Symantec 10268947 - Network Security 7160 Скачать руководство пользователя страница 91 | Manualshive

Страница: 91 / 134

Symantec 10268947 - Network Security 7160 Скачать руководство пользователя страница 91

Chapter

8

Incidents and Events

This chapter includes the following topics:

■

About incidents and events

■

Monitoring incidents

■

Monitoring events

■

Managing the incident/event data

About incidents and events

The Network Security console provides a central point from which you can
monitor all attack activity in any network location defined in the topology tree.
The Network Security console displays detailed information about incidents and
events, which are the elements of a possible attack.

In the Network Security console

,

the Incidents tab displays both active and idle

incidents and events taking place in the monitored network, and can be drilled
down for multiple detail levels. Incidents to which no new events have been
added for a given amount of time are considered idle, so Symantec Network
Security closes them. The condition of the incident can be viewed in the State
column of the Incidents table. The incident idle time is a configurable
parameter.

An incident is a set of events that are related. An event is a significant security
occurrence that appears to exploit a vulnerability of the system or application.
When a sensor detects a suspicious event, it sends the data to be analyzed. The
analysis process correlates the event with similar or related events, and
categorizes them in the form of an incident. The incident is named after the
event with the highest priority, and reported in the form of incidents that are
displayed in the Network Security console.

«
...
89
90
91
92
93
...
»

Содержание 10268947 - Network Security 7160

Страница 1: ...Symantec Network Security User Guide...

Страница 2: ...nd Symantec Security Response are trademarks of Symantec Corporation Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies an...

Страница 3: ...signatures that ensure the highest level of protection Global support from Symantec Security Response experts which is available 24 hours a day 7 days a week worldwide in a variety of languages Advan...

Страница 4: ...mer Service online go to www symantec com select the appropriate Global Site for your country then choose Service and Support Customer Service is available to assist with the following types of issues...

Страница 5: ...analysis 24 About response 25 About management and detection architecture 26 About the Network Security console 26 About the node architecture 28 About the 7100 Series appliance node 31 Chapter 3 Get...

Страница 6: ...of event types 68 Adjusting the view by searching 68 Adjusting the view by columns 69 Viewing logging and blocking rule details 70 Viewing event detailed descriptions 70 Viewing policy automatic upda...

Страница 7: ...About Symantec signatures 88 About user defined signatures 88 Viewing signatures 89 About signature variables 89 About refinement rules 89 Chapter 8 Incidents and Events About incidents and events 91...

Страница 8: ...per Network Security device 115 Drill down only reports 116 About querying flows 117 Viewing current flows 117 Viewing exported flows 119 Chapter 10 Log Files About the log files 121 About the instal...

Страница 9: ...on This section includes the following topics About the Symantec Network Security 7100 Series About other Symantec Network Security features About the Symantec Network Security 7100 Series Symantec Ne...

Страница 10: ...ent reliability and profile of protected resources and common or individualized policies can be applied per sensor for both in line and passive monitoring Interface Grouping 7100 Series appliance user...

Страница 11: ...tem that supports large distributed enterprise deployments and provides comprehensive configuration and policy management real time threat analysis enterprise reporting and flexible visualization The...

Страница 12: ...evant information providing threat awareness without data overload Symantec Network Security gathers intelligence across the enterprise using cross node analysis to quickly spot trends and identify re...

Страница 13: ...eries appliance nodes and from other network devices to trace attacks to the source Cost effective Scalable Deployment A single Network Security software node or 7100 Series appliance node can monitor...

Страница 14: ...software and Symantec Network Security 7100 Series appliances in the documentation sets on the product CDs and on the Symantec Web sites This section includes the following topics About 7100 Series ap...

Страница 15: ...re Symantec Network Security 7100 Series Readme on CD This document provides the late breaking information about the Symantec Network Security 7100 Series including limitations workarounds and trouble...

