Symantec Strengthens IDS

Framework includes new version of host.

As traditional intrusion detection systems continue to come under criticism for inherent weaknesses, security vendors are introducing products with more advanced intrusion prevention and protection capabilities.

Among them, Symantec Corp. this week plans to unveil a revised Symantec intrusion protection system. One of the main components of the new framework is the companys Host IDS 4.1, which includes a process management feature that can help defeat buffer overrun and Trojan horse attacks.

The new functionality controls which applications and processes can spawn new processes, thereby preventing worms such as Code Red or Slammer from replicating.

This capability is also key to stopping buffer overrun attacks, since spawning a shell is a common result of successful exploitation. The new version of Host IDS also has a reporting function that can audit every process running on a box, down to the subprocess level.

IDSes have come under fire for being ineffective, particularly against unknown attacks. In fact, Gartner Inc., in Stamford, Conn., went so far as to say that traditional IDSes are dead. Still, many experts disagree. "We live in a world of false positives and negatives, and to say thats suddenly going to go away is unrealistic," said Pete Lindstrom, an analyst at Spire Security LLC, in Malvern, Pa. "Its an intoxicating vision, but its also unrealistic. IDS is necessary. You need that audit capability."

Pumped-Up Protection

Host IDS 4.1
  • Process restriction
  • Process reporterManHunt 3.0
  • Custom signature support
  • Traffic record/playbackDecoy Server 3.1
  • Automatic shutdown
  • Traffic record/playback
As part of its rollout, Symantec will also introduce a new version of its ManHunt network IDS and a rebranded and updated version of its Decoy Server, formerly known as ManTrap. ManHunt 3.0 adds several capabilities, including protocol anomaly detection and a traffic record and playback function.

The system models protocol rules and compares them against incoming traffic in real time to identify attacks that may evade signature-based IDSes. The final piece of the new framework is Decoy Server 3.1, an enterprise-class honey-pot server. The new version can silently monitor all activity on the box so that once it has been attacked, the attackers every move is recorded for analysis.

Also rolling out an IDS product is TippingPoint Technologies Inc., with its UnityOne-200 appliance. The new box can handle 200M bps of traffic and performs deep packet inspection, looking at all seven layers of each packet. The Austin, Texas, company has also included a feature that can limit or stop traffic from peer-to-peer applications such as Kazaa and LimeWire.

The UnityOne-200 box, like other TippingPoint appliances, has access to the Attack Filter update service, which provides customers with filters for new and emerging threats as they appear.

All the products are available now.