HIPS
http://searchSecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1270392,00.html
Issue: Sep 2007

CA Host-Based Intrusion Prevention System
REVIEWED BY BRAD CAUSEY

CA
Price: $40 per client with enterprise-level maintenance

CA Host-Based Intrusion Prevention System (CA HIPS) combines standalone firewall and intrusion detection and prevention technologies to provide security, access control, policy enforcement, intrusion prevention management and deployment from a central console.


Configuration/Management: A
Management server setup was simple and fast. The server will automatically enumerate all LDAP users and groups, ultimately providing the ability to control policies and rule sets by Active Directory group membership. The management server is configured by default to check for LDAP changes every 180 seconds.

The real beauty of CA HIPS is its Learning Mode, which allows you to monitor a group of systems to determine what constitutes acceptable behavior. This will help avoid the problem of a policy deployment that is either too restrictive, causing application/network outages, or too liberal, limiting the effectiveness of the product.

Client deployment is a cinch for desktops and servers. Log in to the intuitive, Web-based console and configure the client with the options you desire. Click "Build" and you are presented with an installation package.


Policy Control: A
The intuitive policy creation and deployment workflow simplifies what could be a complicated process.

You begin by creating "Common Objects"--basically, the targets of security policies, such as USB drives, registry entries or network protocols. There are thousands of default objects, which can be easily customized. Next, you define the list of rules associated with the objects. Rules are broken down into categories such as application, firewall, operating system and IDS/IPS.

Customizing or creating rules is simple, and they can be grouped into manageable collections such as high-security laptops and DMZ Web servers.

Policies allow you to apply groups of rules to subnets, hosts, users, groups and a number of other criteria. A simple deployment wizard pushes the policy to clients.


Effectiveness: B
CA HIPS provides effective defense against threats, known and unknown. Clients are heavily protected, but in a way that will not adversely affect the functionality of the system. By sandboxing an application or questionable device, it protects against unknown threats.

We executed a number of viruses, Trojans and other malware, many of which didn't have signatures. Software that wasn't approved was sandboxed based on the policy, and escalated for approval/restriction. Known malware was restricted from accessing the OS and network.
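To make the workflow described above concrete (Learning Mode builds a baseline, then known malware is restricted, baseline behaviour is allowed and anything unknown is sandboxed and escalated for approval), here is an added toy model written for this review; it is not CA's code, and the application names, Common Object names and the "known bad" signature are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    app: str     # executable that acted
    target: str  # "Common Object" touched: registry key, USB device, network protocol


class HipsPolicy:
    """Constructed model of the review's Learning Mode / enforcement behaviour."""

    def __init__(self, known_bad):
        self.known_bad = set(known_bad)  # names treated as known malware (constructed)
        self.baseline = set()            # (app, target) pairs seen in Learning Mode
        self.learning = True
        self.pending = []                # unknown behaviour escalated to an admin

    def end_learning(self):
        self.learning = False

    def evaluate(self, ev):
        key = (ev.app, ev.target)
        if self.learning:
            self.baseline.add(key)       # observe only; nothing is blocked yet
            return "learn"
        if ev.app in self.known_bad:
            return "restrict"            # cut off from the OS and network
        if key in self.baseline:
            return "allow"
        if key not in self.pending:
            self.pending.append(key)     # escalate for approval/restriction
        return "sandbox"                 # runs isolated until an admin decides

    def decide(self, app, target, approve):
        key = (app, target)
        self.pending = [k for k in self.pending if k != key]
        if approve:
            self.baseline.add(key)       # approved: becomes normal behaviour
        else:
            self.known_bad.add(app)      # restricted: treated like known malware


def demo():
    pol = HipsPolicy(known_bad={"sample-malware.exe"})  # constructed signature name
    for ev in [Event("httpd.exe", "tcp/80"), Event("backup.exe", "HKLM\\Software\\Backup")]:
        pol.evaluate(ev)                 # Learning Mode window on a DMZ Web server
    pol.end_learning()
    results = [pol.evaluate(Event("httpd.exe", "tcp/80")),
               pol.evaluate(Event("sample-malware.exe", "tcp/25")),
               pol.evaluate(Event("newtool.exe", "usb:removable"))]
    pol.decide("newtool.exe", "usb:removable", approve=True)
    results.append(pol.evaluate(Event("newtool.exe", "usb:removable")))
    return results  # ["allow", "restrict", "sandbox", "allow"]
```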

You'll still need an antivirus product to remove viruses and Trojans. CA's antivirus product works with CA HIPS to remove malicious code, but the products aren't completely integrated yet.


Reporting: D
Reporting seems immature. There are around 100 pre-built reports that offer a plethora of information, but there's no method to modify them or create custom reports from inside the Web interface. The only criteria that can be supplied to filter the results are based on time frames, such as the last week or month.

CA does provide an API to create custom reports, but that shouldn't be necessary to create a report from data that is stored on the management server.


Verdict
CA HIPS offers comprehensive threat defense in a flexible and easy-to-use product. Its reporting weaknesses may rule it out for some organizations.


Testing methodology: We assigned policies to users and computer groups in a single Active Directory domain. Attacks were launched on the clients in the form of viruses, worms, remote exploits (some with no known patches) and spyware.


Information Security Magazine is a part of the TechTarget portfolio of enterprise IT-focused media.
Copyright 2000 - 2008, TechTarget. All Rights Reserved.