Host Intrusion Prevention
  1. Describe the Host Intrusion Prevention System (HIPS) product at a high level.

  2. Is the Host Intrusion Prevention portion of the solution implemented as hardware, software, or both?

Functionality

  1. Describe the attack detection techniques your product uses.

  2. Does the product use stateful analysis? If so, describe its use.

  3. If malicious activity is detected, what response capabilities does your product have (allow, deny, and so on)?

  4. What host resources are analyzed (network, memory, file, registry, and so on)?

  5. How is data gathered (system call interception, and so on)?

  6. Does the product conduct packet inspection? If so, describe how.

  7. Does the HIPS have any remediation capabilities? If so, describe them.

  8. False positives are an issue for most HIPS products. If we encounter false positives with your products, how do we tune them?

  9. Is there a tuning, learning, or testing mode?

  10. Describe the impact your product has on host performance (processor usage, memory usage, latency, and so on).

  11. What information do logged events contain?

  12. Can event severity be modified?

  13. What types of signatures/policies are used (atomic, stateful, and so on)?

  14. What triggering mechanisms does your product use (pattern detection, anomaly-based, behavior-based, and so on)?

  15. Can signatures/policies be customized or created?

  16. Does the product have any application-specific signatures/policies? If so, what applications are included?

  17. What self-defense capabilities does the product have?

  18. Does your product have the capability to detect or stop known attacks? How?

  19. Does your product have the capability to detect or stop unknown attacks? How?

  20. Does your product have the capability to detect or stop network worms? How?

  21. Does your product have the capability to detect or stop Trojans? How?

  22. Does your product have the capability to detect or stop spyware? How?

  23. Does your product have the capability to detect or stop adware? How?

  24. Does your product have the capability to detect or stop viruses? How?

  25. Does your product have the capability to detect or stop traditional hacking attempts? How?

  26. Does your product have the capability to detect or stop encrypted attacks? How?

  27. Does your product have the ability to control bandwidth utilization? How?

  28. Does your product have the ability to enforce acceptable use policies (peer-to-peer file sharing, pornography, and so on)?

  29. Does your product have the ability to enforce security policies (confidentiality of data and so on)?

  30. Can your product isolate malicious traffic/hosts?

  31. Can your product overcome evasion techniques? How?

  32. How are configuration changes distributed?

  33. Are languages other than English supported? If so, describe the level of support and list the languages.

  34. If the product fails, does it fail open or closed?

  35. What happens to the HIPS if the management solution fails?

  36. If the host is offline, what happens to the HIPS? Are events cached?

  37. Can host software be hidden from the end user?

  38. Does the HIPS display any messages to the end user? If so, describe them.

  39. Does the installation require a reboot?

  40. Do signature/policy/engine updates require a reboot?

  41. What format does the HIPS installation package use (InstallShield, MSI, and so on)?

  42. What software distribution mechanisms can be used to distribute the HIPS (Microsoft Systems Management Server, Radia, Altiris, CD, e-mail, and so on)?

  43. Are administrative rights required for install?

  44. Does the product have an unattended silent install capability?

  45. Does the product support user-based profiles? If so, describe how they work.

  46. Does the product support location-based profiles? If so, describe how they work.

  47. Please describe the current roadmap for future product releases.

Management

  1. Is the product centrally managed?

  2. Describe the management interface.

  3. Does the management solution have a database component? If so, what type of database?

  4. What architectural options are supported (single-server, tiered, hierarchical)?

  5. How many hosts can each architecture (single-server, tiered, hierarchical) support?

  6. Describe the high availability and failover capabilities of the management solution.

  7. How do administrators access the management interface?

  8. How are administrators authenticated?

  9. How is administrator-to-management communication secured?

  10. Is there an audit trail? If so, describe it.

  11. Is role-based administration supported?

  12. How many events can one management server store?

  13. How many events per second can one management server handle?

  14. What are the bandwidth requirements? Describe the communication protocols between the managed hosts and the management server.

  15. How does the management solution avoid denial of service caused by event flooding?

  16. Can a policy/signature be backed out?

  17. What capabilities does the management solution offer for testing signatures/policies before they are deployed?

  18. Does the management solution provide a detailed status of the hosts it manages? If so, describe the details that are provided.

  19. Describe any centralized notification/alerting capabilities.

  20. Are events collected in real time?

  21. Are alerts delivered in real time?

  22. How can alerts be delivered (e-mail, SNMP, and so on)?

  23. How is device-to-management communication secured?

  24. How is the management infrastructure itself secured?

  25. If your product requires updates, how are the updates distributed? Is it automatic?

  26. How are configuration changes distributed?

  27. Are languages other than English supported? If so, list them.

  28. Can logs be exported?

  29. Describe any capability to group managed hosts.

  30. Does the management solution provide detailed status of the devices it manages?

  31. What happens if the management solution fails?

Operations

  1. Describe any reporting capabilities the product might have.

  2. Can custom reports be created?

  3. Describe any backup capabilities the product might have.

  4. Describe any restore capabilities the product might have.

  5. Describe any automatic log archival capabilities the product might have.

Compatibility

  1. What operating systems are supported for the management infrastructure?

  2. What operating systems are supported for the HIPS software?

  3. Is the product compatible with asset management solutions? If so, list them.

  4. Is the product compatible with any event collection/correlation solutions? If so, list them.

  5. Is the product compatible with any third-party management solutions? If so, list them.

  6. Does the product support any directory services (Active Directory, Lightweight Directory Access Protocol, Novell eDirectory, and so on)? If so, describe the support.


Intrusion Prevention Fundamentals
ISBN: 1587052393