
Re: [ISSForum] Desktop protector vs. server protector/sensor



"Anderson, Mike" <Mike_Anderson@xxxxxxxxxxxxxxxxxxxxx> wrote

> Server Sensor is by far more powerful and customizable than 
> Desktop Protector.
>  
> The amount of customization you can do in Desktop Protector 
> is limited to simple port blocking/IP blocking and a pre-set 
> policy (trusting, nervous, cautious, paranoid).  Desktop 
> Protector also does not pick up on OS events like Server 
> Sensor does (such as user being added to administrative 
> group, brute force attempts, etc.)
>  
> With Server Sensor, you can turn off and on checks in your 
> policy to your liking, to further reduce false positives, and 
> to make analyzing events much more time-worthy.  That is not 
> available in Desktop Protector.

This is not entirely true. Desktop and Server protector can actually do
*almost* everything server sensor does. You can turn off and modify
detection, exactly the same as server sensor. You can even feed trons
sigs to desktop protector products. 

The key to desktop/server protector is the numerous parameters. Using
the parameters you can customize virtually every signature and every
IDS threshold. Download the document Desktop Protector Advanced
Administration Guide
(http://documents.iss.net/literature/BlackICE/BI-AAG.pdf) and learn
those parameters. 

Using those and the custom section of ICEcap, you can tweak, tune, and
reconfigure your Desktop/Server protectors. For example, you can change
logon thresholds and suppress port probes. 

Another trick in desktop/server protector is to use the application
control features as a "tripwire-esque" file monitor. It takes some
customization, but when it's up and running, it's very cool. Anytime a
hashed file changes, the report goes to ICEcap/Siteprotector but does
not stop the application. See my white paper:
http://www.anitian.com/Corp/papers/BI%20AC%20tweaking.pdf 

As for trons help - see: http://www.robertgraham.com/pubs/ids/trons.html

I usually tell customers that desktop/server protector is a very powerful
solution that can be used at a very advanced level, but you have to be
willing to crawl under the covers of the product and look past the
current documentation. 

Server sensor has more features and capabilities (like OS monitoring),
but it's a heavier solution.  Desktop has limitations, no question about
that, but it does cost a bit less. You also can use ICEcap with the
desktop product, which is thinner and lighter than Site Protector (IMO).


Please note: I have a bias toward the desktop products, namely because I
was the original author of all the tech docs back at Network ICE (I do
NOT write the docs anymore) and I helped design some of ICEcap's
features. I also do a LOT of ICEcap/desktop protector consulting work. 

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

Enterprise Security &
Infrastructure Solutions
 
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com 
___________________________________

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx