Symantec 10521146 - Network Security 7120, Administration Manual

Page 1: ...Symantec Network Security Administration Guide...

Page 2: ...hitecture and Symantec Security Response are trademarks of Symantec Corporation Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective c...

Page 3: ...signatures that ensure the highest level of protection Global support from Symantec Security Response experts which is available 24 hours a day 7 days a week worldwide in a variety of languages Advan...

Page 4: ...mer Service online go to www symantec com select the appropriate Global Site for your country then choose Service and Support Customer Service is available to assist with the following types of issues...

Page 5: ...ec Network Security 25 About the core architecture 25 About detection 26 About analysis 30 About response 31 About management and detection architecture 32 About the Network Security console 32 About...

Page 6: ...ogy mapping 74 Managing the topology tree 78 Viewing auto generated objects 79 Viewing node details 79 Viewing node status 79 Adding objects for the first time 80 Editing objects 81 Deleting objects 8...

Page 7: ...Updating policies automatically 125 Annotating policies and events 126 Backing up protection policies 128 Chapter 6 Responding About response rules 129 About automated responses 131 Managing response...

Page 8: ...rameters 162 Data collection parameters 163 Threshold parameters 164 Saturation parameters 165 Miscellaneous parameters 167 Checksum validation parameters 168 Advanced sensor parameters 169 Interval a...

Page 9: ...tination Port Weight 218 Monitoring flow statistics 219 Enabling flow data collection 219 Configuring FlowChaser 220 Chapter 9 Reporting About reports and queries 223 Scheduling reports 224 Adding or...

Page 10: ...9 Compressing log files 252 Exporting data 254 Exporting to file 254 Exporting to SESA 255 Exporting to SQL 257 Exporting to syslog 260 Transferring via SCP 264 Chapter 11 Advanced configuration About...

Page 11: ...lash 302 Configuring advanced parameters 308 About parameters for clusters nodes and sensors 309 About basic setup and advanced tuning 309 Configuring node parameters 310 Configuring basic parameters...

Page 12: ...12 Contents Index...

Page 13: ...egrated hardware and software intrusion detection appliances designed to detect and prevent attacks across multiple network segments at multi gigabit speeds The 7100 Series combines Symantec Network S...

Page 14: ...14...

Page 15: ...on This section includes the following topics About the Symantec Network Security 7100 Series About other Symantec Network Security features About the Symantec Network Security 7100 Series Symantec Ne...

Page 16: ...ent reliability and profile of protected resources and common or individualized policies can be applied per sensor for both in line and passive monitoring Interface Grouping 7100 Series appliance user...

Page 17: ...tem that supports large distributed enterprise deployments and provides comprehensive configuration and policy management real time threat analysis enterprise reporting and flexible visualization The...

Page 18: ...evant information providing threat awareness without data overload Symantec Network Security gathers intelligence across the enterprise using cross node analysis to quickly spot trends and identify re...

Page 19: ...eries appliance nodes and from other network devices to trace attacks to the source Cost effective Scalable Deployment A single Network Security software node or 7100 Series appliance node can monitor...

Page 20: ...Symantec Network Security 7100 Series appliances in the documentation sets on the product CDs and on the Symantec Web sites This section includes the following topics About 7100 Series appliance docum...

Page 21: ...ec Network Security 7100 Series Readme on CD This document provides the late breaking information about the Symantec Network Security 7100 Series including limitations workarounds and troubleshooting...

Page 22: ...site To view the Knowledge Base 1 Open the following URL http www symantec com techsupp enterprise select_product_kb html 2 Click Intrusion Detection Symantec Network Security 4 0 About the Hardware...

Page 23: ...a Symantec Network Security intrusion detection system Part 2 Getting Started This section explains how to set up your Symantec Network Security intrusion detection system populate a network topology...

Page 24: ...twork Security log databases and how to view compress save export and archive them Chapter 11 Advanced configuration Describes advanced procedures such as high availability cluster management and inte...

Page 25: ...rity 7100 Series appliance employ a common core architecture that provides detection analysis storage and response functionality Most procedures in this section apply to both the 7100 Series appliance...

Page 26: ...ches can miss new attacks protocol anomaly detection can miss attacks that are not considered anomalies traffic anomaly detection misses single shot or low volume attacks and behavioral anomaly detect...

Page 27: ...tion PAD is a form of anomaly detection PAD detects threats by noting deviations from expected activity rather than known forms of misuse Anomaly detection looks for expected or acceptable traffic and...

Page 28: ...iteral string of characters found in one packet or it may be a known sequence of packets that are seen together In any case every packet is compared against the pattern Matches trigger an alert while...

Page 29: ...y the common probing methods but also many stealth modes that slip through firewalls and other defenses For example many firewalls reject attempts to send SYN packets yet allow FIN packets This result...

Page 30: ...ymantec Network Security matches generic anomalies against a database of refinement rules and for known attacks reclassifies an anomaly event by retagging it with its specific name About correlation S...

Page 31: ...t response Protection policies and response rules are collections of rules configured to detect specific events and to take specific actions in response to them Protection policies can take action at...

Page 32: ...unctionality such as incident review logging and reporting The detection component is available as a Network Security software node or a Symantec Network Security 7100 Series appliance node Both are b...

Page 33: ...t role based administration The Network Security console provides a simple yet powerful interface that is useful for all levels of administration from the Network Operation Center NOC operator who wat...

Page 34: ...he attacks and initiate responses appropriate to specific attack circumstances The following diagram illustrates how Symantec Network Security s arsenal of tools work together to provide protection Fi...

Page 35: ...master node and between software and appliance nodes within a cluster are properly authenticated and encrypted In addition this service enforces role base administration and thus prevents any circumve...

Page 36: ...events event flood invasions by intelligently processing them in multiple event queues based on key criteria In this way if multiple identical events bombard the network the ESP treats the flood of ev...

Page 37: ...om third party hosts and network IDS products in real time Smart Agents collect event data from external sensors such as Symantec Decoy Server as well as from third party sensors log files SNMP and so...

Page 38: ...rouping the interfaces into one logical interface with a single sensor allows state to be maintained during the session making it possible to detect attacks About response on the 7100 Series An import...

Page 39: ...ration to switch between in line alerting and blocking modes About fail open When you configure in line mode on the Symantec Network Security 7100 Series appliance you place the in line interface pair...

Page 40: ...alternative to using the LCD panel for initial configuration Serial console access requires a valid username and password About the compact flash Other new appliance management functionality involves...

Page 41: ...serial console and LCD panel accessing nodes and sensors and establishing user permissions and access It also describes deployment considerations and examples of ways to deploy Symantec Network Securi...

Page 42: ...our network Which devices or elements of your network will you monitor Will you deploy Symantec Network Security as single peer software or appliance nodes or as a cluster of interacting nodes Will yo...

Page 43: ...ses Review collected data about suspicious activity in logs and databases to use in analyzing and tracking Set configuration parameters Configure single node or cluster wide settings to define advance...

Page 44: ...interface group that aggregates traffic on up to four monitoring interfaces An interface group is useful for intrusion detection in asymmetrically routed networks About the management interfaces Syma...

Page 45: ...while the database files load Symantec Network Security caches the files after that first load and makes subsequent launches faster Launching the Network Security console All users can launch the Net...

Page 46: ...ee main tabs that provide a view of the network topology the network traffic and the detection and response functionality The Devices tab provides a hierarchical tree view of the network topology with...

Page 47: ...s Indicator This signifies that Network Security processes or connectivity to the network has failed To view node status See the Node Status Indicator for the software or appliance node A red X or Nod...

Page 48: ...the node that you want to reboot from the pull down list and then click OK 3 Wait until the progress bar indicates that the process is complete Note SuperUsers can reboot Network Security software nod...

Page 49: ...Security console provides a way to check the status of the Symantec Network Security license applied to each node Note SuperUsers and Administrators can check the licenses of Network Security sensors...

Page 50: ...nsole The Symantec Network Security 7100 Series provides a way to restart appliance nodes using the serial console You must have secadm access to restart Symantec Network Security on the serial consol...

