Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-ids > 03 > 040571.html (Request Expert securityfocus.com Support)

Re: host-based ips ?

From: Andrew Plato <aplato(at)anitian.com>
Date: Wed Apr 30 2003 - 22:02:12 EDT

>there are some nips (network based ips), but i never ever heard about
>host based ips. any body have known about this?

Host-based IPS is actually been around even longer than network IPS. The first commercial IPS product (that is an IDS matched with a firewall) was the BlackICE product from Network ICE, which is now RealSecure Server Sensor and Desktop Protector. The big breakthrough with BlackICE was that it was both a protocol analysis-based IDS and could respond in *near* real time and block intruders.

Since then others have joined that market.

Cisco Secure Agent (formerly Okena StormWatch) is a lot like BlackICE/RS Desktop in that it's a protocol analysis-based IDS & firewall. It's a very capable and powerful product. Cisco's acquisition of Okena was arguably one of the smarter moves Cisco has made in while. I like it because it has a similar look and feel to ISS's ICEcap and I am a bit of an ICEcap junkie.

Entercept is more of a OS-level monitor. Its an interesting product, but its rather heavy on the system. My company used to sell Entercept and we had a very hard time getting customers interested in it. In comparison to other products, Entercept has a very high memory & CPU footprint.

Sygate has a host IPS. I've played with it a bit. Its okay. It does not have a very large market penetration.

Symantec's secure agent is not much more than a "personal firewall." Which is an important distinction. Some people call ZoneAlarm an IPS. I wouldn't. In my book, an IPS has to be an IDS & a firewall combination. ZoneAlarm, Symantec, and the other "personal firewalls" do not possess IDS capabilities (or very rudimentary IDS capabilities).

Do you need help?X

If you are evaluating host IPS, make sure you try out Okena and RealSecure desktop. I feel they are the best of lot. However, I am a reseller of both, so naturally I would have a preference for them.

There are some open-source solutions in this space. Sounds like others have pointed them out.

SHAMELESS PLUG: If you happen to be in Seattle, Washington on June, 10 2003. I will be giving a talk on IPS technologies. I will be discussing the use of host-IPS as well as network-IPS. Details at: http://www.anitian.com/seminars/ips.htm


Andrew Plato, CISSP
President / Principal Consultant
Anitian Enterprise Security   
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile

www.anitian.com

Can you respond to attacks based on attack type, severity, source IP, destination IP, number of times attacked, or the time of day an attack occurs? No?
No wonder why you're swamped with false positives! Download a free 15-day trial of Border Guard and watch your false positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2

Received on Sun May 4 03:16:34 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library