The intruder at the gate


Contents
Introduction
CyberGuard SG710
Fortinet Fortigate 200A
Juniper IDP 200
SonicWALL 5060
WatchGuard X1000
Tier-3 Huntsman
Specifications
How we tested
Test Analysis
Editor's choice
About RMIT

Tier-3 Huntsman
Tier-3's Huntsman can be used as an IDP solution enhancer: it allows enterprises that already have a capable signature-based IDS/IDP to add an anomaly-based detection and prevention system. As discussed in the IDP review, signature systems rely on databases of known attacks being created and distributed to update the devices that use them. This is well and good if the attack is defined and the signature updated before the attack is launched, but in this age of paranoia about unknown or "zero day" attacks, the signatures and updates may lag slightly behind the actual attacks. This is where anomaly detection systems such as Huntsman's come in. They work by placing agents on the network at key points that simply watch all the traffic flowing by (reporting back to a central repository) and build up an idea of "normal" traffic: flows, size, direction, type, frequency, time of day, and hundreds of other parameters. As soon as something new or different occurs (an anomaly), the system can monitor it, and if it appears too far out of the ordinary an array of policies and rules can swing into action.

Tier-3 has coined the term "Behavioural Anomaly Detection" or BAD for short and Huntsman can not only use it for IDP but also for risk management and policy compliance.

Enterprise security policies can be applied in Huntsman to detect internal abuses of the policies by detecting anomalies in the network traffic such as internal nodes attempting to access information they should not normally access, or copying large slabs of data for no reason.

The "Decider Engine" is the brains behind the system: it is what actually compares the traffic against the learned baseline and, if necessary, sends the result to the "guardian", which can automatically perform tasks such as locking user accounts. All of this data can be captured and used later for forensic investigations.
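To make the baseline/decider/guardian pipeline described above concrete, here is an added, constructed example written for this review; it is not Tier-3 code and does not reflect how Huntsman is implemented. It learns a per-host profile of "normal" (byte volume, hours of activity, destinations) from constructed flow records, scores new flows against that profile, and maps the reasons to a policy action. The host names, destinations, byte counts and the 3-sigma threshold are all assumptions chosen for illustration.

```python
"""Toy behavioural-anomaly baseline (constructed example, not Tier-3 code).

Each flow record is (source_host, hour_of_day, destination, bytes_sent).
We learn what is 'normal' per source host, then score new flows.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed training data: two workstations doing ordinary business-hours
# traffic to internal mail/intranet hosts, 20-34 KB per flow.
BASELINE_FLOWS = [
    (host, hour, dst, base + 500 * (hour - 9))
    for host, base in (("ws-01", 20_000), ("ws-02", 30_000))
    for hour in range(9, 18)
    for dst in ("mail.corp.example", "intranet.corp.example")
]

Z_THRESHOLD = 3.0  # assumed: flag volumes more than 3 sigma above the mean


@dataclass
class Profile:
    """What the agents have observed for one source host."""
    byte_counts: list = field(default_factory=list)
    hours: set = field(default_factory=set)
    destinations: set = field(default_factory=set)


def build_profiles(flows):
    """Learn a Profile per source host from historical flow records."""
    profiles = defaultdict(Profile)
    for src, hour, dst, nbytes in flows:
        p = profiles[src]
        p.byte_counts.append(nbytes)
        p.hours.add(hour)
        p.destinations.add(dst)
    return dict(profiles)


def decide(reasons):
    """'Guardian' policy: map anomaly reasons to an action (assumed policy)."""
    if not reasons:
        return "log"
    if "volume" in reasons or len(reasons) >= 2:
        return "lock_user"
    return "alert"


def score_flow(profiles, flow):
    """'Decider': compare one flow against its host's learned profile.

    Returns (reasons, action) where reasons lists which learned
    parameters the flow deviated from.
    """
    src, hour, dst, nbytes = flow
    p = profiles.get(src)
    if p is None:
        reasons = ["unknown_source"]
        return reasons, decide(reasons)
    mu = mean(p.byte_counts)
    sigma = pstdev(p.byte_counts) or 1.0  # guard zero-variance baselines
    reasons = []
    if (nbytes - mu) / sigma > Z_THRESHOLD:
        reasons.append("volume")
    if hour not in p.hours:
        reasons.append("hour")
    if dst not in p.destinations:
        reasons.append("destination")
    return reasons, decide(reasons)


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_FLOWS)
    # Constructed new flows: one normal, one large off-hours copy to an
    # unseen address, one new internal destination, one unknown host.
    for flow in [
        ("ws-01", 10, "mail.corp.example", 21_000),
        ("ws-01", 3, "203.0.113.9", 900_000_000),
        ("ws-02", 11, "files.corp.example", 31_500),
        ("printer-7", 11, "mail.corp.example", 500),
    ]:
        print(flow, "->", score_flow(profiles, flow))
```

The point of the example is the division of labour the review describes: collection agents only accumulate observations, the decider turns a deviation into named reasons, and the policy layer (not the detector) chooses whether to merely log, alert, or act. A real deployment would key profiles on more dimensions than byte volume and would tune the threshold per population, since a fixed 3-sigma cut on a small baseline will both miss slow exfiltration and fire on legitimate bulk transfers.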

The best explanation of this can actually be found on Tier-3's own Web site: "Huntsman uses Tier-3's next generation hybrid behavioural anomaly detection (BAD) technology to protect intellectual property and sensitive information and instantly alert on any illegal or non-compliant business or IT activity.

"By collecting and centralising audit logs and security information from across the enterprise Huntsman uses standards-based risk management methodologies to enhance the security management process. Huntsman delivers real-time audit information on business activities and permits immediate remediation of any emerging IT risk across the enterprise. Additionally, it protects the enterprise against known and unknown malicious activity on the perimeter, thus, enabling Huntsman to protect the enterprise from external threats as well as monitoring compliance on internal business applications and activities."

Overall, if your job is ensuring that security policies are enforced within your enterprise, it may well be worth your while to have a look at Huntsman from Tier-3.

Product: Huntsman
RRP: N/A
Price range: from AU$50,000
Vendor: Tier-3
Phone: 02 9419 3200
Web: www.tier-3.com
 
Interoperability: Great levels of logging and reporting.
Futureproofing: Centralised logging, remote consoles and separate collection agents, anomaly-based intelligent system.
ROI: Pricey, but could really aid medium to large enterprises with compliance to security policies as well as picking up otherwise undetectable attacks.
Service: Warranty is variable and depends on the solution/extras/options etc.
Rating: ½