Page 51: ...y from the serial console 1 Connect your laptop or other serial device to the appliance with the serial console cable 2 Using a serial terminal application login to the appliance as secadm 3 Type the...

Page 52: ...CD panel See the Symantec Network Security 7100 Series Implementation Guide for the full range of procedures available on the LCD panel Unlocking the LCD panel The LCD panel may be locked If so you mu...

Page 53: ...oices until you see SNS7100 4 Start SNS 3 Press e to restart the Symantec Network Security application The LCD screen displays the following when the restart process completes Success Press any button...

Page 54: ...d to shut down the appliance from the LCD panel If the LCD panel is locked see Unlocking the LCD panel After it is unlocked follow this procedure to restart Symantec Network Security To shut down an a...

Page 55: ...ons Controlling user access Managing user login accounts The Network Security console provides a way to create and modify user login accounts efficiently In a cluster create user accounts on the maste...

Page 56: ...ore about permissions To modify an existing user login account 1 In the Network Security console click Admin Manage Users 2 In Manage Users select the user account you want to modify 3 Click Edit 4 Ch...

Page 57: ...ess All users can change their own passphrase at any time To change login account passphrases 1 In the Network Security console click Admin Change Current Passphrase 2 In Change Passphrase for user en...

Page 58: ...ot password also changes the password for the elevate command These passwords are always the same To change the root password from the serial console 1 Connect your laptop or other serial device to th...

Page 59: ...on and can reset the password of a locked out account to re enable it The default value allows 5 attempts to login before locking If this value is set to 0 then no restrictions apply To configure the...

Page 60: ...do not affect the configuration The log includes data specific to the action such as the date and time of the action the username query information whether the query is allowed or denied and the type...

Page 61: ...age 287 Deploying single nodes Symantec Network Security can be deployed as one or more single nodes that operate independently of each other within your network The following figure illustrates the r...

Page 62: ...best suits your network About interface grouping Interface grouping provides a solution when your network employs asymmetric routing Asymmetric routing occurs when traffic arrives on one interface an...

Page 63: ...if the appliance has a hardware failure network traffic will continue Since the Symantec Network Security 7100 Series appliance is directly in the network path while deployed using in line mode fail o...

Page 64: ...age 220 See Setting automatic logging levels on page 248 See Archiving log files on page 249 See Compressing log files on page 252 See Exporting data on page 254 See Integrating via Smart Agents on pa...

Page 65: ...Symantec Network Security 7100 Series Implementation Guide for special considerations when upgrading or migrating clusters Deploying software and appliance nodes in a cluster Both Network Security sof...

Page 66: ...ection includes the following topics Creating a monitoring group Assigning a monitoring group Renaming a monitoring group Choosing monitoring groups Deleting a monitoring group Creating a monitoring g...

Page 67: ...p with the view of that monitoring group If you assign a node to a different monitoring group than the monitoring group that defines your incident subset you can miss events even though the sensors de...

Page 68: ...dent list as well If you view incidents from a node in a different monitoring group than the monitoring group that defines your view subset you can miss events even though the sensors detect them See...

Page 69: ...m After getting started indicate what to monitor by creating a network topology database what kind of activity to look for by configuring detection signatures and parameters and how to respond by esta...

Page 70: ...70...

Page 71: ...the software and the appliance utilize the topology database in the same way The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core archite...

Page 72: ...dd the others providing Symantec Network Security with the information it needs to monitor your network The following figure shows an example The Devices tab provides a tree oriented view of the netwo...

Page 73: ...represent the entry point for event data from Symantec Decoy Server Symantec Network Security Smart Agents and other third party sensors Managed network segments Objects that represent subnets in whi...

Page 74: ...selected device if any Monitored Networks Identifies the networks for which port usage patterns are tracked and anomalies detected Displayed only if you entered network IP addresses on the Network ta...

Page 75: ...the model for your network topology Locations Decide whether to divide the network into logical or physical groupings depending on the network setup A physical grouping might include all segments with...

Page 76: ...you gather information specific to each element of your topology This section describes the information and conventions common to most devices and network elements that you might need to provide Each...

Page 77: ...he topology tree the Details pane displays your description as well as other details about the object such as its IP address or subnet mask if applicable Customer IDs For most objects in the topology...

Page 78: ...objects for the first time Editing objects Deleting objects Reverting changes Saving changes Forcing nodes to synchronize Backing up Interface name For each interface in the topology tree follow the n...

Page 79: ...the topology tree the Network Security console displays the description if applicable and other pertinent details about the software or appliance node such as its IP address or subnet mask To view nod...

Page 80: ...g the initial installation assigned the status of master node and node number of 1 Note Valid node numbers range from 1 to 120 inclusive Do not use a node number over 120 or change the node number aft...

Page 81: ...t router objects About Smart Agents About managed network segments Caution Click Topology Save Changes before quitting the Network Security console You will lose any unsaved changes when you exit Note...

Page 82: ...ology tree if you change your mind before saving Note SuperUsers and Administrators can undo cancel or revert changes to the topology tree StandardUsers and RestrictedUsers cannot See User groups refe...

Page 83: ...ty console click Admin Force Database Sync 3 Click OK to cause all synchronized databases in the cluster to synchronize with the most recent master copy Backing up We recommend that you back up the to...

Page 84: ...dUsers and RestrictedUsers can view it See User groups reference on page 319 for more information about permissions Adding or editing location objects We recommend that you review the procedure before...

Page 85: ...Under Enterprise the location object created automatically during the installation process SuperUsers can add objects to represent each software node and 7100 Series appliance node as follows Network...

Page 86: ...about permissions About Network Security software nodes Under Enterprise the location object created automatically during the installation process SuperUsers can add an object to the topology tree to...

Page 87: ...e the IP address of a physical node you must edit the Advanced Network Options tab Verify that the values in the Netmask and Default Router fields are valid for the new IP address See Viewing advanced...

Page 88: ...u must apply the sensor parameter for flow statistics and execute the TrackBack response policy See About monitoring interfaces on software nodes on page 89 See Defining new protection policies on pag...

Page 89: ...nd the network device such as a router The software or appliance node receives data about traffic on the router via the monitoring interface SuperUsers can add objects to represent monitoring interfac...

Page 90: ...itoring Interface from the pop up menu Right click an existing monitoring interface object and click Edit from the pop up menu 2 In Add Monitoring Interface or Edit Monitoring Interface enter the inte...

Page 91: ...fore starting a sensor on the interface To add or edit monitored networks 1 On the Networks tab do one of the following Click Add Select a monitored network and click Edit 2 Replace the default 0 0 0...

Page 92: ...work Security console provides a way to add or edit Symantec Network Security 7100 Series nodes The installation process populates the fields in the Advanced Network Options tab blank After installati...

Page 93: ...ions on page 94 5 Enter a unique node number between 2 and 120 inclusive that is not assigned to any other node in the cluster Note Use this same number for the QSP Node Number during initial configur...

Page 94: ...interfaces on a 7100 Series node but you can create interface groups or in line pairs from the existing interfaces on the node For the sensor to run you must add a protection policy to each interface...

Page 95: ...The node accesses traffic on the network device via the interface There are three interface types available on a 7100 Series node Local IP Indicates the internal IP address for a node behind a NAT rou...

Page 96: ...pair objects This section describes the following procedures Editing monitoring interfaces on 7100 Series nodes Adding or editing interface groups Adding or editing in line pairs Editing monitoring i...

Page 97: ...5 In TCP Reset Interface click the reset interface on the pull down list The reset interface must be cabled to access the monitored network See the Symantec Network Security 7100 Series Implementation...

Page 98: ...0 0 0 in the Networks tab with valid monitored networks in CIDR format before starting a sensor on the interface If you fail to take this step the database can fill with invalid data and result in a...

Page 99: ...iption of up to 255 characters See Description on page 77 6 On the Networks tab click Add enter the network IP address of all networks monitored by this interface group using CIDR format and click OK...

