
Symantec ManHunt V3.0

Is the product supplied as software only or as a hardware appliance? If supplied as an appliance, please provide the hardware specification (CPU, memory, network cards, etc)
In addition to the Symantec/Sun I-Force appliance offering, the Symantec ManHunt product is available as a software offering that runs on a Solaris 8 Sparc/Intel or a RedHat Linux 8.0 Operating System.  The I-Force IDS appliance includes a customized version of ManHunt software specifically optimized for the SUN LX50 x86-based server and Solaris Intel platform.  Models range from a 200 Mbps offering (LX50-FE-200) to a 2 Gbps offering (LX50-GE-2000).

What is the maximum speed/network load (Mbps) claimed with zero packet loss?
When installed on a properly sized system or when using the LX50-GE-2000 appliance, ManHunt is capable of monitoring up to 2 Gigabits of aggregated network traffic.
 

At the maximum load, what is the maximum TCP connection rate (connections per second) claimed?
N/A 

Product architecture (2-tier/3-tier management? Brief description)
The ManHunt architecture is 2-tiered, consisting of a ManHunt host (sensor) and a Java-based Administrative Console GUI. The ManHunt host software requires a dedicated machine running Solaris 8 on a supported Sun® SPARC® or Intel® platform, or Red Hat Linux 8.0. A dedicated Java-enabled system is normally used to run the Administrative Console. The Admin Console is used to configure and manage the ManHunt nodes and to display alerts.

What are the minimum/recommended sensor OS and hardware requirements? Is a dedicated machine required/recommended?
The recommended hardware is a function of the amount of traffic to be monitored and the network configuration. A ManHunt node resides in the same location, and ideally in the same racks, as the switches and other network devices that carry the traffic to be monitored. It has a primary network interface that will be used for administrative communication, as well as communication with other ManHunt nodes and various network devices, as necessary. Additional network interface cards (NICs) are installed in the node machine, including gigabit interfaces to monitor gigabit links that are connected directly to monitored switches.

What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended?
The ManHunt Administration Console should be installed on a separate computer from the ManHunt nodes and it is recommended that the system used have at least a Pentium 2 with 256 MB of memory running Microsoft Windows 2000/XP, or RedHat Linux 8.0 or Solaris 8 Operating Systems.  The Administrator Console also requires the installation of Java 2 Runtime Environment version 1.4 which is included with the ManHunt installation media.   

What are the minimum/recommended management server OS and hardware requirements (if applicable)? Is a dedicated machine required/recommended?
N/A.  ManHunt is a 2-tiered system which does not include a management server in its architecture. 

List required open ports on sensor and their use
ManHunt uses a proprietary protocol called QSP (Query Service Provider) for communications between Administrative Console and the ManHunt nodes.  This protocol requires that a user defined high order port be opened on the ManHunt node.  This port is defined on the initial installation of the software or the initial setup of the appliance.  

List required open ports on management server (if applicable) and their use
N/A.  ManHunt is a 2-tiered system which does not include a management server in its architecture. 

List required open ports on GUI/management console and their use
ManHunt uses a proprietary protocol called QSP (Query Service Provider) for communications between Administrative Console and the ManHunt nodes.  A user defined high order port is used by the QSP and is defined during the initial installation of the ManHunt node. 

Communication protocol between sensor and management server
N/A.  ManHunt is a 2-tiered system which does not include a management server in its architecture. 

Communication protocol between management server and GUI/console
ManHunt is a 2-tiered system which does not include a management server in its architecture.  However, ManHunt uses a proprietary protocol called QSP which enables secure, encrypted communication between the ManHunt master node and the ManHunt administration console.

Encryption between sensor and management server
N/A.  ManHunt is a 2-tiered system which does not include a management server in its architecture. 

Encryption between management server and GUI/console
ManHunt is a 2-tiered system which does not include a management server in its architecture; however, the communication between the master node and the ManHunt administration console uses a proprietary protocol called QSP. QSP enables secure and encrypted communications through the use of Diffie-Hellman key exchange for authentication and 256-bit AES for session encryption.

Once deployed and configured, can sensors be managed from a central console?
Yes.  Once deployed, the ManHunt node can be centrally managed from the Administrative Console.  Functions such as configuration, reporting, signature/engine updates, software restart and system reboot can be performed from the Administrative Console.  

Capacity of the system? How many endpoints can be monitored? Ratio of endpoints to management servers/consoles, etc.
ManHunt uses a clustering architecture that allows for a group of two or more servers to be linked together to share attack data.  Within a network, multiple Symantec ManHunt nodes can work together as a cluster and share event information.  A ManHunt cluster can include up to 100 ManHunt nodes across multiple network segments within multiple network locations.  Each ManHunt node can monitor up to 12 Fast Ethernet or 6 Gigabit Ethernet segments. 

What anti-flooding methods are employed (sensor to management server, and management server to console)?
ManHunt uses a weighted fair queuing algorithm to balance the rate of incoming events into its Analysis Framework (AF). Configurable parameters can be set to control the number of events allowed to flow into the AF as well as the size of the queues used by this function in order to prevent ManHunt's AF from becoming overloaded during an attack.
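The anti-flooding idea described in the answer above, shown as an added example that is not ManHunt's own code: bounded per-source event queues drained by weighted round-robin, so a single source generating a flood of events fills only its own queue (excess is shed and counted) and cannot crowd out events from quieter sources. The class, its parameters and the sample addresses are constructed for this illustration.

```python
from collections import deque, defaultdict


class FairEventIntake:
    """Bounded per-source event queues drained by weighted round-robin.

    Constructed illustration of weighted fair queuing for event intake;
    not ManHunt's implementation or API.
    """

    def __init__(self, max_queue_len, default_weight=1, weights=None):
        self.max_queue_len = max_queue_len      # per-source queue bound
        self.default_weight = default_weight    # events taken per source per round
        self.weights = dict(weights or {})      # optional per-source weights
        self.queues = {}                        # source -> deque of events
        self.dropped = defaultdict(int)         # source -> events shed at intake

    def enqueue(self, source, event):
        """Queue an event for analysis; shed it when that source's queue is full."""
        q = self.queues.setdefault(source, deque())
        if len(q) >= self.max_queue_len:
            self.dropped[source] += 1
            return False
        q.append(event)
        return True

    def drain(self, budget):
        """Return up to `budget` (source, event) pairs for the analysis stage.

        Each round visits every source with pending events and takes at most
        its weight, so one flooding source cannot starve the others.
        """
        out = []
        while len(out) < budget:
            active = [s for s, q in self.queues.items() if q]
            if not active:
                break
            for s in active:
                for _ in range(self.weights.get(s, self.default_weight)):
                    if not self.queues[s] or len(out) >= budget:
                        break
                    out.append((s, self.queues[s].popleft()))
        return out


def demo():
    """Constructed traffic: 1000 events from one source, 5 from another."""
    intake = FairEventIntake(max_queue_len=100)
    for i in range(1000):
        intake.enqueue("198.51.100.7", f"portscan-{i}")
    for i in range(5):
        intake.enqueue("203.0.113.20", f"login-failure-{i}")
    batch = intake.drain(budget=20)
    return {
        "batch_size": len(batch),
        "flooder_served": sum(1 for s, _ in batch if s == "198.51.100.7"),
        "quiet_served": sum(1 for s, _ in batch if s == "203.0.113.20"),
        "flooder_dropped": intake.dropped["198.51.100.7"],
    }


if __name__ == "__main__":
    print(demo())
```

With a 20-event analysis budget, all five events from the quiet source are delivered alongside fifteen from the flooding source, and 900 of the flooder's events never reach the analysis stage. The queue bound and the per-source weights are the two tunables the answer refers to.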

Maximum insertion rate into alerts database
ManHunt has a distributed database architecture and events detected by a ManHunt node are inserted into the database on the same node. Under normal situations, each ManHunt node in a cluster can process approximately 150 events per second into its database, but this figure is dependent on the hardware configuration used. Higher rates are possible with the use of higher performance hardware.

Maximum size of database
By default, the ManHunt database on each node is automatically rotated and archived when it becomes 250 MB in size but the size criteria can be configured by the user to a higher value.    

Maximum number of alerts stored
The maximum number of records stored in the database is a function of how much information is stored with each event.  For example, capturing full packet payload and/or adding annotations to events would require more space.  A database that grows to be 250 MB in size will contain over 2 million event records.  

What happens to alerts in main alert database once capacity limits exceeded (deleted/archived/etc)
Once the configured database capacity has been reached, the records are automatically archived and the archived files can then be copied to another system using Secure Copy. 

What is maximum recommended size of alerts database to maintain acceptable query performance?
Symantec ManHunt uses a proprietary database whose size can grow dynamically.  By default the database is rotated and archived when it reaches 250 MB in size, however this size parameter can be configured larger depending on the hardware used. 

When alerts are removed from main alert database, are they still available for reporting directly (i.e. can reporting tools merge current and archived alerts)
No, not directly.  ManHunt includes utilities to convert the database archives into HTML or ASCII text files. 

Which database product is used for alert storage? Is schema open?
A proprietary database is used to store event, incident, topology and policy data on each of the ManHunt nodes and its schema is not open.  However, utilities are provided to export from this proprietary database into Oracle or MySQL databases for reporting purposes. The schema for the Oracle and MySQL databases is provided. 

What happens when communications between sensor and management server/console are interrupted? Local logging on sensor? Maximum capacity? What happens when local sensor logs are full? Is the local repository secure?
ManHunt is a 2-tiered system and does not use a management server in its architecture; therefore all the logging occurs locally on each node. By default, Symantec ManHunt automatically archives logs based on their size. ManHunt checks the log sizes periodically, and archives any log that meets or exceeds a user-defined size criterion. The log files as well as the archived files remain local on the ManHunt node, which is a hardened Solaris system.

Secure logon for policy management?
Yes. Only a user with administrator role or higher can make changes to the ManHunt configuration, including any response policies, topology, or user-tuneable parameters. The Administrator Console is used to make these changes and the communications between the Administrator Console and the ManHunt nodes are secured using the QSP proprietary protocol.

Granular access (i.e. read only/read-write/etc) granted on a per-user basis? What levels of granularity are supported?
Symantec ManHunt provides efficient, role-based administration using four kinds of user roles with predefined sets of permissions and access: SuperUser, Administrator, StandardUser and RestrictedUser.  During installation of the master node, accounts are created for two of these roles: a SuperUser with full permissions, and a StandardUser with permission to read only.  The SuperUser can then create additional accounts in any of the four roles, at any time after installation. 

Is it possible to define multiple policies for the sole purpose of distributing to multiple sensors with different functions?
No, however, response policies can be configured to respond to events from a specific source or to a specific target. 

How are policies distributed to sensors?
All configuration policies are created and configured using the ManHunt Administrator Console and are initially stored on the  ManHunt master node.  These policies are then propagated to the other nodes in the cluster on a user configurable time interval. 

Can policies be deployed on a per-sensor or per-group basis, or globally only?
Several policies can be defined on a per-sensor basis: filtering policy rules, signature policy, etc. Other policies, like response policies, are currently deployed on a global basis; however, a response policy can be configured based on several variables including sensing interface, IP, etc.

How are policy changes handled? Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
Yes. Since ManHunt policies are global, changes made to the policies are performed centrally using the Administrator Console and then propagated to the other nodes in the ManHunt cluster within a configured time interval.

(NSS NOTE: This does not apply to signature policies; all signature "policies" are defined purely on a per-sensor basis, and changes made to policies (i.e. to disable a specific signature) must be made on every sensor individually.)

Can policy deployment be scheduled?
No. 

Does the sensor remain able to detect alerts at all times during policy/signature updates? Explain how this is achieved.
For response policy updates, there is no disruption to the sensor's detection capabilities. However, for signature updates, the sensor processes running in the system must be restarted, which is accomplished in a matter of a few seconds. While the sensor processes are being restarted, detection is not being performed.

Can the administrator define custom attack signatures?
Symantec ManHunt provides the ability to define and apply your own custom signatures to customize ManHunt to your particular environment. You can view and manage custom signatures from the ManHunt console. 

Regex supported when creating custom signatures?
No. ManHunt signatures are based on a subset of Snort syntax options.
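To make the "subset of Snort syntax" concrete, here is an added example (not ManHunt's engine or its actual option set) of a parser and matcher for a small Snort-style rule subset: the rule header (action, protocol, source and destination address/port, where an address may be `any`, a single IP or a CIDR block) plus the `msg`, `content` (with `|hex|` escapes), `nocase` and `sid` options. Matching is plain substring search, which is consistent with the answer's point that regular expressions are not part of the supported syntax. The rules, packets and sid values below are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)   # [needle bytes, nocase flag] pairs


def _parse_content(raw):
    """Turn a Snort content argument into bytes, expanding |hex| sections."""
    raw = raw.strip().strip('"')
    out = bytearray()
    for i, part in enumerate(raw.split('|')):
        if i % 2 == 1:                      # odd parts sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:
            out += part.encode()
    return bytes(out)


def parse_rule(text):
    """Parse one rule line of the supported subset (quoted ';' is not handled)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header")
    rule = Rule(**{k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")})
    for opt in filter(None, (o.strip() for o in m.group("opts").split(';'))):
        key, _, val = opt.partition(':')
        if key == "msg":
            rule.msg = val.strip().strip('"')
        elif key == "sid":
            rule.sid = int(val)
        elif key == "content":
            rule.contents.append([_parse_content(val), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True        # modifies the preceding content
        # any other option is outside this subset and is ignored
    return rule


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and a bytes payload."""
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (_addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])):
        return False
    if not (_port_match(rule.sport, pkt["sport"]) and _port_match(rule.dport, pkt["dport"])):
        return False
    for needle, nocase in rule.contents:   # every content must be present
        hay = pkt["payload"].lower() if nocase else pkt["payload"]
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def scan(rules, packets):
    """Return (sid, msg) for every rule that fires on every packet."""
    return [(r.sid, r.msg) for p in packets for r in rules if rule_matches(r, p)]


# Constructed rules and packets for the demonstration.
SAMPLE_RULES = [
    'alert tcp any any -> 192.0.2.0/24 80 (msg:"WEB-MISC /etc/passwd request"; content:"/etc/passwd"; nocase; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER|20|anonymous"; nocase; sid:1000002;)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /cgi-bin/view?file=../../ETC/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40001, "dst": "198.51.100.9", "dport": 80,
     "payload": b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n"},   # outside the rule's dst block
    {"proto": "tcp", "src": "203.0.113.6", "sport": 50000, "dst": "192.0.2.20", "dport": 21,
     "payload": b"USER Anonymous\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 50001, "dst": "192.0.2.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
]


def demo():
    return scan([parse_rule(r) for r in SAMPLE_RULES], SAMPLE_PACKETS)
```

Only the first and third constructed packets fire: the second carries the same payload but is addressed outside the rule's destination block, and the fourth has no matching content. The `nocase` modifier is what lets `ETC/passwd` and `Anonymous` match.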

How are new vendor attack signatures obtained and deployed?
They are downloaded via the Symantec website.  The file is then uploaded to the sensor via the ManHunt Console.

Frequency of signature updates?
Security updates are released in case of high-threat scenarios as rapidly as possible. Symantec Security Response reacts to high-threat scenarios on a 24x7 basis. In addition, regular Security Updates are also provided for ManHunt. Security Updates contain signatures, event refinement rules, vulnerability information updates or engine updates.  

What infrastructure does the vendor have behind the signature update process (i.e. dedicated team of engineers? How many? Does it have a name?)
Symantec has a dedicated research and response team, Symantec Security Response. This team works around the clock to understand and research security threats and provides Security Updates for Symantec ManHunt.

Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each sensor/management server?
Yes. The Security Update is a single file that can be placed on a central file share. As long as that file share is reachable by the administration GUI (or multiple GUIs) it can be pushed to multiple sensors.

Can signature updates be scheduled and fully automated?
No.  That is not currently supported. 

Which network types are supported by the sensor?
Symantec ManHunt supports switched ethernet networks of both fiber and copper medium. 

What network protocols are analysed?
ManHunt analyzes TCP, UDP, and ICMP. 

What application-level protocols are analysed?
ManHunt analyzes the most commonly used internet application layer protocols, which include SMTP, SNMP, Finger, DNS, HTTP, IMAP, POP3, Telnet, FTP, NNTP, Rlogin, RSH, RPC, IRC, BGP, HSRP, Ident, SOCKS, LDAP, SSH, OSPF, and SNMP v2 and v3.

Can the product perform protocol decodes?
Yes.  We can perform decodes on any of the supported protocol types. 

Can the product perform protocol anomaly detection?
Yes. Protocol Anomaly Detection continues to be a major detection method used in ManHunt 3.0. State machines are included in the ManHunt detection engine which monitor the supported protocols and identify anomalous usage.

Is the detection engine "stateful"? If so, please explain how this works.
Yes, ManHunt uses protocol state machines in its detection engine and keeps track of each session on the monitored network and analyzes each state transition for anomalies or violations of the protocol.

If stateful - how many open connections can be tracked? Is this value configurable?
We can support up to 1,000,000 connections max across the system. By default it is set to 64,000 per interface. Configuring more requires additional memory on the sensor.

If stateful - for how long are partially opened connections tracked? Is this configurable?
Partially open connections are not treated any differently than any other open connection. This is configurable only through the size of the flow table (up to 1,000,000 records max).

If stateful - for how long are fully opened connections tracked if not used? Is this configurable?
Fully open connections are not treated any differently than any other open connection. This is configurable only through the size of the flow table (up to 1,000,000 records max).

If stateful, explain the behaviour of the system when the state tables are filled
The system will purge the oldest record when the table gets full. 
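The four answers above describe a flow table of bounded size in which half-open and fully open connections are held the same way and the oldest record is purged when the table fills. The following is an added example that is not ManHunt's code: a bounded flow table keyed by a direction-independent 5-tuple with a deliberately tiny TCP state machine, sized for three flows so the purge is visible. "Oldest" is taken here to mean least recently seen, which is an assumption; the answer does not say whether age is measured from first or last packet. The sample traffic is constructed.

```python
from collections import OrderedDict


class FlowTable:
    """Bounded connection-state table that purges the oldest record when full.

    Constructed illustration; not ManHunt's flow table. "Oldest" is taken to
    mean least recently seen (an assumption).
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.flows = OrderedDict()   # key -> record, least recently seen first
        self.evictions = 0

    @staticmethod
    def key(pkt):
        # Direction-independent key so both halves of a session share one record.
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"], ends[0], ends[1])

    @staticmethod
    def next_state(state, flags):
        """Tiny TCP state machine; flags is a string such as 'S', 'SA', 'A', 'F' or 'R'."""
        if "R" in flags:
            return "reset"
        if "F" in flags:
            return "closing"
        if state == "new":
            # A SYN starts a half-open flow; anything else is a mid-stream pickup.
            return "half_open" if flags == "S" else "established"
        if state == "half_open" and "A" in flags and "S" not in flags:
            return "established"     # final ACK of the handshake
        return state                 # SYN-ACK leaves the flow half-open

    def observe(self, pkt, ts):
        """Record one packet; returns the flow's state afterwards."""
        k = self.key(pkt)
        if k in self.flows:
            rec = self.flows.pop(k)               # re-inserted below as most recent
        else:
            if len(self.flows) >= self.capacity:
                self.flows.popitem(last=False)    # table full: purge the oldest record
                self.evictions += 1
            rec = {"state": "new", "initiator": (pkt["src"], pkt["sport"]),
                   "first_seen": ts, "packets": 0}
        rec["packets"] += 1
        rec["last_seen"] = ts
        rec["state"] = self.next_state(rec["state"], pkt.get("flags", ""))
        self.flows[k] = rec
        return rec["state"]


def demo():
    """Five constructed client connections into a table sized for three."""
    table = FlowTable(capacity=3)

    def pkt(sport, flags):
        return {"proto": "tcp", "src": "203.0.113.1", "sport": sport,
                "dst": "192.0.2.10", "dport": 80, "flags": flags}

    # Three half-open connections (SYN only) fill the table.
    for ts, sport in enumerate((40001, 40002, 40003), start=1):
        table.observe(pkt(sport, "S"), ts)
    # A fourth connection arrives while the table is full: 40001 is purged.
    table.observe(pkt(40004, "S"), 4)
    # 40002 completes its handshake and becomes the most recently seen flow,
    # so the fifth connection purges 40003 rather than 40002.
    table.observe(pkt(40002, "A"), 5)
    table.observe(pkt(40005, "S"), 6)
    return {
        "size": len(table.flows),
        "evictions": table.evictions,
        "remaining_ports": sorted(r["initiator"][1] for r in table.flows.values()),
        "states": {r["initiator"][1]: r["state"] for r in table.flows.values()},
    }


if __name__ == "__main__":
    print(demo())
```

The point the answers make is visible in the result: the half-open flows are never aged out ahead of the established one just for being half-open; the only thing that removes a record is the table reaching its capacity, which is why the table size (64,000 per interface by default, up to 1,000,000) is the knob that matters under a SYN flood.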

Will the detection engine alert on ALL suspicious activity, or only when an attack is made against a vulnerable server? If so, please explain in detail how this works. Can this behaviour be modified (i.e. to alert on ALL attacks if required)?
Symantec ManHunt uses multiple detection mechanisms and will alert on all suspicious traffic.

Are server responses monitored and alerted upon?
Yes.  We look at both sides of the session and have detection methods that monitor server responses. 

Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server?)
Yes. ManHunt includes a flow alert feature that allows users to create rules that can alert upon detection of any connections to a specific IP, IP range, port, etc. With this function, a rule can be created to alert if traffic is detected coming from anywhere and connecting to port 21 of any host on a specific network segment or a specific IP address.
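A small rule engine of the kind the answer describes, written as an added example rather than ManHunt's own flow-alert feature or rule format: each rule may constrain protocol, source block, destination block and a destination port range, with any omitted field meaning "anywhere"/"any", and the engine is run over constructed connection records. The first rule is the answer's own example (any source to port 21 on a specific segment); the others show the same mechanism applied to a single host and to a port range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class FlowRule:
    """One user-defined connection-alert rule (constructed for this example)."""
    name: str
    proto: Optional[str] = None                # "tcp"/"udp", or None for any protocol
    src: Optional[str] = None                  # IP or CIDR, or None for any source
    dst: Optional[str] = None                  # IP or CIDR, or None for any destination
    dports: Optional[Tuple[int, int]] = None   # inclusive port range, or None for any port

    @staticmethod
    def _in_net(ip, spec):
        # A bare IP becomes a /32 (or /128) network, so one form covers both cases.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

    def matches(self, conn):
        """conn: dict with proto, src, dst, dport, describing a new connection."""
        if self.proto is not None and conn["proto"] != self.proto:
            return False
        if self.src is not None and not self._in_net(conn["src"], self.src):
            return False
        if self.dst is not None and not self._in_net(conn["dst"], self.dst):
            return False
        if self.dports is not None and not (self.dports[0] <= conn["dport"] <= self.dports[1]):
            return False
        return True


def evaluate(rules, connections):
    """Return one (rule name, connection summary) alert per matching rule and connection."""
    alerts = []
    for conn in connections:
        for rule in rules:
            if rule.matches(conn):
                alerts.append((rule.name,
                               f'{conn["proto"]} {conn["src"]} -> {conn["dst"]}:{conn["dport"]}'))
    return alerts


# Constructed rules: the answer's FTP example plus two variations.
SAMPLE_RULES = [
    FlowRule("ftp-into-dmz", proto="tcp", dst="192.0.2.0/24", dports=(21, 21)),
    FlowRule("any-connection-to-finance-host", dst="198.51.100.25"),
    FlowRule("snmp-from-anywhere", proto="udp", dports=(161, 162)),
]

# Constructed connection records (first packet of each connection).
SAMPLE_CONNECTIONS = [
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.44", "dport": 21},    # FTP into the segment
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.44", "dport": 22},    # same hosts, other port
    {"proto": "tcp", "src": "10.0.0.5", "dst": "198.51.100.25", "dport": 443},  # finance host, any port
    {"proto": "udp", "src": "10.0.0.7", "dst": "192.0.2.2", "dport": 161},      # SNMP get
    {"proto": "tcp", "src": "10.0.0.8", "dst": "198.51.100.30", "dport": 80},   # nothing matches
]


def demo():
    return evaluate(SAMPLE_RULES, SAMPLE_CONNECTIONS)
```

Three of the five constructed connections raise an alert. The second record shows the distinction the answer draws between a host rule and a port rule: the same client and server on port 22 is silent because the rule is scoped to port 21.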

Detect network-level packet based attacks?
Yes.  

Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes. ManHunt detects numerous types of port scans but may require additional configuration of detection parameters in order to detect stealthy scans.

Detect SYN floods? Manual or automatic thresholds? Configurable?
Yes. ManHunt can detect SYN floods with default thresholds that are not currently configurable. 

Perform packet/stream reassembly?
Yes. ManHunt performs fragmentation reassembly.

Perform deobfuscation?
Yes. ManHunt is effective on UTF-8 encoded attacks.  

List all "prevention" features available (TCP reset, ICMP unreachable, firewall reconfiguration, drop packets (in-line only))
Symantec ManHunt can perform TCP reset to both the source and target addresses of an attack to terminate the session.  Furthermore, execution of user written scripts/programs can be used to provide a custom response. 

Packet capture capabilities? Only the trigger packet, or before and after? How are packet captures stored/viewed?
ManHunt is capable of full packet capture, with the offending portion of the packet identified. The packet content  is displayed in the event detail screen. 

Option to record entire sessions for "forensic" investigation? Where is this data stored? How is it secured from tampering?
ManHunt's traffic record response dynamically records traffic in response to an event. Traffic record files are stored in a specific directory on the ManHunt machine. The ManHunt node, where this data resides, is a hardened Solaris system.

Reporting from sensor to console - range of alert response options (detail these, i.e. log, alert, e-mail, pager, packet capture, etc)
ManHunt's automated policy-based response system includes alerting (a console action alert, an email alert and an SNMP trap alert), pinpoint traffic recording, flow tracing, session resetting, QoS ACL suggestion and user-defined custom response.

Can alert response options be set only at a global policy level, only at individual signature level, or to groups of signatures (or a mixture of all three)?
Alert response options can be set on the global policy level, in groups, and by individual signature. 

Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
ManHunt alerts in real time and sends the alerts to the console without any 3rd party software. Events are presented in a correlated and aggregated display and can then be drilled down on for additional information by simply double-clicking on the event or incident.

Can alerts from all sensors be viewed at a single console at the same time (i.e. without having to connect to separate sensors from the console)?
Yes.  The Administration Console connects to the master node of a ManHunt cluster and is used to view event information from all the nodes in the cluster.  Display filtering options are available to allow the viewing of events from a specific ManHunt node of interest.  

Can the central console correlate alerts from multiple sensors (i.e. not just display alerts from multiple sensors, but attempt to infer a connection between different alerts on different sensors)?
Yes.  This is a native function and one of the strengths of ManHunt.  In addition to real-time correlation on the ManHunt nodes, there is also cross-node correlation that is performed using shared event information within a ManHunt cluster. 

Can alerts be correlated manually by the administrator - grouped together in the database as a single event for further investigation?
ManHunt performs event correlation automatically and does not allow for manual correlation by the administrator. However, the administrator is able to adjust the correlation algorithm. 

Can alerts/events be annotated and tracked for investigation by multiple administrators/investigators?
Yes.  Administrator level users are able to add notes to a ManHunt incident record or to any of the event records that make up the incident record.  Annotation becomes a permanent part of these records. 

Does the software offer advice on preventative action to ensure the attack does not happen again?
Yes. This information is offered in the "Long Description" tab of the event detail screen.

What industry standards are supported - Intrusion Detection Exchange Format working group (IDWG), Intrusion Alert Protocol (IAP), Intrusion Detection Message Exchange Format (IDMEF), IDXP - and in what way?
None at this time. 

Which third party event correlation systems are supported and in what way?
ManHunt has its own correlation and aggregation capabilities in its analysis framework and provides fully correlated information. In addition, ManHunt can also integrate with Symantec Incident Manager, an enterprise-wide, cross-security-function, incident correlation and workflow management system.

Integration with other scanning/IDS products?
ManHunt Smart Agents allow ManHunt to take in events from selected 3rd party NIDS, HIDS, Firewalls and Symantec Decoy Server. The MSA Receiver collects event data from log files, SNMP, and source APIs. ManHunt then sends this data to the Analysis Framework for aggregation and correlation with all other ManHunt events. 

Log file maintenance: automatic rotation, archiving, reporting from archived logs, etc.
With a SuperUser or Administrator account, you can export, archive or delete log files at any time using ManHunt. With these same two accounts, the logs can be archived manually at any time. You can also archive the logs based on file size, time, or both. The user may use SCP to move the archived logs to another location. By default, ManHunt automatically triggers log rotation based on size.  
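The size-triggered rotation described here and in the database answers above (archive when a file meets or exceeds a configured size, then copy the archive elsewhere with SCP) as an added example, not ManHunt's own utilities: a periodic check that moves an oversized log into an archive directory under a timestamped name, starts a fresh log, and records a SHA-256 of the archive so the copy on the remote system can be verified against what left the node. File names, the archive naming scheme and the threshold are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile
import time


def rotate_if_needed(log_path, max_bytes, archive_dir, now=None):
    """Archive `log_path` once it meets or exceeds `max_bytes`, then start a fresh log.

    Returns (archive_path, sha256_hex) when a rotation happened, else None.
    Constructed helper, not ManHunt's archiving code.
    """
    if not os.path.exists(log_path) or os.path.getsize(log_path) < max_bytes:
        return None
    os.makedirs(archive_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    archive = os.path.join(archive_dir, f"{os.path.basename(log_path)}.{stamp}.archive")
    # A rename on the same filesystem is atomic; a writer holding the old
    # descriptor keeps writing to the archived inode until it reopens the log.
    shutil.move(log_path, archive)
    open(log_path, "ab").close()                 # fresh, empty log in place
    digest = hashlib.sha256()
    with open(archive, "rb") as f:               # hash the archive before it is copied off-box
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return archive, digest.hexdigest()


def demo(max_bytes=1024):
    """Constructed log of 2,300 bytes against a 1 KiB threshold, checked twice."""
    base = tempfile.mkdtemp()
    log = os.path.join(base, "manhunt-events.log")
    with open(log, "wb") as f:
        f.write(b"constructed event line\n" * 100)   # 23 bytes * 100
    archive_dir = os.path.join(base, "archive")
    first = rotate_if_needed(log, max_bytes, archive_dir, now=0)
    second = rotate_if_needed(log, max_bytes, archive_dir, now=0)   # fresh log is below threshold
    return {
        "rotated": first is not None,
        "second_rotated": second is not None,
        "new_log_size": os.path.getsize(log),
        "archive_size": os.path.getsize(first[0]) if first else None,
        "digest_len": len(first[1]) if first else None,
    }


if __name__ == "__main__":
    print(demo())
```

The second call shows the periodic-check behaviour the answer describes: nothing happens while the current log is below the threshold. Recording the digest alongside the archive gives the receiving system something to compare after the SCP transfer.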

Management reporting: range of reports/custom reports/how easy is it to filter and extract detail? Different reports for technicians and management/end users?
ManHunt provides cluster-wide, on-demand, drill down console based reports that can be generated in text, HTML and PDF formats. These reports can be emailed, saved or printed. In addition, ManHunt provides cluster-wide scheduled reports generated on the ManHunt nodes that can be emailed or archived to a remote machine using secure copy. The reports are created to provide enough detail for both technicians and management. 

Are trend/comparison reports available?
There currently are no trending report capabilities available as a native function; however, the database can be exported to an external database for offline reporting.

Does reporting allow customised filtering down to the level of reporting all activity on a specific network resource/object by a specific user/machine on a specific date?
The drill down capabilities of the reporting allow for specific information on the fields offered. 

Report management: can they be scheduled for automatic production? Can they be e-mailed to administrators or published straight to a Web site?
Yes.   A report scheduler is included in the Administration Console and reports can be automatically generated and emailed to a user defined address.  Reports can be generated in HTML, or ASCII text formats. 

What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector
The ManHunt architecture allows all alerts from the cluster to be centrally correlated, aggregated and reported. 

Ability to define custom reports?
Although canned reports can be scheduled or run on demand and date ranges can be specified, there currently are no facilities to modify the existing report formats or define custom reports.  

Provide brief description of any management software included in the base price of the product. 
The ManHunt management software is included in the price of ManHunt. This management software is the only piece necessary for ManHunt reporting, sensor management, and administration. 

Provide brief description of any additional management products available as extra cost options. 
No additional console options are available. 

Documentation provided
Documentation is included as hardcopy manuals in the media pack as well as softcopy on the installation cdrom media. 

How is the product licensed? How is the license enforced?
The product is licensed using a software Licensing System by aggregate monitored bandwidth, with 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, or 2 Gbps options. All license levels allow multi-segment or multi-interface monitoring (up to 12 Fast Ethernet or 6 Gigabit Ethernet interfaces) 

End user pricing information
Based on bandwidth:

100 Mbps: $8,995
200 Mbps: $16,995
500 Mbps: $31,995
1 Gbps: $63,995
2 Gbps: $124,995

All license levels allow multi-segment or multi-interface monitoring (up to 12 Fast Ethernet or 6 Gigabit Ethernet interfaces).

Price of Dell PowerEdge 2650 as tested is $5777 

Ongoing cost of maintenance/updates
Symantec offers Gold, Platinum and Platinum Premium maintenance programs that can be purchased, but there is no overhead cost of maintaining or updating ManHunt.


Copyright © 1991-2006 The NSS Group Ltd.
All rights reserved.