Is the product supplied as software only or as a hardware appliance? If supplied as an appliance, please provide the hardware specification (CPU, memory, network cards, etc.)

7120
1) 1 x Pentium 4 2.47 GHz processor
2) 2 GB RAM
3) 4 - 10/100 sniffing ports, 1 - 10/100 reset port, 1 - 10/100 management port

7160
1) 2 x Xeon 3.06 GHz processors
2) 6 GB RAM
3) 8 - 10/100/1000 sniffing ports, 3 - 10/100/1000 reset ports, 1 - 10/100/1000 management port
4) Dual power supplies
5) Removable 80 GB HDD

7161
1) 2 x Xeon 3.06 GHz processors
2) 6 GB RAM
3) 4 - 10/100/1000 sniffing ports, 4 - multimode SX fiber sniffing ports, 3 - 10/100/1000 reset ports, 1 - 10/100/1000 management port
4) Dual power supplies
5) Removable 80 GB HDD

Does the sensor work in-line only, or can it support passive monitoring of a switch SPAN port too? If passive monitoring is supported, what is the maximum number of ports that can be monitored by a single sensor?
The sensor works both in-line and passive. You can monitor both in-line and passive at the same time if desired. If you choose to monitor only passive networks you can monitor a total of 8 passive networks with the 716X boxes and 4 with the 7120.

What is the maximum number of in-line connections (port pairs) that can be monitored by a single sensor?
You can monitor 4 with the 716X appliances and 2 with the 7120.

What type (copper/fibre) and speed of network connection are supported by the sensor (include default configuration plus any options)?
You can monitor both 10/100/1000 copper and fiber SX connections with the 7161. With the 7160 you can monitor 10/100/1000 copper connections, and with the 7120 10/100 connections.

What High Availability (HA) features are built in to the product by default?
Symantec Network Security provides a number of ways to recover from network, communication, or process failures. The Availability Monitor keeps track of each node on the network and notifies you if the node fails or becomes unavailable. The Watchdog Process Restart parameter keeps track of processes on a single node. If a process fails, the failure recovery feature notes the failure and takes action to restart that process. Failover groups, configured with the watchdog parameters, ensure detection coverage even if a node should fail. No hardware/sensor HA features are included other than dual power supplies in the 7160/7161.

What High Availability (HA) features are available as extra cost options?
Symantec offers 2 in-line bypass units and 4 in-line bypass units for fail-open capabilities.

What is the maximum speed/network load (Mbps) claimed with zero packet loss and without blocking legitimate traffic?
Symantec Network Security can achieve 1000 Mbps of traffic with zero packet loss in-line with the 7160 and 100 Mbps with the 7120.

At the maximum load, what is the maximum TCP connection rate through the device (connections per second) claimed?
35,000 connections per second. (NSS note: whilst this may be possible with connections with very small response sizes, a limit of approximately 17,000 connections per second was observed in testing with more "real world" traffic.)

What is the average latency claimed through the device (and at what load)?
Average latency is less than 200 microseconds @ 1.0 Gbps.

Management architecture (2-tier/3-tier management? Brief description)
This is a 2-tier architecture. The Symantec Network Security appliances' unique clustering architecture delivers the scalability of a multi-tier architecture without the maintenance and management overhead required to support a management middle layer. A deployment can consist of multiple clusters, each cluster consisting of up to 50 nodes, and an entire cluster can be securely and remotely managed from a centralized administration console. The console provides complete cluster topology and policy management, node and sensor management, incident and event monitoring, and drill-down incident analysis and reporting.

What are the minimum/recommended sensor OS and hardware requirements? Is a dedicated machine required/recommended?
N/A. The SNS 7100 Series are appliances.

What are the minimum/recommended console OS and hardware requirements? Is a dedicated machine required/recommended?
Processor: Intel Pentium or compatible, 1.6 GHz or higher
Operating System: Microsoft Windows 2000 or XP, Red Hat Enterprise Linux 3.0 ES
Memory: Minimum 256 MB, Recommended 512 MB
Disk Space: 50 MB for installation, 100 MB post installation
Screen Resolution: 1024 x 768 or higher
Java: Sun Java™ 2 Runtime Environment (J2RE) version 1.4.2

What are the minimum/recommended management server OS and hardware requirements (if applicable)? Is a dedicated machine required/recommended?
N/A. The manager is contained within the SNS 7100 Series Appliance.

List required open ports on sensor and their use
Port 2600 is used by the Symantec Network Security 7100 Series appliance for management communication. This port is user configurable. Port 22 (SSH) is used for connection to the local command line interface on the appliance.

List required open ports on management server (if applicable) and their use
N/A

List required open ports on GUI/management console and their use
A user defined high order port is defined during the initial installation of the Symantec Network Security nodes. The default port is 2600 and is user-configurable.

Communication protocol between sensor and management server
The Symantec Network Security 7100 is a 2-tiered system that does not include a management server in its architecture. All communications between nodes within a Symantec Network Security 7100 Series cluster are encrypted using 256-bit AES in a Symantec proprietary communication protocol.

Communication protocol between management server and GUI/console
The Symantec Network Security 7100 uses a proprietary protocol called QSP (Query Service Provider) for secure encrypted communications between the Symantec Network Security Console and the SNS nodes.

Encryption between sensor and management server
All communications between nodes within a Symantec Network Security 7100 Series cluster are encrypted using 256-bit AES in a Symantec proprietary communication protocol.

Encryption between management server and GUI/console
The Symantec Network Security 7100 is a 2-tiered system that does not include a management server in its architecture; however, the communications between the master node and the Symantec Network Security Console use a proprietary protocol called QSP. QSP enables secure and encrypted communications through the use of Diffie-Hellman key exchange for authentication and 256-bit AES for session encryption.

Once deployed and configured, can sensors be managed from a central console?
Yes, the SNS 7100 Series appliances can be centrally managed via the Symantec Network Security Console. This Console allows users to manage all aspects of the appliances, from initial provisioning and updating to creating and applying policies and investigating incidents. In addition, the Symantec Enterprise Security Architecture and Symantec Incident Manager solutions provide integrated data consolidation, analysis, and reporting for SNS and other Symantec solutions, as well as a wide range of third-party information security data sources.

Capacity of the system? How many endpoints can be monitored? Ratio of endpoints to management servers/consoles, etc.
A cluster (management group) of Symantec Network Security nodes can contain up to 50 nodes, all of which can be centrally managed via the SNS Console.

How many management consoles can be actively logged in to the management server at the same time?
There is no enforced limit on the number of users who can be actively logged into the management cluster simultaneously. If more than one user with write permissions is logged on at a time, the system will reflect the last changes made by one of these users.

What anti-flooding methods are employed (sensor to management server, and management server to console)?
Anti-flooding measures are employed at multiple levels with the Symantec Network Security 7100 Series solution:
- In the Symantec Network Security Console, the automated correlation feature controls event flow to the Console by only loading events when the Console user clicks on an incident in the Incident pane. In addition, incident display and filtering parameters permit further control over the amount of data that is seen and stored in the Console.
- Within each node, the ESP queues events based on type and IPs in order to prevent discrete attacks from being hidden or lost in a large-scale DoS attack.
- Cross-node correlated events are managed to prevent broadcast of too many cross-node events between nodes.

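The second bullet describes the node-level mechanism: events are queued by type and source address so that a flood on one key cannot drown out a single unrelated event. The following is an added illustration of that idea, not Symantec's code; the per-key cap, the round-robin drain and the sample events are all constructed values.

```python
from collections import OrderedDict, deque

# Constructed stand-in for the per-node event queue described above (not Symantec's
# code): events are keyed by (event type, source IP) so a flood on one key cannot
# starve events on other keys, and draining is round-robin across keys.

PER_KEY_LIMIT = 100   # assumed cap on queued events per (type, source) key


class EventQueues:
    def __init__(self, per_key_limit=PER_KEY_LIMIT):
        self.per_key_limit = per_key_limit
        self.queues = OrderedDict()   # (type, src) -> deque of events; oldest key first
        self.suppressed = {}          # (type, src) -> count of events folded into the key

    @staticmethod
    def key_of(event):
        return (event["type"], event["src"])

    def enqueue(self, event):
        """Queue an event; if its key is already at the cap, count it instead of queueing."""
        key = self.key_of(event)
        q = self.queues.setdefault(key, deque())
        if len(q) >= self.per_key_limit:
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return False
        q.append(event)
        return True

    def drain(self, n):
        """Take up to n events, one per key per round, so every key gets a turn."""
        out = []
        while len(out) < n and self.queues:
            key, q = self.queues.popitem(last=False)   # key that has waited longest
            out.append(q.popleft())
            if q:
                self.queues[key] = q                     # back of the rotation
        return out

    def pending(self):
        return sum(len(q) for q in self.queues.values())


def flood_scenario(flood_count=10_000, limit=PER_KEY_LIMIT):
    """Constructed sample: a SYN-flood burst followed by one unrelated attack event.
    Returns (position of the unrelated event in the first drain of 4,
             events suppressed for the flooding key, events still pending)."""
    eq = EventQueues(limit)
    for i in range(flood_count):
        eq.enqueue({"type": "SYN_FLOOD", "src": "203.0.113.9", "dst": "192.0.2.10", "seq": i})
    eq.enqueue({"type": "HTTP_CMD_EXE", "src": "198.51.100.4", "dst": "192.0.2.20", "seq": 0})
    first_batch = eq.drain(4)
    pos = next(i for i, e in enumerate(first_batch) if e["type"] == "HTTP_CMD_EXE")
    return pos, eq.suppressed.get(("SYN_FLOOD", "203.0.113.9"), 0), eq.pending()
```

With 10,000 flood events ahead of it, the single HTTP event is still the second item handed to the consumer, because the flood occupies one key and only 100 of its events are ever queued; the rest are counted, not lost silently.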
Maximum insertion rate into alerts database
The Symantec Network Security system is tested and certified up to 120 events per second.

Maximum size of database
By default, the SNS database on each node is automatically rotated and archived when it becomes 250 MB in size, but the size criteria can be configured by the user to a higher value. The maximum allowed is 10 GB, at which the database logs will rotate and compress on a drive that will hold 80 GB worth of data.

Maximum number of alerts stored
The maximum number of records stored in the database is a function of how much information is stored with each event. For example, capturing full packet payload and/or adding annotations to events would require more space. A database that grows to be 250 MB in size can contain over 2 million event records.

What happens to alerts in main alert database once capacity limits exceeded (deleted/archived/etc)
Once the configured database capacity has been reached, the records are automatically archived and compressed, and the archived files can then be copied to another system using Secure Copy.

What is maximum recommended size of alerts database to maintain acceptable query performance?
SNS uses a proprietary database whose size can grow dynamically. By default the database is rotated and archived when it reaches 250 MB in size; however, this size parameter can be increased if needed.

When alerts are removed from main alert database, are they still available for reporting directly (i.e. can reporting tools merge current and archived alerts)?
No, not directly. SNS includes utilities to convert the database archives into HTML or ASCII text files.

Which database product is used for alert storage? Is schema open?
Symantec Network Security uses the open-source BerkeleyDB for storage of alerts. While the node database is not directly queryable, the SNS SQLexport feature enables users to replicate their SNS database in a SQL-compliant database for queries and additional analysis.

What happens when communications between sensor and management server/console are interrupted? Local logging on sensor? Maximum capacity? What happens when local sensor logs are full? Is the local repository secure?
Symantec Network Security appliances are designed to continue operation and data logging in the event that communication with the master node or management system is lost. Event data is stored locally on the node that detected the events, and can also be relayed via SESA Agents to the SESA Manager for storage and management in a central SESA database. Local storage of event data ensures security data integrity and operational continuity: in the event that communication with the SNS Console or the SESA Manager is lost, data generated during the down period will be sent to the Console or Manager when the connection is re-established.
The Symantec Network Security appliances are capable of storing up to 80 GB of data locally. Data displayed in the Console is stored in the active database, and then archived to backup log files based on the user-configurable log rotation parameter. The default setting is to rotate data to archive log files every 250 MB, but this parameter can be increased or decreased based on customer needs. Log files can be securely archived via SCP.

Secure logon for policy management?
All policy configuration and administration is performed via the Symantec Network Security Console, which requires a username and password for access. Console logins are securely stored within the SNS system.

Granular access (i.e. read only/read-write/etc) granted on a per-user basis? What levels of granularity are supported (i.e. is it possible to restrict user access to specific parts of the management console, to specific appliances, etc.)?
Yes, the Symantec Network Security Console provides multi-user roles that give administrators control over the level of control and access for each SNS user. Four roles - SuperUser, AdminUser, StandardUser, and RestrictedUser - provide different levels of access to event data and rights to administer, modify, or otherwise manage the SNS deployment.

Is it possible to define multiple policies for the sole purpose of distributing to multiple sensors with different functions?
Yes, different policies can be defined and deployed to different sensors within a management cluster, and even to different interfaces on a single Symantec Network Security node.

How are policies distributed to sensors?
Policies are distributed to Symantec Network Security via a secure communications protocol.

Can policies be deployed on a per-port, per-sensor or per-group basis, or globally only?
Symantec Network Security policy management capabilities give users the ability to perform global and granular configuration of logging and blocking by applying policies at the interface, node, or cluster levels.

How are policy changes handled? Will the central console detect which sensors are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
Policies can be modified manually via the Symantec Network Security Console, or automatically using the AutoUpdate Rules feature. AutoUpdate rules allow new signatures to be added and enabled in active policies when new content has been obtained via LiveUpdate. Predefined policies are kept up-to-date by AutoUpdate rules that automatically add and enable the appropriate new content in existing policies, and users can define their own AutoUpdate rules for their customized policies, ensuring that SNS nodes are equipped with the most current security content while streamlining the policy management process. Because AutoUpdate rules are part of each policy, only users with rights to edit policies can create or modify AutoUpdate rules, and policies can only be edited via the SNS Console - they cannot be accessed or modified directly from the Symantec Network Security node.

Can policy deployment be scheduled?
Yes - when using AutoUpdate rules, the scheduled LiveUpdates in effect also schedule the updates for the detection and prevention policies.

Does the sensor remain able to detect alerts at all times during policy/signature updates? If so, explain how this is achieved. If not, for how long is it inactive, and does the sensor block all or pass all traffic whilst inactive?
The Symantec Network Security sensors continue to detect alerts during policy and signature updates. For policy changes and Security Updates - which include new and updated signatures, the most commonly delivered type of update - detection continues because there is no need to restart the sensor or SNS application. Engine updates can involve interruptions in detection service.

Can the administrator define custom attack signatures?
Yes. Custom signatures may be created using our User Defined Signature Wizard.

Regex supported when creating custom signatures?
Yes. The Symantec Network Security 7100 utilizes Regex as well as additional powerful functions and operands to characterize the latest threats and vulnerabilities.

How are new vendor attack signatures obtained and deployed?
New attack signatures are obtained by using the Symantec LiveUpdate system. Additionally, these signatures may be automatically applied to any policy based on severity, category, protocol and confidence. Furthermore, blocking may be applied to the new attacks.

Frequency of signature updates?
With comprehensive vulnerability attack interception and protocol anomaly detection, Symantec Network Security provides zero-day attack protection for many threats without updates. If updates are required they are sent out via LiveUpdate as needed and developed. Security updates are released in case of critical high-threat scenarios as rapidly as possible (often same day). Symantec Security Response reacts immediately to high-threat scenarios on a 24x7 basis. In addition, regular Security Updates are also provided for the SNS Appliance on a bi-weekly basis.

What infrastructure does the vendor have behind the signature update process (i.e. dedicated team of engineers? How many? Does it have a name?)
Symantec utilizes Symantec DeepSight and Symantec Security Response. Symantec DeepSight is a system that protects assets around the clock using expertise from 24,000 sensors world-wide and 1,500 researchers, analysts and engineers. Symantec Security Response is a worldwide, 24/7 research and response team with industry-leading expertise focused on the content to combat the widest variety of threats, providing updates as new attacks hit. Signature updates include detailed write-ups based on information from the Symantec DeepSight researchers.

Can one signature update file be downloaded to the local network and used to update all sensors from a central location, or is it necessary to initiate a live connection to the Internet download server for each sensor/management server?
The Symantec Network Security 7100 Series appliance's Internal LiveUpdate server feature enables users to update their SNS nodes from an internally managed LiveUpdate server rather than via direct connections to the Symantec LiveUpdate Internet site. Using the Internal LiveUpdate server feature, the LiveUpdate package is downloaded to the internal LU server, and then the SNS nodes are directed to that internal server (the address is user-configurable) for their update packages.

Can signature updates be scheduled and fully automated? Is automated download AND deployment to sensors supported, or just download (or neither)?
New and updated security content can be downloaded and installed on the SNS 7100 using the LiveUpdate feature, which can be run on-demand or scheduled to run automatically hourly, daily, or weekly. LiveUpdate gives users the option of automatically downloading and installing updates, or simply downloading updates without installing, allowing administrators to review updates before deploying them to their IPS nodes. Scheduled and on-demand LiveUpdates can be executed on one or multiple nodes at the administrator's discretion.

What network protocols are analysed?
The Symantec Network Security 7100 analyses transport and network layer protocols including IP, TCP, UDP, ICMP, BGP, OSPF, IGMP, and HSRP.

What application-level protocols are analysed?
The Symantec Network Security analyses over 95 network and application protocols including (a PDF is available): AOL ICQ, AOL Instant Messenger Protocol, Apple iChat, Back Orifice 2000, Back Orifice, Backdoor - Gaobot, Backdoor - Phatbot, BitTorrent, Common Internet File System (CIFS), CHARGEN, DAYTIME, DISCARD, Domain Name Service (DNS), Dynamic Host Configuration (DHCP), ECHO, Emule Peer 2 Peer, File Transfer (FTP), FINGER User Information, Gnutella Bearshare Peer to Peer file sharing, Gnutella Morpheus Peer to Peer file Sharing, Gnutella Peer to Peer file sharing, GOPHER, GTP, GPRS, GRE, Hotline Messaging, Hypertext Transfer (HTTP), Identification (IDENT), Internet Control Message, ICCP/SCADA, Internet Control Message Version 6, Internet Group Management version 2, Internet Message Access version 4, Internet Relay Chat, IP Protocol 103 PIM, IP Protocol 11 Voice Protocol, IP Protocol 53 SWIPE, IP Protocol 55 IP Mobility, IP Protocol 77 Sun ND, Kazaa Peer 2 Peer, Lightweight Directory Access (LDAP), Limewire Peer 2 Peer, Lotus Notes, Microsoft Distributed Component Object Model Remote Protocols, Microsoft Mediaplayer, Microsoft Messenger, Microsoft Remote Procedure Call (RPC), Multipurpose Internet Mail Extensions, NetBIOS, Network News Transport (NNTP), Open Shortest-Path First Interior Gateway (OSPF), Phex Peer 2 Peer, Point-to-Point Tunneling, Post Office version 3, Remote Administrator, Remote Procedure Call (RPC), Remote Login (Rlogin), Remote Shell (RSH), Secure Shell, Secure Socket Layer (SSL), Server Message Buffer (SMB), Simple Mail Transfer (SMTP), Simple Network Management (SNMP), Simple Network Time (SNTP), Simple Server Redundancy, SOCKS version 5, SubSeven trojan, Sun RPC MountD, Sun RPC NFS mount service, Sun RPC NIS Bind, Sun RPC portmapper service, Sun RPC Sadmind, Sun RPC Statd, Sun RPC, Sun RPC ToolTalk, Sun RPC UDP, Swapper Peer 2 Peer, Symantec pcAnywhere, Telnet, Transport Control Protocol (TCP), Trivial File Transfer (TFTP) version 2 Protocol, Virtual Network Computing (VNC), WinMX Peer 2 Peer, Xolox Peer 2 Peer, Yahoo! Messenger.

Can the product perform protocol decodes?
Yes. Symantec Network Security can perform decodes on any of the supported protocol types.

Can the product perform protocol anomaly detection?
Yes. This is a key detection method used in the Symantec Network Security 7100 to provide "zero-day" attack coverage. State machines are included in the Symantec Network Security detection engine that deeply model and monitor the supported protocols and identify anomalous usage.

Can sensor support both normal and asymmetric network configurations?
Yes, the Symantec Network Security Sensor supports both normal and asymmetric network configurations. Symantec utilizes a feature called interface grouping to allow for logical grouping of sensors to allow for accurate detection. This can take the send and receive from a tap and create an interface group.

Is the detection engine "stateful"? If so, please explain how this works.
Yes. The Symantec Network Security 7100 uses protocol state machines in its detection engine, keeps track of each session on the monitored network, and analyzes each state transition for anomalies or violations of the protocol.

If stateful - how many open connections can be tracked? Is this value configurable?
Symantec Network Security can support up to 1,000,000 connections max across the system. By default it is set to 128K per Gigabit interface.

If stateful - for how long are partially opened connections tracked? Is this configurable?
The Symantec Network Security 7100 keeps partially opened connections indefinitely until the space needs to be reclaimed. As added detection for reconnaissance attacks we have a stealth scan detection system that maintains partially open connections in a database for long periods of time for scan analysis. 30 days is the default and this is configurable.

If stateful - for how long are fully opened connections tracked if not used? Is this configurable?
By default, idle TCP connections are tracked for 4 hours (for optimum performance and sensitivity). This time is configurable.

What is the default action when system resources run low or state tables are filled - block or permit all new connections? Is this default action configurable?
When state tables are full, space is reclaimed in a performant manner; Symantec Network Security does not block any new connections. New connections just use the reclaimed space.

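The four stateful-tracking answers above describe a bounded connection table with a per-interface capacity, half-open entries kept until space is needed, a 4-hour idle timeout, and reclaim-rather-than-refuse behaviour when the table fills. The following is an added illustration of that behaviour, not Symantec's code; the reclaim order (idle entries first, then the oldest half-open entry, then the least recently seen) and the sample timeline are assumptions chosen to show each path.

```python
from collections import OrderedDict

# Constructed illustration (not Symantec's code) of the state-table behaviour described
# above: a bounded table that never refuses a new connection, reclaiming space by
# expiring idle entries first, then the oldest half-open entry, then the least recently
# seen entry. Defaults use the page's figures (128K per interface, 4 h idle).

IDLE_TIMEOUT_SECONDS = 4 * 3600


class ConnectionTable:
    def __init__(self, capacity=128 * 1024, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        # key (5-tuple) -> {"state": ..., "last_seen": ...}; kept in ascending last_seen order
        self._conns = OrderedDict()
        self.stats = {"idle_expired": 0, "half_open_reclaimed": 0, "lru_reclaimed": 0}

    def __len__(self):
        return len(self._conns)

    def __contains__(self, key):
        return key in self._conns

    def track(self, key, now, established=False):
        """Record activity for a 5-tuple at time `now` (seconds, non-decreasing).
        Returns the entry's state after the update."""
        entry = self._conns.get(key)
        if entry is None:
            if len(self._conns) >= self.capacity:
                self._reclaim(now)
            entry = {"state": "ESTABLISHED" if established else "SYN_SEEN", "last_seen": now}
            self._conns[key] = entry
        else:
            entry["last_seen"] = now
            if established:
                entry["state"] = "ESTABLISHED"
            self._conns.move_to_end(key)      # keeps ascending last_seen order
        return entry["state"]

    def expire_idle(self, now):
        """Drop entries idle longer than the timeout. Entries are in ascending
        last_seen order, so scanning can stop at the first live one."""
        dropped = 0
        for key, entry in list(self._conns.items()):
            if now - entry["last_seen"] <= self.idle_timeout:
                break
            del self._conns[key]
            dropped += 1
        self.stats["idle_expired"] += dropped
        return dropped

    def _reclaim(self, now):
        if self.expire_idle(now):             # freed at least one slot
            return
        half_open = next((k for k, e in self._conns.items() if e["state"] == "SYN_SEEN"), None)
        if half_open is not None:
            del self._conns[half_open]
            self.stats["half_open_reclaimed"] += 1
            return
        self._conns.popitem(last=False)       # least recently seen established entry
        self.stats["lru_reclaimed"] += 1


def demo_scenario():
    """Constructed timeline over a 3-entry table with a 10 s idle timeout.
    Returns (stats, source addresses still tracked at the end)."""
    t = ConnectionTable(capacity=3, idle_timeout=10)
    A, B, C, D, E, F, G, H = [("10.0.0.%d" % i, 5000 + i, "192.0.2.1", 80, "tcp") for i in range(1, 9)]
    t.track(A, now=0)                     # SYN only: half-open
    t.track(B, now=1, established=True)
    t.track(C, now=2, established=True)
    t.track(D, now=3, established=True)   # full: nothing idle, so the half-open A is reclaimed
    t.track(E, now=20, established=True)  # full: B, C, D are all idle > 10 s and expire
    t.track(F, now=21, established=True)
    t.track(G, now=22, established=True)
    t.track(H, now=23, established=True)  # full, nothing idle or half-open: LRU entry E goes
    return t.stats, [k[0] for k in t._conns]
```

Every `track` call succeeds; the cost of a full table is paid by the entry least likely to still matter, which is the property the answer above claims for the appliance.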
What is the default action when power fails or the system is powered down - block or permit all traffic? Is this default action configurable?
As a default, the SNS 7100 Series appliances block if the system power were to fail. This action is configurable, as the SNS can fail open with the use of the In-Line Bypass Unit.

What is the default action when the sensor is unavailable for any length of time (i.e. during policy download or software update) - block or permit all traffic? Is this default action configurable?
As a default, the SNS 7100 Series appliances block if the system were to fail, but this is configurable using the bypass unit. It is important to note that detection processes do not stop when Security Updates are applied.

Will the detection engine block/alert on ALL suspicious activity, or only when an attack is made against a vulnerable server? If so, please explain in detail how this works. Can this behaviour be modified (i.e. to alert on ALL attacks if required)?
The detection engine of the SNS 7100 Series can block and alert on all suspicious activity in order to give the administrator a better overall picture of ALL attempted attacks on their network. This is configurable via protection policy, and additional information such as the severity or confidence of the protection is provided to aid the user in determining whether to alert only or to block.

Are server responses monitored and alerted/blocked? Does this have an impact on performance?
Yes. Symantec Network Security looks at both sides of the session and has detection methods that monitor server responses.

Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?
Yes. SNS includes a flow alert feature that allows users to create rules that can alert upon detection of any connections to a specific IP, IP range, port, etc. With this function, a rule can be created to alert if traffic is detected coming from anywhere and connecting to port 21 of any host on a specific network segment or a specific IP address.

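The flow alert feature just described is a rule match over connection metadata rather than payload. The following is an added example of such a rule engine, not Symantec's code: it accepts a single IP, a CIDR block or a "first-last" range for either endpoint, plus an optional destination port and protocol, and includes the page's own example (any source connecting to port 21 on a segment). Rule names, the sample flows and the documentation address ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed illustration (not Symantec's code) of a flow-alert rule engine of the
# kind described above: each rule constrains source and/or destination address (single
# IP, CIDR block, or "first-last" range), destination port and protocol; a flow that
# satisfies every constraint raises an alert.


def make_ip_matcher(spec: Optional[str]) -> Callable[[str], bool]:
    """Build a predicate from an address spec; None means 'any address'."""
    if spec is None:
        return lambda ip: True
    if "-" in spec:                                  # inclusive range "a.b.c.d-e.f.g.h"
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    net = ipaddress.ip_network(spec, strict=False)   # CIDR block, or a single host (/32)
    return lambda ip: ipaddress.ip_address(ip) in net


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


class FlowAlertRule:
    def __init__(self, name, src=None, dst=None, dport=None, proto=None):
        self.name = name
        self._src_ok = make_ip_matcher(src)
        self._dst_ok = make_ip_matcher(dst)
        self.dport = dport
        self.proto = proto.lower() if proto else None

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and flow.proto.lower() != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return self._src_ok(flow.src) and self._dst_ok(flow.dst)


def evaluate(flows: List[Flow], rules: List[FlowAlertRule]) -> List[Tuple[str, Flow]]:
    """Return (rule name, flow) for every rule/flow pair that matches."""
    return [(rule.name, flow) for flow in flows for rule in rules if rule.matches(flow)]


# The page's example (any source -> port 21 on a segment) plus two constructed rules.
RULES = [
    FlowAlertRule("ftp-to-dmz", dst="192.0.2.0/24", dport=21, proto="tcp"),
    FlowAlertRule("any-to-db-host", dst="198.51.100.7"),
    FlowAlertRule("ssh-from-jump-range", src="10.0.0.1-10.0.0.20", dport=22, proto="tcp"),
]

# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 21, "tcp"),    # matches ftp-to-dmz
    Flow("203.0.113.5", "192.0.2.10", 80, "tcp"),    # wrong port
    Flow("10.0.0.3", "198.51.100.7", 3306, "tcp"),   # matches any-to-db-host (any port)
    Flow("10.0.0.9", "192.0.2.200", 21, "udp"),      # wrong protocol
    Flow("10.0.0.9", "10.0.0.50", 22, "tcp"),        # matches ssh-from-jump-range
    Flow("10.0.0.99", "10.0.0.50", 22, "tcp"),       # source outside the range
]


def sample_alerts():
    """(rule, src, dst, dport) for each alert raised over the sample flows."""
    return [(name, f.src, f.dst, f.dport) for name, f in evaluate(SAMPLE_FLOWS, RULES)]
```

Constraints left as `None` match anything, so the "any source" part of the page's example is simply a rule with no `src` given.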
Detect/block network-level packet based attacks?
Yes.

Detect/block all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
Yes. SNS detects numerous types of port scans and utilizes a separate slow scan engine for stealth scans.

Detect/block SYN floods? Manual or automatic thresholds? Configurable? How is SYN flood protection implemented?
Yes. SNS can detect SYN floods with default thresholds that are configurable to make SNS more or less sensitive. The SNS provides various methods for mitigating SYN floods.

Perform packet/stream reassembly?
Yes. The Symantec Network Security performs fragmentation reassembly.

Perform deobfuscation?
Yes. The Symantec Network Security performs deobfuscation for path normalization (\.\, forward path and backward path), % encoding, %u encoding, case normalization, and Telnet opcode handling.

Is all traffic scrubbed/normalised/reordered as it passes through the sensor?
Yes. The Symantec Network Security provides normalization and reordering as traffic is passed through the sensor: path normalization (\.\, forward path and backward path), % encoding, %u encoding, case normalization, and Telnet opcode handling. Evasion handling methods are simultaneously taken to ensure that normalized traffic does not reduce accuracy of detection.

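The two answers above list the same normalization steps (path normalization, % and %u decoding, case folding); they matter because a signature compared against the raw request misses any encoded variant of the same path. The following is an added illustration of those steps applied to HTTP request paths, not Symantec's code; the signature string, the decode-round bound and the sample paths are constructed.

```python
import re
from urllib.parse import unquote

# Constructed illustration (not Symantec's code) of the normalization steps listed
# above, applied to HTTP request paths: repeated %XX decoding, %uXXXX decoding,
# backslash and dot-segment path canonicalization, and case folding. A signature is
# matched against the canonical form, so encoded variants of the same path are seen
# as one. SIGNATURE_PATH is a constructed sample, not a vendor signature.

SIGNATURE_PATH = "/scripts/cmd.exe"
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
MAX_DECODE_ROUNDS = 8   # bound the loop: nested encodings must not keep the decoder busy forever


def decode_escapes(s: str) -> str:
    """Decode %XX and %uXXXX escapes until the string stops changing (catches double encoding)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), unquote(s))
        if decoded == s:
            break
        s = decoded
    return s


def normalize_path(raw: str) -> str:
    """Canonical form of a request path: decoded, '/'-separated, dot segments resolved, lower case."""
    path = decode_escapes(raw).split("?", 1)[0]   # drop the query string
    path = path.replace("\\", "/")                 # backslash is a separator on Windows targets
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                               # empty (double slash) and '.' segments are no-ops
        if seg == "..":
            if segments:
                segments.pop()                     # '..' at the root stays at the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments).lower()


def naive_match(raw: str) -> bool:
    """Substring match on the raw request, the comparison an evasion is designed to defeat."""
    return SIGNATURE_PATH in raw


def normalized_match(raw: str) -> bool:
    return SIGNATURE_PATH in normalize_path(raw)


# Constructed encoded variants of one request; each defeats a raw substring match.
SAMPLES = [
    "/SCRIPTS/./%63md%2Eexe?x=1",        # case + %XX encoding + '.' segment
    "/scripts/foo/../%u0063md.exe",      # %uXXXX encoding + '..' segment
    "/scripts/%2563md.exe",              # double encoding: %25 -> '%', then %63 -> 'c'
    "/scripts\\cmd.exe",                 # backslash separator
]


def evasion_report():
    """Per sample: (raw substring match, match after normalization)."""
    return [(naive_match(s), normalized_match(s)) for s in SAMPLES]
```

The decode loop is bounded rather than open-ended on purpose: a normalizer that can be made to spin on crafted input is itself a denial-of-service surface on the sensor.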
How is fragmented traffic handled by the sensor?
Symantec Network Security handles IP fragmentation by reassembling the information, which is then sent to the layer 4 decoding engine. The Symantec Network Security has built-in protection against DoS attacks on the sensor itself.

List all prevention features available (alert only, drop packets, block TCP session)
The Symantec Network Security 7100 Series appliances perform session-based blocking of traffic, detecting and dropping malicious packets before they can reach their target host. IPS ports sit inline with network traffic so that packets can be analyzed and dropped before they continue on to their target. The SNS 7100 is configurable to: alert only, drop packet, block session, send TCP reset, send email notification, send SNMP notification, Trackback source of intrusion, record traffic, and custom response.

List any other security features available (bandwidth shaping, rate limiting, etc.)
Traffic Record and Flow Alert Monitoring are available in the SNS 7100 Series, as well.

Packet capture capabilities? Only the trigger packet, or before and after? How are packet captures stored/viewed?
Each alert allows the administrator to view a window that shows a Packet Summary. This shows the entire packet, with the offending portion highlighted. Additionally, this view provides information on the protocol, TCP header flags, TCP header length, IP version, IP header length, IP total length, IP flags, time to live, and packet source and destination.

Do you track and display context data as part of each alert (i.e. for an FTP overflow, do you show which user name/password combination was used to login to the FTP server, etc.)? If so, how much context data is available?
Using Traffic Record for the alert allows the user to see all keystrokes for the attack that is alerted.

Option to record entire sessions for "forensic" investigation? Where is this data stored? How is it secured from tampering?
Traffic Record may be enabled. These sessions are stored as PCAP files and digitally signed to prevent tampering.

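The answer above says recorded sessions are kept as PCAP files and signed so that later edits are detectable. The following is an added illustration of that property, not Symantec's code: it builds a minimal libpcap file in memory, attaches an integrity tag, and shows the tag failing after a one-bit edit. The tag is an HMAC-SHA256 (a keyed MAC, which proves integrity to whoever holds the key) standing in for the digital signature the page mentions, since the standard library has no asymmetric signing; the key and the packet bytes are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed illustration (not Symantec's code) of protecting a recorded session file
# from tampering. It builds a minimal libpcap file in memory and attaches an
# HMAC-SHA256 tag; the HMAC stands in for the digital signature the page mentions
# (a keyed MAC proves integrity to the key holder; a signature would also prove origin
# to third parties). Key and packet bytes are constructed sample values.

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
RECORD_KEY = b"constructed-demo-key-replace-with-an-hsm-backed-secret"


def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame_bytes) tuples into a little-endian pcap file."""
    # global header: magic, major 2, minor 4, thiszone 0, sigfigs 0, snaplen, link type
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def sign_record(data: bytes, key: bytes = RECORD_KEY) -> str:
    """Return the hex tag to store beside the PCAP (e.g. in a sidecar file)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_record(data: bytes, tag: str, key: bytes = RECORD_KEY) -> bool:
    """Constant-time comparison so a forged tag cannot be confirmed byte by byte."""
    return hmac.compare_digest(sign_record(data, key), tag)


# Constructed sample session: two Ethernet frames with placeholder MAC addresses.
SAMPLE_FRAMES = [
    (1_100_000_000, 0,
     b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + b"constructed request"),
    (1_100_000_000, 250,
     b"\x66\x77\x88\x99\xaa\xbb" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"constructed reply"),
]


def tamper_check():
    """Sign a recording, then alter one payload bit; the verifier must reject the edit.
    Returns (verifies_untouched, verifies_after_edit)."""
    pcap = build_pcap(SAMPLE_FRAMES)
    tag = sign_record(pcap)
    edited = bytearray(pcap)
    edited[-1] ^= 0x01            # flip one bit in the last payload byte
    return verify_record(pcap, tag), verify_record(bytes(edited), tag)
```

The tag must be computed over the whole file, headers included; a tag over payload bytes alone would let timestamps or lengths be rewritten without detection.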
Reporting from sensor to console - range of alert response options (detail these, i.e. log, alert, e-mail, pager, packet capture, etc.)
The Symantec Network Security 7100 Series appliance alert options, in addition to logging and blocking, are: email notification, SNMP notification, Trackback, TCP reset, traffic record, export flows and console response. Additionally, custom responses may be created and incorporated to enable an additional level of functionality in the SNS response action.

Can alert response options be set only at a global policy level, only at individual signature level, or to groups of signatures (or a mixture of all three)?
Alert response options can be set at the global policy level, in groups, and by individual signature.

Can alerts be reported to the central console in real time without the use of third party software? How easy is it to filter and extract individual events?
SNS alerts in real time and sends the alerts to the console without any 3rd party software. Events are presented in a correlated display and can then be drilled down on for additional information by simply double clicking on the event or incident.

Can alerts from all sensors be viewed at a single console at the same time (i.e. without having to connect to separate sensors from the console)?
Yes. The SNS Console connects to the master node of an SNS cluster and is used to view event information from all the nodes in the cluster. Display filtering options are available to allow the viewing of events from a specific SNS node of interest.

Can the central console correlate alerts from multiple sensors (i.e. not just display alerts from multiple sensors, but attempt to infer a connection between different alerts on different sensors)? Is this offered as standard or extra-cost option?
Yes. This is a native function and one of the strengths of SNS. In addition to real-time correlation on the nodes, there is also cross-node correlation that is performed using shared event information within an SNS cluster.

Can alerts be correlated manually by the administrator - grouped together in the database as a single event for further investigation?
SNS performs real time event correlation automatically with default values that are configurable. An administrator can assign heavier weights to attributes such as event name, source or destination IPs, and source and destination ports. An administrator can also set the number of unique IPs allowed in an incident.

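The answer above describes correlation as weighted attribute agreement (event name, addresses, ports) with a cap on unique IPs per incident. The following is an added illustration of that scheme, not Symantec's code: an event joins the best-scoring existing incident if the score clears a threshold and the incident's unique-IP cap allows it, and otherwise opens a new incident. The weights, threshold, cap, event names and addresses are all constructed values.

```python
# Constructed illustration (not Symantec's code) of weighted event-to-incident
# correlation as described above: an event joins the incident whose events it most
# resembles, scored by configurable per-attribute weights, provided the incident's
# unique-IP cap is not exceeded; otherwise a new incident is opened. Weights,
# threshold, cap and sample events are all constructed values.

DEFAULT_WEIGHTS = {"name": 3, "src": 2, "dst": 2, "sport": 0, "dport": 1}
DEFAULT_THRESHOLD = 4         # minimum score to join an existing incident
DEFAULT_MAX_UNIQUE_IPS = 4    # small cap so the sample shows it being hit


def similarity(a, b, weights):
    """Sum of the weights of the attributes on which the two events agree."""
    return sum(w for attr, w in weights.items() if a[attr] == b[attr])


class Correlator:
    def __init__(self, weights=None, threshold=DEFAULT_THRESHOLD,
                 max_unique_ips=DEFAULT_MAX_UNIQUE_IPS):
        self.weights = dict(weights or DEFAULT_WEIGHTS)
        self.threshold = threshold
        self.max_unique_ips = max_unique_ips
        self.incidents = []           # each: {"id", "events", "ips"}

    def add(self, event):
        """Attach the event to the best-scoring incident (ties go to the older one); return its id."""
        best, best_score = None, 0
        for inc in self.incidents:
            new_ips = {event["src"], event["dst"]} - inc["ips"]
            if len(inc["ips"]) + len(new_ips) > self.max_unique_ips:
                continue          # joining would push the incident past its unique-IP cap
            score = max(similarity(event, e, self.weights) for e in inc["events"])
            if score >= self.threshold and score > best_score:
                best, best_score = inc, score
        if best is None:
            best = {"id": len(self.incidents) + 1, "events": [], "ips": set()}
            self.incidents.append(best)
        best["events"].append(event)
        best["ips"].update((event["src"], event["dst"]))
        return best["id"]


def ev(name, src, dst, sport, dport):
    return {"name": name, "src": src, "dst": dst, "sport": sport, "dport": dport}


# Constructed sample stream (documentation addresses): one web attack against several
# hosts from several sources, an unrelated SMTP event, and an SSH event that shares
# only its source with the web attack.
SAMPLE_EVENTS = [
    ev("HTTP_CMD_EXE", "203.0.113.5", "192.0.2.10", 40001, 80),
    ev("HTTP_CMD_EXE", "203.0.113.5", "192.0.2.11", 40002, 80),
    ev("SMTP_RELAY_ATTEMPT", "198.51.100.8", "192.0.2.25", 5000, 25),
    ev("HTTP_CMD_EXE", "203.0.113.77", "192.0.2.10", 40003, 80),
    ev("SSH_BRUTE_FORCE", "203.0.113.5", "192.0.2.12", 40004, 22),
    ev("HTTP_CMD_EXE", "203.0.113.200", "192.0.2.13", 40005, 80),  # scores 4 vs incident 1
]


def correlate_sample(max_unique_ips=DEFAULT_MAX_UNIQUE_IPS):
    """Returns the incident id assigned to each sample event, in order."""
    c = Correlator(max_unique_ips=max_unique_ips)
    return [c.add(e) for e in SAMPLE_EVENTS]
```

With the cap at 4, the last event scores enough to join incident 1 (same name and destination port) but would bring two new addresses into an incident that already holds four, so it opens incident 4; raising the cap to 10 lets it join incident 1, which is the trade-off the configurable unique-IP limit controls.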
Can alerts/events
be annotated and tracked for investigation by multiple
administrators/investigators?
Yes. Event annotation is a
capability of the SNS Appliance.
Does the software
offer advice on preventative action to ensure the attack does not happen again?
Yes. The long description of the
event offers information on the attack, possible false positives (if applicable)
and advice and actions on how to prevent the attack in the future.
What
industry standards are supported - Intrusion Detection Exchange Format working
group (IDWG), Intrusion Alert Protocol (IAP), Intrusion Detection Message
Exchange Format (IDMEF), IDXP - and in what way?
The Symantec Network Security 7100
Series appliance
provides interfaces for custom alerting which our customers, SIM and managed
service vendors utilize today. In future releases we may support certain
leading industry standards.
Which
third party event correlation systems are supported and in what way?
The SNS Appliance has its own correlation
capabilities in its analysis framework and provides fully correlated
information. Additionally, the SNS Appliance is compatible with Symantec
Enterprise Security Architecture. This allows integration into broader network
management frameworks such as HP OpenView and IBM Tivoli via SESA relays.
Additionally, this allows integration with industry leading Security Information
Management (SIM) product - Symantec Incident Manager.
Integration with
other scanning/IDS/prevention products?
Several options are available
for integrating Symantec Network Security with other network security products.
SNS SmartAgents enable users to import data from Snort and CiscoIDS directly
into the SNS database, providing real-time viewing and analysis of event data
from multiple IDS sources within a single SNS Console. More extensive data
collection and reporting capabilities for third party security products -
including IDS and vulnerability assessment products - are available through the
Symantec Enterprise Security Architecture (SESA), and Symantec Incident Manager
can provide advanced, user-tunable correlation and analysis of these data
sources.
Log file
maintenance - automatic rotation, archiving, reporting from archived logs, etc.
The Symantec Network Security
appliances are capable of storing up to 80 GB of data locally. Data displayed in
the Console is stored in the active database, and then archived to backup log
files based on the user-configurable log rotation parameter. The default setting
is to rotate data to archive log files every 250 MB, but this parameter can be
increased or decreased based on customer needs. Log files can be securely
archived via SCP, and archived log files can be viewed in text or HTML format.
Management
reporting - range of reports/custom reports/how easy is it to filter and extract
detail? Different reports for technicians and management/end users?
Symantec Network Security
includes a range of reports designed to meet the needs of different levels of
users. “Top N” reports display graph information about the most common events,
attackers, and event categories for security managers, while security analysts
can drill down on each graph report for detailed information about each event.
Reports for events by category, severity, protocol, and several other sort
options enable technical users to view their security events from different
perspectives for improved analysis. Additional IDS and IPS reports are available
within the Symantec Enterprise Security Architecture (SESA) for advanced,
enterprise-view reporting and analysis.
Are
trend/comparison reports available?
Trend reports for different
periods of time (hour, day, and week) are available from the Symantec Network
Security reporting feature.
Does reporting
allow customised filtering down to the level of reporting all activity on a
specific network resource/object by a specific user/machine on a specific date?
Symantec Network Security
reports permit users to drill down from high-level graph information to
event-specific information, including time of event, source and destination IP
addresses, and other detailed information.
Report management
- can they be scheduled for automatic production? Can they be e-mailed to
administrators or published straight to a Web site?
Symantec Network Security’s
reporting feature enables users to schedule reports to be automatically
generated and exported to HTML and text formats. Scheduled reports can be
emailed, saved to file, or transferred to another location via SCP.
List the output
formats supported for reports (HTML, text, PDF, etc)
Reports can be exported to HTML,
PDF, text, and .ps formats.
What are the
limitations and restrictions on enterprise-wide alerting and reporting? Can
reports consolidate output from every 1) server, 2) detector?
Symantec Network Security
reports include data from all nodes and all sensors (detectors) within a
management cluster, providing a comprehensive enterprise view of attack
activity.
Ability to define
custom reports?
Not out of the box. Symantec
provides Symantec Network Security users the ability to create and manage custom
reports via the Symantec Enterprise Security Management System, which includes
SESA (Symantec Enterprise Security Architecture) and Symantec Incident Manager.
Provide brief
description of any management software included in the base price of the
product.
Symantec Network Security 7100
Series appliances are centrally managed via the Symantec™ Network Security
Management Console - a powerful and scalable security management system that
supports large, distributed enterprise deployments and provides comprehensive
configuration and policy management, real-time threat analysis, enterprise
reporting and flexible visualization. For users seeking additional data
consolidation and cross-product reporting and analysis, the multi-tier Symantec
Enterprise Security Architecture is available at no additional charge to
Symantec Network Security customers.
Provide brief
description of any additional management products available as extra cost
options.
Symantec Incident Manager is
available for an additional charge and provides advanced analytics and reporting
for IDS/IPS data, incident creation and tracking, and integration with
third-party trouble-ticketing systems.
Documentation
provided (Hard copies available? Extra cost?)
Each Symantec Network Security
7100 Series appliance includes complete documentation at no additional cost.
Printed documentation includes the Administrator's Guide, Implementation Guide,
and Quick Start card, and PDF versions of all documents are also available.
Numerous other technical documents and white papers on the SNS 7100 are also
available from Symantec.
How is the product
licensed? How is the license enforced?
Symantec Network Security 7100
Series appliances are licensed based on the bandwidth capacity for each node.
For example, the SNS 7160 can be licensed for bandwidths from 250Mbps to 2Gbps,
and licensed bandwidth can easily be increased simply by adding a license for
additional capacity. License enforcement is based on the total licensed capacity
for the node: when the 7-day average bandwidth exceeds the licensed capacity,
the SNS node generates operational events to the Console alerting the user to
the license violation. The frequency of the alerts ranges from once every 24
hours to every 15 minutes, depending upon the amount by which the licensed
bandwidth is exceeded. Once the 7-day average bandwidth returns below the
licensed capacity, the operational alerts cease. At no time when licensed
bandwidth is exceeded does the SNS restrict alerting, traffic bandwidth, or
otherwise restrict its detection or performance.
End user pricing
information for product provided for test (include all sensor, management
server and console costs for both hardware AND software). Include
options/configurations other than those tested - ALL PRICES AS LIST PRICE ONLY!
MSRPs for the tested Symantec
Network Security 7100 Series appliances are shown below.
Model | Bandwidth | MSRP* | Bypass Unit*
SNS 7120 | 100 Mbps | $9,495 | $1,750
SNS 7160 | 1 Gbps | $51,995 | $3,500
* Prices include 1st-year maintenance and Gold Customer Support.
In addition to the tested models and bandwidths shown above, users can purchase the Symantec Network Security appliances in a wide range of bandwidths and prices. The table below shows the pricing and performance ranges available for the SNS 7100 Series appliances.
SNS Model | Ports | Capacity | MSRP*
SNS 7120 | 4 10/100 Base-T | 50 Mbps - 200 Mbps | $7,995 - $14,495
SNS 7160 | 8 10/100/1000 Base-T | 250 Mbps - 2 Gbps | $23,995 - $83,995
SNS 7161 | 4 10/100/1000 Base-T, 4 1000 Base-SX Fiber | 250 Mbps - 2 Gbps | $26,995 - $86,995
* Prices include 1st-year maintenance and Gold Customer Support.
Ongoing cost of
maintenance/updates
Maintenance renewal fees for the
tested Symantec Network Security 7100 Series appliances and optional in-line
bypass unit are shown below. Prices are MSRP.
Model | Bandwidth | SNS Maintenance Renewal | Bypass Unit Maint. Renewal
SNS 7120 | 100 Mbps | $2,183.85 | $175
SNS 7160 | 1 Gbps | $11,958.85 | $350