Home » Symantec Manuals » Networking » Symantec 10521148 » Manual Viewer

Symantec 10521148 Implementation Guide - Page 123

Configuring detection and response, About detection and response, Starting a sensor on an appliance

Add to My Manuals
Save this manual to your list of manuals

Page 123 highlights

9 Chapter Configuring detection and response This chapter includes the following topics: ■ About detection and response ■ Starting a sensor on an appliance interface ■ Creating and applying protection policies ■ About response rules About detection and response The fundamental purpose of Symantec Network Security is to detect malicious traffic and respond in a way that helps protect your network. Network Security sensor processes monitor traffic and detect suspicious events on each monitoring interface, in-line pair, or interface group. The detected events are handled according to policies that you apply. You can also create and apply response rules for specific event types and source or destination addresses. Response rules provide a means of automating actions for Network Security to take when it detects the configured events. Starting a sensor on an appliance interface You must start a sensor on an interface, interface group, or in-line pair before Symantec Network Security will detect traffic or attacks. Sensors function on a per interface basis. It is possible for sensors to be running on some appliance interfaces, and not running on others. To start a sensor, you must apply a protection policy to the interface.

Section	Page
Introduction	17
About the Symantec Network Security 7100 Series	17
About the core software	18
About the detection architecture	18
About the management system	18
About the 7100 Series models	19
About this guide	19
About the documentation set	21
About the Web sites	22
Verifying the materials	22
Introducing the 7100 Series components	25
About the 7100 Series components	25
About 7100 Series models	25
Model 7120	26
Model 7160	27
Model 7161	28
About core components	29
LCD panel	30
LED lights	32
Serial port	33
USB ports	33
Compact flash adapter	33
About additional components	35
Removable disk drive	35
Dual redundant power supplies	36
Deploying the 7100 Series	37
About deploying the 7100 Series	37
Deployment options	37
Bandwidth licensing options	38
Passive mode	38
In-line mode	39
Blocking and alerting	39
In-line pairs	40
Deployment using in-line mode	41
Comparing in-line mode to passive mode	41
Interface grouping	41
Fail-open	43
About the In-line Bypass unit	43
The 2 In-line Bypass unit	44
The 4 In-line Bypass unit	44
Port groups and the management port on the bypass unit	45
Online and bypass modes	46
Link parameters on bypass unit interfaces	46
Front panel LEDs on the bypass unit	47
Rear panel LEDs on the bypass unit	48
Clustering	49
External IDS products	50
Network Security console accessibility	50
SESA server accessibility	50
Symantec LiveUpdate accessibility	51
Installing the 7100 Series	53
About installing the 7100 Series	53
Rack mounting	54
Mounting the appliance to a two-post rack	54
Mounting the appliance to a four-post rack	55
Cabling	57
Cabling for model 7120	57
Connecting the management, reset, and serial ports	58
Cabling for passive mode monitoring	58
Cabling for in-line mode monitoring	58
Cabling a bypass unit for fail-open	59
Powering the 7120 on or off	62
Powering the 7120 off before initial configuration	62
Cabling for model 7160	62
Connecting the management, reset, and serial ports	63
Cabling for passive mode monitoring	64
Cabling for in-line mode monitoring	64
Cabling a bypass unit for fail-open	65
Powering the 7160 on or off	70
Powering the 7160 off before initial configuration	70
Cabling for model 7161	70
Connecting the management, reset, and serial ports	71
Cabling for passive mode monitoring	72
Cabling for in-line mode monitoring	72
Powering the 7161 on or off	74
Powering the 7161 off before initial configuration	74
Initializing Symantec Network Security	75
About initializing Symantec Network Security	75
LCD panel initial configuration	76
Using the LCD panel to configure a master node	77
Using the LCD panel to configure a slave node	80
Serial console initial configuration	84
Starting a serial console	85
Configuring a master node using the serial console	85
Configuring a slave node using the serial console	88
Compact flash initial configuration	91
Default login accounts	92
Starting the Network Security console	93
About the Network Security console	93
Network Security console requirements	93
Console requirements on Windows	94
Console requirements on Linux	94
Installing the console	94
Installing the Java Runtime Environment	95
Installing the console on Windows	95
Installing the console on Linux	96
Launching the console	96
Using the correct administration IP address	97
Launching the console on Windows	97
Launching the console on Linux	97
Licensing	99
About licensing	99
Bandwidth licensing options	100
Installing licenses	100
Requesting a license file	102
Determining the serial numbers	102
Determining the Symantec System ID	102
Requesting the license file	103
Installing a license file	104
Installing a license file on a master node	104
Installing a license file on a slave node	104
Checking the license status	105
Adding to licenses	106
Understanding excessive traffic	106
Requesting an additive license	106
Installing the additive license file	107
