
Detecting

Configuring sensor detection

TCP Flow Max Queued Segments

TCP Flow Max Queued Segments regulates the number of out-of-order TCP segments that the sensor can hold in queue for a single TCP flow while it waits for the missing data. If the number of out-of-order segments queued for a flow exceeds this maximum, the sensor discards the flow. A large number of out-of-order segments in a flow usually signifies a problem: either something wrong on the network, or a denial-of-service attack.

The default is set to 64 for optimum performance and sensitivity, and does not need to be changed under most circumstances. The minimum value is 1. If you see an operational event indicating too many out-of-order TCP segments, you can eliminate the message by increasing this value, at the cost of greater memory consumption per flow. Decreasing this value reduces detection sensitivity, because flows are discarded (and no longer inspected) after fewer out-of-order segments. Consider changing it only if you have a thorough understanding of its functionality.

TCP Global Max Queued Segments (Fast Ethernet)

TCP Global Max Queued Segments (Fast Ethernet) regulates the number of out-of-order TCP segments that can remain in queue globally, across all flows on the sensor. If the total number of out-of-order segments exceeds the value of this parameter, the Fast Ethernet sensor reclaims the space by replacing old TCP flows and their queued segments with the new out-of-order segments.

The default is set to 65,535 for optimum performance and sensitivity, and does 
not need to be changed under most circumstances. The minimum value is 4,096. 
Although a high number of out-of-order segments is rare, if this is usual for your 
network, you can increase this value to compensate. If you see an operational 
event indicating too many out-of-order TCP segments, you can eliminate the 
message by increasing this value, at the cost of greater memory consumption. 
Consider changing it only if you have a thorough understanding of its 
functionality.

TCP Global Max Queued Segments (Gigabit)

TCP Global Max Queued Segments (Gigabit) regulates the number of out-of-order TCP segments that can remain in queue globally, across all flows on the sensor. If the total number of out-of-order segments exceeds the value of this parameter, the gigabit sensor reclaims the space by replacing old TCP flows and their queued segments with the new out-of-order segments.

The default for TCP Global Max Queued Segments (Gigabit) is set to 131,072 for optimum performance and sensitivity, and does not need to be changed under most circumstances. The minimum value is 4,096. Although a high number of out-of-order segments is rare, if this is usual for your network, you can increase this value to compensate. If you see an operational event indicating too many

Symantec Network Security Administration Guide

Страница 148: ...ick OK to save and exit Note If you create a custom response action it will be enabled on all software and appliance nodes defined in your topology Be sure to include the custom application binary in...

Страница 149: ...a comma delimited list of destination IP addresses and ports in the following format IP address port Some attacks such as syn floods may have multiple destinations D Device name for example hub4 F Fl...

Страница 150: ...lumn of a rule 3 In Configure Response Action click TCP Reset 4 Provide the following information Maximum number of TCP resets Enter the number of TCP resets per incident of this response Delay betwee...

Страница 151: ...lumn of a rule 3 In Configure Response Action click Traffic Record 4 Provide the following information Maximum packets to record Enter the maximum number of packets per incident of this response Maxim...

Страница 152: ...the Network Security console click Configuration Response Rules 2 In Response Rules click the Response Action column of a rule 3 In Configure Response Action click Console Response 4 Provide the foll...

Страница 153: ...ng export flow response action The export flow response action exports matching flows stored in the flow data store The action is based on the characteristics of the triggering events which are specif...

Страница 154: ...e Rules click OK to save and exit For related information see the following topics See Playing recorded traffic on page 240 See Exporting data on page 254 See About incident and event data on page 189...

Страница 155: ...figure flow alert rules to allow acceptable corporate traffic flow Set the Permit and Alert rules to specify explicitly what to permit across each interface and to alert on everything else To add a fl...

Страница 156: ...the rule applied and click OK 6 In Flow Alert Rule select the following information from the pull down lists and click Add Source IP address mask and port Destination IP address mask and port See Prov...

Страница 157: ...entered as 172 27 101 1 would require a 32 bit mask Using the permit rule type When selecting a Rule Type of Permit apply a method similar to that used in router access lists The following example il...

Страница 158: ...158 Responding Managing flow alert rules...

Страница 159: ...tection and IP fragment reassembly The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection analysis sto...

Страница 160: ...wnloads the refinement rules from LiveUpdate and stores them individually Configuring sensor detection Symantec Network Security provides an array of sensor parameters that are preset for optimum perf...

Страница 161: ...of the parameter 5 Click Apply 6 In Apply Changes To select the interface or device objects that you want to apply the parameter to 7 Click OK to save the changes to this sensor and close See Advanced...

Страница 162: ...ill quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert This section describes the following sensor detection parameters Enable Flow Statistics Collectio...

Страница 163: ...hat enables the sensor to collect information about network flows The default value is false If your system has performance issues leaving Enable Flow Statistics Collection turned off can provide a mi...

Страница 164: ...c Network Security uses statistical methods to detect flood attacks by examining the types of traffic across the wire and the changes in traffic over periods of time For example if the system suddenly...

Страница 165: ...the same port across multiple hosts which can indicate sweep activity The sensor also detects attempts to connect to the same host on multiple ports which can indicate scan activity If the number of...

Страница 166: ...relatively quiet links Adjust this parameter as necessary until it just barely alerts such as once a day under normal conditions for your environment You can increase the threshold if you expect UDP t...