Page 100: ...lick Edit on the pop up menu 2 In Add In line Pair or Edit In line Pair enter a descriptive name See Name on page 77 3 In Expected Throughput click the expected throughput on the pull down list 4 In P...

Page 101: ...object to the topology Note Click Topology Save Changes before quitting the Network Security console You will lose any unsaved changes when you exit See Deleting objects on page 81 About router objec...

Page 102: ...ct and click Edit from the pop up menu 2 In Add Router or Edit Router enter a descriptive name of up to 40 characters for the device See Name on page 77 3 Enter an optional customer ID of up to 40 cha...

Page 103: ...response action on page 147 See Managing flow alert rules on page 154 See Deleting objects on page 81 About router interfaces An interface object represents each router interface through which Symant...

Page 104: ...s not yet have an object in the topology tree Symantec Network Security automatically creates an object for the new network segment under the Managed Network Segments category You can edit the default...

Page 105: ...rom the pop up menu Right click an existing Smart Agent object and click Edit from the pop up menu 2 In Add Smart Agent or Edit Smart Agent enter a descriptive name of up to 40 characters for the devi...

Page 106: ...ry flow data from this object you must apply the sensor parameter for flow statistics and execute the TrackBack response policy See About Smart Agent interfaces on page 106 See Defining new protection...

Page 107: ...ght click an existing Smart Agent Interface object and click Edit from the pop up menu 2 In Add Smart Agent Interface or Edit Smart Agent Interface enter a descriptive name See Name on page 77 3 Enter...

Page 108: ...bject Symantec Network Security adds a new object for the network segment in which the interface resides if not already represented SuperUsers can edit the default name Untitled and the description Ed...

Page 109: ...ating the topology database Adding nodes and objects See Description on page 77 Caution Click Topology Save Changes before quitting the Network Security console You will lose any unsaved changes when...

Page 110: ...110 Populating the topology database Adding nodes and objects...

Page 111: ...tection policies enable users to tailor the protection based on security policies and business need Policies can be tuned by threat category severity intent reliability and profile of protected resour...

Page 112: ...Security 7100 Series appliance that is deployed in line See Overriding blocking rules globally on page 115 Direct the response You can configure Symantec Network Security to respond automatically to t...

Page 113: ...elf Searching to create a subset of event types Adding or editing user defined protection policies Enabling or disabling logging rules Enabling or disabling blocking rules Full Event List tab The Full...

Page 114: ...s globally Undoing policy settings See also the following related topics Defining new protection policies Enabling or disabling blocking rules Selecting pre defined policies On the Protection Policies...

Page 115: ...tween applied policies and their definitions Slave nodes sometimes then appear to have viable policies applied that in reality are disabled Prevent losing policies through failure by backing up the ma...

Page 116: ...cation of policies to interfaces Unapplying protection policies The Network Security console provides a way to unapply or remove the application of protection policies from node interfaces To unapply...

Page 117: ...searching for event types that match specific characteristics If an event type is a known characteristic of your network you can instruct Symantec Network Security not to alert on it by setting loggin...

Page 118: ...n Intent select an intention from the pull down list In Blocked specify whether you want to view events with blocking rules In Logged specify whether you want to view events with logging rules In Note...

Page 119: ...nt type details The Network Security console provides a way to view and clone the pre defined Symantec protection policies but you cannot edit or delete them To view individual protection policies 1 O...

Page 120: ...ng the system This section describes the following procedures Adding or editing user defined protection policies 1 Click New or Clone to begin defining your new pro tection policy 2 Enter a Name for t...

Page 121: ...he following In Search Events you can change the search parameters to display a more manageable subset of event types to apply rules See Searching to create a subset of event types on page 117 In Sear...

Page 122: ...ion describes how to enable or disable event logging rules Symantec Network Security displays an event in the Incidents tab each time it detects an event type specified by a logging rule You can also...

Page 123: ...click Log For All IPs To log selected events click Log For Selected IP Ranges To avoid logging selected events click Log All Except IP Ranges You can use this option as a partial filter to alert you...

Page 124: ...g Block You can enable blocking rules independently of logging rules See also Enabling or disabling logging rules on page 122 5 In Block Event applies to in line interfaces only do one of the followin...

Page 125: ...way to put new SecurityUpdate signatures to work immediately Use the LiveUpdate tab to select the types of signatures that you know you want using the given criteria category protocol severity and con...

Page 126: ...adds new signatures the blocking rules will be created automatically To do this you must define at least one blocking rule in the policy so that blocking is enabled See also Enabling or disabling blo...

Page 127: ...ails displays the note each time this policy detects the annotated event To make a note about an event within a policy 1 In the Policies tab do one of the following Click New Click Edit 2 In Add Prote...

Page 128: ...Note 4 Click Close Backing up protection policies Back up the master node regularly The master node stores protection policy definitions If the master node of a cluster fails or is demoted to slave t...

Page 129: ...f attacks without requiring a separate response rule for each of hundreds of individual base events SuperUsers and Administrators can create separate response rules specific to an individual event typ...

Page 130: ...gents See Integrating third party events on page 282 No actions See Setting no response action on page 142 Responding at the point of entry See Defining new protection policies on page 120 The followi...

Page 131: ...action After Symantec Network Security processes one rule it proceeds to one of three alternatives to the rule indicated by the Next parameter to a following rule beyond the Next rule or it stops poli...

Page 132: ...iewing response rules In the Network Security console you can administer response rules and flow alert rules by clicking Configuration Response Rules All users can view the response rules in the Netwo...

Page 133: ...se Rules 2 In Response Rules do one of the following Click Action Add Response Rule to add a new row to the end of the response policy table Click Action Insert Response Rule to insert a new row into...

Page 134: ...to save and exit Searching event types All users can view a more manageable subset of the entire event list by using any or all of the search criteria to shorten the list of event types in the Search...

Page 135: ...ou have modified your response policy by adding editing or deleting response rules you must save the changes to the database This step provides a chance to change your mind and undo your changes befor...

Page 136: ...ons network segments and network border interfaces defined in the network topology database Note SuperUsers and Administrators can apply the response rule to a specific location or interface in the ne...

Page 137: ...otal number of items shown in the subset 5 Click OK to save and exit Setting severity levels The severity parameter describes the relationship between the action to take in response to an incident and...

Page 138: ...well as all other parameters defined in the response rule then Symantec Network Security responds to the incident by performing the action associated with the response rule SuperUsers and Administrat...

Page 139: ...ces The Network Security console can apply response rules to specific locations or interfaces in the network using Event Source The event source parameter indicates that a rule applies only to events...

Page 140: ...se action Setting email notification Setting SNMP notification Setting TrackBack response action Setting a custom response action Setting a TCP reset response action Setting traffic record response ac...

Page 141: ...d event source parameters match the incident The SuperUser or Administrator can define and customize response actions from the Network Security console If you specify a Smart Agent response action the...

Page 142: ...ystems because security analysts must be kept informed of attack activity without having to constantly monitor the Network Security console Unfortunately many IDS products use the same interface for d...

Page 143: ...rs The Network Security console provides a way to establish automatic notification response policies to alert you via email under specific conditions Use the notification parameters to configure these...

Page 144: ...e Network Security Parameters 2 In Select Node choose the node from the pull down list and click OK 3 In the left pane click Subject Line 4 In the lower right pane enter an alternative subject line 5...

Page 145: ...directs Symantec Network Security to send SNMP traps to an SNMP manager with a minimum delay of 1 minute between responses The IP address of the SNMP manager must be provided and the SNMP manager mad...

Page 146: ...tes where the software or appliance node sends SNMP traps To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Select Node choose the node from the pull down list an...

Page 147: ...h applied protection policies to run as well as sensor parameters for flow statistics Setting TrackBack response actions Symantec Network Security can begin tracking in response to an attack The minim...

Page 148: ...ick OK to save and exit Note If you create a custom response action it will be enabled on all software and appliance nodes defined in your topology Be sure to include the custom application binary in...

Page 149: ...a comma delimited list of destination IP addresses and ports in the following format IP address port Some attacks such as syn floods may have multiple destinations D Device name for example hub4 F Fl...

