
Gartner © 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

DPRO-93502
Ant Allan

Product Report, 1 July 2003

Symantec Host Intrusion Detection System and ManHunt Network Intrusion Detection System

Summary

Symantec offers an enhanced Host IDS product and the advanced ManHunt network IDS, but this may not be enough to establish Symantec as a leader in a market increasingly favoring intrusion prevention.

Table of Contents

Overview

Analysis

Pricing

Competitors

Strengths

Limitations

Insight

List Of Tables

Table 1: Overview: Symantec Host IDS and ManHunt

Table 2: Functions and Facilities: Symantec Host IDS and ManHunt: Technology Infrastructure Characteristics

Table 3: Functions and Facilities: Symantec Host IDS and ManHunt: Ruleset Characteristics

Table 4: Functions and Facilities: Symantec Host IDS and ManHunt: Performance Characteristics

Table 5: Functions and Facilities: Symantec Host IDS and ManHunt: Response Characteristics

Table 6: Functions and Facilities: Symantec Host IDS and ManHunt: Operational Characteristics

Table 7: Functions and Facilities: Symantec Host IDS and ManHunt: Management Characteristics

Table 8: Functions and Facilities: Symantec Host IDS and ManHunt: Security Characteristics

Table 9: Functions and Facilities: Symantec Host IDS and ManHunt: Support Characteristics

Table 10: Price List: Symantec Host IDS and ManHunt

Table 11: Competing IDS Products

Corporate Headquarters

Symantec Corp.

20330 Stevens Creek Blvd.

Cupertino, CA 95014, U.S.A.

Tel: +1 408 517 8000

Internet: www.symantec.com

Overview

Symantec’s security products portfolio includes two intrusion detection system (IDS) products: a host-based IDS (HIDS), called simply Symantec Host IDS, and a network-based IDS (NIDS), ManHunt. An organization can use the two IDS products individually or in combination to continuously monitor system and network activity and to detect, report and respond to misuse by any potential attacker.

Host IDS

Symantec developed Host IDS from the earlier Intruder Alert (ITA) product, developed by AXENT in 1996 (and the start of AXENT’s product line) and added to Symantec’s portfolio with the acquisition of AXENT Technologies, Inc., in December 2000.

Host IDS uses a three-tier management architecture (console, manager and agent) based on the new Symantec Enterprise Security Architecture (SESA). SESA is a management framework that provides consolidated data collection, logging and reporting for Symantec and various third-party products.

A Host IDS agent runs on a Microsoft Windows host (or, from Host IDS 4.1, expected mid-2003, a Solaris host). (ITA 3.6 is still supported and sold for other operating systems.) The agent compares events against security policies supplied by Symantec or against custom policies that a customer creates or edits. On detecting an intrusion, the agent sends an alert to the Host IDS manager, which can then kill the process or send pager or e-mail alerts to network/security administrators. (Host IDS 4.1 will add protection features that can, based on policy, stop processes before they are started, maintain a list of processes that should always be running, and alert via e-mail or pager.)

A single Host IDS manager, with a separate Host IDS console or a single SESA manager, can manage event data, policy data and configuration data for thousands of Host IDS agents.
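The detection loop just described (the agent evaluates each event against a policy, fires the rule's action on a match, and the manager orders what it shows by severity) is sketched below as an added example. It is not Symantec code: the rule names, regular expressions, thresholds and the Windows-style log lines are constructed for illustration, and the event IDs are used only as sample tokens.

```python
"""Minimal host-IDS rule engine: policy rules evaluated over log lines (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines in a Windows event-log-like layout (not real output).
SAMPLE_LOG = """\
2003-07-01 09:12:01 Security 529 Logon Failure user=jsmith src=10.1.1.5
2003-07-01 09:12:03 Security 529 Logon Failure user=jsmith src=10.1.1.5
2003-07-01 09:12:05 Security 529 Logon Failure user=jsmith src=10.1.1.5
2003-07-01 09:12:06 Security 529 Logon Failure user=jsmith src=10.1.1.5
2003-07-01 09:12:09 Security 528 Logon Success user=jsmith src=10.1.1.5
2003-07-01 09:15:44 Security 636 Member added to group=Administrators user=backup_svc
2003-07-01 09:16:02 System 7031 Service terminated name=w3svc
"""
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Rule:
    name: str
    pattern: str          # regex; an optional (?P<key>...) group scopes the threshold
    severity: int         # higher is displayed first, as in Table 5
    action: str           # what the manager does when the rule fires
    threshold: int = 1    # matches needed before the rule fires
    window_s: int = 60    # seconds within which those matches must occur


@dataclass
class Alert:
    rule: str
    severity: int
    action: str
    key: str
    evidence: List[str]   # the log lines that triggered the rule


# Hypothetical policy: thresholds and actions are this example's assumptions.
RULES = [
    Rule("admin_group_change", r"Security 636 .*group=Administrators user=(?P<key>\S+)", 9, "alert"),
    Rule("brute_force", r"Security 529 Logon Failure user=(?P<key>\S+)", 7, "disable_account", 4, 60),
    Rule("service_down", r"System 7031 Service terminated name=(?P<key>\S+)", 5, "restart_process"),
]


class HostRuleEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = [(r, re.compile(r.pattern)) for r in rules]
        # (rule name, key) -> timestamped matches still inside the sliding window
        self._hits: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = {}

    def feed(self, line: str) -> List[Alert]:
        """Evaluate one log line against every rule; return the alerts that fired."""
        fired: List[Alert] = []
        ts = datetime.strptime(line[:19], TS_FORMAT)
        for rule, rx in self.rules:
            m = rx.search(line)
            if not m:
                continue
            key = m.groupdict().get("key") or "*"
            hits = self._hits.setdefault((rule.name, key), [])
            hits.append((ts, line))
            cutoff = ts - timedelta(seconds=rule.window_s)
            hits[:] = [h for h in hits if h[0] >= cutoff]   # expire old matches
            if len(hits) >= rule.threshold:
                fired.append(Alert(rule.name, rule.severity, rule.action, key, [h[1] for h in hits]))
                hits.clear()   # one alert per burst, not one per extra failure
        return fired


def run_engine(log_text: str, rules: List[Rule] = RULES) -> List[Alert]:
    """Feed every line through the engine; return alerts with highest severity first."""
    engine = HostRuleEngine(rules)
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(engine.feed(line))
    return sorted(alerts, key=lambda a: a.severity, reverse=True)


if __name__ == "__main__":
    for a in run_engine(SAMPLE_LOG):
        print(f"[sev {a.severity}] {a.rule} key={a.key} action={a.action} ({len(a.evidence)} events)")
```

The threshold/window pair is what turns four individually harmless logon failures into one actionable event while leaving a single failure silent; keying the window on the user name keeps one noisy account from masking another.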

ManHunt

Symantec added ManHunt to its portfolio with the acquisition of Recourse Technologies in July 2002. This product has entirely superseded AXENT’s NetProwler NIDS. (The Recourse acquisition also gave Symantec the ManTrap “honeypot” or, as Symantec calls it, “decoy server” product.)

ManHunt uses a hybrid detection architecture that allows an organization to customize sensor detection capabilities to the network environment. ManHunt uses a variety of detection techniques: protocol anomaly detection, stateful signature detection, traffic rate monitoring, protocol state tracking and fragmented IP packet re-assembly, as well as allowing custom signatures, including modified Snort signatures. (Snort is the leading open-source IDS, with a reputation for prompt signature release.)

ManHunt still uses Recourse’s cluster architecture (console, master cluster node and slave cluster nodes). Symantec will provide initial SESA integration with a “SESA bridge” in ManHunt 3.0, available in mid-2003. A fully SESA-compliant version will be available in 2004.

ManHunt uses a real-time analysis and correlation engine to evaluate high-volume network events in context. Symantec ManHunt Smart Agents can collect information from other security devices: NIDS, HIDS and firewalls. Using “Cross-Node Analysis,” ManHunt can discover trends and related events throughout large, geographically dispersed networks and can filter out erroneous data.

ManHunt uses policy-based responses to contain and control attacks in real time and to initiate other actions required for incident response. Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type of incident and the location of the event within the network. ManHunt can trace attacks back to the ingress point within the network using proprietary “FlowChaser” technology.
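To make the hybrid model concrete, here is an added example (not ManHunt code) of three of the techniques working together on a constructed packet stream: protocol state tracking gates a stateful signature so that matching bytes outside an established TCP session do not alert, a protocol model catches a malformed HTTP request with no signature at all, and SYN-rate monitoring flags a port scan. The resulting events are rolled into per-source incidents scored from the four inputs ManHunt uses for prioritization (see Table 5). The weights, the `/cgi-bin/phf` pattern, the thresholds and the addresses are this example's assumptions.

```python
"""Hybrid network detection: state tracking, stateful signatures, protocol anomaly,
scan detection and incident correlation (added example, not Symantec code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    """One decoded TCP packet; constructed for the example, not captured traffic."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""            # "S" SYN, "SA" SYN/ACK, "A" ACK, "PA" PSH/ACK
    payload: bytes = b""


@dataclass
class Event:
    kind: str
    src: str
    severity: int              # intrinsic severity of the event type (1-10)
    reliability: float         # 0-1: how trustworthy the detection method is
    intensity: int = 1         # traffic level, e.g. distinct ports touched by a scan
    detail: str = ""


# Assumed illustrative signature, meaningful only inside an established session.
SIGNATURES = {b"/cgi-bin/phf": ("phf_probe", 6, 0.9)}
# Protocol model of an HTTP request line; anything else on port 80 is an anomaly.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) \S{1,1024} HTTP/1\.[01]\r\n")
SCAN_PORTS, SCAN_WINDOW = 5, 2.0   # distinct ports within this many seconds => scan


class HybridDetector:
    def __init__(self) -> None:
        self.handshake: Dict[Tuple[str, str, int], int] = {}   # (client, server, port) -> stage
        self.established: Set[Tuple[str, str, int]] = set()
        self.syns: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self.events: List[Event] = []
        self.suppressed = 0    # signature hits seen outside any established session

    def feed(self, p: Packet) -> None:
        key = (p.src, p.dst, p.dport)
        # Protocol state tracking: only a completed three-way handshake makes a session.
        if p.flags == "S":
            self.handshake[key] = 1
            self._track_scan(p)
        elif p.flags == "SA":
            rev = (p.dst, p.src, p.sport)
            if self.handshake.get(rev) == 1:
                self.handshake[rev] = 2
        elif p.flags == "A" and self.handshake.get(key) == 2:
            self.established.add(key)
        if p.payload:
            self._inspect(p, key in self.established)

    def _track_scan(self, p: Packet) -> None:
        hits = self.syns[p.src]
        hits.append((p.ts, p.dport))
        hits[:] = [h for h in hits if h[0] >= p.ts - SCAN_WINDOW]
        ports = {port for _, port in hits}
        if len(ports) >= SCAN_PORTS:
            self.events.append(Event("port_scan", p.src, 3, 0.8, len(ports), f"ports {sorted(ports)}"))
            hits.clear()

    def _inspect(self, p: Packet, in_session: bool) -> None:
        for pattern, (name, sev, rel) in SIGNATURES.items():
            if pattern in p.payload:
                if in_session:
                    self.events.append(Event(name, p.src, sev, rel, detail=f"dport {p.dport}"))
                else:
                    self.suppressed += 1   # a stateless engine would have alerted here
        # Protocol anomaly detection needs no signature: a malformed request line suffices.
        if in_session and p.dport == 80 and not HTTP_REQUEST.match(p.payload):
            self.events.append(Event("http_protocol_anomaly", p.src, 5, 0.7, detail=f"{len(p.payload)} bytes"))


def incident_priority(events: List[Event]) -> float:
    """Combine the four inputs named in Table 5; the weights are this example's assumption."""
    top = max(events, key=lambda e: e.severity)
    others = sum(e.severity for e in events if e is not top)
    intensity = max(e.intensity for e in events)
    return round(top.severity * top.reliability + 0.5 * min(intensity - 1, 10) + 0.25 * others, 2)


def correlate(events: List[Event]) -> Dict[str, float]:
    """One incident per source address, highest priority first."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    return dict(sorted(((s, incident_priority(ev)) for s, ev in by_src.items()), key=lambda kv: -kv[1]))


def three_way_handshake(ts: float, client: str, cport: int, server: str, port: int) -> List[Packet]:
    return [Packet(ts, client, cport, server, port, "S"),
            Packet(ts + 0.01, server, port, client, cport, "SA"),
            Packet(ts + 0.02, client, cport, server, port, "A")]


# Constructed traffic using documentation address ranges, not a capture.
ATTACKER, VICTIM, CLIENT, DECOY = "192.0.2.7", "10.0.0.5", "198.51.100.4", "192.0.2.9"
SAMPLE_TRAFFIC = (
    [Packet(1.0 + i * 0.1, ATTACKER, 40000 + i, VICTIM, port, "S") for i, port in enumerate([21, 22, 23, 25, 80])]
    + three_way_handshake(5.0, ATTACKER, 41000, VICTIM, 80)
    + [Packet(5.1, ATTACKER, 41000, VICTIM, 80, "PA", b"GET /" + b"A" * 2000 + b" HTTP/1.0\r\n")]
    + three_way_handshake(6.0, CLIENT, 51000, VICTIM, 80)
    + [Packet(6.1, CLIENT, 51000, VICTIM, 80, "PA", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n")]
    + [Packet(7.0, DECOY, 1234, VICTIM, 80, "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n")]   # no session
)


def run_detector(packets: List[Packet] = SAMPLE_TRAFFIC):
    det = HybridDetector()
    for p in packets:
        det.feed(p)
    return det.events, correlate(det.events), det.suppressed


if __name__ == "__main__":
    events, incidents, suppressed = run_detector()
    for e in events:
        print(f"{e.kind:22} src={e.src} sev={e.severity} rel={e.reliability} {e.detail}")
    print("incidents:", incidents, "| stateless signature hits suppressed:", suppressed)
```

Two points are worth noticing when running it: the overlong request from the attacker is caught purely by the protocol model, with no signature for it, and the decoy packet carrying the signature bytes without a handshake is counted but never raised, which is the false-positive reduction that Table 4 attributes to stateful engines.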

Related Products

• ManTrap is a honeypot product—or what Symantec calls a decoy server product. ManTrap Decoy Servers reside within the internal network and transaction zone (or de-militarized zone [DMZ]) to monitor, respond to and log the actions of an attack. ManTrap can provide real-time detection of known and novel attacks on both host-based and network-based services. Because it is a decoy and has no other legitimate function, all activity directed toward ManTrap is immediately considered suspicious. It does not require signatures to detect attacks. ManTrap uses a granular policy-based response mechanism. For example, if an attack is specifically intended as a “hop” to further compromise network assets or other networks, ManTrap incorporates response policies that may be implemented to restrict any outbound connections, immediately containing the attack. ManTrap requires a dedicated Sun Solaris server (Scalable Processor Architecture [SPARC] or Intel), which has a hardened kernel that doesn’t allow log data to be compromised.

• Symantec Gateway Security is a 1U rack-mountable appliance that integrates firewall, antivirus, Internet content filtering, intrusion detection and virtual private networking (VPN) technologies. This appliance is designed to meet the needs of small and midsize organizations as well as branch locations within larger organizations. The embedded IDS technology is from AXENT NetProwler, but Symantec plans to replace this with ManHunt technology in the next version, due in the summer of 2003.

Table 1: Overview: Symantec Host IDS and ManHunt

Version
  Host IDS: Symantec Host IDS 4.0
  ManHunt: ManHunt 2.2

Date Announced
  Host IDS: October 2002 (v4.1 planned for mid-2003 release)
  ManHunt: October 2002 (v3.0 planned for mid-2003 release)

Installed Base
  Host IDS: Worldwide, North America, Latin America, Europe, Middle East and Africa (EMEA) and Asia/Pacific: all undisclosed
  ManHunt: Worldwide, North America, Latin America, EMEA and Asia/Pacific: all undisclosed

Table 2: Functions and Facilities: Symantec Host IDS and ManHunt: Technology Infrastructure Characteristics

Operating Systems
  Host IDS: Microsoft Windows 2000. Versions for Sun Solaris and other Unix OSs (HP-UX, IBM AIX and Linux) are scheduled for mid-2003 delivery. A version for Novell NetWare is also planned for late 2003.
  ManHunt: Not applicable (NIDS).

Network Topology
  Host IDS: Not applicable (HIDS).
  ManHunt: Fast Ethernet 10/100 and gigabit Ethernet interfaces.

Switched Network Capability
  Host IDS: Not applicable (HIDS).
  ManHunt: ManHunt can be deployed in large, switched network environments.

Network Protocols
  Host IDS: Not applicable (HIDS).
  ManHunt: TCP/IP.

Network Application Protocols
  Host IDS: Not applicable (HIDS).
  ManHunt: At least: Border Gateway Protocol (BGP), Domain Name System (DNS), Finger, FTP, Hot Standby Router Protocol (HSRP), HTTP, Ident, Internet Message Access Protocol (IMAP), Internet Relay Chat (IRC), Network News Transfer Protocol (NNTP), Open Shortest Path First (OSPF), Post Office Protocol 3 (POP3), Remote Login (Rlogin), Remote Procedure Call (RPC), Remote Shell (RSH), Server Message Block (SMB), Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), SOCKS and Telnet.

Applications
  Host IDS: The Host IDS agent can monitor any application that uses an event log; for example, the Microsoft IIS Web server.
  ManHunt: None.

Customizable System Log/Audit Record Definition
  Host IDS: Can audit any American Standard Code for Information Interchange (ASCII) formatted log.
  ManHunt: Not applicable (NIDS).

Customizable Protocol Definition
  Host IDS: Not applicable (HIDS).
  ManHunt: ManHunt supports custom network signatures.


Table 3: Functions and Facilities: Symantec Host IDS and ManHunt: Ruleset Characteristics

Detection Method
  Host IDS: Information is gathered from monitored sources and evaluated against a signature rule base. If a match is made, the action specified in the rule is executed.
  ManHunt: Uses a hybrid-detection architecture that includes protocol anomaly detection, stateful signature detection, traffic rate monitoring, network flow monitoring, scan and flood detection, fragmented IP packet re-assembly and custom signatures to detect both known and novel attacks.

Execution Frequency
  Host IDS: Real time for all analysis.
  ManHunt: Uses a real-time analysis and correlation engine to evaluate network events in context.

Additional Misuse Monitoring
  Host IDS: Can detect a number of viruses and types of malicious code through integration with Symantec’s antivirus products.
  ManHunt: Can detect any attack based on protocol violation, explicit signature misuse detection (if the signature is loaded into the hybrid engine) and dynamic traffic anomalies.

Customizable Attack and Misuse Definition
  Host IDS: Allows an organization to create fully customizable policies (or signatures) and merge them with those supplied.
  ManHunt: Allows an organization to create custom attack definitions (or signatures).

Attack Definition Updates
  Host IDS: Policy updates are available to customers who purchase a maintenance agreement. Policy updates should occur every 12 weeks—or as needed in response to an outbreak—via Symantec’s LiveUpdate distribution.
  ManHunt: Signature updates are available to customers who purchase a maintenance agreement. Signature updates occur every 45-90 days—or as needed in response to an outbreak. Additional protocol models may be incorporated in new software releases.

Secure Attack Definition Updates
  Host IDS: Symantec LiveUpdate is a secure delivery mechanism.
  ManHunt: Signature updates are available via Web download. (This does not use Symantec LiveUpdate.)


Table 4: Functions and Facilities: Symantec Host IDS and ManHunt: Performance Characteristics

Performance
  Host IDS: HIDS performance depends critically on the volume of data being logged by the many applications that can be running on the machine at the same time. Symantec states that under “normal” installation and usage, HIDS will use less than 10 percent of CPU capacity.
  ManHunt: ManHunt can monitor network traffic and detect intrusions at speeds of up to 2 Gbps (without dropping packets) across four gigabit interfaces or 12 Fast Ethernet interfaces on a single node. (Based on a 2-CPU Dell 1650 with 4GB RAM or similar.)

Accuracy
  Host IDS: Symantec claims that Host IDS has one of the lowest false positive rates in the market.
  ManHunt: ManHunt uses protocol anomaly detection and stateful signature detection, which leads to much lower false positive rates than stateless engines.


Table 5: Functions and Facilities: Symantec Host IDS and ManHunt: Response Characteristics

Response
  Host IDS: Can take predefined actions that include:
    • Logging off a user
    • Disabling a user account
    • Logging the event to a local or network file
    • Killing a process
    • Rebooting a machine if needed
    • Keeping a set process up and running at all times.
  Can also raise alerts, including console alerts, e-mail and paging.
  ManHunt: Uses proactive, policy-based response. Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type of incident and the location of the event within the network. Can respond with any of the following, individually or in combination:
    • Session termination;
    • FlowChaser and TrackBack, which can trace attacks with spoofed IP addresses back to the ingress point within the network;
    • Quality of service (QoS) filters that mitigate denial-of-service attacks by suggesting QoS access control lists (ACLs) to be placed on a network device;
    • Traffic recording;
    • Handoff to another ManHunt cluster to continue TrackBack;
    • SNMP and e-mail notification.

Customizable Response
  Host IDS: Supports user-defined actions that can be associated with any detection rule. These actions include the ability to execute external programs and scripts.
  ManHunt: Allows custom response.

Event Prioritization
  Host IDS: Policies that trigger events are pre-configured with a “severity” setting (value) that prioritizes which events are displayed first.
  ManHunt: Uses four variables to perform statistical analysis and then assigns different priority levels as they apply to the incident. These variables are:
    • The intrinsic severity of the type of event
    • The level/intensity of traffic for scan and flood events
    • The reliability of the event
    • The severity of other events in the same incident.

Report Merging and Data Visualization
  Host IDS: Reporting is delivered via the SESA management system, which includes a number of pre-configured reports as well as charts depicting information on specific attacks and high-level IDS trends.
  ManHunt: Detects attacks across nodes and correlates and aggregates events from disparate sensors into incidents. Presents information in interactive reports; administrators can “drill down” to an individual attack. Reports can be presented in tables or charts (pie, column and bar).

Event Trace and Replay
  Host IDS: Events can be replayed based on review of data that is kept in the SESA Datastore.
  ManHunt: Can be configured to enable full packet capture. (ManHunt 3.0 will allow replay from the console.) Also incorporates FlowChaser and TrackBack technology to trace an attack back to the source using traffic flow information provided by other network infrastructure devices.

Customizable Reports
  Host IDS: Administrators can define custom reports.
  ManHunt: Console reporting includes customizable charts and graphs for trend analysis and event prioritization. Allows incident and event export to Structured Query Language (SQL) database formats for custom reporting.

Session Hijacking
  Host IDS: None.
  ManHunt: None.

Session Termination
  Host IDS: None.
  ManHunt: Can perform a reset/termination automatically based on predefined policy configurations or via operator control.

Firewall Reconfiguration
  Host IDS: None.
  ManHunt: None.

Router or Switch Reconfiguration
  Host IDS: None.
  ManHunt: QoS filter recommendations for QoS ACLs to be placed on routers for denial-of-service protection.

Deception Techniques
  Host IDS: None.
  ManHunt: None.

Automatic Vulnerability Correction
  Host IDS: None.
  ManHunt: None.

Table 6: Functions and Facilities: Symantec Host IDS and ManHunt: Operational Characteristics

Implementation
  Host IDS: A software product that is installed on standard OS server platforms.
  ManHunt: A network-based detection, response and incident management system (software product) that integrates with the switch and routing infrastructure.

Information Sources
  Host IDS:
    • OS system and audit logs
    • Application logs and audit files
    • File system
    • Windows Registry
  (HIDS 4.1 will add process monitoring, blocking and reporting.)
  ManHunt: Monitors network traffic.

Distributed Deployment
  Host IDS: An organization can use popular software distribution services to initially deploy the software, and Symantec’s LiveUpdate to distribute subsequent updates to software and signatures.
  ManHunt: Provides “intelligent” collaboration between geographically distributed sensors. A single system can monitor multiple segments, virtual local-area networks (VLANs) and switches from a single host.

Sensor-to-Console Ratio
  Host IDS: A manager can support up to 3,500 agents in centralized, distributed, hierarchical and redundant configurations. (Symantec cites a major U.S. government customer for this figure.) A console connects to a single manager at one time.
  ManHunt: A single administration console can monitor a cluster of up to 125 nodes. Each node can support 12 Fast Ethernet sensors or four gigabit sensors; hence a cluster of ManHunt nodes can scale to 1,500 Fast Ethernet sensors or 500 gigabit sensors.

System Requirements for Console
  Host IDS: A Java-enabled browser (for example, Internet Explorer 5.5 or higher).
  ManHunt:
    • Microsoft Windows 98, NT 4.0 or 2000, or Solaris 2.6, 7 or 8
    • Java 2 Runtime Environment v1.3 or v1.4
    • Minimum 256MB RAM
    • Minimum 20MB free disk space

System Requirements for Network Sensors
  Host IDS: General system requirements for the agent are 128MB RAM and 64MB available disk space.
  ManHunt: Requires a dedicated system with:
    • Sun 64-bit Solaris 8 or Solaris 8 Intel Edition
    • Dedicated SPARC or Intel hardware
    • One network interface for each monitored device—up to 12 Fast Ethernet or four gigabit Ethernet
    • One network interface for administration/management
    • 1GB RAM for Fast Ethernet configurations, 2GB RAM for single-gigabit configurations and 4GB RAM for multigigabit configurations
    • Java 2 Runtime Environment, Standard Edition 1.2.2

Exportability
  Host IDS: Uses 128-bit Secure Sockets Layer (SSL) encryption and is exportable to unrestricted organizations and nations.
  ManHunt: Symantec offers the same version globally.

Robustness
  Host IDS: Uses extensive flow control and queuing to ensure reliable agent/manager communications. Furthermore, the agent state is preserved on shutdown, and the agent can resume detection in the same state it was in prior to shutdown.
  ManHunt: Multiple nodes may be deployed in a high availability (H/A) pair configuration to ensure uptime and uninterrupted event detection.

Software Updates
  Host IDS: Software updates are available to customers who purchase a maintenance contract; they are entitled to automatic updates and upgrades to the product as these are released.
  ManHunt: Same as for HIDS.

Secure Software Updates
  Host IDS: Symantec LiveUpdate is a secure delivery mechanism.
  ManHunt: All software updates reside in a secure location and are accessible to Symantec customers via a secure, authenticated Web download service.

Table 7: Functions and Facilities: Symantec Host IDS and ManHunt: Management Characteristics

Management
  Host IDS: The management architecture is three-tier (console, manager and agent), based on SESA.
  ManHunt: Uses a Java-based graphical user interface (GUI) enabling rapid deployment, policy maintenance, event filtering and effective attack mitigation. Provides single-point management of multiple deployments from any console.

Comprehensive Network Management System (NMS)
  Host IDS: May be integrated with NMSs using bridge modules between SESA and third-party NMSs.
  ManHunt: From ManHunt 3.0, with the release of the SESA bridge, as for HIDS.

Alternative Management System
  Host IDS: None.
  ManHunt: None.

Vulnerability Scanner
  Host IDS: Does not share a management interface with any vulnerability assessment product.
  ManHunt: Does not share a management interface with any vulnerability assessment product. There are plans for future integration, however.

Separate Host-Based or Network-Based IDS
  Host IDS: ManHunt can consume and correlate HIDS data. Fully integrated management will be provided through SESA in a future release.
  ManHunt: ManHunt Smart Agents can take events from Symantec Host IDS and from third-party products:
    • Cisco IDS (NIDS)
    • Snort (NIDS)
    • Enterasys Dragon (NIDS)
    • ISS RealSecure (NIDS)
    • Tripwire (file-integrity assessment)
    • Okena StormWatch HIDS (now acquired by Cisco)
    • Check Point Firewall-1
    • NetScreen integrated firewall and VPN systems and appliances

Table 8: Functions and Facilities: Symantec Host IDS and ManHunt: SecurityCharacteristics

Host IDS ManHunt

Security Audit Supports the option to

create an audit/debug log.

Creates a signed database

of

administration/configuration

events.

Identification and Authentication

Login User has to log in and

provide a password to

access any event or

configuration data for the

IDS system.

User may log in and

provide a password to

access any event or

configuration data.

The log-in has multiple

levels, giving varying levels

of access to administrators

and users.

Authentication Failure Handling Account lockout setting is

available and accessible as

a SESA/Lightweight

Directory Access Protocol

(SESA/LDAP) configuration

option.

A user supplying an

incorrect password, port or

IP address will be denied

access, and the event will

be logged to the signed

database.

Page 15: Symantec Host Intrusion Detection System and ManHunt ... · Symantec Host Intrusion Detection System and ManHunt Network Intrusion Detection System ... provides consolidated data

Symantec Host Intrusion Detection System and ManHunt Network Intrusion DetectionSystem

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved.DPRO-935021 July 2003 15

Table 8: Functions and Facilities: Symantec Host IDS and ManHunt: SecurityCharacteristics

Host IDS ManHunt

User Attribute Definition Maintains user name, role,

password and privileges for

each user.

Maintains user name,

password and access

privileges for each user on

the host.

Authentication Service Symantec Host IDS

authenticates users to the

console and agents to the

manager using encrypted

passwords and credentials.

Communicates between

the master node and the

administration console and

between ManHunt nodes

within the same cluster

using password protected

Diffie-Hellman

authentication.

Users may also use an

iButton (from Dallas

Semiconductor) to sign

logs. The iButton protects

against falsification of log

records and provides

Federal Information

Processing Standard

(FIPS)-140 authenticated

signatures for non-

repudiation of events.

Security Policy Management

Non-Bypassability of the Security Policy The console invokes an

authentication request on

any attempt to access

configuration or event data.

Unless the console has

correctly authenticated to

the ManHunt host, the

encrypted control tunnel

cannot be established.

Domain Separation Supports configuration

groups or domains making

it possible to configure

different levels of security

and apply that security

easily to predefined groups

of servers.

ManHunt has the ability to

segment network domains

by VLAN.

Page 16: Symantec Host Intrusion Detection System and ManHunt ... · Symantec Host Intrusion Detection System and ManHunt Network Intrusion Detection System ... provides consolidated data

Symantec Host Intrusion Detection System and ManHunt Network Intrusion DetectionSystem

© 2003 Gartner, Inc. and/or its Affiliates. All Rights Reserved.DPRO-935021 July 2003 16

Table 8: Functions and Facilities: Symantec Host IDS and ManHunt: SecurityCharacteristics

Host IDS ManHunt

Administration
Host IDS: A default administrator account is provided that has all rights needed to configure and administer the system as well as create supplemental accounts complete with roles and permissions.
ManHunt: An Administrative account must be used for accessing ManHunt security functions.

System Privileges and Access Control
Host IDS: The management console implements role-based access control. Access to certain management functions is restricted unless specifically permitted.
ManHunt: There are two types of administrator pass-phrases in ManHunt, administrator and user. The administrator pass-phrase allows the user to make changes to the topology tree, response policies and configuration parameters, mark incidents and add incident annotations. The user pass-phrase privileges are limited to marking incidents and adding incident annotations.

Security Roles
Host IDS: Partitions rights generally between the ability to configure the product and the ability to see events and reports, and does this by security domain.
ManHunt: The level of access is defined by the administrator and may encompass either an administrator role or restricted user privileges.

Data and Communications Security

Availability
Host IDS: Uses extensive flow control and queuing to ensure reliable agent/manager communications.
ManHunt: ManHunt communicates to the administration console and between nodes using 256-bit Advanced Encryption Standard (AES) encryption so that information may be securely and easily accessed.


Trusted Communication
Host IDS: Symantec Host IDS uses asymmetric keys to authenticate users and to then exchange data-encryption keys.
ManHunt: Communications between all components are authenticated and encrypted using password-protected Diffie-Hellman and 256-bit AES.

Confidentiality During Transmission
Host IDS: Communications between components are all encrypted using SSL.
ManHunt: Protects data transmitted between management console and sensors using 256-bit AES encryption.

Detection of Modification
Host IDS: Uses cryptographic techniques to detect modification of data. If a payload is altered, Host IDS ignores the payload information.
ManHunt: Logs may be cryptographically signed with the iButton, to detect tampering with log records.

Cryptography Options
Host IDS: None.
ManHunt: ManHunt has the option of incorporating iButton FIPS-140 encryption.

Attack Protection

Self-Monitoring
Host IDS: Monitors all server-auditing sources to ensure that they are not disabled. In addition, the product monitors its own binary files and can monitor its own audit file.
ManHunt: Monitors events associated with console authentication and operation.

Stealth Techniques
Host IDS: None.
ManHunt: All monitoring/sensor interfaces operate in stealth mode with no IP stack.


Table 9: Functions and Facilities: Symantec Host IDS and ManHunt: Support Characteristics

Vendor-Provided Attack Database
Host IDS: Attack database provides basic descriptive information enabling the user to identify the type of attack and providing basic remediation steps. In addition, Symantec offers an optional, full-featured Incident Management application that offers more extensive diagnostic and remediation capabilities.
ManHunt: ManHunt provides detailed descriptions of attacks and remediation steps.

24×7 Vendor Hotline
Host IDS: 24×7 support is available to customers who have purchased platinum or premium-platinum maintenance agreements for both ManHunt and HIDS.
ManHunt: 24×7 support is available to customers who have purchased platinum or premium-platinum maintenance agreements for both ManHunt and HIDS.

Vendor Response
Host IDS: Call back and response is targeted and usually happens within 24 hours.
ManHunt: Call back and response is targeted and usually happens within 24 hours.

Analysis

Host-Based IDS: Host IDS

Symantec developed Host IDS from the earlier Intruder Alert product. Where Intruder Alert boasted broad platform support—not only for Microsoft Windows and leading Unix OSs, but also for Novell NetWare and some less common Unix OSs (SCO, Silicon Graphics)—the new Host IDS is, for the time being, available only for Windows.

Host IDS can not only monitor discrete hosts but can also correlate activity across different hosts. To do this, Host IDS employs an inter-agent communications protocol, which initiates a counter if suspicious activity is suspected (for example, multiple failed logins). The protocol then informs other agents of the possible suspicious activity and makes the counter available to all agents. If a second agent suspects a similar suspicious activity, the counter is incremented. When the counter reaches a user-defined threshold, an alert is generated. This approach gives better accuracy than the simple analysis of discrete events that some other IDS products offer.
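The cross-host counter described above, as an added illustration that is not Symantec's code: a shared counter keyed on the suspicious activity, incremented by whichever agent sees similar activity, with an alert once the user-defined threshold is reached, set beside the per-host analysis it improves on. Host names, the account, and the threshold are constructed sample values.

```python
"""Added example (not Symantec Host IDS code): inter-agent correlation of
suspicious activity via a shared counter, compared with discrete per-host
analysis. All hosts, accounts and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    host: str       # agent that observed the event
    activity: str   # suspicious activity type, e.g. "failed_login"
    subject: str    # what the counter is keyed on (here the account name)


@dataclass
class Correlator:
    """Counters shared by all agents, one per (activity, subject)."""
    thresholds: dict                                   # activity -> alert threshold
    counters: dict = field(default_factory=lambda: defaultdict(int))
    seen_hosts: dict = field(default_factory=lambda: defaultdict(set))
    alerted: set = field(default_factory=set)

    def report(self, ev: Event):
        """Any agent reports here; returns an alert dict when the threshold is hit."""
        key = (ev.activity, ev.subject)
        self.counters[key] += 1            # similar activity from any host increments
        self.seen_hosts[key].add(ev.host)
        if key in self.alerted:            # alert once per key, not on every event
            return None
        if self.counters[key] >= self.thresholds.get(ev.activity, float("inf")):
            self.alerted.add(key)
            return {"activity": ev.activity, "subject": ev.subject,
                    "count": self.counters[key],
                    "hosts": sorted(self.seen_hosts[key])}
        return None


def discrete_alerts(events, thresholds):
    """Baseline: each host counts only its own events, nothing is shared."""
    per_host = defaultdict(int)
    alerts = []
    for ev in events:
        k = (ev.host, ev.activity, ev.subject)
        per_host[k] += 1
        if per_host[k] == thresholds[ev.activity]:
            alerts.append(k)
    return alerts


def correlated_alerts(events, thresholds):
    """Run every event through one shared Correlator and collect the alerts."""
    corr = Correlator(thresholds)
    return [a for a in (corr.report(ev) for ev in events) if a]


# Constructed sample: the same account fails to log in twice on each of three
# hosts. Two per host never reaches a threshold of 5; the shared counter does.
SAMPLE_EVENTS = [Event(h, "failed_login", "svc_backup")
                 for h in ("web01", "web02", "db01") for _ in range(2)]
THRESHOLDS = {"failed_login": 5}

if __name__ == "__main__":
    print("discrete  :", discrete_alerts(SAMPLE_EVENTS, THRESHOLDS))
    print("correlated:", correlated_alerts(SAMPLE_EVENTS, THRESHOLDS))
```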

Network-Based IDS: ManHunt

ManHunt is a newer product with a different heritage, which Symantec added to its portfolio through the acquisition of Recourse and which supersedes Symantec’s earlier NetProwler product from AXENT.


This change of product offering addresses the most serious limitation of NetProwler, that it used only signature-based detection techniques. ManHunt can use signatures, but primarily uses advanced techniques: protocol anomaly detection, traffic rate monitoring, protocol state tracking and IP packet re-assembly. Protocol anomaly detection can catch new attacks on “day zero,” as well as providing more accurate detection than signature-based detection alone. ManHunt can also use custom signatures. This mix of complementary technologies gives the organization a robust network intrusion detection capability that matches the capabilities of leading IDS products.

ManHunt can maintain 100 percent of its detection capability for up to 2 Gbps on a single node. ManHunt can do this by combining flow-based processing with focused analysis to identify malicious traffic within specific states within a protocol. This is a significant advantage in large enterprises with high traffic volumes. Only high-end IDS and IPS appliances from other vendors can match this performance.
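The hybrid approach described above, as an added example that is not ManHunt's or Symantec's code: protocol state tracking for an SMTP command stream (which commands are legal in which session state), a protocol anomaly check that needs no signature, and a signature pass over the same lines. The state table is a simplification of RFC 5321, and the signature and the session are constructed placeholders.

```python
"""Added example (not ManHunt code): protocol state tracking plus protocol
anomaly and signature checks over one SMTP client command stream. The state
table is simplified from RFC 5321; signature and session are constructed."""
import re

# Legal client commands per session state and the state each one leads to.
TRANSITIONS = {
    "INIT":    {"HELO": "GREETED", "EHLO": "GREETED", "NOOP": "INIT", "QUIT": "END"},
    "GREETED": {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "END"},
    "MAIL":    {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "END"},
    "RCPT":    {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "QUIT": "END"},
}
KNOWN_VERBS = {verb for table in TRANSITIONS.values() for verb in table}
MAX_CMD_LINE = 512   # RFC 5321 limit on a command line, including CRLF

# Constructed placeholder signature (not a real ManHunt or Snort rule).
SIGNATURES = {"SIG-CONSTRUCTED-1": re.compile(r"X-Evil-Header", re.IGNORECASE)}


def analyse_session(lines):
    """Return (line_no, kind, detail) findings for a client command stream
    (CRLF already stripped). kind is "anomaly" or "signature"."""
    state, findings = "INIT", []
    for n, line in enumerate(lines, 1):
        # Signature pass: stateless, runs over commands and message body alike.
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                findings.append((n, "signature", name))
        if state == "DATA":
            if line == ".":              # end-of-data marker closes the message
                state = "GREETED"
            continue                     # everything else here is body, not commands
        # Protocol anomaly: over-long command line, flagged without any signature.
        if len(line) + 2 > MAX_CMD_LINE:
            findings.append((n, "anomaly", "command line exceeds 512 octets"))
        # Protocol state tracking: is this verb legal in the current state?
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        next_state = TRANSITIONS.get(state, {}).get(verb)
        if next_state is None:
            detail = (f"{verb} not valid in state {state}" if verb in KNOWN_VERBS
                      else "unknown command")
            findings.append((n, "anomaly", detail))
            continue                     # keep tracking from the current state
        state = next_state
    return findings


# Constructed session: one out-of-order command, one over-long line, one
# signature hit inside the body and one unknown command.
SAMPLE_SESSION = [
    "EHLO client.example",
    "DATA",                                   # DATA before MAIL/RCPT
    "MAIL FROM:<a@example>",
    "RCPT TO:<b@example>",
    "RCPT TO:<" + "c" * 600 + "@example>",   # exceeds the 512-octet limit
    "DATA",
    "X-Evil-Header: constructed",            # matches the placeholder signature
    ".",
    "FROB",                                   # not an SMTP command
    "QUIT",
]

if __name__ == "__main__":
    for finding in analyse_session(SAMPLE_SESSION):
        print(finding)
```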

ManHunt offers real-time event correlation and analysis. Its analysis engine aims to filter out erroneous data and refine only the relevant information, so providing awareness without data overload. ManHunt uses “Cross Node Analysis” and its “Correlation and Aggregation Engine” to spot trends and sort related incidents to quickly recognize events as they happen, with higher confidence than discrete event analysis. ManHunt also supports forensic investigation through a full-packet capture feature on a per-node basis.

ManHunt provides the organization with a policy-based response to detected incidents. Through custom policies, responses can be tailored to the type of incident and the location of the events within the network.

Toward Integrated Management Functions

Symantec had planned to integrate the two ex-AXENT IDS products with a common console, common logging and alerting, and data correlation between HIDS and NIDS, putting it on a similar footing to some of the leading IDS vendors. This move was long overdue, as AXENT had announced a similar development plan before the acquisition by Symantec.

As things turned out, however, this development was superseded by Symantec’s acquisition of Recourse, giving the vendor a new NIDS to integrate with its HIDS.

Host IDS’s management architecture is based on the new SESA. SESA will provide a shared management platform for a variety of security products including antivirus, vulnerability assessment and firewall as well as IDS. Symantec Host IDS will be fully integrated with ManHunt through SESA in a future release.

For now, the products can be integrated only at the event level: ManHunt Smart Agents can take events from Host IDS—as well as third-party HIDS, NIDS, and firewalls.

SESA also facilitates integration with Symantec’s new Incident Manager application. This product incorporates “CyberWolf” technology from Symantec’s acquisition of Mountain Wave, making it easier to identify, correlate and resolve security incidents across the organization.

Signature Updating

Each of the IDS products has a rulebase uncoupled from its analysis engine, so enabling dynamic signature updates. Symantec offers about 400 policies for Host IDS. As ManHunt uses advanced protocol anomaly detection methods and other sophisticated heuristics-based detection methodologies that don’t require traditional signatures, its performance is less dependent on signature updates than NetProwler was. Symantec estimates that ManHunt can detect more than 800 network intrusion events (via both anomalies and signatures).

Host IDS is integrated with Symantec LiveUpdate (the same signature updating mechanism used by Symantec’s antivirus products). A ManHunt version is also slated to support LiveUpdate by the end of 2003, making both IDS products updateable through the Symantec LiveUpdate service. But for now, lack of a common update mechanism may be an issue for some organizations.

Symantec’s security response team manages both Host IDS and ManHunt signature updates. This ensures regular quarterly updates and rapid-response updates as needed to mitigate urgent and severe outbreaks. In addition, both products support full signature customization, allowing organizations to rapidly create or modify signatures. ManHunt’s hybrid analysis engine also allows an organization to use Snort signatures from snort.org.

Pricing

Table 10: Price List: Symantec Host IDS and ManHunt

Product: Price (US$)

Host IDS
Agent: 995 per host
Manager: 28 (for SESA)
Console: No charge

ManHunt
100 megabit: 12,250
200 megabit: 19,995
500 megabit: 35,000
1 gigabit: 70,000
2 gigabit: 125,000

GSA Pricing: Yes.

Competitors

Table 11: Competing IDS Products

Vendor/Product(s): Cisco Systems, Inc. (Internet: www.cisco.com)
• Cisco IDS

Description:
Cisco IDS combines its own NIDS product (formerly NetRanger) with the StormSystem intrusion prevention products for servers and desktops from its recent acquisition of Okena.
Cisco IDS offers a centralized control console that leverages netForensics and other products for event correlation.
The NIDS sensor is normally delivered as an appliance, but can also be implemented as software on Cisco’s PIX Firewall and Internet Operating System (IOS) routers and as a “blade” in Cisco’s switches.
StormWatch host agents intercept an application’s resource requests to the operating system to make a real-time allow/deny decision according to the customer’s application security policy.


Vendor/Product(s): Enterasys Networks, Inc. (Internet: www.enterasys.com)
• Dragon IDS

Description:
Dragon IDS comprises Dragon Network Sensors, Dragon Host Sensors (formerly Dragon Squire) and a common Dragon Enterprise Management Server for Web-based management and reporting.
Dragon Network Sensor is available as software and as Linux-based appliances.
Dragon Host Sensor monitors host platforms, applications, firewalls and other vendors’ NIDSs and HIDS sensors.
Enterasys also offers the Dragon Integrated Server/Sensor, an all-in-one appliance aimed at small or branch office use.
Enterasys has a strong focus on the managed security service provider (MSSP) space and has achieved significant penetration.

Vendor/Product(s): Internet Systems Security, Inc. (ISS) (Internet: www.iss.net)
• Real Secure IDS

Description:
RealSecure integrates RealSecure Network agents (NIDS), RealSecure Host agents (HIDS), RealSecure Desktop agents and RealSecure Vulnerability Assessment agents with its single, central management console, RealSecure SiteProtector.
ISS is integrating components acquired from Network Ice (protocol anomaly detection) and vCIS (preemptive behavioral inspection) into its RealSecure IDS technology and increasing the proactive “prevention” responses.
RealSecure now offers Proventia network intrusion prevention appliances, for aggregate network bandwidth up to 1200 Mbps on one to four network segments.

Vendor/Product(s): Network Associates Inc. (NAI) (Internet: www.nai.com)
• “IntruShield” (formerly IntruVert IntruShield)
• “Entercept” (formerly Entercept Host Sensor)

Description:
NAI was a former leader in the IDS market with the Pretty Good Privacy (PGP) Security CyberCop IDS, but withdrew this product early in 2001.
In May 2003 NAI positioned itself to compete effectively in the IDS market with the acquisition of two IPS vendors:
• IntruVert, one of the leading vendors in the network intrusion prevention space;
• Entercept, with its strong host-based intrusion prevention offering.
NAI’s funds and global presence give these products more leverage in deals where they compete against traditional IDS vendors.


Vendor/Product(s): Snort (Internet: www.snort.org)
• Snort

Description:
Snort is an open-source NIDS, available free under a GNU General Public License. (As such, it is excluded from the Gartner Research Magic Quadrant for this market.)
Snort is the leading open-source NIDS and ranks highly in comparison with commercial NIDS products and higher than any commercial product in signature coverage.
The rapid evolution of the rule sets is an important advantage of an open-source system, where a large community can create new rules promptly.
In some cases, a Snort rule is posted to BugTraq (a moderated mailing list that alerts subscribers to vulnerabilities and offers solutions to deal with them) with the original vulnerability report.
Additionally, Snort also allows plug-ins—ways to incorporate additional detection functionality into the system.
Snort has been making growing inroads into the marketplace, but many organizations are reluctant to adopt it because of the lack of commercial support. In this case, an organization may consider:
• Silicon Defense (Internet: www.silicondefense.com), which provides commercial support contracts for organizations using Snort.
• Sourcefire (Internet: www.sourcefire.com), which offers an enhanced version of Snort with its Intrusion Management System (IMS), an appliance-based system that provides event correlation and analysis.
An organization will likely find it useful to install Snort for at least a trial period during the selection process for a commercial NIDS product. Snort can provide an effective additional source of data to an IT security management product.

Strengths

Increased Accuracy Through Hybrid Detection and Correlation

ManHunt exhibits a low false-positive rate owing to its multiple detection techniques and its ability to correlate attacks in a distributed environment. Host IDS also has improved accuracy through correlation between hosts. Furthermore, using ManHunt Smart Agents, ManHunt can consume and correlate HIDS event data.

High-Bandwidth NIDS

ManHunt can provide full 2-Gbps performance without dropping packets (and, hence, without missing events). This level of performance is typical in IDS and IPS appliances, but is rare in a software product running on a commercial off-the-shelf (COTS) platform. This makes ManHunt more attractive to large organizations with high network-traffic volumes.

Enterprise IT Security Management-Like Capabilities

ManHunt Smart Agents can “consume” event data from a variety of security products, including Symantec Host IDS, third-party HIDS and NIDS, and third-party firewalls (but not Symantec firewalls). This gives the organization a more comprehensive view of activity across the whole network—and allows it to leverage existing investment in other NIDS products. This gives organizations some of the benefits of an enterprise IT security management solution, without the need for a full-blown security management product, such as Symantec’s own Incident Manager.

Limitations

Host IDS 4.0 Available Only for Microsoft Windows

Symantec provides only a Windows version of Host IDS, where the previous versions of the product had very broad platform coverage.

Organizations using Unix rather than Windows servers—especially common for security-critical applications—will for now have to rely on the older Intruder Alert 3.6. Symantec declares that it will continue support for ITA 3.6 until an individual platform is supported under HIDS 4.x or greater. The combination of Host IDS and ITA 3.6 does give broad platform coverage, and Symantec provides an integration tool—a “SESA bridge”—that allows ITA 3.6 agents to work in a Host IDS/SESA environment.

Lack of Integration Between Host IDS and ManHunt

While ManHunt can “consume” alerts generated by Host IDS, through a ManHunt Smart Agent (MSA), and display them in the ManHunt Intrusion Management System, the two products are not yet fully integrated. This disadvantages Symantec’s offering in comparison with leading competitors, where full integration makes IDS management easier.

Host IDS is a native SESA-enabled product, and Symantec plans to make ManHunt fully SESA compliant in 2004. Once this is done, both products will share a common data repository, event monitor and integrated configuration capabilities.

Different Signature Update Routines for Host IDS and ManHunt

Symantec now offers LiveUpdate for Host IDS signature updates, but not yet for ManHunt. For the moment, organizations have to bear the overheads of using different update mechanisms.

Insight

Gartner doesn’t regard Symantec as a leader in the IDS market, but it is a challenger. Intruder Alert was a sound HIDS product, and the new version, Host IDS, benefits from SESA. While Host IDS is now available only for Microsoft Windows 2000, Symantec promises broader platform support in the near future. ManHunt is an advanced NIDS product, far superior to its predecessor, NetProwler, which relied on signatures only. ManHunt’s combination of protocol anomaly detection and other advanced detection techniques allows for high accuracy, even in fully saturated two-gigabit networks. Large organizations might also benefit from the ManTrap “honey-pot” product, while small organizations might prefer to deploy the Symantec Gateway Security appliance. Organizations considering the core HIDS and NIDS products should be aware that Symantec currently lacks the strong network and host integration of some leading competitors. Host IDS and ManHunt are discrete products, albeit with data correlation of Host IDS events in ManHunt. Symantec will address this by offering a “SESA bridge” for ManHunt in mid-2003, with a fully SESA-compliant version of ManHunt planned for 2004.