63
Getting started
Deploying single nodes
You can configure a policy for an in-line pair that alerts on or blocks malicious
traffic. When a malicious packet is detected in alerting mode, the appliance
software executes the configured responses, which may be email, Network
Security console displays, or other choices available on both appliances and
Network Security software nodes. Blocking mode prevents malicious traffic of
the designated event types from being transmitted into your protected network.
When a blocked TCP/IP event is detected, the node sends TCP resets to both
interfaces in the pair. For a blocked UDP event, the appliance drops the packet
and marks the flow as dropped.
For policies configured with both blocking and alerting, you can run Network
Security with blocking disabled until you are sure the policy is correct. If you
decide that the configured event types should be blocked, you can change the
policy to enable blocking with a single mouse-click in the Network Security
console.
About fail-open
Fail-open is an option when using in-line mode and is the default for passive
mode. Fail-open means that if the appliance has a hardware failure, network
traffic will continue. Since the Symantec Network Security 7100 Series
appliance is directly in the network path while deployed using in-line mode,
fail-open capability requires the purchase and installation of a separate device.
The Symantec Network Security In-line Bypass unit has been custom designed
to provide fail-open capability for the Symantec Network Security 7100 Series.
The bypass unit is available in two models, which accommodate two or four
in-line interface pairs respectively. Fail-open is available for all copper gigabit
or Fast Ethernet interfaces on the appliance. It is not an option for fiber
interfaces at this time. The In-line Bypass unit is only necessary for fail-open
when appliance interfaces are configured for in-line mode. All interfaces
configured in passive mode are fail-open by default.
Configuring single-node parameters
Symantec Network Security provides configurable parameters to customize
your network intrusion detection system from multiple levels. These
parameters fall into the following three categories:
■
Node parameters
: Apply to individual nodes, either within a cluster or set
up as peers.
For more information about node parameters, see
“Configuring node
parameters”
on page 310.
■
Cluster parameter
: Applies to all nodes within a cluster.
Summary of Contents for 10521146 - Network Security 7120
Page 1: ...Symantec Network Security Administration Guide...
Page 12: ...12 Contents Index...
Page 14: ...14...
Page 70: ...70...
Page 110: ...110 Populating the topology database Adding nodes and objects...
Page 158: ...158 Responding Managing flow alert rules...
Page 188: ...188...
Page 242: ...242 Reporting Playing recorded traffic...
Page 268: ...268 Managing log files Exporting data...
Page 316: ...316 Advanced configuration Configuring advanced parameters...
Page 318: ...318...
Page 338: ...338 SQL reference Using MySQL tables...
Page 366: ...366 Glossary...
Page 392: ...392 Index...