Страница 167: ...as once a day under normal conditions for your environment A high rate of alerting can slow performance so you can increase the Threshold if you want to tolerate a high percentage of Other traffic in...

Страница 168: ...ber of them have detected packets in only one direction Checksum validation parameters The following parameters enable or disable the ability to validate checksums for a variety of traffic types Enabl...

Страница 169: ...unit generates a checksum and transmits it with the unit The sensor generates a second checksum and compares them Matching checksums confirm that the sensor received the complete transmission By defa...

Страница 170: ...and attacks The sensors check for a variety of flood based denial of service attacks such as ICMP floods UDP floods IP fragmentation floods fragmentation services floods and IP Other floods The defau...

Страница 171: ...ed TCP flows that the sensor sends to analysis during the time period set by Streak Interval If it detects an alarming number of them it sends the packets to streak analysis which inspects the sample...

Страница 172: ...omewhat UDP Number of Streak Packets UDP Number of Streak Packets regulates how many UDP packets to analyze The sensor collects all unacknowledged packets in a given streak interval analyzes them for...

Страница 173: ...number of packets detected even if the sensor detects very little activity In this way it prevents the streak analysis functionality from being too quiet The default is set to 10 for optimum performan...

Страница 174: ...the TCP flow table by controlling the number of simultaneous flows that the fast Ethernet sensor handles It has a direct impact on memory consumption The default is set to 32 768 for optimum performan...

Страница 175: ...um performance and sensitivity and does not need to be changed under most circumstances Valid values range from 32 768 32K to 1 048 576 1M inclusive If you receive an operational log message indicatin...

Страница 176: ...ace by replacing old TCP flows and queued segments with new out of order segments The default is set to 65 535 for optimum performance and sensitivity and does not need to be changed under most circum...

Страница 177: ...onditions for your environment In this way you will quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert TCP Default Window Size TCP Default Window Size r...

Страница 178: ...nsole provides a way to add port mappings for any supported protocol or edit existing mappings To add or edit port mappings 1 In the Network Security console click Configuration Node Port Mapping 2 In...

Страница 179: ...ection includes the following topics About Symantec signatures About user defined signatures Managing signatures About Symantec signatures Symantec Network Security uses network pattern matching or si...

Страница 180: ...e additional user defined signatures on a per sensor basis as well as global signature variables such as creating the variable name port to stand for a value of 2600 User defined signatures are synchr...

Страница 181: ...riables On the Policies tab click the Signature Variables tab to see available variables to use when defining signatures Adding or editing user defined signatures The Network Security console provides...

Страница 182: ...ent bound from the pull down list In Encoding enter the information from the pull down list and click Next 6 In User defined Signature or Edit User defined Signature click Add and do one of the follow...

Страница 183: ...and long descriptions of any events that were triggered in the past by the now deleted signature will not have recognizable names Importing user defined signatures The Network Security console provide...

Страница 184: ...ll signatures both the default Symantec signatures and any user defined signatures that you add To add new signature variables 1 On the Policies tab click Signature Variables New 2 In Variable Name en...

Страница 185: ...select a signature variable and click Delete To apply this change to the database see Applying signatures variables on page 185 Resetting signatures variables Symantec Network Security provides an ea...

Страница 186: ...ity provides an easy way to revert any changes to signature variables if you act before saving To revert changes to signature variables 1 On the Policies tab click Signature Variables 2 In Signature V...

Страница 187: ...ntec Network Security system to monitor your network interpret incidents and events generate reports and run queries maintain logs and databases and fine tune your system using advanced configuration...

Страница 188: ...188...

Страница 189: ...nitored network and can be drilled down for multiple detail levels Incidents to which no new events have been added for a given amount of time are considered idle so Symantec Network Security closes t...

Страница 190: ...about the related events Devices tab Displays the topology tree When you select an object in the topology tree the Network Security console displays related information in the right pane including a...

Страница 191: ...nt The values may change if an event of higher priority is added to the same incident To view incident data In the Network Security console click the Incidents tab All users can modify the view by adj...

Страница 192: ...ident and event tables See User groups reference on page 319 for more about permissions Sorting column data All users can sort the incident data by clicking on the column heading The toggle sorts the...

Страница 193: ...upper and lower pane Incidents and Events at Selected Incident In the upper pane information about each incident is displayed This information is taken from the highest priority event within that inc...

Страница 194: ...t an incident can cause Confidence level Indicates the confidence level assigned to the incident The confidence value indicates the level of certainty that a particular incident is actually an attack...

Страница 195: ...t 3 In Incident Details click Top Event to view the highest priority event correlated to that incident Event Details of the top event can display any or all of the following information Event name Ind...

Страница 196: ...d Note SuperUsers and Administrators can drill down to view cross node events See User groups reference on page 319 for more about permissions Examining event data This section includes the following...

Страница 197: ...in the lower pane To view event data 1 In the Incidents tab click an incident row 2 Related events are displayed in the lower Events at Selected Incident pane Note All users can view top level event...

Страница 198: ...l assigned to the incident The confidence value indicates the level of certainty that a particular incident is actually an attack If the incident is merely suspicious then its assigned confidence leve...

Страница 199: ...iption Note SuperUsers can view advanced event details and packet contents Administrators StandardUsers and RestrictedUsers cannot See User groups reference on page 319 for more about permissions Abou...

Страница 200: ...o displayed when Symantec Network Security is restarted Network Security SuperUser Login Symantec Network Security displays this event whenever a SuperUser logs into the Network Security console Netwo...