Page 150: ...lumn of a rule 3 In Configure Response Action click TCP Reset 4 Provide the following information Maximum number of TCP resets Enter the number of TCP resets per incident of this response Delay betwee...

Page 151: ...lumn of a rule 3 In Configure Response Action click Traffic Record 4 Provide the following information Maximum packets to record Enter the maximum number of packets per incident of this response Maxim...

Page 152: ...the Network Security console click Configuration Response Rules 2 In Response Rules click the Response Action column of a rule 3 In Configure Response Action click Console Response 4 Provide the foll...

Page 153: ...ng export flow response action The export flow response action exports matching flows stored in the flow data store The action is based on the characteristics of the triggering events which are specif...

Page 154: ...e Rules click OK to save and exit For related information see the following topics See Playing recorded traffic on page 240 See Exporting data on page 254 See About incident and event data on page 189...

Page 155: ...figure flow alert rules to allow acceptable corporate traffic flow Set the Permit and Alert rules to specify explicitly what to permit across each interface and to alert on everything else To add a fl...

Page 156: ...the rule applied and click OK 6 In Flow Alert Rule select the following information from the pull down lists and click Add Source IP address mask and port Destination IP address mask and port See Prov...

Page 157: ...entered as 172 27 101 1 would require a 32 bit mask Using the permit rule type When selecting a Rule Type of Permit apply a method similar to that used in router access lists The following example il...

Page 158: ...158 Responding Managing flow alert rules...

Page 159: ...tection and IP fragment reassembly The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection analysis sto...

Page 160: ...wnloads the refinement rules from LiveUpdate and stores them individually Configuring sensor detection Symantec Network Security provides an array of sensor parameters that are preset for optimum perf...

Page 161: ...of the parameter 5 Click Apply 6 In Apply Changes To select the interface or device objects that you want to apply the parameter to 7 Click OK to save the changes to this sensor and close See Advanced...

Page 162: ...ill quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert This section describes the following sensor detection parameters Enable Flow Statistics Collectio...

Page 163: ...hat enables the sensor to collect information about network flows The default value is false If your system has performance issues leaving Enable Flow Statistics Collection turned off can provide a mi...

Page 164: ...c Network Security uses statistical methods to detect flood attacks by examining the types of traffic across the wire and the changes in traffic over periods of time For example if the system suddenly...

Page 165: ...the same port across multiple hosts which can indicate sweep activity The sensor also detects attempts to connect to the same host on multiple ports which can indicate scan activity If the number of...

Page 166: ...relatively quiet links Adjust this parameter as necessary until it just barely alerts such as once a day under normal conditions for your environment You can increase the threshold if you expect UDP t...

Page 167: ...as once a day under normal conditions for your environment A high rate of alerting can slow performance so you can increase the Threshold if you want to tolerate a high percentage of Other traffic in...

Page 168: ...ber of them have detected packets in only one direction Checksum validation parameters The following parameters enable or disable the ability to validate checksums for a variety of traffic types Enabl...

Page 169: ...unit generates a checksum and transmits it with the unit The sensor generates a second checksum and compares them Matching checksums confirm that the sensor received the complete transmission By defa...

Page 170: ...and attacks The sensors check for a variety of flood based denial of service attacks such as ICMP floods UDP floods IP fragmentation floods fragmentation services floods and IP Other floods The defau...

Page 171: ...ed TCP flows that the sensor sends to analysis during the time period set by Streak Interval If it detects an alarming number of them it sends the packets to streak analysis which inspects the sample...

Page 172: ...omewhat UDP Number of Streak Packets UDP Number of Streak Packets regulates how many UDP packets to analyze The sensor collects all unacknowledged packets in a given streak interval analyzes them for...

Page 173: ...number of packets detected even if the sensor detects very little activity In this way it prevents the streak analysis functionality from being too quiet The default is set to 10 for optimum performan...

Page 174: ...the TCP flow table by controlling the number of simultaneous flows that the fast Ethernet sensor handles It has a direct impact on memory consumption The default is set to 32 768 for optimum performan...

Page 175: ...um performance and sensitivity and does not need to be changed under most circumstances Valid values range from 32 768 32K to 1 048 576 1M inclusive If you receive an operational log message indicatin...

Page 176: ...ace by replacing old TCP flows and queued segments with new out of order segments The default is set to 65 535 for optimum performance and sensitivity and does not need to be changed under most circum...

Page 177: ...onditions for your environment In this way you will quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert TCP Default Window Size TCP Default Window Size r...

Page 178: ...nsole provides a way to add port mappings for any supported protocol or edit existing mappings To add or edit port mappings 1 In the Network Security console click Configuration Node Port Mapping 2 In...

Page 179: ...ection includes the following topics About Symantec signatures About user defined signatures Managing signatures About Symantec signatures Symantec Network Security uses network pattern matching or si...

Page 180: ...e additional user defined signatures on a per sensor basis as well as global signature variables such as creating the variable name port to stand for a value of 2600 User defined signatures are synchr...

Page 181: ...riables On the Policies tab click the Signature Variables tab to see available variables to use when defining signatures Adding or editing user defined signatures The Network Security console provides...

Page 182: ...ent bound from the pull down list In Encoding enter the information from the pull down list and click Next 6 In User defined Signature or Edit User defined Signature click Add and do one of the follow...

Page 183: ...and long descriptions of any events that were triggered in the past by the now deleted signature will not have recognizable names Importing user defined signatures The Network Security console provide...

Page 184: ...ll signatures both the default Symantec signatures and any user defined signatures that you add To add new signature variables 1 On the Policies tab click Signature Variables New 2 In Variable Name en...

Page 185: ...select a signature variable and click Delete To apply this change to the database see Applying signatures variables on page 185 Resetting signatures variables Symantec Network Security provides an ea...

Page 186: ...ity provides an easy way to revert any changes to signature variables if you act before saving To revert changes to signature variables 1 On the Policies tab click Signature Variables 2 In Signature V...

Page 187: ...ntec Network Security system to monitor your network interpret incidents and events generate reports and run queries maintain logs and databases and fine tune your system using advanced configuration...

Page 188: ...188...

Page 189: ...nitored network and can be drilled down for multiple detail levels Incidents to which no new events have been added for a given amount of time are considered idle so Symantec Network Security closes t...

Page 190: ...about the related events Devices tab Displays the topology tree When you select an object in the topology tree the Network Security console displays related information in the right pane including a...

Page 191: ...nt The values may change if an event of higher priority is added to the same incident To view incident data In the Network Security console click the Incidents tab All users can modify the view by adj...

Page 192: ...ident and event tables See User groups reference on page 319 for more about permissions Sorting column data All users can sort the incident data by clicking on the column heading The toggle sorts the...

Page 193: ...upper and lower pane Incidents and Events at Selected Incident In the upper pane information about each incident is displayed This information is taken from the highest priority event within that inc...

Page 194: ...t an incident can cause Confidence level Indicates the confidence level assigned to the incident The confidence value indicates the level of certainty that a particular incident is actually an attack...

Page 195: ...t 3 In Incident Details click Top Event to view the highest priority event correlated to that incident Event Details of the top event can display any or all of the following information Event name Ind...

Page 196: ...d Note SuperUsers and Administrators can drill down to view cross node events See User groups reference on page 319 for more about permissions Examining event data This section includes the following...

Page 197: ...in the lower pane To view event data 1 In the Incidents tab click an incident row 2 Related events are displayed in the lower Events at Selected Incident pane Note All users can view top level event...

Page 198: ...l assigned to the incident The confidence value indicates the level of certainty that a particular incident is actually an attack If the incident is merely suspicious then its assigned confidence leve...

Page 199: ...iption Note SuperUsers can view advanced event details and packet contents Administrators StandardUsers and RestrictedUsers cannot See User groups reference on page 319 for more about permissions Abou...

Page 200: ...o displayed when Symantec Network Security is restarted Network Security SuperUser Login Symantec Network Security displays this event whenever a SuperUser logs into the Network Security console Netwo...

