be found in security focus in Nov 2005,
(http://informationsecurity.techtarget.com/magLogin/1,291245,sid42_gci113792
5,00.html) where they did a bake off of IPS solutions, though they are
network based, many of the same considerations are suggested.

Specifically you want to be wary of 

1. The ability of the HIPS/HIDS solution to work with the applications that
you have running on your network.  Many custom apps are written which do not
abide by RFC specifications and may make unusually system calls etc.  

2.  Next look to ensure that they support the variety of platforms that you
have in production, their obligation to support new OS (Solaris 10, Vista,
etc.).

3. Length of time it takes to tune policies, the management interface that
the solution provides. 

4. Its ability to tie into current SIMs if any are present.

5. Ability to push patches from management console instead of requiring an
administrator to go out and touch each installed agent.

6. Are the solutions anomaly based or signature based or both?

-Spyro Malaspinas


-----Original Message-----
From: Drew Simonis [mailto:simonis@myself.com] 
Sent: Tuesday, January 17, 2006 8:46 AM
To: astalavista.box.sk@gmail.com; focus-ids@securityfocus.com
Subject: Re: HIDS/HIPS Selection Process

If I were going to deploy a host product as broadly as you have indicated, 
I would also look at things like ease of agent management, policy
development
and deployment, integration with SIM products or integration with my
response
process.  I would also evaluate the security relevant application specifics,
such as the context the application runs in, can the user disable it, how 
does it handle crashes, etc.  From a performance aspect, I might want to
know
the load the application puts on my systems, how chatty is it on the network

and are the communications compressed and encrypted.

I'd also test local attacks and see how the system responds to them.  

-Drew


----- Original Message -----
From: astalavista.box.sk@gmail.com
To: focus-ids@securityfocus.com
Subject: HIDS/HIPS Selection Process
Date: 9 Jan 2006 17:58:57 -0000



Our company is about to embark on a search for a HIDS/HIPS solution.
We would like something that can be deployed to servers but our 
primary interest is being able to roll it out to all user laptops 
and possibly even all desktops as well.

I am most aware of (I wouldnt say I am familiar with them) Cisco's 
CSA and Eeye's Blink offering and am trying to build some sort of 
methodology for testing various HIDS/HIPS options and comparing 
them against one another.
My initial thought is to have a number of workstations, each 
installed with its own HIDS but an identical image other than that. 
  I will use our standard desktop image which is missing a couple 
MS Patches and anticipate testing the results across all the 
workstations of working metasploit against known vulnerabilities 
and maybe installing a worm onto a separate machine in this 
isolated environment to see how each deals with it.  Probably also 
subject each host to a nessus or retina scan to see not only what 
it reveals but also how it handles a scan.

Does anyone know if such a document/framework/plan exists (like in 
the SANS reading room or somewhere)?
Do you have any suggestions as to what I should include in my 
process?  I have a basic idea as outlined above which I will begin 
to refine but the more input you can offer me as to what specific 
measurable constructs I should apply in each facet of testing would 
be appreciated.
Any other products that you would reccomend we include in the product

survey?


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------



-- 
___________________________________________________
Play 100s of games for FREE! http://games.mail.com/


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Signatures taking down network, Ghetti, Tim
Next by Date:  Re: Signatures taking down network, Sam Evans
Previous by Thread:  Re: HIDS/HIPS Selection Process, Drew Simonis
Next by Thread:  TCP ACK/RST packets with data in the Reset Cause, Mike Gibson
Indexes:  [Date] [Thread] [Top] [All Lists]