
Symantec releases decoy based intrusion detection system

Announcement posted by Symantec (Consumer) 02 Jul 2003

A component of Symantec intrusion protection, Symantec Decoy Server 3.1 provides early detection and prioritisation of threats
Symantec, the world leader in Internet security, today announced the release of Symantec Decoy Server, a "honeypot" intrusion detection system (IDS) that detects, contains and monitors unauthorised access and system misuse as it happens. As a complement to host- and network-based IDS, Symantec Decoy Server diverts attacks from key resources while also providing early detection of internal and external attacks.
"Honeypots supplement security solutions such as firewalls and other intrusion detection systems, providing advanced decoy technology and early detection sensors. In addition to the forensic elements, honeypots can be used as a tool for reducing false positives," said Charles Kolodgy, research director for Security Products at International Data Corporation (IDC). "Symantec has a competitive advantage with Symantec Decoy Server, offering all the elements required for comprehensive protection against intrusions."
"Symantec's honeypot approach is the only real enterprise decoy solution available today, providing a layer of protection from internal, external and unknown attacks," said John Donovan, Symantec's Managing Director for Australia and New Zealand. "Symantec Decoy Server is not a real system, so all traffic directed towards it is likely to be suspicious. By focusing on legitimate attacks, system administrators can respond much more effectively allowing them to focus on legitimate attacks."
Symantec Decoy Server provides early detection of threats and enables attack diversion and confinement by actually becoming the target of the attack. The decoy sensor acts like a fully functioning server, and can simulate email traffic between users in the organisation to mirror the appearance of a live mail server. When attacks are directed at the decoy sensor, Symantec Decoy Server delivers comprehensive attack detection through a system of data collection modules. Every action is recorded for analysis, allowing administrators to prioritise and understand the threat and respond appropriately.
Since the decoy server is not a real system, all traffic directed towards Symantec Decoy Server is likely suspicious and should be considered a prelude to an attack. This helps eliminate the nuisance of false negatives and positives, allowing system administrators to focus on legitimate attacks and respond much more effectively.
Symantec Decoy Server is not signature-based, so it automatically detects unknown attacks without any need for security signature updates or dynamic policy configurations. It also detects both host- and network-based attacks, unauthorised use of passwords and server access for increased network protection.
Once a decoy server has been attacked, it covertly monitors the activities of an attacker in real-time using Session Replay, a live session analysis tool. Sessions may be recorded and played back for further analysis to help organisations understand the tools and tactics used against them.
"Symantec Decoy Server is an excellent technology for not only detecting unauthorised activity, but for capturing detailed information on the attacker, their tools and their identity," said Lance Spitzner, founder of the Honeynet Project and author of Honeypots: Tracking Hackers. "As a honeypot solution, Symantec Decoy Server has capabilities few other technologies can match."
Symantec Decoy Server is a key component of Symantec Intrusion Protection, which offers the flexibility to implement the appropriate technology to anticipate, detect, prevent, and mitigate attacks from internal and external intruders. Symantec Intrusion Protection consists of products and services that evolve with an organisation to meet its changing security needs as the business grows. Elements of Symantec Intrusion Protection may include network- and host-based intrusion detection and prevention, integrated appliances, early warning services, and analysis and mitigation services. Unlike point-product security vendors that provide only a single element of this strategy, Symantec offers all of these elements for comprehensive intrusion protection.
Availability
Symantec Decoy Server is available through Symantec's worldwide network of value-added authorised resellers, distributors and systems integrators. Organisations can be connected with Symantec's resellers and distributors in their areas by visiting the Symantec Solution Provider locator at http://www.symantec.com.au/region/au_nz/partners/.
About Symantec
Symantec Corp. (Nasdaq: SYMC), the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to individuals, enterprises and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and e-mail filtering, remote management technologies and security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit www.symantec.com.au
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Centre at http://www.symantec.com.au/region/au_nz/PressCentre/ on Symantec's Web site. Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.