Page 201: ...this event whenever a software or appliance node with failover enabled becomes the active node Note All users can view operational events at the top level See User groups reference on page 319 for mor...

Page 202: ...The Incidents tab can display the following incident data Last Mod Time Indicates the date and time when Symantec Network Security last modified the incident record Name Indicates the user group of th...

Page 203: ...ne of the following Click Select All to select all columns Click the individual columns you want to view 3 Click OK to save and close Device Name Indicates the name of the device where the incident wa...

Page 204: ...the list of addresses by double clicking the event to see Event Details Severity Indicates the severity level assigned to the event An event s severity is a measure of the potential damage that it can...

Page 205: ...software or appliance node By default incidents from all nodes are displayed Note When you apply incident view filters they apply only to the incidents not to the events correlated to the incidents F...

Page 206: ...cidents from all the software or appliance nodes within the topology excluding standby nodes Click Include Backup Nodes to preserve incidents during a failover scenario 7 In Incident Hours do one of t...

Page 207: ...ts as read and adding notes about them See Marking incidents as read on page 207 See Annotating incident data on page 208 See Customizing annotation templates on page 208 Marking incidents as read All...

Page 208: ...incident and event data See User groups reference on page 319 for more about permissions Customizing annotation templates The Network Security console provides an informational template to make Analy...

Page 209: ...he Incidents tab 2 Right click an incident row and click Save 3 Choose a file format from the following Click Save as PDF Click Save as HTML Click Save as PS 4 Enter the desired filename and click Sav...

Page 210: ...ent Details click To Clipboard 4 Paste this event data into a document or email Note SuperUsers and Administrators can copy data from an incident s top event See User groups reference on page 319 for...

Page 211: ...on page 319 for more about permissions Emailing incident or event data The Network Security console provides a way to configure Symantec Network Security to export incident or event data via email Co...

Page 212: ...an email in plain text format Make sure to configure email first 4 To edit the email before sending it do one of the following Click Compose in HTML Format to send an email in HTML format Click Compo...

Page 213: ...ave been added for a given amount of time SuperUsers and Administrators can define the period of time that an incident remains idle before Symantec Network Security discontinues monitoring it by editi...

Page 214: ...Node choose the node from the pull down list and click OK 3 In the left pane click Maximum Incidents 4 In the lower right pane enter the number of incidents 5 Click Apply 6 In Apply Changes To select...

Page 215: ...tly similar enough to be included but causing the incident to expand to a vague definition This parameter gives you a way to maintain a tight and focused incident definition To configure this paramete...

Page 216: ...vent Correlation Source IP Weight Event Correlation Source IP Weight determines the weight of the event name as a factor in event correlation The default value is set to 4 for optimum performance in a...

Page 217: ...eight values is equal to or greater than 10 If the sum is less than 10 no events will be correlated Caution Before making changes we recommend that you consult our support team at http www symantec co...

Page 218: ...pply 6 In Apply Changes To select the node to which to apply the parameter 7 Click OK to save the changes to this node and close Event Correlation Destination Port Weight Event Correlation Destination...

Page 219: ...from third party sensors You can optimize this by enabling FlowChaser a flow data store that provides data source for Symantec Network Security to analyze and correlate FlowChaser receives information...

Page 220: ...wChaser Maximum Flows Per Device FlowChaser Maximum Flows Per Device limits the volume of flow data exported from the routers by setting a maximum number of flow entries stored per device in the FlowC...

Page 221: ...hich to apply the parameter 7 Click OK to save the changes to this node and close Note Restart Symantec Network Security for changes to this parameter to take effect Setting FlowChaser Router Flow Col...

Page 222: ...f 1 The default value is 2 To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Select Node choose the node from the pull down list and click OK 3 In the left pane c...

Page 223: ...on the types of events and incidents that occurred and protocols exploited during the specified time period With any account you can view and print reports and save them in multiple formats You can ge...

Page 224: ...Reports in text and HTML format This section includes the following Adding or editing report schedules Refreshing the list of reports Deleting report schedules Managing scheduled reports Note SuperUse...

Page 225: ...ame Enter a name for the report Report Format Choose plain text or HTML from the pull down list Day to run Choose the day of the week from the pull down list Hour to run Choose the hour from the pull...

Page 226: ...n list and click OK 3 In Manage Saved Scheduled Reports select a scheduled report 4 Click Actions Delete and click OK Managing scheduled reports Symantec Network Security provides an efficient way to...

Page 227: ...omatic reports to another secure location using SCP To export saved reports 1 In the Network Security console do one of the following Click Reports Schedule Reports Click Admin Node Manage Report File...

Page 228: ...drill down reports that provide a more focused level of detail By supplying report parameters you can choose the report type The types of reports that Symantec Network Security generates are described...

Page 229: ...rts or even from within other drill down reports For example from the Events Per Month report you can drill down to an Events Per Day report and from there to an Events Per Hour report but all of thes...

Page 230: ...g and saving reports With any account you can save any Network Security console report as a PDF PS or HTML file Select the report format then simply go to the File menu in the Report window and select...

Page 231: ...o not necessarily map to the top event types You must specify the report start and end date time and number of unique addresses to display For example you could generate a report on the top 10 address...

Page 232: ...y generates this report in table and column chart formats You can generate several drill down reports for each day listed in the Incidents Per Day report Incidents per hour This report displays the to...

Page 233: ...n the report then no events were detected during that day Symantec Network Security generates this report in table and column chart formats You can generate several drill down reports for each day lis...

Page 234: ...s This report has no drill down reports Destinations of source This report lists the destination IP address es for any event source IP address you specify and the number of times each address was the...

Page 235: ...work Security login history This report lists the user login times IP addresses from which the user logged in and the type of user that logged in either a SuperUser with full read write privileges or...

Page 236: ...list For the incident you select data is displayed within the Incident List report Events details The Event Details report displays the data within any Event List report Sources of event The Sources...

Page 237: ...records for each query which prevents overloading memory and displays the results in a table If more results are available click Next Results to proceed This section includes the following Viewing cu...

Page 238: ...ce or Destination This will make a broader query on either a source IP or a destination IP 3 In Match Source and Destination you can display flows that pertain only to specific source IPs and destinat...

Page 239: ...you to view the Flow Statistics of any particular event To view flow statistics 1 In the Incidents tab right click an incident 2 Click View Incident Details 3 In Incident Details right click the Top...

Page 240: ...heading of any column This sort however applies only to the page currently displayed which may be only a portion of the entire report At the top of the display a prompt indicates how many flows are c...

Page 241: ...d 3 and proceed directly to Step 4 2 In Traffic Playback Configuration you can adjust the view as follows To adjust your view of Recorded Events click Column To remove events you do not want to view c...

Page 242: ...242 Reporting Playing recorded traffic...

Page 243: ...lity Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4 0 software The 7100 Series appliance also provides additional functionality that is uni...

Page 244: ...tion Note If you reset the system clock backward on a software or appliance node you must rotate the log database If you do not the incident list displayed in the Network Security console may not upda...

Page 245: ...enter a page number Click Next Page to progress forward Click Previous Page to progress backward 6 Click Close to exit Note All users can view log files See User groups reference on page 319 for more...

Page 246: ...nistrators can archive log files StandardUsers and RestrictedUsers cannot See User groups reference on page 319 for more about permissions Copying log files The Network Security console now provides a...

Page 247: ...list and click OK 3 In Log Files click a log file to select it 4 In Actions click Delete 5 Click Yes Note SuperUsers and Administrators can delete log files StandardUsers and RestrictedUsers cannot Se...

Page 248: ...ging Level controls the amount of information written to the operational log file The default value is set to level 5 Values range from 0 to 10 inclusive To configure this parameter 1 Click Configurat...

Page 249: ...ing by editing the Size to Trigger Rotation parameter Alternatively you can configure Symantec Network Security to perform time based log archiving In either case you must configure the Compression On...

