© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
DPRO-93502
Ant Allan
Product Report, 1 July 2003
Symantec Host Intrusion Detection System and ManHunt Network Intrusion Detection System
Summary
Symantec offers an enhanced Host IDS product and the advanced ManHunt network IDS, but this may not be enough to establish Symantec as a leader in a market increasingly favoring intrusion prevention.
Table of Contents
Overview
Analysis
Pricing
Competitors
Strengths
Limitations
Insight
List Of Tables
Table 1: Overview: Symantec Host IDS and ManHunt
Table 2: Functions and Facilities: Symantec Host IDS and ManHunt: Technology Infrastructure Characteristics
Table 3: Functions and Facilities: Symantec Host IDS and ManHunt: Ruleset Characteristics
Table 4: Functions and Facilities: Symantec Host IDS and ManHunt: Performance Characteristics
Table 5: Functions and Facilities: Symantec Host IDS and ManHunt: Response Characteristics
Table 6: Functions and Facilities: Symantec Host IDS and ManHunt: Operational Characteristics
Table 7: Functions and Facilities: Symantec Host IDS and ManHunt: Management Characteristics
Table 8: Functions and Facilities: Symantec Host IDS and ManHunt: Security Characteristics
Table 9: Functions and Facilities: Symantec Host IDS and ManHunt: Support Characteristics
Table 10: Price List: Symantec Host IDS and ManHunt
Table 11: Competing IDS Products
Corporate Headquarters
Symantec Corp.
20330 Stevens Creek Blvd.
Cupertino, CA 95014, U.S.A.
Tel: +1 408 517 8000
Internet: www.symantec.com
Overview
Symantec's security products portfolio includes two intrusion detection system (IDS) products: a host-based IDS (HIDS), called simply Symantec Host IDS, and a network-based IDS (NIDS), ManHunt. An organization can use the two IDS products individually or in combination to continuously monitor system and network activity and detect, protect, report and respond to misuse by any potential attacker.
Host IDS
Symantec developed Host IDS from the earlier Intruder Alert (ITA) product, developed by AXENT in 1996 (and the start of AXENT's product line) and added to Symantec's portfolio with the acquisition of AXENT Technologies, Inc., in December 2000.
Host IDS uses a three-tier management architecture (console, manager and agent) based on the new Symantec Enterprise Security Architecture (SESA). SESA is a management framework that provides consolidated data collection, logging and reporting for Symantec and various third-party products.
A Host IDS agent runs on a host Microsoft Windows (or, from HIDS 4.1, expected mid 2003, Solaris) machine. (ITA 3.6 is still supported and sold for other operating systems.) It compares events against security policies supplied by Symantec or custom policies that a customer may create or edit. On detecting an intrusion, the agent sends an alert to the Host IDS manager, which can then kill the process or send pager or e-mail alerts to network/security administrators. (Host IDS 4.1 will provide protection features that can, based on policy, stop processes before they are started, maintain a list of processes that should always be up and running and alert via e-mail or pager.)
A single Host IDS manager, with a separate Host IDS console or a single SESA manager, can manage event data, policy data and configuration data for thousands of Host IDS agents.
ManHunt
Symantec added ManHunt to its portfolio with the acquisition of Recourse Technologies in July 2002. This product has entirely superseded AXENT's NetProwler NIDS. (The Recourse acquisition also gave Symantec the ManTrap "honeypot" or, as Symantec calls it, a "decoy server" product.)
ManHunt uses a hybrid detection architecture that allows an organization to customize sensor detection capabilities to the network environment. ManHunt uses a variety of detection techniques: protocol anomaly detection, stateful signature detection, traffic rate monitoring, protocol state tracking and fragmented IP packet re-assembly, as well as allowing custom signatures, including modified Snort signatures. (Snort is the leading open-source IDS with a reputation for prompt signature release.)
ManHunt still uses Recourse's cluster architecture (console, master cluster node and slave cluster nodes). Symantec will provide initial SESA integration with a "SESA bridge" in ManHunt 3.0, available in mid 2003. A fully SESA-compliant version will be available in 2004.
ManHunt uses a real-time analysis and correlation engine to evaluate high-volume network events in context. Symantec ManHunt Smart Agents can collect information from other security devices: NIDS, HIDS and firewalls. Using "Cross-Node Analysis," ManHunt can discover trends and related events throughout large, geographically dispersed networks and can filter out erroneous data.
ManHunt uses policy-based responses to contain and control attacks in real time and to initiate other actions required for incident response. Customized policies provide immediate response to intrusions or denial of service attacks based on the type of incident and the location of the event within the network. ManHunt can trace attacks back to the ingress point within the network using proprietary "FlowChaser" technology.
Related Products
• ManTrap is a honeypot product, or what Symantec calls a decoy server product. ManTrap Decoy Servers reside within the internal network and transaction zone (or de-militarized zone [DMZ]) to monitor, respond to and log the actions of an attack. ManTrap can provide real-time detection of known and novel attacks on both host-based and network-based services. Because it's a decoy, and has no other legitimate function, all activity directed toward ManTrap is immediately considered suspicious. It does not require signatures to detect attacks. ManTrap uses a granular policy-based response mechanism. For example, if an attack is specifically intended as a "hop" to further compromise network assets or other networks, ManTrap incorporates response policies that may be implemented to restrict any outbound connections, immediately containing the attack. ManTrap requires a dedicated Sun Solaris server (Scalable Processor Architecture [SPARC] or Intel), which has a hardened kernel that doesn't allow log data to be compromised.
• Symantec Gateway Security is a 1U rack-mountable appliance that integrates firewall, antivirus, Internet content filtering, intrusion detection and virtual private networking (VPN) technologies. This appliance is designed to meet the needs of small and midsize organizations as well as branch locations within larger organizations. The embedded IDS technology is from AXENT NetProwler, but Symantec plans to replace this with ManHunt technology in the next version due in the summer of 2003.
Table 1: Overview: Symantec Host IDS and ManHunt

Version
  Host IDS: Symantec Host IDS 4.0
  ManHunt: ManHunt 2.2
Date Announced
  Host IDS: October 2002 (v4.1 planned for mid-2003 release)
  ManHunt: October 2002 (v3.0 planned for mid-2003 release)
Installed Base
  Host IDS:
  • Worldwide: undisclosed
  • North America: undisclosed
  • Latin America: undisclosed
  • Europe, Middle East and Africa (EMEA): undisclosed
  • Asia/Pacific: undisclosed
  ManHunt:
  • Worldwide: undisclosed
  • North America: undisclosed
  • Latin America: undisclosed
  • EMEA: undisclosed
  • Asia/Pacific: undisclosed
Table 2: Functions and Facilities: Symantec Host IDS and ManHunt: Technology Infrastructure Characteristics

Operating Systems
  Host IDS: Microsoft Windows 2000. Versions for Sun Solaris and other Unix OSs (HP-UX, IBM AIX and Linux) are mid-2003 delivery. A version for Novell NetWare is also planned for late 2003.
  ManHunt: Not applicable (NIDS).
Network Topology
  Host IDS: Not applicable (HIDS).
  ManHunt: Fast Ethernet 10/100 and gigabit Ethernet interfaces.
Switched Network Capability
  Host IDS: Not applicable (HIDS).
  ManHunt: ManHunt can be deployed in large, switched network environments.
Network Protocols
  Host IDS: Not applicable (HIDS).
  ManHunt: TCP/IP.
Network Application Protocols
  Host IDS: Not applicable (HIDS).
  ManHunt: At least:
  • Border Gateway Protocol (BGP)
  • Domain Name System (DNS)
  • Finger
  • FTP
  • HSRP
  • HTTP
  • Ident
  • Internet Message Access Protocol (IMAP)
  • Internet Relay Chat (IRC)
  • Network News Transfer Protocol (NNTP)
  • Open Shortest Path First (OSPF)
  • Post Office Protocol 3 (POP3)
  • Remote Login (Rlogin)
  • Remote Procedure Call (RPC)
  • Remote Shell (RSH)
  • Server Message Block (SMB)
  • Simple Mail Transfer Protocol (SMTP)
  • Simple Network Management Protocol (SNMP)
  • SOCKS
  • Telnet
Applications
  Host IDS: The Host IDS agent can monitor any application that uses an event log; for example, the Microsoft IIS Web server.
  ManHunt: None.
Customizable System Log/Audit Record Definition
  Host IDS: Can audit any American Standard Code for Information Interchange (ASCII) formatted log.
  ManHunt: Not applicable (NIDS).
Customizable Protocol Definition
  Host IDS: Not applicable (HIDS).
  ManHunt: ManHunt supports custom network signatures.
Table 3: Functions and Facilities: Symantec Host IDS and ManHunt: Ruleset Characteristics

Detection Method
  Host IDS: Information is gathered from monitored sources and evaluated against a signature rule base. If a match is made, then the action specified in the rule is executed.
  ManHunt: Uses a hybrid-detection architecture that includes protocol anomaly detection, stateful signature detection, traffic rate monitoring, network flow monitoring, scan and flood detection and fragmented IP packet re-assembly, and custom signatures to detect both known and novel attacks.
Execution Frequency
  Host IDS: Real time for all analysis.
  ManHunt: Uses a real-time analysis and correlation engine to evaluate network events in context.
Additional Misuse Monitoring
  Host IDS: Can detect a number of viruses and types of malicious code through integration with Symantec's antivirus products.
  ManHunt: Can detect any attacks based on protocol violation, explicit signature misuse detection (if the signature is loaded into the hybrid engine) and dynamic traffic anomalies.
Customizable Attack and Misuse Definition
  Host IDS: Allows an organization to create fully customizable policies (or signatures) and merge them with those supplied.
  ManHunt: Allows an organization to create custom attack definitions (or signatures).
Attack Definition Updates
  Host IDS: Policy updates are available to customers who purchase a maintenance agreement. Policy updates should occur every 12 weeks, or as needed in response to an outbreak, via Symantec's LiveUpdate distribution.
  ManHunt: Signature updates are available to customers who purchase a maintenance agreement. Signature updates occur every 45-90 days, or as needed in response to an outbreak. Additional protocol models may be incorporated in new software releases.
Secure Attack Definition Updates
  Host IDS: Symantec LiveUpdate is a secure delivery mechanism.
  ManHunt: Signature updates are available via Web download. (This does not use Symantec LiveUpdate.)
Table 4: Functions and Facilities: Symantec Host IDS and ManHunt: Performance Characteristics

Performance
  Host IDS: HIDS performance depends critically on the volume of data being logged by the many applications that can be running on the machine at the same time. Symantec states that under "normal" installation and usage, HIDS will use less than 10 percent CPU capacity.
  ManHunt: ManHunt can monitor network traffic and detect intrusions at speeds of up to 2Gbps (without dropping packets) across four gigabit interfaces or 12 fast Ethernet interfaces on a single node. (Based on a 2-CPU Dell 1650 with 4GB RAM or similar.)
Accuracy
  Host IDS: Symantec claims that Host IDS has one of the lowest false positive rates in the market.
  ManHunt: ManHunt uses protocol anomaly detection and stateful signature detection, which leads to much lower false positive rates than stateless engines.
Table 5: Functions and Facilities: Symantec Host IDS and ManHunt: Response Characteristics

Response
  Host IDS: Can take predefined actions that include:
  • Logging off a user
  • Disabling a user account
  • Logging the event to a local or network file
  • Killing a process
  • Rebooting a machine if needed
  • Keeping a set process up and running at all times.
  Can also raise alerts including console alerts, e-mail and paging.
  ManHunt: Uses proactive, policy-based response. Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type of incident and location of the event within the network. Can respond with any of the following, individually or in combination:
  • Session termination
  • FlowChaser and TrackBack can trace attacks with spoofed IP addresses back to the ingress point within the network
  • Quality of service (QoS) filters that mitigate denial of service attacks by suggesting QoS access control lists (ACLs) to be placed on a network device
  • Traffic recording
  • Handoff to another ManHunt cluster to continue TrackBack
  • SNMP and e-mail notification.
Customizable Response
  Host IDS: Supports user-defined actions that can be associated with any detection rule. These actions include the ability to execute external programs and scripts.
  ManHunt: Allows custom response.
Event Prioritization
  Host IDS: Policies that trigger events are pre-configured with a "severity" setting (value) that prioritizes which events are displayed first.
  ManHunt: Uses four variables to perform statistical analysis and then assigns different priority levels as they apply to the incident. These variables are:
  • The intrinsic severity of the type of event
  • The level/intensity of traffic for scan and flood events
  • The reliability of the event
  • The severity of other events in the same incident.
Report Merging and Data Visualization
  Host IDS: Reporting is delivered via the SESA management system, which includes a number of pre-configured reports as well as charts depicting information on specific attacks and high-level IDS trends.
  ManHunt: Detects attacks across nodes and correlates and aggregates events from disparate sensors. Presents information in interactive reports; administrators can "drill down" to an individual attack. Reports can be presented in tables or charts (pie, column and bar).
Event Trace and Replay
  Host IDS: Events can be replayed based on review of data that is kept in the SESA Datastore.
  ManHunt: Can be configured to enable full packet capture. (ManHunt 3.0 will allow replay from the console.) Also incorporates FlowChaser and TrackBack technology to trace an attack back to the source using traffic flow information provided by other network infrastructure devices.
Customizable Reports
  Host IDS: Administrators can define custom reports.
  ManHunt: Console reporting includes customizable charts and graphs for trend analysis and event prioritization. Allows incident and event export to Structured Query Language (SQL) database formats for custom reporting.
Session Hijacking
  Host IDS: None
  ManHunt: None
Session Termination
  Host IDS: None
  ManHunt: Can perform a reset/termination automatically based on predefined policy configurations or via operator control.
Firewall Reconfiguration
  Host IDS: None
  ManHunt: None
Router or Switch Reconfiguration
  Host IDS: None
  ManHunt: QoS filter recommendations for QoS ACLs to be placed on routers for denial of service protection.
Deception Techniques
  Host IDS: None
  ManHunt: None
Automatic Vulnerability Correction
  Host IDS: None
  ManHunt: None
Table 6: Functions and Facilities: Symantec Host IDS and ManHunt: Operational Characteristics

Implementation
  Host IDS: A software product that is installed on standard OS server platforms.
  ManHunt: A network-based detection, response and incident management system (software product) that integrates with the switch and routing infrastructure.
Information Sources
  Host IDS:
  • OS system and audit logs
  • Application logs and audit files
  • File system
  • Windows Registry
  (HIDS 4.1 will add process monitoring, blocking and reporting.)
  ManHunt: Monitors network traffic.
Distributed Deployment
  Host IDS: An organization can use popular software distribution services to initially deploy the software. An organization can use Symantec's LiveUpdate to distribute subsequent updates to software and signatures.
  ManHunt: Provides "intelligent" collaboration between geographically distributed sensors. A single system can monitor multiple segments, virtual local-area networks (VLANs), and switches from a single host.
Sensor:Console Ratio
  Host IDS: A manager can support up to 3,500 agents in centralized, distributed, hierarchical and redundant configurations. (Symantec cites a major U.S. government customer for this figure.) A console connects to a single manager at one time.
  ManHunt: A single administration console can monitor a cluster of up to 125 nodes. Each node can support 12 Fast Ethernet sensors or four gigabit sensors. Hence a cluster of ManHunt nodes can scale to 1,500 Fast Ethernet sensors or 500 gigabit sensors.
System Requirements for Console
  Host IDS: A Java-enabled browser (for example, Internet Explorer 5.5 or higher).
  ManHunt:
  • Microsoft Windows 98, NT 4.0 or 2000
  • Java 2 Runtime Environment v1.3 or v1.4
  • Solaris 2.6, 7 or 8
  • Minimum 256MB RAM
  • Minimum 20MB free disk space
System Requirements for Network Sensors
  Host IDS: General system requirements for the agent are:
  • 128MB RAM
  • 64MB available disk space.
  ManHunt: Requires a dedicated system with:
  • Sun 64-bit Solaris 8 or Solaris 8 Intel Edition
  • Dedicated SPARC or Intel hardware
  • One network interface for each monitored device, up to 12 fast Ethernet or four gigabit Ethernet
  • One network interface for administration/management
  • 1GB RAM for fast Ethernet configurations
  • 2GB RAM for single gigabit configurations
  • 4GB RAM for multigigabit configurations
  • Java 2 Runtime Environment, standard edition 1.2.2
Exportability
  Host IDS: Uses 128-bit Secure Sockets Layer (SSL) encryption and is exportable to unrestricted organizations and nations.
  ManHunt: Symantec offers the same version globally.
Robustness
  Host IDS: Uses extensive flow control and queuing to ensure reliable agent/manager communications. Furthermore, the agent state is preserved on shutdown and is capable of resuming detection in the same state as it was prior to shutdown.
  ManHunt: Multiple nodes may be deployed in a High Availability (H/A) pair configuration to ensure uptime and uninterrupted event detection.
Software Updates
  Host IDS: Software updates are available to customers who purchase a maintenance contract and are entitled to automatic updates and upgrades to the product as they are released.
  ManHunt: Same as for HIDS.
Secure Software Updates
  Host IDS: Symantec LiveUpdate is a secure delivery mechanism.
  ManHunt: All software updates reside in a secure location and are accessible to Symantec customers via a secure, authenticated Web download service.
Table 7: Functions and Facilities: Symantec Host IDS and ManHunt: Management Characteristics

Management
  Host IDS: The management architecture is three-tier (console, manager and agent) based on SESA.
  ManHunt: Uses a Java-based graphical user interface (GUI) enabling rapid deployment, policy maintenance, event filtering and effective attack mitigation. Provides single-point management between multiple deployments from any console.
Comprehensive Network Management System (NMS)
  Host IDS: May be integrated with NMSs using bridge modules between SESA and third-party NMSs.
  ManHunt: From ManHunt 3.0, with the release of the SESA bridge, as for HIDS.
Alternative Management System
  Host IDS: None
  ManHunt: None
Vulnerability Scanner
  Host IDS: Does not share a management interface with any vulnerability assessment product.
  ManHunt: Does not share a management interface with any vulnerability assessment product. There are plans for future integration, however.
Separate Host-Based or Network-Based IDS
  Host IDS: ManHunt can consume and correlate HIDS data. Full-integration management will be provided through SESA in a future release.
  ManHunt: ManHunt Smart Agents can take events from Symantec Host IDS and third-party products:
  • Cisco IDS (NIDS)
  • Snort (NIDS)
  • Enterasys Dragon (NIDS)
  • ISS RealSecure (NIDS)
  • Tripwire (file-integrity assessment)
  • Okena StormWatch HIDS (now acquired by Cisco)
  • Check Point Firewall-1
  • NetScreen integrated firewall and VPN systems and appliances
Table 8: Functions and Facilities: Symantec Host IDS and ManHunt: Security Characteristics

Security Audit
  Host IDS: Supports the option to create an audit/debug log.
  ManHunt: Creates a signed database of administration/configuration events.

Identification and Authentication

Login
  Host IDS: User has to log in and provide a password to access any event or configuration data for the IDS system.
  ManHunt: User may log in and provide a password to access any event or configuration data. The log-in has multiple levels, giving varying levels of access to administrators and users.
Authentication Failure Handling
  Host IDS: Account lockout setting is available and accessible as a SESA/Lightweight Directory Access Protocol (SESA/LDAP) configuration option.
  ManHunt: A user supplying an incorrect password, port or IP address will be denied access, and the event will be logged to the signed database.
User Attribute Definition
  Host IDS: Maintains user name, role, password and privileges for each user.
  ManHunt: Maintains user name, password and access privileges for each user on the host.
Authentication Service
  Host IDS: Symantec Host IDS authenticates users to the console and agents to the manager using encrypted passwords and credentials.
  ManHunt: Communicates between the master node and the administration console and between ManHunt nodes within the same cluster using password-protected Diffie-Hellman authentication. Users may also use an iButton (from Dallas Semiconductor) to sign logs. The iButton protects against falsification of log records and provides Federal Information Processing Standard (FIPS) 140 authenticated signatures for non-repudiation of events.

Security Policy Management

Non-Bypassability of the Security Policy
  Host IDS: The console invokes an authentication request on any attempt to access configuration or event data.
  ManHunt: Unless the console has correctly authenticated to the ManHunt host, the encrypted control tunnel cannot be established.
Domain Separation
  Host IDS: Supports configuration groups or domains, making it possible to configure different levels of security and apply that security easily to predefined groups of servers.
  ManHunt: ManHunt has the ability to segment network domains by VLAN.
Administration
  Host IDS: A default administrator account is provided that has all rights needed to configure and administer the system as well as create supplemental accounts complete with roles and permissions.
  ManHunt: An administrative account must be used for accessing ManHunt security functions.
System Privileges and Access Control
  Host IDS: The management console implements role-based access control. Access to certain management functions is restricted unless specifically permitted.
  ManHunt: There are two types of pass-phrases in ManHunt: administrator and user. The administrator pass-phrase allows the user to make changes to the topology tree, response policies and configuration parameters, mark incidents and add incident annotations. The user pass-phrase privileges are limited to marking incidents and adding incident annotations.
Security Roles
  Host IDS: Partitions rights generally between the ability to configure the product and the ability to see events and reports, and does this by security domain.
  ManHunt: The level of access is defined by the administrator and may encompass either an administrator role or restricted user privileges.

Data and Communications Security

Availability
  Host IDS: Uses extensive flow control and queuing to ensure reliable agent/manager communications.
  ManHunt: ManHunt communicates to the administration console and between nodes using 256-bit Advanced Encryption Standard (AES) encryption so that information may be securely and easily accessed.
Trusted Communication
  Host IDS: Symantec Host IDS uses asymmetric keys to authenticate users and to then exchange data-encryption keys.
  ManHunt: Communications between all components are authenticated and encrypted using password-protected Diffie-Hellman and 256-bit AES.
Confidentiality During Transmission
  Host IDS: Communications between components are all encrypted using SSL.
  ManHunt: Protects data transmitted between management console and sensors using 256-bit AES encryption.
Detection of Modification
  Host IDS: Uses cryptographic techniques to detect modification of data. If a payload is altered, Host IDS ignores the payload information.
  ManHunt: Logs may be cryptographically signed with the iButton, to detect tampering with log records.
Cryptography Options
  Host IDS: None
  ManHunt: ManHunt has the option of incorporating iButton FIPS 140 encryption.

Attack Protection

Self-Monitoring
  Host IDS: Monitors all server-auditing sources to ensure that they are not disabled. In addition, the product monitors its own binary files and can monitor its own audit file.
  ManHunt: Monitors events associated with console authentication and operation.
Stealth Techniques
  Host IDS: None
  ManHunt: All monitoring/sensor interfaces operate in stealth mode with no IP stack.
Table 9: Functions and Facilities: Symantec Host IDS and ManHunt: Support Characteristics

Vendor-Provided Attack Database
  Host IDS: Attack database provides basic descriptive information enabling the user to identify the type of attack and providing basic remediation steps. In addition, Symantec offers an optional, full-featured Incident Management application that offers more extensive diagnostic and remediation capabilities.
  ManHunt: ManHunt provides detailed descriptions of attacks and remediation steps.
24×7 Vendor Hotline
  Host IDS: 24×7 support is available to customers who have purchased platinum or premium-platinum maintenance agreements for both ManHunt and HIDS.
  ManHunt: Same as for HIDS.
Vendor Response
  Host IDS: Call back and response is targeted and usually happens within 24 hours.
  ManHunt: Same as for HIDS.
Analysis
Host-Based IDS: Host IDS
Symantec developed Host IDS from the earlier Intruder Alert product. Where Intruder Alert boasted broad platform support (not only for Microsoft Windows and leading Unix OSs, but also for Novell NetWare and some less common Unix OSs, such as SCO and Silicon Graphics), the new Host IDS is, for the time being, available only for Windows.
Host IDS can not only monitor discrete hosts but can also correlate activity across different hosts. To do this, Host IDS employs an inter-agent communications protocol, which initiates a counter if suspicious activity is suspected (for example, multiple failed logins). The protocol then informs other agents of the possible suspicious activity and makes the counter available to all agents. If a second agent suspects similar suspicious activity, the counter is incremented. When the counter reaches a user-defined threshold, an alert is generated. This approach gives better accuracy than the simple analysis of discrete events that some other IDS products offer.
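The inter-agent counter scheme described above, as an added illustration that is not Symantec's code or part of the original report: each agent parses its own host's log, reports failed logins to a counter shared with the other agents, and an alert fires when the shared count reaches the user-defined threshold. Keying the counter on the source address is an assumption (the report does not say what the counter is keyed on); host names, addresses and log lines are constructed sample data, and a per-host baseline is included to show why discrete analysis misses the same activity.

```python
import re
from collections import defaultdict

# Constructed sample log lines, "<host> <time> <message>"; hosts, users and
# addresses are invented for this illustration.
SAMPLE_LOGS = [
    "web01 09:00:01 failed login for user admin from 10.0.0.5",
    "web01 09:00:07 failed login for user admin from 10.0.0.5",
    "web01 09:00:12 successful login for user alice from 10.0.0.9",
    "db01  09:00:20 failed login for user admin from 10.0.0.5",
    "app01 09:00:25 failed login for user bob from 10.0.0.9",
    "db01  09:00:31 failed login for user admin from 10.0.0.5",
    "app01 09:00:40 failed login for user admin from 10.0.0.5",
]

FAILED_LOGIN = re.compile(r"failed login for user (?P<user>\S+) from (?P<src>\S+)")


class SharedCounter:
    """Counter state visible to every agent (the inter-agent protocol in the
    text). One counter per key, here the source address (an assumption), so
    attempts spread across several hosts still add up to one incident."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = defaultdict(int)   # key -> suspicious events seen so far
        self.hosts = defaultdict(set)    # key -> hosts that contributed
        self.alerts = []

    def increment(self, key, host):
        self.counts[key] += 1
        self.hosts[key].add(host)
        # Fire once per key, at the moment the user-defined threshold is reached.
        if self.counts[key] == self.threshold:
            self.alerts.append({"key": key, "count": self.counts[key],
                                "hosts": sorted(self.hosts[key])})


class HostAgent:
    """Parses one host's log and reports each suspicious event to the shared counter."""

    def __init__(self, host, shared):
        self.host = host
        self.shared = shared
        self.local = defaultdict(int)    # the discrete, per-host view for comparison

    def process(self, message):
        m = FAILED_LOGIN.search(message)
        if m is None:
            return                       # not a suspicious event under this policy
        self.local[m["src"]] += 1
        self.shared.increment(m["src"], self.host)


def correlate(log_lines, threshold):
    """Route each line to the agent for its host; return the shared counter and agents."""
    shared = SharedCounter(threshold)
    agents = {}
    for line in log_lines:
        host, _time, message = line.split(maxsplit=2)
        if host not in agents:
            agents[host] = HostAgent(host, shared)
        agents[host].process(message)
    return shared, agents


def per_host_alerts(agents, threshold):
    """Baseline: the simple per-host analysis the report contrasts with."""
    return [(agent.host, src) for agent in agents.values()
            for src, n in agent.local.items() if n >= threshold]


if __name__ == "__main__":
    shared, agents = correlate(SAMPLE_LOGS, threshold=4)
    print("cross-host alerts:", shared.alerts)
    print("per-host alerts:  ", per_host_alerts(agents, threshold=4))
```

With a threshold of four, no single host sees more than two failures from 10.0.0.5, so the per-host view stays silent while the shared counter raises one alert naming both contributing hosts.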
Network-Based IDS: ManHunt
ManHunt is a newer product with a different heritage, which Symantec added to its portfolio through theacquisition of Recourse and which supersedes Symantec’s earlier NetProwler product from AXENT.
Symantec Host Intrusion Detection System and ManHunt Network Intrusion DetectionSystem
© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved.DPRO-935021 July 2003 19
This change of product offering addresses the most serious limitation of NetProwler, that it used onlysignature-based detection techniques. ManHunt can use signatures, but primarily uses advancedtechniques: protocol anomaly detection, traffic rate monitoring, protocol state tracking and IP packet re-assembly. Protocol anomaly detection can catch new attacks on “day zero,” as well as providing moreaccurate detection than signature-based detection alone. ManHunt can also use custom signatures. Thismix of complementary technologies gives the organization a robust network intrusion detection capabilitythat matches the capabilities of leading IDS products.
ManHunt can maintain 100 percent of its detection capability for up to 2 Gbps on a single node. ManHunt can do this by combining flow-based processing with focused analysis to identify malicious traffic within specific states within a protocol. This is a significant advantage in large enterprises with high traffic volumes. Only high-end IDS and IPS appliances from other vendors can match this performance.
ManHunt offers real-time event correlation and analysis. Its analysis engine aims to filter out erroneous data and retain only the relevant information, so providing awareness without data overload. ManHunt uses “Cross Node Analysis” and its “Correlation and Aggregation Engine” to spot trends and sort related incidents, recognizing events quickly as they happen, with higher confidence than discrete event analysis. ManHunt also supports forensic investigation through a full-packet capture feature on a per-node basis.
ManHunt provides the organization with a policy-based response to detected incidents. Through custom policies, responses can be tailored to the type of incident and the location of the events within the network.
Toward Integrated Management Functions
Symantec had planned to integrate the two ex-AXENT IDS products with a common console, common logging and alerting, and data correlation between HIDS and NIDS, putting it on a similar footing to some of the leading IDS vendors. This move was long overdue, as AXENT had announced a similar development plan before the acquisition by Symantec.
As things turned out, however, this development was superseded by Symantec’s acquisition of Recourse, giving the vendor a new NIDS to integrate with its HIDS.
Host IDS’s management architecture is based on the new SESA. SESA will provide a shared management platform for a variety of security products including antivirus, vulnerability assessment and firewall as well as IDS. Symantec Host IDS will be fully integrated with ManHunt through SESA in a future release.
For now, the products can be integrated only at the event level: ManHunt Smart Agents can take events from Host IDS—as well as third-party HIDS, NIDS, and firewalls.
SESA also facilitates integration with Symantec’s new Incident Manager application. This product incorporates “CyberWolf” technology from Symantec’s acquisition of Mountain Wave, making it easier to identify, correlate and resolve security incidents across the organization.
Signature Updating
Each of the IDS products has a rulebase uncoupled from its analysis engine, so enabling dynamic signature updates. Symantec offers about 400 policies for Host IDS. As ManHunt uses advanced protocol anomaly detection methods and other sophisticated heuristics-based detection methodologies that don’t require traditional signatures, its performance is less dependent on signature updates than NetProwler was. Symantec estimates that ManHunt can detect more than 800 network intrusion events (via both anomalies and signatures).
Host IDS is integrated with Symantec LiveUpdate (the same signature updating mechanism used by Symantec’s antivirus products). A ManHunt version is also slated to support LiveUpdate by the end of 2003, making both IDS products updateable through the Symantec LiveUpdate service. But for now, the lack of a common update mechanism may be an issue for some organizations.
Symantec’s security response team manages both Host IDS and ManHunt signature updates. This ensures regular updates quarterly and rapid-response updates as needed to mitigate urgent and severe outbreaks. In addition, both products support full signature customization, allowing organizations to rapidly create or modify signatures. ManHunt’s hybrid analysis engine also allows an organization to use Snort signatures from snort.org.
Pricing
Table 10: Price List: Symantec Host IDS and ManHunt

Product               Price (US$)
Host IDS
  Agent               995 per host
  Manager             28 (for SESA)
  Console             No charge
ManHunt
  100 megabit         12,250
  200 megabit         19,995
  500 megabit         35,000
  1 gigabit           70,000
  2 gigabit           125,000
GSA Pricing           Yes.
Competitors
Table 11: Competing IDS Products

Vendor/Product(s): Cisco Systems, Inc. (Internet: www.cisco.com)
  • Cisco IDS
Description:
  Cisco IDS combines its own NIDS product (formerly NetRanger) with the StormSystem intrusion prevention products for servers and desktops from its recent acquisition of Okena.
  Cisco IDS offers a centralized control console that leverages netForensics and other products for event correlation.
  The NIDS sensor is normally delivered as an appliance, but can also be implemented as software on Cisco’s PIX Firewall and Internet Operating System (IOS) routers and as a “blade” in Cisco’s switches.
  StormWatch host agents intercept an application’s resource requests to the operating system to make a real-time allow/deny decision according to the customer’s application security policy.

Vendor/Product(s): Enterasys Networks, Inc. (Internet: www.enterasys.com)
  • Dragon IDS
Description:
  Dragon IDS comprises Dragon Network Sensors, Dragon Host Sensors (formerly Dragon Squire) and a common Dragon Enterprise Management Server for Web-based management and reporting.
  Dragon Network Sensor is available as software and as Linux-based appliances.
  Dragon Host Sensor monitors host platforms, applications, firewalls and other vendors’ NIDS and HIDS sensors.
  Enterasys also offers the Dragon Integrated Server/Sensor, an all-in-one appliance aimed at small or branch office use.
  Enterasys has a strong focus on the managed security service provider (MSSP) space and has achieved significant penetration.

Vendor/Product(s): Internet Security Systems, Inc. (ISS) (Internet: www.iss.net)
  • RealSecure IDS
Description:
  RealSecure integrates RealSecure Network agents (NIDS), RealSecure Host agents (HIDS), RealSecure Desktop agents and RealSecure Vulnerability Assessment agents with its single, central management console, RealSecure SiteProtector.
  ISS is integrating components acquired from Network Ice (protocol anomaly detection) and vCIS (preemptive behavioral inspection) into its RealSecure IDS technology and increasing the proactive “prevention” responses.
  RealSecure now offers Proventia network intrusion prevention appliances, for aggregate network bandwidth up to 1200 Mbps on one to four network segments.

Vendor/Product(s): Network Associates Inc. (NAI) (Internet: www.nai.com)
  • “IntruShield” (formerly IntruVert IntruShield)
  • “Entercept” (formerly Entercept Host Sensor)
Description:
  NAI was a former leader in the IDS market with the Pretty Good Privacy (PGP) Security CyberCop IDS, but withdrew this product early in 2001.
  In May 2003 NAI positioned itself to compete effectively in the IDS market with the acquisition of two IPS vendors:
  • IntruVert, one of the leading vendors in the network intrusion prevention space;
  • Entercept, with its strong host-based intrusion prevention offering.
  NAI’s funds and global presence give these products more leverage in deals where they compete against traditional IDS vendors.

Vendor/Product(s): Snort (Internet: www.snort.org)
  • Snort
Description:
  Snort is an open-source NIDS, available free under a GNU General Public License. (As such, it is excluded from the Gartner Research Magic Quadrant for this market.)
  Snort is the leading open-source NIDS and ranks highly in comparison with commercial NIDS products and higher than any commercial product in signature coverage.
  The rapid evolution of the rule sets is an important advantage of an open-source system, where a large community can create new rules promptly.
  In some cases, a Snort rule is posted to BugTraq (a moderated mailing list that alerts subscribers to vulnerabilities and offers solutions to deal with them) with the original vulnerability report.
  Additionally, Snort also allows plug-ins—ways to incorporate additional detection functionality into the system.
  Snort has been making growing inroads into the marketplace, but many organizations are reluctant to adopt it because of the lack of commercial support. In this case, an organization may consider:
  • Silicon Defense (Internet: www.silicondefense.com), which provides commercial support contracts for organizations using Snort.
  • Sourcefire (Internet: www.sourcefire.com), which offers an enhanced version of Snort with its Intrusion Management System (IMS), an appliance-based system that provides event correlation and analysis.
  An organization will likely find it useful to install Snort for at least a trial period during the selection process for a commercial NIDS product. Snort can provide an effective additional source of data to an IT security management product.
Strengths
Increased Accuracy Through Hybrid Detection and Correlation
ManHunt exhibits a low false-positive rate owing to its multiple detection techniques and its ability to correlate attacks in a distributed environment. Host IDS also has improved accuracy through correlation between hosts. Furthermore, using ManHunt Smart Agents, ManHunt can consume and correlate HIDS event data.
High-Bandwidth NIDS
ManHunt can provide full 2-Gbps performance without dropping packets (and, hence, without missing events). This level of performance is typical in IDS and IPS appliances, but is rare in a software product running on a commercial off-the-shelf (COTS) platform. This makes ManHunt more attractive to large organizations with high network-traffic volumes.
Enterprise IT Security Management-Like Capabilities
ManHunt Smart Agents can “consume” event data from a variety of security products, including Symantec Host IDS, third-party HIDS and NIDS, and third-party firewalls (but not Symantec firewalls). This gives the organization a more comprehensive view of activity across the whole network—and allows it to leverage existing investment in other NIDS products. This gives organizations some of the benefits of an enterprise IT security management solution, without the need for a full-blown security management product, such as Symantec’s own Incident Manager.
Limitations
Host IDS 4.0 Available Only for Microsoft Windows
Symantec provides only a Windows version of Host IDS, where the previous versions of the product had very broad platform coverage.
Organizations using Unix rather than Windows servers—especially common for security-critical applications—will for now have to rely on the older Intruder Alert 3.6. Symantec declares that it will continue support for ITA 3.6 until an individual platform is supported under HIDS 4.x or greater. The combination of Host IDS and ITA 3.6 does give broad platform coverage, and Symantec provides an integration tool—a “SESA bridge”—that allows ITA 3.6 agents to work in a Host IDS/SESA environment.
Lack of Integration Between Host IDS and ManHunt
While ManHunt can “consume” alerts generated by Host IDS, through a ManHunt Smart Agent (MSA), and display them in the ManHunt Intrusion Management System, the two products are not yet fully integrated. This disadvantages Symantec’s offering in comparison with leading competitors, where full integration makes IDS management easier.
Host IDS is a native SESA-enabled product, and Symantec plans to make ManHunt fully SESA compliant in 2004. Once this is done, both products will share a common data repository, event monitor and integrated configuration capabilities.
Different Signature Update Routines for Host IDS and ManHunt
Symantec now offers LiveUpdate for Host IDS signature updates, but not yet for ManHunt. For the moment, organizations have to bear the overheads of using different update mechanisms.
Insight
Gartner doesn’t regard Symantec as a leader in the IDS market, but it is a challenger. Intruder Alert was a sound HIDS product, and the new version, Host IDS, benefits from SESA. While Host IDS is now available only for Microsoft Windows 2000, Symantec promises broader platform support in the near future. ManHunt is an advanced NIDS product, far superior to its predecessor, NetProwler, which relied on signatures only. ManHunt’s combination of protocol anomaly detection and other advanced detection techniques allows for high accuracy, even in fully saturated two-gigabit networks. Large organizations might also benefit from the ManTrap “honey-pot” product, while small organizations might prefer to deploy the Symantec Gateway Security appliance. Organizations considering the core HIDS and NIDS products should be aware that Symantec currently lacks the strong network and host integration of some leading competitors. Host IDS and ManHunt are discrete products, albeit with data correlation of Host IDS events in ManHunt. Symantec will address this by offering a “SESA bridge” for ManHunt in mid-2003, with a fully SESA-compliant version of ManHunt planned for 2004.