Hi all,

I just need your guys opinion about HIPS and pc firewalls. We have some servers (windows 2003 and 2008) that we need to further protect with either or both of above mentioned systems. This is just a recommendation from our IS deptt and we need to give them a reliable demo to see if this actually works. Basically the point is, our servers may (and in most cases will) run vulnerable services but we need to place some sort of pc based security solution that can stop malicious attempts. I know the requirement is bit vague but when i searched the internet, there were few pc based firewalls but i found very little information of any famous HIPS. But since we need to monitor applications behaviour (like http, sql etc) we need some sort of application level monitoring for malicious packets, and the biggest requirement of all, we need to customize or even create or own rules/signatures to prevent from attacks.

Now i know of snort, sorry for my 2 stupid questions
1) can it prevent from attacks also
2) can it be used ideally as HIPS ?

Anyone has any suggestions for any powerful host based security solutions, almost impenetrablea :-)

For 2008 Servers you can utilize the Windows Firewall with IPSEC rules.  It is manageable via GPO/IPSEC policies.  You can also evaluate the options you have for AV.  If you run Symantec Endpoint it has firewall and IPS features which work pretty well so long as they are configured properly.  You can run them both in a logging only mode so you can assess what ports will be required to open and what applications will be allowed in and out.  It is centrally managed so creating separate policies for different sets of servers is possible. 

2003 servers I would stick with something similar to the SEP option since the 2003 Windows Firewall and IPSEC support is no where near as robust as the 2008.  Remember though, any Host based solution will put additional performance loads on the server so the box should be configured accordingly (RAM/CPU/HDD). 

There is nothing wrong going to a Networked based solution either.  Might cost you a bit more but at least the servers won't take a hit in performance.  Pop the servers on their own VLAN or Physical LAN and firewall it off.  Utilize a firewall that has some IPS capability to get the most bang for the buck.  The IPS of choice (NIPS or HIPS) should be tested in a logging mode so a proper baseline can be set.  Once you know what valid traffic looks like, then its time to tweak the rules accordingly, log the activity and then look at working with a report card of sorts.  Any changes made to the infrastructure should always be logged and a report card completed.  Once all activity has been confirm, time to turn on the IPS to block possible attacks.  Again set a baseline and tweak.

Don't forget to turn off definitions that don't apply to your environment.  If you don't run Oracle DBs, don't monitor for attacks related to Oracle databases.  And so on... 

Good luck!

Never promise something is 100% secure.  There is always a way through something.  If someone wants the information bad enough, they will get it.  All you can promise is that you will do your best to prevent this from happening or will at least be able to determine who/what/where/when/how. 

The popular phrase out in the InfoSec world is "there are two types of companies out there...  Those who have been breached and those who know they've been breached..."  get it?  At best we can try to put as many obstacles in the way of an attacker to either delay them from attaining their goal or frustrate the crap out of them that they will give up and go elsewhere.  Though most likely the latter will occur since they are being paid well to get said information.

Too many exec and non-technical folks believe that the shiny boxes with blinking lights makes their network impervious to attacks.  All you need to do to prove against it is mention RSA and EMC.