Page 250: ...r 7 Click OK to save the changes to this node and close Note If you set this value at too large a number with compression enabled it may put excess strain on the node when the logs eventually archive...

Page 251: ...the traffic record directory If traffic record files take more disk space than indicated by this value then files are removed starting with the oldest to satisfy the limit The default value is 5 GB an...

Page 252: ...e logs YYMMDDHHMMSS tar bz2 format If compression is disabled then when the operational log is archived it is renamed using the manhunt YYMMDDHHMMSS format In that case the incident and event logs are...

Page 253: ...ompression may require large amounts of memory and CPU usage Note For how to verify log files manually see About the Knowledge Base on page 22 Setting Compression Command Compression Command indicates...

Page 254: ...nother host for long term storage Export to file if you want the log in a format that is readable by other programs or applications Other methods of export use the Symantec format This section include...

Page 255: ...an install the Bridge to both software and appliance nodes by running the Bridge installation script located in the usr SNS install sesabridge directory The SESA Bridge enables you to send events form...

Page 256: ...SA Agent to be passed on to a SESA Manager Note that you must have a local SESA Agent installed and configured for the SESA Bridge to function The default value is false on 7100 Series appliances On N...

Page 257: ...the Knowledge Base on page 22 This section includes the following export parameters Setting Cluster ID Setting JDBC Driver Setting DB Connection String Setting DB User Setting DB Password SQL referenc...

Page 258: ...left pane under SQL Export Parameters click this parameter to display it 4 In the lower right pane enter the JDBC Driver using one of the following classpath formats 5 Click Apply 6 In Apply Changes T...

Page 259: ...this node and close Note Restart Symantec Network Security for changes to this parameter to take effect Setting DB User DB User indicates the user name that Symantec Network Security uses to authenti...

Page 260: ...s 2 In Select Node choose the node from the pull down list and click OK 3 In the left pane under Log Database Parameters click this parameter to display it 4 In the lower right pane enter a password 5...

Page 261: ...Symantec Network Security can export event data to syslog Data remains in the proprietary format Syslog is always considered remote even if located on the same host This section includes the following...

Page 262: ...re A value of 0 disables Echo Operational Log to Syslog To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Select Node choose the node from the pull down list and...

Page 263: ...nt RAM exists on the system for this parameter It may take up to 10 minutes for changes to this parameter to take effect Setting Remote Syslog Destination Port Remote Syslog Destination Port indicates...

Page 264: ...o configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Select Node choose the node from the pull down list and click OK 3 In the left pane under Log Database Parameters...

Page 265: ...which rotates logs on the original node SCP transfer does not impact performance The default value is false To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Sele...

Page 266: ...t for SCP User Account for SCP indicates the user name that log and database files are transferred to via SCP To configure this parameter 1 Click Configuration Node Network Security Parameters 2 In Se...

Page 267: ...ocal bin scp directory Set the value for this parameter if the SCP binary is in an alternative location Note You do not need to set Location of SCP Binary for 7100 Series nodes because the location of...

Page 268: ...268 Managing log files Exporting data...

Page 269: ...ilover systems and backing up and restoring The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection ana...

Page 270: ...on capabilities to the product such as event data refinement rules and encrypted signatures SecurityUpdates are cumulative Each update includes the data from the updates before it Some SecurityUpdates...

Page 271: ...In the left pane select the nodes to receive updates 3 On the LiveUpdate tab click Scan For Updates Note SuperUsers and Administrators can view LiveUpdate using the Network Security console StandardU...

Page 272: ...lish a LiveUpdate server To set the LiveUpdate server 1 In the Network Security console click Admin LiveUpdate 2 On the LiveUpdate tab click Set LiveUpdate Server 3 In LiveUpdate Server Configuration...

Page 273: ...ovide the following information In Check for Update Every select Week Day or Hour from the pull down list In Day To Run select the day of the week from the pull down list In Hour To Run select a time...

Page 274: ...schedule 3 On the Schedule LiveUpdate tab click Revert to undo your changes Backing up LiveUpdate configurations The Network Security console provides a way to customize Symantec Network Security to...

Page 275: ...subsequent nodes act as slave nodes Superusers can change the status by setting a new node as the cluster master SuperUsers can also assign a standby node to provide high availability for either a sla...

Page 276: ...cluster master node using the Network Security console Note To deploy a 7100 Series node as a slave the master node must be either a Symantec Network Security 4 0 node or another 7100 Series node To s...

Page 277: ...rm the initial configuration of the appliance and when you install Symantec Network Security software on a designated computer See the following for additional related information See Adding or editin...

Page 278: ...shed cluster This section describes the following day to day tasks of managing an established cluster Licensing nodes in a cluster Synchronizing clustered nodes Changing node numbers Changing node pas...

Page 279: ...of protection policies that you apply to slave nodes If the master node fails or is demoted by setting a new cluster master the link is broken between applied policies and their definitions Slave nod...

Page 280: ...ing nodes and objects on page 83 5 Assign a new node number See Node number on page 77 Note SuperUsers can change node numbers Administrators StandardUsers and RestrictedUsers cannot See User groups r...

Page 281: ...ference on page 319 for more about permissions Setting a cluster wide parameter Symantec Network Security provides one cluster parameter called QSP Port Number to ensure communication between all node...

Page 282: ...n backup data from one node and exchange between nodes in the cluster to a certain degree See Backing up and restoring on page 297 Note SuperUsers can back up node configurations Administrators Standa...

Page 283: ...data from external sensors and correlate that data with all other Network Security events Symantec Network Security performs some internal Smart Agent configuration for integrating Symantec Decoy Ser...

Page 284: ...export flows TrackBack email and SNMP notification responses on events received via Smart Agents This section includes the following Smart Agent parameter Setting EDP Port Number Setting EDP Port Num...

Page 285: ...the Symantec Decoy Server console by simply right clicking any external sensor object in the topology tree and selecting Start Decoy Console Note that the Symantec Decoy Server console remains open ev...

Page 286: ...editing Smart Agent objects on page 105 3 Apply Symantec Network Security response policy rules to the Symantec Decoy Server events See Setting response actions on page 141 Note SuperUsers can integr...

Page 287: ...missions Establishing high availability failover Symantec Network Security provides a number of ways to recover from network communication or process failures The Availability Monitor keeps track of e...

Page 288: ...nds and to generate an availability drop event if the host fails to respond 8 times in a row slightly longer than a minute Note SuperUsers can monitor availability Administrators StandardUsers and Res...

Page 289: ...the node from the pull down list and click OK 3 In the left pane click Watchdog Process Restart Only 4 In the lower right corner of the Configuration Parameters pane do one of the following Click True...

Page 290: ...tolerant feature occurs automatically and transparently and ensures that Symantec Network Security remains continuously available Do not confuse high availability failover with load balancing in whic...

Page 291: ...console add or edit the active and standby objects to the network topology tree considering the following In Add or Edit 7100 Series Node or Add or Edit Software Node under Failover Group Information...

Page 292: ...Enabling this feature causes incidents to load from all nodes in the cluster including any standby nodes and thus avoids dropping incidents When a failover occurs the incident table remains unchanged...

Page 293: ...original master comes back online the Network Security console does not automatically switch back Response actions such as TrackBack that augment the incident may not be visible during a failover as a...

Page 294: ...in line with a firewall Note SuperUsers can configure watchdog processes Administrators StandardUsers and RestrictedUsers cannot See User groups reference on page 319 for more about permissions Set u...

Page 295: ...left pane click the parameter that you want to configure 4 In the lower right corner of the Configuration Parameters pane enter a fail rate If the number of failures breaches this threshold it resort...

Page 296: ...failure occurs The default value is false If set to true Symantec Network Security restarts the product on failure If this value is not set the default is to reboot the system on failure Note SuperUs...

Page 297: ...hanges To select the node or subset of nodes that you want to apply the parameter to 7 Click OK to save the changes to this sensor and close Backing up and restoring Symantec Network Security provides...

Page 298: ...as topology parameter policy and report configurations but does not include collected data such as flow records traffic record sessions and generated reports To back up a configuration 1 In the Netwo...

