Symantec Intruder Alert

Brief product description
Intruder Alert is a host-based IDS. It monitors system events (syslog, successful and failed logins, NT/W2K audit trails and events, etc.), performs file integrity monitoring, and monitors arbitrary applications for security events through text-based logs (databases, web servers, etc.).

Architecture
Host-based IDS. Scalable 3-tier architecture: the elements are Agents (perform collection and analysis), Managers (communications hub and database), and Consoles (event monitoring and administration).

At what layer of the protocol stack is the product working?
N/A

Documentation
Hard copy: User's Guide, Installation Guide, Release Notes.
Online Help available within the product.
On the web: User's Guide

What are the minimum/recommended console OS and hardware requirements?
NT 4 with SP3, or SP5+
HPUX 10.20
Solaris 2.5, 2.5.1, 2.6, 7

Is a dedicated machine required/recommended?
No.

Will it work on Windows 2000?
Agents and Managers are currently supported on Windows 2000; Consoles are not.
What are the minimum/recommended agent OS and hardware requirements?
Agents:
Solaris 2.5, 2.5.1, 2.6, 7
HPUX 10.20, 11.0
AIX 4.2, 4.3, and 4.3.1
Windows NT 4 with SP3, or SP5+
Windows 2000
Tru64 (Digital UNIX) 4.0D+
IRIX 6.2, 6.5
NCR UNIX SVR4 3.0
Sequent DYNIX/ptx 4.4.2
NetWare 4.11, 4.2, 5.0, 5.1
RedHat Linux available in December 2000
Managers:
Solaris, HPUX, AIX, NT, Windows 2000 (versions as above)

Is a dedicated machine required/recommended?
Agents: no dedicated machine. Managers: recommended, not required.

Will it work on Windows 2000?
Yes

What components are installed on a detector?
Agents and Managers run as NT services, UNIX daemons, or NetWare NLMs.

Which network types are supported?
Intruder Alert is a host-based IDS and can communicate over any physical network topology that supports TCP/IP.

Any specific recommendations for monitoring Gigabit networks with your product?
N/A

Which OS platforms are actively monitored?
Solaris 2.5, 2.5.1, 2.6, 7
HPUX 10.20, 11.0
AIX 4.2, 4.3, and 4.3.1
Windows NT 4 with SP3, or SP5+
Windows 2000
Tru64 (Digital UNIX) 4.0D+
IRIX 6.2, 6.5
NCR UNIX SVR4 3.0
Sequent DYNIX/ptx 4.4.2
NetWare 4.11, 4.2, 5.0, 5.1
RedHat Linux available in December 2000

Can sensors/detectors be deployed and configured initially from a central console?
Intruder Alert can be remotely deployed using a third-party deployment tool such as Microsoft SMS or Tivoli. Once deployed, the product can be remotely upgraded from a single console without using any third-party products.

Once deployed and configured, can sensors be managed from a central console?
Yes. Up to 1000 agents can be managed from 1 console.
Authentication between console and engines? What algorithm/key lengths?
Yes. User authentication is through username/password pairs. Diffie-Hellman key exchanges (128 bit keys), 400 bit Blowfish encryption on data.

Secure logon for policy management?
Yes.

How are policies distributed to engines?
Drag and Drop from single console.

How are policy changes handled?
Drag and Drop from single console.

Will the central console detect which agents are using a changed policy and redeploy automatically, or does the administrator have to do this manually?
N/A

How many attack signatures?
"400+"

Can the administrator define custom attack signatures?
Yes. Very complex signatures and responses can be defined.

How are new attack signatures obtained and deployed?
Policies can be written/modified by users from a single console; new policies can be downloaded from the Symantec SWAT website.

Frequency of signature updates?
14 new policy sets in the last year

Provide dates of all updates in the last year.
10/5/00 (3 policy sets)
9/22/00 (1 policy set)
8/29/00 (2 policy sets)
8/14/00 (1 policy set)
6/28/00 (1 policy set)
6/26/00 (2 policy sets)
3/23/00 (2 policy sets)
2/18/00 (1 policy set)
1/21/00 (1 policy set)

What infrastructure do you have behind the signature update process?
Signature updates are researched and created by Symantec's dedicated team of security experts, the Information Security SWAT Team.

Can one signature update file be downloaded to the local network and used to update all IDS engines from a central location, or is it necessary to initiate a live connection to the Internet download server for each engine?
One signature file can be downloaded and then distributed to an entire enterprise from a single console.

Can signature updates be scheduled and fully automated?
No.

What network protocols are analysed?
N/A

What application-level protocols are analysed?
N/A

Can the product perform protocol decodes?
N/A

Can the product perform session recording on suspect sessions?
N/A

Block/tear down session?
N/A

Ability to monitor user-defined connections (i.e. report on an FTP connection to a specific server)?
N/A

Monitor changes in critical system files?
Yes. Intruder Alert monitors a short list of files every 30 seconds and a longer list of files every 8 hours (time periods and checksum types are user-definable).

Monitor changes in user-defined files?
Yes. Users can add arbitrary files to the list of critical files provided by Symantec.
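The two answers above describe a tiered integrity check: a short list polled every 30 seconds, a longer list every 8 hours, with the intervals and checksum algorithm chosen by the user, and arbitrary files added to either list. The following is an added example in Python of how such a scheme works; it is not Intruder Alert's FileWatch code. The tier names ("critical", "bulk"), the sample files and the use of a caller-supplied clock are assumptions made for the demonstration.

```python
"""Tiered file-integrity monitor (added illustration, not Intruder Alert's code).

A Tier is one watch list with its own polling interval and hashlib digest.
check_due_tiers() runs only the tiers whose interval has elapsed and reports
files whose checksum changed or that disappeared since the last baseline."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Tier:
    """Files covered, polling interval in seconds, and the digest to use."""
    name: str
    paths: list
    interval: int
    algorithm: str = "sha256"
    baseline: dict = field(default_factory=dict)
    last_checked: float = 0.0


def checksum(path, algorithm):
    """Stream the file through the chosen digest; None if the file is gone."""
    try:
        h = hashlib.new(algorithm)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except (FileNotFoundError, NotADirectoryError):
        return None


def snapshot(tier):
    """Record the current checksum of every file in the tier."""
    tier.baseline = {p: checksum(p, tier.algorithm) for p in tier.paths}


def check_due_tiers(tiers, now):
    """Sweep every tier whose interval has elapsed since its last check.

    Returns a list of (tier name, path, kind) findings. 'now' is passed in
    (seconds) instead of read from the clock so the schedule is reproducible."""
    findings = []
    for tier in tiers:
        if now - tier.last_checked < tier.interval:
            continue
        tier.last_checked = now
        for path, old in tier.baseline.items():
            new = checksum(path, tier.algorithm)
            if new == old:
                continue
            kind = "deleted" if new is None else "modified"
            findings.append((tier.name, path, kind))
            tier.baseline[path] = new  # re-baseline so each change alerts once
    return findings


def demo():
    """Constructed scenario: a 'critical' tier polled every 30 s and a 'bulk'
    tier polled every 8 h. One file in each tier is tampered with; the 30 s
    sweep reports its file immediately, the bulk tier only at its 8 h mark."""
    root = tempfile.mkdtemp()
    crit = os.path.join(root, "passwd")      # constructed sample file
    bulk = os.path.join(root, "httpd.conf")  # constructed sample file
    for p in (crit, bulk):
        with open(p, "w") as f:
            f.write("original contents\n")
    tiers = [Tier("critical", [crit], 30, "sha256"),
             Tier("bulk", [bulk], 8 * 3600, "sha512")]
    for t in tiers:
        snapshot(t)
    for p in (crit, bulk):
        with open(p, "a") as f:
            f.write("# tampered\n")
    first = check_due_tiers(tiers, now=30)         # only the 30 s tier is due
    second = check_due_tiers(tiers, now=8 * 3600)  # the 8 h tier becomes due
    return first, second


if __name__ == "__main__":
    for sweep in demo():
        for name, path, kind in sweep:
            print(f"[{name}] {kind}: {path}")
```

Re-baselining after a finding is the design choice to watch: it keeps a changed file from alerting on every sweep, but it also means a legitimate change must be reviewed when it is first reported, since the next sweep treats the new contents as trusted.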
Monitor changes in Registry?
Yes, using NT Registry Auditing.

Monitor unauthorised access to files?
Yes.

Monitor administrator activity (creation of new users, etc.)?
Yes.

Monitor excessive failed logins?
Yes.

List any other resources/locations that are monitored.
NT Application Log and sublogs, NT Security Log, NT System Logs and sublogs, UNIX syslog, wtmp, btmp, C2 logs, any user-defined text-based logfile (DB logs, web server logs, etc.). NetWare OS call-backs are used to monitor system activity on NetWare.

Track successful logins, monitoring subsequent file activity, etc.?
Intruder Alert can track successful logins. Subsequent file activity can be monitored in a limited fashion via NT file audit messages and/or the Intruder Alert FileWatch utility.

Detect network-level packet based attacks?
N/A

Detect all types of port scans (full connect, SYN stealth, FIN stealth, UDP)?
N/A

Detect and report on nmap OS fingerprinting?
N/A

Perform packet reassembly? Resistance to known IDS evasion techniques?
N/A

Reconfigure firewall? If so, which firewall(s) and how?
N/A

Option to record everything for "forensic" investigation? Where is this data stored? How is it secured from tampering?
All collected data is stored in a database on the manager and can be used for forensic information. It is encrypted and communications are authenticated to prevent spoofing.

Reporting from engine to console - range of action/alert options
There are 14 Actions that can be used to respond to an event:
Record to Database
Send Email
Send Page
Append to Text Log File
Notify User via Pop-up Message
Execute Any Command or Script
Perform a Pre-defined Group of Responses
Kill Process
Disconnect Session
Disable User
Raise Flag (for event correlation)
Lower Flag (for event correlation)
Start Timer (to define time intervals for attacks)
Cancel Timer (to define time intervals for attacks)
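The flag and timer responses at the end of this list are the building blocks for correlating events such as the "excessive failed logins" check answered earlier on the page. The following added example, which is not Intruder Alert's policy language or code, shows that correlation in Python over constructed syslog-style auth lines: a timer bounds the window, a flag is raised when the failure count for one user and source crosses a threshold, and a later successful login for the same pair is escalated and the flag lowered. The log format, the threshold (5 failures in 60 seconds) and the alert names are assumptions.

```python
"""Flag/timer event correlation over syslog-style auth lines.

Added illustration of the Raise Flag / Lower Flag / Start Timer / Cancel Timer
responses and the 'excessive failed logins' check. Example code, not Intruder
Alert's policy language; log format, threshold and alert names are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of a BSD syslog auth facility.
SAMPLE_LOG = """\
Oct  5 10:00:01 host1 login[201]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Oct  5 10:00:04 host1 login[202]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Oct  5 10:00:07 host1 login[203]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Oct  5 10:00:09 host1 login[204]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Oct  5 10:00:11 host1 login[205]: FAILED LOGIN 1 FROM 10.0.0.5 FOR root, Authentication failure
Oct  5 10:00:30 host1 login[206]: LOGIN ON pts/1 BY root FROM 10.0.0.5
Oct  5 11:00:00 host1 login[301]: FAILED LOGIN 1 FROM 10.0.0.9 FOR alice, Authentication failure
Oct  5 11:20:00 host1 login[302]: FAILED LOGIN 1 FROM 10.0.0.9 FOR alice, Authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)")
OK_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\w+) FROM (?P<src>\S+)")


def parse_ts(text, year=2000):
    """Syslog timestamps carry no year; assume one so time arithmetic works."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


class Correlator:
    """Per-(user, source) state: a failure counter, a timer that opens the
    correlation window, and a flag raised once the threshold is crossed."""

    def __init__(self, threshold=5, window_s=60):
        self.threshold = threshold
        self.window_s = window_s
        self.count = defaultdict(int)
        self.timer_start = {}   # key -> datetime the window opened (Start Timer)
        self.flags = set()      # keys with the 'excessive failures' flag raised
        self.alerts = []        # (alert name, key, time) tuples

    def _expire(self, key, now):
        """Cancel Timer: a window older than window_s resets the counter."""
        start = self.timer_start.get(key)
        if start is not None and (now - start).total_seconds() > self.window_s:
            del self.timer_start[key]
            self.count[key] = 0

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m:
            return
        now = parse_ts(m["ts"])
        fail = FAIL_RE.search(m["msg"])
        if fail:
            key = (fail["user"], fail["src"])
            self._expire(key, now)
            if key not in self.timer_start:
                self.timer_start[key] = now          # Start Timer
            self.count[key] += 1
            if self.count[key] >= self.threshold and key not in self.flags:
                self.flags.add(key)                  # Raise Flag
                self.alerts.append(("excessive_failed_logins", key, now))
            return
        ok = OK_RE.search(m["msg"])
        if ok:
            key = (ok["user"], ok["src"])
            if key in self.flags:
                # A success while the flag is up is the combination worth
                # escalating; correlating the two event types is the point.
                self.alerts.append(("success_after_failures", key, now))
                self.flags.discard(key)              # Lower Flag


def run(log=SAMPLE_LOG):
    """Feed every line through one correlator and return the alerts raised."""
    c = Correlator(threshold=5, window_s=60)
    for line in log.splitlines():
        c.feed(line)
    return c.alerts


if __name__ == "__main__":
    for name, (user, src), when in run():
        print(f"{when:%H:%M:%S} {name} user={user} src={src}")
```

On the constructed sample, root from 10.0.0.5 fails five times inside the window and then succeeds, producing both alerts; alice's two failures are 20 minutes apart, so the timer expires between them and no flag is raised. The expiry check runs lazily on the next event for the same key, which is enough for a log replay; a live agent would also need a periodic sweep so idle windows are cancelled without waiting for another event.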
What provision is made for temporary communications interruption between detector and console?
If communications are interrupted, events are locally cached until communications are restored.

Where are alerts stored?
On the agent or manager in question.

Is the repository secure?
Yes, the files are protected via system permissions and are encrypted.

Can alerts be reported to the central console in real time without the use of third party software?
Yes, this is how Intruder Alert normally operates.

How easy is it to filter and extract individual events?
Intruder Alert has powerful querying abilities that can filter on numerous variables.

Does the software offer advice on preventative action to ensure the attack does not happen again?
The on-line documentation (http://www.Symantec.com/customersupport/intruderalert/docs/35/info/policydoc.html) provides a growing body of information on the vulnerabilities and countermeasures, organized by Intruder Alert policy name.

Integration with other scanning/IDS products?
Yes. Intruder Alert can integrate with almost any IDS via SNMP or text-file monitoring.

Log file maintenance - automatic rotation, archiving, reporting from archived logs, etc.
Intruder Alert manages the size of its own copy of syslog. The event database is archivable, and reports can be generated from archived logs.

Management reporting - range of reports/custom reports/how easy is it to filter and extract detail?
Intruder Alert reporting uses its own powerful querying and filtering mechanism coupled with the Crystal Reports runtime engine to generate reports. There are pre-defined report templates that can use custom-defined ranges and filters to generate an infinite variety of reports. Custom report templates can be created as well if the user owns the Crystal Reports Report Designer.

Different reports for technicians and management/end users?
Yes.

Report management - can they be scheduled for automatic production?
No.

Can they be e-mailed to administrators or published straight to a Web site?
No.

What are the limitations and restrictions on enterprise-wide alerting and reporting? Can reports consolidate output from every 1) server, 2) detector?
Alerts can be sent anywhere within an enterprise. Reports are generated at the manager level, and are limited to the 100 agents associated with that manager.

Define custom reports?
Yes.

How is it licensed? How is the license enforced?
Intruder Alert is licensed for each Agent and Manager. Consoles are free. The product enforces licensing through the Console.

End user pricing information
Agents: $995 per server, $395 per workstation
Managers: $1995 each
Consoles: Free

Ongoing cost of maintenance/updates
Basic Maintenance: 15% of purchase price. Includes all product updates and phone support.
Extended Maintenance: 22.5% of purchase price. Includes updates and 7x24 phone support.