Re: [fw-wiz] HIPS experience
- From: "Paul Melson" <pmelson@xxxxxxxxx>
- Date: Wed, 16 May 2007 15:02:48 -0400
I am looking for feedback from those that have rolled out HIPS (hostintrusion prevention).
I am looking for both server and desktop based and would be interested inwhich vendor was
chosen and why. This far I have looked at SANA, Determina, and about tolook at ISS and
Macafee. On the destop we are running xp sp2 with NAV, so I am wonderingif I want to use
hips that supply firewall/av capability. SANA seems to have alot of bellsand whistles but
is a/confusing b/takes a while to train (esp on servers)
I've done several HIPS server roll-outs, all Entercept/McAfee. I was only
involved in one comparo project, and it was Okena Stormwatch (now Cisco)
heads up against Entercept (now McAfee) and there was really no competition.
I've not looked at SANA or Determina beyond their cut sheets.
But here is my advice in rolling out HIPS, especially on servers.
1. Benchmark performance on the servers. For Windows, using System Monitor
is fine. Use the following Perf Objects:
Processor / % Processor Time
Memory / Pages/sec
Memory / Available Mbytes
Physical Disk / % Disk Time
Compare performance with and without HIPS. Note where servers need more
hardware to accomidate HIPS. Also keep an eye out for performance
conflicts. HIPS is invasive and can screw things up. This can be
especially true of vendor A's HIPS product trying to cohabitate with vendor
B's AV product.
2. Plan time for deployment and plan 4x that time for initial tuning. One
thing Entercept did shortly before McAfee acquired them was to create a kind
of step-up policy configuration. From deployment you can turn on their
'high' level events and then medium, and low and so on. And you can do this
in a way that keeps you from being deluged with events from the time you
turn on the agent. Of course, I think this probably also leads to most
deployments never 'stepping up' to more detailed detection. Plan to 'step
up' and expect to spend lots of time tuning. If your HIPS vendor doesn't
have a tiered protection/logging policy like Entercept does, well, make that
6x as much time.
3. When creating policy, logically group and deploy by application and
function, not by OS version. A Win2K3 server running WebSphere is more like
a Win2K server running Jboss than it is like a Win2K3 domain controller.
Group them together because their policy and tuning should be similar. (Of
course, a Solaris server running J2EE should not be tuned the same as a
Win2K server running Jboss.)
firewall-wizards mailing list
- [fw-wiz] HIPS experience
- From: Mike LeBlanc
- [fw-wiz] HIPS experience
- Prev by Date: Re: [fw-wiz] Bridge with transparent proxy
- Next by Date: Re: [fw-wiz] HIPS experience
- Previous by thread: Re: [fw-wiz] HIPS experience
- Next by thread: Re: [fw-wiz] HIPS experience