Home » Symantec Manuals » Networking » Symantec 10521146 » Manual Viewer

Symantec 10521146 Administration Guide - Page 31

About cross-node correlation, About response, About protection policies

UPC - 037648268134

Add to My Manuals
Save this manual to your list of manuals

Page 31 highlights

Architecture 31 About the core architecture About cross-node correlation Cross-node correlation is a feature that enables software and appliance nodes in a cluster to communicate with each other and to recognize when similar incidents are monitored by different nodes. Symantec Network Security collects events from both local and remote sources, and organizes the events into a single, rate-controlled stream. It compares new events to existing event groups, and judges similarity. It writes all events and analysis results to a local database, evaluates against protection and response policies, and then takes action if appropriate. If two peer nodes detect an attack, each node treats it as a separate incident and has no knowledge of what the other node detects. However, when Symantec Network Security applies cross-node correlation to the incidents detected by two nodes in a cluster, each adds a reference to the other and maintains awareness that this may be the same or a related attack. The Network Security console displays both as a single incident. About response Protection policies and response rules are collections of rules configured to detect specific events, and to take specific actions in response to them. Protection policies can take action at the point of detection. Using a 7100 Series appliance, you can configure Symantec Network Security to block events before they enter the network. Response rules can be configured to react automatically and immediately contain and respond to intrusion attempts. The response mechanism is described further in the following sections: ■ About protection policies ■ About response rules About protection policies Symantec Network Security applies protection policies to interfaces at the point of detection, before they enter the network. Each protection policy indicates the specific signatures that the sensor will hunt for on the applied interface, in addition to protocol anomaly detection events. If a 7100 Series appliance is deployed in-line, it can use blocking rules to prevent traffic from entering the network. About response rules Symantec Network Security's automated rule-based response system includes alerting, pinpoint traffic recording, flow tracing, session resetting, and custom responses on both the software and appliance nodes and the Network Security