Страница 16: ...site To view the Knowledge Base 1 Open the following URL http www symantec com techsupp enterprise select_product_kb html 2 Click Intrusion Detection Symantec Network Security 4 0 About the Hardware...

Страница 17: ...rity intrusion detection system Chapter 4 Topology Database Describes network topology mapping and the kind of information visible in the topology database Chapter 5 Protection policies Describes Syma...

Страница 18: ...18 Introduction Finding information...

Страница 19: ...rity 7100 Series appliance employ a common core architecture that provides detection analysis storage and response functionality Most procedures in this section apply to both the 7100 Series appliance...

Страница 20: ...ches can miss new attacks protocol anomaly detection can miss attacks that are not considered anomalies traffic anomaly detection misses single shot or low volume attacks and behavioral anomaly detect...

Страница 21: ...tion PAD is a form of anomaly detection PAD detects threats by noting deviations from expected activity rather than known forms of misuse Anomaly detection looks for expected or acceptable traffic and...

Страница 22: ...iteral string of characters found in one packet or it may be a known sequence of packets that are seen together In any case every packet is compared against the pattern Matches trigger an alert while...

Страница 23: ...y the common probing methods but also many stealth modes that slip through firewalls and other defenses For example many firewalls reject attempts to send SYN packets yet allow FIN packets This result...

Страница 24: ...generic anomalies against a database of refinement rules and for known attacks reclassifies an anomaly event by retagging it with its specific name About correlation Symantec Network Security uses eve...

Страница 25: ...t response Protection policies and response rules are collections of rules configured to detect specific events and to take specific actions in response to them Protection policies can take action at...

Страница 26: ...unctionality such as incident review logging and reporting The detection component is available as a Network Security software node or a Symantec Network Security 7100 Series appliance node Both are b...

Страница 27: ...t role based administration The Network Security console provides a simple yet powerful interface that is useful for all levels of administration from the Network Operation Center NOC operator who wat...

Страница 28: ...he attacks and initiate responses appropriate to specific attack circumstances The following diagram illustrates how Symantec Network Security s arsenal of tools work together to provide protection Fi...

Страница 29: ...master node and between software and appliance nodes within a cluster are properly authenticated and encrypted In addition this service enforces role base administration and thus prevents any circumve...

Страница 30: ...events event flood invasions by intelligently processing them in multiple event queues based on key criteria In this way if multiple identical events bombard the network the ESP treats the flood of ev...

Страница 31: ...om third party hosts and network IDS products in real time Smart Agents collect event data from external sensors such as Symantec Decoy Server as well as from third party sensors log files SNMP and so...

Страница 32: ...aces into one logical interface with a single sensor allows state to be maintained during the session making it possible to detect attacks About response on the 7100 Series An important new 7100 Serie...

Страница 33: ...mode over operating in passive mode is that you can enable blocking with a single mouse click from the Network Security console You don t need to halt network traffic while changing cabling and confi...

Страница 34: ...34 Architecture About management and detection architecture...

Страница 35: ...including accessing the management interfaces Network Security console serial console and LCD panel accessing nodes and sensors and establishing user permissions and access It also describes most ofte...

Страница 36: ...database files load Symantec Network Security caches the files after that first load and makes subsequent launches faster Launching the Network Security console All users can launch the Network Securi...

Страница 37: ...view of the network topology the network traffic and the detection and response functionality The Devices tab provides a hierarchical tree view of the network topology with a detailed summary of each...

Страница 38: ...twork has failed To view node status See the Node Status Indicator for the software or appliance node A red X or Node Status Indicator signifies that Network Security processes or network connectivity...

Страница 39: ...e four groups from the Network Security console Each group includes a predefined set of permissions and access that cannot be modified Note The four user groups are unique to the Network Security cons...

Страница 40: ...odes can be deployed singly or clustered Single node deployment A peer relationship between one or more individual single nodes viewed from one or more independent Network Security consoles Cluster de...