Страница 201: ...this event whenever a software or appliance node with failover enabled becomes the active node Note All users can view operational events at the top level See User groups reference on page 319 for mor...

Страница 202: ...The Incidents tab can display the following incident data Last Mod Time Indicates the date and time when Symantec Network Security last modified the incident record Name Indicates the user group of th...

Страница 203: ...ne of the following Click Select All to select all columns Click the individual columns you want to view 3 Click OK to save and close Device Name Indicates the name of the device where the incident wa...

Страница 204: ...the list of addresses by double clicking the event to see Event Details Severity Indicates the severity level assigned to the event An event s severity is a measure of the potential damage that it can...

Страница 205: ...software or appliance node By default incidents from all nodes are displayed Note When you apply incident view filters they apply only to the incidents not to the events correlated to the incidents F...

Страница 206: ...cidents from all the software or appliance nodes within the topology excluding standby nodes Click Include Backup Nodes to preserve incidents during a failover scenario 7 In Incident Hours do one of t...

Страница 207: ...ts as read and adding notes about them See Marking incidents as read on page 207 See Annotating incident data on page 208 See Customizing annotation templates on page 208 Marking incidents as read All...

Страница 208: ...incident and event data See User groups reference on page 319 for more about permissions Customizing annotation templates The Network Security console provides an informational template to make Analy...

Страница 209: ...he Incidents tab 2 Right click an incident row and click Save 3 Choose a file format from the following Click Save as PDF Click Save as HTML Click Save as PS 4 Enter the desired filename and click Sav...

Страница 210: ...ent Details click To Clipboard 4 Paste this event data into a document or email Note SuperUsers and Administrators can copy data from an incident s top event See User groups reference on page 319 for...

Страница 211: ...on page 319 for more about permissions Emailing incident or event data The Network Security console provides a way to configure Symantec Network Security to export incident or event data via email Co...

Страница 212: ...an email in plain text format Make sure to configure email first 4 To edit the email before sending it do one of the following Click Compose in HTML Format to send an email in HTML format Click Compo...

Страница 213: ...ave been added for a given amount of time SuperUsers and Administrators can define the period of time that an incident remains idle before Symantec Network Security discontinues monitoring it by editi...

Страница 214: ...Node choose the node from the pull down list and click OK 3 In the left pane click Maximum Incidents 4 In the lower right pane enter the number of incidents 5 Click Apply 6 In Apply Changes To select...

Страница 215: ...tly similar enough to be included but causing the incident to expand to a vague definition This parameter gives you a way to maintain a tight and focused incident definition To configure this paramete...

Страница 216: ...vent Correlation Source IP Weight Event Correlation Source IP Weight determines the weight of the event name as a factor in event correlation The default value is set to 4 for optimum performance in a...

Страница 217: ...eight values is equal to or greater than 10 If the sum is less than 10 no events will be correlated Caution Before making changes we recommend that you consult our support team at http www symantec co...

Страница 218: ...pply 6 In Apply Changes To select the node to which to apply the parameter 7 Click OK to save the changes to this node and close Event Correlation Destination Port Weight Event Correlation Destination...

Страница 219: ...from third party sensors You can optimize this by enabling FlowChaser a flow data store that provides data source for Symantec Network Security to analyze and correlate FlowChaser receives information...

Страница 220: ...wChaser Maximum Flows Per Device FlowChaser Maximum Flows Per Device limits the volume of flow data exported from the routers by setting a maximum number of flow entries stored per device in the FlowC...

Страница 221: ...hich to apply the parameter 7 Click OK to save the changes to this node and close Note Restart Symantec Network Security for changes to this parameter to take effect Setting FlowChaser Router Flow Col...

Страница 222: ...f 1 The default value is 2 To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Select Node choose the node from the pull down list and click OK 3 In the left pane c...

Страница 223: ...on the types of events and incidents that occurred and protocols exploited during the specified time period With any account you can view and print reports and save them in multiple formats You can ge...

Страница 224: ...Reports in text and HTML format This section includes the following Adding or editing report schedules Refreshing the list of reports Deleting report schedules Managing scheduled reports Note SuperUse...

Страница 225: ...ame Enter a name for the report Report Format Choose plain text or HTML from the pull down list Day to run Choose the day of the week from the pull down list Hour to run Choose the hour from the pull...

Страница 226: ...n list and click OK 3 In Manage Saved Scheduled Reports select a scheduled report 4 Click Actions Delete and click OK Managing scheduled reports Symantec Network Security provides an efficient way to...

Страница 227: ...omatic reports to another secure location using SCP To export saved reports 1 In the Network Security console do one of the following Click Reports Schedule Reports Click Admin Node Manage Report File...

Страница 228: ...drill down reports that provide a more focused level of detail By supplying report parameters you can choose the report type The types of reports that Symantec Network Security generates are described...

Страница 229: ...rts or even from within other drill down reports For example from the Events Per Month report you can drill down to an Events Per Day report and from there to an Events Per Hour report but all of thes...

Страница 230: ...g and saving reports With any account you can save any Network Security console report as a PDF PS or HTML file Select the report format then simply go to the File menu in the Report window and select...

Страница 231: ...o not necessarily map to the top event types You must specify the report start and end date time and number of unique addresses to display For example you could generate a report on the top 10 address...