Page 299: ...nfiguration 1 In the Network Security console click Admin Node Manage Backups 2 In Select Node choose a node from the pull down list and click OK 3 In Backups click an existing backup configuration 4...

Page 300: ...ser groups reference on page 319 for more about permissions Restoring Symantec Network Security configurations Symantec Network Security provides a way to restore a previous configuration to an entire...

Page 301: ...level is the same The Symantec Network Security SecurityUpdate and EngineUpdate levels must be the same or greater than the backup The restoration machine must have the same number and type of interf...

Page 302: ...ete software and appliance nodes from the cluster Administrators StandardUsers and RestrictedUsers can view them but cannot delete them See User groups reference on page 319 for more about permissions...

Page 303: ...each node individually to get the per node configuration Cluster wide configuration is synchronized from the master to the slave nodes If the compact flash card is mounted SuperUsers can choose from b...

Page 304: ...es node object whose configuration you wish to save then click Configuration 7100 Series Configuration Save Configuration File On Devices click Configuration Node 7100 Series Configuration Save Config...

Page 305: ...the IP address of the default router for this node Note Values for the netmask and default router will be automatically updated after the slave appliance is connected to the network and initially con...

Page 306: ...verting to the original installation You can cause the 7100 Series to revert to the original manufacturer s installation if you want to completely reconfigure it All existing configuration is erased a...

Page 307: ...e Click OK 2 If a Warning is displayed read the message and do one of the following Click Yes to generate new SSH keys This replaces any existing keys Click No to exit the process 3 In Generating SSH...

Page 308: ...space allowed for traffic record data 10 Click Apply Configuring advanced parameters The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core...

Page 309: ...apacity of the node and the amount of traffic you expect it to monitor Software nodes The Network Security software nodes include parameters that allow for variations from the default during installat...

Page 310: ...e Configuration Parameters pane click the radio button or enter the value of the parameter 5 Click Apply 6 In Apply Changes To select the node or subset of nodes that you want to apply the parameter t...

Page 311: ...t lacks sufficient memory to load all the data the Network Security console becomes unresponsive To prevent this you can limit the number of incidents loaded by editing the incidentHours key in the Sy...

Page 312: ...he value 5 Click Apply 6 In Apply Changes To select the node or subset of nodes that you want to apply the parameter to 7 Click OK to save the changes to this sensor and close Caution Take note of the...

Page 313: ...to take effect Setting Event Queue Length Event Queue Length prevents the system from becoming overloaded during a denial of service attack This parameter indicates the length of the event queue by se...

Page 314: ...value is set to 150 events per second for optimum performance and you do not need to lower it under most circumstances Increase the value to see more events but make sure that the system has sufficien...

Page 315: ...315 Advanced configuration Configuring advanced parameters Restart Symantec Network Security for changes to this parameter to take effect...

Page 316: ...316 Advanced configuration Configuring advanced parameters...

Page 317: ...Part IV Appendices The following appendices provide additional reference information User groups reference SQL reference...

Page 318: ...318...

Page 319: ...upon the same core architecture that provides detection analysis storage and response functionality Both the software and the appliance utilize the core functionality in the same way and the group per...

Page 320: ...lave nodes in a cluster This section describes the permissions of the user groups in detail SuperUsers A user authenticated with full administrative capabilities This user is allowed to perform all ad...

Page 321: ...d to view Allowed to view Appliance specific Write to Compact Flash Allowed to write to compact flash Allowed to write to compact flash Not allowed Not allowed Availability Monitor Allowed to edit ava...

Page 322: ...Monitoring Groups Allowed to add assign and rename monitoring groups Allowed to choose Allowed to choose Allowed to choose Nodes both software and appliance Allowed to add edit delete all objects incl...

Page 323: ...ns Allowed to view Allowed to view Response Action Custom Allowed to add edit and delete custom response actions Allowed to view Allowed to view Allowed to view Restart Symantec Network Security Appli...

Page 324: ...re or appliance nodes Allowed to view Allowed to view Topology tree view Allowed to view Allowed to view Allowed to view Allowed to view Traffic Playback Allowed to view Allowed to view Allowed to vie...

Page 325: ...d response functionality Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4 0 software The 7100 Series appliance also provides additional funct...

Page 326: ...f the incident and event tables that Symantec Network Security uses to export data to an Oracle database To configure software or appliance nodes to export tables to Oracle see also Exporting to SQL o...

Page 327: ...ce interfaceID from the topology table where the best event was detected Used Internally ifName varchar 65 Indicates the actual name of the interface associated with the best event corresponding to if...

Page 328: ...t Valid values are 1 10 severity integer Indicates the severity of the best event Valid values are 1 10 state integer Indicates the state of this incident 1 active currently being monitored by the AF...

Page 329: ...xtBuffer Base 64 encoded crtTime integer Indicates the time when this event was realized in the Analysis Framework Standard UNIX time format seconds since 1970 GMT custID varchar 41 Indicates the Cust...

Page 330: ...ed For example hme0 incidentID varchar 33 Indicates a unique string identifier that identifies the incident to which this event belongs mappedType varchar 128 Indicates the mapped type of the event in...

Page 331: ...are 1 10 sips varchar 195 Indicates a list of source IPs for this event src_etheraddr varchar 33 Indicates the source ethernet address sttTime integer Indicates the start time for this event accordin...

Page 332: ...es to export incident data to a MySQL database Table B 3 MySQL Incident Table Field Name Type Description Notes class varchar 33 Indicates the class of the best event clusterID integer Indicates the N...

Page 333: ...7d091e45e8 2 3d20b45191f6ec72 3 lastEvtTime integer Indicates the last time when an event was added to this incident mappedType varchar 128 Indicates the mapped type of the event incident correspondin...

Page 334: ...9 Indicates the type of the best event viewed integer Indicates the marked status of this incident 0 Not yet marked by a Network Security console user 1 Marked by a Network Security console user and u...

Page 335: ...Indicates a list of destination IPs for this event dst_etheraddr varchar 33 Indicates the destination ethernet address dvName varchar 41 Indicates the name of the network device where the event was de...

Page 336: ...s generated Used internally nodeName varchar 255 Indicates the hostname of the software or appliance node corresponding to nodeNum nodeNum integer Indicates the Network Security node number where the...

Page 337: ...is event according to the sensor Standard UNIX time format trgtname text Indicates the name of the attacker s target or blank if not applicable trgtntype integer Indicates the type of the attacker s t...

Page 338: ...338 SQL reference Using MySQL tables...

Page 339: ...espective set of permissions is predefined and cannot be modified See also user account alarm A sound or visual signal that is triggered by an error condition alert See notification See also event ale...

Page 340: ...r network See also PAP Password Authentication Protocol authentication token A portable device used for authenticating a user Authentication tokens operate by challenge response time based code sequen...

Page 341: ...uter to a modem or a cable that connects two computers directly that is sometimes called a null modem cable cache file A file that is used to improve the performance of Microsoft Windows The cache fil...

Page 342: ...nsmission rate interval type and mode compact flash CF Digital memory technology providing non volatile data storage on a compact flash card readable and writable by a compact flash adaptor on a compu...

Page 343: ...pable of performing other duties it is assigned to only one denial of service DoS attack A type of attack in which a user or program takes up all of the system resources by launching a multitude of re...

Page 344: ...otected network and an external network to provide an additional layer of security Sometimes called a perimeter network DNS Domain Name System A hierarchical system of host naming that groups TCP IP h...

Page 345: ...on with DEC and Intel in 1976 Ethernet uses a bus or star topology and supports data transfer rates of 100 Mbps Ethernet interface NIC interfaces on the Network Security or network devices capable of...

Page 346: ...ertain qualifying criteria and then process or forward it accordingly Also a method of querying a list to produce a subset of items with specified characteristics firewall A program that protects the...

Page 347: ...t contains specific predefined permissions and rights See also user account group monitoring A subset of a cluster hack A program in which a significant portion of the code was originally another prog...

