Monday, May 21, 2007

firewall-wizards Digest, Vol 13, Issue 9

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: HIPS experience (Kristian Hermansen)
2. Re: HIPS experience (Victor Williams)
3. Re: HIPS experience (Paul Melson)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 May 2007 15:32:15 -0400
From: "Kristian Hermansen" <kristian.hermansen@gmail.com>
Subject: Re: [fw-wiz] HIPS experience
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<fe37588d0705191232r330ba1ean12b2ce2a45076d40@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 5/19/07, stursa@695online.com wrote:
> As I said, the management software is a component of CiscoWorks. It didn't
> start out that way. The product was developed by Okeena, who were bought
> out by Cisco. The management piece was stand-alone and cost about $3k.
> Cisco dropped that and bundled it into CiscoWorks, which costs about $10k.

You will be happy to know that CSA no longer depends on CiscoWorks :-)

> As for CSA, yes, it offers great protection. I ran it on all my own
> Windows workstations. However, given the cost of client licenses,
> CiscoWorks, and the time required to administer it, I don't see it as a
> solution for a small business, or even many medium sized ones.

Again, no CiscoWorks, but CSA is still an enterprise product and is
priced as such. For the security it buys the purchaser, and from your
experience as you stated, the pricing is fair. Since CSA is one of
the only products that stops 0-day, the purchaser must ask themselves
what the cost is for cleaning up after being hit by an attack as such.
But as always, there are many security products available, so decide
which one fits your needs and price point...
--
Kristian Hermansen


------------------------------

Message: 2
Date: Fri, 18 May 2007 23:07:55 -0500
From: Victor Williams <vbwilliams@neb.rr.com>
Subject: Re: [fw-wiz] HIPS experience
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <464E781B.4040100@neb.rr.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Just to throw my own endorsement out there, I have been supporting it
for customers and in a corporate environment for over 3 years now (since
August of '03), and find it to be the best thing offered to date.
Honestly, when configured correctly, you don't need to run anti-virus.
I supported it (up until January) in primarily a Citrix environment, and
it worked great there...when configured properly.

FWIW, there is no more central server within CiscoWorks. CSA Management
Center now runs standalone on its own server, and it's a heck of a lot
more responsive in that configuration. Likewise, it now requires
Windows 2003 R2 for the latest 5.2 version. 5.1 will only run on
Windows 2003 Standard (no R2), and 5.0 will only run within CiscoWorks/VMS.

Only warning I will throw out there is that if you have any home-grown
applications that are written badly, CSA will probably not allow them to
run like they normally do without CSA running, if it allows them to run
at all. We have an app to this day that still does a lot of stupid
things with memory and obviously has memory leaks and buffer
over/underruns, and CSA just completely kills/ends the application every
time this happens...which is good. Fair warning though.

stursa@695online.com wrote:

>Kristian Hermansen said:
>
>
>>On 5/15/07, "Mike LeBlanc" <mlinfosec@comcast.net> wrote:
>>
>>
>>>Would love to hear any feedback from the list on these or other
>>>products.
>>>
>>>
>>Have you considered Cisco Security Agent? This is the de facto
>>standard amongst corporations/governments with highly valuable assets.
>>Although, the costs are also quite reasonable for both Desktop and
>>Server licensing. CSA protects against Zero Day attacks, which is
>>something many products claim, but few actually do.
>>
>>
>
>Three jobs ago I had a lot of experience with CSA, ending in August 2004.
>We purchased 100 licenses for it, and I spent about a year supporting it,
>along with a Cisco VPN concentrator that was configured to allow access to
>only clients that were running CSA.
>
>So I have a pretty good working knowledge of it, although my info may be a
>little out of date.
>
>First, I'll say I think it's a great product. When properly installed and
>administered, it provides better protection than conventional
>signature-based anti-virus/worm/spyware products.
>
>But there are caveats.
>
>First, the default installation allows users, in some cases, to make the
>decision about whether or not a particular event can occur. This is always
>a mistake. We all know that there are users who consider pop-up alerts to
>be nothing but an irritant and will always click on "Allow". I actually
>had one tell me that he did this without even reading the message. "So, if
>it popped up with 'Program disk-killer wants to reformat your hard-drive.
>Allow?'," I asked him, "you'd click on 'Allow'?" He didn't bother to
>reply, because we both knew what his answer would be.
>
>So you have to run it in the mode where users never get to make the
>decision. This increases the workload for the central administrator. Not
>only must you routinely review all the alerts from the client population
>(I did this twice per day), but you must be available to intervene
>whenever someone wants to install some software and wants to do it NOW.
>
>The way this works is that you approve a particular event at the
>management console (a CiscoWorks module) and the new policy is exported
>out to all CSA clients. This means that if 50 users are going to install a
>new piece of software, the first one to try it will fail, and an alert
>gets sent to the management server. The admin approves it, the new policy
>gets exported, and the other 49 users can install the sw without problem.
>
>Reviewing the event logs and trying to decide what was safe was pretty
>time-consuming. I spent a lot of time Googling .exe files to find out what
>they were. I also had to keep up with MS updates.
>
>As I said, the management software is a component of CiscoWorks. It didn't
>start out that way. The product was developed by Okeena, who were bought
>out by Cisco. The management piece was stand-alone and cost about $3k.
>Cisco dropped that and bundled it into CiscoWorks, which costs about $10k.
>
>The licenses are pricey. Workstation licenses retail about $50-60
>(depending on how many you buy) and server licenses are well over $1,000.
>
>Checkpoint has a very similar (i.e. behavioral, not signature-based HIPS)
>known as "Integrity Secure Client". The management center is stand-alone,
>costs about $3k IIRC. The client licenses cost less as well. For an
>additional fee you get point-and-click access to a big database of events
>and software, so it's much easier to determine whether a particular .exe
>is safe.
>
>I had planned to evaluate the product, but never got to it, so I don't
>know how well it performed versus Cisco SA. Interestingly, it's supported
>by Cisco VPN concentrators.
>
>As for CSA, yes, it offers great protection. I ran it on all my own
>Windows workstations. However, given the cost of client licenses,
>CiscoWorks, and the time required to administer it, I don't see it as a
>solution for a small business, or even many medium sized ones.
>
>
>
>
>>configuration, and requiring no user interaction after installation
>>(takes 30-60 minutes to install):
>>
>>
>
>30-60 minutes? No, more like 10.
>
>
>
>
>>Blaster
>>
>>
>
>Yep. Unpatched computers with CSA were not infected.
>
>- SLS
>
>
>
>

------------------------------

Message: 3
Date: Fri, 18 May 2007 00:45:12 -0400
From: "Paul Melson" <pmelson@gmail.com>
Subject: Re: [fw-wiz] HIPS experience
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Cc: kristian.hermansen@gmail.com, mlinfosec@comcast.net
Message-ID:
<40ecb01f0705172145p6bd82d68t5d5c2de578d4f30e@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 5/15/07, Kristian Hermansen <kristian.hermansen@gmail.com> wrote:
> Have you considered Cisco Security Agent? This is the de facto
> standard amongst corporations/governments with highly valuable assets.

Were you planning to disclose to everyone that you're a Cisco
employee? Or are you intentionally being a shill?

http://www.linkedin.com/pub/3/790/415


> CSA protects against Zero Day attacks, which is
> something many products claim, but few actually do.
...
> Bagle
> SQL Snake
> Blaster
> JPEG/GDI+
> Bugbear
> MyDoom
> Code Red
> Nimda

If I ever travel back in time to 2003, remind me to install CSA on my
laptop before I go. :-)

PaulM


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 13, Issue 9
***********************************************