Страница 232: ...y generates this report in table and column chart formats You can generate several drill down reports for each day listed in the Incidents Per Day report Incidents per hour This report displays the to...

Страница 233: ...n the report then no events were detected during that day Symantec Network Security generates this report in table and column chart formats You can generate several drill down reports for each day lis...

Страница 234: ...s This report has no drill down reports Destinations of source This report lists the destination IP address es for any event source IP address you specify and the number of times each address was the...

Страница 235: ...work Security login history This report lists the user login times IP addresses from which the user logged in and the type of user that logged in either a SuperUser with full read write privileges or...

Страница 236: ...list For the incident you select data is displayed within the Incident List report Events details The Event Details report displays the data within any Event List report Sources of event The Sources...

Страница 237: ...records for each query which prevents overloading memory and displays the results in a table If more results are available click Next Results to proceed This section includes the following Viewing cu...

Страница 238: ...ce or Destination This will make a broader query on either a source IP or a destination IP 3 In Match Source and Destination you can display flows that pertain only to specific source IPs and destinat...

Страница 239: ...you to view the Flow Statistics of any particular event To view flow statistics 1 In the Incidents tab right click an incident 2 Click View Incident Details 3 In Incident Details right click the Top...

Страница 240: ...heading of any column This sort however applies only to the page currently displayed which may be only a portion of the entire report At the top of the display a prompt indicates how many flows are c...

Страница 241: ...d 3 and proceed directly to Step 4 2 In Traffic Playback Configuration you can adjust the view as follows To adjust your view of Recorded Events click Column To remove events you do not want to view c...

Страница 242: ...242 Reporting Playing recorded traffic...

Страница 243: ...lity Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4 0 software The 7100 Series appliance also provides additional functionality that is uni...

Страница 244: ...tion Note If you reset the system clock backward on a software or appliance node you must rotate the log database If you do not the incident list displayed in the Network Security console may not upda...

Страница 245: ...enter a page number Click Next Page to progress forward Click Previous Page to progress backward 6 Click Close to exit Note All users can view log files See User groups reference on page 319 for more...

Страница 246: ...nistrators can archive log files StandardUsers and RestrictedUsers cannot See User groups reference on page 319 for more about permissions Copying log files The Network Security console now provides a...

Страница 247: ...list and click OK 3 In Log Files click a log file to select it 4 In Actions click Delete 5 Click Yes Note SuperUsers and Administrators can delete log files StandardUsers and RestrictedUsers cannot Se...

Страница 248: ...ging Level controls the amount of information written to the operational log file The default value is set to level 5 Values range from 0 to 10 inclusive To configure this parameter 1 Click Configurat...

Страница 249: ...ing by editing the Size to Trigger Rotation parameter Alternatively you can configure Symantec Network Security to perform time based log archiving In either case you must configure the Compression On...

Страница 250: ...r 7 Click OK to save the changes to this node and close Note If you set this value at too large a number with compression enabled it may put excess strain on the node when the logs eventually archive...

Страница 251: ...the traffic record directory If traffic record files take more disk space than indicated by this value then files are removed starting with the oldest to satisfy the limit The default value is 5 GB an...

Страница 252: ...e logs YYMMDDHHMMSS tar bz2 format If compression is disabled then when the operational log is archived it is renamed using the manhunt YYMMDDHHMMSS format In that case the incident and event logs are...

Страница 253: ...ompression may require large amounts of memory and CPU usage Note For how to verify log files manually see About the Knowledge Base on page 22 Setting Compression Command Compression Command indicates...

Страница 254: ...nother host for long term storage Export to file if you want the log in a format that is readable by other programs or applications Other methods of export use the Symantec format This section include...

Страница 255: ...an install the Bridge to both software and appliance nodes by running the Bridge installation script located in the usr SNS install sesabridge directory The SESA Bridge enables you to send events form...

Страница 256: ...SA Agent to be passed on to a SESA Manager Note that you must have a local SESA Agent installed and configured for the SESA Bridge to function The default value is false on 7100 Series appliances On N...

Страница 257: ...the Knowledge Base on page 22 This section includes the following export parameters Setting Cluster ID Setting JDBC Driver Setting DB Connection String Setting DB User Setting DB Password SQL referenc...

Страница 258: ...left pane under SQL Export Parameters click this parameter to display it 4 In the lower right pane enter the JDBC Driver using one of the following classpath formats 5 Click Apply 6 In Apply Changes T...

Страница 259: ...this node and close Note Restart Symantec Network Security for changes to this parameter to take effect Setting DB User DB User indicates the user name that Symantec Network Security uses to authenti...

Страница 260: ...s 2 In Select Node choose the node from the pull down list and click OK 3 In the left pane under Log Database Parameters click this parameter to display it 4 In the lower right pane enter a password 5...

Страница 261: ...Symantec Network Security can export event data to syslog Data remains in the proprietary format Syslog is always considered remote even if located on the same host This section includes the following...

Страница 262: ...re A value of 0 disables Echo Operational Log to Syslog To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Select Node choose the node from the pull down list and...

Страница 263: ...nt RAM exists on the system for this parameter It may take up to 10 minutes for changes to this parameter to take effect Setting Remote Syslog Destination Port Remote Syslog Destination Port indicates...

Страница 264: ...o configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Select Node choose the node from the pull down list and click OK 3 In the left pane under Log Database Parameters...

Страница 265: ...which rotates logs on the original node SCP transfer does not impact performance The default value is false To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Sele...