Страница 41: ...ecurity can be deployed using one or more single Network Security software nodes Each node functions independently as the master node in a cluster of one Managing a single node is simpler than managin...

Страница 42: ...r is started for the interface group allowing Symantec Network Security to analyze the different traffic flows as if they were combined on one interface This is a very effective deployment mode for a...

Страница 43: ...to provide fail open capability for the Symantec Network Security 7100 Series The bypass unit is available in two models which accommodate two or four in line interface pairs respectively Fail open i...

Страница 44: ...for only a subset of software or appliance nodes This increases performance as well because it reduces the number of incidents that a single Network Security console must load When subdivided by monit...

Страница 45: ...OK to view incidents from the selected monitoring group Note Always assign at least one node to each monitoring group If you create groups without assigning nodes to them you can miss events even thou...

Страница 46: ...46 Getting Started About deploying node clusters...

Страница 47: ...s information about connections to autonomous systems or other segments within a distributed network Note Both StandardUsers and RestrictedUsers can view the topology tree displayed on the Devices tab...

Страница 48: ...lowing types of objects to represent the elements of your network and security system Locations Objects that represent physical or logical groups of one or more network segments The installation proce...

Страница 49: ...es Monitoring interfaces Objects that represent dedicated ports that mirror incoming or outgoing traffic on a software or appliance node In line pairs Objects that represent pairs of interfaces on a 7...

Страница 50: ...IP address of the selected device or the management IP address for a device with multiple IP addresses Node Number Displays the node number assigned to the software or appliance node between 1 and 120...

Страница 51: ...some cases you can add more of them to the topology tree For example the installation process creates an object for one location in the topology tree called Enterprise by default Users can add more lo...

Страница 52: ...ftware installed on designated computers Under Enterprise the location object created automatically during the installation process SuperUsers can add an object to the topology tree to represent each...

Страница 53: ...address if the node is positioned behind a NAT device Node Number Indicates the unique node number Monitoring Group Indicates the monitoring group the node is assigned to if any Failover Group Indica...

Страница 54: ...ring interface and click Edit to view detailed information 2 In Edit Monitoring Interfaces click the Interface tab The following list describes the interface fields 3 In Edit Monitoring Interfaces cli...

Страница 55: ...ote Both StandardUsers and RestrictedUsers can view software or appliance nodes but cannot add edit or delete them To view 7100 Series nodes 1 On the Devices tab do one of the following Click an exist...

Страница 56: ...nd a NAT router Netmask Indicates which part of the node s IP address applies to the network Required field Default Router Indicates the IP address of the router that sends network traffic to and from...

Страница 57: ...e tab The following list describes the interface fields 3 In Edit Monitoring Interfaces click the Networks tab to view the networks that this interface monitors 4 Click Cancel to close the view Viewin...

Страница 58: ...o view an in line pair 1 On the Devices tab do one of the following Click an existing in line pair to view summary information in the right pane Right click an existing in line pair and click Edit to...

Страница 59: ...router objects The Network Security console provides a way to view routers To view a router object 1 On the Devices tab do one of the following Click an existing router object to view summary informat...

Страница 60: ...pand the security umbrella and enhance the threat detection value of existing security assets by aggregating third party intrusion events into Symantec Network Security which leverages its correlation...

Страница 61: ...On the Devices tab do one of the following Click an existing Smart Agent interface to view summary information in the right pane Right click an existing Smart Agent interface and click Edit to view de...

Страница 62: ...ces and interfaces reside When a new interface object is created Network Security adds a new object for the network segment in which the interface resides if that segment has not already been represen...

Страница 63: ...ot Found message appears Click OK 3 In Select the Symantec Decoy Server Console Directory navigate to the directory containing mtadmin jar and click Open This file is typically located in Program File...

Страница 64: ...64 Topology Database Viewing objects in the topology tree...