Section	Page
Symantec™ Network Security Administration Guide	1
Overview	13
Introduction	15
About the Symantec Network Security foundation	15
About the Symantec Network Security 7100 Series	15
About other Symantec Network Security features	17
Finding information	20
About 7100 Series appliance documentation	20
About Network Security software documentation	21
About the Web sites	22
About the Knowledge Base	22
About the Hardware Compatibility Reference	22
About the Product Updates site	22
About this guide	23
Architecture	25
About Symantec Network Security	25
About the core architecture	25
About detection	26
About protocol anomaly detection	27
About Symantec signatures	28
About user-defined signatures	28
Monitoring traffic rate	29
About DoS detection	29
About external EDP	29
About analysis	30
About refinement	30
About correlation	30
About cross-node correlation	31
About response	31
About protection policies	31
About response rules	31
About management and detection architecture	32
About the Network Security console	32
About role-based administration	33
About the node architecture	34
About the alert manager	35
About the sensor manager	35
About the administration service	35
About analysis	35
About the databases	35
About Event Stream Provider	36
About sensor processes	36
About Smart Agents	37
About FlowChaser	37
About the 7100 Series appliance node	37
About detection on the 7100 Series	38
About interface grouping	38
About response on the 7100 Series	38
About in-line monitoring mode	38
About blocking or alerting mode	38
About fail-open	39
About management on the 7100 Series	39
About the LCD panel	39
About the serial console	40
About the compact flash	40
Getting started	41
Getting started	41
General checklist	42
General software and appliance checklist	42
Preparing to set up Symantec Network Security	42
Setting up Symantec Network Security	42
Using Symantec Network Security	43
Additional appliance-specific checklist	43
Preparing the appliance	43
Setting up appliance features in Symantec Network Security	44
About the management interfaces	44
Using the Network Security console	44
Launching the Network Security console	45
Viewing the Network Security console	46
Adjusting the Devices view	46
Adjusting the Incidents view	47
Adjusting the Policies view	47
Viewing node status	47
Restarting via the Network Security console	47
Rebooting nodes via the Network Security console	48
Stopping Symantec Network Security via the command line	48
Restarting sensors via the Network Security console	49
Checking and applying licenses	49
Using the serial console	49
Restarting via the serial console	50
Rebooting nodes via the serial console	50
Stopping via the serial console	51
Shutting down via the serial console	51
Using the LCD panel	51
Unlocking the LCD panel	52
Restarting from the LCD panel	53
Rebooting nodes via the LCD panel	53
Stopping via the LCD panel	54
Shutting down via the LCD panel	54
Managing user access	54
Managing user login accounts	55
Adding user login accounts	55
Editing user login accounts	56
Deleting user login accounts	56
Managing user passphrases	57
Changing user passphrases	57
Changing passwords on the 7100 Series node	58
Changing the root password via the serial console	58
Changing the secadm password via the serial console	58
Controlling user access	59
Setting Maximum Login Failures	59
Setting Lock LCD Screen	59
Tracking user actions	60
Planning the deployment	60
Deploying single nodes	61
Deploying a single Network Security software node	61
Deploying a single 7100 Series appliance node	62
About interface grouping	62
About in-line mode	62
About fail-open	63
Configuring single-node parameters	63
Deploying node clusters	64
Deploying software and appliance nodes in a cluster	65
Monitoring groups within a cluster	66
Creating a monitoring group	66
Assigning a monitoring group	67
Renaming a monitoring group	67
Deleting a monitoring group	68
Choosing monitoring groups	68
Initial Configuration	69
Populating the topology database	71
About the network topology	71
About the Devices tab	72
Types of objects	72
Viewing object details	74
About topology mapping	74
Mapping the existing network	75
Gathering information	76
Managing the topology tree	78
Viewing auto-generated objects	79
Viewing node details	79
Viewing node status	79
Adding objects for the first time	80
Editing objects	81
Deleting objects	81
Reverting changes	82
Saving changes	82
Forcing nodes to synchronize	83
Backing up	83
Adding nodes and objects	83
About location objects	83
Adding or editing location objects	84
About nodes and interfaces	85
About Network Security software nodes	86
Adding or editing software nodes	86
Viewing advanced network options	88
About monitoring interfaces on software nodes	89
Adding or editing monitoring interface on software nodes	90
About the Networks tab	91
About 7100 Series appliance nodes	92
Adding or editing 7100 Series nodes	92
Viewing advanced network options	94
About 7100 Series interfaces	95
Editing monitoring interfaces on 7100 Series nodes	96
About the Networks tab	97
Adding or editing interface groups	98
Adding or editing in-line pairs	100
About router objects	101
Adding or editing router objects	102
About router interfaces	103
Adding or editing router interface objects	103
About Smart Agents	104
Adding or editing Smart Agent objects	105
About Smart Agent interfaces	106
Adding or editing Smart Agent interface objects	107
About managed network segments	108
Editing network segment objects	108
Protection policies	111
About protection policies	111
Responding to malicious or suspicious events	112
Understanding the protection policy work area	112
Using protection policies	113
Selecting pre-defined policies	114
Setting policies to interfaces	115
Applying to save changes	115
Overriding blocking rules globally	115
Undoing policy settings	116
Unapplying protection policies	116
Removing policies set to interfaces	116
Reverting policy applications	117
Adjusting the view of event types	117
Searching to create a subset of event types	117
Adjusting the view by columns	119
Viewing event type details	119
Defining new protection policies	120
Adding or editing user-defined protection policies	121
Cloning existing protection policies	121
Enabling or disabling logging rules	122
Enabling or disabling blocking rules	123
Deleting user-defined protection policies	125
Updating policies automatically	125
Annotating policies and events	126
Annotating an entire policy	126
Annotating an event type in a policy	127
Annotating an instance of an event	127
Backing up protection policies	128
Responding	129
About response rules	129
About automated responses	131
Managing response rules	132
Viewing response rules	132
Interpreting color coding	133
Adding new response rules	133
Editing response rules	134
Searching event types	134
Deleting response rules	135
Saving or reverting changes	135
Backing up response rules	135
Setting response parameters	136
Setting event targets	136
Setting event types	136
Setting severity levels	137
Setting the severity level	138
Setting confidence levels	139
Setting event sources	139
Setting response actions	140
Setting next actions	140
Setting response actions	141
Setting no response action	142
Setting email notification	142
Setting email notification response actions	142
Setting email notification parameters	143
Setting From Address	143
Setting Subject Line	144
Setting SMTP Server	144
Setting Hostname Used for Email Notifications	145
Setting SNMP notification	145
Setting SNMP notification response actions	145
Setting SNMP notification parameters	146
SNMP Manager	146
SNMP Community String	146
Setting TrackBack response action	147
Setting TrackBack response actions	147
Setting a custom response action	147
Table of response variables	148
Preventing logging of passwords in cleartext	149
Escaping the % directive	150
Setting a TCP reset response action	150
Setting traffic record response action	150
Setting a console response action	152
Enabling console response actions	152
Setting export flow response action	153
Managing flow alert rules	154
Viewing flow alert rules	155
Adding flow alert rules	155
Editing flow alert rules	156
Deleting flow alert rules	156
Providing an appropriate mask	157
Using the permit rule type	157
