Symantec updates focus on intrusion protection

Security company Symantec Corp. issued updated versions of a number of software products on Monday under the banner of a new security framework it calls Symantec Intrusion Protection.

The Cupertino, Calif., company refreshed its ManHunt network intrusion detection system (IDS) product, as well as the Intruder Alert host-based IDS and ManTrap “honeypot” products. Intruder Alert is now known as Symantec Host IDS and ManTrap is branded as Symantec Decoy Server.

The centrepiece of Symantec’s announcements is Symantec ManHunt 3.0, which updates the IDS technology that Symantec purchased from Recourse Technology Inc. in July 2002.

The new version of ManHunt includes a feature that delivers security updates to ManHunt sensors in response to emerging threats. Those updates use information from Symantec’s Security Response research organization to update the ManHunt devices, providing updated vulnerability information, attack signatures and rules to refine event data and spot attacks, according to Sandeep Kumar, director of product management at Symantec.

Previous versions of ManHunt permitted attack signature updates, but not modifications to the sensors, Kumar said.

ManHunt will now run on Red Hat Inc.’s Linux 8 platform, in addition to Sun Microsystems Inc.’s Solaris operating system, he said.

For companies looking for host-based intrusion detection and prevention, Symantec updated its Intruder Alert product, rebranding it as Symantec Host IDS version 4.1.

The new version of the Host IDS product includes improved “process management” features that make it easier to harden applications against attacks, according to Matt Rodgers, senior product manager at Symantec.

For example, for a Web server the process management features would allow administrators to create security policies that enforce a core set of capabilities out of a much larger set of supported capabilities, blocking the server from spawning nonessential processes.

Those policies can be applied to individual hosts or groupings of servers based on operating system, department or other internal designations, Rodgers said.

Symantec also expanded the number of supported platforms for Host IDS. In addition to Sun’s Solaris 8 and 9 operating systems, it now supports Microsoft Corp.’s Windows XP, 2000 and NT 4.0 operating systems.

Recourse’s ManTrap product also got a face-lift, Symantec announced.

The product was relaunched Monday as Symantec Decoy Server 3.1, with a new user interface and look and feel, Kumar said.

The Decoy Server is honeypot technology, which mimics the behaviour of real systems on a company’s network.

Decoy Server mimics actual server behaviour such as e-mail traffic to and from a mail server. When attackers target the honeypot system, the server collects and stores attack data and actions, thwarting actual attacks while giving administrators a clear look at the threat, Symantec said.

Version 3.1 contains a number of improvements over earlier versions of ManTrap, including the ability to spawn multiple decoy environments or “cages” from a single Decoy Server.

By simulating multiple honeypots, Decoy Server increases the odds of catching hackers and makes it easier to obscure an organization’s actual servers, Kumar said.

In addition, version 3.1 adds new attack alerts through pagers or Short Message Service (SMS), improved logging and attack play-back capabilities, and tighter integration with the ManHunt product, Kumar said.

The new software updates are all part of a technology framework Symantec is calling Symantec Intrusion Protection. The idea is to tie the company’s disparate technologies together into a complementary system with a common architecture and management interface, according to Symantec.

The new system encompasses a number of Symantec’s recent technology purchases in the intrusion detection and prevention areas, including the Recourse technology and vulnerability information from its purchase of SecurityFocus in August 2002.

In addition to the ManHunt, Host IDS and Decoy Server products, Symantec is grouping its recently announced Vulnerability Assessment tool and DeepSight Alert services under the Intrusion Protection banner.

Along with its software updates, Symantec revamped its management console, adding centralized license management and signature updates as well as role-based administration, Kumar said.

While the new intrusion protection system has room for improvement, network administrators may well be drawn to the promise of end-to-end protection with a simplified management interface, according to Eric Ogren, a senior analyst at The Yankee Group.

Conventional wisdom has it that companies are drawn to “best of breed” security products rather than all-in-one product suites, he said.

However, the cost of administrative overhead created by multiple, disconnected products may make the individual components of Symantec’s Intrusion Protection framework attractive, even when superior third-party products exist, Ogren said.