Страница 266: ...t for SCP User Account for SCP indicates the user name that log and database files are transferred to via SCP To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Se...

Страница 267: ...ocal bin scp directory Set the value for this parameter if the SCP binary is in an alternative location Note You do not need to set Location of SCP Binary for 7100 Series nodes because the location of...

Страница 268: ...268 Managing log files Exporting data...

Страница 269: ...ilover systems and backing up and restoring The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection ana...

Страница 270: ...on capabilities to the product such as event data refinement rules and encrypted signatures SecurityUpdates are cumulative Each update includes the data from the updates before it Some SecurityUpdates...

Страница 271: ...In the left pane select the nodes to receive updates 3 On the LiveUpdate tab click Scan For Updates Note SuperUsers and Administrators can view LiveUpdate using the Network Security console StandardU...

Страница 272: ...lish a LiveUpdate server To set the LiveUpdate server 1 In the Network Security console click Admin LiveUpdate 2 On the LiveUpdate tab click Set LiveUpdate Server 3 In LiveUpdate Server Configuration...

Страница 273: ...ovide the following information In Check for Update Every select Week Day or Hour from the pull down list In Day To Run select the day of the week from the pull down list In Hour To Run select a time...

Страница 274: ...schedule 3 On the Schedule LiveUpdate tab click Revert to undo your changes Backing up LiveUpdate configurations The Network Security console provides a way to customize Symantec Network Security to...

Страница 275: ...subsequent nodes act as slave nodes Superusers can change the status by setting a new node as the cluster master SuperUsers can also assign a standby node to provide high availability for either a sla...

Page 276: ...cluster master node using the Network Security console Note To deploy a 7100 Series node as a slave the master node must be either a Symantec Network Security 4 0 node or another 7100 Series node To s...

Page 277: ...rm the initial configuration of the appliance and when you install Symantec Network Security software on a designated computer See the following for additional related information See Adding or editin...

Page 278: ...shed cluster This section describes the following day to day tasks of managing an established cluster Licensing nodes in a cluster Synchronizing clustered nodes Changing node numbers Changing node pas...

Page 279: ...of protection policies that you apply to slave nodes If the master node fails or is demoted by setting a new cluster master the link is broken between applied policies and their definitions Slave nod...

Page 280: ...ing nodes and objects on page 83 5 Assign a new node number See Node number on page 77 Note SuperUsers can change node numbers Administrators StandardUsers and RestrictedUsers cannot See User groups r...

Page 281: ...ference on page 319 for more about permissions Setting a cluster wide parameter Symantec Network Security provides one cluster parameter called QSP Port Number to ensure communication between all node...

Page 282: ...n backup data from one node and exchange between nodes in the cluster to a certain degree See Backing up and restoring on page 297 Note SuperUsers can back up node configurations Administrators Standa...

Page 283: ...data from external sensors and correlate that data with all other Network Security events Symantec Network Security performs some internal Smart Agent configuration for integrating Symantec Decoy Ser...

Page 284: ...export flows TrackBack email and SNMP notification responses on events received via Smart Agents This section includes the following Smart Agent parameter Setting EDP Port Number Setting EDP Port Num...

Page 285: ...the Symantec Decoy Server console by simply right clicking any external sensor object in the topology tree and selecting Start Decoy Console Note that the Symantec Decoy Server console remains open ev...

Page 286: ...editing Smart Agent objects on page 105 3 Apply Symantec Network Security response policy rules to the Symantec Decoy Server events See Setting response actions on page 141 Note SuperUsers can integr...

Page 287: ...missions Establishing high availability failover Symantec Network Security provides a number of ways to recover from network communication or process failures The Availability Monitor keeps track of e...

Page 288: ...nds and to generate an availability drop event if the host fails to respond 8 times in a row slightly longer than a minute Note SuperUsers can monitor availability Administrators StandardUsers and Res...

Page 289: ...the node from the pull down list and click OK 3 In the left pane click Watchdog Process Restart Only 4 In the lower right corner of the Configuration Parameters pane do one of the following Click True...

Page 290: ...tolerant feature occurs automatically and transparently and ensures that Symantec Network Security remains continuously available Do not confuse high availability failover with load balancing in whic...

Page 291: ...console add or edit the active and standby objects to the network topology tree considering the following In Add or Edit 7100 Series Node or Add or Edit Software Node under Failover Group Information...

Page 292: ...Enabling this feature causes incidents to load from all nodes in the cluster including any standby nodes and thus avoids dropping incidents When a failover occurs the incident table remains unchanged...

Page 293: ...original master comes back online the Network Security console does not automatically switch back Response actions such as TrackBack that augment the incident may not be visible during a failover as a...

Page 294: ...in line with a firewall Note SuperUsers can configure watchdog processes Administrators StandardUsers and RestrictedUsers cannot See User groups reference on page 319 for more about permissions Set u...

Page 295: ...left pane click the parameter that you want to configure 4 In the lower right corner of the Configuration Parameters pane enter a fail rate If the number of failures breaches this threshold it resort...

Page 296: ...failure occurs The default value is false If set to true Symantec Network Security restarts the product on failure If this value is not set the default is to reboot the system on failure Note SuperUs...

Page 297: ...hanges To select the node or subset of nodes that you want to apply the parameter to 7 Click OK to save the changes to this sensor and close Backing up and restoring Symantec Network Security provides...