Calling for help	107
Configuring nodes and interfaces	109
About configuring nodes and interfaces	109
Configuring appliance nodes	110
About appliance node fields	110
Node Options tab fields	111
Advanced Network Options tab fields	112
Adding or editing an appliance node	113
Configuring appliance interfaces	114
Configuring monitoring interfaces	115
About monitoring interface fields	115
About Interface tab fields	115
About Networks tab fields	116
Editing a monitoring interface	116
Configuring an in-line pair	117
About in-line pair fields	117
About In-line Pair tab fields	118
About Networks tab fields	118
Adding or editing an in-line pair	119
Configuring an interface group	120
About interface group fields	120
About Interface Group tab fields	120
About Networks tab fields	121
About Interfaces tab fields	121
Adding or editing an interface group	121
Configuring detection and response	123
About detection and response	123
Starting a sensor on an appliance interface	123
About protection policies	124
Creating and applying protection policies	124
Viewing a protection policy	125
Setting policies to interfaces	126
Unapplying or removing policies from interfaces	126
Enabling/disabling blocking on in-line pairs	127
Adding a new protection policy	127
Cloning existing protection policies	127
Modifying custom protection policies	128
Using Search Events	128
Setting logging or blocking on events in a policy	129
Deleting custom protection policies	131
About response rules	132
Adding response rules	132
Deleting response rules	134
Monitoring and reporting events and status	135
About monitoring and reporting events and status	135
Viewing events and incidents	136
Viewing incident data	136
Viewing incident details	136
Viewing event details	137
Managing incident data	137
Generating reports	137
Monitoring appliance status	138
Viewing status on the LEDs	138
Viewing status on the LCD screen	139
Viewing status on the Network Security console	140
Node status parameters	140
Interface status parameters	141
In-line pair status parameters	142
Interface group status parameters	144
Maintaining and administering the 7100 Series	145
About maintaining and administering the appliance	145
Managing log files and backups	146
Rotating log files with SCP	146
Generating SSH keys	146
Using SCP to rotate log files	147
Backing up and restoring	148
Backing up a configuration	149
Restoring a configuration	149
About the compact flash	150
Making a non-bootable compact flash card	151
Making a non-bootable CF card on Windows	151
Making a non-bootable CF card on Linux	151
Using the compact flash for backup and restore	152
Using the compact flash for backup	153
Using the compact flash for restore	153
Saving initial configuration	154
Saving initial configuration to compact flash	154
Viewing a configuration file	155
Using the compact flash during re-imaging and upgrading	156
Restarting, rebooting, and powering off	156
Stopping, starting, and restarting Symantec Network Security	156
Stopping Network Security from the LCD	157
Stopping Network Security from the serial console	157
Starting Network Security from the LCD	158
Starting Network Security from the serial console	158
Restarting Network Security from the Network Security console	158
Restarting Network Security from the serial console	159
Rebooting the appliance	159
Rebooting the appliance from the Network Security console	159
Rebooting the appliance from the LCD	159
Rebooting the appliance from the serial console	160
Powering off the appliance	160
Powering off the appliance from the LCD	160
Powering off the appliance from the serial console	161
Using the LCD run menu	162
Running commands on the LCD run menu	163
Unlocking the LCD panel	163
Enabling or disabling LCD locking	164
Changing the IP address	164
Using the serial console	166
About serial console commands	166
Changing passwords	168
Changing the root password	168
Changing the secadm password	169
Installing the SESA bridge	169
Preparing to use SESA	169
Making the host name resolvable	169
Making the SIP file available on the SESA manager	170
Running install-bridge	171
Uninstalling the SESA bridge	172
Starting the SESA agent manually	173
Stopping the SESA agent manually	173
Re-imaging and unconfiguring	175
About re-imaging and unconfiguring	175
Unconfiguring Symantec Network Security	176
Running Unconfigure in the Network Security console	176
Running Unconfig SNS on the LCD	177
Running unconfigure on the serial console	178
Preparing for re-imaging	178
Saving your configuration	178
Creating a bootable compact flash	179
Creating a bootable compact flash via the serial console	179
Creating a bootable compact flash using the Imaging Server	180
Setting up an Imaging Server	181
Setting up an automatic Imaging Server	181
Setting up a standard Imaging Server	182
Installing the Recovery Software CD onto the Imaging Server	183
Connecting the Imaging Server to the appliance	184
Connecting the Imaging Server to a 7120	185
Connecting the Imaging Server to a 7160	185
Connecting the Imaging Server to a 7161	186
Re-imaging the appliance	186
Upgrading the console application	189
About migration	189
Troubleshooting	191
About troubleshooting	191
Accessing troubleshooting information	191
Specifications and safety	193
Product Specifications	193
Safety guidelines	194
Product certifications	196
Service Manual	199
About the removable hard drive	199
Removing the hard drive	200