92 Incidents and Events

About incidents and events

About the Devices tab

The Devices tab provides a tree-oriented view of the network topology with a 
detailed summary of each device. When you select an object from the topology 
tree in the left pane, the right pane displays related information. Symantec 
Network Security updates this information at frequent intervals, so the status 
remains current.

Viewing device details

When you select an object in the Devices tab, the right pane displays 
information about that object. Depending on the selected object, the following 
information can appear in the right pane:

Device Type

: Displays the type of device selected.

IP address

: Displays the IP address of the selected device, or the management IP address for a device with multiple IP addresses.

Node Number

: Displays the node number assigned to the software or appliance node, between 1 and 120.

Customer ID

: Displays an optional user-defined ID. Customer IDs for in-line pairs and interface groups reflect the 7100 Series appliance nodes to which they belong.

Model

: Displays the model number of a 7100 Series appliance, either 7120, 7160, or 7161.

Monitoring Group

: Identifies the monitoring group of the selected device, if any.

Monitored Networks

: Identifies the networks for which port usage patterns are tracked and anomalies detected. Displayed only if you entered network IP addresses on the Network tab when editing interfaces, adding in-line pairs, or adding interface groups. Available only on 7100 Series interfaces.

TCP Reset Interface

: Displays the interface that sends TCP resets; either eth0, eth1, or eth2, corresponding to your choice of RST0, RST1, or RST2 when you added the interface group.

Bandwidth

: Displays the expected throughput for the selected object.

Sensor Status

: Displays the current status of the related sensor.

Description

: Displays a brief optional description of the object.

Active Security Incidents

: Displays the active incidents of the selected topology object, with name, state, node number, and last date modified.
