Validated Product - Symantec Manhunt Version 2.11

Certificate Date: 25 November 2003

Validation Report Number:

Product Type: IDS/IPS

Conformance Claim: EAL3

PP Identifiers: None

CC Testing Lab: Computer Sciences Corporation


PRODUCT DESCRIPTION

ManHunt is a network infrastructure security software product that protects the network and systems under its surveillance by monitoring traffic that passes over network components. ManHunt sensors look for nonstandard traffic and analyze discovered anomalies to determine if they represent a threat to components of the network. If the traffic is determined to be potentially threatening, the ManHunt analyzer sends alerts to the ManHunt console or performs predetermined actions.

ManHunt resides on a Solaris 8 platform deployed on dedicated hardware that is collocated with the network switches and other devices carrying the traffic to be monitored. The ManHunt Smart Agent (MSA) enables ManHunt to accept event data in real time from external sensors, such as ManTrap, as well as from third-party sensors. The MSA event coordinator receives the event data and sends it to the analysis framework for aggregation and correlation with all other ManHunt events. The analysis framework aggregates event data on possible attacks from all event sources. The analysis framework also performs statistical correlation analysis on events to identify event patterns that vary significantly from usual network activity and to identify individual events that are typically attack-related, such as a port scan followed closely by an intrusion attempt.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which ManHunt was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Computer Sciences Corporation determined that the evaluation assurance level (EAL) for the product is EAL 3. The product, as configured and installed according to supplied guidance, satisfies all of the security functional requirements stated in the Security Target. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Computer Sciences Corporation. The evaluation was completed in November 2003. Results of the evaluation can be found in the Evaluation Technical Report for a Target of Evaluation for ManHunt Version 2.11 prepared by Computer Sciences Corporation.

ENVIRONMENTAL STRENGTHS

The TOE provides the following security features:

Secure Communication – The TOE uses QSP proxy, a proprietary protocol that enables secure, encrypted communication between the master node and the administration console, and between ManHunt nodes within the same cluster. From the administration console, the ManHunt system administrator can perform tasks such as configuring the system, editing the topology and policy databases, monitoring attack incidents in progress, and generating reports. Changes to the configuration, topology or policy databases can be made to a master ManHunt node, which subsequently pushes the updates to the other ManHunt nodes in the cluster.

Security Management – ManHunt recognizes two types of administrative roles: Console Administrator (available from Administration Console) and User (also available from Administration Console). The Console Administrator can make changes to the topology tree, response policies, and configuration parameters, and can mark incidents and add incident annotations from the administrative console. The User's privileges are limited to viewing incident data, marking incidents and adding incident annotations.

Vendor Information


Symantec Corporation
Sandeep Kumar
650.381.8121
sandeep_kumar@symantec.com

http://www.symantec.com