RE: Looking for Host Based IDS (In a nutshell !)

From: Oliver Petruzel (opetruzel@cox.rr.com)
Date: 12/20/01


From: "Oliver Petruzel" <opetruzel@cox.rr.com>
To: <focus-ids@securityfocus.com>, "'Guy Fighel'" <GuyF@xpert.com>
Date: Thu, 20 Dec 2001 01:21:39 -0500

Ok, HIDS (Host or Hybrid, take your pick)

You have all forgotten to mention, or maybe I missed it, so I will put a
good word in for DragonSquire...

Okena is an up and comer, but still remains limited in OS support and
company maturity. It shows promise using a VERY similar approach to
"application shielding" or "cybervaulting" as Entercept. However,
Entercept maintains a stronger(read: longer) history and has a good
reputation as a key partner of Cisco.

The key in deciding your HIDS is in the decision to move toward a
heuristic or preventative product, or continuing to monitor (fulltime!
Ack!) the same old log-mining, or signature-based products. The future
in HIDS is truly with PROACTIVE PREVENTION. That said, Entercept,
Okena, and Dragon are all a step in the right direction. Each can
rightfully claim to have prevented known exploits BEFORE they were even
known... Most of the solutions mentioned thus far during the thread do
not meet my standards for a "next generation HIDS" and do nothing but
increase staffing requirements and workload...

NOTE: A great addition to your enterprise solution is a HIDS/Virus
byproduct, if you will, known as Pentasafe. This is targeted more often
at the remaining WORKSTATIONS or Desktop PC's. The power with this
product is its blend of IDS -AND- virus-like PROactive protection. I
tested a slightly older version of their software in my lab and had
great results with Win98. This product uses a method similar to
"sandboxing" where activeX, VBS, Javascript, and other similar incoming
content is moved to "protected space" before it executes or gives the
user an option to execute step-by-step. One nice feature is a central
management system that allows the push of rulesets out to the desktops,
taking the end user out of any decision-making responsibilities.

So, the final answer? (when I don't have to wear the "vendor neutral"
hat):

NIDS - Your choice of gig capable products at front end (whole separate
discussion, lol) -AND- Snort! (BSD -OR- Linux preferred) internally at
each segmented chokepoint.

HIDS (servers) - Most likely Entercept or DragonSquire (or pitbull if
you're masochistic..hey, it works though!) Okena may come up in the
ranks in 2002.
(on a side note, please switch your sunos/solaris 8 to Trusted Solaris
won't ya? Sheesh... Ever heard of SecureLinux?... Ok, maybe later...)

Desktops - Combination of antivirus software of your choice -AND-
Pentasafe.

And for the grand finale - NetForensics central security management and
monitoring software. Invaluable forensics with multivendor support with
remote logmining/culmination and analytical capabilities...(read: pretty
report on attacks and security events. Result: "so, he went through
Firewall A to system X then through Firewall D onto System Y, then he
attempted to execute Exploit 1 against system Z...wow, and look, his
originating IP is 24.x.x.x, aha!" like I said, invaluable!)

Just my opinion, I could be wrong...

Oliver Petruzel
Computer Security Specialist
Near DC...
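The multi-vendor "log-mining/culmination" the post credits NetForensics with boils down to normalizing events from several devices, grouping them by originating IP, and ordering them in time so an analyst can read the path "Firewall A -> system X -> Firewall D -> system Y -> exploit against Z". The following is an added illustration of that correlation step, not code from the post or from any product it names; the line format, device names, IPs and signature name are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a single hypothetical normalized format
# ("<timestamp> <device> <action> key=value ..."). These are not real
# vendor log formats and not output from any product named in the post.
# Lines are deliberately out of order and one is junk, to show that the
# correlator sorts per source and skips what it cannot parse.
SAMPLE_LOGS = [
    "2001-12-20T01:04:10 fw-a ACCEPT src=192.168.5.7 dst=10.1.1.10 dport=443",
    "2001-12-20T01:02:10 fw-a ACCEPT src=24.0.0.5 dst=10.1.1.10 dport=80",
    "2001-12-20T01:03:40 host-y LOGIN src=24.0.0.5 user=root",
    "2001-12-20T01:02:15 host-x LOGIN src=24.0.0.5 user=www",
    "2001-12-20T01:03:01 fw-d ACCEPT src=24.0.0.5 dst=10.2.2.20 dport=22",
    "2001-12-20T01:04:05 hids-z EXPLOIT_ATTEMPT src=24.0.0.5 dst=10.3.3.30 sig=exploit-1",
    "this line is garbage and should be skipped",
]

# timestamp, device, action, then optional free-form key=value fields
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Parse one normalized line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, action, rest = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None  # not a timestamp: treat the line as noise
    fields = {}
    for token in (rest or "").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if "src" not in fields:
        return None  # nothing to correlate on without an originating address
    return {"time": when, "device": device, "action": action, **fields}


def correlate_by_source(lines):
    """Group parsed events by source IP, each group sorted by timestamp."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)
    for events in by_src.values():
        events.sort(key=lambda e: e["time"])
    return dict(by_src)


def attack_path(events):
    """Render one source's events as the ordered device path an analyst would read."""
    return " -> ".join(f"{e['device']}:{e['action']}" for e in events)


def suspicious_sources(by_src, min_devices=3):
    """Flag sources that triggered an exploit signature or crossed several devices.

    The threshold is an arbitrary example value; a real deployment would tune it.
    """
    flagged = []
    for src, events in by_src.items():
        devices = {e["device"] for e in events}
        exploit = any(e["action"] == "EXPLOIT_ATTEMPT" for e in events)
        if exploit or len(devices) >= min_devices:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    groups = correlate_by_source(SAMPLE_LOGS)
    for src in suspicious_sources(groups):
        print(f"{src}: {attack_path(groups[src])}")
```

The value of the grouping is that each device on its own sees only one benign-looking ACCEPT or LOGIN; only the per-source timeline across firewalls, hosts and the HIDS sensor turns them into a single story, which is the "pretty report" the post describes.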