Detecting	159
About detection	159
Configuring sensor detection	160
Configuring sensor parameters	161
Restarting or stopping sensors	161
Basic sensor parameters	162
Data collection parameters	163
Enable Flow Statistics Collection	163
Enable Full Packet Capture	163
Threshold parameters	164
TCP Flood Alert Threshold	164
UDP Flood Alert Threshold	165
Slow Scan Alert Threshold	165
Saturation parameters	165
ICMP Saturation Alert Threshold	166
UDP Saturation Alert Threshold	166
IP Fragment Saturation Alert Threshold	166
Bad Service Saturation Alert Threshold	166
Other Saturation Alert Threshold	167
Miscellaneous parameters	167
Event Delay Time	167
Traffic Mode	168
Checksum validation parameters	168
Enable IPv4 Header Checksum Validation	168
Enable TCP Checksum Validation	169
Enable UDP Checksum Validation	169
Advanced sensor parameters	169
Interval and flow parameters	170
Packet Counter Interval	170
Streak Interval	171
TCP Minimum Flows	171
UDP Minimum Flows	171
TCP Number of Streak Packets	172
UDP Number of Streak Packets	172
Counter Number of Streak Packets	172
Miscellaneous parameters	172
Saturation Counter Lapse Time	173
Maximum Time to Streak Analysis	173
Slow Scan Maximum IP Addresses Limit	173
Table element parameters	173
Maximum IPv4 Fragment Reassembly Table Elements	174
TCP Maximum Flow Table Elements (Fast Ethernet)	174
TCP Maximum Flow Table Elements (Gigabit)	174
UDP Maximum Flow Table Elements (Fast Ethernet)	175
UDP Maximum Flow Table Elements (Gigabit)	175
Segment parameters	175
TCP Keepalive Timeout	175
TCP Flow Max Queued Segments	176
TCP Global Max Queued Segments (Fast Ethernet)	176
TCP Global Max Queued Segments (Gigabit)	176
TCP 2MSL Timeout	177
TCP Default Window Size	177
Configuring port mapping	177
Adding or editing port mappings	178
Delete port mappings	178
Configuring signature detection	179
About Symantec signatures	179
About user-defined signatures	180
Managing signatures	180
Viewing signatures	181
Adding or editing user-defined signatures	181
Deleting user-defined signatures	183
Importing user-defined signatures	183
Resolving signature compile errors	183
Managing signature variables	184
Adding new signature variables	184
Editing signatures variables	184
Deleting signatures variables	185
Resetting signatures variables	185
Applying signatures variables	185
Reverting signatures variables	186
Using Symantec Network Security	187
Monitoring	189
About incident and event data	189
Viewing incident and event data	190
Adjusting the view	191
Setting font size	192
Sorting column data	192
Examining incident and event data	192
Examining incident data	193
Viewing top-level incident data	193
Viewing incident details	193
Viewing an incident’s top event	195
Loading cross-node correlated events	196
Examining event data	196
Viewing top-level event data	197
Interpreting severity and confidence levels	197
Viewing event details	197
Viewing an event’s detailed description	199
About operational event notices	199
Managing incident and event data	201
Selecting columns	202
Selecting incident columns	202
Selecting event columns	203
Selecting view filters	205
Selecting incident filters	205
Selecting event filters	206
Marking and annotating	207
Marking incidents as read	207
Annotating incident data	208
Customizing annotation templates	208
Saving, copying, and printing data	209
Saving incident data	209
Copying and pasting incidents	209
Copying an incident’s top event	210
Copying event details	210
Printing incident data	211
Emailing incident or event data	211
Configuring email	211
Emailing incident data	212
Tuning incident parameters	213
Setting Incident Idle Time	213
Setting Maximum Incidents	214
Setting Maximum Active Incident Life	214
Setting Incident Unique IP Limit	215
Setting Event Correlation ‘Name’ Weight	215
Event Correlation ‘Source IP’ Weight	216
Event Correlation ‘Destination IP’ Weight	217
Event Correlation ‘Source Port’ Weight	217
Event Correlation ‘Destination Port’ Weight	218
Monitoring flow statistics	219
Enabling flow data collection	219
Configuring FlowChaser	220
Setting FlowChaser Maximum Flows Per Device	220
Setting FlowChaser Router Flow Collection Threads	220
Setting FlowChaser Router Flow Collection Port	221
Setting FlowChaser Sensor Threads	222
Reporting	223
About reports and queries	223
Scheduling reports	224
Adding or editing report schedules	224
Refreshing the list of reports	225
Deleting report schedules	226
Managing scheduled reports	226
Viewing saved reports	226
Exporting saved reports	227
Deleting saved reports	228
Reporting top-level and drill-down	228
About report formats	228
About report types	229
About incident/event reports	229
Printing and saving reports	230
About top-level report types	230
Reports of top events	231
Reports per incident schedule	232
Reports per event schedule	233
Reports by event characteristics	233
Reports per Network Security device	235
Drill-down-only reports	236
Querying flows	237
Viewing current flows	238
Viewing Flow Statistics	239
Viewing exported flows	239
Playing recorded traffic	240
Replaying recorded traffic flow data	241
Managing log files	243
About the log files	243
About the install log	243
About the operational log	244
Managing logs	244
Viewing log files	244
Viewing live log files	245
Archiving log files	246
Copying log files	246
Deleting log files	247
Refreshing the list of log files	247
Configuring automatic archiving	248
Setting automatic logging levels	248
Archiving log files	249
Setting Size to Trigger Rotation	249
Setting Limit Size for Archive Directory	250
Setting Limit Size for Traffic Record Directory	251
Compressing log files	252
Setting Compression On/Off Switch	252
Setting Compression Command	253
Exporting data	254
Exporting to file	254
Setting Event Writer File	254
Exporting to SESA	255
Integrating with SESA	255
Setting SESA Bridge Export	256
Exporting to SQL	257
Setting Cluster ID	257
Setting JDBC Driver	258
Setting DB Connection String	258
Setting DB User	259
Setting DB Password	260
Exporting to syslog	260
Setting Syslog Event Export	261
Setting Echo Operational Log to Syslog	262
Setting Remote Syslog Destination Host	262
Setting Remote Syslog Destination Port	263
Setting Syslog Maximum Message Size	264
Transferring via SCP	264
Setting Flag for SCP Usage	265
Setting Destination Host for SCP	265
Setting User Account for SCP	266
Setting Destination Directory for SCP	266
Setting Location of SCP Binary	267
Advanced configuration	269
About advanced setup	269
Updating Symantec Network Security	269
About LiveUpdate	270
Scanning for available updates	271
Applying updates	271
Setting the LiveUpdate server	272
Scheduling live updates	273
Adding or editing automatic updates	273
Deleting automatic update schedules	274
Reverting automatic update schedules	274
Backing up LiveUpdate configurations	274
Managing node clusters	275
Creating a new cluster	275
Building a cluster	275
Establishing a master node	276
Adding slave nodes to clusters	277
Deleting nodes from clusters	277
Managing an established cluster	278
Licensing nodes in a cluster	278
Synchronizing clustered nodes	278
Automatic synchronization	279
Reapplying policy assignments after setting cluster master	279
Forcing synchronization	279
Changing node numbers	280
Changing node passphrases	280
Restarting sensors in a cluster	281
Setting a cluster-wide parameter	281
Setting QSP Port Number	281
Backup up cluster-wide data	282
Integrating third-party events	282
Integrating via Smart Agents	283
Setting EDP Port Number	284
Integrating with Symantec Decoy Server	285
Integrating with Symantec Decoy Server	285
Launching from a known location	287
Establishing high availability failover	287
Monitoring node availability	287
Configuring availability for single nodes	288
Setting Watchdog Process Restart Only	289
Configuring availability for multiple nodes	289
Configuring a failover group	290
Removing nodes from a failover group	292
Viewing incidents during failover	292
Configuring watchdog processes	293
Setting Enable Watchdog Process	294
Setting Watchdog Process Stop Window	295
Setting Watchdog Process Maximum Resets	295
Setting Watchdog Process Restart Only	296
Setting Watchdog Process Email	297
Backing up and restoring	297
Backing up and restoring on the Network Security console	298

