23
Architecture
About the core architecture
define, manage, and apply user-defined signatures from the Network Security
console.
Monitoring traffic rate
Symantec Network Security detects malicious flow and traffic shape, provides
multi-gigabit traffic monitoring, and maintains 100% of its detection capability
on a fully saturated gigabit network.
Symantec Network Security performs passive traffic monitoring on its detection
interfaces. It uses this data to perform both aggregate traffic analysis and
individual packet inspection. Individual packets are inspected and traffic is
analyzed per interface. It also uses Netflow data that is locally collected, or
forwarded from a remote device, to augment its traffic analysis.
Symantec Network Security's aggregate analysis detects both denial-of-service
and distributed denial-of-service attacks. These attacks are recognized as
unusual spikes in traffic volume. Using the same data, Symantec Network
Security can also recommend proper remediation of the problem.
Beyond attack detection, Symantec Network Security uses traffic analysis to
detect many information-gathering probes. It detects not only the common
probing methods, but also many stealth modes that slip through firewalls and
other defenses. For example, many firewalls reject attempts to send SYN
packets, yet allow FIN packets. This results in a common port scan method.
Symantec Network Security recognizes this anomaly and triggers an alert.
About DoS detection
Symantec Network Security provides passive traffic monitoring on its detection
interfaces that allows it to detect a variety of DoS attacks such as flooding,
resource reservation, and malformed traffic. Symantec Network Security also
detects a variety of reconnaissance efforts, such as various forms of stealth
scans.
About external EDP
The Event Dispatch Protocol (EDP) provides a generalized framework for
sending events to software and appliance nodes for correlation, investigation,
analysis, and response. Using EDP, Symantec Network Security can collect
security data not only from its own sensors, but also from arbitrary third-party
sources such as firewalls, IDS sensors, and host-based IDS devices. The process
of integrating a third-party sensor generally involves three steps: collection,
conversion, and transmission. First, Symantec Network Security collects the
data from the third-party sensor in its usual collection format, such as flat text
files, SNMP, and source APIs. Then Symantec Network Security converts the
Summary of Contents for 10268947 - Network Security 7160
Page 1: ...Symantec Network Security User Guide...
Page 18: ...18 Introduction Finding information...
Page 34: ...34 Architecture About management and detection architecture...
Page 46: ...46 Getting Started About deploying node clusters...
Page 64: ...64 Topology Database Viewing objects in the topology tree...
Page 124: ...124 Log Files About log files...
Page 134: ...134 Index...