Страница 65: ...and profile of protected resources Common or individualized policies can be applied per sensor for both in line and passive monitoring The Symantec Network Security software and the Symantec Network...

Страница 66: ...ctivated by setting them to interfaces and applying them You can also define your own policies and activate them using the same procedures On the Protection Policies tab you can view all available pro...

Страница 67: ...ew protection policies that you define yourself Adjusting the view by searching Full Event List tab The Full Event List displays all event types that the selected policy can detect Even after you defi...

Страница 68: ...iew on a manageable subset of possible event types with specific characteristics The policy still detects and acts on the full list of event types but you have a shorter list to sift through as you de...

Страница 69: ...exit Note Remember that the policy still contains the full list of event types This search has provided a shorter more manageable subset to view Note Both StandardUsers and RestrictedUsers can adjust...

Страница 70: ...ers cannot Viewing event detailed descriptions Symantec Network Security provides detailed descriptions of the event types in each policy through a browser display To view individual protection polici...

Страница 71: ...f notes were taken about a particular policy then when you hover the cursor over that policy in the policy list the note appears as a tool tip To view a policy annotation In the Policies tab hover the...

Страница 72: ...o event types but cannot add edit or delete them Annotating event instances The Network Security console provides a field in which to make notes about a specific instance of an event This provides ass...

Страница 73: ...attacks without requiring a separate response rule for each of hundreds of individual base events SuperUsers and Administrators can create separate response rules specific to an individual event type...

Страница 74: ...and the Network Security console Symantec Network Security generates responses based on multiple criteria such as event targets attack types or categories event sources and severity or confidence leve...

Страница 75: ...view the following response parameters Event Target Event Type Severity Confidence Event Source Response Action Next Action 4 Click the Response Actions column of a response rule to see all possible r...

Страница 76: ...Severity to indicate the severity level Click Confidence to indicate the confidence level Click Intent to indicate the intent 4 After selecting search criteria click Search Events About response param...

Страница 77: ...number and frequency of packets received Severity of other events in the same incident Symantec Network Security correlates severity levels from all events in the same incident By using these variable...

Страница 78: ...N ID About response actions The Network Security console provides a way to apply the response rule to take a specific action when triggered using Response Action The Response parameter determines the...

Страница 79: ...e rule such as from Rule 5 to Rule 8 The Stop value directs Symantec Network Security to discontinue searching for matching response rules About response actions Configurable response parameters indic...

Страница 80: ...face for notification thus enabling the Network Security console to successfully send email notification even during an attack About SNMP notification Symantec Network Security can initiate an SNMP no...

Страница 81: ...d response action begins recording traffic when triggered It continues to record based on the number of minutes and the number of packets specified in the response configuration Traffic recording stop...

Страница 82: ...fic console response actions 1 In the Network Security console click Configuration Response Rules 2 In Response Rules click Configuration Console Response Configuration 3 In Local Console Configuratio...

Страница 83: ...tions such as TrackBack and notifies you about illegal flows Symantec Network Security uses FlowChaser to store the data in coordination with TrackBack which traces a DoS attack or network flow back t...

Страница 84: ...and 3 and proceed directly to Step 4 2 In Traffic Playback Configuration you can adjust the view as follows To adjust your view of Recorded Events click Column To remove events you do not want to view...

Страница 85: ...res IP traffic rate monitoring IDS evasion detection and IP fragment reassembly The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core arch...

Страница 86: ...reclassifies an anomaly event by retagging it with its specific name New refinement rules are available as part of SecurityUpdates on a periodic basis Each software or appliance node downloads the re...

Страница 87: ...gs can be added to run services on non standard ports or to ignore ports on which you normally run non standard protocols to mitigate common violations of protocol from being falsely reported as event...

Страница 88: ...t detection without the weaknesses of either PAD alone or signatures alone Symantec Network Security s high performance is maintained by matching against the smallest set of signatures as is possible...