Page 298: ...as topology parameter policy and report configurations but does not include collected data such as flow records traffic record sessions and generated reports To back up a configuration 1 In the Netwo...

Page 299: ...nfiguration 1 In the Network Security console click Admin Node Manage Backups 2 In Select Node choose a node from the pull down list and click OK 3 In Backups click an existing backup configuration 4...

Page 300: ...ser groups reference on page 319 for more about permissions Restoring Symantec Network Security configurations Symantec Network Security provides a way to restore a previous configuration to an entire...

Page 301: ...level is the same The Symantec Network Security SecurityUpdate and EngineUpdate levels must be the same or greater than the backup The restoration machine must have the same number and type of interf...

Page 302: ...ete software and appliance nodes from the cluster Administrators StandardUsers and RestrictedUsers can view them but cannot delete them See User groups reference on page 319 for more about permissions...

Page 303: ...each node individually to get the per node configuration Cluster wide configuration is synchronized from the master to the slave nodes If the compact flash card is mounted SuperUsers can choose from b...

Page 304: ...es node object whose configuration you wish to save then click Configuration 7100 Series Configuration Save Configuration File On Devices click Configuration Node 7100 Series Configuration Save Config...

Page 305: ...the IP address of the default router for this node Note Values for the netmask and default router will be automatically updated after the slave appliance is connected to the network and initially con...

Page 306: ...verting to the original installation You can cause the 7100 Series to revert to the original manufacturer s installation if you want to completely reconfigure it All existing configuration is erased a...

Page 307: ...e Click OK 2 If a Warning is displayed read the message and do one of the following Click Yes to generate new SSH keys This replaces any existing keys Click No to exit the process 3 In Generating SSH...

Page 308: ...space allowed for traffic record data 10 Click Apply Configuring advanced parameters The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core...

Page 309: ...apacity of the node and the amount of traffic you expect it to monitor Software nodes The Network Security software nodes include parameters that allow for variations from the default during installat...

Page 310: ...e Configuration Parameters pane click the radio button or enter the value of the parameter 5 Click Apply 6 In Apply Changes To select the node or subset of nodes that you want to apply the parameter t...

Page 311: ...t lacks sufficient memory to load all the data the Network Security console becomes unresponsive To prevent this you can limit the number of incidents loaded by editing the incidentHours key in the Sy...

Page 312: ...he value 5 Click Apply 6 In Apply Changes To select the node or subset of nodes that you want to apply the parameter to 7 Click OK to save the changes to this sensor and close Caution Take note of the...

Page 313: ...to take effect Setting Event Queue Length Event Queue Length prevents the system from becoming overloaded during a denial of service attack This parameter indicates the length of the event queue by se...

Page 314: ...value is set to 150 events per second for optimum performance and you do not need to lower it under most circumstances Increase the value to see more events but make sure that the system has sufficien...

Page 315: ...315 Advanced configuration Configuring advanced parameters Restart Symantec Network Security for changes to this parameter to take effect...

Page 316: ...316 Advanced configuration Configuring advanced parameters...

Page 317: ...Part IV Appendices The following appendices provide additional reference information User groups reference SQL reference...

Page 318: ...318...

Page 319: ...upon the same core architecture that provides detection analysis storage and response functionality Both the software and the appliance utilize the core functionality in the same way and the group per...

Page 320: ...lave nodes in a cluster This section describes the permissions of the user groups in detail SuperUsers A user authenticated with full administrative capabilities This user is allowed to perform all ad...

Page 321: ...d to view Allowed to view Appliance specific Write to Compact Flash Allowed to write to compact flash Allowed to write to compact flash Not allowed Not allowed Availability Monitor Allowed to edit ava...

Page 322: ...Monitoring Groups Allowed to add assign and rename monitoring groups Allowed to choose Allowed to choose Allowed to choose Nodes both software and appliance Allowed to add edit delete all objects incl...

Page 323: ...ns Allowed to view Allowed to view Response Action Custom Allowed to add edit and delete custom response actions Allowed to view Allowed to view Allowed to view Restart Symantec Network Security Appli...

Page 324: ...re or appliance nodes Allowed to view Allowed to view Topology tree view Allowed to view Allowed to view Allowed to view Allowed to view Traffic Playback Allowed to view Allowed to view Allowed to vie...

Page 325: ...d response functionality Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4 0 software The 7100 Series appliance also provides additional funct...

Page 326: ...f the incident and event tables that Symantec Network Security uses to export data to an Oracle database To configure software or appliance nodes to export tables to Oracle see also Exporting to SQL o...

Page 327: ...ce interfaceID from the topology table where the best event was detected Used Internally ifName varchar 65 Indicates the actual name of the interface associated with the best event corresponding to if...

Page 328: ...t Valid values are 1 10 severity integer Indicates the severity of the best event Valid values are 1 10 state integer Indicates the state of this incident 1 active currently being monitored by the AF...

Page 329: ...xtBuffer Base 64 encoded crtTime integer Indicates the time when this event was realized in the Analysis Framework Standard UNIX time format seconds since 1970 GMT custID varchar 41 Indicates the Cust...

Page 330: ...ed For example hme0 incidentID varchar 33 Indicates a unique string identifier that identifies the incident to which this event belongs mappedType varchar 128 Indicates the mapped type of the event in...

Page 331: ...are 1 10 sips varchar 195 Indicates a list of source IPs for this event src_etheraddr varchar 33 Indicates the source ethernet address sttTime integer Indicates the start time for this event accordin...

