Symantec 10521146 Administration Guide - Page 31
Architecture: About the core architecture

About cross-node correlation

Cross-node correlation is a feature that enables software and appliance nodes in a cluster to communicate with each other and to recognize when similar incidents are monitored by different nodes. Symantec Network Security collects events from both local and remote sources, and organizes the events into a single, rate-controlled stream. It compares new events to existing event groups, and judges similarity. It writes all events and analysis results to a local database, evaluates them against protection and response policies, and then takes action if appropriate.

If two peer nodes detect an attack, each node treats it as a separate incident and has no knowledge of what the other node detects. However, when Symantec Network Security applies cross-node correlation to the incidents detected by two nodes in a cluster, each adds a reference to the other and maintains awareness that this may be the same or a related attack. The Network Security console displays both as a single incident.

About response

Protection policies and response rules are collections of rules configured to detect specific events, and to take specific actions in response to them. Protection policies can take action at the point of detection. Using a 7100 Series appliance, you can configure Symantec Network Security to block events before they enter the network. Response rules can be configured to react automatically and to immediately contain and respond to intrusion attempts.

The response mechanism is described further in the following sections:

■ About protection policies
■ About response rules

About protection policies

Symantec Network Security applies protection policies to interfaces at the point of detection, before events enter the network. Each protection policy indicates the specific signatures that the sensor will hunt for on the applied interface, in addition to protocol anomaly detection events. If a 7100 Series appliance is deployed in-line, it can use blocking rules to prevent traffic from entering the network.

About response rules

Symantec Network Security's automated rule-based response system includes alerting, pinpoint traffic recording, flow tracing, session resetting, and custom responses on both the software and appliance nodes and the Network Security
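The event pipeline, cross-node correlation, and policy evaluation described on this page, written out as a small added model in Python. This is illustrative code, not Symantec Network Security's own implementation: the similarity test (same signature, source and destination within a time window), the `Correlator`, `ProtectionPolicy`, `evaluate_protection`, `respond` and `demo` names, the `RESPONSE_RULES` table, and all node names, signature names and addresses are assumptions constructed for the example. It shows two peer nodes opening separate incidents for the same activity, each incident gaining a reference to the other, and the console view collapsing the linked pair into one item; the policy part shows that blocking at the point of detection is only offered when the sensor is in-line.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    node: str        # sensor node that observed it (local or remote)
    interface: str   # interface the protection policy is applied to
    signature: str   # matched signature, or "anomaly:<name>" for a protocol anomaly event
    src: str
    dst: str
    ts: float        # seconds

@dataclass
class Incident:
    incident_id: int
    node: str
    signature: str
    src: str
    dst: str
    first_ts: float
    last_ts: float
    events: list = field(default_factory=list)
    related: set = field(default_factory=set)  # ids of correlated incidents on peer nodes

class Correlator:
    """Per-node event grouping, then cross-node linking of similar incidents (constructed model)."""

    def __init__(self, window=60.0):
        self.window = window   # seconds within which events are judged similar
        self.incidents = []
        self._next_id = 1

    def _same_activity(self, inc, signature, src, dst):
        return inc.signature == signature and inc.src == src and inc.dst == dst

    def ingest(self, ev):
        # compare the new event with existing groups on the same node
        for inc in self.incidents:
            if (inc.node == ev.node and self._same_activity(inc, ev.signature, ev.src, ev.dst)
                    and abs(ev.ts - inc.last_ts) <= self.window):
                inc.events.append(ev)
                inc.last_ts = max(inc.last_ts, ev.ts)
                self._cross_link(inc)
                return inc
        # no similar group on this node: open a new incident
        inc = Incident(self._next_id, ev.node, ev.signature, ev.src, ev.dst, ev.ts, ev.ts, [ev])
        self._next_id += 1
        self.incidents.append(inc)
        self._cross_link(inc)
        return inc

    def _cross_link(self, inc):
        # peer nodes keep their own incidents; each adds a reference to the other
        for other in self.incidents:
            if other.node == inc.node:
                continue
            if (self._same_activity(other, inc.signature, inc.src, inc.dst)
                    and other.first_ts <= inc.last_ts + self.window
                    and inc.first_ts <= other.last_ts + self.window):
                inc.related.add(other.incident_id)
                other.related.add(inc.incident_id)

    def console_view(self):
        # the console shows cross-linked incidents as a single item: connected components of `related`
        by_id = {i.incident_id: i for i in self.incidents}
        seen, groups = set(), []
        for start in sorted(by_id):
            if start in seen:
                continue
            stack, comp = [start], set()
            while stack:
                cur = stack.pop()
                if cur not in comp:
                    comp.add(cur)
                    stack.extend(by_id[cur].related)
            seen |= comp
            groups.append(tuple(sorted(comp)))
        return groups

@dataclass
class ProtectionPolicy:
    interface: str
    signatures: set                # signatures the sensor hunts for on this interface
    inline_blocking: bool = False  # only an in-line appliance can block at the point of detection

def evaluate_protection(policy, ev):
    """Decision at the point of detection: 'pass', 'alert', or 'block'."""
    if ev.interface != policy.interface:
        return "pass"
    if ev.signature in policy.signatures or ev.signature.startswith("anomaly:"):
        return "block" if policy.inline_blocking else "alert"
    return "pass"

# Response rules: (signature or "*" wildcard, actions). Signature and action names are constructed.
RESPONSE_RULES = [
    ("*", ["alert"]),
    ("sig:constructed-scan", ["record-traffic", "reset-session"]),
]

def respond(inc, rules=RESPONSE_RULES):
    """Collect, in rule order and without duplicates, the actions of every rule matching the incident."""
    actions = []
    for pattern, acts in rules:
        if pattern == "*" or pattern == inc.signature:
            actions.extend(a for a in acts if a not in actions)
    return actions

def demo():
    """Constructed sample: the same activity seen by two peer nodes, plus one unrelated event."""
    c = Correlator(window=60.0)
    for ev in [
        Event("node-A", "eth1", "sig:constructed-scan", "203.0.113.5", "198.51.100.10", 100.0),
        Event("node-A", "eth1", "sig:constructed-scan", "203.0.113.5", "198.51.100.10", 110.0),
        Event("node-B", "eth1", "sig:constructed-scan", "203.0.113.5", "198.51.100.10", 105.0),
        Event("node-A", "eth1", "sig:constructed-scan", "203.0.113.9", "198.51.100.10", 120.0),
    ]:
        c.ingest(ev)
    return c
```

Running `demo().console_view()` yields `[(1, 2), (3,)]`: node-A's two events are grouped into incident 1, node-B's event opens incident 2 and is cross-linked to it, and the console collapses the pair while the incident from the other source stays separate. Whether `evaluate_protection` can return `"block"` depends only on the `inline_blocking` flag of the policy, mirroring the page's point that blocking before traffic enters the network is an in-line appliance capability.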