IDS mailing list archives

RE: Symantec Manhunt


From: Troy Pressley <Troy_Pressley () advantechsolutions com>
Date: Fri, 5 Dec 2003 14:38:13 -0500

A few other notes to take into account.

- SESA (Symantec Enterprise Security Architecture) needs its own dedicated
server IMHO and the minimum requirements for it are not Small Big Processor
and lots of Memory. SESA is a beast of its own, and has had a few gotchas
in its early inception. (i.e.: Complete reinstall instead of updates with
earlier changes)

- Decoy Server is the ManTrap Product from Recourse, which were also the
original owners of ManHunt.

- HIDS with SESA is not a simple product to deploy. Once you have SESA under
control, setting up the HIDS policies is tedious.

Just my .02 cents.

-T


-------------------------------------------------------------
Troy E. Pressley
Senior Systems Engineer
Advantech Solutions
1410 N. Westshore Blvd.
Suite 600
Tampa, FL 33607
813.207.8654
-------------------------------------------------------------
 

-----Original Message-----
From: Johann van Duyn [mailto:Johann_van_Duyn () bat com] 
Sent: Friday, December 05, 2003 8:54 AM
To: Hernansanz Daniel
Cc: Duston Sickler; focus-ids () securityfocus com
Subject: RE: Symantec Manhunt




Daniel,

Regarding the Symantec product portfolio:

(It can be a bit confusing, but I talk to Symantec fairly often, so I have
an idea as to what their products do. I currently use quite a few of their
products, and have done so in previous jobs, too.)

ManHunt and Decoy Server perform very different functions. ManHunt = NIDS;
Decoy Server = Honeypot. There is actually a difference there. :-)

HIDS is the "new" Intruder Alert... it will eventually completely replace
ITA on all platforms. This gives us 1 H-IDS. :-)

NetRecon is a network-based vulnerability scanner, while Vulnerability
Assessment is an agent-based vulnerability assessor. (VA looks at the
machine from the inside, NetRecon looks at the machine from the outside.)
:-)

(What does get a bit blurry is the difference between ESM and VA, since VA
seems to be little more than ESM from a "vulnerability enumeration" point
of view. If I were a Symantec employee, I would hurt a product manager or
two until they merge ESM and VA.)

NetProwler is no more. ManTrap is now called Decoy Server, just like
Raptor is now called Symantec Enterprise Firewall and PowerVPN is now
called Symantec Enterprise VPN. :-)

Hope this elucidates things a bit.

Cheers

--------------------------------------------------------
J o h a n n   v a n   D u y n, CISSP
IT Risk and Security Manager: British American Tobacco South Africa
Stellenbosch, South Africa
Tel.  +27 (21) 8883765
Cel.  +27 (82) 3248035
Fax.  +27 (21) 8883587
eFax. +1 (509) 2785044
E:mail: johann_van_duyn () bat com
--------------------------------------------------------
"Very funny, Scotty...
 Now beam down my clothes!"

                                        -- Captain Kirk (unconfirmed)




"Hernansanz Daniel" <dhernansanz () alava net>
04-12-2003 11:50


       To:     focus-ids () securityfocus com
       cc:     "Duston Sickler" <dustons () charter net>, (bcc: Johann van Duyn/Stellenbosch/ZA/BATCo)
       Subject:        RE: Symantec Manhunt




The company I work for is looking into Symantec Manhunt IDS.  As part of my
research I was hoping anyone in this list familiar with this product could
give me some of the positives and negatives of this IDS.

IMHO...

Man Hunt positives
==================
 - Hybrid detection: signature analysis + anomaly analysis
 - Centralized admin, with *correlation* capabilities
 - Third party event analysis and correlation (Checkpoint, Snort, ISS, Tripwire...)
 - ManHunt: SW-NIDS (unix platform) and HW-NIDS (iForce appliance)
 - High availability (HA) support
 - Reporting capabilities

Man Hunt negatives
==================
 - Licen$e (ok, cheaper than ISS and Enterasys, but...)
 - Symantec's portfolio is a mess, illogical:
       * 2x N-IDS: ManHunt, Decoy Server
       * 2x H-IDS: Intruder Alert, HostIDS
       * 2x VA: NetRecon, Vulnerability Assessment
       * Old stuff: NetProwler, ManTrap
   How will it be reorganized? Will Symantec continue with ManHunt?



I hope this helps.
