Any technical documentation that is made available by Symantec Corporation is the copyrighted work
of Symantec Corporation and is owned by Symantec Corporation.
NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec
Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the
information contained therein is at the risk of the user. Documentation may include technical or other
inaccuracies or typographical errors. Symantec reserves the right to make changes without prior
notice.
No part of this publication may be copied without the express written permission of Symantec
Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton
AntiVirus are U.S. registered trademarks of Symantec Corporation. Symantec AntiVirus, Symantec
Enterprise Security Architecture, and Symantec Security Response are trademarks of Symantec
Corporation.
Other brands and product names mentioned in this manual may be trademarks or registered
trademarks of their respective companies and are hereby acknowledged.
Windows is a registered trademark, and 95, 98, NT and 2002 are trademarks of Microsoft Corporation.
Pentium is a registered trademark of Intel Corporation. Sun is a registered trademark, and Java, Solaris,
Ultra, Enterprise, and SPARC are trademarks of Sun Microsystems. UNIX is a registered trademark of
UNIX System Laboratories, Inc. Cisco and Catalyst are registered trademarks of Cisco Systems, Inc.
Foundry is a registered trademark of Foundry Networks. Juniper is a registered trademark of Juniper
Networks, Inc. iButton is a trademark of Dallas Semiconductor Corp. Dell is a registered trademark of
Dell Computer Corporation. Check Point and OPSEC are trademarks and FireWall-1 is a registered
trademark of Check Point Software Technologies, Ltd. Tripwire is a registered trademark of Tripwire,
Inc.
Symantec Network Security software contains/includes the following Third Party Software from
external sources:
Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1
Technical support
As part of Symantec Security Response, the Symantec global Technical Support
group maintains support centers throughout the world. The Technical Support
group’s primary role is to respond to specific questions on product feature/
function, installation, and configuration, as well as to author content for our
Web-accessible Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering as well as Symantec Security Response to provide
Alerting Services and Virus Definition Updates for virus outbreaks and security
alerts.
Symantec technical support offerings include:
■A range of support options that give you the flexibility to select the right
amount of service for any size organization
■Telephone and Web support components that provide rapid response and
up-to-the-minute information
■Upgrade insurance that delivers automatic software upgrade protection
■Content Updates for virus definitions and security signatures that ensure
the highest level of protection
■Global support from Symantec Security Response experts, which is
available 24 hours a day, 7 days a week worldwide in a variety of languages
■Advanced features, such as the Symantec Alerting Service and Technical
Account Manager role, offer enhanced response and proactive security
support
Please visit our Web site for current information on Support Programs. The
specific features available may vary based on the level of support purchased and
the specific product that you are using.
Licensing and registration
If the product that you are implementing requires registration and/or a license
key, the fastest and easiest way to register your service is to access the
Symantec licensing and registration site at www.symantec.com/certificate.
Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html,
select the product that you wish to register, and from the Product Home Page,
select the Licensing and Registration link.
Contacting Technical Support
Customers with a current support agreement may contact the Technical
Support group via phone or online at www.symantec.com/techsupp.
Customers with Platinum support agreements may contact Platinum Technical
Support via the Platinum Web site at www-secure.symantec.com/platinum/.
Customer Service
When contacting the Technical Support group, please have the following:
■Product release level
■Hardware information
■Available memory, disk space, NIC information
■Operating system
■Version and patch level
■Network topology
■Router, gateway, and IP address information
■Problem description
■Error messages/log files
■Troubleshooting performed prior to contacting Symantec
To contact Enterprise Customer Service online, go to www.symantec.com, select
the appropriate Global Site for your country, then choose Service and Support.
Customer Service is available to assist with the following types of issues:
■Questions regarding product licensing or serialization
■Product registration updates such as address or name changes
■General product information (features, language availability, local dealers)
■Latest information on product updates and upgrades
■Information on upgrade insurance and maintenance contracts
■Information on Symantec Value License Program
■Advice on Symantec's technical support options
■Nontechnical presales questions
■Missing or defective CD-ROMs or manuals
Contents
Chapter 1 Introduction
About the Symantec Network Security foundation ..........................................9
About the Symantec Network Security 7100 Series .................................9
About other Symantec Network Security features ................................ 11
Finding information ............................................................................................ 14
About 7100 Series appliance documentation ......................................... 14
About software documentation ................................................................. 15
About the Web sites .................................................................................... 16
About this guide ........................................................................................... 17
Chapter 2 Architecture
About Symantec Network Security .................................................................. 19
About the core architecture ............................................................................... 19
About detection ........................................................................................... 20
About analysis .............................................................................................. 24
About response ............................................................................................ 25
About management and detection architecture ............................................. 26
About the Network Security console ........................................................ 26
About the node architecture ...................................................................... 28
About the 7100 Series appliance node ..................................................... 31
Chapter 3 Getting Started
Getting started ..................................................................................................... 35
About the management interfaces ................................................................... 35
About the Network Security console ........................................................ 36
About management of 7100 Series appliances ....................................... 38
About user permissions .............................................................................. 39
About user passphrases .............................................................................. 39
About deployment ............................................................................................... 40
About deploying single nodes ........................................................................... 41
About deploying single Network Security software nodes ................... 41
About deploying single 7100 Series appliance nodes ............................ 42
About deploying node clusters .......................................................................... 43
Monitoring groups within a cluster .......................................................... 44
Chapter 4 Topology Database
About the network topology ...............................................................................47
Viewing the topology tree ...........................................................................48
Viewing objects in the topology tree .................................................................51
Viewing live log files ................................................................................. 123
Refreshing the list of log files ................................................................. 123
Chapter 1 Introduction
This chapter includes the following topics:
■About the Symantec Network Security foundation
■Finding information
About the Symantec Network Security foundation
The Symantec™ Network Security software and the Symantec Network Security
7100 Series appliance employ a common core architecture that provides
detection, analysis, storage, and response functionality. Most procedures in this
section apply to both the 7100 Series appliance and the Symantec Network
Security 4.0 software. The 7100 Series appliance also provides additional
functionality that is unique to an appliance. This additional functionality is
described in detail in each section.
This section includes the following topics:
■About the Symantec Network Security 7100 Series
■About other Symantec Network Security features
About the Symantec Network Security 7100 Series
Symantec™ Network Security 7100 Series security appliances provide real-time
network intrusion prevention and detection to protect critical enterprise assets
from the threat of known, unknown (zero-day) and DoS attacks. The 7100 Series
appliances employ the new and innovative Network Threat Mitigation
Architecture that combines anomaly, signature, statistical and vulnerability
detection techniques into an Intrusion Mitigation Unified Network Engine
(IMUNE), that proactively prevents and provides immunity against malicious
attacks including denial of service attempts, intrusions and malicious code,
network infrastructure attacks, application exploits, scans and reconnaissance
activities, backdoors, buffer overflow attempts and blended threats like MS
Blaster and SQL Slammer.
In addition to the features it shares with the Symantec Network Security 4.0
software, the Symantec Network Security 7100 Series appliance offers:
■In-line Operation: The 7100 Series appliance can be deployed in-line as a
transparent bridge to perform real-time monitoring and blocking of
network-based attacks. This ability to prevent attacks before they reach
their targets takes network security to the next level over passive event
identification and alerting. The 7100 Series appliance's One-Click Blocking
feature enables users to automatically enable blocking on all in-line
interfaces with the click of a single button, saving critical time in the event
of worm attacks.
■Policy-based Attack Prevention: Deployed in-line, the 7100 Series appliance
is able to perform session-based blocking against malicious traffic,
preventing attacks from reaching their targets. Predefined and customizable
protection policies enable users to tailor their protection based on their
security policies and business need. Policies can be tuned based on threat
category, severity, intent, reliability and profile of protected resources, and
common or individualized policies can be applied per sensor for both in-line
and passive monitoring.
■Interface Grouping: 7100 Series appliance users can configure up to four
monitoring interfaces as an interface group to perform detection of attacks
for large networks that have asymmetric routed traffic. A single sensor
handles all network traffic seen by the interface group, keeping track of
state even when traffic enters the network on one interface and departs on
another. This feature greatly increases the attack detection capacity of the
7100 Series and allows it to operate more effectively in enterprise network
environments.
■Dedicated Response Ports: The Symantec Network Security 7100 Series
provides special network interfaces for sending anonymous TCP resets to
attackers. With this configuration, network monitoring continues
uninterrupted even when sending resets.
■Reduced Total Cost of Solution: A single 7100 Series appliance can monitor
up to eight network segments or VLANs. The Symantec Network Security
7100 Series reduces the cost of a network security solution by enhancing the
security and reliability of the hardware, simplifying deployment and
management, and providing a single point of service and support.
■Flexible Licensing Options: Each model of the Symantec Network Security
7100 Series offers licensing at multiple bandwidth levels. Whether you
deploy the appliance at a slow WAN connection or on your gigabit backbone,
you can select the license that fits your needs.
■Fail-open: When using in-line mode, the Symantec Network Security 7100
Series appliance is placed directly into the network path. The optional
Symantec Network Security In-line Bypass unit provides fail-open capability
to prevent an unexpected hardware failure from causing a loss of network
connectivity. The Symantec In-line Bypass Unit provides a customized
solution that will keep your network connected even if the appliance has a
sudden hardware failure.
See also “About other Symantec Network Security features” on page 11.
About other Symantec Network Security features
Symantec Network Security is highly scalable, and meets a range of needs for
aggregate network bandwidth. Symantec Network Security reduces the total
cost of implementing a complete network security solution through simplified
and rapid deployment, centralized management, and cohesive and streamlined
security content, service, and support.
Symantec Network Security is centrally managed via the Symantec™ Network
Security Management Console, a powerful and scalable security management
system that supports large, distributed enterprise deployments and provides
comprehensive configuration and policy management, real-time threat analysis,
enterprise reporting, and flexible visualization.
The Network Security Management System automates the process of delivering
security and product updates to Symantec Network Security using Symantec™
LiveUpdate to provide real-time detection of the latest threats. In addition, the
Network Security Management System can be used to expand the intrusion
protection umbrella using the Symantec Network Security Smart Agents to
provide enterprise-wide, multi-source intrusion management by aggregating,
correlating, and responding to events from multiple Symantec and third-party
host and network security products.
Symantec Network Security provides the following abilities:
■Multi-Gigabit Detection for High-speed Environments: Symantec Network
Security sets new standards with multi-gigabit, high-speed traffic
monitoring allowing implementation at virtually any level within an
organization, even on gigabit backbones. On a certified platform, Symantec
Network Security can maintain 100% of its detection capability at 2Gbps
across 6 gigabit network interfaces with no packet loss.
■Hybrid Detection Architecture: Symantec Network Security uses an array of
detection methodologies for effective attack detection and accurate attack
identification. It collects evidence of malicious activity with a combination
of protocol anomaly detection, stateful signatures, event refinement, traffic
rate monitoring, IDS evasion handling, flow policy violation, IP
fragmentation reassembly, and user-defined signatures.
detection helps detect previously unknown and new attacks as they occur.
This capability, dubbed “zero-day” detection, closes the window of
vulnerability inherent in signature-based systems that leave networks
exposed until signatures are published.
■Symantec SecurityUpdates with LiveUpdate: Symantec Network Security
now includes LiveUpdate, allowing users to automate the download and
deployment of regular and rapid response SecurityUpdates from Symantec
Security Response, the world's leading Internet security research and
support organization. Symantec Security Response provides top-tier
security protection and the latest security context information, including
exploit and vulnerability information, event descriptions, and event
refinement rules to protect against ever-increasing threats.
■Real-Time Event Correlation and Analysis: Symantec Network Security's
correlation and analysis engine filters out redundant data and analyzes only
the relevant information, providing threat awareness without data overload.
Symantec Network Security gathers intelligence across the enterprise using
cross-node analysis to quickly spot trends and identify related events and
incidents as they happen. In addition, new user-configurable correlation
rules enable users to tune correlation performance to meet the needs of
their own organization and environment.
■Full packet capture, session playback and flow querying capabilities:
Symantec Network Security can be configured on a per-interface basis to
capture the entire packet when an attack is detected so that you can quickly
determine if the offending packet is a benign event that can be filtered or
flagged for further investigation. Automated response actions can initiate
traffic recording and flow exports, and you can query existing or saved flows
as well as playback saved sessions to further assist in drill-down analysis of
a security event.
■Proactive Response Rules: Contains and controls the attack in real-time and
initiates other actions required for incident response. Customized policies
provide immediate response to intrusions or denial-of-service attacks based
on the type and the location of the event within the network. Symantec
Network Security implements session termination, traffic recording and
playback, flow export and query, TrackBack, and custom responses to be
combined with email and SNMP notifications to protect an enterprise's most
critical assets.
■Policy-Based Detection: Predefined policies speed deployment by allowing
users to quickly configure immediate response to intrusions or
denial-of-service attacks based on the type and the location of the event
within the network. Independently configurable detection settings make it
easy for users to create granular responses. Using the robust policy editor,
users can quickly create monitoring policies that are customized to the
needs of their particular environment. Policies can be applied at the cluster,
node, or interface level for complete, scalable control.
■Role-based Administration: Symantec Network Security provides the ability
to define administrative users and assign them roles to grant them varying
levels of access rights. Administrative users can be assigned roles all the
way from full SuperUser privileges down to RestrictedUser access that only
allows monitoring events without packet inspection capabilities. All
administrative changes made from the Network Security console are logged
for auditing purposes.
■TrackBack and FlowChaser: Symantec Network Security incorporates
sophisticated FlowChaser technology that uses flow information from both
Network Security software nodes and 7100 Series appliance nodes, and from
other network devices to trace attacks to the source.
■Cost-effective Scalable Deployment: A single Network Security software node
or 7100 Series appliance node can monitor multiple segments or VLANs.
Each node can be configured to monitor up to 12 Fast Ethernet ports or 6 to
8 Gigabit Ethernet ports. As the network infrastructure grows, network
interface cards can be added to the same node to support additional
monitoring requirements.
■High Availability Deployment: Network Security software nodes and 7100
Series appliance nodes can be deployed in a High Availability (H/A)
configuration to ensure continuous attack detection without any loss of
traffic or flow data in your mission-critical environment.
■Centralized Cluster Management: A Symantec Network Security deployment
can consist of multiple clusters, each cluster consisting of up to 120 nodes,
and an entire Network Security cluster can be securely and remotely
managed from a centralized management console. The Network Security
console provides complete cluster topology and policy management, node
and sensor management, incident and event monitoring, and drill-down
incident analysis and reporting.
cluster-wide, on-demand, drill-down, console-based reports that can be
generated in text, HTML, and PDF formats and can also be emailed, saved,
or printed. In addition, Symantec Network Security provides cluster-wide
scheduled reports generated on the software and appliance nodes that can
be emailed or archived to a remote computer using secure copy.
Security Smart Agents enable enterprise-wide, multi-source intrusion event
collection, helping companies to expand the security umbrella and enhance
the threat detection value of their existing security assets. Third-party
intrusion events are aggregated into a centralized location, leveraging the
power of the Symantec Network Security correlation and analysis
framework, along with the ability to automate responses to intrusions
across the enterprise.
See also “About the Symantec Network Security 7100 Series” on page 9.
Finding information
You can find detailed information about Symantec Network Security software
and Symantec Network Security 7100 Series appliances in the documentation
sets, on the product CDs, and on the Symantec Web sites.
This section includes the following topics:
■About 7100 Series appliance documentation
■About software documentation
■About the Web sites
■About this guide
About 7100 Series appliance documentation
The documentation set for the Symantec Network Security 7100 Series includes:
■Symantec Network Security 7100 Series Implementation Guide (printed and
PDF). This guide explains how to install, configure, and perform key tasks on
the Symantec Network Security 7100 Series.
■Symantec Network Security Administration Guide (printed and PDF). This
guide provides the main reference material, including detailed descriptions
of the Symantec Network Security features, infrastructure, and how to
configure and manage effectively.
■Depending on your appliance model, one of the following:
■Symantec Network Security 7100 Series: Model 7120 Getting Started
Card
■Symantec Network Security 7100 Series: Models 7160 and 7161 Getting
Started Card
This card provides the minimum procedures necessary for installing,
configuring, and starting to operate the Symantec Network Security
7100 Series appliance (printed and PDF).
■Symantec Network Security In-line Bypass Unit Getting Started Card (printed
and PDF). This card provides the procedures for installing the optional
Symantec Network Security In-line Bypass unit. The bypass unit may be
purchased separately from Symantec.
■Symantec Network Security 716x Service Manual (printed and PDF). This
document provides instructions for removing the hard drive on the 7160
and 7161.
■Symantec Network Security 7100 Series Product Specifications and Safety
Information (printed and PDF). This document provides specifications for all
7100 Series models as well as safety warnings and certification information.
■Symantec Network Security User Guide (PDF). This guide provides basic
introductory information about Symantec Network Security core software.
■Symantec Network Security 7100 Series Readme (on CD). This document
provides the late-breaking information about the Symantec Network
Security 7100 Series, including limitations, workarounds, and
troubleshooting tips.
See also “Finding information” on page 14.
About software documentation
The documentation set for Symantec Network Security core software includes:
■Symantec Network Security Getting Started (printed and PDF): This guide
provides basic introductory information about the Symantec Network
Security software product, an abbreviated list of system requirements, and a
basic checklist for getting started.
■Symantec Network Security Installation Guide (printed and PDF): This guide
explains how to install, upgrade, and migrate Symantec Network Security
software on supported platforms.
■Symantec Network Security Administration Guide (printed and PDF): This
guide provides the main reference material, including detailed descriptions
of the Symantec Network Security features, infrastructure, and how to
configure and manage effectively.
■Symantec Network Security User Guide (PDF): This guide provides basic
introductory information about Symantec Network Security core software.
■Symantec Network Security Readme (on CD): This document provides the
late-breaking information about Symantec Network Security core software,
limitations, workarounds, and troubleshooting tips.
See also “Finding information” on page 14.
About the Web sites
You can view the entire documentation set on the Symantec Network Security
Web site, as well as the continually updated Knowledge Base, Hardware
Compatibility Reference, and patch Web sites.
About the Knowledge Base
The Knowledge Base provides a constantly updated reference of FAQs and
troubleshooting tips as they are developed. You can view the Knowledge Base on
the Symantec Network Security Web site.
The Symantec Network Security Hardware Compatibility Reference provides a
detailed list of platforms supported by Symantec Network Security. You can
view the Hardware Compatibility Reference on the Symantec Network Security
Web site.
methods of intrusion, anomaly, and signature detection.
■Chapter 8 Incidents and Events—Describes detected incidents and their
related events, and how to view incident data from the Network Security
console.
■Chapter 9 Reports and Queries—Describes the types of reports that
Symantec Network Security can generate and how to generate them.
■Chapter 10 Managing log files: Describes the Network Security log
databases and how to view them.
See also “Finding information” on page 14.
Chapter 2 Architecture
This chapter includes the following topics:
■About Symantec Network Security
■About the core architecture
■About management and detection architecture
About Symantec Network Security
This chapter describes the underlying architecture of both the Symantec
Network Security core software and the Symantec Network Security 7100 Series
appliances. It describes how the components work together to gather attack
information, analyze behavior, and initiate effective responses.
The Symantec Network Security software and the Symantec Network Security
7100 Series appliance employ a common core architecture that provides
detection, analysis, storage, and response functionality. Most procedures in this
section apply to both the 7100 Series appliance and the Symantec Network
Security 4.0 software. The 7100 Series appliance also provides additional
functionality that is unique to an appliance. Each section describes this
additional functionality in detail.
About the core architecture
Symantec Network Security’s challenges are to detect malicious or
unauthorized behavior, to analyze the behavior, and to determine an
appropriate response. Symantec Network Security provides a three-pronged
approach to meet this challenge: detection, analysis, and response. The
following diagram describes this basic approach:
Figure 2-1 Core Architecture of Symantec Network Security
[Figure: block diagram. Inputs (Network Traffic, External Sources) feed the Detection stage (Protocol Anomaly Detection, Stateful Signatures, User-defined Signatures, DoS Detection, Scan Detection, EDP Detection), which passes through Refinement to the Analysis stage (Correlation, Policy Application) and on to Response (Automated Response).]
This section describes the following topics:
■About detection
■About analysis
■About response
About detection
Symantec Network Security uses multiple methods of threat detection that
provide both broad and deep detection of network-borne threats. These include
Protocol Anomaly Detection (PAD), traffic rate monitoring, and network pattern
matching, or signature-based detection.
Each of these methods has strengths and weaknesses. Signature-based
approaches can miss new attacks; protocol anomaly detection can miss attacks
that are not considered anomalies; traffic anomaly detection misses single-shot
or low-volume attacks; and behavioral anomaly detection misses attacks that
are difficult to differentiate from normal behavior.
Symantec Network Security combines multiple techniques and technologies
into a single solution. In addition, it adapts to the changing threat landscape by
adopting new techniques and technologies that improve upon or replace
existing ones.
Users can increase the detection capabilities by using Flow Alert Rules and
adding user-defined signatures. Flow alert rules allow users to monitor network
policy and respond to traffic to or from IP address and port combinations.
User-defined signatures allow users to add network patterns to the supported
set, and tune them to a specific network environment. Examples include
monitoring proprietary protocols, searching for honey-tokens, or detecting
disallowed application versions.
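As an added example (not Symantec Network Security code, and not its rule or signature syntax), the following Python evaluates the two user-extensible layers just described over constructed packet records: flow alert rules keyed on address and port combinations, and user-defined byte patterns that look for a honey-token, a disallowed SSH protocol version banner, and an undefined opcode in a hypothetical proprietary protocol. The rule format, the `Packet`/`FlowAlertRule`/`UserSignature` types, the addresses, tokens and payloads are all assumptions made for the example.

```python
"""Flow alert rules and user-defined signatures over constructed packet records.

Added example, not Symantec Network Security code. The rule and signature
formats are hypothetical; sample packets are constructed inline.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes = b""


@dataclass(frozen=True)
class FlowAlertRule:
    """Network-policy rule on address/port combinations (hypothetical format).
    A field left as None is a wildcard."""
    name: str
    src: Optional[str] = None      # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.proto and p.proto != self.proto:
            return False
        return True


@dataclass(frozen=True)
class UserSignature:
    """Byte pattern searched in the payload, optionally restricted to a port
    (hypothetical format). The port may be either endpoint so that server
    banners, which come from the server's source port, are covered."""
    name: str
    pattern: "re.Pattern[bytes]"
    port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.port is not None and self.port not in (p.sport, p.dport):
            return False
        return self.pattern.search(p.payload) is not None


# Constructed policy: no telnet into the server VLAN, no SMB from the DMZ.
FLOW_RULES = [
    FlowAlertRule("telnet-to-server-vlan", dst="10.0.1.0/24", dport=23, proto="tcp"),
    FlowAlertRule("smb-from-dmz", src="192.0.2.0/24", dst="10.0.0.0/8", dport=445, proto="tcp"),
]

# Constructed user-defined signatures: a honey-token planted in a document,
# an SSH protocol-1 server banner, and an opcode outside the set a hypothetical
# proprietary "ACME" protocol defines (0x10..0x12 after the magic and version).
SIGNATURES = [
    UserSignature("honey-token-exfil", re.compile(rb"HT-SECRET-2b7e1516")),
    UserSignature("ssh-protocol-1-banner", re.compile(rb"^SSH-1\.(5|99)-"), 22),
    UserSignature("acme-proto-undefined-opcode", re.compile(rb"^ACME\x01[^\x10-\x12]"), 9100),
]


def evaluate(p: Packet, rules: List[FlowAlertRule], sigs: List[UserSignature]) -> List[Tuple[str, str]]:
    """Return (layer, rule-name) pairs for every rule and signature the packet trips."""
    alerts = [("flow-policy", r.name) for r in rules if r.matches(p)]
    alerts += [("user-signature", s.name) for s in sigs if s.matches(p)]
    return alerts


# Constructed traffic; addresses are from documentation ranges.
SAMPLE_PACKETS = [
    Packet("10.0.5.7", 51000, "10.0.1.20", 23, "tcp"),
    Packet("10.0.1.20", 22, "10.0.5.7", 51001, "tcp", b"SSH-1.99-OpenSSH_3.4p1\r\n"),
    Packet("10.0.5.7", 51002, "203.0.113.9", 80, "tcp",
           b"POST /upload HTTP/1.0\r\n\r\n...HT-SECRET-2b7e1516..."),
    Packet("192.0.2.40", 51003, "10.0.1.20", 445, "tcp"),
    Packet("10.0.5.7", 51004, "10.0.2.30", 9100, "tcp", b"ACME\x01\x7f\x00\x00"),
    Packet("10.0.5.7", 51005, "10.0.2.30", 9100, "tcp", b"ACME\x01\x11\x00\x00"),
    Packet("10.0.5.7", 51006, "203.0.113.9", 80, "tcp", b"GET / HTTP/1.0\r\n\r\n"),
]


def run_samples() -> Dict[int, List[Tuple[str, str]]]:
    """Evaluate every sample packet; index -> alerts (empty list when benign)."""
    return {i: evaluate(p, FLOW_RULES, SIGNATURES) for i, p in enumerate(SAMPLE_PACKETS)}


if __name__ == "__main__":
    for i, alerts in run_samples().items():
        print(i, SAMPLE_PACKETS[i].src, "->", SAMPLE_PACKETS[i].dst, alerts or "ok")
```

Flow rules fire on the 5-tuple alone, which is why they catch the telnet and SMB sessions before any payload is seen; the signatures need payload and, where a port is given, an endpoint on that port, so the SSH banner is matched on the server's source port rather than the client's ephemeral one.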
Symantec Network Security can also integrate event data from third-party
devices, enabling you to combine existing intrusion detection products with
Symantec Network Security’s high speed and zero-day attack detection
capabilities.
This section describes the layers of the detection model:
■About protocol anomaly detection
■About Symantec signatures
■About user-defined signatures
■Monitoring traffic rate
■About DoS detection
■About external EDP
About protocol anomaly detection
Symantec Network Security's Protocol Anomaly Detection (PAD) is a form of
anomaly detection. PAD detects threats by noting deviations from expected
activity, rather than known forms of misuse. Anomaly detection looks for
expected or acceptable traffic, and alerts when it does not see it. This is the
complement of a signature-based approach, which looks for abnormal,
unexpected, or unacceptable traffic.
Symantec Network Security provides in-depth models of the most frequently
used network protocols, providing extensive detection capability that goes
beyond simpler forms of protocol analysis. These models provide much deeper
detection and fewer false positives because they are able to follow a client-server
exchange throughout the life of the connection. For example, if a protocol
defines the size of a field, and Symantec Network Security detects a field that
breaches the defined size, it will trigger an alert.
Symantec Network Security has overcome the issue of overly generic alerts,
which is one of the major issues surrounding PAD. During a zero-day attack, a
general PAD alert is often all that is possible. However, soon after a new threat is
discovered, it is often identified by a name and assigned a unique identifier by
authorities. These organizations publish descriptions of the threat and provide
pointers to vendor patches or other remediation tools. When this happens, it is
better to have specific threat identification instead of a protocol anomaly alert.
Symantec Network Security provides event refinement to address this issue.
Threats identified by PAD are further analyzed to determine if they are known
or unknown. This processing is done after the traffic has been identified and
recorded, so that it does not interfere with the detection performance. This
provides the high performance of PAD with the granular identification of a
signature matching engine.
About Symantec signatures
Symantec Network Security uses network pattern matching, or signatures, to
provide a powerful layer of detection. Signature detection involves detecting
threats by looking for a specific pattern or fingerprint of a known bad or
harmful thing. This known-bad pattern is called a signature. These patterns are
traditionally based on the observed network behavior of a specific tool or tools.
Signature detection operates on the basic premise that each threat has some
observable property that can be used to uniquely identify it. This can be based
on any property of the particular network packet or packets that carry the
threat. In some cases, this may be a literal string of characters found in one
packet, or it may be a known sequence of packets that are seen together. In any
case, every packet is compared against the pattern. Matches trigger an alert,
while failure to match is processed as non-threatening traffic.
Symantec Network Security uses signatures as a complement to PAD. The
combination provides robust detection without the weaknesses of either PAD
alone or signatures alone. Symantec Network Security's high performance is
maintained by matching against the smallest set of signatures possible in
the current context. Since many threats are detected and refined through
the PAD functionality, Symantec Network Security minimizes the set of
required signatures to maximize performance.
Symantec Network Security also uses methods of rapid response in creating
signatures that detect attempts to exploit new vulnerabilities as soon as they hit
the network, independent of the exploit tool. This results in earlier prevention
of threats and more complete coverage.
About user-defined signatures
Symantec Network Security provides the ability to define and apply
user-defined signatures to tune Symantec Network Security to your particular
environment. User-defined signatures significantly extend the functionality
of Symantec Network Security, for example by providing a flexible mechanism
for making short-term updates during rapid outbreaks. Symantec Network
Security provides an effective way to create, define, manage, and apply
user-defined signatures from the Network Security console.
Monitoring traffic rate
Symantec Network Security detects malicious flow and traffic shape, provides
multi-gigabit traffic monitoring, and maintains 100% of its detection capability
on a fully saturated gigabit network.
Symantec Network Security performs passive traffic monitoring on its detection
interfaces. It uses this data to perform both aggregate traffic analysis and
individual packet inspection. Individual packets are inspected and traffic is
analyzed per interface. It also uses Netflow data that is locally collected, or
forwarded from a remote device, to augment its traffic analysis.
Symantec Network Security's aggregate analysis detects both denial-of-service
and distributed denial-of-service attacks. These attacks are recognized as
unusual spikes in traffic volume. Using the same data, Symantec Network
Security can also recommend proper remediation of the problem.
Beyond attack detection, Symantec Network Security uses traffic analysis to
detect many information-gathering probes. It detects not only the common
probing methods, but also many stealth modes that slip through firewalls and
other defenses. For example, many firewalls reject incoming SYN packets yet
allow FIN packets through, which is the basis of a common port scan method.
Symantec Network Security recognizes this anomaly and triggers an alert.
About DoS detection
Symantec Network Security provides passive traffic monitoring on its detection
interfaces that allows it to detect a variety of DoS attacks such as flooding,
resource reservation, and malformed traffic. Symantec Network Security also
detects a variety of reconnaissance efforts, such as various forms of stealth
scans.
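The two aggregate checks described above (a volume spike as a DoS indicator, and FIN-only probes across many ports as a stealth-scan indicator) can be illustrated on packet summaries. The following is an added example written for this page, not Symantec Network Security code; the record layout, thresholds, and sample traffic are all constructed for the illustration.

```python
"""Added example (not Symantec's code): two aggregate traffic-analysis checks
described in the text, run over constructed packet summaries. A record is
(second, src, dst, dport, tcp_flags); thresholds and addresses are assumed."""
from collections import defaultdict

# Constructed sample traffic: a small baseline, then a burst in second 2,
# then one source sending FIN-only packets to 12 ports in second 3.
SAMPLE = (
    [(0, "10.0.0.5", "10.0.1.20", 80, "SA"), (0, "10.0.0.6", "10.0.1.20", 443, "S")]
    + [(1, "10.0.0.5", "10.0.1.20", 80, "SA")] * 3
    + [(2, "198.51.100.%d" % i, "10.0.1.20", 80, "S") for i in range(40)]
    + [(3, "203.0.113.9", "10.0.1.20", p, "F") for p in range(20, 32)]
)


def packets_per_second(records):
    """Aggregate analysis: count packets per one-second bucket."""
    counts = defaultdict(int)
    for sec, *_ in records:
        counts[sec] += 1
    return dict(counts)


def volume_spikes(records, factor=5.0):
    """Flag seconds whose packet count exceeds `factor` times the mean of
    the other seconds (an unusual spike in traffic volume)."""
    counts = packets_per_second(records)
    spikes = []
    for sec, n in counts.items():
        others = [c for s, c in counts.items() if s != sec]
        baseline = sum(others) / len(others) if others else 0
        if baseline and n > factor * baseline:
            spikes.append(sec)
    return sorted(spikes)


def fin_scan_sources(records, min_ports=10):
    """Stealth-scan check: FIN packets for which the sensor never saw a SYN
    on that (src, dst, port), spread over many ports from a single source."""
    established = {(src, dst, dport)
                   for _, src, dst, dport, flags in records if "S" in flags}
    fin_ports = defaultdict(set)
    for _, src, dst, dport, flags in records:
        if flags == "F" and (src, dst, dport) not in established:
            fin_ports[src].add(dport)
    return sorted(src for src, ports in fin_ports.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    print("packets/second:", packets_per_second(SAMPLE))
    print("volume spikes in seconds:", volume_spikes(SAMPLE))
    print("FIN-scan sources:", fin_scan_sources(SAMPLE))
```

Both checks work on per-interface aggregates rather than on individual packet contents, which is why they remain cheap enough to run alongside full packet inspection.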
About external EDP
The Event Dispatch Protocol (EDP) provides a generalized framework for
sending events to software and appliance nodes for correlation, investigation,
analysis, and response. Using EDP, Symantec Network Security can collect
security data not only from its own sensors, but also from arbitrary third-party
sources such as firewalls, IDS sensors, and host-based IDS devices. The process
of integrating a third-party sensor generally involves three steps: collection,
conversion, and transmission. First, Symantec Network Security collects the
data from the third-party sensor in its usual collection format, such as flat text
files, SNMP, and source APIs. Then Symantec Network Security converts the
data from the native format to the Symantec Network Security format, and
transmits the data to the software or appliance node.
About analysis
Symantec Network Security includes state-of-the-art correlation and analysis
that filters out irrelevant information and refines only what is meaningful,
providing threat awareness without data overload. Symantec Network Security
correlates common events together within an incident to compress and relate
the displayed information.
This section describes the analysis mechanism in greater detail:
■About refinement
■About correlation
■About cross-node correlation
About refinement
Symantec Network Security detects both known and unknown (zero-day)
attacks, using multiple detection technologies concurrently. Event refinement
rules extend the Protocol Anomaly Detection capabilities. Symantec Network
Security matches generic anomalies against a database of refinement rules, and
for known attacks, reclassifies an anomaly event by retagging it with its specific
name.
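The PAD field-size check from the earlier section and the refinement step described here fit together as one pipeline: a generic anomaly event is raised at detection time, and the refinement rules are consulted afterwards to retag known cases. The following is an added example written for this page, not Symantec's refinement engine; the line-based protocol, its 64-byte field limit, the rule format, and the placeholder threat name are all assumptions.

```python
"""Added example (not Symantec's code): a protocol-anomaly check followed by
event refinement, modelled on the behaviour described in the text. The
protocol, field limit, refinement rules and sample messages are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical line-based protocol: "<command> <argument>", where the
# protocol definition caps the argument field at 64 bytes.
MAX_ARG_LEN = 64


@dataclass
class Event:
    event_type: str                 # generic anomaly name or refined name
    detail: dict = field(default_factory=dict)
    refined: bool = False


def pad_check(message: bytes) -> Optional[Event]:
    """Protocol Anomaly Detection: flag a field that breaches its defined size.
    Returns a generic anomaly event, or None for conforming traffic."""
    command, _, argument = message.partition(b" ")
    if len(argument) > MAX_ARG_LEN:
        return Event("PROTOCOL_FIELD_TOO_LONG",
                     {"command": command.decode("ascii", "replace"),
                      "length": len(argument), "limit": MAX_ARG_LEN})
    return None


# Constructed refinement rules: each maps a generic anomaly plus matching
# conditions to a specific, named event type (placeholder name here).
REFINEMENT_RULES = [
    {"anomaly": "PROTOCOL_FIELD_TOO_LONG",
     "when": lambda d: d["command"] == "USER" and d["length"] > 100,
     "name": "Example-USER-Overflow"},
]


def refine(event: Event) -> Event:
    """Event refinement runs after detection and recording, so it never sits
    on the capture path. Known patterns are retagged with their specific
    name; unknown ones keep the generic anomaly tag (the zero-day case)."""
    for rule in REFINEMENT_RULES:
        if rule["anomaly"] == event.event_type and rule["when"](event.detail):
            return Event(rule["name"],
                         dict(event.detail, generic=event.event_type),
                         refined=True)
    return event


def analyze(message: bytes) -> Optional[Event]:
    """Detection followed by refinement for one message."""
    ev = pad_check(message)
    return refine(ev) if ev else None


if __name__ == "__main__":
    for msg in [b"USER alice", b"USER " + b"A" * 200, b"PASS " + b"B" * 80]:
        print(msg[:12], "->", analyze(msg))
```

The third sample message shows the value of keeping the generic tag: an oversized field in a command no refinement rule knows about is still reported, just without a specific name.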
About correlation
Symantec Network Security uses event correlation, the process of grouping
related events together into incidents. This produces a shorter, more
manageable list to sift through. Some types of intrusions, such as DDoS attacks,
generate hundreds of events. Others, such as buffer-overflow exploits, might
generate only one event. Event correlation brings each key event to the
forefront in an incident so that it remains visible despite floods of events from
other activities. It automates the process of sorting through individual events
and frees the user to focus on responding directly to the security incident.
Symantec Network Security correlates security events (intrusions, attacks,
anomalies, or any other suspicious activity), response action events (automated
actions taken by Symantec Network Security in response to an attack), and
operational events (action taken in the administration of the product, such as
logging in or rotating logs).
About cross-node correlation
Cross-node correlation is a feature that enables software and appliance nodes in
a cluster to communicate with each other and to recognize when similar
incidents are monitored by different nodes. Symantec Network Security collects
events from both local and remote sources, and organizes the events into a
single, rate-controlled stream. It compares new events to existing event groups,
and judges similarity. It writes all events and analysis results to a local database,
evaluates against protection and response policies, and then takes action if
appropriate.
If two peer nodes detect an attack, each node treats it as a separate incident and
has no knowledge of what the other node detects. However, when Symantec
Network Security applies cross-node correlation to the incidents detected by
two nodes in a cluster, each adds a reference to the other and maintains
awareness that this may be the same or a related attack. The Network Security
console displays both as a single incident.
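The grouping described in the correlation section and the peer references described here can be shown together on constructed events. The following is an added example written for this page, not Symantec's correlation engine; the similarity rule (same source and target within a time window), the event fields, and the sample events are assumptions.

```python
"""Added example (not Symantec's code): event correlation into incidents,
then cross-node correlation that links matching incidents seen by two
cluster nodes. Event fields, the similarity rule and samples are constructed."""
from dataclasses import dataclass, field


@dataclass
class Incident:
    node: str
    key: tuple                                    # (src, dst) similarity key
    events: list = field(default_factory=list)
    related: list = field(default_factory=list)   # (peer node, peer incident id)
    incident_id: int = 0


def correlate(node, events, window=60):
    """Group events into incidents: an event with the same (src, dst) key
    within `window` seconds of an incident's last event joins that incident."""
    incidents = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["src"], ev["dst"])
        for inc in incidents:
            if inc.key == key and ev["time"] - inc.events[-1]["time"] <= window:
                inc.events.append(ev)
                break
        else:
            incidents.append(Incident(node, key, [ev], incident_id=len(incidents) + 1))
    return incidents


def cross_node_correlate(incidents_a, incidents_b):
    """Each node keeps its own incident but adds a reference to the peer's
    incident with the same key, so both stay aware of the possible relation."""
    for a in incidents_a:
        for b in incidents_b:
            if a.key == b.key:
                a.related.append((b.node, b.incident_id))
                b.related.append((a.node, a.incident_id))
    return incidents_a, incidents_b


def console_view(*incident_lists):
    """Merge cross-referenced incidents into one displayed entry per key."""
    merged = {}
    for inc in (i for lst in incident_lists for i in lst):
        merged.setdefault(inc.key, []).extend(inc.events)
    return merged


# Constructed sample: a 200-event flood plus one buffer-overflow event seen
# by node A, and the same flood (150 events) seen by node B.
FLOOD_A = [{"time": t, "src": "198.51.100.7", "dst": "10.0.1.20", "type": "flood"}
           for t in range(200)]
OVERFLOW_A = [{"time": 50, "src": "203.0.113.4", "dst": "10.0.1.30", "type": "overflow"}]
FLOOD_B = [{"time": t, "src": "198.51.100.7", "dst": "10.0.1.20", "type": "flood"}
           for t in range(150)]

if __name__ == "__main__":
    a, b = cross_node_correlate(correlate("A", FLOOD_A + OVERFLOW_A),
                                correlate("B", FLOOD_B))
    for inc in a + b:
        print(inc.node, inc.incident_id, inc.key, len(inc.events), inc.related)
    print({k: len(v) for k, v in console_view(a, b).items()})
```

The single overflow event ends up in its own incident rather than being buried among the flood events, which is the visibility property the text describes.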
About response
Protection policies and response rules are collections of rules configured to
detect specific events, and to take specific actions in response to them.
Protection policies can take action at the point of detection. Using a 7100 Series
appliance, you can configure Symantec Network Security to block events before
they enter the network. Response rules can be configured to react automatically
and immediately contain and respond to intrusion attempts.
The response mechanism is described further in the following sections:
■About protection policies
■About response rules
About protection policies
Symantec Network Security applies protection policies to interfaces at the point
of detection, before they enter the network. Each protection policy indicates the
specific signatures that the sensor will hunt for on the applied interface, in
addition to protocol anomaly detection events. If a 7100 Series appliance is
deployed in-line, it can use blocking rules to prevent traffic from entering the
network.
About response rules
Symantec Network Security’s automated rule-based response system includes
alerting, pinpoint traffic recording, flow tracing, session resetting, and custom
responses on both the software and appliance nodes and the Network Security
console. Symantec Network Security generates responses based on multiple
criteria such as event targets, attack types or categories, event sources, and
severity or confidence levels. Multiple responses can be configured for the same
event type, as well as the order in which Symantec Network Security executes
the responses.
Symantec Network Security reviews each event, and iterates through the list of
response rules configured by the user. It compares each event against
configurable match parameters. If a match occurs on all parameters, it then
executes the specified action. After Symantec Network Security processes one
rule, it proceeds to one of three alternatives: to the rule indicated by the Next
parameter, to a following rule beyond the Next rule, or it stops policy
application altogether for this event.
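The matching loop above can be modelled as a small rule engine: every configured parameter must match, the action runs, and the rule's Next setting decides whether processing continues with the following rule, jumps to a later named rule, or stops. The following is an added example written for this page, not Symantec's response-rule implementation; the parameter names, actions, Next values, and sample events are constructed.

```python
"""Added example (not Symantec's code): a response-rule matching loop with the
three continuation choices described in the text. Rule fields, actions and
sample events are constructed; real rules are configured from the console."""

# Each rule: match parameters (all must match), an action, and a "next"
# directive: "continue" (the following rule), a later rule's name, or "stop".
RULES = [
    {"name": "r1", "match": {"category": "dos"},
     "action": "alert", "next": "r3"},
    {"name": "r2", "match": {"severity": "high"},
     "action": "record", "next": "continue"},
    {"name": "r3", "match": {"severity": "high", "target": "10.0.1.20"},
     "action": "reset", "next": "stop"},
    {"name": "r4", "match": {},
     "action": "log", "next": "stop"},
]


def matches(rule, event):
    """A match occurs only when every configured parameter equals the event's value."""
    return all(event.get(k) == v for k, v in rule["match"].items())


def apply_rules(event, rules=RULES):
    """Return the ordered list of actions executed for one event."""
    index = {r["name"]: i for i, r in enumerate(rules)}
    actions, i = [], 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, event):
            i += 1                      # no match: try the next rule in order
            continue
        actions.append(rule["action"])
        nxt = rule["next"]
        if nxt == "stop":
            break                       # stop policy application for this event
        if nxt == "continue":
            i += 1                      # proceed to the following rule
        else:
            target = index[nxt]         # jump to the rule named by Next
            if target <= i:             # only forward jumps, so the loop terminates
                raise ValueError(f"rule {rule['name']}: Next must name a later rule")
            i = target
    return actions


if __name__ == "__main__":
    samples = [
        {"category": "dos", "severity": "high", "target": "10.0.1.20"},
        {"category": "scan", "severity": "high", "target": "10.0.1.99"},
        {"category": "scan", "severity": "low"},
    ]
    for ev in samples:
        print(ev, "->", apply_rules(ev))
```

The forward-only check on Next is a design choice for the example: it guarantees that rule evaluation for a single event always terminates, which matters when rules are edited by several administrators.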
About management and detection architecture
Symantec Network Security combines two main physical components:
management and detection. The management component, called the Network
Security console, provides management functionality such as incident review,
logging, and reporting. The detection component is available as a Network
Security software node or a Symantec Network Security 7100 Series appliance
node. Both are based upon the same basic architecture, and both provide
detection, analysis, storage, and response functionality. The 7100 Series node
includes the functionality of the Network Security software node, with
additional unique functionality.
This section describes the following components in greater detail:
■About the Network Security console
■About the node architecture
■About the 7100 Series appliance node
About the Network Security console
Symantec Network Security’s administrative and management component is
the powerful but easy-to-use Network Security console. It communicates over an
encrypted and authenticated link to ensure that authorized administrators may
log in from any secure or insecure network. The Network Security console
manages all operations, including incident and event filtering, drill-down
incident analysis, full packet capture, detailed event descriptions, and allows
event annotations and incident marking for tracking.
The Network Security console provides an interface from which you can
monitor events and devices, edit parameters, configure response rules, apply
protection policies, and view log data. You can generate reports and view them
immediately in the Network Security console, or you can schedule them to
generate automatically.
The Network Security console contains three main tabs that provide a view of
the Devices tab, Incidents tab, and Policies tab.
■Devices tab: Provides a hierarchical tree view of the network topology, with
a detailed summary of each device.
■Incidents tab: Provides detailed descriptions of incidents and events taking
place in the monitored network, and can be drilled down to reveal detailed
packet information.
■Policies tab: Provides the tools to create, manage, and apply user-defined
signatures, signature variables, and protection policies.
Reporting in the Network Security console includes dynamic chart and graph
generation, with information drill-down and data retrieval. Pre-defined reports
can be saved and printed. Users can send flow queries and play back traffic
sequences from the Network Security console as well.
About role-based administration
The Network Security console provides a simple yet powerful interface that is
useful for all levels of administration, from the Network Operation Center (NOC)
operator who watches for a red light, to the skilled security administrator who
examines and analyzes packets.
Four pre-defined user groups provide efficient management. Each group
includes a set of permissions for specific management operations. Each user’s
login identity indicates their role and permission assignment during an
administrative session.
Symantec Network Security automatically installs a SuperUser login account
that is authenticated with full administrative capabilities. The SuperUser can
create additional login accounts in the following user groups:
■SuperUsers: A user authenticated with full administrative capabilities. This
user is allowed to perform all administrative tasks that the Network Security
console can execute.
■Administrators: A user authenticated with partial administrative
capabilities. This user is allowed to perform most administrative tasks, with
the exception of some advanced actions.
■StandardUsers: A user authenticated with full read-only capabilities. This
user is allowed to view all information in the Network Security console.
■RestrictedUsers: A user authenticated with partial read-only capabilities.
This user is allowed to view most information in the Network Security
Console with the exception of some advanced information and
network-sensitive data.
About the node architecture
The Network Security software node or 7100 Series appliance node contains a
variety of tools and techniques that work together to gather attack information,
analyze the attacks, and initiate responses appropriate to specific attack
circumstances.
The following diagram illustrates how Symantec Network Security’s arsenal of
tools work together to provide protection:
Figure 2-2 Core architecture of a software or appliance node
[Diagram components: Alert Manager, Sensor Manager, Analysis, Admin Service
(QSP Proxy), Databases, Event Stream Provider, Sensor Process, Smart Agent
Receiver, FlowChaser]
The components of the core node architecture apply to both Network Security
software nodes and 7100 Series appliance nodes as follows:
■About the alert manager
■About the sensor manager
■About the administration service
■About analysis
■About the databases
■About Event Stream Provider
■About sensor processes
■About Smart Agents
■About FlowChaser
About the alert manager
The Network Security Alerting Manager provides three types of alerts: a
Network Security console action alert, an email alert, and an SNMP trap alert.
About the sensor manager
The Sensor Manager maintains a pool of sub-processes to manage
sensor-related functionality. This includes sensor processes for event detection,
traffic recording, and FlowChaser sub-processes that handle network device
configuration, starting, and stopping.
About the administration service
All communication across the network passes through the QSP Proxy, an
administration service with 256-bit AES encryption and passphrase
authentication. This ensures that all communication between the Network
Security console and the master node, and between software and appliance
nodes within a cluster, is properly authenticated and encrypted. In addition,
this service enforces role-based administration and thus prevents any
circumvention of established access policy.
About analysis
Symantec Network Security’s analysis framework aggregates event data on
possible attacks from all event sources. The analysis framework also performs
statistical correlation analysis on events to identify event patterns that vary
significantly from usual network activity and to identify individual events that
are highly related, such as a port scan followed closely by an intrusion attempt.
About the databases
Symantec Network Security provides multiple databases to store information
about attacks, the network topology, and configuration information.
■Topology database: Stores information about local network devices and
interfaces and the network configuration. Symantec Network Security uses
this data to direct the FlowChaser toward the area of the network in which
an attack occurs.
■Protection policy database: Stores the pre-defined protection policies that
installed with the product and those added through LiveUpdate, as well as
any user-defined signatures.
■Response rule database: Stores the rules that define the actions to take
when an attack is identified, the priority to give to the attack incidents, and
the necessity for further investigation of the attack.
■Configuration database: Stores configurable parameters that SuperUsers
and Administrators can use to configure tasks at the node level and to
configure detection at the sensor level.
■Incident and event databases: Stores information about events and
incidents. The event log can be signed periodically by the iButton or soft
token to verify that the log has not been tampered with or altered in any
way. The iButton is a hardware device that safeguards the signature
certificate and confirms the identity of a Network Security software node.
■LiveUpdate database: Stores data relevant for LiveUpdate.
■User database: Stores information about each user login account.
About Event Stream Provider
The Event Stream Provider (ESP) prevents event flood invasions by intelligently
processing them in multiple event queues, based on key criteria. In this way, if
multiple identical events bombard the network, the ESP treats the flood of
events as a single unit. This prevents any one event type or event source from
overloading a security administrator. Thus, the events that are forwarded are
representative of the actual activity on the network. If it is necessary to drop
events for stability and security, the ESP does so in a manner that loses as little
important information as possible.
If a second attack is hidden beneath the volume of an event flood attack, the
events related to the hidden attack will differ from the flood events. Therefore,
the ESP places these events in separate queues. The analysis framework can
then analyze the events related to the hidden attack. In this way, Symantec
Network Security analyzes and responds to both attacks quickly and effectively.
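The queueing behaviour described for the ESP can be shown on a constructed event stream: events are queued by key criteria, each queue gets a limited forwarding budget, and a flood on one key therefore cannot crowd out the few events of a different attack hidden inside it. The following is an added example written for this page, not Symantec's Event Stream Provider; the key fields, the per-queue budget, and the sample events are assumptions.

```python
"""Added example (not Symantec's code): per-key event queues with a
forwarding budget, modelled on the ESP behaviour described in the text.
Key fields, budget and sample events are constructed."""
from collections import OrderedDict, deque


def queue_key(event):
    """Events are queued by key criteria; here event type, source and target."""
    return (event["type"], event["src"], event["dst"])


def esp_forward(events, per_queue_budget=3):
    """Place each event in the queue for its key, then forward at most
    `per_queue_budget` events per queue. Each forwarded event records how many
    identical events it stands for, so dropped events lose as little
    information as possible and no single key can overload the analyst."""
    queues = OrderedDict()
    for ev in events:
        queues.setdefault(queue_key(ev), deque()).append(ev)
    forwarded = []
    for key, q in queues.items():
        kept = list(q)[:per_queue_budget]
        suppressed = len(q) - len(kept)
        for ev in kept:
            forwarded.append(dict(ev, queue=key, suppressed=suppressed))
    return forwarded


# Constructed sample: 500 identical flood events with two events of a
# different attack buried in the middle of the flood.
FLOOD = [{"type": "flood", "src": "198.51.100.7", "dst": "10.0.1.20"}] * 500
HIDDEN = [{"type": "overflow", "src": "203.0.113.4", "dst": "10.0.1.30"}] * 2
STREAM = FLOOD[:250] + HIDDEN + FLOOD[250:]

if __name__ == "__main__":
    for ev in esp_forward(STREAM):
        print(ev["type"], "from", ev["src"], "stands for", ev["suppressed"], "more")
```

Both hidden-attack events survive unchanged because they land in their own queue, while the flood is reduced to three representative events that still carry its true size.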
About sensor processes
Symantec Network Security sensors can operate using in-line or passive mode,
and using interface groups or single monitoring interfaces. In-line deployment
and interface groups are possible using a Symantec Network Security 7100
Series appliance only.
Independent of the deployment mode of a particular sensor, Symantec Network
Security applies the same comprehensive detection strategy and protection,
tuned to maximize detection while retaining network performance and
reliability. For example, using in-line mode, the sensor tunes itself to minimize
latency and maximize throughput across a pair of interfaces. Using interface
groups, the sensor correctly adjusts itself to compensate for the fact that a
single network session may be conducted using multiple, asymmetric links.
Using single monitoring interfaces, the sensor batch-processes packets to
maximize detection coverage.
About Smart Agents
Symantec Network Security Smart Agents® (Smart Agents) combine an
investment in first-generation network intrusion detection products with
Symantec Network Security’s high speed and zero-day attack detection
capabilities. Using Smart Agents as the bridge between Symantec Network
Security and other intrusion detection and firewall products, users can
centralize management of events and incidents from the Network Security
console.
Smart Agents enable Symantec Network Security to collect data from
third-party hosts and network IDS products in real time. Smart Agents collect
event data from external sensors such as Symantec Decoy Server®, as well as
from third-party sensors, log files, SNMP, and source APIs. They send this data
to be analyzed, aggregated, and correlated with all other Symantec Network
Security events.
About FlowChaser
FlowChaser serves as a data source in coordination with TrackBack, a response
mechanism that traces a DoS attack or network flow back to its source, or to the
edges of an administrative domain. FlowChaser receives network flow data from
multiple devices, such as Network Security sensors and network routers.
FlowChaser stores the flow data in an optimized fashion that enhances analysis,
correlation, and advanced responses.
About the 7100 Series appliance node
The Symantec Network Security 7100 Series is a dedicated, scalable appliance
designed to monitor and protect multiple network segments at multi-gigabit
speeds using Symantec Network Security software. The appliance provides
advanced intrusion detection and prevention on enterprise-class networks. The
Symantec Network Security 7100 Series runs an optimized, hardened operating
system with limited user services to further increase security and performance.
The appliance provides all the functionality of a Network Security software
node, with additional capabilities in the areas of detection, response, and
management.
This section describes the following topics:
■About detection on the 7100 Series
■About response on the 7100 Series
About detection on the 7100 Series
In addition to the detection facilities of Symantec Network Security software,
the 7100 Series appliance provides a new detection feature called interface
grouping.
About interface grouping
Interface grouping, also called port clustering, enables up to four monitoring
interfaces to be grouped together as a single logical interface. This is especially
useful in asymmetrically routed environments, where incoming traffic is seen
on one interface and outbound traffic passes through another. Grouping the
interfaces into one logical interface with a single sensor allows state to be
maintained during the session, making it possible to detect attacks.
About response on the 7100 Series
An important new 7100 Series response capability is provided by the addition of
in-line monitoring mode.
About in-line monitoring mode
In-line monitoring mode places the full capabilities of the Symantec Network
Security 7100 Series directly into the network path, enabling you to detect and
block malicious traffic before it enters your network. With an active sensor
monitoring traffic on an in-line interface pair, all packets are examined in real
time so that you can prevent intrusions from reaching their targets. By
comparison, passive mode supplies monitoring, alerting, and response
capabilities, while in-line mode provides all these plus proactive intrusion
prevention.
About blocking or alerting mode
In-line mode protection policies are configurable so that you can choose to block
and alert on designated events. You can easily switch between blocking and
alerting in the Network Security console.
In blocking mode, all network traffic is examined by the Network Security
detection software before it enters your network, and is blocked if malicious.
When a protocol anomaly event or an event matching an enabled signature is
detected, the offending packet is dropped. For TCP/IP traffic, a reset is sent to
the TCP connection.
In alerting mode, the Network Security detection software still analyzes all
packets as they enter your network, but does not prevent an intrusion attempt
from proceeding. You can configure a non-blocking protection policy to send a
reset and an alert, based on event ID.
With only alerting enabled under in-line mode, there is no risk of inadvertently
blocking legitimate network traffic. The advantage of in-line alerting mode over
operating in passive mode is that you can enable blocking with a single
mouse-click from the Network Security console. You don’t need to halt network
traffic while changing cabling and configuration to switch between in-line
alerting and blocking modes.
About fail-open
When you configure in-line mode on the Symantec Network Security 7100
Series appliance, you place the in-line interface pair directly into the network
path. If the appliance or one of those interfaces has a hardware or software
failure, all associated network traffic is blocked. You can avoid this risk with the
addition of the 2 In-line Bypass unit or 4 In-line Bypass unit, custom fail-open
devices available from Symantec specifically for the appliance. These devices
provide the fail-open capability, allowing your network to stay up while you
make repairs.
At this time, the bypass units are only available for copper interfaces. There is
currently no fail-open solution for the fiber interfaces of the appliance model
7161.
Chapter 3
Getting Started
This chapter includes the following topics:
■Getting started
■About the management interfaces
■About user permissions
■About deployment
■About deploying single nodes
■About deploying node clusters
Getting started
This chapter provides a general outline of major tasks involved in setting up a
core Symantec Network Security intrusion detection system. It describes basic
tasks, including accessing the management interfaces (Network Security
console, serial console, and LCD panel), accessing nodes and sensors, and
establishing user permissions and access. It also describes most often used
deployment scenarios.
About the management interfaces
Symantec Network Security provides a management interface called the
Network Security console. Both the Symantec Network Security software and
the 7100 Series appliance utilize the Network Security console for the majority
of tasks. Users can also use a serial console or LCD panel for initial configuration
of the 7100 Series appliance.
About the Network Security console
The Network Security console serves as the main management interface for
both Network Security software nodes and 7100 Series appliance nodes. The
Network Security console uses QSP 256-bit AES encryption.
This section describes how to launch the Network Security console and adjust
the view:
■Launching the Network Security console
■Viewing the Network Security console
■Adjusting the Devices view
■Adjusting the Incidents view
■Viewing node status
Caution: The first time you launch the Network Security console after
installation, expect a wait time of a few minutes while the database files load.
Symantec Network Security caches the files after that first load, and makes
subsequent launches faster.
Launching the Network Security console
All users can launch the Network Security console on Windows, Solaris, and
Linux, and view the main tabs and menus.
To launch the Network Security console
1 Depending on the operating system, do one of the following:
■For Windows, double-click the Symantec Network Security icon on the
desktop.
■For Solaris or Linux, run the following command:
<path to java>/bin/java -Xmx256M -jar snsadmin.jar
For example:
/usr/SNS/java/jre/bin/java -jar snsadmin.jar
Note: The Network Security console must have Java 1.4 installed to run.
2 In Hostname, enter the hostname or IP address of the software or appliance
node you want to monitor.
3 In Port, enter the port number.
If in a cluster, all nodes must use the same port number.
4 In Username, enter the user name. Access and permissions depend on the
user group of your login account.
5 In Passphrase, enter the passphrase established for your user login account,
and click OK.
Caution: If a non-SuperUser uses the wrong passphrase, an Incorrect
Username or Passphrase message appears. If this occurs multiple times (as
specified by the Maximum Login Failures parameter), the Network Security
console locks the non-SuperUser out. Even if the correct passphrase is used
at that point, access is denied. Contact the SuperUser to create a new
passphrase.
Viewing the Network Security console
The Network Security console contains three main tabs that provide a view of
the network topology, the network traffic, and the detection and response
functionality:
■The Devices tab provides a hierarchical tree view of the network topology
with a detailed summary of each device.
■The Incidents tab provides detailed descriptions of security incidents and
their correlated events taking place in the network, including sub-levels of
packet detail.
■The Policies tab provides the area for managing protection policies and
automated responses at the point of entry.
Adjusting the Devices view
You can adjust the display of the network topology tree in the Devices tab as
follows:
To display the entire topology tree
■In the Devices tab, click Topology > Expand All Objects.
To display all device objects and hide all interface objects
■In the Devices tab, click Topology > Expand Categories.
To display the first level of objects in the topology tree
■In the Devices tab, click Topology > Collapse All Objects.
Adjusting the Incidents view
You can adjust the display of the events and incidents tables in the Incidents tab
as follows:
To adjust the font size of the display
■In the Incidents tab, click Configuration > Table Font Size > OK.
Adjusting the Policies view
You can adjust the display of the list of event types in the Policies tab, to view a
workable subset. To do this, see “Adjusting the view of event types” on page 68.
Viewing node status
The Network Security console displays an object in the topology tree
representing devices and interfaces in the network. When a software or
appliance node experiences a process failure of any kind, the Network Security
console displays the node with a red X, called the Node Status Indicator. This
signifies that Network Security processes or connectivity to the network has
failed.
To view node status
◆See the Node Status Indicator for the software or appliance node.
A red X or Node Status Indicator signifies that Network Security
processes or network connectivity failed on a software or
appliance node.
About management of 7100 Series appliances
Users can also use a serial console or LCD panel for initial configuration of the
7100 Series appliance, as well as the Network Security console.
About the LCD panel
The Symantec Network Security 7100 Series appliance is equipped with an LCD
screen and push buttons on the front bezel. The screen can display two lines of
sixteen characters each, and there are six buttons: four arrow buttons and two
function buttons labeled s (start) and e (enter).
You can use the LCD panel for initial configuration of your appliance. After
initial configuration, the LCD screen displays system statistics in a rotating
sequence, and provides a menu of tasks including stopping and starting
Symantec Network Security, rebooting or shutting down the appliance, and
changing the IP address.
About the serial console
You can use the serial console for initial configuration of the appliance and for
command line access to the operating system utilities and filesystems. The
serial console provides an alternative to using the LCD panel for initial
configuration.
Serial console access requires a valid username and password.
Note: See the Symantec Network Security 7100 Series Implementation Guide for
more information about the serial console and LCD panel.
About user permissions
Symantec Network Security provides an efficient way to administer user access
using four predefined groups: SuperUser, Administrator, StandardUser, and
RestrictedUser. The installation procedure creates one user login account in the
SuperUser group with full access and all permissions. At any time after
installation, this SuperUser can create additional user login accounts in any of
the four groups, from the Network Security console. Each group includes a
predefined set of permissions and access that cannot be modified.
Note: The four user groups are unique to the Network Security console and do
not extend to the serial console or the LCD panel. See the Symantec Network Security 7100 Series Implementation Guide for more information about the
serial console and LCD panel.
About user passphrases
The SuperUser password for a master 7100 Series node is entered during the
initial configuration of the appliance. This password is used for the Network
Security console login, root login, secadm login, and for unlocking the LCD
panel. For security reasons, we recommend that you change passwords
periodically for the root, secadm, and Network Security console user login
accounts.
Symantec Network Security provides an efficient way to control access to the
Network Security console for both software and appliance nodes by managing
user passphrases.
The passphrase identifies each user with a user group that includes a predefined
set of permissions and access. All users can change their own passphrase at any
time.
To change login account passphrases
1 In the Network Security console, click Admin > Change Current
Passphrase.
2 In Change Passphrase for <user>, enter the existing passphrase.
3 Enter a new passphrase from 6 to 16 characters, inclusive, and confirm it.
4 Click OK to save and close.
Note: If a non-SuperUser uses an incorrect passphrase, an Incorrect
Username or Passphrase message appears. If this happens multiple times
(as specified by the Maximum Login Failures parameter), the user can be
locked out. Even if the correct passphrase is used at that point, access is
denied. Contact the SuperUser to create a new passphrase.
Note: Both StandardUsers and RestrictedUsers can modify their own
passphrases, but cannot add, edit, or delete those of other users.
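The passphrase rules above (6 to 16 characters, lockout of non-SuperUsers after Maximum Login Failures, reset only by a SuperUser) as an added, illustrative model; this is not Symantec's implementation, and the lockout threshold of 3, the PBKDF2 storage and the function names are assumptions.

```python
"""Added model of the Network Security console passphrase and lockout rules
(illustrative; not Symantec's code). MAX_LOGIN_FAILURES is a constructed value."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_PASSPHRASE = 6        # inclusive bounds from the change-passphrase procedure
MAX_PASSPHRASE = 16
MAX_LOGIN_FAILURES = 3    # stands in for the Maximum Login Failures parameter

USER_GROUPS = ("SuperUser", "Administrator", "StandardUser", "RestrictedUser")


def _digest(passphrase: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 digest rather than the passphrase itself (assumption).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def valid_passphrase(passphrase: str) -> bool:
    return MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE


@dataclass
class Account:
    name: str
    group: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False

    @classmethod
    def create(cls, name: str, group: str, passphrase: str) -> "Account":
        if group not in USER_GROUPS:
            raise ValueError(f"unknown group {group!r}")
        if not valid_passphrase(passphrase):
            raise ValueError("passphrase must be 6 to 16 characters")
        salt = os.urandom(16)
        return cls(name, group, salt, _digest(passphrase, salt))

    def check(self, passphrase: str) -> bool:
        # Constant-time comparison of the stored and offered digests.
        return hmac.compare_digest(self.digest, _digest(passphrase, self.salt))


def login(acct: Account, attempt: str) -> str:
    """Returns 'ok', 'incorrect' or 'locked'."""
    if acct.locked:
        return "locked"            # a correct passphrase no longer helps
    if acct.check(attempt):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    # Only non-SuperUser accounts lock out, as the note describes.
    if acct.group != "SuperUser" and acct.failures >= MAX_LOGIN_FAILURES:
        acct.locked = True
    return "incorrect"


def change_own_passphrase(acct: Account, current: str, new: str, confirm: str) -> bool:
    """Admin > Change Current Passphrase: every user may change their own."""
    if acct.locked or not acct.check(current):
        return False
    if new != confirm or not valid_passphrase(new):
        return False
    acct.salt = os.urandom(16)
    acct.digest = _digest(new, acct.salt)
    return True


def superuser_reset(actor: Account, target: Account, new: str) -> bool:
    """Only a SuperUser sets a new passphrase for a locked-out user (assumption
    drawn from 'Contact the SuperUser to create a new passphrase')."""
    if actor.group != "SuperUser" or not valid_passphrase(new):
        return False
    target.salt = os.urandom(16)
    target.digest = _digest(new, target.salt)
    target.failures = 0
    target.locked = False
    return True
```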
About deployment
Both software and appliance nodes can be deployed singly or clustered:
■Single-node deployment: A peer relationship between one or more
individual single nodes, viewed from one or more independent Network
Security consoles.
■Cluster deployment: A hierarchical relationship between one master node
and up to 120 slave nodes that synchronize to the master node.
Both software and appliance nodes can be deployed using passive mode; only
7100 Series appliances can be deployed using in-line mode:
■In-line deployment: Only the Symantec Network Security 7100 Series
appliance can be deployed in-line at this time. In-line mode enables multiple
features such as the ability to block specified traffic from entering the
network.
■Passive deployment: Both software and appliance nodes can be deployed in
passive mode, and positioned near the network, where they do not impede
network performance as a point of failure. No service is ever lost, even if the
node fails. The possibility of failure can be mitigated by failover groups that
maintain the availability of all nodes.
About deploying single nodes
Symantec Network Security can be deployed as one or more single nodes that
operate independently of each other within your network. This section describes
both Network Security software nodes and 7100 Series appliance nodes
deployed in this manner.
This figure shows the relationship between a fictitious network, a single
software or appliance node, and a possible intruder:
Figure 3-1 Fictitious Network Map with Intruder
(Figure labels: Internet, Router, Network Security console, Software or
appliance node, Host 1 through Host 4, Attacker.)
About deploying single Network Security software nodes
Symantec Network Security can be deployed using one or more single Network
Security software nodes. Each node functions independently as the master node
in a cluster of one.
Managing a single node is simpler than managing a cluster. For example, you
can partition your network to make each security administrator responsible for
only one segment, without the need to communicate with other segments or
with other software or appliance nodes. In this scenario, the nodes have no
method of communication with each other. Using a single Network Security
console, you can log in to any single node in your network, and view it
individually. With single-node deployment, users cannot view all nodes
simultaneously from the Network Security console. Also, failover groups do not
function for single nodes.
About deploying single 7100 Series appliance nodes
You can deploy a Symantec Network Security 7100 Series node just as you would
a Network Security software node. It can operate independently or as part of a
cluster. A 7100 Series appliance also has several extra deployment options. You
can configure it for interface grouping, in-line mode, and fail-open, in addition
to passive monitoring mode. You can also deploy the appliance using a
combination of these modes in a way that best suits your network.
About interface grouping
Interface grouping provides a solution when your network employs asymmetric
routing. Asymmetric routing occurs when traffic arrives on one interface and
departs on another. Because the request and reply sides of the client/server
traffic are on different interfaces, a standard monitoring interface cannot see
the full conversation to analyze it properly. With the Symantec Network
Security 7100 Series, you can place up to four interfaces into a single group. One
sensor is started for the interface group, allowing Symantec Network Security to
analyze the different traffic flows as if they were combined on one interface.
This is a very effective deployment mode for a network with asymmetric
routing.
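The asymmetric-routing problem described above, as an added illustration that is not Symantec's sensor code: constructed packets whose request arrives on eth1 and whose reply leaves on eth2, a per-interface sensor that sees only one direction of each flow, and an interface group (two to four interfaces, as the text specifies) whose single sensor sees the whole conversation. Interface names and addresses are constructed.

```python
"""Added illustration of interface grouping for asymmetric routing
(constructed traffic; not Symantec's code)."""
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, NamedTuple, Set, Tuple


class Packet(NamedTuple):
    iface: str      # appliance interface the packet was copied to
    src: str
    sport: int
    dst: str
    dport: int


Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]
Direction = Tuple[Endpoint, Endpoint]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key, so request and reply map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def make_interface_group(ifaces: Iterable[str]) -> FrozenSet[str]:
    """A 7100 Series interface group holds two to four interfaces sharing one sensor."""
    group = frozenset(ifaces)
    if not 2 <= len(group) <= 4:
        raise ValueError("an interface group needs 2 to 4 distinct interfaces")
    return group


def sensor_view(packets: Iterable[Packet], ifaces: FrozenSet[str]) -> Dict[FlowKey, Set[Direction]]:
    """Directions of each flow observed by one sensor bound to `ifaces`.
    A lone monitoring interface is just a group of size one here."""
    seen: Dict[FlowKey, Set[Direction]] = defaultdict(set)
    for p in packets:
        if p.iface in ifaces:
            seen[flow_key(p)].add(((p.src, p.sport), (p.dst, p.dport)))
    return dict(seen)


def full_conversations(view: Dict[FlowKey, Set[Direction]]) -> int:
    """Flows for which the sensor saw both the request and the reply side."""
    return sum(1 for directions in view.values() if len(directions) == 2)


# Constructed asymmetric traffic: client requests enter on eth1, server
# replies leave on eth2, so neither interface alone carries a full flow.
SAMPLE = [
    Packet("eth1", "10.1.1.5", 40001, "192.0.2.10", 80),
    Packet("eth2", "192.0.2.10", 80, "10.1.1.5", 40001),
    Packet("eth1", "10.1.1.5", 40001, "192.0.2.10", 80),
    Packet("eth1", "10.1.1.6", 40002, "192.0.2.10", 80),
    Packet("eth2", "192.0.2.10", 80, "10.1.1.6", 40002),
]

if __name__ == "__main__":
    single = sensor_view(SAMPLE, frozenset({"eth1"}))
    grouped = sensor_view(SAMPLE, make_interface_group(["eth1", "eth2"]))
    print("eth1 alone:", full_conversations(single), "of", len(single), "flows complete")
    print("eth1+eth2 group:", full_conversations(grouped), "of", len(grouped), "flows complete")
```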
About in-line mode
In-line mode is another mode of deployment available only with the Symantec
Network Security 7100 Series appliance. In-line mode uses an interface pair to
place the appliance directly into the network path. Both interfaces connect to
the monitored network segment, effectively separating it into two sides.
Incoming packets are fully analyzed before being allowed to continue into the
other side of the network. Because of the nature of the connection, it is
necessary to interrupt network traffic briefly while you connect the cables to the
appliance interfaces.
You can configure a policy for an in-line pair that alerts on or blocks malicious
traffic. When a malicious packet is detected in alerting mode, the appliance
software executes the configured responses, which may be email, Network
Security console displays, or other choices available on both appliances and
Network Security software nodes. Blocking mode prevents malicious traffic of
the designated event types from being transmitted into your protected network.
When a blocked TCP/IP event is detected, the node sends TCP resets to both
interfaces in the pair. For a blocked UDP event, the appliance drops the packet
and marks the flow as dropped.
For policies configured with both blocking and alerting, you can run Network
Security with blocking disabled until you are sure the policy is correct. If you
decide that the configured event types should be blocked, you can change the
policy to enable blocking with a single mouse-click in the Network Security
console.
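The alert-versus-block behaviour of an in-line pair described in the two paragraphs above, as an added model that is not Symantec's appliance code: a per-event-type policy, a single blocking switch that stays off while the policy is validated, TCP resets sent toward both sides of the pair for a blocked TCP event, and a dropped UDP packet whose flow is marked so later packets are dropped too. Event type names, addresses and the treatment of the blocked TCP packet as not forwarded are assumptions.

```python
"""Added model of in-line pair handling in alerting and blocking mode
(illustrative; not Symantec's code). Event names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]
FlowKey = Tuple[str, Endpoint, Endpoint]


@dataclass
class Packet:
    side: str                     # "A" or "B": interface of the pair it arrived on
    proto: str                    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    event: Optional[str] = None   # event type the sensor matched, if any


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent flow identity, so replies share the flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + ((a, b) if a <= b else (b, a))


@dataclass
class InlinePair:
    """policy maps event type -> "alert" or "block". blocking_enabled is the
    single switch the text describes: leave it off until the policy is trusted."""
    policy: Dict[str, str]
    blocking_enabled: bool = False
    dropped_flows: Set[FlowKey] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)   # stands in for email/console responses

    def enable_blocking(self) -> None:
        self.blocking_enabled = True

    def handle(self, p: Packet) -> List[str]:
        """Returns the actions taken for one packet, in order."""
        key = flow_key(p)
        if key in self.dropped_flows:
            return ["drop"]                        # UDP flow already marked dropped
        if p.event is None or p.event not in self.policy:
            return ["forward"]                     # no policy match: pass through
        actions = [f"alert:{p.event}"]
        self.alerts.append(p.event)                # configured responses fire in both modes
        if self.policy[p.event] == "block" and self.blocking_enabled:
            if p.proto == "tcp":
                # TCP: resets go out both interfaces of the pair (assumption: the
                # offending packet itself is not forwarded).
                actions += ["tcp_reset->A", "tcp_reset->B", "drop"]
            else:
                # UDP: drop the packet and mark the flow so later packets drop too.
                self.dropped_flows.add(key)
                actions.append("drop")
        else:
            actions.append("forward")              # alert-only: traffic continues
        return actions
```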
About fail-open
Fail-open is an option when using in-line mode and is the default for passive
mode. Fail-open means that if the appliance has a hardware failure, network
traffic will continue. Since the Symantec Network Security 7100 Series
appliance is directly in the network path while deployed using in-line mode,
fail-open capability requires the purchase and installation of a separate device.
The Symantec Network Security In-line Bypass unit has been custom designed
to provide fail-open capability for the Symantec Network Security 7100 Series.
The bypass unit is available in two models, which accommodate two or four
in-line interface pairs respectively. Fail-open is available for all copper gigabit
or Fast Ethernet interfaces on the appliance. It is not an option for fiber
interfaces at this time. The In-line Bypass unit is only necessary for fail-open
when appliance interfaces are configured for in-line mode. All interfaces
configured in passive mode are fail-open by default.
About deploying node clusters
The full power and advanced features of Symantec Network Security become
available when you create a group or cluster of nodes, and establish one node as
the master. A cluster of software or appliance nodes enables Symantec Network
Security to monitor all parts of a network from the central Network Security
console, and share information between nodes. In a clustered deployment, the
master node can check, update, and synchronize all nodes in the cluster.
High-availability failover deployment becomes available using pair
configurations of active and standby nodes. Users can view all Network Security
software nodes and 7100 Series appliance nodes in your network
simultaneously, and make full use of advanced capabilities.
(Figure: Clusters provide efficient administration of multiple nodes from a
single console. Labels: Network Security console, Master node, Slave nodes.)
Monitoring groups within a cluster
The Network Security console provides a way to subdivide a cluster into
different monitoring groups. You can then configure the Network Security
console to display only the incidents of selected monitoring groups. In this way,
you can manage the delegation of responsibilities in a large installation where
each operator is responsible for only a subset of software or appliance nodes.
This increases performance as well, because it reduces the number of incidents
that a single Network Security console must load.
When subdivided by monitoring groups, Symantec Network Security continues
to perform cross-node correlation across all nodes in the cluster, even though
the Network Security console displays incidents only from the subset.
Selecting a monitoring group
Symantec Network Security provides a way to display a subset of the incident
list focused on only those software or appliance nodes that are included in the
selected monitoring group.
To focus the incident view on a monitoring group
1 In the Network Security console, click Configuration > Monitoring Groups.
2 In Choose Monitoring Groups, select a group or check Default.
3 Click OK to view incidents from the selected monitoring group.
Note: Always assign at least one node to each monitoring group. If you
create groups without assigning nodes to them, you can miss events even
though the sensors detect them. In other words, you can inadvertently hide
your view of the events by creating groups that you do not use.
Note: Both StandardUsers and RestrictedUsers can choose monitoring
groups, but cannot add, edit, or delete them.
Chapter 4
Topology Database
This chapter includes the following topics:
■About the network topology
■Viewing objects in the topology tree
■Viewing the topology tree
■Launching Symantec Decoy Server
About the network topology
The Network Security console displays the topology tree on the Devices tab. The
topology tree represents the elements of your network, and provides Symantec
Network Security with the necessary information about the topology of the
network or portion of the distributed network that it monitors. Network
Security also requires information about connections to autonomous systems or
other segments within a distributed network.
Note: Both StandardUsers and RestrictedUsers can view the topology tree
displayed on the Devices tab, but cannot modify it.
The Network Security console displays the network topology as a hierarchical
tree structure. At a glance, you can see a representation of each network
location, network segment, and router in your network, as well as the 7100
Series appliance nodes and/or Network Security software nodes and interfaces
that monitor your network. The installation process generates some objects
automatically. Security administrators can add the others, providing Symantec
Network Security with the information it needs to monitor your network.
The following figure shows an example:
Viewing the topology tree
The topology tree can be modified at any time to adjust to new information, to
network reorganization, or to make other network changes. This section
describes how to view object information, refresh the topology tree view, and to
check the status of an individual Network Security software node.
Types of objects
The Devices tab displays the following types of objects to represent the elements
of your network and security system:
■Locations: Objects that represent physical or logical groups of one or more
network segments. The installation procedure automatically creates the
first location object, named Enterprise by default.
■Symantec Network Security nodes: The object category for both software
and appliance nodes.
    ■Software nodes: Objects that represent the Symantec Network Security
    software installed on a designated computer.
    ■7100 Series nodes: Objects that represent the Symantec Network
    Security 7100 Series appliances.
■Network devices: The object category for both routers and router interfaces.
    ■Routers: Objects that represent devices that store data packets and
    forward them along the most expedient route. Symantec Network
    Security monitors this connection between hosts or networks.
    ■Interfaces: Objects that represent boundaries across which separate
    elements can communicate. Interfaces provide the point of contact
    between Symantec Network Security and routers.
■Smart Agents: Objects that represent the entry point for event data from
Symantec Decoy Server, Symantec Network Security Smart Agents, and
other third-party sensors.
■Managed network segments: Objects that represent subnets in which the
network devices and interfaces reside. The Network Security console
automatically creates a network segment object for each unique subnet.
■Interfaces: Objects that represent boundaries across which separate
elements can communicate. Interfaces provide the point of contact between
Symantec Network Security and your network devices.
    ■Monitoring interfaces: Objects that represent dedicated ports that
    mirror incoming or outgoing traffic on a software or appliance node.
    ■In-line pairs: Objects that represent pairs of interfaces on a 7100 Series
    appliance node that are directly in the network traffic path. For a given
    flow, one interface connects to inbound traffic and the other to
    outbound traffic. Only in-line pairs can be configured to block
    malicious traffic.
    ■Interface groups: Objects that represent groups of two to four
    interfaces on a 7100 Series appliance node that share a common
    sensor. Interface groups are used to monitor asymmetrically routed
    network environments, and are configurable only on 7100 Series
    nodes.
Viewing node status
The Network Security console displays an object in the topology tree
representing devices and interfaces in the network. When a software or
appliance node experiences a process failure of any kind, the Network Security
console displays the node with a red X, called the Node Status Indicator. This
signifies that Network Security processes or connectivity to the network has
failed.
To view node status
◆See the Node Status Indicator for the software or appliance node.
A red X or Node Status Indicator signifies that Network Security processes
or network connectivity failed on a software or appliance node.
Viewing node details
When you click an object in the topology tree, the Network Security console
displays the description, if applicable, and other pertinent details about the
software or appliance node, such as its IP address or subnet mask.
To view node details
◆Click the corresponding device object.
The Network Security console displays the details and optional description
in the right pane.
Viewing object details
When you select an object in the Devices tab, the right pane displays
information about that object. Depending on the selected object, the following
information can appear in the right pane:
■Device Type: Displays the type of device selected.
■IP address: Displays the IP address of the selected device, or the
management IP address for a device with multiple IP addresses.
■Node Number: Displays the node number assigned to the software or
appliance node, between 1 and 120.
■Customer ID: Displays an optional user-defined ID. Customer IDs for in-line
pairs and interface groups reflect the 7100 Series appliance nodes to which
they belong.
■Model: Displays the model number of a 7100 Series appliance, either 7120,
7160, or 7161.
■Monitoring Group: Identifies the monitoring group of the selected device, if
any.
■Monitored Networks: Identifies the networks for which port usage patterns
are tracked and anomalies detected. Displayed only if you entered network
IP addresses on the Network tab when editing interfaces, adding in-line
pairs, or adding interface groups. Available only on 7100 Series interfaces.
■TCP Reset Interface: Displays the interface that sends TCP resets; either
eth0, eth1, or eth2, corresponding to your choice of RST0, RST1, or RST2
when you added the interface group.
■Bandwidth: Displays the expected throughput for the selected object.
■Sensor Status: Displays the current status of the related sensor.
■Description: Displays a brief optional description of the object.
■Active Security Incidents: Displays the active incidents of the selected
topology object, with name, state, node number, and last date modified.
Viewing objects in the topology tree
This section describes the following network elements represented on the
topology tree in the Devices tab of Network Security:
■About location objects
■About router objects
■About Symantec Network Security objects
■About Smart Agents
■Viewing the topology tree
Viewing auto-generated objects
The installation process automatically creates a number of objects in the
topology tree. These objects can be renamed and configured, and in some cases,
you can add more of them to the topology tree. For example, the installation
process creates an object for one location in the topology tree, called Enterprise
by default. Users can add more location objects to represent other locations.
Symantec Network Security also automatically creates objects for managed
network segments in the topology tree.
See the following for related information:
See “About location objects” on page 51.
See “About managed network segments” on page 62.
About location objects
The Symantec Network Security installation process automatically adds one
location named Enterprise. A location object represents any physical or logical
group of managed network segments. Each location must contain one or more
network segments. A cluster of Symantec Network Security nodes can contain
multiple locations, and you can add more objects to represent them. At least one
location object must exist in the topology tree before you can add software or
appliance nodes, device objects, or interface objects.
About Symantec Network Security objects
The installation process automatically creates an object in the topology tree to
represent the first software or appliance node. This defaults to master node
status, and the installation program automatically assigns it a node number of 1.
All software and appliance nodes installed in the network after this master
node default to slave node status. The master node synchronizes the
databases on all slave nodes in a cluster to its topology, detection and response
policy, and configuration databases.
Under Enterprise, the location object created automatically during the
installation process, SuperUsers can add objects to represent each Network
Security software node and 7100 Series appliance node.
About software nodes
Software nodes are the objects that represent Symantec Network Security
software installed on designated computers. Under Enterprise, the location
object created automatically during the installation process, SuperUsers can
add an object to the topology tree to represent each Network Security software
node.
Viewing software nodes
The Devices tab displays detailed information about each object in the topology
tree, upon selection. The Advanced Network Options tab contains information
about the designated computer that this node represents in the topology tree.
The installation process automatically provides this information.
Note: Both StandardUsers and RestrictedUsers can view software or appliance
nodes, but cannot add, edit, or delete them.
To view software nodes
1 On the Devices tab, do one of the following:
■Click an existing monitoring interface to view summary information in
the right pane.
■Right-click an existing software node, and click Edit to view detailed
information.
2 In Edit Software Node, click the Node Options tab.
The following list describes the node option fields:
■Name: Indicates the descriptive name of the object, established when
added to the topology tree.
■Customer ID: Indicates an optional identification.
■IP: Indicates the IP address for the node; administration IP address if the
node is positioned behind a NAT device.
■Node Number: Indicates the unique node number.
■Monitoring Group: Indicates the monitoring group the node is assigned to,
if any.
■Failover Group: Indicates the failover group and identifying group number,
if any.
■Master Node Sync Info: Indicates the synchronization password and
confirmation, if the node is part of a cluster.
■Description: Includes any optional notes about the selected node.
3 In Edit Software Node, click the Advanced Network Options tab.
The following list describes the advanced network option fields:
■Local IP: Indicates the internal IP address for a node behind a NAT router.
■Netmask: Indicates which part of the node’s IP address applies to the
network.
■Default Router: Indicates the IP address of the router that sends network
traffic to and from the node.
■DNS Server 1: Indicates the primary Domain Name Service server for the
node, which maps hostnames to IP addresses.
■DNS Server 2: Indicates the secondary Domain Name Service server for the
node.
■Hostname: Indicates the name of the host.
4 Click Cancel to close the view.
About monitoring interfaces
Monitoring interfaces communicate between the Symantec Network Security
software or appliance node, and the network device, such as a router. The
software or appliance node receives data about traffic on the router via the
monitoring interface. SuperUsers can add objects to represent monitoring
interfaces that connect software or appliance nodes to network devices.
Viewing monitoring interface objects
The Network Security console provides a way to view monitoring interfaces in
the topology tree. The Interface and Networks tabs contain information about
the designated computer that this node represents in the topology tree. The
installation process automatically provides this information.
Note: Both StandardUsers and RestrictedUsers can view monitoring interfaces,
but cannot add, edit, or delete them.
To view monitoring interfaces on software nodes
1 On the Devices tab, do one of the following:
■Click an existing monitoring interface to view summary information in
the right pane.
■Right-click an existing monitoring interface, and click Edit to view
detailed information.
2 In Edit Monitoring Interfaces, click the Interface tab.
The following list describes the interface fields:
■Descriptive Name: Indicates the descriptive name of the object, established
when added to the topology tree.
■Interface Name: Indicates the name of the interface, established when
added to the topology tree.
■Customer ID: Indicates an optional identification.
■Expected throughput: Indicates the expected throughput as established
when added to the topology tree.
■Description: Includes any optional notes about the selected node.
3 In Edit Monitoring Interfaces, click the Networks tab to view the networks
that this interface monitors.
4 Click Cancel to close the view.
About appliance nodes
7100 Series appliance nodes are the objects that represent Symantec Network
Security software installed on the new Symantec Network Security 7100 Series
appliance.
Under Enterprise, the location object created automatically during the
installation process, SuperUsers can add objects to represent each Symantec
Network Security 7100 Series appliance node.
Viewing 7100 Series nodes
The Network Security console provides a way to view Symantec Network
Security 7100 Series nodes. The installation process leaves the fields in the
Advanced Network Options tab blank. After installation, you can view the
Advanced Network Options.
The Advanced Network Options tab contains information about the designated
appliance that this node represents in the topology tree. The initial
configuration process automatically provides this information. The fields
remain blank until then.
Note: Both StandardUsers and RestrictedUsers can view software or appliance
nodes, but cannot add, edit, or delete them.
To view 7100 Series nodes
1 On the Devices tab, do one of the following:
■Click an existing 7100 Series node to view summary information in the
right pane.
■Right-click an existing 7100 Series node, and click Edit to view detailed
information.
2 In Edit 7100 Series Node, click the Node Options tab.
The following list describes the node option fields:
■Model: Indicates the model number of the 7100 Series node.
■Name: Indicates the descriptive name of the object, established when
added to the topology tree.
■Customer ID: Indicates an optional identification.
■IP: Indicates the IP address for the node; administration IP address if the
node is positioned behind a NAT device.
■Node Number: Indicates the unique node number.
■Monitoring Group: Indicates the monitoring group the node is assigned to,
if any.
■Failover Group: Indicates the failover group and identifying group number,
if any.
■Master Node Sync Info: Indicates the synchronization password and
confirmation, if the node is part of a cluster.
■Description: Includes any optional notes about the selected node.
3 In Edit 7100 Series Node, click the Advanced Network Options tab.
The following list describes the advanced network option fields for a 7100
Series node:
■Local IP: Indicates the internal IP address for a node behind a NAT router.
■Netmask: Indicates which part of the node’s IP address applies to the
network. Required field.
■Default Router: Indicates the IP address of the router that sends network
traffic to and from the node. Required field.
■DNS Server 1: Indicates the primary Domain Name Service server for the
node, which maps hostnames to IP addresses.
■DNS Server 2: Indicates the secondary Domain Name Service server for the
node.
■Hostname: Indicates the hostname of the 7100 Series node.
4 Click Cancel to close the view.
About 7100 Series interfaces
Each Symantec Network Security 7100 Series interface is a point of contact
between the 7100 Series node and a network device. The node accesses traffic on
the network device via the interface.
There are three interface types available on a 7100 Series node:
■Monitoring interface: A single interface that monitors network traffic
copied to it from a network device. Also known as a passive mode interface.
Monitoring interface objects are automatically generated when a node
object is added.
■Interface group: Two to four passive mode interfaces sharing a single
sensor. Used in an asymmetrically routed environment.
■In-line pair: Two interfaces cabled into the actual network traffic path,
and configured for in-line mode. Allows blocking of malicious traffic.
Viewing a monitoring interface on a 7100 Series node
The Network Security console provides a way to view the automatically
generated interface objects on a 7100 Series node.
Note: Both StandardUsers and RestrictedUsers can view monitoring interfaces,
but cannot add, edit, or delete them.
To view monitoring interfaces on 7100 Series nodes
1 On the Devices tab, do one of the following:
■Click an existing monitoring interface to view summary information in
the right pane.
■Right-click an existing monitoring interface, and click Edit to view
detailed information.
2 In Edit Monitoring Interfaces, click the Interface tab.
The following list describes the interface fields:
■Descriptive Name: Indicates the descriptive name of the object, established
when added to the topology tree.
■Interface Name: Indicates the name of the interface, established when
added to the topology tree.
■Customer ID: Indicates an optional identification.
■Expected throughput: Indicates the expected throughput as established
when added to the topology tree.
■TCP Reset Interface: Indicates the interface that sends TCP resets.
■Description: Includes any optional notes about the selected node.
3 In Edit Monitoring Interfaces, click the Networks tab to view the networks
that this interface monitors.
4 Click Cancel to close the view.
Viewing interface groups
The Network Security console provides a way to view interface group objects on
a 7100 Series node.
To view an interface group
1 On the Devices tab, do one of the following:
■Click an existing interface group to view summary information in the
right pane.
■Right-click an existing interface group, and click Edit to view detailed
information.
2 In Edit Interface Group, click the Interface Group tab.
The following list describes the interface group fields:
■Name: Indicates the descriptive name of the object, established when
added to the topology tree.
■Expected throughput: Indicates the expected throughput as established
when added to the topology tree.
■TCP Reset Interface: Indicates the interface that sends TCP resets.
■Description: Includes any optional notes about the selected node.
3 In Edit Interface Group, click the Networks tab to view the networks that
this interface monitors.
4 In Edit Interface Group, click the Interface tab to view the interfaces that
belong to this group.
5 Click Cancel to close the view.
Viewing in-line pairs
The Network Security console provides a way to view in-line pairs on a 7100
Series node.
To view an in-line pair
1 On the Devices tab, do one of the following:
■ Click an existing in-line pair to view summary information in the right pane.
■ Right-click an existing in-line pair, and click Edit to view detailed information.
2 In Edit In-line Pair, in the In-line Pair tab, view the following information:
■ Name: Indicates the descriptive name of the object, established when added to the topology tree.
■ Expected throughput: Indicates the expected throughput as established when added to the topology tree.
■ Pair: Indicates the interfaces included in the pair.
■ Description: Includes any optional notes about the selected node.
3 In Edit In-line Pair, click the Networks tab to view the networks that this in-line pair monitors.
4 In Edit In-line Pair, click the Interface tab to view the interfaces that belong to this pair.
5 Click Cancel to close the view.
About router objects
Routers store data packets and forward them along the most expedient route
between hosts or networks. Symantec Network Security monitors this
connection. Add an object to the topology tree to represent each router that you
want Symantec Network Security to monitor.
Viewing router objects
The Network Security console provides a way to view routers.
To view a router object
1 On the Devices tab, do one of the following:
■ Click an existing router object to view summary information in the right pane.
■ Right-click an existing router object, and click Edit to view detailed information.
2 In Edit Router, the following list describes the information fields:
■ Name: Indicates the descriptive name of the object, established when added to the topology tree.
■ SNMP: Indicates the optional SNMP password and its confirmation, if any.
■ Description: Includes any optional notes about the selected node.
3 Click Cancel to close the view.
About router interfaces
An interface object represents each router interface through which Symantec
Network Security tracks attacks.
To view a router interface
1 On the Devices tab, do one of the following:
■ Click an existing router interface to view summary information in the right pane.
■ Right-click an existing router interface, and click Edit to view detailed information.
2 In Edit Router Interface, the following information is displayed:
■ Name: Indicates the descriptive name of the object, established when added to the topology tree.
■ Interface Name: Indicates the name of the selected interface according to the manufacturer’s naming conventions.
■ Customer ID: Indicates an optional unique identification.
■ IP: Indicates the IP address for the interface.
■ Netmask: Indicates the netmask for the interface.
■ Description: Includes any optional notes about the selected node.
3 Click Cancel to close the view.
About Smart Agents
Symantec Network Security Smart Agents are translation software that enable
Symantec Network Security to receive event data from external sensors, and
correlate that data with all other events.
Smart Agents expand the security umbrella and enhance the threat detection
value of existing security assets by aggregating third-party intrusion events into
Symantec Network Security, which leverages its correlation, analysis, and
response functionality.
Symantec Network Security contains an internal Smart Agent configuration to integrate Symantec Decoy Server events. To integrate events from any other external sensor, you must install an external Smart Agent designed for that sensor, and add a Smart Agent object to the topology tree to represent it.
To view a Smart Agent
1 On the Devices tab, do one of the following:
■ Click an existing Smart Agent object to view summary information in the right pane.
■ Right-click an existing Smart Agent object, and click Edit to view detailed information.
2 In Edit Smart Agent, the following information is displayed:
■ Name: Indicates the descriptive name of the object, established when added to the topology tree.
■ Customer ID: Indicates an optional unique identification.
■ IP: Indicates the IP address for the Smart Agent.
■ Type: Indicates the type of external sensor.
■ Receiver: Indicates the node that will receive data from an external sensor.
■ EDP Password: Indicates the EDP password and confirmation.
■ Description: Includes any optional notes about the selected node.
3 Click Cancel to close the view.
About Smart Agent interfaces
Smart Agent interface objects serve as a visual reminder of the location of any Symantec Network Security Smart Agents in the network. They also make Symantec Network Security aware of those interfaces for the TrackBack response action.
To view Smart Agent interfaces
1 On the Devices tab, do one of the following:
■ Click an existing Smart Agent interface to view summary information in the right pane.
■ Right-click an existing Smart Agent interface, and click Edit to view detailed information.
2 In Edit Smart Agent, the following information is displayed:
■ Name: Indicates the descriptive name of the object, established when added to the topology tree.
■ Customer ID: Indicates an optional unique identification.
■ IP: Indicates the IP address for the Smart Agent.
■ Netmask: Indicates the netmask.
■ Description: Includes any optional notes about the selected node.
3 Click Cancel to close the view.
About managed network segments
Managed network segments include each unique subnet in which the network
devices and interfaces reside. The Network Security console automatically
creates an object in the topology tree to represent each such managed network
segment in your network. Each time you add a new interface object, Symantec
Network Security adds a new object for the network segment in which the
interface resides, if not already represented. SuperUsers can edit the default
name (Untitled) and the description.
To view network segments
1 On the Devices tab, do one of the following:
■ Click an existing network segment object to view summary information in the right pane.
■ Right-click an existing network segment object, and click Edit to view detailed information.
2 In Edit Network Segment, the following information is displayed:
■ Name: Indicates the descriptive name of the object, established when added to the topology tree.
■ Network: Indicates the selected network.
■ Netmask: Indicates the netmask.
■ Description: Includes any optional notes about the selected node.
3 Click Cancel to close the view.
Launching Symantec Decoy Server
You can launch and log into the Symantec Decoy Server console by right-clicking any external sensor object in the topology tree and clicking Start Decoy Console. The Symantec Decoy Server console remains open even if you close the Network Security console.
This section includes the following:
■Launching from a new location
■Launching from a known location
Launching from a new location
This section describes how to launch the Symantec Decoy Server console from a
new location on the network.
To launch the Symantec Decoy Server console from a new location
1 Right-click any external sensor object in the topology tree, and click Start Decoy Console.
2 The first time, a Decoy Console Not Found message appears. Click OK.
3 In Select the Symantec Decoy Server Console Directory, navigate to the directory containing mtadmin.jar, and click Open. This file is typically located in Program Files\Symantec\Mantrap.
4 In Start Decoy Console, click Yes to confirm the path to the jar file.
After you launch the Symantec Decoy Server console from this new location, the location of the mtadmin.jar file is stored, so later launches only ask you to confirm it.
Launching from a known location
This section describes how to launch the Symantec Decoy Server console from a
known location on the network.
To launch the Symantec Decoy Server console from a known location
1 Right-click any external sensor object in the topology tree, and click Start Decoy Console.
2 In Start Decoy Console, click Yes to confirm the path to the mtadmin.jar file.
Note: The Symantec Decoy Server console must be closed independently of
the Network Security console. The Symantec Decoy Server console remains
open, even if you close the Network Security console.
Chapter 5
Protection Policies
This chapter includes the following topics:
■ About protection policies
■ Viewing protection policies
■ Adjusting the view of event types
About protection policies
Symantec Network Security provides protection policies, which use multiple detection components, such as signature and protocol anomaly detection, to take action directly at the point of entry into the network.
Protection policies enable users to tailor the protection based on security
policies and business need. Policies can be tuned by threat category, severity,
intent, reliability, and profile of protected resources. Common or individualized
policies can be applied per sensor, for both in-line and passive monitoring.
The Symantec Network Security software and the Symantec Network Security
7100 Series appliance employ a common core architecture that provides
detection, analysis, storage, and response functionality. Most procedures in this
section apply to both the 7100 Series appliance and the Symantec Network
Security 4.0 software. The 7100 Series appliance also provides additional
functionality that is unique to an appliance. Each section describes this
additional functionality in detail.
For example, when the 7100 Series appliance is deployed in-line, it can perform
session-based blocking against malicious traffic and prevent attacks from
reaching their targets.
Viewing protection policies
Symantec Network Security provides a set of pre-defined protection policies
that include attack policies, audit policies, and prevention policies. They can be
immediately activated by setting them to interfaces and applying them. You can
also define your own policies and activate them using the same procedures.
On the Protection Policies tab, you can view all available protection policies in
the left pane, and the node interfaces that they are applied to, in the right pane.
To see all available protection policies and interfaces
1 On the Policies tab, click Protection Policies.
2 Select an existing policy, and click View.
Understanding the protection policy view
The Protection Policies view contains five main tabs, as follows:
■ Protection Policies: set policies to interfaces; override blocking rules; apply/unapply policies
■ Search Events: set search criteria; search; view search events; adjust view of list
■ Full Event List: view unaltered event list; adjust view of list; select events to apply logging and/or blocking rules
■ Auto Update: configure LiveUpdate so any new event types that match criteria are logged
■ Notes: select events to apply logging and/or blocking rules; annotate policies to show notes as tool tips
The following list describes each tab more fully:
■ Protection Policies tab: Symantec Network Security installs with a set of pre-defined policies that you can use immediately by setting them to interfaces, overriding existing blocking rules, and applying them. See “Viewing protection policies”.
■ Search Events tab: At first, the Search Events tab displays the full list of event types that the selected policy can detect. You can reduce this list to a more manageable size by setting search parameters. Then the Search Results pane displays a subset of the types of events that you specified. You can apply logging and/or blocking rules from this tab, and add new protection policies that you define yourself. See “Adjusting the view by searching”.
■ Full Event List tab: The Full Event List displays all event types that the selected policy can detect. Even after you define the display on the Search Events tab, you can use the Full Event List to view the total list of all event types. You can also set logging and blocking rules from this tab.
■ Auto Update tab: Provides the ability to establish automatic policy, signature, and engine updates through LiveUpdate. See “Viewing policy automatic update”.
■ Notes tab: Provides the ability to annotate policies so that your note is displayed as a tool tip when you hover the cursor over the annotated policy. See “Annotating policies or events”.
Adjusting the view of event types
You can adjust the view of the event types list by using the Search Events tab.
You can also select which columns to show or hide, and sort the column data.
This section describes the following topics:
■Adjusting the view by searching
■Adjusting the view by columns
■Viewing event detailed descriptions
Adjusting the view by searching
Symantec Network Security provides search functionality so that you can focus
the view on a manageable subset of possible event types with specific
characteristics. The policy still detects and acts on the full list of event types;
but you have a shorter list to sift through as you decide what to block and what
to log. This section describes how to narrow or widen the view by searching for
event types that match certain characteristics.
The Search Events tab works in three steps:
1. Set search parameters to select event types that match certain characteristics.
2. Click Logged and/or Blocked to display event types that have logging or blocking rules.
3. Click Search Events to display a manageable subset of event types.
To adjust the view by searching for specific characteristics
1 In the Policies tab, select a policy, and click View > Search Events.
2 Provide some or all of the following search criteria:
■In Event Name, enter a name.
■In Protocol, select a protocol from the pull-down list.
■In Category, select a category from the pull-down list.
■In Severity, set a severity level from the pull-down list.
■In Confidence, set a confidence level from the pull-down list.
■In Intent, select an intention from the pull-down list.
■In Blocked, specify whether you want to view events with blocking
rules.
■In Logged, specify whether you want to view events with logging rules.
■In Note, specify the contents of the Note to search for events
containing the specified contents.
3 Click Search Events.
Search Results displays the total number of items shown in the subset.
4 Click OK to save and exit.
Note: Remember that the policy still contains the full list of event types. This search has provided a shorter, more manageable subset to view.
Note: Both StandardUsers and RestrictedUsers can adjust the view of event
types in a policy by searching for a subset of the list.
Adjusting the view by columns
Both the Search Events and Full Event List provide the ability to adjust the
display by selecting, moving, and sorting columns.
To adjust the view of both full and search events
1 In the Policies tab, do one of the following:
■ Click New.
■ Select a protection policy, and click View.
2 Do one of the following:
■ Click Search Events.
■ Click Full Event List.
3 Click Columns.
4 In Table Column Chooser, select each column that you want to see, and clear each that you want to hide.
5 Click a column heading to sort the table by one level.
6 Click OK.
Note: Both StandardUsers and RestrictedUsers can adjust the view of events in protection policies by showing and hiding columns.
Viewing logging and blocking rule details
Symantec Network Security provides a view of the logging and blocking rules
applied to each event type in a policy.
To view logging and blocking rule details
1 On the Policies tab, select a protection policy.
2 Click View.
3 In Full Event List, select an event type, and click Log/Block.
4 Click Cancel to exit.
Note: StandardUsers can view event details; RestrictedUsers cannot.
Viewing event detailed descriptions
Symantec Network Security provides detailed descriptions of the event types in
each policy through a browser display.
To view the detailed description of an event type
1 On the Policies tab, select a protection policy.
2 Click View.
3 In Full Event List, right-click an event type.
4 Click View Description to display a detailed description in your browser.
5 Click Cancel to exit.
Note: StandardUsers can view event details; RestrictedUsers cannot.
Viewing policy automatic update
The LiveUpdate functionality puts newly developed signatures to work
immediately by applying four criteria (category, protocol, severity, and
confidence). When LiveUpdate downloads new signatures into your system,
Auto Update Rules selects those signatures that match the criteria, and
automatically adds them to the policy. Even if the LiveUpdate occurs in the
middle of the night, Symantec Network Security immediately starts logging the
matching events.
To view Auto Update rules
1 In the Policies tab, click Protection Policies > View > Auto Update Rules.
2 Click Cancel to close the view.
Note: Both StandardUsers and RestrictedUsers can view Auto Update rules, but
cannot add, edit, or delete them.
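The following Python is an added example, not Symantec's code, covering the two filters described under “Adjusting the view by searching” and “Viewing policy automatic update”: a search that narrows only the view of a policy's event list (the policy itself keeps and detects every event type), and Auto Update rules that match newly downloaded signatures on category, protocol, severity and confidence and add them to the policy with a logging rule already set. Class and field names are assumptions; substring matching for Event Name and Note is an assumption; the event catalogue in make_policy() is constructed.

```python
"""Event-type search and Auto Update rule matching for a protection policy.
Added illustration, not product code: the EventType fields mirror the search
criteria in this chapter; the catalogue in make_policy() is constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class EventType:
    name: str
    protocol: str
    category: str
    severity: str      # informational | low | medium | high | critical
    confidence: str    # assumed scale: low | medium | high
    intent: str
    logged: bool = False
    blocked: bool = False
    note: str = ""


def search_events(policy: List[EventType], **criteria) -> List[EventType]:
    """Narrow the *view* of a policy's event list.

    Every criterion supplied must match; an omitted or None criterion means
    "any".  Event Name and Note are case-insensitive substring matches
    (assumption); the other fields match exactly.  The policy list is not
    modified: it still detects and acts on all of its event types.
    """
    def ok(e: EventType) -> bool:
        for key, wanted in criteria.items():
            if wanted is None:
                continue
            have = getattr(e, key)
            if key in ("name", "note"):
                if wanted.lower() not in have.lower():
                    return False
            elif have != wanted:
                return False
        return True
    return [e for e in policy if ok(e)]


@dataclass
class AutoUpdateRule:
    """The four LiveUpdate criteria; None means that criterion is not set."""
    category: Optional[str] = None
    protocol: Optional[str] = None
    severity: Optional[str] = None
    confidence: Optional[str] = None

    def matches(self, e: EventType) -> bool:
        return all(want is None or getattr(e, f) == want
                   for f, want in vars(self).items())


def apply_live_update(policy: List[EventType], rules: List[AutoUpdateRule],
                      downloaded: List[EventType]) -> List[str]:
    """Merge newly downloaded signatures into the policy.

    Signatures matching any Auto Update rule are added with logged=True, so
    the matching events are logged as soon as the update lands; the rest are
    added without a logging rule.  Returns the names auto-enabled for logging.
    """
    enabled = []
    for sig in downloaded:
        if any(r.matches(sig) for r in rules):
            sig = replace(sig, logged=True)
            enabled.append(sig.name)
        policy.append(sig)
    return enabled


def make_policy() -> List[EventType]:
    """Constructed sample catalogue (names are illustrative, not real signatures)."""
    return [
        EventType("HTTP Unicode Directory Traversal", "HTTP", "Web Attack",
                  "high", "high", "Attack", logged=True),
        EventType("HTTP Long Header", "HTTP", "Protocol Anomaly",
                  "medium", "medium", "Probe"),
        EventType("FTP Bounce", "FTP", "Access", "high", "high", "Attack",
                  blocked=True),
        EventType("SMTP VRFY Probe", "SMTP", "Recon", "low", "medium", "Probe",
                  note="noisy from mail scanner 10.1.2.3"),
    ]


if __name__ == "__main__":
    policy = make_policy()
    for e in search_events(policy, protocol="HTTP", severity="high"):
        print("view:", e.name)
    added = apply_live_update(policy, [AutoUpdateRule(category="Web Attack", severity="high")],
                              [EventType("HTTP Example A", "HTTP", "Web Attack", "high", "high", "Attack"),
                               EventType("DNS Example C", "DNS", "Recon", "high", "high", "Probe")])
    print("auto-logged:", added, "policy size:", len(policy))
```

The search returns a new list and never touches the policy, which is the point the Note above makes: shortening the view does not shorten what the policy detects. The Auto Update rule, by contrast, does change the policy, but only by enabling logging on signatures that meet all four configured criteria.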
Annotating policies or events
You can take notes on events at the following three levels:
■ Viewing policy annotations
■ Viewing event type annotations
■ Annotating event instances
Viewing policy annotations
If notes were taken about a particular policy, then when you hover the cursor
over that policy in the policy list, the note appears as a tool tip.
To view a policy annotation
◆ In the Policies tab, hover the cursor over the policy to display the note as a tool tip.
Note: Both StandardUsers and RestrictedUsers can view tool tips to protection
policies, but cannot add, edit, or delete them.
Viewing event type annotations
The Network Security console provides a field in which to make notes about an
event type within a policy. When the event is triggered, the note is displayed in
the Event Details. For example, a note might indicate that this event is a false
positive if it occurs within a certain IP range. The note is specific to that event
type when it occurs in that policy. The Event Details pane displays the note each
time this policy detects the annotated event.
To view notes about an event type in a policy
1 In the Policies tab, click View.
2 In View Protection Policy, do one of the following:
■ In Search Events, double-click an event.
■ In Full Event List, double-click an event.
3 In Note for Selected Event Type(s) in the lower pane, view the annotation about the selected event type.
4 Click Cancel to close the view.
Note: Both StandardUsers and RestrictedUsers can view notes to event types,
but cannot add, edit, or delete them.
Annotating event instances
The Network Security console provides a field in which to make notes about a
specific instance of an event. This provides assistance to system analysts in
resolving security incidents.
To add a note about an instance of an event
1 In the Incidents tab, do one of the following:
■ Double-click an incident.
■ In the upper pane, click an incident, and then in the lower pane, double-click the related event.
2 In Incident Details or Event Details, click Analyst Note.
3 Enter your annotation, and click Add Note.
4 Click Close.
Note: Both StandardUsers and RestrictedUsers can add notes to instances of an
event.
Chapter 6
Response Rules
This chapter includes the following topics:
■ About response rules
■ About automated responses
■ Viewing response rules
■ About response parameters
■ About response actions
■ About flow alert rules
About response rules
In addition to the ability to start detection and response immediately using
protection policies, Symantec Network Security also provides an automated,
rule-based response system. The response module responds to incidents
immediately, even if you cannot maintain system analysts on site around the
clock. The response module identifies, prioritizes, and responds appropriately to
whole classes of attacks, without requiring a separate response rule for each of
hundreds of individual base events. SuperUsers and Administrators can create
separate response rules specific to an individual event type, to any subset of
specified event types, or to all event types. This affords fast, effective responses
to suspicious behavior, and enables you to move quickly to stop attacks, even
DoS attacks, to mitigate potential damage, lost revenue, and the costs of
recovery.
The Symantec Network Security software and the Symantec Network Security
7100 Series appliance employ a common core architecture that provides
detection, analysis, storage, and response functionality. Most procedures in this
section apply to both the 7100 Series appliance and the Symantec Network
Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.
Symantec Network Security can take the following types of actions to respond to
attacks, individually or in sequence:
■Predefined actions
See “About response actions” on page 79.
■Configured custom response actions
See “About custom response action” on page 81.
■Triggered actions from third-party applications via Smart Agents
See “Integrating third-party events” on page 282.
■No actions
See “About no response action” on page 80.
■Responding at the point of entry
See “Defining new protection policies” on page 120.
About automated responses
Symantec Network Security’s automated rule-based response system includes
alerting, pinpoint traffic recording, flow tracing, session resetting, and custom
responses on both the software and appliance nodes and the Network Security
console. Symantec Network Security generates responses based on multiple
criteria such as event targets, attack types or categories, event sources, and
severity or confidence levels. Multiple responses can be configured for the same
event type, as well as the order in which Symantec Network Security executes
the responses.
Symantec Network Security reviews each event, and iterates through the list of response rules configured by the user. It compares each event against the configurable match parameters. If a match occurs on all parameters, it then executes the specified action. After Symantec Network Security processes one rule, the rule's Next parameter selects one of three alternatives: continue with the next rule in the list, jump over the intervening rules to a specific later rule, or stop rule processing altogether for this event.
Some automated responses also use node parameters through Configuration >
Node > Network Security Parameters. Symantec Network Security installs with
some of the response rule parameters defaulted; however, they require more
information to run successfully.
Note: Both StandardUsers and RestrictedUsers can view response rules, but
cannot configure, edit, or delete them.
Viewing response rules
All users can view the response rules in the Network Security console.
To view Response Rules
1 In the Network Security console, click Configuration > Response Rules.
2 In Response Rules, select a response rule. The background of the selected response rule turns purple.
3 Click a column to view the following response parameters:
■ Event Target
■ Event Type
■ Severity
■ Confidence
■ Event Source
■ Response Action
■ Next Action
4 Click the Response Actions column of a response rule to see all possible response actions.
Interpreting color coding
At a glance, you can tell which response rules have been saved, and which
remain to be saved, by the background colors:
Color: Indication
White: The response rule has been saved
Yellow: The response rule has not been saved
Purple: The response rule is currently selected
Select an entire row by clicking the number cell.
Note: Make sure to click OK to save yellow response rules before proceeding.
Searching event types
All users can view a more manageable subset of the entire event list by using any
or all of the search criteria to shorten the list of event types in the Search Event
List.
About response parameters
In Configuration > Response Rules, SuperUsers and Administrators can edit and configure response rule parameters to specify the characteristics of the events and incidents that Symantec Network Security responds to.
Each response rule contains the following response parameters:
■About event targets
■About event types
■About severity levels
■About confidence levels
■About event sources
■About response actions
■About next actions
About event targets
The event target parameter specifies the location where the detected incident
occurs. The possible values for this parameter include the locations, network
segments, and network border interfaces defined in the network topology
database.
About event types
The event type parameter specifies the base event or events for which the
response rule is defined. Event types are grouped into several larger protocol
and service attack categories. When Symantec Network Security detects a
suspicious event, it analyzes the event to match it to an event type.
About severity levels
The severity parameter describes the relationship between the action to take in
response to an incident and the severity of that incident. Before the analysis
process assigns a severity level to an incident, it analyzes the various events
that make up the incident according to the following factors:
■Intrinsic severity of the type of event: An event might consist of an FTP
packet transmitted on port 80. Because port 80 is used for HTTP traffic, this
event might represent an attack on a Web server. By itself, this example
might represent a medium level of intrinsic severity.
■Level of traffic, if it is a counter event: If Symantec Network Security
determines that a series of packets make up a flood attack, the height of the
severity level depends on the number and frequency of packets received.
■Severity of other events in the same incident: Symantec Network Security
correlates severity levels from all events in the same incident.
By using these variables to perform statistical analysis, Symantec Network
Security assigns different severity levels as they apply to an incident. As the
system gains information about the network, it integrates characteristics that
influence the levels to reflect the current state of the network security.
Because the traffic on every network is different, the severity levels specified in
the response rule parameters are relative values and contain no inherent
absolute definition. The creation of response rules in general and the selection
of severity levels for the specific response rules requires fine-tuning to existing
security response rules, as well as to the network traffic and ambient conditions.
If the severity assigned during analysis equals the severity level defined in the
response rule, as well as all other parameters defined in the response rule, then
Symantec Network Security responds to the incident by performing the action
associated with the response rule. SuperUsers and Administrators can also
specify that the action execute only if the incident priority level falls above or
below that of a particular severity level. Possible severity parameter values
include informational, low, medium, high, and critical.
About confidence levels
Symantec Network Security indicates the confidence level, a measure of the
likelihood of an actual attack. It determines the confidence level of the event by
analyzing the traffic behavior.
About event sources
The Network Security console can apply response rules to specific locations or
interfaces in the network using Event Source. The event source parameter
indicates that a rule applies only to events detected on a given interface. This
interface is not necessarily the target of the attack, but may in fact be the point
in the network at which Symantec Network Security is currently tracking the
attack. If the interfaces being inspected are receiving VLAN encapsulated
traffic, you can also specify that a rule applies to a specific VLAN ID.
About response actions
The Network Security console provides a way to apply the response rule to take
a specific action when triggered using Response Action. The Response
parameter determines the action Symantec Network Security takes if an
incident matches the event target, attack type, severity, confidence level, and
event source parameters. SuperUsers and Administrators can set multiple
response actions to react to specific types of incidents, or set custom response
actions to launch third-party applications in response to an incident.
Note: StandardUsers and RestrictedUsers can view response rules, but cannot
apply, edit, or delete them.
Symantec Network Security can take the following action or sequence of actions
in response to an event that matches the criteria:
■About no response action
■About email notification
■About SNMP notification
■About TrackBack response action
■About custom response action
■About TCP reset response action
■About traffic record response action
■About console response action
■About export flow response action
About next actions
The Network Security console provides a way to direct a sequence of response
rules that conclude with a follow-up action by using Next Action.
The Next parameter determines whether or not Symantec Network Security
continues checking for additional response rules that match the incident.
Possible values are Stop, Continue to Next Rule, and Jump to Rule. The Continue
to Next Rule value directs Symantec Network Security to search for the next
matching response rule after executing the current response rule. This enables
Symantec Network Security to make multiple responses to any particular
incident type, in combination with each other and in a desired sequence. The
Jump to Rule value directs Symantec Network Security to skip over intervening
response rules and go directly to a particular response rule, such as from Rule 5
to Rule 8. The Stop value directs Symantec Network Security to discontinue
searching for matching response rules.
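As an added example that is not part of the product, the following Python models the matching and Next-parameter behaviour described in this section: a rule fires only when every configured parameter (event target, event type, severity, confidence, event source, VLAN ID) matches the incident, its actions are taken in order, and Stop, Continue to Next Rule or Jump to Rule decides where evaluation goes next. Class and field names, the "ge"/"le" spelling of "above/below" a severity level, and the forward-only check on jump targets are assumptions; the rule set in sample_rules() is constructed.

```python
"""Response rule evaluation, modelled on the match-on-all-parameters and
Stop / Continue to Next Rule / Jump to Rule semantics described above.
Added illustration, not Symantec code; names and the forward-only jump
check are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

SEVERITY = ["informational", "low", "medium", "high", "critical"]


@dataclass
class Incident:
    target: str                 # location / segment / border interface from the topology
    event_type: str             # base event type assigned by analysis
    severity: str
    confidence: str
    source: str                 # interface the event was detected on
    vlan: Optional[int] = None  # VLAN ID when the interface receives VLAN-encapsulated traffic


@dataclass
class Rule:
    number: int
    actions: List[str]                 # response actions in order; "None" = no action
    next_action: str = "stop"          # "stop" | "continue" | "jump"
    jump_to: Optional[int] = None      # target rule number when next_action == "jump"
    target: Optional[str] = None       # None on any match field means "any"
    event_type: Optional[str] = None
    severity: Optional[str] = None
    severity_cmp: str = "eq"           # "eq" exact, "ge" at or above, "le" at or below
    confidence: Optional[str] = None
    source: Optional[str] = None
    vlan: Optional[int] = None


def severity_ok(rule: Rule, inc: Incident) -> bool:
    if rule.severity is None:
        return True
    want, have = SEVERITY.index(rule.severity), SEVERITY.index(inc.severity)
    return {"eq": have == want, "ge": have >= want, "le": have <= want}[rule.severity_cmp]


def matches(rule: Rule, inc: Incident) -> bool:
    """A rule fires only if every configured parameter matches the incident."""
    exact = [("target", inc.target), ("event_type", inc.event_type),
             ("confidence", inc.confidence), ("source", inc.source), ("vlan", inc.vlan)]
    return severity_ok(rule, inc) and all(
        getattr(rule, name) is None or getattr(rule, name) == value for name, value in exact)


def respond(rules: List[Rule], inc: Incident) -> List[str]:
    """Walk the rule list in number order; return the actions taken, in order."""
    ordered = sorted(rules, key=lambda r: r.number)
    index = {r.number: i for i, r in enumerate(ordered)}
    taken: List[str] = []
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not matches(rule, inc):
            i += 1
            continue
        taken.extend(a for a in rule.actions if a != "None")
        if rule.next_action == "stop":
            break                      # no further rules are checked for this incident
        if rule.next_action == "jump":
            # Jump to Rule skips the intervening rules (e.g. Rule 5 -> Rule 8).
            # Only forward jumps to an existing rule are accepted here, so a
            # mis-numbered rule cannot send evaluation into a loop (assumption).
            if rule.jump_to not in index or index[rule.jump_to] <= i:
                raise ValueError(f"rule {rule.number}: bad jump target {rule.jump_to}")
            i = index[rule.jump_to]
        else:                          # "continue": keep searching from the next rule
            i += 1
    return taken


def sample_rules() -> List[Rule]:
    """Constructed rule set used for the checks below."""
    return [
        Rule(1, ["Email Notification"], "continue", event_type="SYN Flood",
             severity="high", severity_cmp="ge"),
        Rule(2, ["Traffic Record"], "jump", jump_to=4, target="DMZ"),
        Rule(3, ["SNMP Notification"], "continue"),
        Rule(4, ["TCP Reset"], "stop", source="eth1"),
        Rule(5, ["Console"], "stop"),
    ]


if __name__ == "__main__":
    flood = Incident("DMZ", "SYN Flood", "critical", "high", "eth1")
    print(respond(sample_rules(), flood))   # Rule 1, then Rule 2 jumps past Rule 3 to Rule 4
```

With the constructed rules, a critical SYN Flood on the DMZ seen on eth1 collects Email Notification from Rule 1, Traffic Record from Rule 2, then jumps past Rule 3 to Rule 4's TCP Reset and stops; a low-severity Port Scan elsewhere skips Rules 1 and 2, picks up the catch-all SNMP Notification from Rule 3, misses Rule 4 on event source, and ends at Rule 5. A rule with the None action and Stop as its Next value yields no actions at all, which is the "ignore this incident type" configuration described under "About no response action".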
About response actions
Configurable response parameters indicate which action Symantec Network
Security will take if the event target, attack type, severity, confidence level, and
event source parameters match the incident. The SuperUser or Administrator
can define and customize response actions from the Network Security console.
If you specify a Smart Agent response action, the policy manager sends the
respective values to the appropriate Smart Agent. In Configuration > Response
Rules, select a rule, and click the Response Actions column to view the list of
actions that Symantec Network Security can take in response to an incident.
Symantec Network Security can respond to an incident via the following
response actions:
■About no response action
■About email notification
■About SNMP notification
■About TrackBack response action
■About custom response action
■About TCP reset response action
■About traffic record response action
■About console response action
■About export flow response action
About no response action
The None option directs Symantec Network Security not to respond to
particular types of incidents. Selecting the None option, followed by Stop as the
next action, configures Symantec Network Security to take no action in response
to specified types of incidents. SuperUsers and Administrators can also
configure Symantec Network Security to ignore specific attacks by setting a
filter.
About email notification
Alerting is a standard component of most intrusion detection systems because
security analysts must be kept informed of attack activity without having to
constantly monitor the Network Security console. Unfortunately, many IDS
products use the same interface for detection as for notification. In such a
configuration, a flood attack could prevent the console from sending email
notifications because the flood attack would overload the interface.
Symantec Network Security uses a separate, independent interface for
notification, thus enabling the Network Security console to successfully send
email notification even during an attack.
About SNMP notification
Symantec Network Security can initiate an SNMP notification in response to an
attack. The SNMP notification option directs Symantec Network Security to
send SNMP traps to an SNMP manager with a minimum delay of 1 minute
between responses. The IP address of the SNMP manager must be provided, and
the SNMP manager made aware of the Management Information Base (MIB).
Refer to the SNMP manager documentation for this information.
About TrackBack response action
Symantec Network Security provides the TrackBack™ response to track attacks
back to their sources. This capability is especially important for tracking
denial-of-service attacks that must be traced to their source in order to shut
them down most effectively. TrackBack automatically tracks a data stream to its
source within the cluster, or, if the source is outside the cluster, to its entry
point into the cluster. It does this by gathering information from routers or its
own sensor resources. Sensor require interfaces with applied protection policies
to run, as well as sensor parameters for flow statistics.
About custom response action
The Network Security console provides a way to set custom response actions to
launch third-party applications in response to an incident. To do this, a
command is entered in the Custom Response field which executes when the
response rule is triggered. The minimum delay between responses is 0.
Note: Both StandardUsers and RestrictedUsers can view custom response
actions, but cannot write them.
About TCP reset response action
The TCP reset response action directs Symantec Network Security to terminate
a TCP connection to prevent further damage from an attack. The minimum
delay between responses is 0.
About traffic record response action
The traffic record response dynamically records network traffic in response to
an event. With this option, Symantec Network Security can record traffic for a
specified period of time, or until a specified number of packets has been
collected.
The traffic record response action begins recording traffic when triggered. It
continues to record based on the number of minutes and the number of packets
specified in the response configuration. Traffic recording stops when either
limit is reached, whichever comes first. If the maximum number of packets is
reached before the maximum time, then traffic record stops recording, but waits
until the maximum time has expired before starting a new record action. The
number of responses per incident is also determined by the response
configuration. The minimum delay between responses is 1 minute.
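The interaction of the two limits, the wait until the maximum time expires, and the per-incident response count is easy to get wrong when sizing a recording policy. The following Python model is an added example, not code from the Symantec documentation or product; the configuration field names and the timeline are constructed for the illustration, and times are in minutes.

```python
from dataclasses import dataclass


# Constructed configuration for one traffic record response; the field names
# are assumptions, not the product's own parameter names.
@dataclass
class TrafficRecordConfig:
    max_minutes: float              # maximum recording time per record action
    max_packets: int                # maximum packets per record action
    responses_per_incident: int     # record actions one incident may trigger
    min_delay_minutes: float = 1.0  # the page's minimum delay between responses


class TrafficRecorder:
    """Models the traffic record response for a single incident."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.recordings = []    # one list of packet timestamps per record action
        self.current = None     # packets of the record action in progress
        self.window_end = None  # when the current record window expires
        self.last_trigger = None
        self.responses = 0

    def trigger(self, t):
        """Matching event fired at minute t. Returns True if a record action starts."""
        if self.responses >= self.cfg.responses_per_incident:
            return False        # per-incident response count exhausted
        if self.window_end is not None and t < self.window_end:
            # Even when the packet limit stopped recording early, no new record
            # action starts until the maximum time has expired.
            return False
        if (self.last_trigger is not None
                and t - self.last_trigger < self.cfg.min_delay_minutes):
            return False
        self.current = []
        self.recordings.append(self.current)
        self.window_end = t + self.cfg.max_minutes
        self.last_trigger = t
        self.responses += 1
        return True

    def packet(self, t):
        """Fully assembled packet seen at minute t. Returns True if recorded."""
        if self.current is None:
            return False
        if t >= self.window_end:
            self.current = None  # time limit reached: stop recording
            return False
        if len(self.current) >= self.cfg.max_packets:
            return False         # packet limit reached: stop, but wait out the window
        self.current.append(t)
        return True


def run_scenario():
    """Constructed timeline: 5-minute window, 3 packets, 2 responses per incident."""
    rec = TrafficRecorder(TrafficRecordConfig(max_minutes=5, max_packets=3,
                                              responses_per_incident=2))
    log = {"started": [], "refused": [], "recorded": []}
    timeline = [("trigger", 0), ("packet", 0.5), ("packet", 1.0), ("packet", 1.5),
                ("packet", 2.0), ("trigger", 3), ("trigger", 5), ("packet", 5.5),
                ("packet", 10.0), ("trigger", 11)]
    for kind, t in timeline:
        if kind == "trigger":
            log["started" if rec.trigger(t) else "refused"].append(t)
        elif rec.packet(t):
            log["recorded"].append(t)
    return log, rec.recordings


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed timeline the third packet fills the first record action at minute 1.5, the trigger at minute 3 is refused because the 5-minute window is still open, the trigger at minute 5 starts the second action, and the trigger at minute 11 is refused because the incident has used both of its responses.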
Note: This response action records only fully assembled packets from actual
flows, not malformed packets or packet fragments. You can view detected
packet contents in the Advanced tab of Event Details.
See “Viewing event details” on page 197.
About console response action
Symantec Network Security can initiate an action on the Network Security
console in response to an attack. A SuperUser or Administrator can configure
the response rule to play an alert sound and/or to execute a program on the
Network Security console. Any user can enable each Network Security console
individually to execute console response actions. The minimum delay between
responses is 1 minute.
Enabling console response actions
You must enable console response actions on each Network Security console
individually.
To enable specific console response actions
1 In the Network Security console, click Configuration > Response Rules.
3 In Local Console Configuration, choose from the following checkboxes:
■ Play Alert Sounds: Click this to enable this Network Security console
to emit an alert sound when triggered by an event.
■ Execute Programs: Click this to enable this Network Security console
to perform the console response action.
4 In Local Console Configuration, click OK to save and close.
Note: The Network Security console must be running in order for Symantec
Network Security to execute the console response action. If a Network
Security console starts after console response events are sent, it does not
execute the actions. Instead, upon startup, it displays a prompt indicating
that the actions did not execute.
About export flow response action
The export flow response action exports matching flows stored in the flow data
store. The action is based on the characteristics of the triggering events, which
are specified by parameters that the SuperUser provides when creating the rule.
The SuperUser or Administrator can use Export Flow to specify the event
characteristics of the triggering event. Flows that match the specified
characteristics are exported and saved. The minimum delay between responses
is 1 minute.
About flow alert rules
In addition to response rules, Symantec Network Security can respond to
network traffic according to flow alert rules. Flow alert rules respond to traffic
flows that violate defined policies on monitored networks. Flow alert rules can
be configured to notify you when a sensor or router detects flows that match
specific criteria.
Symantec Network Security collects data about network flows from various
devices. It optimizes the data to enable advanced response actions such as
TrackBack, and notifies you about illegal flows. Symantec Network Security uses
FlowChaser to store the data, in coordination with TrackBack, which traces a
DoS attack or network flow back to its source, or to the edges of the
administrative domain.
Note: StandardUsers can view flow alert rules, and RestrictedUsers have no
access at all.
Viewing flow alert rules
Symantec Network Security provides a way to view flow alert rules from the
Network Security console.
In Flow Alert Rule, you can view the rule details.
Playing recorded traffic
Like the FlowChaser, Query Current Flows, and Query Exported Flows, the
Traffic Playback Tool provides another way to search recorded data outside of
the Network Security reporting system. When you set a response rule to record
events of a particular description, you can then use the Traffic Playback Tool to
replay and scrutinize the records of those events.
See “Managing response rules” on page 132.
Replaying recorded traffic flow data
The Network Security console provides a way to review recorded traffic data in
two ways: from the Query button or from the Incidents tab on the main menu of
the Network Security console. The record of events is displayed as a table with
each row corresponding to one event. By selecting an event, you can display the
flow or delete the event. In the flow view, you can replay the details of the traffic
flow data.
To replay traffic flow data
1 Choose one of the following:
■ Click Flows > Traffic Playback > select a node > OK.
■ Click Incidents > double-click the Traffic Record Finished event >
Event Message.
Skip Steps 2 and 3, and proceed directly to Step 4.
2 In Traffic Playback Configuration, you can adjust the view as follows:
■ To adjust your view of Recorded Events, click Column.
■ To remove events you do not want to view, click the event, and then
click Delete.
3 In Recorded Events, click the row corresponding to an event to view the
flow of that event in Flows of Selected Record.
4 In Flows of Selected Record, click a row corresponding to a flow, then click
Playback.
5 In Packet Replay Tool, view the detailed packet data, one packet at a time.
6 To view all packet data in a session that includes multiple packets, on
Symantec Packet Replay Tool, click View > Show Session Window.
7 Return to Symantec Packet Replay Tool, and click Go.
Note: SuperUsers can view playbacks of recorded traffic; Administrators,
StandardUsers, and RestrictedUsers cannot. See “User groups reference” on
page 319 for more about permissions.
Chapter 7
Detection Methods
This chapter includes the following topics:
■ About detection
■ About sensor detection
■ About port mapping
■ About signature detection
■ About refinement rules
About detection
In addition to the ability to start detection immediately using protection
policies, Symantec Network Security also provides the tools to fine-tune the
detection to a particular environment using sensor parameters and port
mappings, and to enhance the detection using user-defined signatures.
Symantec Network Security can run multiple detection methods concurrently,
including protocol anomaly detection, signatures, IP traffic rate monitoring, IDS
evasion detection, and IP fragment reassembly.
The Symantec Network Security software and the Symantec Network Security
7100 Series appliance employ a common core architecture that provides
detection, analysis, storage, and response functionality. Most procedures in this
section apply to both the 7100 Series appliance and the Symantec Network
Security 4.0 software. The 7100 Series appliance also provides additional
functionality that is unique to an appliance. Each section describes this
additional functionality in detail.
■ Protocol anomaly detection
Symantec Network Security provides a way to tune the sensors to look for
particular types of anomalies and signatures on a port by reconfiguring the
default port mapping, or adding new mappings. For example, mappings can be
added to run services on non-standard ports or to ignore ports on which you
normally run non-standard protocols, to mitigate common violations of protocol
from being falsely reported as events.
■ Signature detection
Symantec Network Security provides the functionality to begin detection
immediately by applying protection policies. In addition to this initial ability,
detection can also be enhanced and tuned to a particular network environment
by creating and applying user-defined signatures.
■ Refinement rule detection
Symantec Network Security detects both known and unknown (zero-day)
attacks, using multiple detection technologies concurrently. Event refinement
rules extend the Protocol Anomaly Detection capabilities. Symantec Network
Security matches generic anomalies against a database of refinement rules, and
for known attacks, reclassifies an anomaly event by retagging it with its specific
name.
New refinement rules are available as part of SecurityUpdates on a periodic
basis. Each software or appliance node downloads the refinement rules from
LiveUpdate and stores them individually.
About sensor detection
Symantec Network Security provides an array of sensor parameters that are
preset for optimum performance and sensitivity. They can be tuned to address
specific network environments, and each sensor can be set individually to
devote it to specific tasks. These parameters perform multiple tasks, such as
enabling the collection of flow statistics and full packet data, setting threshold
levels for floods, scans, and sweeps, and regulating the percentage of traffic
types that the sensor tolerates before it notifies you.
The parameters also provide counter-based detection of floods and
denial-of-service attacks such as resource reservation and pipe filling, regulate
the suppression of duplicate events and enabling asymmetric routing, and
enable checksum validation for a variety of traffic types.
Viewing sensor parameters
The Network Security console provides a way to view descriptions of sensor
parameters. The upper right pane of the Sensor Parameters dialog displays a
description of the parameter. The lower right pane displays the current value.
To view the sensor parameters
1 On the Devices tab, right-click the sensor.
2 Click Configure Sensor Parameters.
3 In Sensor Parameters, scroll through the list and select a parameter to view.
4 Click OK to close.
About port mapping
Symantec Network Security provides a way to tune the sensors to look for
particular types of anomalies and signatures on a port by reconfiguring the
default port mapping, or adding new mappings. For example, mappings can be
added to run services on non-standard ports or to ignore ports on which you
normally run non-standard protocols, to mitigate common violations of protocol
from being falsely reported as events.
Viewing port mappings
The types of anomalies and signatures that the Symantec Network Security
sensors look for on a port can be viewed in the Network Security console. With
any user account, you can view the port mappings for any supported protocol.
To view port mappings
1 In the Network Security console, click Configuration > Node > Port
Mappings.
2 In Local Node Selection, select the node for which you want to view the
mappings.
About signature detection
Symantec Network Security provides the functionality to begin detection
immediately by applying protection policies. In addition to this initial ability,
detection can also be enhanced and tuned to a particular network environment
by creating and applying user-defined signatures.
About Symantec signatures
Symantec Network Security uses network pattern matching, or signatures, to
provide a powerful layer of detection. Signature detection involves detecting
threats by looking for a specific pattern or fingerprint of a known bad or
harmful thing. This known-bad pattern is called a signature. These patterns are
traditionally based on the observed network behavior of a specific tool or tools.
Signature detection operates on the basic premise that each threat has some
observable property that can be used to uniquely identify it. This can be based
on any property of the particular network packet or packets that carry the
threat. In some cases, this may be a literal string of characters found in one
packet, or it may be a known sequence of packets that are seen together. In any
case, every packet is compared against the pattern. Matches trigger an alert,
while failure to match is processed as non-threatening traffic.
Symantec Network Security uses signatures as a complement to PAD. The
combination provides robust detection without the weaknesses of either PAD
alone or signatures alone. Symantec Network Security's high performance is
maintained by matching against the smallest set of signatures possible in the
current context. Since many threats are detected and refined through the PAD
functionality, Symantec Network Security minimizes the set of required
signatures to maximize performance.
Symantec Network Security also uses methods of rapid response in creating
signatures that detect attempts to exploit new vulnerabilities as soon as they hit
the network, independent of the exploit tool. This results in earlier prevention
of threats and more complete coverage.
About user-defined signatures
The Network Security console provides a way to configure and enable additional
user-defined signatures on a per-sensor basis, as well as global signature
variables, such as creating the variable name port to stand for a value of 2600.
User-defined signatures are synchronized across clusters so that each node has
the title, severity, and definition of the user-defined signature. SuperUsers can
create, define, edit, and delete user-defined signatures. All users can view them.
Note: Both StandardUsers and RestrictedUsers can view user-defined
signatures, but cannot add, edit, or delete them.
Viewing signatures
All users can view all available PAD event types and user-defined signatures
from the Policies tab. You can also see which signatures are applied to the
monitoring interfaces, interface pairs, or interface groups, as well as the list of
signature variables.
To see interfaces
◆ On the Policies tab, click Policies > Policies Applied to Interfaces to see
interfaces with policies applied.
To see applied signatures
◆ On the Policies tab, click Policies > Policies to see the Symantec signatures
that are applied.
To see available signatures
◆ On the Policies tab, click the User-defined Signatures tab to see available
user-defined signatures.
To see signature variables
◆ On the Policies tab, click the Signature Variables tab to see available
variables to use when defining signatures.
About signature variables
Symantec Network Security provides signature variables for speed and
accuracy, such as the variable name port to stand for a value of 2600. The
signature variables apply globally to all signatures, both default Symantec
signatures and any user-defined signatures.
To view signature variables
◆ On the Policies tab, click Signature Variables > New.
About refinement rules
Symantec Network Security detects both known and unknown (zero-day)
attacks, using multiple detection technologies concurrently. Event refinement
rules extend the Protocol Anomaly Detection capabilities. Symantec Network
Security matches generic anomalies against a database of refinement rules, and
for known attacks, reclassifies an anomaly event by retagging it with its specific
name.
New refinement rules are available as part of SecurityUpdates on a periodic
basis. Each software or appliance node downloads the refinement rules from
LiveUpdate and stores them individually.
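The two detection methods in this chapter, signatures with globally applied variables (the variable port standing for 2600 from the signature sections above) and refinement rules that retag a generic anomaly with a specific name, can be shown side by side in one small pipeline. The following Python block is an added example, not code from the Symantec documentation or product: the packet fields, the "$name" syntax for referencing a signature variable, the toy HTTP anomaly check that stands in for PAD, and every signature title, rule and attack name are constructed for the illustration.

```python
import re
from dataclasses import dataclass


# Constructed packet model; field names are assumptions, not the product's.
@dataclass
class Packet:
    dport: int
    payload: bytes


# Signature variables apply globally to every signature. The page's own
# example variable is "port" standing for 2600.
SIGNATURE_VARIABLES = {"port": 2600}


@dataclass
class Signature:
    title: str
    severity: str
    dport: str        # literal port, or "$name" (the "$" syntax is an assumption)
    pattern: bytes    # regular expression applied to the payload


def resolve_port(value, variables):
    """Expand a "$name" reference through the global variable table."""
    if value.startswith("$"):
        name = value[1:]
        if name not in variables:
            raise KeyError(f"undefined signature variable: {name}")
        return int(variables[name])
    return int(value)


def match_signatures(pkt, signatures, variables=SIGNATURE_VARIABLES):
    """Compare one packet against every signature; return the titles that match."""
    return [s.title for s in signatures
            if resolve_port(s.dport, variables) == pkt.dport
            and re.search(s.pattern, pkt.payload) is not None]


# A minimal protocol check standing in for PAD (constructed, not the product's).
HTTP_METHODS = (b"GET", b"POST", b"HEAD")
MAX_URI = 64


def protocol_anomalies(pkt):
    """Return generic anomaly events for an HTTP request line that breaks protocol."""
    if pkt.dport != 80:
        return []
    parts = pkt.payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 3 or parts[0] not in HTTP_METHODS:
        return [{"type": "HTTP Malformed Request Line", "uri": b""}]
    if len(parts[1]) > MAX_URI:
        return [{"type": "HTTP URI Too Long", "uri": parts[1]}]
    return []


@dataclass
class RefinementRule:
    anomaly: str          # generic anomaly type the rule refines
    uri_prefix: bytes     # constructed matching condition
    specific_name: str    # the name the anomaly is retagged with


def refine(event, rules):
    """Retag a generic anomaly with its specific name when a refinement rule matches."""
    for r in rules:
        if r.anomaly == event["type"] and event["uri"].startswith(r.uri_prefix):
            return dict(event, name=r.specific_name, refined=True)
    return dict(event, name=event["type"], refined=False)


def detect(pkt, signatures, rules):
    """Run signature matching and anomaly detection on one packet; return event names."""
    names = match_signatures(pkt, signatures)
    names += [refine(e, rules)["name"] for e in protocol_anomalies(pkt)]
    return names


# Constructed signature and refinement database for the example.
EXAMPLE_SIGNATURES = [Signature("Example-Port-2600-Probe", "medium", "$port", rb"HELLO-2600")]
EXAMPLE_RULES = [RefinementRule("HTTP URI Too Long", b"/cgi-bin/example", "Example-CGI-Overflow")]

if __name__ == "__main__":
    print(detect(Packet(2600, b"HELLO-2600 probe"), EXAMPLE_SIGNATURES, EXAMPLE_RULES))
    print(detect(Packet(80, b"GET /cgi-bin/example/" + b"A" * 100 + b" HTTP/1.0\r\n"),
                 EXAMPLE_SIGNATURES, EXAMPLE_RULES))
```

Changing the single entry in SIGNATURE_VARIABLES moves every signature that references $port, which is the point of a global variable; an overlong URI under a prefix the refinement database knows is reported under its specific name, while the same anomaly elsewhere keeps its generic PAD name.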
Chapter 8
Incidents and Events
This chapter includes the following topics:
■ About incidents and events
■ Monitoring incidents
■ Monitoring events
■ Managing the incident/event data
About incidents and events
The Network Security console provides a central point from which you can
monitor all attack activity in any network location defined in the topology tree.
The Network Security console displays detailed information about incidents and
events, which are the elements of a possible attack.
In the Network Security console, the Incidents tab displays both active and idle
incidents and events taking place in the monitored network, and can be drilled
down for multiple detail levels. Incidents to which no new events have been
added for a given amount of time are considered idle, so Symantec Network
Security closes them. The condition of the incident can be viewed in the State
column of the Incidents table. The incident idle time is a configurable
parameter.
An incident is a set of events that are related. An event is a significant security
occurrence that appears to exploit a vulnerability of the system or application.
When a sensor detects a suspicious event, it sends the data to be analyzed. The
analysis process correlates the event with similar or related events, and
categorizes them in the form of an incident. The incident is named after the
event with the highest priority, and reported in the form of incidents that are
displayed in the Network Security console.
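The grouping, naming and idle-closing behaviour described above can be modelled in a few dozen lines. The following Python block is an added example, not code from the Symantec documentation or product: the event and incident fields, the rule that events are related when they share a destination address (the page does not state the product's real correlation criteria), and the timeline are all constructed. It also reproduces the "(multiple IPs)" display of the Source column from the column reference later in this chapter.

```python
from dataclasses import dataclass, field


# Constructed event and incident records; the field names are assumptions,
# not Symantec Network Security's own schema.
@dataclass
class Event:
    time: float         # minutes since the start of the constructed timeline
    name: str
    priority: int       # higher is more severe
    source: str
    destination: str


@dataclass
class Incident:
    key: str
    events: list = field(default_factory=list)
    state: str = "Active"

    @property
    def name(self):
        # The incident is named after its highest-priority event.
        return max(self.events, key=lambda e: e.priority).name

    @property
    def last_modified(self):
        return max(e.time for e in self.events)

    @property
    def event_count(self):
        return len(self.events)

    def _address_column(self, attr):
        addrs = {getattr(e, attr) for e in self.events}
        return addrs.pop() if len(addrs) == 1 else "(multiple IPs)"

    @property
    def source(self):
        return self._address_column("source")

    @property
    def destination(self):
        return self._address_column("destination")


class Correlator:
    """Groups events into incidents and closes incidents that fall idle."""

    def __init__(self, idle_minutes):
        self.idle_minutes = idle_minutes   # the configurable incident idle time
        self.active = {}                   # key -> open Incident
        self.closed = []

    def ingest(self, event):
        self.expire_idle(event.time)
        # Assumption for the example: events are related when they target the
        # same destination address.
        inc = self.active.get(event.destination)
        if inc is None:
            inc = Incident(event.destination)
            self.active[event.destination] = inc
        inc.events.append(event)
        return inc

    def expire_idle(self, now):
        for key, inc in list(self.active.items()):
            if now - inc.last_modified > self.idle_minutes:
                inc.state = "Closed"
                self.closed.append(self.active.pop(key))


def run_scenario():
    """Constructed timeline with a 30-minute idle time."""
    c = Correlator(idle_minutes=30)
    for e in [Event(0, "TCP Port Scan", 2, "10.0.0.5", "192.168.1.10"),
              Event(5, "HTTP Overlong URI", 5, "10.0.0.5", "192.168.1.10"),
              Event(10, "ICMP Flood", 3, "10.0.0.9", "192.168.1.10"),
              Event(60, "TCP Port Scan", 2, "10.0.0.5", "192.168.1.10")]:
        c.ingest(e)
    return c


if __name__ == "__main__":
    c = run_scenario()
    for inc in c.closed + list(c.active.values()):
        print(inc.state, inc.name, inc.event_count, inc.source, inc.destination)
```

The first three events land in one incident that takes the name of the priority-5 event and shows "(multiple IPs)" as its source; by minute 60 that incident has been idle longer than 30 minutes, so it is closed and the late port scan opens a fresh incident instead of reviving the old one.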
About the Devices tab
The Devices tab provides a tree-oriented view of the network topology with a
detailed summary of each device. When you select an object from the topology
tree in the left pane, the right pane displays related information. Symantec
Network Security updates this information at frequent intervals, so the status
remains current.
Viewing device details
When you select an object in the Devices tab, the right pane displays
information about that object. Depending on the selected object, the following
information can appear in the right pane:
■ Device Type: Displays the type of device selected.
■ IP address: Displays the IP address of the selected device, or the
management IP address for a device with multiple IP addresses.
■ Node Number: Displays the node number assigned to the software or
appliance node, between 1 and 120.
■ Customer ID: Displays an optional user-defined ID. Customer IDs for in-line
pairs and interface groups reflect the 7100 Series appliance nodes to which
they belong.
■ Model: Displays the model number of a 7100 Series appliance, either 7120,
7160, or 7161.
■ Monitoring Group: Identifies the monitoring group of the selected device, if
any.
■ Monitored Networks: Identifies the networks for which port usage patterns
are tracked and anomalies detected. Displayed only if you entered network
IP addresses on the Network tab when editing interfaces, adding in-line
pairs, or adding interface groups. Available only on 7100 Series interfaces.
■ TCP Reset Interface: Displays the interface that sends TCP resets; either
eth0, eth1, or eth2, corresponding to your choice of RST0, RST1, or RST2
when you added the interface group.
■ Bandwidth: Displays the expected throughput for the selected object.
■ Sensor Status: Displays the current status of the related sensor.
■ Description: Displays a brief optional description of the object.
■ Active Security Incidents: Displays the active incidents of the selected
topology object, with name, state, node number, and last date modified.
Viewing interface details
If you click on a monitoring interface object in the Devices tab, the Details of
Selected Topology Object dialog box displays the following information:
■ Customer ID: Displays the customer ID that you assigned to the monitored
interface.
■ Interface Name: Displays the name of the interface on the software or
appliance node to which the monitored interface sends copied data.
■ Media Type: Displays the type of link being monitored, either Ethernet or
gigabit.
■ Flow Collection: Displays whether flow status collection is enabled on the
monitored interface.
■ Capture Packet Mode: Displays whether packet capture mode is enabled on
the monitored interface. A value of Header Only indicates that packet
capture is not enabled. A value of Entire Packet indicates packet capture is
enabled.
■ Description: Displays the optional description of what is happening.
■ Sensor running message: Displays whether the sensor is running on the
Network Security interface to the monitored interface.
■ Bit rate: Displays the average number of megabits per second (Mbps)
monitored on the interface. This calculation is based on payload, which may
differ slightly from the bit rate calculation on a particular switch or router.
■ Packet rate: Displays the number of packets per second (pps) monitored on
the interface.
■ Percent of packets dropped: Displays the average percent of packets that
are not being monitored on the interface.
■ Aggregate bit rate: Displays the aggregate number of megabits per second
(Mbps) monitored on the gigabit interface.
■ Aggregate packet rate: Displays the aggregate number of packets per
second (pps) monitored on the gigabit interface.
■ Percent of total traffic per sensor: Displays the percentage of traffic being
sent to each sensor sub-instance monitoring a gigabit link. For example, if
you have 500 Mbps of aggregate bit rate traffic, and Sensor 1 is monitoring
15% of the total traffic, then Sensor 1 is monitoring 500 Mbps x .15 = 75
Mbps.
■ Logged Event Count: Displays the number of events associated with this
incident that have been logged to the database.
About the Incidents tab
The Network Security console displays incident and event data in the following:
■ Incidents tab: Displays both active and idle incidents. When you select an
incident, Events At Selected Incident in the lower pane displays information
about the related events.
■ Devices tab: Displays the topology tree. When you select an object in the
topology tree, the Network Security console displays related information in
the right pane, including a link to security incidents that are currently
active on that object.
The Incidents tab provides a multi-level view of both incidents and events.
Incidents are groups of multiple related base events. Base events are the
representation of individual occurrences, either suspicious or operational. The
sensors notify the software or appliance node of any suspicious actions or
occurrences that might warrant a response, such as a probe. Symantec Network
Security also monitors operational occurrences that the user should be aware of,
such as a Symantec Network Security license approaching the expiration date.
The Incidents tab contains an upper and lower pane: Incidents, and Events at
Selected Incident. The upper pane displays information about each incident,
taken from the highest-priority event within that incident. The values may
change if an event of higher priority is added to the same incident.
To view incident data
◆ In the Network Security console, click the Incidents tab.
All users can modify the view by adjusting font size, selecting and sorting
columns, and/or applying filters.
Viewing priority color codes
All users can sort the incident data by clicking on the column heading. The
toggle sorts the column in ascending or descending order.
To sort the incidents
◆ Do one of the following:
■ Click the heading of the column you want to sort.
■ Click the column heading again to reverse the order.
Annotating incidents and events
You can add comments to incidents and events. Each annotation receives a time
stamp and lists the author of the annotation. You can sort multiple annotations
for an event by time stamp in ascending or descending order.
To annotate an incident or event
1 On the Incidents tab, double-click an incident or event.
2 Click Analyst Note.
3 Enter the information relevant to this incident.
The Note field can include guidelines established by the SuperUser, such as
ticket number, owner, and the last action taken in response to the event.
4 Click Add Note to preserve your annotation.
5 In Analyst Note, click Close to save and close.
Marking incidents as viewed
All users can mark incidents to distinguish new incidents from reviewed
incidents.
To mark incidents already viewed
1 On the Incidents tab, right-click an incident.
2 In the pop-up list, click Mark Incident.
The Marked column of the incident displays a red hash mark to
indicate that it has been viewed.
Note: If an incident changes after it was marked, such as a new event being
added to it, the red hash mark changes to a red circle to flag you.
Monitoring incidents
An incident is a set of events that are related. An event is a significant security
occurrence that appears to exploit a vulnerability of the system or application.
When a sensor detects a suspicious event, it sends the data to be analyzed. The
analysis process correlates the event with similar or related events, and
categorizes them in the form of an incident. The incident is named after the
event with the highest priority, and reported in the form of incidents that are
displayed in the Network Security console.
Viewing incident data
The Incidents tab contains an upper and lower pane: Incidents, and Events at
Selected Incident. In the upper pane, information about each incident is
displayed. This information is taken from the highest-priority event within that
incident. Therefore, the values may change if an event of higher priority is added
to the same incident.
To view incident data
◆ In the Network Security console, click the Incidents tab.
Selecting incident columns
Not all incidents contain data in every category, so you may want to remove
empty columns or add others to customize the display. All users can modify the
display of incident data by selecting columns.
To customize the incident columns
1 On the Incidents tab, in the upper Incidents pane, click Columns.
2 In Table Column Chooser, do one of the following:
■ Click Select All to display all columns.
■ Click the individual columns that you want to view.
3 Click OK to save and close.
The Incidents tab can display the following incident data:
■ Last Mod. Time: Indicates the date and time when Symantec Network
Security last modified the incident record.
■ Name: Indicates the user group of the current user.
■ Severity: Indicates the severity level assigned to the incident. An incident’s
severity is a measure of the potential damage that it can cause.
■ Source: Indicates the IP address of the attack source. If the source is made
up of multiple addresses, then the Network Security console displays
(multiple IPs) and you can view the list of addresses by double-clicking the
event to see Event Details.
■ Destination: Indicates the IP address of the attack target. If the destination
is made up of multiple addresses, then the Network Security console
displays (multiple IPs) and you can view the list of addresses by
double-clicking the event to see Event Details.
■ Event Count: Indicates the total number of events associated with this
incident that have been logged to the database.
■ Device Name: Indicates the name of the device where the incident was
detected.
■ Location: Indicates the location of the device where the incident was
detected.
■ State: Indicates the condition of the incident, either Active or Closed.
Incidents to which no new events have been added for a given amount of
time are considered idle, and Symantec Network Security closes them.
■ Marked: Indicates whether you marked the incident as viewed.
■ Node #: Indicates the number of the software or appliance node that
detected the incident.
■ Node Name: Indicates the name of the software or appliance node that
detected the incident.
■ Other Node #’s: Indicates the numbers of the software or appliance node
that the incident was cross-node correlated to, if any.
See the following related information:
■ See “About incidents and events” on page 91.
■ See “Selecting event columns” on page 100.
■ See “Marking incidents as viewed” on page 95.
Filtering the view of incidents
You can filter the view of incident data to provide a shorter list to sift through,
using the Incident Filter. For example, you can set the Incidents table to display
only active incidents. You can choose between viewing the incidents detected by
all software and appliance nodes, and viewing only those detected by a particular
software or appliance node. By default, incidents from all nodes are displayed.
Note: When you apply incident view filters, they apply only to the incidents, not
to the events correlated to the incidents. For example, even if you select the
Sensor Only filter, an operational event that is correlated to a sensor incident will
still be displayed.
To filter the view of incidents or events
1 In the Incidents tab, in the upper Incidents pane, click Filters.
2 Click Hide Closed Incidents to show only active incidents in the cluster.
3 In Incident Class, do one of the following:
■Click Hide All Operational to show only those incidents classified as
sensor events, and filter out all operational notice events.
■Click Hide Sensor to show only operational events, such as Network
Security console logins.
■Click Show All Operational and Sensor to show both operational and
sensor events.
4 In Marked State, do one of the following:
■Click Hide Unmarked to show only the incidents that have been marked
in the Network Security console.
■Click Hide Marked to show only the incidents that have not been
marked in the Network Security console.
■Click Show Both to include both marked and unmarked incidents.
5 In Analyst Notes, do one of the following:
■Click Hide Unannotated to show only incidents that have annotations or
that contain events with annotations.
■Click Hide Annotated to show only incidents that have no annotations
and that contain no events with annotations.
■Click Show Both to include both annotated and unannotated incidents.
6 In Node List, do one of the following:
■In Show Incidents from Node #, click a node number from the pull-down
list to show only incidents from that software or appliance node, or
click All (except standby) to view incidents from all the software or
appliance nodes within the topology, excluding standby nodes.
■Click Include Backup Nodes to include incidents from backup nodes, so
that incidents remain visible during a failover.
7 In Incident Hours, do one of the following:
■In Maximum Incident Hours to Display, enter the number of hours of
incident data to display.
■In Maximum Incidents Within Incident Hours, enter the maximum number
of incidents to display within that hour limit.
8 Click Apply to save and exit.
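The following is an added example, not Symantec code, that models the filter
semantics described in this procedure over a small constructed set of
incidents. It shows the points an analyst most often trips over: filters act
on incidents, so an operational event correlated to a sensor incident survives
Hide All Operational; an annotation on any event makes the whole incident
count as annotated; and an incident whose last event is older than the idle
period is Closed and disappears under Hide Closed Incidents. The data model,
the field names, the node roles, and the one-hour idle period are assumptions
made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical data model for rows in the Incidents table; field names are assumptions.
@dataclass
class Event:
    name: str
    cls: str                      # "sensor" or "operational"
    time: datetime
    note: Optional[str] = None    # analyst annotation on this event, if any

@dataclass
class Incident:
    id: int
    cls: str                      # class of the incident itself
    node: int                     # Node # that detected the incident
    node_role: str = "active"     # "active", "standby" or "backup" (assumed roles)
    marked: bool = False          # marked as viewed in the console
    note: Optional[str] = None    # annotation on the incident itself
    events: List[Event] = field(default_factory=list)

    def last_event_time(self) -> datetime:
        return max(e.time for e in self.events)

    def state(self, now: datetime, idle: timedelta) -> str:
        # State column: no new events for the idle period means the incident is Closed.
        return "Closed" if now - self.last_event_time() >= idle else "Active"

    def annotated(self) -> bool:
        # An incident is annotated if it, or any event it contains, carries a note.
        return self.note is not None or any(e.note is not None for e in self.events)

@dataclass
class IncidentFilter:
    hide_closed: bool = False
    incident_class: str = "show_all"     # "show_all", "hide_operational", "hide_sensor"
    marked_state: str = "show_both"      # "show_both", "hide_unmarked", "hide_marked"
    analyst_notes: str = "show_both"     # "show_both", "hide_unannotated", "hide_annotated"
    node: Optional[int] = None           # None = All (except standby)
    include_backup: bool = False
    max_hours: Optional[int] = None      # Maximum Incident Hours to Display
    max_incidents: Optional[int] = None  # Maximum Incidents Within Incident Hours

IDLE_PERIOD = timedelta(hours=1)   # assumed idle period after which an incident is closed

def apply_filter(incidents: List[Incident], flt: IncidentFilter, now: datetime,
                 idle: timedelta = IDLE_PERIOD) -> List[Incident]:
    """Return the incidents that stay visible; the events inside them are never filtered."""
    kept = []
    for inc in incidents:
        if flt.hide_closed and inc.state(now, idle) == "Closed":
            continue
        if flt.incident_class == "hide_operational" and inc.cls == "operational":
            continue
        if flt.incident_class == "hide_sensor" and inc.cls == "sensor":
            continue
        if flt.marked_state == "hide_unmarked" and not inc.marked:
            continue
        if flt.marked_state == "hide_marked" and inc.marked:
            continue
        if flt.analyst_notes == "hide_unannotated" and not inc.annotated():
            continue
        if flt.analyst_notes == "hide_annotated" and inc.annotated():
            continue
        if flt.node is not None:
            if inc.node != flt.node:
                continue
        else:  # All (except standby); backup nodes only when Include Backup Nodes is set
            if inc.node_role == "standby" or (inc.node_role == "backup" and not flt.include_backup):
                continue
        if flt.max_hours is not None and now - inc.last_event_time() > timedelta(hours=flt.max_hours):
            continue
        kept.append(inc)
    kept.sort(key=Incident.last_event_time, reverse=True)   # newest incident first
    if flt.max_incidents is not None:
        kept = kept[:flt.max_incidents]
    return kept

# Constructed sample data for the example; not real console output.
NOW = datetime(2005, 3, 1, 12, 0)
INCIDENTS = [
    Incident(1, "sensor", node=1, events=[
        Event("HTTP_Attack", "sensor", NOW - timedelta(minutes=30)),
        Event("Console_Login", "operational", NOW - timedelta(minutes=20))]),  # correlated operational event
    Incident(2, "operational", node=1, events=[
        Event("Console_Login", "operational", NOW - timedelta(minutes=10), note="expected admin login")]),
    Incident(3, "sensor", node=2, node_role="standby", events=[
        Event("Port_Scan", "sensor", NOW - timedelta(minutes=5))]),
    Incident(4, "sensor", node=1, events=[
        Event("Port_Scan", "sensor", NOW - timedelta(hours=3))]),   # idle for 3 h, so Closed
    Incident(5, "sensor", node=3, node_role="backup", marked=True, events=[
        Event("Port_Scan", "sensor", NOW - timedelta(minutes=2))]),
]

def visible_ids(**filter_settings) -> List[int]:
    """Incident IDs shown for a given set of Incident Filter settings, newest first."""
    return [inc.id for inc in apply_filter(INCIDENTS, IncidentFilter(**filter_settings), NOW)]
```

With the defaults, visible_ids() returns [2, 1, 4]: the standby node's incident
and the backup node's incident are excluded, and incident 4 is listed as Closed
until Hide Closed Incidents is set. visible_ids(incident_class="hide_operational")
drops incident 2 but leaves incident 1's correlated Console_Login event in
place, which is the behaviour the note above describes.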
See the following for related information:
■See “Marking incidents as viewed” on page 95.
Monitoring events
An incident is a possible attack composed of multiple related events. When the
sensor detects a suspicious event, it correlates the event to an incident
containing related events. Event types are group names for one or more base
events. Incidents consist of one or more event types, and event types consist of
one or more base events. The Network Security console displays event data in
the lower pane below the Incident table.
With any account, you can annotate events and mark incidents to improve
incident tracking, management, assignment, and response to enterprise threats.
Viewing event data
The Incidents tab contains an upper and lower pane: Incidents, and Events at
Selected Incident. In the upper pane, information about each incident is
displayed. View the event data that is specific to a particular incident by clicking
the respective incident row. The related event information is then displayed in
the lower pane.
To view event data
1 In the Incidents tab, click an incident row.
2 Related events are displayed in the lower Events at Selected Incident pane.
Note: Both StandardUsers and RestrictedUsers can modify the view by selecting
which columns to display, sorting columns, and applying view filters.
Selecting event columns
Not all events contain data in every category, so you may want to remove empty
or irrelevant columns, or add others to customize the display. All users can
modify the display of event information by selecting columns.
To select event columns
1 In the Incidents tab, in the lower Events at Selected Incident pane, click
Columns.
2 In Table Column Chooser, do one of the following:
■Click Select All to select all columns.
■Click the individual columns you want to view.
3 Click OK to save and close.
The Events at Selected Incident pane can display the following information:
■Time
Indicates the date and time when Symantec Network Security first
detected and logged the event.
■Event Type
Indicates the event category of the detected event.
■Name
Indicates the user group of the current user.
■Source
Indicates the IP address of the packet that triggered the event. If
the source is made up of multiple addresses, then the Network
Security console displays (multiple IPs) and you can view the
list of addresses by double-clicking the event to see Event Details.
■Destination
Indicates the IP address of the attack target. If the destination is
made up of multiple addresses, then the Network Security console
displays (multiple IPs) and you can view the list of addresses
by double-clicking the event to see Event Details.
■Severity
Indicates the severity level assigned to the event. An event’s
severity is a measure of the potential damage that it can cause.