Re: [fw-wiz] HIPS experience

Kristian Hermansen said:
On 5/15/07, "Mike LeBlanc" <mlinfosec@xxxxxxxxxxx> wrote:
Would love to hear any feedback from the list on these or other

Have you considered Cisco Security Agent? This is the de facto
standard amongst corporations/governments with highly valuable assets.
Although, the costs are also quite reasonable for both Desktop and
Server licensing. CSA protects against Zero Day attacks, which is
something many products claim, but few actually do.

Three jobs ago I had a lot of experience with CSA, ending in August 2004.
We purchased 100 licenses for it, and I spent about a year supporting it,
along with a Cisco VPN concentrator that was configured to allow access to
only clients that were running CSA.

So I have a pretty good working knowledge of it, although my info may be a
little out of date.

First, I'll say I think it's a great product. When properly installed and
administered, it provides better protection than conventional
signature-based anti-virus/worm/spyware products.

But there are caveats.

First, the default installation allows users, in some cases, to make the
decision about whether or not a particular event can occur. This is always
a mistake. We all know that there are users who consider pop-up alerts to
be nothing but an irritant and will always click on "Allow". I actually
had one tell me that he did this without even reading the message. "So, if
it popped up with 'Program disk-killer wants to reformat your hard-drive.
Allow?'," I asked him, "you'd click on 'Allow'?" He didn't bother to
reply, because we both knew what his answer would be.

So you have to run it in the mode where users never get to make the
decision. This increases the workload for the central administrator. Not
only must you routinely review all the alerts from the client population
(I did this twice per day), but you must be available to intervene
whenever someone wants to install some software and wants to do it NOW.

The way this works is that you approve a particular event at the
management console (a CiscoWorks module) and the new policy is exported
out to all CSA clients. This means that if 50 users are going to install a
new piece of software, the first one to try it will fail, and an alert
gets sent to the management server. The admin approves it, the new policy
gets exported, and the other 49 users can install the sw without problem.

Reviewing the event logs and trying to decide what was safe was pretty
time-consuming. I spent a lot of time Googling .exe files to find out what
they were. I also had to keep up with MS updates.

As I said, the management software is a component of CiscoWorks. It didn't
start out that way. The product was developed by Okeena, who were bought
out by Cisco. The management piece was stand-alone and cost about $3k.
Cisco dropped that and bundled it into CiscoWorks, which costs about $10k.

The licenses are pricey. Workstation licenses retail about $50-60
(depending on how many you buy) and server licenses are well over $1,000.

Checkpoint has a very similar product (i.e. a behavioral, not signature-based,
HIPS) known as "Integrity Secure Client". The management center is stand-alone,
costs about $3k IIRC. The client licenses cost less as well. For an
additional fee you get point-and-click access to a big database of events
and software, so it's much easier to determine whether a particular .exe
is safe.

I had planned to evaluate the product, but never got to it, so I don't
know how well it performed versus Cisco SA. Interestingly, it's supported
by Cisco VPN concentrators.

As for CSA, yes, it offers great protection. I ran it on all my own
Windows workstations. However, given the cost of client licenses,
CiscoWorks, and the time required to administer it, I don't see it as a
solution for a small business, or even many medium-sized ones.

configuration, and requiring no user interaction after installation
(takes 30-60 minutes to install):

30-60 minutes? No, more like 10.


Yep. Unpatched computers with CSA were not infected.


Scott L. Stursa
CCNA, MCSA, Security+
firewall-wizards mailing list
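The approval workflow the post describes (first user blocked, alert to the console, admin approves, new policy exported to every client, remaining users succeed) and the contrast with letting users answer the pop-up themselves, as an added illustration in Python. This is not Cisco's or Check Point's code; the classes, host names and installer bytes are constructed for the example, and approvals are keyed on a content hash rather than a file name, which is an assumption about good practice, not a description of how CSA stored its rules.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One intercepted action on a client, as reported to the console."""
    host: str
    user: str
    program: str    # file name only, e.g. "setup.exe"
    content: bytes  # constructed stand-in for the executable's bytes
    action: str     # e.g. "install"

    @property
    def fingerprint(self) -> str:
        # Key approvals on a content hash, not the file name, so a different
        # binary with the same name does not inherit an earlier approval.
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    version: int = 0
    allowed: frozenset = frozenset()  # {(fingerprint, action), ...}


class ManagementServer:
    """Central console: collects alerts, holds the policy, pushes updates."""

    def __init__(self):
        self.policy = Policy()
        self.alerts: list[Event] = []        # the queue the admin reviews
        self.clients: list["Client"] = []

    def register(self, client: "Client") -> None:
        self.clients.append(client)
        client.policy = self.policy

    def receive_alert(self, event: Event) -> None:
        self.alerts.append(event)

    def approve(self, event: Event) -> int:
        """Admin approves a reviewed alert; the new policy version goes to all clients."""
        allowed = self.policy.allowed | {(event.fingerprint, event.action)}
        self.policy = Policy(self.policy.version + 1, allowed)
        self.alerts = [a for a in self.alerts
                       if (a.fingerprint, a.action) not in allowed]
        for client in self.clients:
            client.policy = self.policy  # the "export" step from the post
        return self.policy.version


class Client:
    """Host agent: deny by default unless the policy lists the exact event."""

    def __init__(self, host: str, server: ManagementServer, user_decides: bool = False):
        self.host = host
        self.server = server
        self.user_decides = user_decides
        self.policy = Policy()
        server.register(self)

    def attempt(self, event: Event, user_clicks: str = "allow") -> bool:
        if (event.fingerprint, event.action) in self.policy.allowed:
            return True
        if self.user_decides:
            # Pop-up mode: the user answers, and the post's point is that the
            # answer is usually "Allow" without reading. No alert is raised.
            return user_clicks == "allow"
        # Centralized mode: block, alert the console, wait for the admin.
        self.server.receive_alert(event)
        return False


def centralized_rollout(n_users: int = 50) -> dict:
    """Fifty users install the same package under centralized approval."""
    server = ManagementServer()
    clients = [Client(f"ws{i:02d}", server) for i in range(n_users)]
    installer = b"constructed bytes of a new installer"
    events = [Event(c.host, f"user{i}", "setup.exe", installer, "install")
              for i, c in enumerate(clients)]
    first = clients[0].attempt(events[0])        # blocked, alert raised
    alerts_before = len(server.alerts)
    version = server.approve(server.alerts[0])   # admin reviews and approves
    rest = [c.attempt(e) for c, e in zip(clients[1:], events[1:])]
    pending = len(server.alerts)
    # Same file name, different bytes: must not ride on the earlier approval.
    lookalike = Event(clients[1].host, "user1", "setup.exe", b"other bytes", "install")
    return {
        "first_attempt": first,
        "alerts_before_approval": alerts_before,
        "policy_version": version,
        "others_allowed": all(rest),
        "pending_after_approval": pending,
        "different_binary_same_name": clients[1].attempt(lookalike),
        "every_client_on_latest": all(c.policy.version == version for c in clients),
    }


def user_decides_mode() -> bool:
    """Same unknown binary, but the pop-up lets the user answer."""
    server = ManagementServer()
    c = Client("ws99", server, user_decides=True)
    ev = Event("ws99", "bob", "disk-killer.exe", b"unknown binary", "reformat")
    return c.attempt(ev, user_clicks="allow")   # True: nothing blocked, no alert
```

The two scenario functions make the trade-off in the post concrete: the centralized path costs one blocked attempt and one admin decision per new package, but every other client picks up the same policy version and a lookalike binary still gets stopped; the pop-up path costs nothing in admin time and also records nothing, so the console never learns the event happened.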