Page 332: ...es to export incident data to a MySQL database Table B 3 MySQL Incident Table Field Name Type Description Notes class varchar 33 Indicates the class of the best event clusterID integer Indicates the N...

Page 333: ...7d091e45e8 2 3d20b45191f6ec72 3 lastEvtTime integer Indicates the last time when an event was added to this incident mappedType varchar 128 Indicates the mapped type of the event incident correspondin...

Page 334: ...9 Indicates the type of the best event viewed integer Indicates the marked status of this incident 0 Not yet marked by a Network Security console user 1 Marked by a Network Security console user and u...

Page 335: ...Indicates a list of destination IPs for this event dst_etheraddr varchar 33 Indicates the destination ethernet address dvName varchar 41 Indicates the name of the network device where the event was de...

Page 336: ...s generated Used internally nodeName varchar 255 Indicates the hostname of the software or appliance node corresponding to nodeNum nodeNum integer Indicates the Network Security node number where the...

Page 337: ...is event according to the sensor Standard UNIX time format trgtname text Indicates the name of the attacker s target or blank if not applicable trgtntype integer Indicates the type of the attacker s t...

Page 338: ...338 SQL reference Using MySQL tables...

Page 339: ...espective set of permissions is predefined and cannot be modified See also user account alarm A sound or visual signal that is triggered by an error condition alert See notification See also event ale...

Page 340: ...r network See also PAP Password Authentication Protocol authentication token A portable device used for authenticating a user Authentication tokens operate by challenge response time based code sequen...

Page 341: ...uter to a modem or a cable that connects two computers directly that is sometimes called a null modem cable cache file A file that is used to improve the performance of Microsoft Windows The cache fil...

Page 342: ...nsmission rate interval type and mode compact flash CF Digital memory technology providing non volatile data storage on a compact flash card readable and writable by a compact flash adaptor on a compu...

Page 343: ...pable of performing other duties it is assigned to only one denial of service DoS attack A type of attack in which a user or program takes up all of the system resources by launching a multitude of re...

Page 344: ...otected network and an external network to provide an additional layer of security Sometimes called a perimeter network DNS Domain Name System A hierarchical system of host naming that groups TCP IP h...

Page 345: ...on with DEC and Intel in 1976 Ethernet uses a bus or star topology and supports data transfer rates of 100 Mbps Ethernet interface NIC interfaces on the Network Security or network devices capable of...

Page 346: ...ertain qualifying criteria and then process or forward it accordingly Also a method of querying a list to produce a subset of items with specified characteristics firewall A program that protects the...

Page 347: ...t contains specific predefined permissions and rights See also user account group monitoring A subset of a cluster hack A program in which a significant portion of the code was originally another prog...

Page 348: ...s the identity of a Network Security node icon A graphic representation of a container document network object or other data that users can open or manipulate in an application inactive A status that...

Page 349: ...ng real time or near real time warning of attempts to access system resources in an unauthorized manner intrusion management The centralized management of intrusion based security technologies to iden...

Page 350: ...munications link that enables any device to interact with any other device on the network LDAP Lightweight Directory Access Protocol A software protocol that enables anyone to locate organizations ind...

Page 351: ...defined by an MIB middleware An application that connects two otherwise separate applications MIME Multipurpose Internet Mail Extensions A protocol used for transmitting documents with different form...

Page 352: ...ing the notes posted on newsgroups NNTP replaced the original Usenet protocol UNIX to UNIX node active The primary node in a watchdog process or failover group from which all activity predominates See...

Page 353: ...ssword In network security a password that is issued only once as a result of a challenge response authentication process This cannot be stolen or reused for unauthorized access online The state of be...

Page 354: ...assigned to a variable In communications a parameter is a means of customizing program software and hardware operation passphrase A unique string of characters that a user types as an identification...

Page 355: ...rom a mail server POP3 Post Office Protocol 3 An email protocol used to retrieve email from a remote server over an Internet connection port 1 A hardware location for passing data into and out of a co...

Page 356: ...affic compares observed behavior during network protocol exchange to structured protocols analyzes defiant behavior in context and detects deviations from the norm proxy server A server that acts on b...

Page 357: ...predefined reaction to an event or alert to a defined security threat such as capturing the attacker s section triggering tracking or emailing an alert Response actions can be configured for each type...

Page 358: ...are expressed using the application s rules and syntax combined with simple control structures script kiddie An unskilled cracker who uses code and software or scripts downloaded from the Internet to...

Page 359: ...mmunication between two computers that have been previously configured for communication with each other Smart Agents See Symantec Network Security Smart Agents SMF Standard Message Format A message f...

Page 360: ...erwise gaining access to information sent over the network SSL Secure Sockets Layer A protocol that allows mutual authentication between a client and server and the establishment of an authenticated a...

Page 361: ...on requests can t be accommodated Although the packet in the buffer is dropped after a certain period of time without a reply the effect of many of these bogus connection requests is to make it diffic...

Page 362: ...ed If the time out value is reached before or during the execution of a task the task is cancelled title bar The area at the top of a window showing the name of the program function document or applic...

Page 363: ...IP networks Unlike TCP IP UDP provides very few error recovery services offering instead a direct way to send and receive datagrams over an IP network UDP is used primarily for broadcasting messages...

Page 364: ...or program from its binary or bit stream representation into the 7 bit ASCII set of text characters validation The process of checking a configuration for completeness ensuring that all values are val...

