
Symantec™ Network Security 7100 Series Implementation Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
PN: 10268962
Copyright Notice
Copyright © 2004 Symantec Corporation.
All Rights Reserved.
Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.
No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks. Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks of Symantec Corporation.
Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.
Windows is a registered trademark, and 95, 98, NT and 2002 are trademarks of Microsoft Corporation. Pentium is a registered trademark of Intel Corporation. Sun is a registered trademark, and Java, Solaris, Ultra, Enterprise, and SPARC are trademarks of Sun Microsystems. UNIX is a registered trademark of UNIX System Laboratories, Inc. Cisco and Catalyst are registered trademarks of Cisco Systems, Inc. Foundry is a registered trademark of Foundry Networks. Juniper is a registered trademark of Juniper Networks, Inc. iButton is a trademark of Dallas Semiconductor Corp. Dell is a registered trademark of Dell Computer Corporation. Check Point and OPSEC are trademarks and FireWall-1 is a registered trademark of Check Point Software Technologies, Ltd. Tripwire is a registered trademark of Tripwire, Inc.
Symantec Network Security software contains/includes the following Third Party Software from external sources:
“bzip2” and associated library “libbzip2,” Copyright © 1996-1998, Julian R Seward. All rights reserved. (http://sources.redhat.com/bzip2).
“Castor,” ExoLab Group, Copyright © 1999-2001 Intalio, Inc. All rights reserved. (http://www.exolab.org).
Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts.
Symantec technical support offerings include:
A range of support options that give you the flexibility to select the right amount of service for any size organization
Telephone and Web support components that provide rapid response and up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Content Updates for virus definitions and security signatures that ensure the highest level of protection
Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages
Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
Licensing and registration
If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.
Customer Service
When contacting the Technical Support group, please have the following:
Product release level
Hardware information
    Available memory, disk space, NIC information
Operating system
    Version and patch level
Network topology
    Router, gateway, and IP address information
Problem description
    Error messages/log files
    Troubleshooting performed prior to contacting Symantec
    Recent software configuration changes and/or network changes
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information on product updates and upgrades
Information on upgrade insurance and maintenance contracts
Information on Symantec Value License Program
Advice on Symantec's technical support options
Nontechnical pre-sales questions
Missing or defective CD-ROMs or manuals
SYMANTEC NETWORK SECURITY APPLIANCE (7100 SERIES)
LICENSE AND WARRANTY AGREEMENT
SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES (“SYMANTEC”) IS WILLING TO LICENSE THE SOFTWARE INCLUDED WITH THE APPLIANCE YOU HAVE PURCHASED TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS “YOU OR YOUR”) AND TO PROVIDE WARRANTIES ON THE APPLIANCE ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AND WARRANTY AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AND WARRANTY AGREEMENT CAREFULLY BEFORE USING THE APPLIANCE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND SYMANTEC. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON THE “AGREE” OR “YES” BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, REQUESTING A LICENSE KEY OR USING THE SOFTWARE AND THE APPLIANCE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE “I DO NOT AGREE” OR “NO” BUTTON IF APPLICABLE AND DO NOT USE THE SOFTWARE AND THE APPLIANCE.
1. Software License:
Except for the software, if any, described in the Excluded Software section at the end of this agreement (the “Excluded Software”), the software (the “Software”) which accompanies the appliance You have purchased (the “Appliance”) is the property of Symantec or its licensors and is protected by copyright law. Except for the Excluded Software, You agree and acknowledge that You must purchase a separate license for each Software functionality which You intend to use in connection with the Appliance, and activate such Software functionalities as designated by Symantec, prior to using the Appliance. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You as well as the copy of the Software provided to You on a CD-ROM or other media in connection with the Appliance (the “Recovery Software”). Except as may be modified by a Symantec license certificate, license coupon, or license key (each a “License Module”) which accompanies, precedes, or follows this license, and as may be further defined in the user documentation accompanying the Appliance and/or the Software, Your rights and obligations with respect to the use of this Software are as follows:
You may:
A. use the Software solely as part of the Appliance for no more than the number of users as have been licensed to You by Symantec under a License Module;
B. use the Recovery Software solely to restore the Appliance to its original factory functionality in the event the Software preloaded on the Appliance is corrupted or becomes unusable;
C. make copies of the printed documentation which accompanies the Appliance as necessary to support Your authorized use of the Appliance; and
D. after written notice to Symantec and in connection with a transfer of the Appliance, transfer the Software on a permanent basis to another person or entity, provided that You retain no copies of the Software, Symantec consents to the transfer and the transferee agrees in writing to the terms and conditions of this agreement.
You may not:
A. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software;
B. use the Recovery Software for any purpose other than to restore the Appliance to the original factory functionality;
C. use, if You received the Software distributed on an Appliance containing multiple Symantec products, any Symantec software on the Appliance for which You have not received a permission in a License Module; or
D. use the Software in any manner not authorized by this license.
2. Content Updates:
Certain Symantec software products utilize content that is updated from time to time (e.g., antivirus products utilize updated virus definitions; content filtering products utilize updated URL lists; some firewall products utilize updated firewall rules; vulnerability assessment products utilize updated vulnerability data, etc.; collectively, these are referred to as “Content Updates”). You may obtain Content Updates for each Software functionality which You have purchased and activated for use with the Appliance for any period for which You have (i) purchased a subscription for Content Updates for such Software functionality; (ii) entered into a support agreement that includes Content Updates for such Software functionality; or (iii) otherwise separately acquired the right to obtain Content Updates for such Software functionality. This license does not otherwise permit You to obtain and use Content Updates.
3. Limited Warranty:
Symantec warrants that the media on which the Recovery Software is distributed will be free from defects for a period of thirty (30) days from the date of original purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Recovery Software.
Symantec warrants that the Software will perform on the Appliance in substantial compliance with the written documentation accompanying the Appliance for a period of thirty (30) days from the date of original purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Software returned to Symantec within the warranty period or refund the money You paid for the Appliance.
Symantec warrants that the hardware component of the Appliance (the “Hardware”) shall be free from defects in material and workmanship under normal use and service and substantially conform to the written documentation accompanying the Appliance for a period of three hundred sixty-five (365) days from the date of original purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Hardware returned to Symantec within the warranty period or refund the money You paid for the Appliance.
The warranties contained in this agreement will not apply to any Software or Hardware which:
A. has been altered, supplemented, upgraded or modified in any way; or
B. has been repaired except by Symantec or its designee.
Additionally, the warranties contained in this agreement do not apply to repair or replacement caused or necessitated by:
(i) events occurring after risk of loss passes to You such as loss or damage during shipment; (ii) acts of God including without limitation natural acts such as fire, flood, wind earthquake, lightning or similar disaster; (iii) improper use, environment, installation or electrical supply, improper maintenance, or any other misuse, abuse or mishandling; (iv) governmental actions or inactions; (v) strikes or work stoppages; (vi) Your failure to follow applicable use or operations instructions or manuals; (vii) Your failure to implement, or to allow Symantec or its designee to implement, any corrections or modifications to the Appliance made available to You by Symantec; or (viii) such other events outside Symantec’s reasonable control.
Upon discovery of any failure of the Hardware, or component thereof, to conform to the applicable warranty during the applicable warranty period, You are required to contact us within ten (10) days after such failure and seek a return material authorization (“RMA”) number. Symantec will promptly issue the requested RMA as long as we determine that You meet the conditions for warranty service. The allegedly defective Appliance, or component thereof, shall be returned to Symantec, securely and properly packaged, freight and insurance prepaid, with the RMA number prominently displayed on the exterior of the shipment packaging and with the Appliance. Symantec will have no obligation to accept any Appliance which is returned without an RMA number.
Upon completion of repair or if Symantec decides, in accordance with the warranty, to replace a defective Appliance, Symantec will return such repaired or replacement Appliance to You, freight and insurance prepaid. In the event that Symantec, in its sole discretion, determines that it is unable to replace or repair the Hardware, Symantec will refund to You the F.O.B. price paid by You for the defective Appliance. Defective Appliances returned to Symantec will become the property of Symantec.
Symantec does not warrant that the Appliance will meet Your requirements or that operation of the Appliance will be uninterrupted or that the Appliance will be error-free.
In order to exercise any of the warranty rights contained in this Agreement, You must have available an original sales receipt or bill of sale demonstrating proof of purchase with Your warranty claim.
THE ABOVE WARRANTIES ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.
4. Disclaimer of Damages:
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC OR ITS LICENSORS BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
IN NO CASE SHALL SYMANTEC'S OR ITS LICENSORS’ LIABILITY EXCEED THE PURCHASE PRICE FOR THE APPLIANCE. The disclaimers and limitations set forth above will apply regardless of whether You accept the Software or the Appliance.
5. U.S. Government Restricted Rights:
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are “Commercial Items”, as that term is defined in 48 C.F.R. section 2.101, consisting of “Commercial Computer Software” and “Commercial Computer Software Documentation”, as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
6. Export Regulation:
You agree to comply strictly with all applicable export control laws, including the US Export Administration Act and its associated regulations and acknowledge Your responsibility to obtain licenses as required to export, re-export or import the Appliance. Export or re-export of the Appliance to Cuba, North Korea, Iran, Iraq, Libya, Syria or Sudan is prohibited.
7. General:
If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Appliance and: (i) supersedes all prior or contemporaneous oral or written communications, proposals and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment or similar communications between the parties. This Agreement may only be modified by a License Module or by a written document which has been signed by both You and Symantec. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software and shall return the Appliance to Symantec. The disclaimers of warranties and damages and limitations on liability shall survive termination. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, USA, or (ii) Symantec Customer Service Center, PO BOX 5689, Dublin 15, Ireland.
8. Excluded Software:
The Excluded Software consists of the open source code software known as Linux included with the Appliance. All Excluded Software is licensed under the GNU General Public License, Version 2, June 1991, a copy of which is included with the user documentation for the Appliance. The license entitles You to receive a copy of the source code for Linux only upon request at a nominal charge. If You are interested in obtaining a copy of such source code, please contact Symantec Customer Service at one of the above addresses for further information.
Contents
Chapter 1 Introduction
About the Symantec Network Security 7100 Series ......................................... 9
About the core software ..............................................................................10
About the detection architecture ..............................................................10
About the management system ................................................................. 10
About the 7100 Series models ....................................................................11
About this guide ...................................................................................................11
About the documentation set ............................................................................13
About the Web sites .............................................................................................14
Verifying the materials .......................................................................................14
Chapter 2 Introducing the 7100 Series components
About the 7100 Series components ..................................................................17
About 7100 Series models ..................................................................................17
Model 7120 ....................................................................................................18
Model 7160 ....................................................................................................19
Model 7161 ....................................................................................................20
About core components ...................................................................................... 21
LCD panel ......................................................................................................22
LED lights ......................................................................................................24
Serial port ..................................................................................................... 25
USB ports ......................................................................................................25
Compact flash adapter ................................................................................25
About additional components ............................................................................27
Removable disk drive ..................................................................................27
Dual redundant power supplies ................................................................. 28
Chapter 3 Deploying the 7100 Series
About deploying the 7100 Series .......................................................................29
Deployment options ............................................................................................ 29
Bandwidth licensing options ......................................................................30
Passive mode ................................................................................................30
In-line mode ..................................................................................................31
Blocking and alerting ..........................................................................31
In-line pairs ...........................................................................................32
Deployment using in-line mode ........................................................33
Comparing in-line mode to passive mode ........................................ 33
Interface grouping .......................................................................................33
Fail-open ....................................................................................................... 35
About the In-line Bypass unit ............................................................35
The 2 In-line Bypass unit ....................................................................36
The 4 In-line Bypass unit ....................................................................36
Port groups and the management port on the bypass unit ........... 37
Online and bypass modes ...................................................................38
Link parameters on bypass unit interfaces .....................................38
Front panel LEDs on the bypass unit ................................................ 39
Rear panel LEDs on the bypass unit ................................................. 40
Clustering ...................................................................................................... 41
External IDS products .................................................................................42
Network Security console accessibility ............................................................ 42
SESA server accessibility .................................................................................... 42
Symantec LiveUpdate accessibility .................................................................. 43
Chapter 4 Installing the 7100 Series
About installing the 7100 Series .......................................................................45
Rack mounting .....................................................................................................46
Mounting the appliance to a two-post rack ............................................. 46
Mounting the appliance to a four-post rack ............................................ 47
Cabling ................................................................................................................... 49
Cabling for model 7120 ............................................................................... 49
Connecting the management, reset, and serial ports .................... 50
Cabling for passive mode monitoring ............................................... 50
Cabling for in-line mode monitoring ................................................ 50
Cabling a bypass unit for fail-open ...................................................51
Powering the 7120 on or off ............................................................... 54
Cabling for model 7160 ............................................................................... 54
Connecting the management, reset, and serial ports .................... 55
Cabling for passive mode monitoring ............................................... 56
Cabling for in-line mode monitoring ................................................ 56
Cabling a bypass unit for fail-open ...................................................57
Powering the 7160 on or off ............................................................... 62
Cabling for model 7161 ............................................................................... 62
Connecting the management, reset, and serial ports .................... 63
Cabling for passive mode monitoring ............................................... 64
Cabling for in-line mode monitoring ................................................ 64
Powering the 7161 on or off ............................................................... 66
Chapter 5 Initializing Symantec Network Security
About initializing Symantec Network Security ..............................................67
LCD panel initial configuration .........................................................................68
Using the LCD panel to configure a master node ...................................69
Using the LCD panel to configure a slave node ....................................... 72
Serial console initial configuration ..................................................................76
Starting a serial console ............................................................................. 77
Configuring a master node using the serial console ..............................77
Configuring a slave node using the serial console ..................................80
Compact flash initial configuration .................................................................. 83
Default login accounts ........................................................................................84
Chapter 6 Starting the Network Security console
About the Network Security console ................................................................85
Network Security console requirements ..........................................................85
Console requirements on Windows ..........................................................86
Console requirements on Linux .................................................................86
Installing the console ..........................................................................................86
Installing the Java Runtime Environment ...............................................87
Installing the console on Windows ........................................................... 87
Installing the console on Linux .................................................................88
Launching the console ........................................................................................88
Using the correct administration IP address ..........................................89
Launching the console on Windows .........................................................89
Launching the console on Linux ................................................................89
Chapter 7 Licensing
About licensing ....................................................................................................91
Bandwidth licensing options ..............................................................92
Installing licenses ................................................................................................92
Requesting a license file .............................................................................94
Determining the serial numbers .......................................................94
Determining the Symantec System ID ............................................. 94
Requesting the license file ..................................................................95
Installing a license file ................................................................................ 96
Installing a license file on a master node ......................................... 96
Installing a license file on a slave node ............................................96
Checking the license status ................................................................................97
Adding to licenses ................................................................................................98
Understanding excessive traffic ................................................................98
Requesting an additive license ..................................................................98
Installing the additive license file ............................................................. 99
Calling for help .....................................................................................................99
Chapter 8 Configuring nodes and interfaces
About configuring nodes and interfaces ........................................................101
Configuring appliance nodes ...........................................................................102
About appliance node fields .....................................................................102
Node Options tab fields .....................................................................103
Advanced Network Options tab fields ............................................104
Adding or editing an appliance node ......................................................105
Configuring appliance interfaces ....................................................................106
Configuring monitoring interfaces .........................................................107
About monitoring interface fields ...................................................107
Editing a monitoring interface ........................................................108
Configuring an in-line pair .......................................................................109
About in-line pair fields ....................................................................109
Adding or editing an in-line pair .....................................................111
Configuring an interface group ...............................................................112
About interface group fields ............................................................112
Adding or editing an interface group .............................................113
Chapter 9 Configuring detection and response
About detection and response .........................................................................115
Starting a sensor on an appliance interface ..................................................115
About protection policies .........................................................................116
Creating and applying protection policies .....................................................116
Viewing a protection policy .....................................................................117
Setting policies to interfaces ...................................................................118
Unapplying or removing policies from interfaces ...............................118
Enabling/disabling blocking on in-line pairs ........................................119
Adding a new protection policy ...............................................................119
Cloning existing protection policies .......................................................119
Modifying custom protection policies ....................................................120
Using Search Events ..................................................................................120
Setting logging or blocking on events in a policy .................................121
Deleting custom protection policies .......................................................123
About response rules .........................................................................................124
Adding response rules ..............................................................................124
Deleting response rules ............................................................................126
Chapter 10 Monitoring and reporting events and status
About monitoring and reporting events and status .....................................127
Viewing events and incidents ..........................................................................128
Viewing incident data ...............................................................................128
Viewing incident details ...........................................................................128
Viewing event details ................................................................................129
Managing incident data ............................................................................129
Generating reports ............................................................................................129
Monitoring appliance status ............................................................................130
Viewing status on the LEDs ......................................................................130
Viewing status on the LCD screen ...........................................................131
Viewing status on the Network Security console .................................132
Node status parameters ....................................................................132
Interface status parameters .............................................................133
In-line pair status parameters .........................................................134
Interface group status parameters .................................................136
Chapter 11 Maintaining and administering the 7100 Series
About maintaining and administering the appliance ..................................137
Managing log files and backups ......................................................................138
Rotating log files with SCP .......................................................................138
Generating SSH keys .........................................................................138
Using SCP to rotate log files .............................................................139
Backing up and restoring ..........................................................................140
Backing up a configuration ..............................................................141
Restoring a configuration .................................................................141
About the compact flash ...........................................................................142
Making a non-bootable compact flash card ...........................................143
Making a non-bootable CF card on Windows ................................143
Making a non-bootable CF card on Linux ......................................143
Using the compact flash for backup and restore ..................................144
Using the compact flash for backup ...............................................145
Using the compact flash for restore ...............................................145
Saving initial configuration .....................................................................146
Saving initial configuration to compact flash ...............................146
Viewing a configuration file .....................................................................147
Using the compact flash during re-imaging and upgrading ...............148
Restarting, rebooting, and powering off ........................................................148
Stopping, starting, and restarting Symantec Network Security ........148
Stopping Network Security from the LCD .....................................149
Stopping Network Security from the serial console ....................149
Starting Network Security from the LCD .......................................150
Starting Network Security from the serial console ......................150
Restarting Network Security from the Network Security console 150
Restarting Network Security from the serial console ..................151
Rebooting the appliance ...........................................................................151
Rebooting the appliance from the Network Security console ....151
Rebooting the appliance from the LCD ..........................................151
Rebooting the appliance from the serial console .........................152
Powering off the appliance ......................................................................152
Powering off the appliance from the LCD ...................................... 152
Powering off the appliance from the serial console .....................153
Using the LCD run menu ..................................................................................154
Running commands on the LCD run menu ............................................155
Unlocking the LCD panel ..........................................................................155
Enabling or disabling LCD locking ..........................................................156
Changing the IP address ...........................................................................156
Using the serial console ....................................................................................158
About serial console commands ..............................................................158
Changing passwords ..................................................................................160
Changing the root password ............................................................160
Changing the secadm password ......................................................161
Installing the SESA bridge .......................................................................161
Preparing to use SESA ......................................................................161
Running install-bridge ......................................................................163
Uninstalling the SESA bridge ..................................................................164
Starting the SESA agent manually ..........................................................165
Stopping the SESA agent manually ........................................................165
Chapter 12 Re-imaging and unconfiguring
About re-imaging and unconfiguring .............................................................167
Unconfiguring Symantec Network Security .................................................168
Running Unconfigure in the Network Security console ......................168
Running Unconfig SNS on the LCD ........................................................169
Running unconfigure on the serial console ...........................................170
Preparing for re-imaging ..................................................................................170
Saving your configuration ........................................................................170
Creating a bootable compact flash ..........................................................171
Creating a bootable compact flash via the serial console ............ 171
Creating a bootable compact flash using the Imaging Server ....172
Setting up an Imaging Server ..........................................................................173
Setting up an automatic Imaging Server ...............................................173
Setting up a standard Imaging Server ....................................................174
Installing the Recovery Software CD onto the Imaging Server .. 175
Connecting the Imaging Server to the appliance .................................176
Connecting the Imaging Server to a 7120 ...................................... 177
Connecting the Imaging Server to a 7160 ...................................... 177
Connecting the Imaging Server to a 7161 ...................................... 178
Re-imaging the appliance .................................................................................178
Upgrading the console application .................................................................181
About migration .................................................................................................181
Appendix A Troubleshooting
About troubleshooting ......................................................................................183
Accessing troubleshooting information ........................................................183
Appendix B Specifications and safety
Product Specifications ......................................................................................185
Safety guidelines ................................................................................................186
Product certifications .......................................................................................188
Appendix C Service Manual
About the removable hard drive ......................................................................191
Removing the hard drive ..................................................................................192
Index
Chapter 1 Introduction
This chapter includes the following topics:
About the Symantec Network Security 7100 Series
About this guide
About the documentation set
About the Web sites
Verifying the materials
About the Symantec Network Security 7100 Series
Symantec Network Security 7100 Series appliances provide real-time network intrusion prevention and detection to protect critical enterprise assets from the threat of known, unknown (zero-day), and denial of service (DoS) attacks. Designed to monitor multiple network segments at multi-gigabit speeds, the 7100 Series combines superior detection and prevention capabilities with flexible deployment options and ease of installation.
The Network Security 7100 Series appliances are highly scalable, purpose-built appliances that meet a range of needs for aggregate network bandwidth from 50 Mbps to 2 Gbps across as many as eight network segments. They provide zero-day protection against the latest threats and automated real-time blocking of malicious activity. With intrusion prevention and detection built into a single network security appliance, users can easily switch between deployment modes based on their security policy.
Network Security 7100 Series appliances reduce the total cost of implementing a complete network security solution through:
Simplified and rapid deployment
Centralized management
Cohesive, streamlined security content, service, and support
About the core software
The 7100 Series appliances run Symantec Network Security 4.0 software, which provides detection, analysis, management, storage, and response functionality. The standard software and the appliance version utilize the core functionality in the same way, and most procedures apply to both. In addition to the full software functionality at its core, the appliance provides unique features, such as in-line mode and interface grouping.
About the detection architecture
The 7100 Series appliances employ the new and innovative network threat mitigation architecture that combines anomaly, signature, statistical, and vulnerability detection techniques into an Intrusion Mitigation Unified Network Engine (IMUNE). IMUNE proactively prevents and provides immunity against malicious attacks, including:
Denial of service attempts
Intrusions and malicious code
Network infrastructure attacks
Application exploits
Scans and reconnaissance activities
Backdoors
Buffer overflow attempts
Blended threats like MS Blaster and SQL Slammer
About the management system
Symantec Network Security 7100 Series appliances are centrally managed via the Symantec Network Security 4.0 Management Console, a powerful and scalable security management system. The management console supports large, distributed enterprise deployments and provides:
Comprehensive configuration
Policy management
Real-time threat analysis
Enterprise reporting
Flexible visualization
The Network Security Management System automates the process of delivering security and product updates to the 7100 Series appliances using Symantec Live Update to provide real-time protection against the latest threats.
In addition, the Network Security Management System can be used to expand the intrusion protection umbrella using the Symantec Network Security Smart Agents to provide enterprise-wide, multi-source intrusion management by aggregating, correlating, and responding to events from multiple Symantec and third-party host and network security products.
About the 7100 Series models
The Symantec Network Security 7100 Series is available in three models that provide both intrusion prevention and intrusion detection in a single appliance:
The 7120:
Monitors up to four 10/100 Base-T network segments
Provides a maximum bandwidth license of 200 Mbps
The 7160:
Monitors up to eight 10/100/1000 Base-T network segments
Provides a maximum bandwidth license of 2 Gbps
Provides in-line mode maximum bandwidth of 1 Gbps
The 7161:
Monitors up to four 1000 Base-SX fiber optic network segments
Monitors up to four 10/100/1000 Base-T network segments
Provides a maximum bandwidth license of 2 Gbps
Provides in-line mode maximum bandwidth of 1 Gbps
About this guide
This manual is intended for system managers or administrators responsible for administering the Symantec Network Security 7100 Series, and is organized as follows:
Table 1-1 Implementation Guide structure (chapter, title, content)
Chapter 2, Introducing the 7100 Series components: Describes the externally visible hardware components in each model of the Symantec Network Security 7100 Series.
Chapter 3, Deploying the 7100 Series: Discusses what to consider when deciding how best to deploy the 7100 Series.
Chapter 4, Installing the 7100 Series: Describes how to physically install the appliance, including rack-mounting, cabling, and connecting to an In-line Bypass unit for fail-open.
Chapter 5, Initializing Symantec Network Security: Describes the initial configuration procedures using LCD, serial console, and compact flash.
Chapter 6, Starting the Network Security console: Describes how to install and launch the Symantec Network Security console.
Chapter 7, Licensing: Describes licensing options and how to install a license, check license status, and renew or add bandwidth to a license.
Chapter 8, Configuring nodes and interfaces: Describes how to add and edit 7100 Series nodes and interfaces, including in-line pairs and interface groups.
Chapter 9, Configuring detection and response: Describes how to start sensors by configuring and applying protection policies. Also describes how to add and edit response rules.
Chapter 10, Monitoring and reporting events and status: Describes how to view incidents and events, and how to generate reports. Describes several methods of monitoring status.
Chapter 11, Maintaining and administering the 7100 Series: Describes maintenance and administration tasks, including backup and restore, restarting software and hardware, using the LCD run menu, and using the serial console. Includes a section on setting up SESA.
Chapter 12, Re-imaging and unconfiguring: Describes how to unconfigure Symantec Network Security and how to re-image the appliance. Discusses upgrading the Network Security console. Discusses migration from an existing Symantec supported IDS platform to the Symantec Network Security 7100 Series.
Appendix A, Troubleshooting: Describes how to access the online knowledge base for troubleshooting information.
Appendix B, Specifications and safety: Lists product specifications and provides safety instructions and certifications.
Appendix C, Service Manual: Describes the removable hard drive in the 7160 and 7161.
Index: Lists topics covered in this guide, using index format.
About the documentation set
The documentation set for the Symantec Network Security 7100 Series includes:
Symantec Network Security 7100 Series Implementation Guide (printed and PDF). This guide explains how to install, configure, and perform key tasks on the Symantec Network Security 7100 Series.
Symantec Network Security Administration Guide (printed and PDF). This guide provides the main reference material, including detailed descriptions of the Symantec Network Security features, infrastructure, and how to configure and manage effectively.
Depending on your appliance model, one of the following:
Symantec Network Security 7100 Series: Model 7120 Getting Started Card
Symantec Network Security 7100 Series: Models 7160 and 7161 Getting Started Card
This card provides the minimum procedures necessary for installing, configuring, and starting to operate the Symantec Network Security 7100 Series appliance (printed and PDF).
Symantec Network Security 716x Service Manual (printed and PDF). This document provides instructions for removing the hard drive on the 7160 and 7161.
Symantec Network Security 7100 Series Product Specifications and Safety Information (printed and PDF). This document provides specifications for all 7100 Series models as well as safety warnings and certification information.
Symantec Network Security User Guide (PDF). This guide provides basic introductory information about Symantec Network Security software.
Symantec Network Security 7100 Series Readme (on CD). This document provides a feature summary, support and licensing information, key task tips, and provides a link to late-breaking information about the Symantec Network Security 7100 Series, including limitations, workarounds, and troubleshooting tips.
About the Web sites
You can view the entire documentation set on the Symantec Network Security Web site. You can get up to date information from the Knowledge Base and patch sites:
To view the documentation set, open http://www.symantec.com/techsupp/enterprise/select_product_manuals.html, and click Intrusion Detection > Symantec Network Security 4.0.
The Knowledge Base provides a constantly updated reference of FAQs and troubleshooting tips as they are developed. To view the Knowledge Base, open http://www.symantec.com/techsupp/enterprise/products/select_product_kb.html, and click Intrusion Detection > Symantec Network Security 4.0.
The patch site provides downloadable patches as they are released. To access the patch site, open http://www.symantec.com/techsupp/enterprise/select_product_updates.html, and click Intrusion Detection > Symantec Network Security 4.0.
Verifying the materials
Once you have unpacked your Symantec Network Security 7100 Series appliance, verify that you have received the following materials:
Table 1-2 Materials list (part, description)
Appliance: A single device that is one of three models: 7120, 7160, or 7161
Management Console CD: Contains the Symantec Network Security management console software for Windows and Linux platforms, the SESA SIPI software for the appliance, and the product documentation in PDF format
Recovery Software CD: Contains software for re-imaging the appliance to the original manufacturing settings.
Cables: Power cord for the country of operation (two power cords for 7160 and 7161); null modem serial console cable; Ethernet crossover cable for imaging and diagnostics
Rack mounting hardware: 2 metal L-brackets; 8 screws for attaching the brackets to the appliance
4 rubber feet: For use when installing the appliance on a shelf or other flat surface
Printed documentation: Symantec Network Security Version 4.0 Administration Guide; Symantec Network Security 7100 Series Implementation Guide; Symantec Network Security 7100 Series Getting Started Card; Symantec Network Security 7100 Series Product Specifications and Safety Information
Printed documentation only for 7160 and 7161: Symantec Network Security 716x Service Manual
Chapter 2 Introducing the 7100 Series components
This chapter includes the following topics:
About the 7100 Series components
About 7100 Series models
About core components
About additional components
About the 7100 Series components
The Symantec Network Security 7100 Series combines high speed networking interfaces, multi-gigahertz CPUs, and plenty of memory with a number of convenience features into a fast, simple, and reliable appliance. Additionally, the LCD subsystem, compact flash, removable hard drive, and serial port make administration tasks easy and efficient.
About 7100 Series models
The Symantec Network Security 7100 Series appliance is available in three models. The specific hardware configuration for each model is described in the following sections:
Model 7120
Model 7160
Model 7161
Model 7120
The 7120 is the Fast Ethernet model of the Symantec Network Security 7100 Series. It has six 10/100Base-T monitoring interfaces, and comes in a 1U configuration for a 19” rack.
Figure 2-1 shows the 7120 back panel components described in Table 2-1.
Figure 2-1 7120 back panel
Table 2-1 describes the components on the 7120 back panel.
Table 2-1 7120 back panel components (diagram location, component name, description)
1 Power supply: Connection for the AC power cord; standard power supply
2 Master power switch: Switch that turns the appliance on or off
3 DB9 serial port: Connection for the serial console cable
4 USB ports: Either port can be connected to the USB port of a bypass unit for fail-open capability
5 eth0: Monitoring interface; also the Imaging Server connection for re-imaging the appliance; 10/100Base-T
6 eth1: Monitoring interface; 10/100Base-T
7 eth2: Monitoring interface; 10/100Base-T
8 eth3: Monitoring interface; 10/100Base-T
9 eth4: Reset interface for sending TCP resets to malicious or unwanted flows; 10/100Base-T
10 eth5: Management interface; 10/100Base-T
11 Compact flash adapter: Read/write drive for compact flash cards of up to 1 GB capacity
12 Power reset switch: Switch for cycling power on appliance
Model 7160
The 7160 is the all gigabit copper Symantec Network Security 7100 Series model. It provides eight 10/100/1000Base-T monitoring interfaces, and comes in a 2U configuration for a 19” rack.
Figure 2-2 shows the back panel components described in Table 2-2:
Figure 2-2 7160 back panel
Table 2-2 describes the components on the 7160 back panel.
Table 2-2 7160 back panel components (diagram location, component name, description)
1 Dual redundant power supplies: Connections for the AC power cords; two redundant power supplies including four fans for cooling the appliance interior
2 Power switch: Switch that turns the appliance on or off
3 USB ports: Either port can be connected to the USB port of a bypass unit for fail-open capability
4 DB9 serial port: Connection for the serial console cable
5 Compact flash adapter: Read/write drive for compact flash cards of up to 1 GB capacity
6 re1000g0: Monitoring interface; also the Imaging Server connection for re-imaging the appliance; 10/100/1000Base-T
7 re1000g1: Monitoring interface; 10/100/1000Base-T
8 re1000g2: Monitoring interface; 10/100/1000Base-T
9 re1000g3: Monitoring interface; 10/100/1000Base-T
10 re1000g4: Monitoring interface; 10/100/1000Base-T
11 re1000g5: Monitoring interface; 10/100/1000Base-T
12 re1000g6: Monitoring interface; 10/100/1000Base-T
13 re1000g7: Monitoring interface; 10/100/1000Base-T
14 eth8: RST0 reset interface for sending TCP resets to malicious or unwanted flows; 10/100/1000Base-T
15 eth9: RST1 reset interface for sending TCP resets to malicious or unwanted flows; 10/100/1000Base-T
16 eth10: RST2 reset interface for sending TCP resets to malicious or unwanted flows; 10/100/1000Base-T
17 eth11: Management interface; 10/100/1000Base-T
Model 7161
The 7161 is very similar to the 7160, except that it provides four gigabit fiber ports and four gigabit copper ports rather than all copper ports.
Figure 2-3 shows the back panel components described in Table 2-3:
Figure 2-3 7161 back panel
Table 2-3 describes the components on the 7161 back panel.
Table 2-3 7161 back panel components (diagram location, component name, description)
1 Dual redundant power supplies: Connections for the AC power cords; two redundant power supplies including four fans for cooling the appliance interior
2 Power switch: Switch that turns the appliance on or off
3 USB ports: Standard USB ports
4 DB9 serial port: Connection for the serial console cable
5 Compact flash adapter: Read/write drive for compact flash cards of up to 1 GB capacity
6 re1000g0: Monitoring interface; also the Imaging Server connection for re-imaging the appliance; 1000Base-SX (fiber)
7 re1000g1: Monitoring interface; 1000Base-SX (fiber)
8 re1000g2: Monitoring interface; 1000Base-SX (fiber)
9 re1000g3: Monitoring interface; 1000Base-SX (fiber)
10 re1000g4: Monitoring interface; 10/100/1000Base-T
11 re1000g5: Monitoring interface; 10/100/1000Base-T
12 re1000g6: Monitoring interface; 10/100/1000Base-T
13 re1000g7: Monitoring interface; 10/100/1000Base-T
14 eth8: RST0 reset interface for sending TCP resets to malicious or unwanted flows; 10/100/1000Base-T
15 eth9: RST1 reset interface for sending TCP resets to malicious or unwanted flows; 10/100/1000Base-T
16 eth10: RST2 reset interface for sending TCP resets to malicious or unwanted flows; 10/100/1000Base-T
17 eth11: Management interface; 10/100/1000Base-T
About core components
In addition to the processors, memory, and networking interfaces, which vary in specifics between appliance models, certain core components are standard.
See the following sections for more information:
LCD panel
LED lights
Serial port
USB ports
Compact flash adapter
Figure 2-4 shows these components on the front and back panels of a 7160.
Figure 2-4 7160 core components (labels: LCD Panel, LED Lights, Compact Flash adapter, USB Ports, Serial Port)
LCD panel
The LCD panel includes the LCD screen and six push buttons. These components are located on the front bezel of the Symantec Network Security 7100 Series appliance. There is no significant difference between the models in the arrangement of the LCD panel components.
Table 2-4 describes the LCD panel components.
Table 2-4 LCD panel components (diagram location, component name, description)
1 LCD screen: Provides a backlit, 2 line by 16 character display.
2 Left arrow button: Scrolls through menu choices and moves the cursor backward when entering input.
3 Up arrow button: Scrolls up through characters and numbers when answering initial configuration questions or entering the password.
4 Down arrow button: Scrolls down through characters and numbers when answering initial configuration questions or entering the password.
5 Right arrow button: Scrolls through menu choices and moves the cursor forward when entering input.
6 s (start) button: Starts over when entering input. Also starts a network boot during re-imaging or upgrading.
7 e (enter) button: Enters the selected choice. Also, enters the line of input after using the arrow buttons to edit it.
The LCD serves multiple purposes. When a new appliance is first booted, use the LCD and buttons to select the method for initial configuration and continue, if you like, through the entire configuration process. Otherwise, you can use the serial console or the compact flash for initial configuration.
See “LCD panel initial configuration” on page 68.
See “Serial console initial configuration” on page 76.
See “Compact flash initial configuration” on page 83.
After you configure the appliance and install Symantec Network Security, the LCD panel goes into status mode, in which it cycles through various system statistics. See “Monitoring appliance status” on page 130.
You can use the LCD panel to perform certain administrative tasks, such as starting and stopping Symantec Network Security, rebooting or shutting down the appliance, changing the appliance IP address, or rolling back Symantec Network Security to the unconfigured state.
See “Using the LCD run menu” on page 154.
See “Restarting, rebooting, and powering off” on page 148.
See “Unconfiguring Symantec Network Security” on page 168.
Using the Network Security console, you can lock the LCD panel to prevent unauthorized access. You can unlock it from the console or by entering the administrator account password with the LCD panel buttons.
See “Unlocking the LCD panel” on page 155.
LED lights
The front panel of every Symantec Network Security 7100 Series appliance contains five LED lights.
Table 2-5 describes the function of each LED light.
Table 2-5 LED lights (diagram location, component name, description)
1 Power: Glows when the appliance is powered on.
2 Disk activity: Blinks when the hard drive is accessed.
3 Network activity (Rx): Blinks when network traffic is arriving on the eth1 interface on the 7120. This LED is disabled for the 7160 and 7161.
4 Network activity (Tx): Blinks when there is network traffic on the eth0 interface on the 7120. This LED is disabled on the 7160 and 7161.
5 Temperature: Blinks to indicate temperature status, blinking slowly for temperature warnings and quickly for temperature failures. If the Symantec Network Security 7100 Series is in danger of overheating, a log message is sent to the appliance log file.
Serial port
The serial port is a standard male DB9 port that provides direct access from the Symantec Network Security 7100 Series to a serial console.
You can connect a null modem RS232 cable from the appliance to any laptop, PC or other serial-enabled device, and log in to the appliance using a serial terminal application with VT100 emulation. You can use the serial console during initial configuration, for administrative tasks, and when troubleshooting.
Using a serial console for the initial configuration, rather than the LCD panel, allows you to view the configuration questions on a monitor rather than on the 16 character LCD screen. See “Serial console initial configuration” on page 76.
You can use the serial console to create a bootable compact flash card, which is required to initiate the network boot process used during re-imaging or upgrading the appliance. See “Preparing for re-imaging” on page 170.
Use the serial console to access the appliance operating system or Symantec Network Security software for troubleshooting. See “Using the serial console” on page 158.
USB ports
There are two USB ports on the back of every Symantec Network Security 7100 Series appliance. Either port can be used for the keep-alive connection to the optional In-line Bypass unit. The bypass unit provides fail-open capability when you configure the appliance for in-line mode. See “Fail-open” on page 35.
Compact flash adapter
The compact flash (CF) adapter is a device which reads from and writes to compact flash cards of up to 1 GB capacity. Each Symantec Network Security 7100 Series appliance is equipped with a compact flash adapter, located on the back panel. A compact flash card must be purchased separately. The CF adapter has a button for ejecting the card.
Compact flash cards are removable storage media that you can use for several purposes, including:
Saving initial configuration information for a new slave appliance
Loading initial configuration information onto a new slave appliance
Backing up node logs, databases, and configuration information
Restoring node logs, databases, and configuration information
Upgrading to a major new version of Symantec Network Security
Upgrading to a major new version of the operating system
Booting from compact flash during appliance re-imaging or upgrading
You can use the Network Security console to access the compact flash adapter. The compact flash card is treated as an internal device, so you must insert the CF card into the adapter before booting the appliance. When the CF card is present at boot time, it is automatically mounted as a filesystem.
See “Compact flash initial configuration” on page 83.
See “Preparing for re-imaging” on page 170.
See “Creating a bootable compact flash” on page 171.
See “Making a non-bootable compact flash card” on page 143.
See “Using the compact flash for backup and restore” on page 144.
About additional components
The high-end models of the Symantec Network Security 7100 Series include additional features that the 7120 does not. These include a removable hard drive and dual redundant power supplies.
Removable disk drive
The 7160 and 7161 have a hard drive that you can easily remove by means of a pullout panel on the bottom of the appliance.
If you should ever need to ship your appliance to Symantec for support, this provides a convenient method of extracting the drive before shipping the appliance. This allows you to protect proprietary or sensitive data contained on the drive.
The pullout panel is held in place by four captive screws which can be turned by hand or with a Phillips (cross) head screwdriver.
Warning: Turn off the power and unplug the appliance before attempting to open the panel and remove the disk drive. The drive is not hot-swappable.
See “Service Manual” on page 191.
Dual redundant power supplies
The 7160 and 7161 have dual redundant power supplies. The dual power supplies ideally connect to separate power sources.
Each of the redundant power supplies has two internal power-main connections. In the event of a failure of one power-main, the other one continues to provide uninterrupted power.
In case of failure or when only one power supply is connected to a power source, the power supply emits a high-pitched alarm.
Chapter 3
Deploying the 7100 Series
This chapter includes the following topics:
About deploying the 7100 Series
Deployment options
Network Security console accessibility
SESA server accessibility
Symantec LiveUpdate accessibility
About deploying the 7100 Series
When deciding how best to deploy your Symantec Network Security 7100 Series appliance, consider both the capabilities of the product and the specifics of your network. You can deploy the appliance in a variety of modes depending on your needs. These choices include passive mode, in-line mode (with or without blocking), interface grouping, fail-open, clustering, high availability, and in combination with third-party IDS products.
The Symantec Network Security 7100 Series provides the flexibility to meet the needs of complex enterprise networks. It supports multiple external network connections, asymmetric routing, servers containing sensitive and important information, multiple VLANs, and more.
Deployment options
You can deploy the Symantec Network Security 7100 Series appliance in different modes, including passive and in-line. If your network exhibits asymmetric traffic patterns, you may want to configure interface grouping. If you deploy the appliance in-line, you can add fail-open capabilities. You can combine it in a cluster with other Symantec Network Security nodes, which may be appliances or software versions on other platforms. You can integrate the appliance with third party intrusion detection products as well.
See the following sections for more information:
Bandwidth licensing options
Passive mode
In-line mode
Interface grouping
Fail-open
Clustering
External IDS products
Bandwidth licensing options
The Symantec Network Security 7100 Series offers extremely flexible bandwidth deployment licensing. You can choose from three bandwidth levels for the 7120, and four levels for a 7160 or 7161. If your network traffic increases beyond your licensed rate, you can add to your license in 50 Mbps increments for the 7120, and in 250 Mbps increments for the 7160 and 7161. For more information about licensing, see “Licensing” on page 91.
Passive mode
Passive mode is the default method of monitoring traffic on network segments. It provides intrusion detection with logging, alerting, and response capabilities. Passive mode also provides maximum performance. Symantec Network Security 4.0 software provides the same functionality on other platforms as passive mode on the 7100 Series.
When configuring monitoring interfaces to monitor network segments:
The 7120 can monitor four different network segments with a total bandwidth up to 200 Mbps of network traffic.
The 7160 and 7161 models can each monitor up to eight network segments, with a total bandwidth up to 2 Gbps.
In passive mode, Network Security detects attacks as they enter the monitored network. You can configure response rules to provide alerts, send TCP resets, execute scripts, or take other actions. See the Symantec Network Security Administration Guide for more information on response rules.
Note: Passive mode does not provide the ability to block malicious traffic from reaching its destination. The attack is detected on its way to the target. Blocking is only available using in-line mode. See “In-line mode” on page 31 and “About protection policies” on page 116.
In-line mode
In-line mode is a powerful mode of deployment that is available only on the Symantec Network Security 7100 Series.
This section provides the following information:
Blocking and alerting
In-line pairs
Deployment using in-line mode
Comparing in-line mode to passive mode
Blocking and alerting
You can configure in-line mode on your appliance to operate in either of two modes:
Alerting: Sends configurable alerts using email, pagers, SNMP, and console pop-ups. Provides configurable responses such as sending TCP resets, executing scripts or programs, traffic recording, and more.
Blocking: Prevents malicious traffic from entering your network. Also provides the same configurable alerts and responses offered in alerting mode.
Both operating modes provide logging of suspicious or malicious events, including the display of events and incidents on the Network Security console.
In-line alerting mode provides the same capabilities as passive mode provides (see “Passive mode” on page 30). The advantage of in-line alerting mode over passive mode is that you can quickly switch from alerting to blocking mode in the Network Security console.
In-line blocking mode is an important tool for securing your network, because it allows you to stop attacks at the point of detection. Blocking mode on the 7100 Series utilizes Symantec Network Security’s powerful analysis software to identify both zero-day attacks and those with known signatures. You can find more information about Network Security’s analysis and detection capabilities in the Symantec Network Security Administration Guide.
In-line pairs
In-line mode requires two interfaces configured as an in-line pair. The interfaces in each in-line pair are pre-determined, and the Network Security console enforces the pairing.
Figure 3-1 shows the interfaces designated for in-line pair 0 and pair 1 on the 7120.
Figure 3-1 In-line pairs on the 7120
1 - In-line pair 0 2 - In-line pair 1
3 - eth0 (0) 4 - eth1 (1) 5 - eth2 (2) 6 - eth3 (3)
Figure 3-2 shows the interfaces designated for in-line pairs 0, 1, 2, and 3 on the 7160 and 7161.
Figure 3-2 In-line pairs on the 7160 and 7161
1 - In-line pair 0 2 - In-line pair 1 3 - In-line pair 2 4 - In-line pair 3
5 - re1000g0 (0) 6 - re1000g2 (2) 7 - re1000g4 (4) 8 - re1000g6 (6)
9 - re1000g1 (1) 10 - re1000g3 (3) 11 - re1000g5 (5) 12 - re1000g7 (7)
The 7100 Series node receives incoming network traffic on one interface of the in-line pair, then the Network Security detection software analyzes the traffic for malicious content. Once the analysis is complete, Network Security sends the traffic out on the other interface.
You can select alerting or blocking mode for each in-line pair by customizing and applying a protection policy to the in-line pair. A protection policy is a collection of attack types combined with configurable responses. Some protection policies support blocking, and others do not. You can only enable blocking for in-line pairs. For more information about protection policies, see “About protection policies” on page 116, and the Symantec Network Security Administration Guide.
Deployment using in-line mode
The initial setup for in-line mode requires an interruption to network traffic while you make the necessary cabling changes. The appliance must be physically connected as part of the network path to block malicious traffic from reaching its target inside your network. See “Cabling” on page 49.
Comparing in-line mode to passive mode
Table 3-1 illustrates the differences and similarities between in-line mode and passive mode on the Symantec Network Security 7100 Series.
Table 3-1 In-line mode compared to passive mode
Feature or characteristic | In-line mode | Passive mode
Alerting | Yes | Yes
Blocking | Yes | No
Interrupts traffic during setup | Yes | No
Number of interfaces used | 2 | 1
Interface grouping
You can use interface grouping when asymmetric traffic patterns appear in your network. Asymmetric routing occurs when network traffic to and from a given IP address does not follow the same path. Interface grouping is the solution to this problem.
Figure 3-3 Asymmetric traffic pattern (diagram: the inflow of sessions and the outflow of sessions take different paths through two routers and two multi-layered switches to the servers)
You can configure up to four monitoring interfaces into one interface group. Symantec Network Security starts a single sensor for the group, with the result that all network traffic seen on any interface within the group is analyzed in the group context, as if the traffic were being seen on a single interface. Any policy you create for an interface group applies to all interfaces in the group. Interfaces that are part of a group cannot be configured individually.
An interface group can only include passive mode interfaces. Interface grouping of in-line pairs is not supported.
You can only create an interface group using interfaces from the same node. Interfaces groups spanning multiple nodes in a cluster are not supported.
Fail-open
Fail-open refers to a configuration that allows network traffic to continue even if the Symantec Network Security 7100 Series appliance has a hardware or software failure that affects one or more of its in-line interface pairs. For in-line interface pairs on the appliance, fail-open is an option that requires the purchase and installation of another device called the Symantec Network Security In-line Bypass unit.
See the following sections for more information:
About the In-line Bypass unit
The 2 In-line Bypass unit
The 4 In-line Bypass unit
Port groups and the management port on the bypass unit
Online and bypass modes
Link parameters on bypass unit interfaces
Front panel LEDs on the bypass unit
Rear panel LEDs on the bypass unit
About the In-line Bypass unit
Since in-line mode by definition places the appliance into the network path, a hardware or software failure affecting the interface pair will interrupt network traffic, or fail closed. To avoid this you can install the In-line Bypass unit. The bypass unit monitors the 7100 Series status, and if it senses a failure, the bypass unit provides direct network connectivity.
There are two bypass unit models, called the 2 In-line Bypass unit and the 4 In-line Bypass unit. The two models are designed to accommodate 7100 Series appliances with either four or eight copper monitoring interface ports. The following table summarizes the features of the bypass unit models:
Table 3-2 Bypass unit features
Feature | 2 In-line Bypass unit | 4 In-line Bypass unit
Supported appliance model | 7120 | 7160
Supported number of in-line interface pairs (equals number of port groups on bypass unit) | 2 | 4
10/100/1000 Base-TX (MDIX) interfaces | 2 | 4
10/100/1000 Base-T (MDI) interfaces | 6 | 12
USB ports | 1 | 1
Both the 2 In-line Bypass unit and the 4 In-line Bypass unit are equipped with gigabit (10/100/1000) copper interfaces. The interfaces can accommodate both Fast Ethernet and Gigabit Ethernet connections.
Because the bypass unit is only available for copper interfaces, fail-open cannot be provided at this time for the optical fiber in-line interface pairs on the appliance model 7161.
Both bypass unit models operate at wire speeds and have no impact on performance.
The 2 In-line Bypass unit
You can deploy the 2 In-line Bypass unit with a 7120.
Figure 3-4 shows the rear panel of the 2 In-line Bypass unit.
Figure 3-4 2 In-line Bypass unit
1 - Serial port 2 - Mgmt USB 3 - Power Supply 1 4 - Power Supply 2
5 - NetA 6 - AppA 7 - AppB 8 - NetB 9 - Port group 1 10 - Port group 0
The 4 In-line Bypass unit
You can deploy the 4 In-line Bypass unit with a 7160.
Figure 3-5 shows the rear panel of the 4 In-line Bypass unit.
Figure 3-5 4 In-line Bypass unit
1 - Serial port 2 - Mgmt USB 3 - Power Supply 1 4 - Power Supply 2
5 - Port group 0 6 - Port group 1 7 - Port group 2 8 - Port group 3
Port groups and the management port on the bypass unit
Each bypass unit contains groups of ports called port groups. Each port group contains four ports that connect to the network and to the in-line pair ports on the appliance.
Each bypass unit also has a USB port for communication with the appliance.
The Net A port of each port group on the bypass unit is implemented as 10/100/1000Base-TX. It is a Medium Dependent Interface, crossed (MDIX). You may need a crossover cable to connect Net A to some devices. The Net B port of each port group is implemented as 10/100/1000Base-T (MDI). Consult the documentation for your network devices to determine whether they require crossover connections.
You must supply at least four connections to each port group in use on the bypass unit, plus one USB connection per bypass unit. Table 3-3 describes these connections.
Table 3-3 Connections needed for deploying bypass unit
Connection | Bypass port | Description
The appliance USB port | Mgmt USB | Connects to either USB port on the appliance. The two devices communicate over the USB connection.
One side of the network | Net A | Connects to one side of the network that you are protecting. Net A is the Base-TX port (MDIX).
The even-numbered interface on the appliance | App A | Connects to the interface in the in-line pair that is associated with one side of the network. App A always connects to the even-numbered interface (for example, re1000g0 or eth2).
The odd-numbered interface on the appliance | App B | Connects to the interface in the in-line pair that is associated with the other side of the network. App B always connects to the odd-numbered interface (for example, re1000g1 or eth3).
The other side of the network | Net B | Connects to the other side of the network.
Online and bypass modes
The bypass units can operate in two modes:
Online mode: Network traffic passes from the bypass unit to the 7100 Series for analysis, then goes back to the bypass unit and out through the other network interface. Also called online state.
Bypass mode: Network traffic entering the bypass unit passes directly from one side of the network to the other. Also called bypass state.
After connecting the bypass unit to the 7100 Series and powering on, all port groups are initially in bypass mode. In bypass mode, network traffic does not pass through the appliance for event detection. To change the port group to online mode, you must start a sensor on the in-line pair that is connected to that port group. Event detection can only occur when the bypass unit is in online mode.
See “Starting a sensor on an appliance interface” on page 115.
While the appliance is running, the bypass unit stays in online mode. If the appliance has a hardware or software failure, fail-open is activated when the bypass unit senses the failure via the USB connection and switches to bypass mode.
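The in-line pair cabling rules of Table 3-3 and the online/bypass behaviour just described, as an added example that is not part of this guide or Symantec's software: a small Python model that checks App A/App B cabling against the pre-determined pairs and records the windows in which a port group sat in bypass mode, so that traffic crossed the segment with no event detection. The pair-to-port-group mapping, the timestamps, and all function names are assumptions of this example.

```python
"""Constructed model of the fail-open behaviour described in this chapter (added
example, not Symantec's software): the cabling rules of Table 3-3 and the
online/bypass state machine of the In-line Bypass unit."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Pre-determined in-line pairs (Figures 3-1 and 3-2): pair id -> (even, odd) interface.
INLINE_PAIRS: Dict[str, Dict[int, Tuple[str, str]]] = {
    "7120": {0: ("eth0", "eth1"), 1: ("eth2", "eth3")},
    "7160": {0: ("re1000g0", "re1000g1"), 1: ("re1000g2", "re1000g3"),
             2: ("re1000g4", "re1000g5"), 3: ("re1000g6", "re1000g7")},
}
INLINE_PAIRS["7161"] = INLINE_PAIRS["7160"]
# Bypass unit model and port-group count per supported appliance (Table 3-2).
BYPASS_UNIT_FOR: Dict[str, Tuple[str, int]] = {"7120": ("2 In-line Bypass unit", 2),
                                               "7160": ("4 In-line Bypass unit", 4)}


def interface_index(name: str) -> int:
    """Numeric index of an interface name: 'eth2' -> 2, 're1000g5' -> 5."""
    digits = name[len(name.rstrip("0123456789")):]
    if not digits:
        raise ValueError(f"no interface index in {name!r}")
    return int(digits)


def validate_port_group_cabling(model: str, pair_id: int, app_a: str, app_b: str) -> List[str]:
    """Return the cabling problems for one bypass port group ([] means correct).
    Table 3-3: App A goes to the even-numbered interface of the in-line pair, App B
    to the odd-numbered one; the pair must be pre-determined on a model that has a
    bypass unit. Which pair feeds which port group is the installer's choice, so
    the caller names the pair, not the port group (assumption of this model)."""
    problems: List[str] = []
    if model not in BYPASS_UNIT_FOR:
        problems.append(f"no In-line Bypass unit is listed for model {model} (Table 3-2)")
        return problems
    if pair_id not in INLINE_PAIRS[model]:
        problems.append(f"model {model} has no in-line pair {pair_id}")
        return problems
    even, odd = INLINE_PAIRS[model][pair_id]
    if interface_index(app_a) % 2 != 0:
        problems.append(f"App A must connect to an even-numbered interface, not {app_a}")
    if interface_index(app_b) % 2 != 1:
        problems.append(f"App B must connect to an odd-numbered interface, not {app_b}")
    if (app_a, app_b) != (even, odd):
        problems.append(f"in-line pair {pair_id} on a {model} is {even}/{odd}: "
                        f"cable App A to {even} and App B to {odd}")
    return problems


@dataclass
class PortGroup:
    """One bypass-unit port group: starts in bypass mode after power-on, goes
    online only when a sensor runs on its in-line pair, and falls back to bypass
    (fail-open) when the USB keep-alive reports an appliance failure.
    Times are seconds since an arbitrary epoch (constructed)."""
    pair_id: int
    power_on_time: int
    mode: str = field(init=False, default="bypass")
    transitions: List[Tuple[int, str]] = field(init=False, default_factory=list)

    def __post_init__(self) -> None:
        self.transitions = [(self.power_on_time, "bypass")]

    def _enter(self, t: int, mode: str) -> None:
        if mode != self.mode:
            self.mode = mode
            self.transitions.append((t, mode))

    def sensor_started(self, t: int) -> None:
        self._enter(t, "online")

    def keepalive_lost(self, t: int) -> None:
        self._enter(t, "bypass")  # fail-open: traffic still flows, uninspected

    def inspects_traffic(self) -> bool:
        """Event detection only happens while the group is online."""
        return self.mode == "online"

    def uninspected_windows(self, now: int) -> List[Tuple[int, int]]:
        """Windows [start, end) in which traffic crossed this port group without
        passing through the appliance, i.e. with no event detection."""
        windows: List[Tuple[int, int]] = []
        for i, (t, mode) in enumerate(self.transitions):
            if mode != "bypass":
                continue
            end = self.transitions[i + 1][0] if i + 1 < len(self.transitions) else now
            windows.append((t, end))
        return windows


def demo() -> Tuple[List[str], List[Tuple[int, int]]]:
    """Constructed scenario: a 7160 with bypass port group 0 on in-line pair 0."""
    problems = validate_port_group_cabling("7160", 0, "re1000g0", "re1000g1")
    group = PortGroup(pair_id=0, power_on_time=0)
    group.sensor_started(120)     # sensor started two minutes after power-on
    group.keepalive_lost(3600)    # appliance failure one hour in: fail-open
    group.sensor_started(3900)    # appliance recovered, sensor restarted
    return problems, group.uninspected_windows(now=7200)  # ([], [(0, 120), (3600, 3900)])
```

The first window shows that traffic flows uninspected from power-on until the sensor is started, not only after a failure, which is worth accounting for when you review coverage of an in-line segment.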
Link parameters on bypass unit interfaces
The interface link parameters, including speed and duplex mode, should be auto-negotiated between Net A and App A, and Net B and App B. You should not force the link speed or duplex mode to a specific setting on network devices that connect to Net A or Net B. Forcing the link parameters to a certain value may result in link speed or duplex mismatches which could cause degraded performance or possible loss of connectivity.
After connecting the bypass unit to a 7100 Series appliance, you should verify the link speed and duplex parameters for all interfaces in the port group. To verify the link parameters for Net A and Net B, log on to the connected network devices and display the status for the connected interfaces. Ensure that the connected interfaces are configured for auto-negotiation of link parameters.
To verify the link parameters for App A and App B, use the Network Security console. After starting a sensor on the corresponding in-line pair, you can view the link parameters by clicking each interface object in the in-line pair.
See “Interface status parameters” on page 133.
The parameter values for all interfaces in the port group should be the same when the bypass unit is in online mode. For a 2 In-line Bypass unit connected to a 7120, all interfaces should auto-negotiate to 100 Mbps in online mode. However, when Net A and Net B on a 2 In-line Bypass unit are connected to gigabit interfaces on both network devices, the bypass unit can run at up to 1000 Mbps in bypass mode.
Front panel LEDs on the bypass unit
Both In-line Bypass units share a common front panel that contains a number of status LEDs.
Figure 3-6 shows the bypass unit front panel LED configuration.
Figure 3-6 Bypass unit front panel LEDs
Table 3-4 describes the LEDs shown in the diagram.
Table 3-4 Bypass unit front panel LED descriptions
Diagram location | LED label | LED name | Description
ONLINE
0 | P0 | Port group 0 | The P0 LED glows when port group 0 is operating in online mode.
1 | P1 | Port group 1 | The P1 LED glows when port group 1 is operating in online mode.
2 | P2 | Port group 2 | The P2 LED glows when port group 2 is operating in online mode.
3 | P3 | Port group 3 | The P3 LED glows when port group 3 is operating in online mode.
MGMT
4 | TX | Transmit data | The TX LED blinks when the bypass unit is transmitting data on the USB connection.
5 | RX | Receive data | The RX LED blinks when the bypass unit is receiving data on the USB connection.
PWR
6 | PS1 | Power supply 1 | The PS1 LED glows when power supply 1 is connected to a power source.
7 | PS2 | Power supply 2 | The PS2 LED glows when power supply 2 is connected to a power source.
Rear panel LEDs on the bypass unit
The rear panel status LEDs are located in the top left and top right corners of each port in the port groups. On the bypass unit, the LEDs are labeled only for the top ports, but the labels apply to the ports in the lower port group as well.
Figure 3-7 shows the bypass unit rear panel LED configuration.
Figure 3-7 Bypass unit rear panel LEDs
Table 3-5 describes the LEDs shown in the diagram.
Table 3-5 Bypass unit rear panel LED descriptions
LED label | LED name | Description
LT | Link test | The LT LED glows green to indicate an active link signal on the port.
ALM | Alarm | The ALM LED in the top right corner of the Net A port glows red for an alarm condition such as lack of a link signal on one or more ports in the port group.
BYP | Bypass | The BYP LED in the top right corner of the App A port glows yellow when the port group is operating in bypass mode.
ON | Online | The ON LED in the top right corner of the App B port glows green when the port group is operating in online mode.
GIG | Gigabit | The GIG LED in the top right corner of the Net B port glows green when the port group is operating in gigabit mode (1000 Mbps). It is off when the port group is operating at 100 Mbps or 10 Mbps.
Clustering
You can combine the Symantec Network Security 7100 Series appliance with other nodes and appliances into a cluster. One node within the cluster functions as the master node, and the others act as slaves. You can access and configure all nodes in the cluster from the same Network Security console. You can configure cluster parameters on the master node, which then propagate to the slave nodes. This is discussed in more detail in the Symantec Network Security Administration Guide.
When you deploy your appliance as part of a cluster, it has certain compatibility requirements. Whether an appliance is a master or a slave node, it can only be combined in a cluster with other nodes that are either:
Symantec Network Security 7100 Series appliances
Symantec Network Security 4.0 nodes
External IDS products
The Symantec Network Security 7100 Series appliance can be deployed in conjunction with certain intrusion detection products made by other vendors. The appliance can receive event data from these products if you purchase and install the corresponding Symantec Network Security Smart Agent software. Once the event data is received, the appliance analyzes it in the same way that it handles data from its own sensors. For more information, see the Symantec Network Security Administration Guide.
Network Security console accessibility
The Network Security console is a Java application that runs on a separate computer. You can deploy the console on any computer that can access the 7100 Series management network.
See “Installing the console” on page 86.
You should locate the console in a secure area to prevent unauthorized access. Symantec Network Security controls console application access with user names and passphrases. You can create users with different access permissions. For more information, see the Symantec Network Security Administration Guide.
SESA server accessibility
Symantec Network Security can export event data to Symantec Enterprise Security Administrator (SESA) via the management interface. Configuring your appliance for integration with SESA provides an opportunity to share the event data with other Symantec products. Symantec Network Security and SESA communicate over the management network.
See “Installing the SESA bridge” on page 161.
See the Symantec Network Security Administration Guide for more information about using SESA.
Symantec LiveUpdate accessibility
Symantec Network Security provides product updates and enhancements in the form of Security Updates, Engine Updates, and patches, using LiveUpdate. Not to be confused with upgrading, LiveUpdate enables you to check for new updates, apply updates to single nodes or node clusters, schedule automatic updates, view current and applied versions, and keep your systems updated to the latest levels.
You can configure the 7100 Series for automatic updates, or you can set up a separate system to receive the updates for later disbursement to Symantec Network Security nodes. Your choice affects whether the 7100 Series node needs access to the Symantec Web site or only to a local server.
For more information about LiveUpdate, see the Symantec Network Security Administration Guide.
Chapter 4
Installing the 7100 Series
This chapter includes the following topics:
About installing the 7100 Series
Rack mounting
Cabling
About installing the 7100 Series
To install the Symantec Network Security 7100 Series you need to:
Mount it on the rack or shelf
Cable it to other network devices
The Symantec Network Security 7100 Series is designed to be installed in a data center with other networking devices and servers. Its dimensions are suitable for a 19” rack. You must position it within cabling distance of any switches or other devices that access the network segments that you want to protect.
The appliance can be mounted facing either direction in your rack, so consider which side will have access to the ports and compact flash, and which will have access to the LCD panel and LED lights.
You may need port access during installation and to reconfigure between passive mode and in-line mode monitoring.
You may need access to the compact flash adapter for backing up and restoring, log archiving, re-imaging, upgrading, or initial configuration of slave appliances.
You may need to use the LCD panel during initial configuration. System statistics are displayed on the LCD screen during normal operation. You can also perform certain administrative functions from the LCD panel, such as stopping and starting Symantec Network Security, and rebooting the appliance.
Access to the LED lights allows you to see indicators for power, disk usage, network traffic in and out, and appliance temperature.
Rack mounting
The Symantec Network Security 7100 Series comes with two metal L-brackets and eight screws for attaching the brackets to the appliance. Using the brackets, you can mount the appliance to a standard 19” two-post or four-post rack. This procedure is the same for all models.
Note: Due to the distribution of weight in models 7160 and 7161, you may wish to mount the brackets at the rear of the appliance. Alternatively, you can use other mounting hardware to attach the appliance to your rack, such as sliding rails or a shelf.
Warning: Installing the appliance into a rack may require two people or a lifting device, especially for the 2U models. The 7160 and 7161 weigh approximately 16.33 kg (36 lbs).
Mounting the appliance to a two-post rack
This section describes the procedure for mounting the appliance onto a two-post rack.
To mount the appliance to a two-post rack
1 Place the long side of an L-bracket against one side of the appliance near either the front or the back of the appliance. Turn the bracket to position the short side of the bracket closer to the midpoint of the appliance.
2 Attach the bracket by inserting four of the provided screws through the slots in the bracket into the holes in the appliance casing. Tighten the screws completely.
3 Attach the other L-bracket in the same way to the opposite side of the appliance.
4 With assistance, lift the appliance into place so that the short flanges of the L-brackets are pressed against the rack posts.
5 Using the screws supplied with your rack, attach the L-brackets to the posts on both sides of the appliance.
Mounting the appliance to a four-post rack
This section describes the procedure for mounting the appliance onto a four-post rack.
To mount the appliance to a four-post rack
1 Place the long side of an L-bracket against one side of the appliance near either the front or the back of the appliance. Position the bracket so that its short flange is lined up with the front or back of the appliance.
2 Attach the bracket by inserting four of the provided screws through the slots in the bracket into the holes in the appliance casing. Tighten the screws completely.
3 Attach the other L-bracket in the same way to the opposite side of the appliance.
4 With assistance, lift the appliance into place so that the short flanges of the L-brackets are pressed against the rack posts on both sides.
5 Using the screws supplied with your rack, attach the L-brackets to the posts on both sides of the appliance.
Cabling
Most of the cabling on the appliance has to do with network connections. There are no keyboard, mouse, or video interfaces to connect. You need to connect cables to the monitoring ports, management port, reset ports, and power supply. Optionally, you may wish to cable the serial port and, if you have a Symantec Network Security In-line Bypass unit, a USB port.
Cabling for model 7120
This section describes cabling for model 7120. If you have a different model, refer to the appropriate section.
See “Cabling for model 7160” on page 54.
See “Cabling for model 7161” on page 62.
The following topics are covered here:
Connecting the management, reset, and serial ports
Cabling for passive mode monitoring
Cabling for in-line mode monitoring
Cabling a bypass unit for fail-open
Powering the 7120 on or off
Warning: To prevent a possible electric shock, do not connect the power until all other cabling is done.
Figure 4-1 shows the back panel of the 7120.
Figure 4-1 7120 back panel
1 - Power supply 2 - Master power switch 3 - Serial port 4 - USB ports 5 - Monitoring port 0 6 - Monitoring port 1
7 - Monitoring port 2 8 - Monitoring port 3 9 - Reset port 10 - Management port 11 - Compact flash adapter 12 - Reset power switch
Connecting the management, reset, and serial ports
You need two Ethernet cables of an appropriate length to connect the management and reset ports to your network.
Use the provided serial console cable to connect the serial port to your serial device.
To connect the management port
Connect the management port on the appliance to your management
network.
To connect the reset port
Connect the reset port on the appliance to the monitored network where you
want to send TCP resets.
To connect the serial port
Connect the serial port on the appliance to a laptop, PC, or other serial
device.
Cabling for passive mode monitoring
The 7120 appliance can monitor up to four separate network segments. Note that ports 0 through 2 use a faster bus than port 3, which may be a consideration depending on how busy your network segments are. All ports are 10/100 Base-T Ethernet ports.
To cable the 7120 for passive mode monitoring
Connect ports 0, 1, 2, and 3 of the appliance to the network segments that
you want to monitor.
Cabling for in-line mode monitoring
The 7120 appliance can provide in-line mode monitoring for up to two network segments. In-line mode requires an interface pair for each monitored network segment. The interface pair can be ports 0 and 1, or ports 2 and 3. Other port combinations are not supported.
Within each interface pair, each port is connected to the network, splitting it into two sides.
To use in-line mode for monitoring a single network segment, you may choose either interface pair (ports 0/1, or ports 2/3). You can use the remaining ports for monitoring other network segments in passive mode.
Figure 4-2 depicts a 7120 using in-line mode to monitor two network segments.
Figure 4-2 7120 using in-line mode
To cable the 7120 for in-line mode monitoring
1 Connect port 0 of the appliance to one side of network 1.
2 Connect port 1 of the appliance to the other side of network 1.
3 Connect port 2 of the appliance to one side of network 2.
4 Connect port 3 of the appliance to the other side of network 2.
Cabling a bypass unit for fail-open
This section describes how to install a Symantec Network Security In-line Bypass unit to provide fail-open capability. The 2 In-line Bypass unit is recommended for operation with the 7120 appliance.
Note: Only the 2 In-line Bypass unit is supported for use with model 7120.
Figure 4-3 shows the 2 In-line Bypass unit.
Figure 4-3 Use the 2 In-line Bypass unit with the 7120 (figure shows Port Group 0 and Port Group 1)
The 2 In-line Bypass unit contains two port groups, each with four ports. The Net A and App A ports in the port group, along with the even-numbered port of the 7120 in-line pair, handle traffic on one side of the network connection. The other two ports in the port group, Net B and App B, are associated with the other port of the 7120 in-line pair and the other side of the network connection.
Figure 4-4 depicts a 2 In-line Bypass unit deployed with a 7120 and other
network devices.
Figure 4-4 2 In-line Bypass unit deployed with 7120 (figure shows port group 0 and port group 1 of the 2 In-line Bypass unit, each with Net A, Net B, App A, and App B ports, connected to the 7120)
0 - Port 0 1 - Port 1 2 - Port 2 3 - Port 3
4 - In-line pair 0 5 - In-line pair 1
Note: Follow the cabling instructions carefully to match each in-line interface pair with its associated port group on the bypass unit. Connect in-line pair 0 (ports 0/1 on the appliance) to port group 0 on the bypass unit. Connect in-line pair 1 on the 7120 to port group 1 on the bypass unit.
The Net A port of each port group on the bypass unit is implemented as 10/100/1000Base-TX. You may need a crossover cable to connect Net A to some devices. This is more likely when connecting Net A to an older switch that does not provide automatic pair reversal. The Net B port of each port group is implemented as 10/100/1000Base-T. Consult the documentation for your network devices to determine whether they require crossover connections.
The following procedures do not anticipate the type of cable. It is up to you to select a crossover cable if your network device requires one.
The link parameters, including speed and duplex mode, should be auto-negotiated between Net A and App A, and Net B and App B. Do not force the link speed or duplex mode to a specific setting on network devices that connect to Net A or Net B.
See “About the In-line Bypass unit” on page 35.
To connect the bypass unit App A and App B ports to the 7120 in-line pair, use the Ethernet cables provided with the bypass unit.
Note: After connecting the bypass unit to the 7100 Series and powering both on, all port groups are initially in bypass mode. To change the port group to online mode, you must start a sensor on the in-line pair that is connected to that port group. Event detection can occur only when the port group is in online mode.
See “Starting a sensor on an appliance interface” on page 115.
To cable in-line pair 0 with port group 0
1 Shut down the 7120 appliance if it is running.
2 On the bypass unit, connect Net A of port group 0 to one side of the network.
3 Connect App A of port group 0 to port 0 on your appliance.
4 Connect App B of port group 0 to port 1 on your appliance.
5 On the bypass unit, connect Net B of port group 0 to the other side of the
network.
6 Using the USB cable, plug one USB connector into either USB port on the
7120 appliance, and plug the other connector into the Mgmt USB port on the 2 In-line Bypass unit.
To cable in-line pair 1 with port group 1
1 Shut down the 7120 appliance if it is running.
2 On the bypass unit, connect Net A of port group 1 to one side of the network.
3 Connect App A of port group 1 to port 2 on your appliance.
4 Connect App B of port group 1 to port 3 on your appliance.
5 On the bypass unit, connect Net B of port group 1 to the other side of the
network.
6 If the USB cable is not yet connected, plug one USB connector into either
USB port on the 7120 appliance, and plug the other connector into the Mgmt USB port on the 2 In-line Bypass unit.
Powering the 7120 on or off
As the last step in the physical installation of the 7120 appliance, connect and turn on the power. When the appliance powers on, you should hear the hard drive spin up and the fans turn on, and see the LEDs and LCD screen light up.
An uninterruptible power supply (UPS) is recommended. Do not use an extension cord.
To power the 7120 on for the first time
Connect one end of the power cord to the AC power socket on the appliance,
and plug the other end into the power source. The 7120 powers up automatically.
Powering the 7120 off before initial configuration
If you need to power the 7120 off before performing initial configuration, you can use the master power switch or the Shutdown Host option on the LCD. After initial configuration, you should power the appliance off by using the LCD menu item or a command on the serial console.
See “Powering off the appliance” on page 152.
To power the 7120 off before initial configuration
Do one of the following:
On the LCD panel, use the buttons to navigate to the Shutdown Host
option on the LCD screen and press e.
On the back panel of the 7120, press and hold the master power switch
for approximately 5 seconds until you hear the fans stop.
Cabling for model 7160
This section describes cabling for model 7160. If you have a different model, refer to the appropriate section.
See “Cabling for model 7120” on page 49.
See “Cabling for model 7161” on page 62.
The following topics are covered here:
Connecting the management, reset, and serial ports
Cabling for passive mode monitoring
Cabling for in-line mode monitoring
Cabling a bypass unit for fail-open
Powering the 7160 on or off
Warning: To prevent a possible electric shock, do not connect the power until all other cabling is done. An alarm will sound if you connect only one power cord.
Figure 4-5 shows the back panel of the 7160.
Figure 4-5 7160 back panel
1 - Power supplies 2 - Power switch 3 - USB ports 4 - Serial port 5 - Compact flash adapter 6 - Port 0 7 - Port 1 8 - Port 2 9 - Port 3
10 - Port 4 11 - Port 5 12 - Port 6 13 - Port 7 14 - RST0 15 - RST1 16 - RST2 17 - Management port
Connecting the management, reset, and serial ports
You need four Ethernet cables of an appropriate length to connect the management and reset ports to your network.
Use the provided serial console cable to connect the serial port to your serial device.
To connect the management port
Connect the management port on the appliance to your management
network.
To connect the reset ports
1 Connect the first reset port (RST0) on the appliance to a monitored network
where you want to send TCP resets.
2 Connect the second reset port (RST1) on the appliance to a monitored
network where you want to send TCP resets.
3 Connect the third reset port (RST2) on the appliance to a monitored network
where you want to send TCP resets.
To connect the serial port
Connect the serial port on the appliance to a laptop, PC, or other serial
device.
Cabling for passive mode monitoring
The 7160 appliance can monitor up to eight separate network segments. All monitoring ports are 10/100/1000 Base-T Ethernet, capable of handling up to 1 Gbps of network traffic.
To access network segments for monitoring, you can connect each port to a hub, a router, or a switch.
To cable the 7160 for passive mode monitoring
Connect ports 0 through 7 of the appliance to the eight network segments
that you want to monitor.
Cabling for in-line mode monitoring
The 7160 appliance provides in-line mode monitoring for up to four network segments. In-line mode requires an interface pair for each monitored network segment. The interface pair can be ports 0 and 1, ports 2 and 3, ports 4 and 5, or ports 6 and 7. Other port combinations are not supported.
Within each interface pair, the lower numbered port (the top port on the NIC) connects to one side of the network, while the port with the higher number connects to the other side of the network.
To use in-line mode for monitoring fewer than four network segments, you may use any of the supported interface pairs (ports 0/1, ports 2/3, ports 4/5, or ports 6/7). You can use the remaining ports for monitoring other network segments in passive mode.
Figure 4-6 depicts a 7160 using in-line mode to monitor four network segments.
Figure 4-6 7160 using in-line mode (figure shows both sides of network segments 1 through 4 connected to the 7160)
To cable the 7160 for in-line mode monitoring
1 Connect port 0 of the appliance to one side of network segment 1.
2 Connect port 1 of the appliance to the other side of network segment 1.
3 Connect port 2 of the appliance to one side of network segment 2.
4 Connect port 3 of the appliance to the other side of network segment 2.
5 Connect port 4 of the appliance to one side of network segment 3.
6 Connect port 5 of the appliance to the other side of network segment 3.
7 Connect port 6 of the appliance to one side of network segment 4.
8 Connect port 7 of the appliance to the other side of network segment 4.
Cabling a bypass unit for fail-open
This section describes how to install a Symantec Network Security In-line Bypass unit to provide fail-open capability. The 4 In-line Bypass unit is recommended for operation with the 7160.
Note: Only the 4 In-line Bypass unit is supported for use with model 7160.
Figure 4-7 shows the 4 In-line Bypass unit.
Figure 4-7 4 In-line Bypass unit
The 4 In-line Bypass unit contains four port groups, each with four ports. Two ports, Net A and App A, are associated with one port of the 7160 in-line pair and the corresponding side of the network. The other two ports in the port group, Net B and App B, are associated with the other port of the 7160 in-line pair and the other network connection.
Figure 4-8 depicts a 4 In-line Bypass unit deployed with a 7160 and other
network devices.
Figure 4-8 4 In-line Bypass unit deployed with 7160 (figure shows port groups 0 through 3 of the 4 In-line Bypass unit connected to the 7160)
0 - Port 0 1 - Port 1 2 - Port 2 3 - Port 3 4 - Port 4 5 - Port 5 6 - Port 6 7 - Port 7 8 - RST0 9 - RST1
10 - RST2 11 - Management port 12 - Mgmt USB on bypass unit 13 - USB ports 14 - In-line pair 0 15 - In-line pair 1 16 - In-line pair 2 17 - In-line pair 3
Note: Follow the cabling instructions carefully to match each in-line interface pair with its associated port group on the bypass unit. Connect in-line pair 0 (ports 0/1 on the appliance) to port group 0 on the bypass unit. Connect in-line pair 1 on the 7160 to port group 1 on the bypass unit. Connect in-line pair 2 to port group 2, and connect in-line pair 3 to port group 3.
The Net A port of each port group on the bypass unit is implemented as 10/100/1000Base-TX. You may need a crossover cable to connect Net A to some devices. The Net B port of each port group is implemented as 10/100/1000Base-T. Consult the documentation for your network devices to determine whether they require crossover connections.
The following procedures do not anticipate the type of cable. It is up to you to select a crossover cable if your network device requires one.
The link parameters, including speed and duplex mode, should be auto-negotiated between Net A and App A, and Net B and App B. Do not force the link speed or duplex mode to a specific setting on network devices that connect to Net A or Net B.
See “About the In-line Bypass unit” on page 35.
To connect the bypass unit App A and App B ports to the 7160 in-line pair, use the Ethernet cables provided with the bypass unit.
Note: After connecting the bypass unit to the 7100 Series and powering both on, all port groups are initially in bypass mode. To change the port group to online mode, you must start a sensor on the in-line pair that is connected to that port group. Event detection can occur only when the port group is in online mode.
See “Starting a sensor on an appliance interface” on page 115.
To cable in-line pair 0 with port group 0
1 Shut down the 7160 appliance if it is running.
2 On the bypass unit, connect Net A of port group 0 to one side of the network.
3 Connect App A of port group 0 to port 0 on your appliance.
4 Connect App B of port group 0 to port 1 on your appliance.
5 On the bypass unit, connect Net B of port group 0 to the other side of the
network.
6 Using the USB cable, plug one USB connector into either USB port on the
7160 appliance, and plug the other connector into the Mgmt USB port on the 4 In-line Bypass unit.
To cable in-line pair 1 with port group 1
1 Shut down the 7160 appliance if it is running.
2 On the bypass unit, connect Net A of port group 1 to one side of the network.
3 Connect App A of port group 1 to port 2 on your appliance.
4 Connect App B of port group 1 to port 3 on your appliance.
5 On the bypass unit, connect Net B of port group 1 to the other side of the
network.
6 If the USB cable is not yet connected, plug one USB connector into either
USB port on the 7160 appliance, and plug the other connector into the Mgmt USB port on the 4 In-line Bypass unit.
To cable in-line pair 2 with port group 2
1 Shut down the 7160 appliance if it is running.
2 On the bypass unit, connect Net A of port group 2 to one side of the network.
3 Connect App A of port group 2 to port 4 on your appliance.
4 Connect App B of port group 2 to port 5 on your appliance.
5 On the bypass unit, connect Net B of port group 2 to the other side of the
network.
6 If the USB cable is not yet connected, plug one USB connector into either
USB port on the 7160 appliance, and plug the other connector into the Mgmt USB port on the 4 In-line Bypass unit.
To cable in-line pair 3 with port group 3
1 Shut down the 7160 appliance if it is running.
2 On the bypass unit, connect Net A of port group 3 to one side of the network.
3 Connect App A of port group 3 to port 6 on your appliance.
4 Connect App B of port group 3 to port 7 on your appliance.
5 On the bypass unit, connect Net B of port group 3 to the other side of the
network.
6 If the USB cable is not yet connected, plug one USB connector into either
USB port on the 7160 appliance, and plug the other connector into the Mgmt USB port on the 4 In-line Bypass unit.
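The pair-to-port-group rules in the 7120 and 7160 bypass-cabling sections above (in-line pair 0 to port group 0, the even port of each pair to App A, the odd port to App B, only the pairs 0/1, 2/3, 4/5, 6/7) are easy to get wrong with eight cables in a rack, and a half-cabled pair cannot be brought online. The following Python script is an added example, not Symantec's code; it checks a written cabling plan against those rules before anyone touches a cable. The MODELS table (7120: ports 0 through 3 with the 2 In-line Bypass unit's port groups 0 and 1; 7160: ports 0 through 7 with the 4 In-line Bypass unit's port groups 0 through 3), the Link type, and the sample plans are constructed for this example.

```python
"""Cabling-plan check for 7100 Series in-line pairs and bypass port groups.

Added example; not Symantec code. It encodes the rules the cabling sections
state: in-line pairs are (0,1), (2,3), (4,5), (6,7) only; in-line pair k is
cabled to bypass port group k; the even (lower) port of the pair goes to
App A and the odd port to App B of that group; Net A and Net B of the group
go to the two sides of the network. The model table is assumed from the
text: 7120 has ports 0-3 and uses the 2 In-line Bypass unit (groups 0-1),
7160 has ports 0-7 and uses the 4 In-line Bypass unit (groups 0-3).
"""
from dataclasses import dataclass

# Assumed from the manual's per-model cabling sections.
MODELS = {
    "7120": {"ports": range(0, 4), "port_groups": range(0, 2)},
    "7160": {"ports": range(0, 8), "port_groups": range(0, 4)},
}


@dataclass(frozen=True)
class Link:
    """One cable from an appliance monitoring port to a bypass-unit App port."""
    appliance_port: int   # monitoring port number on the appliance
    bypass_group: int     # port group index on the bypass unit
    bypass_port: str      # "App A" or "App B"


def pair_index(port: int) -> int:
    """In-line pair k consists of ports 2k and 2k+1."""
    return port // 2


def expected_app_port(port: int) -> str:
    """Even (lower) port of a pair -> App A, odd (higher) port -> App B."""
    return "App A" if port % 2 == 0 else "App B"


def check_plan(model: str, links: list[Link]) -> list[str]:
    """Return the problems found; an empty list means the plan follows the manual."""
    spec = MODELS[model]
    problems: list[str] = []
    seen_ports: set[int] = set()
    group_ports: dict[int, set[int]] = {}
    for link in links:
        port, group = link.appliance_port, link.bypass_group
        if port not in spec["ports"]:
            problems.append(f"port {port} does not exist on the {model}")
            continue
        if group not in spec["port_groups"]:
            problems.append(f"port group {group} does not exist on the bypass unit for the {model}")
            continue
        if port in seen_ports:
            problems.append(f"port {port} is cabled twice")
        seen_ports.add(port)
        if pair_index(port) != group:
            problems.append(f"port {port} is in in-line pair {pair_index(port)} but is cabled to port group {group}")
        if link.bypass_port != expected_app_port(port):
            problems.append(f"port {port} must connect to {expected_app_port(port)}, not {link.bypass_port}")
        group_ports.setdefault(group, set()).add(port)
    # A port group needs both ports of its pair; a half-cabled pair cannot go online.
    for group, ports in group_ports.items():
        expected = {2 * group, 2 * group + 1}
        if ports != expected:
            problems.append(f"port group {group} needs ports {sorted(expected)}, got {sorted(ports)}")
    return problems


def passive_ports(model: str, links: list[Link]) -> list[int]:
    """Ports not used by any in-line link stay available for passive monitoring."""
    used = {link.appliance_port for link in links}
    return [p for p in MODELS[model]["ports"] if p not in used]


# Constructed sample: a 7160 with in-line pairs 0 and 1 cabled as in the
# "To cable in-line pair 0/1 with port group 0/1" procedures.
GOOD_7160 = [
    Link(0, 0, "App A"), Link(1, 0, "App B"),
    Link(2, 1, "App A"), Link(3, 1, "App B"),
]
# Constructed mistake: in-line pair 1 cabled to port group 0, App A/B swapped.
BAD_7120 = [Link(2, 0, "App B"), Link(3, 0, "App A")]

if __name__ == "__main__":
    print(check_plan("7160", GOOD_7160), passive_ports("7160", GOOD_7160))
    for problem in check_plan("7120", BAD_7120):
        print("-", problem)
```

The check deliberately reports every rule violated on a port rather than stopping at the first, so a plan with a swapped pair shows both the wrong port group and the wrong App port for each cable.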
Powering the 7160 on or off
As the last step in the physical installation of the 7160 appliance, connect and turn on the power. When the appliance powers on, you should hear the hard drive spin up and the fans turn on, and see the LEDs and LCD screen light up.
The dual redundant power supplies on the 7160 are designed to connect to two different power sources. An uninterruptible power supply (UPS) is recommended. Do not use extension cords.
Note: A high-pitched alarm sounds when power is supplied to only one power supply on the appliance. To stop the alarm, connect the other power supply to a power source.
To power the 7160 on for the first time
1 Connect the two power cords to the power sockets on the 7160.
2 Plug one of the power cords into an AC power source.
The 7160 powers up automatically and the alarm will sound.
3 Plug the second power cord into a different AC power source.
Powering the 7160 off before initial configuration
If you need to power the 7160 off before performing initial configuration, you can use the master power switch or the Shutdown option on the LCD. After initial configuration, you should power the appliance off by using the LCD menu item or a command on the serial console.
See “Powering off the appliance” on page 152.
To power the 7160 off before initial configuration
Do one of the following:
On the LCD panel, use the buttons to navigate to the Shutdown Host
option on the LCD screen and press e.
On the back panel of the 7160, press and hold the master power switch
for approximately 5 seconds until you hear the fans stop.
Cabling for model 7161
This section describes cabling for the 7161. If you have a different model, refer to the appropriate section.
See “Cabling for model 7120” on page 49.
See “Cabling for model 7160” on page 54.
The following topics are covered here:
Connecting the management, reset, and serial ports
Cabling for passive mode monitoring
Cabling for in-line mode monitoring
Powering the 7161 on or off
Warning: To prevent a possible electric shock, do not connect the power until all other cabling is done. An alarm will sound if you connect only one power cord.
Figure 4-9 shows the back panel of the 7161.
Figure 4-9 7161 back panel
1 - Power supplies 2 - Power switch 3 - USB ports 4 - Serial port 5 - Compact flash adapter 6 - Port 0 7 - Port 1 8 - Port 2 9 - Port 3
10 - Port 4 11 - Port 5 12 - Port 6 13 - Port 7 14 - RST0 15 - RST1 16 - RST2 17 - Management port
Connecting the management, reset, and serial ports
You need four Ethernet cables of an appropriate length to connect the management and reset ports to your network.
Use the provided serial console cable to connect the serial port to your serial device.
To connect the management port
Connect the management port (port 11) on the appliance to your
management network.
To connect the reset ports
1 Connect the first reset port (port 8) on the appliance to a monitored network
where you want to send TCP resets.
2 Connect the second reset port (port 9) on the appliance to a monitored
network where you want to send TCP resets.
3 Connect the third reset port (port 10) on the appliance to a monitored
network where you want to send TCP resets.
To connect the serial port
Connect the serial port on the appliance to a laptop, PC, or other serial
device.
Cabling for passive mode monitoring
The 7161 appliance can monitor up to eight separate network segments. Four of the 7161 monitoring ports are 1000 Base-SX optical fiber ports, and four are 10/100/1000 Base-T Ethernet ports. Use multimode fiber cables with LC fiber optic connectors for the 7161 fiber ports, and Ethernet cables with RJ45 connectors for the copper ports.
To access network segments for monitoring, you can connect each port to a hub, a router, or a switch.
To cable the 7161 for passive mode monitoring
Connect ports 0 through 7 of the appliance to the eight network segments
that you want to monitor.
Cabling for in-line mode monitoring
The 7161 appliance provides in-line mode monitoring for up to four network segments. In-line mode requires an interface pair for each monitored network segment. The interface pair can be ports 0 and 1, ports 2 and 3, ports 4 and 5, or ports 6 and 7. Other port combinations are not supported.
Within each interface pair, the lower numbered port (the top port on the NIC) connects to one side of the network, while the port with the higher number connects to the other side of the network.
To use in-line mode for monitoring fewer than four network segments, you may use any of the supported interface pairs (ports 0/1, ports 2/3, ports 4/5, or ports 6/7). You can use the remaining ports for monitoring other network segments in passive mode.
Figure 4-10 depicts a 7161 using in-line mode to monitor four network
segments.
Figure 4-10 7161 using in-line mode (figure shows both sides of network segments 1 through 4 connected to the 7161)
To cable the 7161 for in-line mode monitoring
1 Connect port 0 of the appliance to one side of network segment 1.
2 Connect port 1 of the appliance to the other side of network segment 1.
3 Connect port 2 of the appliance to one side of network segment 2.
4 Connect port 3 of the appliance to the other side of network segment 2.
5 Connect port 4 of the appliance to one side of network segment 3.
6 Connect port 5 of the appliance to the other side of network segment 3.
7 Connect port 6 of the appliance to one side of network segment 4.
8 Connect port 7 of the appliance to the other side of network segment 4.
Powering the 7161 on or off
As the last step in the physical installation of the 7161 appliance, connect and turn on the power. When the appliance powers on, you should hear the hard drive spin up and the fans turn on, and see the LEDs and LCD screen light up.
The dual redundant power supplies on the 7161 are designed to connect to two different power sources. An uninterruptible power supply (UPS) is recommended. Do not use extension cords.
Note: A high-pitched alarm sounds when power is supplied to only one power supply on the appliance. To stop the alarm, connect the other power supply to a power source.
To power the 7161 on for the first time
1 Connect the two power cords to the power sockets on the 7161.
2 Plug one of the power cords into an AC power source.
The 7161 powers up automatically and the alarm will sound.
3 Plug the second power cord into a different AC power source.
To power the 7161 on after the initial cabling
The 7161 powers on automatically when first connected to a power source.
Powering the 7161 off before initial configuration
If you need to power the 7161 off before performing initial configuration, you can use the master power switch or the Shutdown option on the LCD. After initial configuration, you should power the appliance off by using the LCD menu item or a command on the serial console.
See “Powering off the appliance” on page 152.
To power the 7161 off before initial configuration
Do one of the following:
On the LCD panel, use the buttons to navigate to the Shutdown Host
option on the LCD screen and press e.
On the back panel of the 7161, press and hold the master power switch
for approximately 5 seconds until you hear the fans stop.
Chapter 5
Initializing Symantec Network Security
This chapter includes the following topics:
About initializing Symantec Network Security
LCD panel initial configuration
Serial console initial configuration
Compact flash initial configuration
Default login accounts
About initializing Symantec Network Security
Initial configuration of the Symantec Network Security 7100 Series appliance is quick and straightforward. The configuration process prompts you for information, after which Symantec Network Security is installed on the 7100 Series node.
Some of the required information depends on whether you are adding the appliance as a master or a slave node. You can deploy one or more master nodes independently in your network. Multiple independent master nodes are known as single nodes. You can also deploy a master node as part of a cluster. A cluster can include multiple slave nodes that operate in sync with the master. For more information, see the Symantec Network Security Administration Guide.
You can choose among three methods for answering the questions:
LCD panel
Serial console
Compact flash
The LCD subsystem contains a 2-line by 16-character liquid crystal display screen and six push buttons for entering input. It is located on the front bezel of the appliance.
To use the LCD panel or the compact flash method for initial configuration, you must use the LCD panel to select your choice. To use the serial console method, you can access the appliance directly from the serial console by logging in using the default username (secadm) and password (Symantec).
LCD panel initial configuration
When the appliance boots up for the first time, the LCD displays a menu with the three configuration method choices and a fourth menu item for shutting down the appliance. After a minute or so of inactivity, the LCD reverts to displaying the date and time. You can access the menu again by pressing one of the buttons.
Figure 5-1 LCD initial menu
This section describes the LCD method of initial configuration.
During initial configuration, the LCD screen displays one question or prompt at a time on the top line, and your input appears on the bottom line.
Use the four arrow buttons to compose your input.
To scroll through characters or numbers, press the up or down arrow
buttons.
To speed up the scrolling rate, hold the button.
To move the cursor position, press the left or right arrow buttons.
To enter your answer and move to the next question, press the e button.
To start over, press the s button.
Procedures for configuring a master or slave node are provided in the sections below.
Using the LCD panel to configure a master node
Using the LCD panel to configure a slave node
The procedures show each prompt as it appears on the LCD display, along with the expected input. The questions are limited to 16 characters.
Figure 5-2 shows the LCD panel on the front bezel of the appliance.
Figure 5-2 LCD panel
1 - LCD screen 2 - Arrow buttons 3 - s button 4 - e button
5 - Power LED 6 - Disk activity LED 7 - Traffic in LED 8 - Traffic out LED 9 - Temperature LED
Using the LCD panel to configure a master node
This section contains the procedure for initial configuration of a master node by using the LCD panel.
To configure your appliance as a slave node, see “Using the LCD panel to
configure a slave node” on page 72.
To use the LCD panel for initial configuration of a master node
1 Use the master power switch to turn on the power, if necessary.
During the boot process, the LCD screen displays:
Symantec v1.03
OK
Wait for the appliance to boot up.
2 When the LCD screen displays the first menu choice, for example:
SNS7120
1. LCD Config
press the e button. Press s at any time to start over. If this menu item is not displayed, press any button to return to the menu or
press the up or down arrow buttons to scroll through the menu.
3 For:
Local IP Address [000]000.000.000
use the arrow buttons to enter the local IP address for the appliance. Use the up or down buttons to scroll through the numbers for each three-digit part of the address. Use the right or left buttons to move the cursor brackets.
Note: If this node is not behind a NAT router, the Network Security console will use the local IP address to connect to the node. Otherwise, it uses the NAT address that is provided later in the procedure.
Press e.
4 For:
Local IP Netmask [000]000.000.000
use the arrow buttons to enter the netmask for the local subnet, for example:
255.255.255.000. The netmask designates the part of the address that refers to the network, as opposed to the host.
Press e.
5 For:
Default Gateway [000]000.000.000
use the arrow buttons to enter the default gateway for the local subnet. The default gateway is the router on the local network.
Press e.
6 For:
Master Node? [Yes] No
leave the cursor on Yes. The node number is automatically set to 1 for a master node. Press e.
7 For:
QSP Port Number 6234[5]
use the arrow buttons to change the QSP port number. The QSP port number is used when connecting to the 7100 Series node from the Network Security console and for communication between master and slave nodes in a cluster.
Warning: Randomly choose a unique number between 1025 and 65535. A random, unique QSP port number prevents profiling by intruders. All slave nodes must use the same QSP port number that the master node uses.
Press e.
8 For:
Timezone (GMT):
[+0]
use the up/down arrow buttons to scroll to the hour offset of your time zone from Greenwich Mean Time (GMT). For example, the offset in Tokyo is +9 and the offset in San Francisco is -8 (PST) or -7 (PDT).
Press e.
9 For:
Date: MMDDhhmmYY
[0]
use the arrow buttons to input the month, date, hour, minute, and year using two digits for each. Use 24-hour format for the hour. For example, May 12, 2004 at 1:05pm is entered as: 0512130504.
Press e.
10 For:
Superuser Pswd
[a]
use the arrow buttons to input a 6 to 14 character password to use for:
superuser account on the Network Security console
Unlocking the LCD panel
operating system secadm account
operating system root account
elevate command used by secadm
Note: You can change to separate passwords for root, secadm, and superuser after initial configuration. The password for unlocking the LCD always matches the root password, and the elevate password always matches the secadm password.
You can select lower and upper case letters, numbers, and a subset of special characters for the password.
Press e.
11 For:
NAT Addressed?
Yes [No]
do one of the following:
If Network Address Translation (NAT) is not used, leave the cursor on
No.
If the node is behind a NAT router, use the arrow buttons to move the
cursor to Yes, press e, and at the display:
NAT Address [000]000.000.000
use the arrow buttons to enter the externally visible IP address. This is the address the Network Security console will use to connect to the appliance.
Press e.
12 For:
Configure SNS? [Yes] No
do one of the following:
To proceed with installation of Symantec Network Security, leave the
cursor on Yes.
To start the initial configuration process over, use the arrow buttons to
move the cursor to No.
Press e.
13 For:
Success Press any button
press any button.
14 For:
Reboot Now? [Yes] No
press e to reboot the appliance and start Symantec Network Security.
Using the LCD panel to configure a slave node
This section contains the procedure for initial configuration of a slave node by using the LCD panel.
Note: A Symantec Network Security 7100 Series appliance can only be deployed as a slave node to another 7100 Series appliance or to a master node running Symantec Network Security 4.0.
For more information about master and slave nodes, see the Symantec Network Security Administration Guide.
If you wish to configure your appliance as a master node, see “Using the LCD panel to configure a master node” on page 69.
To use the LCD panel for initial configuration of a slave node
1 Use the master power switch to turn on the power, if necessary.
During the boot process, the LCD screen displays:
Symantec v1.03
OK
Wait for the appliance to boot up.
2 When the LCD screen displays the first menu choice, for example:
SNS7120
1. LCD Config
press the e button. Press s at any time to start over. If this menu item is not displayed, press any button to return to the menu, or press the up or down arrow buttons to scroll through the menu.
3 For:
Local IP Address
[000]000.000.000
use the arrow buttons to enter the local IP address for the appliance. Use the up or down buttons to scroll through the numbers for each three-digit part of the address. Use the right or left buttons to move the cursor brackets.
Note: If this node is not behind a NAT router, this is the address the master node will use to communicate with this slave node. Otherwise, the master uses the NAT address that is provided later in the procedure.
Press e.
4 For:
Local IP Netmask
[000]000.000.000
use the arrow buttons to enter the netmask for the local subnet, for example:
255.255.255.000. The netmask designates the part of the address that refers to the network, as opposed to the host.
Press e.
5 For:
Default Gateway
[000]000.000.000
use the arrow buttons to enter the default gateway for the local subnet. The default gateway is the router on the local network.
Press e.
6 For:
Master Node? [Yes] No
use the arrow buttons to move the cursor to No. Press e.
7 For:
Slave Node Nmbr [2]
do one of the following:
Leave the node number as is.
Use the arrow buttons to enter a unique node number.
Press e.
Note: The node number must match the number you provide when adding the slave node object to the topology tree in the Network Security console. You can assign a unique number between 2 and 120.
8 For:
Master Node Nmbr [1]
do one of the following:
If 1 is the correct master node number, leave it as is.
Use the arrow buttons to enter the master node number.
Press e.
9 For:
Master Node IP [000]000.000.000
use the arrow buttons to enter the master node management IP address. Press e.
10 For:
Master Node Pswd [a]
use the arrow buttons to input the master node synchronization password. Press e.
Warning: The Master Node Pswd you input here must match the Master Node Sync Password you enter when adding the slave node object to the topology tree in the Network Security console. See “Configuring appliance nodes” on page 102.
Use this password for:
Unlocking the LCD panel
operating system secadm account
operating system root account
elevate command used by secadm
Note: You can change to separate passwords for root and secadm after initial configuration. The elevate password always matches the root password, and the password for unlocking the LCD matches the secadm password.
You can select lower and upper case letters, numbers, and a subset of special characters.
11 For:
QSP Port Number
6234[5]
use the arrow buttons to change the QSP port number. On a slave node, the QSP port number is used for communication with the master node in the cluster.
Warning: Randomly choose a unique number between 1025 and 65535. A random, unique QSP port number prevents profiling by intruders. All slave nodes must use the same QSP port number that the master node uses.
Press e.
12 For:
Timezone (GMT):
[+0]
use the up or down arrow buttons to scroll to the hour offset of your time zone from Greenwich Mean Time (GMT). For example, the offset in Tokyo is +9 and the offset in San Francisco is -8 (PST) or -7 (PDT).
Press e.
13 For:
Date: MMDDhhmmYY
[0]
use the arrow buttons to input the month, date, hour, minute, and year using two digits for each. Use 24-hour format for the hour. For example, May 12, 2004 at 1:05pm is entered as: 0512130504.
Press e.
14 For:
NAT Addressed? Yes [No]
do one of the following:
If you do not use Network Address Translation (NAT) when accessing the appliance, leave the cursor on No.
If the node is behind a NAT router, use the arrow buttons to move the cursor to Yes, press e, and at the display: NAT Address [000]000.000.000 use the arrow buttons to enter the externally visible IP address.
Press e.
15 For:
Configure SNS? [Yes] No
do one of the following:
To proceed with installation of Symantec Network Security, leave the
cursor on Yes.
To start the initial configuration process over, use the arrow buttons to
move the cursor to No.
Press e.
16 For:
Success Press any button
press any button.
17 For:
Reboot Now? [Yes] No
press e to reboot the appliance and start Symantec Network Security.
Serial console initial configuration
You can use a serial terminal application with VT100 emulation for the initial configuration of your Symantec Network Security 7100 Series appliance. Each appliance has a serial port on the back for connecting to a serial terminal. The
serial console stays on while the appliance is running. To use it you must enter the correct login and password, which have default values for initial configuration.
Some required information depends on whether you are adding the appliance as a master or a slave node. Both procedures are provided in the following sections:
Configuring a master node using the serial console
Configuring a slave node using the serial console
Note: Truncated error messages are sent to the LCD screen if errors occur during initial configuration.
Starting a serial console
Before you can begin the configuration, you must connect the appliance to the serial terminal device and start the serial terminal application.
To start the serial console
1 Connect one end of the serial console cable to the serial port on the back of the appliance.
2 Connect the other end of the serial console cable to the serial port on your PC, laptop, or other serial device.
3 Start a serial terminal application on your serial device.
The recommended settings are:
Speed 115200
Data bits 8
Parity None
Stop bits 1
Flow control None
4 Press Enter to get a login: prompt on the serial console.
Configuring a master node using the serial console
This section contains the procedure for initial configuration of a master node by using the serial console.
To configure your appliance as a slave node, see “Configuring a slave node using the serial console” on page 80.
To configure a master node using the serial console
1 At the login prompt in the serial console window, enter secadm
2 At the password prompt, enter Symantec
3 At the SNS7100> prompt, enter configure
This starts the initial configuration script, which prompts you for information, as shown in the following steps. To quit at any time, enter q.
4 Enter the local IP address of the administration interface:
Type the local IP address of the appliance.
Note: If this node is not behind a NAT router, the Network Security console will use the local IP address to connect to the node. Otherwise, it uses the NAT address that is provided later in the procedure.
5 Enter the netmask for this node:
Type the netmask. The netmask designates the part of the address that refers to the network, as opposed to the host. A typical netmask is
255.255.255.0
6 Enter the gateway address for this node:
Type the gateway IP address. This is the IP address of the default router on the local network.
7 Is this the first install for this cluster? [YES/no]
Press Enter to take the default, YES, for a master node. The node number is set to 1.
8 Enter qspproxy port number (default: 62432):
Press Enter to accept the randomized default or enter a number between 1025 and 65535.
The qspproxy port number (QSP port number) is used to connect to the 7100 Series node from the Network Security console, and for communication between nodes in a cluster.
Warning: Randomly choose a unique number between 1025 and 65535. A random, unique QSP port number prevents profiling by intruders. All slave nodes must use the same QSP port number that the master node uses.
9 Enter GMT timezone offset (i.e. +5):
Type the number of hours your time zone differs from Greenwich Mean Time (GMT). For example, the offset in Tokyo is +9 and the offset in San Francisco is -8 (PST) or -7 (PDT).
10 Enter date in MMDDhhmmYY format:
Type the current month, date, hour, minute, and year using two digits for each. For the hour, use 24 hour format. For example, May 12, 2004 at 1:05pm is entered as: 0512130504.
11 Superuser password (6-14 characters):
Type the password for this node. The characters are not displayed on the console window.
This password is used for:
superuser account on the Network Security console
Unlocking the LCD panel
operating system secadm account
operating system root account
elevate command used by secadm
Note: You can change the passwords for root/elevate and secadm / LCD unlocking after initial configuration. You can also change the password for the Network Security console superuser account.
12 Please enter the password again:
Re-enter the password for confirmation.
13 Is this node behind NAT? [yes/NO]
Do one of the following:
If you do not use Network Address Translation (NAT) when accessing the appliance, press Enter to accept the default, NO.
If the node is behind a NAT router, type yes, press Enter, and at the next prompt:
Enter NAT address:
type the externally visible IP address. This is the address that the Network Security console will use to connect to the node.
14 Configuration Information:
Local IP Address : 10.10.10.5
Netmask : 255.255.255.0
Gateway : 10.10.10.1
Master Node? : Yes
Qsp node number : 1
Qsp proxy port : 62432
Behind NAT : No
Verify that the displayed values are correct. Sample values are shown here.
15 Ready to install? [YES/no]
Do one of the following:
Press Enter to accept the default, YES, to proceed with the installation if you believe you have entered all of the information correctly. The script displays:
Configuring SNS (this may take a while)
and, when it is finished:
Done installing. Please reboot.
Type no if you need to make a correction or are not ready to proceed with the installation of Symantec Network Security. The serial console displays the SNS7100> prompt if you enter no.
16 At the SNS7100> prompt, to reboot and start Symantec Network Security, type:
reboot
Configuring a slave node using the serial console
This section contains the procedure for initial configuration of a slave node by using the serial console.
To configure your appliance as a master node, see “Configuring a master node using the serial console” on page 77.
Note: A Symantec Network Security 7100 Series appliance can only be deployed as a slave node to another 7100 Series or to a master node running Symantec Network Security 4.0.
To configure a slave node using the serial console
1 At the login prompt in the serial console window, enter secadm
2 At the password prompt, enter Symantec
3 At the SNS7100> prompt, enter configure
This starts the initial configuration script, which prompts you for information, as shown in the following steps. To quit at any time, enter q.
4 Enter the local IP address of the administration interface:
Type the local IP address of the management interface.
Note: If this node is not behind a NAT router, this is the address the master node will use to communicate with this slave node. Otherwise, the master uses the NAT address that is provided later in the procedure.
5 Enter the netmask for this node:
Type the netmask. The netmask designates the part of the address that refers to the network, as opposed to the host. A typical netmask is
255.255.255.0
6 Enter the gateway address for this node:
Type the gateway IP address. This is the IP address of the router on the local network.
7 Is this the first install for this cluster? [YES/no]
Type no and press Enter for a slave node.
8 Enter the local node number (default 2):
Press Enter to accept the default node number, 2, or enter a unique number between 2 and 120. This node number cannot be changed once you have finished this procedure and installed Symantec Network Security.
9 Enter the master node number (default 1):
Press Enter to accept the default, or enter the node number of the master node for this cluster.
10 Master node IP:
Type the management IP address of the master node for this cluster.
11 Master node sync password (6-14 characters):
Enter the synchronization password of the master node.
Warning: The Master node sync password you input here must match the Master Node Sync Password you enter when adding the slave node object to the topology tree in the Network Security console. See “Configuring appliance nodes” on page 102.
This password has several initial roles:
Synchronization password for the master node
Unlocking the LCD panel
operating system secadm account
operating system root account and elevate command
Note: You can change the passwords for root/elevate and secadm / LCD unlocking after initial configuration. The root and elevate passwords are linked together, as are the secadm and LCD unlocking passwords.
12 Please enter the password again:
Re-enter the password for confirmation.
13 Enter qspproxy port number (default: 62432):
Press Enter to accept the randomized default or enter a number between 1025 and 65535.
This port number is used for communication between nodes in a cluster.
Note: Randomly choose a unique number between 1025 and 65535. A random, unique QSP port number prevents profiling by intruders. All slave nodes must use the same QSP port number that the master node uses.
14 Enter GMT timezone offset (i.e. +5):
Type the number of hours your time zone differs from Greenwich Mean Time (GMT). For example, the offset in Tokyo is +9 and the offset in San Francisco is -8 (PST) or -7 (PDT).
15 Enter date in MMDDhhmmYY format:
Type the current month, date, hour, minute, and year using two digits for each. For the hour, use 24 hour format.
16 Is this node behind NAT? [yes/NO]
Do one of the following:
If you do not use Network Address Translation (NAT) when accessing the appliance, press Enter to accept the default, NO.
If the node is behind a NAT router, type yes, press Enter, and at the next prompt:
Enter NAT address:
type the externally visible IP address.
17 Configuration Information:
Local IP Address : 10.10.10.8
Netmask : 255.255.255.0
Gateway : 10.10.10.1
Master Node? : No
Master node ip : 10.10.10.5
Master node num : 1
Qsp node number : 2
Behind NAT : Yes
Nat address : 10.10.10.7
Verify that the displayed values are correct. Sample values are shown here.
18 Ready to install? [YES/no]
Do one of the following:
Press Enter to accept the default, YES, to proceed with the installation if you believe you have entered all of the information correctly. The script displays:
Configuring SNS (this may take a while)
and, when it is finished:
Done installing. Please reboot.
Type no if you need to make a correction or are not ready to proceed with the installation of Symantec Network Security. The serial console displays the SNS7100> prompt if you enter no.
19 At the SNS7100> prompt, to reboot and start Symantec Network Security, type:
reboot
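The LCD panel procedures and the serial console procedures above ask for the same set of values (addresses, node numbers, QSP port, password, GMT offset, MMDDhhmmYY date), and the configure script only shows you the Configuration Information summary after everything has been typed in. The following Python script is an added example, not part of this guide or of the appliance software: it validates a planned master or slave node configuration before you sit down at the LCD panel or serial console, generates a random QSP port in the range the warnings call for, renders the date and timezone answers, and prints a summary in the shape of the script's Configuration Information block so you can compare line by line. The NodePlan class and every function name are this example's own. The accepted special-character set and the whole-hour timezone offsets are assumptions, because the guide does not list the permitted characters. Note that a random QSP port only removes the well-known default; a full port sweep still finds the listener, so also restrict who can reach the management interface.

```python
"""Pre-flight check for Symantec Network Security 7100 initial-configuration answers.

Added example for this guide, not Symantec code. Validates the values you will
key into the LCD panel or type at the 'configure' prompts, and renders the
'Configuration Information' summary the serial script prints before installing.
"""
import datetime as dt
import ipaddress
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional

QSP_PORT_MIN, QSP_PORT_MAX = 1025, 65535   # range given in the guide's QSP port warning
NODE_MIN, NODE_MAX = 2, 120                 # slave node numbers accepted by the appliance
PASSWORD_LEN = (6, 14)                      # "6-14 characters"
FACTORY_DEFAULT_PASSWORD = "Symantec"       # default for root and secadm per the guide
# ASSUMPTION: the guide says "a subset of special characters" without listing them.
PASSWORD_CHARS = re.compile(r"^[A-Za-z0-9!@#$%^&*_\-+=.,:;?]+$")


def random_qsp_port() -> int:
    """Pick a QSP/qspproxy port uniformly from 1025-65535 with a CSPRNG."""
    return QSP_PORT_MIN + secrets.randbelow(QSP_PORT_MAX - QSP_PORT_MIN + 1)


def date_field(local_time: dt.datetime) -> str:
    """Render the 'Date: MMDDhhmmYY' answer: two digits each, 24-hour clock."""
    return local_time.strftime("%m%d%H%M%y")


def gmt_offset_field(local_time: dt.datetime) -> str:
    """Render the 'GMT timezone offset (i.e. +5)' answer from an aware datetime.
    ASSUMPTION: the appliance accepts whole-hour offsets only."""
    off = local_time.utcoffset()
    if off is None:
        raise ValueError("local_time must carry tzinfo so the offset is known")
    seconds = int(off.total_seconds())
    if seconds % 3600:
        raise ValueError("offset is not a whole number of hours")
    return f"{seconds // 3600:+d}"


@dataclass
class NodePlan:
    local_ip: str
    netmask: str
    gateway: str
    password: str
    qsp_port: int
    master: bool = True
    node_number: int = 1
    master_node_number: int = 1
    master_ip: Optional[str] = None
    nat_address: Optional[str] = None

    def validate(self) -> List[str]:
        """Return the list of problems found; an empty list means the answers are consistent."""
        problems = []
        try:
            net = ipaddress.IPv4Network(f"{self.local_ip}/{self.netmask}", strict=False)
            gw = ipaddress.IPv4Address(self.gateway)
            if gw not in net:
                problems.append(f"gateway {gw} is not inside {net}")
            elif gw in (net.network_address, net.broadcast_address):
                problems.append("gateway is the network or broadcast address")
            if ipaddress.IPv4Address(self.local_ip) == gw:
                problems.append("local IP and gateway are the same address")
        except ValueError as exc:
            problems.append(f"bad address or netmask: {exc}")
        if not QSP_PORT_MIN <= self.qsp_port <= QSP_PORT_MAX:
            problems.append(f"QSP port {self.qsp_port} outside {QSP_PORT_MIN}-{QSP_PORT_MAX}")
        lo, hi = PASSWORD_LEN
        if not lo <= len(self.password) <= hi:
            problems.append(f"password length must be {lo}-{hi} characters")
        elif not PASSWORD_CHARS.match(self.password):
            problems.append("password uses characters outside the assumed set")
        if self.password == FACTORY_DEFAULT_PASSWORD:
            problems.append("password is the factory default")
        if self.master:
            if self.node_number != 1:
                problems.append("a master node is always node 1")
        else:
            if not NODE_MIN <= self.node_number <= NODE_MAX:
                problems.append(f"slave node number must be {NODE_MIN}-{NODE_MAX}")
            if self.master_ip is None:
                problems.append("slave node needs the master node IP")
            elif self.master_ip == self.local_ip:
                problems.append("master node IP equals this node's IP")
        if self.nat_address is not None:
            try:
                ipaddress.IPv4Address(self.nat_address)
            except ValueError:
                problems.append("NAT address is not a valid IPv4 address")
        return problems

    def summary(self) -> str:
        """Render the rows the configure script shows as 'Configuration Information'."""
        rows = [("Local IP Address", self.local_ip), ("Netmask", self.netmask),
                ("Gateway", self.gateway), ("Master Node?", "Yes" if self.master else "No")]
        if self.master:
            rows += [("Qsp node number", self.node_number), ("Qsp proxy port", self.qsp_port)]
        else:
            rows += [("Master node ip", self.master_ip),
                     ("Master node num", self.master_node_number),
                     ("Qsp node number", self.node_number)]
        rows.append(("Behind NAT", "Yes" if self.nat_address else "No"))
        if self.nat_address:
            rows.append(("Nat address", self.nat_address))
        return "\n".join(f"{name:<17}: {value}" for name, value in rows)


if __name__ == "__main__":
    # Constructed sample values, mirroring the guide's slave example.
    plan = NodePlan("10.10.10.8", "255.255.255.0", "10.10.10.1", "S3cure!pw",
                    random_qsp_port(), master=False, node_number=2,
                    master_ip="10.10.10.5", nat_address="10.10.10.7")
    print(plan.summary())
    print("problems:", plan.validate() or "none")
```

Run it once per node with the values you intend to enter; if validate() returns anything, fix the plan before touching the appliance, because the slave node number cannot be changed once the install finishes.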
Compact flash initial configuration
If you have a compact flash card with a Symantec Network Security configuration already written to it, you can use it to configure your appliance. This convenient method provides a known configuration for a new appliance slave node that you are adding to an existing topology.
To prepare the compact flash, use the Network Security console to first add the new node to your topology. As part of this process, configure its IP address, QSP port, and node password. From the console, save these settings onto a compact flash card. During initial configuration, lab personnel can use the compact flash to configure the new node as planned.
See “Saving initial configuration to compact flash” on page 146.
Note: Be sure the compact flash card is not bootable when you use it for initial configuration. See “Making a non-bootable compact flash card” on page 143.
To use a compact flash for initial configuration
1 Insert the non-bootable compact flash into the compact flash adapter on the back of the appliance.
2 Reboot the appliance to make the compact flash card accessible.
3 On the LCD panel, use the right arrow button to scroll to the Compact Flash menu option, and press e.
4 The appliance reads the configuration information from the compact flash card, automatically decrypts it, and stores it onto the hard drive.
5 The appliance automatically runs the Symantec Network Security silent installation using the stored configuration information. Any errors are written to the LCD screen.
6 The appliance automatically reboots to start Symantec Network Security.
Default login accounts
The Symantec Network Security 7100 Series comes with two login accounts:
root and secadm. The default password for both of these logins is Symantec.
When you run the initial configuration on the appliance, the passwords are changed for both logins to the node password you enter. After initial configuration, it is recommended that you change the password for each account to a unique value. The password you assign to the secadm account will become the new password for unlocking the LCD panel, either from the panel itself or from the Network Security console.
Under normal operation, all tasks can be completed from the Network Security console or by using the buttons on the LCD panel. Occasionally you may need access to the operating system or the Symantec Network Security filesystem for troubleshooting or to view system log files.
You can use the secadm login account to perform certain Symantec Network Security functions on the serial console if the Network Security console is inoperative or unable to connect to the appliance.
See “Using the serial console” on page 158.
The root account has full permissions on the appliance, so care must be taken. It is recommended that you log in as secadm, and if you need root permissions to perform a task, use the elevate command. The elevate command requires the root password. Once elevated, you have root permissions.
You can access the secadm and root accounts from a serial console connected to the appliance, using a serial terminal application.
See “Starting a serial console” on page 77.
Chapter 6
Starting the Network Security console
This chapter includes the following topics:
About the Network Security console
Installing the console
Launching the console
About the Network Security console
Once you have installed your Symantec Network Security 7100 Series appliance and performed initial configuration, the next step is to install the Network Security console on a separate machine.
The Network Security console is a Java application that will run on a Windows or Linux machine.
You can use the console to perform key tasks required to configure and operate Symantec Network Security on your appliance.
Network Security console requirements
The Network Security console can be installed on a computer that meets the minimum requirements given in the following sections:
Console requirements on Windows
Console requirements on Linux
Console requirements on Windows
Table 6-1 shows the minimum requirements needed by a Windows computer for running the Network Security console.
Table 6-1 Console requirements on a Windows system
Parameter           Required minimum value
Operating system    Microsoft Windows 2000, Microsoft Windows XP
Memory              512 MB RAM
Disk space          100 MB
Screen resolution   1024 x 768
Java                Sun Java™ 2 Runtime Environment (J2RE) version 1.4.2
Console requirements on Linux
Table 6-2 shows the minimum requirements needed by a Linux computer for running the Network Security console.
Table 6-2 Console requirements on a Linux system
Parameter           Required minimum value
Operating system    Red Hat Enterprise Linux 3.0 ES
Memory              512 MB RAM
Disk space          100 MB
Screen resolution   1024 x 768
Java                Sun Java™ 2 Runtime Environment (J2RE) version 1.4.2
Installing the console
The Network Security console application is provided on the Management Console CD that is included with your appliance. You can install it on a Windows or Linux machine that has the correct version of the Java Runtime Environment.
See the following sections:
Installing the Java Runtime Environment
Installing the console on Windows
Installing the console on Linux
Installing the Java Runtime Environment
The Network Security console requires the Java Runtime Environment (JRE) version 1.4.2. You can download this free software from the Internet at:
http://java.sun.com
The package to download is called J2SE v1.4.2_04 JRE. Installation instructions are also available on the site.
Note: If you install the console on a Windows system, the setup.exe installation file on the Management Console CD can install the JRE for you.
Installing the console on Windows
This section describes how to install the console on a Windows machine. You should close all other programs before running the console installer.
To install the console on Windows
1 Insert the Management Console CD into the CD drive of the console system.
2 In a My Computer window, double-click the CD drive icon to access the CD.
3 Browse to the ./install/windows folder.
4 Double-click setup.exe.
5 In Symantec Network Security 4.0 Setup, click Next.
6 In Welcome, click Next.
7 In Symantec Software License Agreement, read the agreement, and then click Yes.
8 In Choose Destination Location, do one of the following:
Click Next to accept the default directory:
C:\Program Files\Symantec\SNS
Click Browse to select a different directory, and then click Next.
9 In Select Components, click Next.
The Symantec Network Security and Java Runtime Environment components are selected by default. If you already have JRE 1.4.2_04 installed on this machine, uncheck Java Runtime Environment.
10 In Ready To Install, click Next.
If you chose to install the JRE, the JRE setup is launched.
11 Follow the instructions in the JRE install dialog boxes.
When the JRE installation is finished, the Network Security console installation process completes.
12 In Important Notes, read the text, and then click Next.
13 In Finished, click Close.
Installing the console on Linux
This section describes how to install the console on a Linux machine.
To install the console on Linux
1 Insert the Management Console CD into the CD drive of the console system.
2 Login as root to the console system.
3 Mount the CD filesystem by entering the following:
For Linux, type the command:
mount /mnt/cdrom
4 Create the directory where you want to install the console application. For
example:
mkdir /usr/SNS_console
5 Copy the snsadmin.jar file from the CD filesystem to the install directory on
your hard drive:
For Linux, type the command:
cp /mnt/cdrom/install/unix/snsadmin.jar /usr/SNS_console
Note: Copying the snsadmin.jar file to your hard drive is not required. If you prefer, you can run the console application directly from the CD filesystem after mounting it.
Launching the console
If your appliance is connected to the management network and powered on, you can connect to it by launching the Network Security console.
See the following sections:
Launching the console on Windows
Launching the console on Linux
Using the correct administration IP address
The Network Security console connects to the administration IP address of the appliance. If the appliance is behind a NAT router, the console connects to it using the NAT address. This is true even when the console is also behind the NAT router. The NAT address is the externally visible IP address, which you input during initial configuration of the appliance.
If the appliance is not configured behind a NAT router, the console connects to the local IP address of the appliance. You specify the local IP address during initial configuration as well.
Launching the console on Windows
This section describes how to launch the console on a Windows machine.
To launch the console on Windows
1 Double-click the shortcut to Symantec Network Security on your desktop.
2 In Symantec Network Security Console, enter the administration IP address of the appliance into the Hostname text box. See “Using the correct administration IP address” on page 89.
3 In the Port text box, enter the qspproxy port number for the appliance.
The port number is set during initial configuration of the appliance.
4 In the Username text box, enter superuser
The superuser username is configured by default during initial configuration. This account has the highest level of privileges when used to log in on the Network Security console.
5 In the Passphrase text box, enter the superuser passphrase that was set
during initial configuration.
6 Click OK.
Launching the console on Linux
This section describes how to launch the console on a Linux machine.
To launch the console on Linux
1 Change to the directory where the console application is installed. For
example:
cd /usr/SNS_console
2 Type the following command:
java -jar -Xmx256m snsadmin.jar
If the location of the java program is not in your PATH environment variable, you can provide the full path in the command. For example:
/usr/local/bin/java -jar -Xmx256m snsadmin.jar
The option -Xmx256m allots the required memory for the application.
3 In Symantec Network Security, enter the administration IP address of the appliance into the Hostname text box. See “Using the correct administration IP address” on page 89.
4 In the Port text box, enter the qspproxy (QSP) port number for the appliance. The port number is set during initial configuration of the appliance.
5 In the Username text box, enter superuser
The superuser username is configured by default during initial configuration. This account has the highest level of privileges when used to log in on the Network Security console.
6 In the Passphrase text box, enter the superuser passphrase that was set
during initial configuration.
7 Click OK.
Chapter 7
Licensing
This chapter includes the following topics:
About licensing
Installing licenses
Checking the license status
Adding to licenses
Calling for help
About licensing
Licenses are required for each 7100 Series node, but not for the console. Symantec Network Security software functionality is activated by license. Only the SuperUser has permission to update licenses.
You can use the Network Security console to install the license file on your 7100 Series node. The first time you use the console to connect to a master node after initial configuration, a licensing window prompts you to supply the license file. To license a slave node, you must connect to the master node and use the menu to access licensing.
When a license expires, a new license must be installed to activate the node. When no license is installed, only the licensing window is active.
Standard Symantec licenses are node locked to the Symantec System ID, and are based on the monitored bandwidth. The license automatically includes maintenance and support for the first year. This consists of technical support, content updates via LiveUpdate, and software upgrades. You can contract for maintenance and support separately from the license after the first year.
See the Symantec licensing Web site at https://licensing.symantec.com for more information about obtaining a license.
Bandwidth licensing options
The Symantec Network Security 7100 Series has extremely flexible bandwidth licensing. There are multiple licensing options available for each model as base activation licenses.
Table 7-1 shows the base activation licenses for each 7100 Series model.
Table 7-1 Base activation licenses
Model          Base activation license
7120           50 Mbps
               100 Mbps
               200 Mbps
7160 / 7161    250 Mbps
               500 Mbps
               1.0 Gbps
               2.0 Gbps
You can purchase additive licenses if your initial bandwidth requirement estimate is too low. Additive licenses provide additional bandwidth for your license.
Table 7-2 shows the available additive licenses.
Table 7-2 Additive licenses
Model          Additive license
7120           50 Mbps
               100 Mbps
7160 / 7161    250 Mbps
               500 Mbps
               1.0 Gbps
Installing licenses
The Symantec Network Security software functionality is activated by license. A separate license must be installed for each 7100 Series node, but the console