Virtual Network Sensors; Network Sensor Policies - Enterasys Intrusion Prevention System Manual

Network sensor policies and signatures guide

Network Sensor Policies

Network Sensor features include:
Open tunable signatures which allow implementation, modification, and custom creation of a set of signatures designed to detect the attacks that apply to each unique environment
Multi-interface monitoring that combines multiple network interfaces into a single traffic stream for analysis, enabling a dual-tap solution
IP defragmentation and TCP/UDP stream reassembly that identifies attackers who attempt to evade an IDS by distributing attacks over multiple packets
Protocol decoding for most commonly targeted protocols that identifies attackers who attempt to hide an attack within the protocol
IDS Denial of Service (DoS) countermeasures that defeat tools such as "stick" and "snot" that attempt to DoS an intrusion detection system
Event sniping which terminates an attack session via a TCP reset or ICMP unreachable message, stopping the attack before real damage can occur
Probe prevention that defeats or confuses many scanning techniques by issuing false responses to the probe, misleading attackers about the true nature of the network and/or target system
Backdoor and rogue server detection using varied techniques
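Added illustration (not from the Enterasys manual) of why the stream-reassembly feature listed above matters: a signature pattern split across two out-of-order TCP segments is invisible to per-packet matching but is found once the segments are reassembled into one stream. The segments, sequence numbers and the `cmd.exe` pattern are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    """Constructed TCP segment: sequence number of its first byte plus payload."""
    seq: int
    payload: bytes


@dataclass
class StreamReassembler:
    """Rebuilds one direction of a TCP stream from out-of-order segments."""
    isn: int                                  # sequence number of the first data byte
    received: dict = field(default_factory=dict)

    def add(self, seg: Segment) -> None:
        # Keep the first copy seen for a given sequence number (simple overlap policy).
        self.received.setdefault(seg.seq, seg.payload)

    def stream(self) -> bytes:
        """Concatenate contiguous data; trim overlaps; stop at the first gap (hole)."""
        out = bytearray()
        expected = self.isn
        for seq in sorted(self.received):
            if seq > expected:                # missing segment: cannot inspect past the hole
                break
            data = self.received[seq][expected - seq:]  # drop bytes already emitted
            out += data
            expected += len(data)
        return bytes(out)


def per_packet_hits(segments, pattern: bytes) -> list:
    """Naive IDS: match the pattern inside each segment on its own."""
    return [s.seq for s in segments if pattern in s.payload]


def reassembled_hit(segments, isn: int, pattern: bytes) -> bool:
    """Stream-aware IDS: match against the reassembled byte stream."""
    r = StreamReassembler(isn)
    for s in segments:
        r.add(s)
    return pattern in r.stream()


# Constructed sample: the request is split mid-pattern and delivered out of order.
ISN = 1000
PATTERN = b"cmd.exe"
SEGMENTS = [Segment(1015, b"d.exe HTTP/1.0\r\n"), Segment(1000, b"GET /scripts/cm")]

if __name__ == "__main__":
    print("per-packet hits:", per_packet_hits(SEGMENTS, PATTERN))    # []
    print("reassembled hit:", reassembled_hit(SEGMENTS, ISN, PATTERN))  # True
```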

Virtual Network Sensors

Up to four virtual sensors can be created on each physical Network Sensor. Virtualization can be
based on such things as VLAN ID, IP subnet, IP protocol number, TCP/UDP port number, or
physical network interface card. Each virtual sensor can then be configured with individual
policies and signatures suitable for the specific role of that sensor.
Note that at least one virtual sensor must be configured on a Network Sensor device, because
policies and signatures can only be assigned to virtual network sensors.
Network Sensor Policies
Network Sensor policies control aspects of the sensors which do not directly rely on or require
signatures. For example, a policy may include protocol decoders and checks on the header portion
of packets. Signatures, on the other hand, look specifically at the data portion of packets for certain
patterns.
A Network Sensor policy consists of "modules" that define the operation of the virtual sensor
to which the policy is applied. Each module provides the parameters that configure the behavior of
the sensor for one logical grouping of sensor tasks.
Enterasys provides you with a set of "master" policy modules which, although they cannot be
modified, can be used to create your own custom policies that are associated with a virtual sensor.
You create your custom policies from within the Network Policy view, which is displayed by
clicking on the Network Policy View and Signature Libraries icon in the main EMS window.
Figure 1-1 shows the Network Policies tab within the Network Policy view, with the list of default
master policy modules expanded.
