Symantec 10521146 Administration Guide - Page 29
Monitoring traffic rate, About DoS detection, About external EDP, files, SNMP
UPC - 037648268134
View all Symantec 10521146 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 29 highlights
Architecture 29 About the core architecture define, manage, and apply user-defined signatures from the Network Security console. Monitoring traffic rate Symantec Network Security detects malicious flow and traffic shape, provides multi-gigabit traffic monitoring, and maintains 100% of its detection capability on a fully saturated gigabit network. Symantec Network Security performs passive traffic monitoring on its detection interfaces. It uses this data to perform both aggregate traffic analysis and individual packet inspection. Individual packets are inspected and traffic is analyzed per interface. It also uses Netflow data that is locally collected, or forwarded from a remote device, to augment its traffic analysis. Symantec Network Security's aggregate analysis detects both denial-of-service and distributed denial-of-service attacks. These attacks are recognized as unusual spikes in traffic volume. Using the same data, Symantec Network Security can also recommend proper remediation of the problem. Beyond attack detection, Symantec Network Security uses traffic analysis to detect many information-gathering probes. It detects not only the common probing methods, but also many stealth modes that slip through firewalls and other defenses. For example, many firewalls reject attempts to send SYN packets, yet allow FIN packets. This results in a common port scan method. Symantec Network Security recognizes this anomaly and triggers an alert. About DoS detection Symantec Network Security provides passive traffic monitoring on its detection interfaces that allows it to detect a variety of DoS attacks such as flooding, resource reservation, and malformed traffic. Symantec Network Security also detects a variety of reconnaissance efforts, such as various forms of stealth scans. About external EDP The Event Dispatch Protocol (EDP) provides a generalized framework for sending events to software and appliance nodes for correlation, investigation, analysis, and response. Using EDP, Symantec Network Security can collect security data not only from its own sensors, but also from arbitrary third-party sources such as firewalls, IDS sensors, and host-based IDS devices. The process of integrating a third-party sensor generally involves three steps: collection, conversion, and transmission. First, Symantec Network Security collects the data from the third-party sensor in its usual collection format, such as flat text files, SNMP, and source APIs. Then Symantec Network Security converts the