Page 348: ...s the identity of a Network Security node icon A graphic representation of a container document network object or other data that users can open or manipulate in an application inactive A status that...

Page 349: ...ng real time or near real time warning of attempts to access system resources in an unauthorized manner intrusion management The centralized management of intrusion based security technologies to iden...

Page 350: ...munications link that enables any device to interact with any other device on the network LDAP Lightweight Directory Access Protocol A software protocol that enables anyone to locate organizations ind...

Page 351: ...defined by an MIB middleware An application that connects two otherwise separate applications MIME Multipurpose Internet Mail Extensions A protocol used for transmitting documents with different form...

Page 352: ...ing the notes posted on newsgroups NNTP replaced the original Usenet protocol UNIX to UNIX node active The primary node in a watchdog process or failover group from which all activity predominates See...

Page 353: ...ssword In network security a password that is issued only once as a result of a challenge response authentication process This cannot be stolen or reused for unauthorized access online The state of be...

Page 354: ...assigned to a variable In communications a parameter is a means of customizing program software and hardware operation passphrase A unique string of characters that a user types as an identification...

Page 355: ...rom a mail server POP3 Post Office Protocol 3 An email protocol used to retrieve email from a remote server over an Internet connection port 1 A hardware location for passing data into and out of a co...

Page 356: ...affic compares observed behavior during network protocol exchange to structured protocols analyzes defiant behavior in context and detects deviations from the norm proxy server A server that acts on b...

Page 357: ...predefined reaction to an event or alert to a defined security threat such as capturing the attacker s section triggering tracking or emailing an alert Response actions can be configured for each type...

Page 358: ...are expressed using the application s rules and syntax combined with simple control structures script kiddie An unskilled cracker who uses code and software or scripts downloaded from the Internet to...

Page 359: ...mmunication between two computers that have been previously configured for communication with each other Smart Agents See Symantec Network Security Smart Agents SMF Standard Message Format A message f...

Page 360: ...erwise gaining access to information sent over the network SSL Secure Sockets Layer A protocol that allows mutual authentication between a client and server and the establishment of an authenticated a...

Page 361: ...on requests can t be accommodated Although the packet in the buffer is dropped after a certain period of time without a reply the effect of many of these bogus connection requests is to make it diffic...

Page 362: ...ed If the time out value is reached before or during the execution of a task the task is cancelled title bar The area at the top of a window showing the name of the program function document or applic...

Page 363: ...IP networks Unlike TCP IP UDP provides very few error recovery services offering instead a direct way to send and receive datagrams over an IP network UDP is used primarily for broadcasting messages...

Page 364: ...or program from its binary or bit stream representation into the 7 bit ASCII set of text characters validation The process of checking a configuration for completeness ensuring that all values are val...

Page 365: ...rom the outside that is aimed at Web server vulnerabilities Web denial of service A denial of service attack that specifically targets a Web server wildcard character A symbol that enables multiple ma...

Page 366: ...366 Glossary...

Page 367: ...CLI Command Line Interface CPU Central Processing Unit CSP Client server protocol CTR Cisco Threat Response CVE Common Vulnerabilities and Exposures DDOS Distributed denial of service DMZ Demilitariz...

Page 368: ...ction System IDWG Intrusion Detection Working Group IETF Internet Engineering Task Force IHS internal hostile structured threat IHU internal hostile unstructured threat IKE Internet Key Exchange IM In...

Page 369: ...Computer Security Association NIC Network Interface Card NIDS Network based intrusion detection system NNTP Network News Transfer Protocol NOC Network Operation Center NTP Network Time Protocol ODBC O...

Page 370: ...Protocol SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol SPI Security Parameter Index SQL Structured Query Language SSH Secure Shell SSL Secure Sockets Layer STOP Stack Over...

Page 371: ...e administration service node architecture 35 Administrators about 320 pre defined login account 200 advanced parameters configuring 308 311 alert manager node architecture 35 alerting See logging ale...

Page 372: ...67 attack responses See responses attacks categories 136 flood based 142 fragmentation 230 syn floods 149 target IP address 202 204 traffic 249 Auto Update tab about 113 automated response architectu...

Page 373: ...evel 204 response rules 139 setting level 139 viewing events 197 configuration via compact flash 40 console response action configuring 152 console See Network Security console serial console Symantec...

Page 374: ...266 Destination Host for SCP setting node parameters 265 details viewing event types 119 viewing objects 74 detection about 159 about 7100 Series appliances 38 about architecture 26 about denial of s...

Page 375: ...Smart Agents 106 284 communication by proxy 284 EDP cont detection architecture 29 Network Security node passphrase 284 setting passphrases 106 setting port numbers 284 EDP Port Number setting node pa...

Page 376: ...detail reports 236 email notifying 142 enabling logging 122 enabling SNMP notifications 145 examining data 196 filtering 205 206 filtering tables 205 206 integrating third party 282 interpreting seve...

Page 377: ...haser Router Flow Collection Threads setting node parameters 220 FlowChaser Sensor Threads setting node parameters 222 flows adding alert rules 155 alert rules 154 configuring FlowChaser 220 flows con...

Page 378: ...viewing 292 viewing details 193 viewing flow statistics 239 viewing from monitoring groups 68 viewing top event 195 viewing top level data 193 in line about 16 38 62 in line cont about blocking 112 a...

Page 379: ...ser login accounts 56 editing user accounts 56 from Windows 45 history report 235 Network Security Administrator 200 Network Security console 199 200 login cont setting maximum failures 59 logs about...

Page 380: ...adding or editing on software nodes 90 editing on appliance nodes 96 monitoring interfaces cont on appliance nodes 95 on software nodes 89 MSAs See Smart Agents MySQL event table 334 exporting to 257...

Page 381: ...48 rebooting from the serial console 50 restarting from the LCD panel 53 restarting from the serial console 50 shutting down 54 single node deployment 61 single node appliance deployment 62 nodes cont...

Page 382: ...e 163 setting Enable IPv4 Header Checksum Validation 168 setting Enable TCP Checksum Validation 169 setting Enable UDP Checksum Validation 169 setting Enable Watchdog Process 294 setting Event Correla...

Page 383: ...ng TCP Maximum Flow Table Elements Gigabit 174 setting TCP Minimum Flows 171 setting TCP Number of Streak Packets 172 setting Traffic Mode 168 setting UDP Flood Alert Threshold 165 setting UDP Maximum...

Page 384: ...nsors 36 ProductUpdates about 269 accessing 22 protection policies about 31 111 adding 121 protection policies cont adjusting the view 117 annotating 126 applying to save 115 Auto Update tab 113 backi...

Page 385: ...223 about top level and drill down 228 adding or editing schedules 224 by event characteristics 233 deleting saved 228 reports cont deleting schedules 226 drill down 236 exporting saved 227 format 228...

Page 386: ...king data stream to source 147 traffic record 150 using permit types 157 viewing rules 132 restarting Network Security sensors 49 nodes from the LCD panel 53 nodes from the Network Security console 47...

Page 387: ...etwork Security console 49 restarting in a cluster 281 restarting or stopping 161 setting Packet Counter Interval parameter 170 tweaking sensitivity 162 169 serial console about 40 49 editing root pas...

Page 388: ...out the node architecture 34 accessing Knowledge Base 22 adding nodes 86 adding or editing nodes 86 clustering with appliances 65 software cont deleting nodes 277 documentation 21 node status indicato...

Page 389: ...ting sensor parameters 177 TCP Flood Alert Threshold setting sensor parameters 164 TCP Flow Max Queued Segments setting sensor parameters 176 TCP Global max Queued Segments Fast Ethernet setting senso...

Page 390: ...Number of Streak Packets setting sensor parameters 172 UDP Saturation Alert Threshold setting sensor parameters 166 undoing changes to topology tree 82 LiveUpdate schedules 274 undoing cont policy ap...

Page 391: ...s 181 top event of incident 195 top level events 197 top level incident data 193 topology 46 47 VLAN specifying rules 139 W watchdog process adding failover groups 290 high availability 289 preserving...

Page 392: ...392 Index...