RE: Entercept HIDS Question

Josh.Berry_at_compucom.com
Date: 03/04/04

    To: <focus-ids@securityfocus.com>
    Date: Thu, 4 Mar 2004 14:21:08 -0600
    
    

    This is one of those "it depends on your network and application
    environment" questions, because we had terrible performance numbers with
    Okena also. Okena's rules configuration and push-out technology was
    very cumbersome, and we had odd anomalous issues on the desktop systems
    that we tested it on (for instance, one user couldn't download anything
    faster than 27k until we disabled the agent).

    Signature based systems on the host end are hard to manage at a large
    scale on heterogeneous systems.

    -----Original Message-----
    From: gatekeeper [mailto:gatekeeper@globenet.com.ph]
    Sent: Wednesday, March 03, 2004 5:54 PM
    To: Berry, Josh (jberry); sam@neuroflux.com
    Cc: focus-ids@securityfocus.com
    Subject: Re: Entercept HIDS Question

    We bought Entercept along with a Cisco IDS 4250 appliance (Entercept used
    to be Cisco HIDS; now Cisco packages the Okena HIDS). We had it running
    both for Windows and Solaris. No issues on Windows; we have our signatures
    fine-tuned via Console Manager. On Unix, the process penalty is about 3-4%
    on normal operation. I say normal because one has to understand that
    Entercept sits around the kernel. It catches sys calls from apps and
    validates them against specific signatures (for known attacks) or generic
    signatures (used to catch unknown attacks). This works because sys calls
    are clearly documented in such a way that a deviation would surely be
    tagged as malicious. So the process would depend on the number of such
    calls.

    I think this concept is no different from the hacker methodology of
    redirecting sys calls to a trojaned binary, only it is being used here
    in a noble way ;-)

    You can find evaluation report at www.nss.co.uk

    regards,
    jun g.
    "hiding in plain sight"

    ----- Original Message -----
    From: <Josh.Berry@compucom.com>
    To: <sam@neuroflux.com>
    Cc: <focus-ids@securityfocus.com>
    Sent: Wednesday, March 03, 2004 2:25 AM
    Subject: RE: Entercept HIDS Question

    My company bought Entercept and then immediately removed it from
    production, if that tells you anything. It caused blue screens like
    crazy, huge performance issues, and blocked an inordinate amount of
    allowed traffic. This was even in detect-only mode.

    -----Original Message-----
    From: sam@neuroflux.com [mailto:sam@neuroflux.com]
    Sent: Tuesday, March 02, 2004 11:31 AM
    To: focus-ids@securityfocus.com
    Subject: Entercept HIDS Question

    Hello. We are currently in the process of selecting a HIDS-based
    product, and according to the Entercept salesperson, they claim that the
    product has a feature that works very much like Tripwire.

    My question here is: how much overhead does it add to a server to watch
    the filesystem in real time? And, if we already have Tripwire, would
    their file integrity checking process be enough to replace Tripwire?

    And, if anyone is currently using the Entercept HIDS product, I'm
    wondering how easily it can be managed (not only from the HIDS piece,
    but from the file integrity standpoint -- excluding files, creating
    policies, etc.)

    Thanks!
    -Sam

    ------------------------------------------------------------------------

    ---
    Free 30-day trial: firewall with virus/spam protection, URL filtering,
    VPN,
    wireless security
    Protect your network against hackers, viruses, spam and other risks with
    Astaro
    Security Linux, the comprehensive security solution that combines six
    applications in one software solution for ease of use and lower total
    cost of
    ownership.
    Download your free trial at
    http://www.securityfocus.com/sponsor/Astaro_focus-ids_040301
    ------------------------------------------------------------------------
    ---
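The thread compares two host-side approaches: Entercept's kernel-level sys call hooking (cost proportional to the number of calls) and Tripwire-style file integrity checking (cost proportional to the number and size of files rehashed per run). The following is an added example of the second approach, written for this page; it is not Entercept's or Tripwire's code, and the directory layout, file contents and exclusion list in `demo_in_tempdir` are constructed. It records a SHA-256 digest plus size, mode and mtime for every regular file under a root, persists that baseline as JSON, and on a later run reports added, removed and modified paths. Exclusions are path prefixes relative to the root, the kind of policy Sam asks about managing.

```python
"""Tripwire-style file-integrity baseline and comparison (added example,
not Entercept's or Tripwire's code). Exclusions are prefixes relative to root."""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, List

Record = Dict[str, object]
Baseline = Dict[str, Record]


def file_digest(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _excluded(path: str, prefixes: List[str]) -> bool:
    # exact match or a path below the prefix; "var/logs" must not match "var/log"
    return any(path == p or path.startswith(p + os.sep) for p in prefixes)


def build_baseline(root: str, exclude: Iterable[str] = ()) -> Baseline:
    """Walk root and record digest, size, mode and mtime of each regular file."""
    root = os.path.abspath(root)
    prefixes = [os.path.join(root, e.strip("/").replace("/", os.sep)) for e in exclude]
    baseline: Baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune excluded directories in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if not _excluded(os.path.join(dirpath, d), prefixes)]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if _excluded(full, prefixes):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                # kept for the report only: an attacker can reset mtime, so it is
                # never used to decide that a file is unchanged
                "mtime": int(st.st_mtime),
            }
    return baseline


def compare(old: Baseline, new: Baseline) -> Dict[str, List[str]]:
    """Diff two baselines; a file is modified if its content hash or mode differs."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common
                           if old[p]["sha256"] != new[p]["sha256"]
                           or old[p]["mode"] != new[p]["mode"]),
    }


def save_baseline(baseline: Baseline, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path) as fh:
        return json.load(fh)


def demo_in_tempdir() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "var", "log"))
        files = {  # constructed sample files
            "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "etc_passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/messages": b"Mar  3 17:54:00 host kernel: boot\n",  # churns; excluded
        }
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        db = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root, exclude=["var/log"]), db)
        # tamper: replace a binary, delete a config file, drop a new tool
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"#!/bin/sh\n# replaced\nexec /usr/bin/ls \"$@\"\n")
        os.remove(os.path.join(root, "etc_passwd"))
        with open(os.path.join(root, "bin", "nc"), "wb") as fh:
            fh.write(b"\x7fELF")
        new = build_baseline(root, exclude=["var/log", "baseline.json"])
        return compare(load_baseline(db), new)


if __name__ == "__main__":
    print(json.dumps(demo_in_tempdir(), indent=2))
```

Run as a script it prints the three lists from the constructed scenario (`bin/nc` added, `etc_passwd` removed, `bin/ls` modified). The overhead trade-off the thread circles around is visible here: a scheduled checker reads every non-excluded file once per run and costs nothing in between, whereas a real-time agent pays per filesystem or sys call but catches the change as it happens. In either design the baseline store should live off the monitored host (or at least be excluded and protected), since a tool that trusts a baseline the attacker can rewrite detects nothing.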
    