Страница 89: ...ature variables On the Policies tab click the Signature Variables tab to see available variables to use when defining signatures About signature variables Symantec Network Security provides signature...

Страница 90: ...ods About refinement rules New refinement rules are available as part of SecurityUpdates on a periodic basis Each software or appliance node downloads the refinement rules from LiveUpdate and stores t...

Страница 91: ...be drilled down for multiple detail levels Incidents to which no new events have been added for a given amount of time are considered idle so Symantec Network Security closes them The condition of th...

Страница 92: ...optional user defined ID Customer IDs for in line pairs and interface groups reflect the 7100 Series appliance nodes to which they belong Model Displays the model number of a 7100 Series appliance ei...

Страница 93: ...ther the sensor is running on the Network Security interface to the monitored interface Bit rate Displays the average number of megabits per second Mbps monitored on the interface This calculation is...

Страница 94: ...a multi level view of both incidents and events Incidents are groups of multiple related base events Base events are the representation of individual occurrences either suspicious or operational The...

Страница 95: ...and lists the author of the annotation You can sort multiple annotations for an event by time stamp in ascending or descending order To annotate an incident or event 1 On the Incidents tab double clic...

Страница 96: ...wing incident data The Incidents tab contains an upper and lower pane Incidents and Events at Selected Incident In the upper pane information about each incident is displayed This information is taken...

Страница 97: ...destination is made up of multiple addresses then the Network Security console displays multiple IPs and you can view the list of addresses by double clicking the event to see Event Details Event Cou...

Страница 98: ...ick Filters 2 Click Hide Closed Incidents to show only active incidents in the cluster 3 In Incident Class do one of the following Click Hide All Operational to show only those incidents classified as...

Страница 99: ...ack composed of multiple related events When the sensor detects a suspicious event it correlates the event to an incident containing related events Event types are group names for one or more base eve...

Страница 100: ...ted Incident can display the following information Time Indicates the date and time when Symantec Network Security first detected and logged the event Event Type Indicates the event category of the de...

Страница 101: ...100 events per incident 4 Click Apply to save and exit Confidence Indicates the confidence level assigned to the event An event s confidence is a measure of the level of certainty that it is actually...

Страница 102: ...expires to ensure that the log files continue to be signed and the iButton can continue to perform its authentication and data hashing functions See the Symantec Network Security Installation Guide fo...

Страница 103: ...Symantec Network Security Email Alert Failed An error occurred while sending an email alert from Symantec Network Security SNMP Alert Successful but Truncated An SNMP trap was successfully sent by Sym...

Страница 104: ...curity console You can display the options by double clicking an incident row and choosing from the menu items on the Incident Details or by right clicking an incident row and choosing from the menu i...

Страница 105: ...to the incident by the Analysis Framework The priority level is a function of the severity and reliability levels Severity The severity level Network Security assigned to the incident An incident s s...

Страница 106: ...ons Click Page Setup to layout the page before printing or previewing Click Print Preview to preview the page before printing 4 Click Print to send the incident data to a printer Configuring Network S...

Страница 107: ...ck Send 5 Select a path by doing one of the following Click Email Through Browser to select a browser path and store it in Local Preferences for future reference Click Email Through Mail Client to sel...

Страница 108: ...108 Incidents and Events Managing the incident event data 3 Open the desired email or file and paste the incident data from the clipboard to the email content...

Страница 109: ...nd protocols exploited during the specified time period With any account you can view and print reports and save them in multiple formats You can generate reports that appear in table format and sort...

Страница 110: ...eports are generated in one or more formats depending on the type of report Possible formats include tables bar charts column charts and pie charts The report generator makes most reports available in...

Страница 111: ...ons do not necessarily map to the top event types You must specify the report start and end date time and number of unique addresses to display For example you could generate a report on the top 10 ad...

Страница 112: ...curity generates this report in table and column chart formats You can generate several drill down reports for each day listed in the Incidents Per Day report Incidents per hour This report displays t...