Page 365: ...rom the outside that is aimed at Web server vulnerabilities Web denial of service A denial of service attack that specifically targets a Web server wildcard character A symbol that enables multiple ma...

Page 366: ...366 Glossary...

Page 367: ...CLI Command Line Interface CPU Central Processing Unit CSP Client server protocol CTR Cisco Threat Response CVE Common Vulnerabilities and Exposures DDOS Distributed denial of service DMZ Demilitariz...

Page 368: ...ction System IDWG Intrusion Detection Working Group IETF Internet Engineering Task Force IHS internal hostile structured threat IHU internal hostile unstructured threat IKE Internet Key Exchange IM In...

Page 369: ...Computer Security Association NIC Network Interface Card NIDS Network based intrusion detection system NNTP Network News Transfer Protocol NOC Network Operation Center NTP Network Time Protocol ODBC O...

Page 370: ...Protocol SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SPI Security Parameter Index SQL Structured Query Language SSH Secure Shell SSL Secure Sockets Layer STOP Stack Over...

Page 371: ...e administration service node architecture 35 Administrators about 320 pre defined login account 200 advanced parameters configuring 308 311 alert manager node architecture 35 alerting See logging ale...

Page 372: ...67 attack responses See responses attacks categories 136 flood based 142 fragmentation 230 syn floods 149 target IP address 202 204 traffic 249 Auto Update tab about 113 automated response architectu...

Page 373: ...evel 204 response rules 139 setting level 139 viewing events 197 configuration via compact flash 40 console response action configuring 152 console See Network Security console serial console Symantec...

Page 374: ...266 Destination Host for SCP setting node parameters 265 details viewing event types 119 viewing objects 74 detection about 159 about 7100 Series appliances 38 about architecture 26 about denial of s...

Page 375: ...Smart Agents 106 284 communication by proxy 284 EDP cont detection architecture 29 Network Security node passphrase 284 setting passphrases 106 setting port numbers 284 EDP Port Number setting node pa...

Page 376: ...detail reports 236 email notifying 142 enabling logging 122 enabling SNMP notifications 145 examining data 196 filtering 205 206 filtering tables 205 206 integrating third party 282 interpreting seve...

Page 377: ...haser Router Flow Collection Threads setting node parameters 220 FlowChaser Sensor Threads setting node parameters 222 flows adding alert rules 155 alert rules 154 configuring FlowChaser 220 flows con...

Page 378: ...viewing 292 viewing details 193 viewing flow statistics 239 viewing from monitoring groups 68 viewing top event 195 viewing top level data 193 in line about 16 38 62 in line cont about blocking 112 a...

Page 379: ...ser login accounts 56 editing user accounts 56 from Windows 45 history report 235 Network Security Administrator 200 Network Security console 199 200 login cont setting maximum failures 59 logs about...

Page 380: ...adding or editing on software nodes 90 editing on appliance nodes 96 monitoring interfaces cont on appliance nodes 95 on software nodes 89 MSAs See Smart Agents MySQL event table 334 exporting to 257...

Page 381: ...48 rebooting from the serial console 50 restarting from the LCD panel 53 restarting from the serial console 50 shutting down 54 single node deployment 61 single node appliance deployment 62 nodes cont...

Page 382: ...e 163 setting Enable IPv4 Header Checksum Validation 168 setting Enable TCP Checksum Validation 169 setting Enable UDP Checksum Validation 169 setting Enable Watchdog Process 294 setting Event Correla...

Page 383: ...ng TCP Maximum Flow Table Elements Gigabit 174 setting TCP Minimum Flows 171 setting TCP Number of Streak Packets 172 setting Traffic Mode 168 setting UDP Flood Alert Threshold 165 setting UDP Maximum...

Page 384: ...nsors 36 ProductUpdates about 269 accessing 22 protection policies about 31 111 adding 121 protection policies cont adjusting the view 117 annotating 126 applying to save 115 Auto Update tab 113 backi...

Page 385: ...223 about top level and drill down 228 adding or editing schedules 224 by event characteristics 233 deleting saved 228 reports cont deleting schedules 226 drill down 236 exporting saved 227 format 228...

Page 386: ...king data stream to source 147 traffic record 150 using permit types 157 viewing rules 132 restarting Network Security sensors 49 nodes from the LCD panel 53 nodes from the Network Security console 47...

Page 387: ...etwork Security console 49 restarting in a cluster 281 restarting or stopping 161 setting Packet Counter Interval parameter 170 tweaking sensitivity 162 169 serial console about 40 49 editing root pas...

Page 388: ...out the node architecture 34 accessing Knowledge Base 22 adding nodes 86 adding or editing nodes 86 clustering with appliances 65 software cont deleting nodes 277 documentation 21 node status indicato...

Page 389: ...ting sensor parameters 177 TCP Flood Alert Threshold setting sensor parameters 164 TCP Flow Max Queued Segments setting sensor parameters 176 TCP Global max Queued Segments Fast Ethernet setting senso...

Page 390: ...Number of Streak Packets setting sensor parameters 172 UDP Saturation Alert Threshold setting sensor parameters 166 undoing changes to topology tree 82 LiveUpdate schedules 274 undoing cont policy ap...

Page 391: ...s 181 top event of incident 195 top level events 197 top level incident data 193 topology 46 47 VLAN specifying rules 139 W watchdog process adding failover groups 290 high availability 289 preserving...

Page 392: ...392 Index...