Match case Limit results 1 per page

Architecture

About the core architecture

About cross-node correlation

Cross-node correlation is a feature that enables software and appliance nodes in

a cluster to communicate with each other and to recognize when similar

incidents are monitored by different nodes. Symantec Network Security collects

events from both local and remote sources, and organizes the events into a

single, rate-controlled stream. It compares new events to existing event groups,

and judges similarity. It writes all events and analysis results to a local database,

evaluates against protection and response policies, and then takes action if

appropriate.

If two peer nodes detect an attack, each node treats it as a separate incident and

has no knowledge of what the other node detects. However, when Symantec

Network Security applies cross-node correlation to the incidents detected by

two nodes in a cluster, each adds a reference to the other and maintains

awareness that this may be the same or a related attack. The Network Security

console displays both as a single incident.

About response

Protection policies and response rules are collections of rules configured to

detect specific events, and to take specific actions in response to them.

Protection policies can take action at the point of detection. Using a 7100 Series

appliance, you can configure Symantec Network Security to block events before

they enter the network. Response rules can be configured to react automatically

and immediately contain and respond to intrusion attempts.

The response mechanism is described further in the following sections:

■

About protection policies

■

About response rules

About protection policies

Symantec Network Security applies protection policies to interfaces at the point

of detection, before they enter the network. Each protection policy indicates the

specific signatures that the sensor will hunt for on the applied interface, in

addition to protocol anomaly detection events. If a 7100 Series appliance is

deployed in-line, it can use blocking rules to prevent traffic from entering the

network.

About response rules

Symantec Network Security°s automated rule-based response system includes

alerting, pinpoint traffic recording, flow tracing, session resetting, and custom

responses on both the software and appliance nodes and the Network Security