Страница 113: ...ted in the report then no events were detected during that day Symantec Network Security generates this report in table and column chart formats You can generate several drill down reports for each da...

Страница 114: ...ormats This report has no drill down reports Destinations of source This report lists the destination IP address es for any event source IP address you specify and the number of times each address was...

Страница 115: ...ts the user login times IP addresses from which the user logged in and the type of user that logged in either a SuperUser with full read write privileges or one of the other user login accounts with l...

Страница 116: ...Event list For the incident you select data is displayed within the Incident List report Events details The Event Details report displays the data within any Event List report Sources of event The Sou...

Страница 117: ...plays the results in a table If more results are available click Next Results to proceed Viewing current flows View Current Flows enables you to search against all of the collected flows by FlowChaser...

Страница 118: ...ither a source IP or a destination IP by entering data in the following fields Source or Destination IP Numeric IP address Prefix Len Mask of the IP address in integers between 1 and 32 Port Valid por...

Страница 119: ...specific source and destination IPs To make this more focused query enter data in the following fields Source IP Numeric IP address Port Valid port number 4 In Match Source or Destination you can dis...

Страница 120: ...120 Reports and Queries About querying flows Note StandardUsers can query the FlowChaser database for current or exported flow data RestrictedUsers cannot...

Страница 121: ...s section apply to both the 7100 Series appliance and the Symantec Network Security 4 0 software The 7100 Series appliance also provides additional functionality that is unique to an appliance Each se...

Страница 122: ...tion About log files Symantec Network Security provides log and database management from the Network Security console described in the following sections Viewing log files Viewing live log files Note...

Страница 123: ...ne of the following Click a log file to select it Click Refresh Table to get the latest logs 4 In Actions click View Live Log 5 In Live Log scroll to read all lines on the log 6 Click Close to exit No...

Страница 124: ...124 Log Files About log files...

Страница 125: ...about blocking 32 about detection 32 about in line mode 32 about interface groups 32 about LCD panel 38 about nodes 52 about passive mode 32 about response 32 about serial console 39 about the 7100 S...

Страница 126: ...es 70 viewing objects 50 detection about 85 about 7100 Series appliances 32 about architecture 20 about denial of service 23 about protocol anomaly detection 85 about refinement rules 86 about signatu...

Страница 127: ...ayed 97 100 definition 99 destination report 116 detail reports 116 email notifying 80 filtering 98 101 filtering tables 98 101 list reports 116 modifying the view 38 modifying the view of types 38 ne...

Страница 128: ...porting per hour 112 reporting per month 112 selecting columns 100 viewing from monitoring groups 44 in line about 10 32 42 about bypass unit 11 33 about deployment 40 about fail open 33 sensor proces...

Страница 129: ...tory 115 Network Security console about 26 accessing 36 changing font size 38 choosing view 37 38 expanding or collapsing view 37 launching from Windows 36 login 36 node status indicator 38 viewing 37...

Страница 130: ...details 70 port mapping about 87 ports flow reports by destination 117 flow reports by source 117 mapping 87 viewing mappings 87 viewing port mappings 87 portscan top event type 111 primary default ma...

Страница 131: ...rces 78 setting event targets 76 setting event types 77 setting next actions 79 setting response actions 78 SNMP notification 80 TCP reset 81 TrackBack 80 viewing 75 responses about 25 about automated...

Страница 132: ...chitecture 29 about detection 20 about response 25 about software features 11 about the 7100 Series 9 about the core architecture 19 about the node architecture 28 accessing patch site 16 accessing th...

Страница 133: ...sponse rules 75 expanding and collapsing the view 37 flow alert rules 83 in line pairs 58 interface groups 57 live logs 123 log files 123 logs 122 monitoring groups 44 monitoring interfaces on applian...

Страница 134: ...134 Index...

Отзывы:

Нет отзывов