CA HIPS is a client/server appli??ícation. I installed the CA HIPS server in a VMware ESX Server 3.5 environment on a VM (virtual machine) configured with a sin??ígle processor, 20GB drive, 2GB of RAM and a single NIC with a fixed IP address.
CA HIPS can use an exter??ínal Microsoft SQL Server 2005 database to track clients, which I installed on a VM in the same VMware ESX cluster. There is currently no Oracle database support. The CA HIPS agent, which performs monitoring and policy enforcement on the target workstations and servers, can be installed on Windows 2000-, XP- or 2003-based systems. Vista is not currently supported.
CA HIPS policies are enforced according to a complex set of rules. Out of the box, I used the monitor (everything is allowed and tracked) to start learning about the applications on my systems. Other policy groups were relevant to the firewall and IDS functionality of the product, although applica??ítion rules I created could be used in these modules. Users are not able to allow unapproved applica??ítions.
Instead of allowing end-user control over application approval, CA HIPS provides a "test har??íness" that can be used in learning mode on representative end-user systems. I used a model com??íputer with the test harness appli??ícation to detect network traffic and applications. I then created rules and policies that governed how end users could use these applications and then imported the rules to the CA HIPS server for deployment.
The process for using the test harness was quite tedious and required a complex workflow to ensure that the application reposi??ítory, firewall zones and OS security rules were imported correctly.
While the CA HIPS monitors client activity, it was not easy to understand what kind of counter??ímeasures were being taken by the CA HIPS agent to protect my end-user systems. Like Bit9's Parity, it was easy to get lost in the volumi??ínous amount of system messages, the vast majority of which merely reported only that the system was functioning normally.
After installing the CA HIPS agent on a system, the product started to work at once. While the agent can be installed and active with no user notification, I used mine with the local user interface active. Here I could see how many files had been blocked and get other information about how the product was working. While I was able to get most of this informa??ítion in the reporting tool provided on the administrative console, I can imagine that end users would appreciate and use this kind of information.
I easily integrated CA HIPS with the Active Directory infrastructure in use on my test network, which made short work of grouping end-user systems.
Once the CA HIPS system was fully operational, I spent most of my time in the reports section, gathering information about what was happening in my test envi??íronment. Combined with data I gleaned from the event viewer and the system messages, I was able to get a fair idea of the security landscape among my monitored Windows systems.
eWEEK Labs Technical Director Cameron Sturdevant can be reached at [email protected]