IDS mailing list archives
Re: Symantec Manhunt
From: "Johann van Duyn" <Johann_van_Duyn () bat com>
Date: Wed, 26 Nov 2003 20:05:14 +0200
Using it. Loving it.
Nuff sed?
I have it set up in conjunction with a few Network Critical taps (meaning
that every interface sees only one half of the conversation), which means
that the software's ability to cross-correlate is key to making any sense
of the traffic it sees, and it does that bit really well.
It also correlates events into incidents (giving you a shorter list of
cr-p to sift through when chasing an incident) very well, although
sometimes the correlation logic escapes me a bit. Depending on how much
coffee I have had in the morning, this is not always difficult, though...
Its ability to correlate events and incidents across multiple ManHunt
nodes is impressive.
A MAJOR PLUS is that you can define tons of monitoring interfaces on each
ManHunt box and set them to sniff lots of different segments, and your
license (MH is licensed according to the actual sniffed bandwidth it will
see, NOT per interface) is then aggregated across all the interfaces. This
is much cheaper than having to deploy, e.g., 8 separate sensors of most
other products.
We use Nortel switches, so we cannot make use of MH's ability to "browse"
switches (by spanning switch ports over to its monitoring interfaces one
by one) when it is not otherwise occupied, but its insight into our Cisco
routers is very good, even though Networking sees it as cheeky that an IDS
makes QoS suggestions.
The signatures work very well, and Symantec have been quite quick in
releasing signatures to complement the anomaly detection capabilities of
the product. Both facets of the anomaly detection (protocol anomaly, which
works out of the box, and traffic anomaly, which takes a while to settle
into the environment and then complains about traffic pattern changes)
also work very well in my environment.
One thing I don't like is that it does not currently come out of the box
with the ability to blacklist IPs on firewalls, and if you want to do
that, you need to get the application that reconfigures the firewall and
put it on the ManHunt box, calling it whenever you would want to blacklist
an IP. This may not be something that you would use all the time, but in
times of large breakouts it could come in handy. It integrates into SESA
(Symantec Enterprise Security Architecture) now and one should be able to
make SESA create blacklists on SGS or SEF firewalls (and maybe even FW-1
and PIX, with the necessary Event Managers for Firewalls) based on ManHunt
outputs, but I have not played with that aspect of the product yet.
Depending on how au fait you are with Linux/Solaris, and who will be
supporting the IDS, you may want to push Symantec and ask them when it's
going to be available as an appliance.
Get a demo CD from Symantec and play with it... it's an insane product
that achieves its goals in rather impressive style.
YMMV, but I hope this helps...
--------------------------------------------------------
J o h a n n v a n D u y n, CISSP
IT Risk and Security Manager: British American Tobacco South Africa
Stellenbosch, South Africa
Tel. +27 (21) 8883765
Cel. +27 (82) 3248035
Fax. +27 (21) 8883587
eFax. +1 (509) 2785044
E:mail: johann_van_duyn () bat com
--------------------------------------------------------
"...damage amounts in computer-related crime are
often based on numbers plucked from thin air."
-- Bruce Schneier
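The tap layout described above (each monitoring interface sees only one half of a conversation, so the sensor has to stitch the halves back together) is easy to reason about with a small model. This is an added example, not code from the post or from ManHunt; the packet records, interface names tapA/tapB and the flow-key scheme are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample packets: (interface, src_ip, src_port, dst_ip, dst_port, tcp_flags).
# tapA carries only the client->server half, tapB only the server->client half.
PACKETS = [
    ("tapA", "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    ("tapB", "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    ("tapA", "10.0.0.5", 40001, "192.0.2.10", 80, "A"),
    ("tapA", "10.0.0.5", 40002, "192.0.2.10", 80, "S"),    # SYN whose reply is never seen
    ("tapB", "192.0.2.10", 443, "10.0.0.7", 50000, "SA"),  # reply whose request is never seen
]

def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-independent flow key: sort the two endpoints so that the
    A->B packets from one interface and the B->A packets from the other
    land in the same bucket."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

def merge_flows(packets):
    """Fold per-interface, one-way packets into bidirectional flow records."""
    flows = defaultdict(lambda: {"ifaces": set(), "sent": defaultdict(int), "flags": []})
    for iface, sip, sport, dip, dport, flags in packets:
        rec = flows[flow_key(sip, sport, dip, dport)]
        rec["ifaces"].add(iface)
        rec["sent"][(sip, sport)] += 1      # packets per sending endpoint
        rec["flags"].append(flags)
    return dict(flows)

def bidirectional(rec):
    """True once both endpoints have been seen sending, i.e. both halves of
    the conversation were correlated across the two monitoring interfaces."""
    return len(rec["sent"]) == 2

def one_sided_flows(flows):
    """Flows where only one direction was ever observed.  Judged on a single
    half-duplex tap interface, every answered connection would look like
    this; after merging, what remains is the genuinely unanswered traffic
    (or a lost tap feed worth checking)."""
    return {k: v for k, v in flows.items() if not bidirectional(v)}

if __name__ == "__main__":
    for key, rec in merge_flows(PACKETS).items():
        print(key, sorted(rec["ifaces"]), "bidirectional" if bidirectional(rec) else "one-sided")
```

With the constructed sample, the first connection merges cleanly across tapA and tapB, while the other two stay one-sided and are the ones an analyst would actually want to look at.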