Symantec 10268947 User Guide - Page 29


Architecture 29
■ About management and detection architecture
■ About sensor processes
■ About Smart Agents
■ About FlowChaser
About the alert manager
The Network Security Alerting Manager provides three types of alerts: a
Network Security console action alert, an email alert, and an SNMP trap alert.
About the sensor manager
The Sensor Manager maintains a pool of sub-processes to manage
sensor-related functionality. This includes sensor processes for event detection,
traffic recording, and FlowChaser sub-processes that handle network device
configuration, starting, and stopping.
About the administration service
All communication across the network passes through the QSP Proxy, an
administration service with 256-bit AES encryption and passphrase
authentication. This ensures that all communication between the Network
Security console and the master node, and between software and appliance
nodes within a cluster, is properly authenticated and encrypted. In addition,
this service enforces role-based administration and thus prevents any
circumvention of established access policy.
About analysis
Symantec Network Security’s analysis framework aggregates event data on
possible attacks from all event sources. The analysis framework also performs
statistical correlation analysis on events to identify event patterns that vary
significantly from usual network activity and to identify individual events that
are highly related, such as a port scan followed closely by an intrusion attempt.
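The two kinds of analysis described above (linking a port scan to an intrusion attempt that follows it closely, and flagging event volume that deviates sharply from usual activity), shown as an added illustration that is not Symantec's code; the event tuple format, the constructed sample events, the 60-second window and the baseline counts are assumptions:

```python
"""Toy correlation pass over constructed sensor events (assumed format:
(seconds since start, source IP, event type)). Added example, not part of
Symantec Network Security."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events; timestamps are distinct so sorting is stable.
EVENTS = [
    (0, "10.0.0.5", "port_scan"),
    (12, "10.0.0.5", "exploit_attempt"),   # follows the scan closely
    (30, "10.0.0.9", "port_scan"),
    (900, "10.0.0.9", "exploit_attempt"),  # too long after the scan to link
    (40, "10.0.0.7", "exploit_attempt"),   # no preceding scan from this source
]
# A chatty host: nine benign-looking connection events in a short span.
EVENTS += [(100 + i, "10.0.0.11", "conn") for i in range(9)]

# Constructed baseline: per-source event counts seen in quiet periods.
BASELINE = [2, 3, 2, 3, 2, 3, 2, 3]


def correlate_scan_then_intrusion(events, window=60):
    """Return (src, scan_ts, attempt_ts) for every intrusion attempt that
    follows a port scan from the same source within `window` seconds."""
    last_scan = {}  # source IP -> timestamp of its most recent port scan
    linked = []
    for ts, src, kind in sorted(events):
        if kind == "port_scan":
            last_scan[src] = ts
        elif kind == "exploit_attempt" and src in last_scan:
            if 0 <= ts - last_scan[src] <= window:
                linked.append((src, last_scan[src], ts))
    return linked


def volume_outliers(events, baseline_counts, threshold=3.0):
    """Return sources whose event count sits more than `threshold` standard
    deviations above the baseline mean (a z-score test); an all-equal
    baseline has no spread and yields no outliers."""
    mu, sigma = mean(baseline_counts), pstdev(baseline_counts)
    if sigma == 0:
        return []
    counts = Counter(src for _, src, _ in events)
    return sorted(src for src, n in counts.items() if (n - mu) / sigma > threshold)


if __name__ == "__main__":
    print(correlate_scan_then_intrusion(EVENTS))   # [('10.0.0.5', 0, 12)]
    print(volume_outliers(EVENTS, BASELINE))       # ['10.0.0.11']
```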
About the databases
Symantec Network Security provides multiple databases to store information
about attacks, the network topology, and configuration information.
■ Topology database: Stores information about local network devices and
interfaces and the network configuration. Symantec Network Security uses
this data to direct the FlowChaser toward the area of the network in which
an attack occurs.