Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. Trademarks Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are U.S.
Technical support As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base.
■ Recent software configuration changes and/or network changes
Customer Service: To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
...
Contents
Chapter 1 Introduction
About the Symantec Network Security foundation .......... 9
About the Symantec Network Security 7100 Series ......... 9
About other Symantec Network Security features ........ 11
Finding information .................... 14
About 7100 Series appliance documentation ......... 14
About software documentation .............. 15
About the Web sites ..................
Viewing the topology tree ................ 48
Viewing objects in the topology tree .............. 51
Viewing auto-generated objects .............. 51
About location objects ................. 51
About Symantec Network Security objects .......... 52
About router objects .................. 59
About Smart Agents .................. 60
About managed network segments ............ 62
Launching Symantec Decoy Server ............ 63
...
Viewing sensor parameters ............... 87
About port mapping .................... 87
Viewing port mappings ................ 87
About signature detection ................. 87
About Symantec signatures ............... 88
About user-defined signatures .............. 88
Viewing signatures .................. 89
About signature variables ................ 89
About refinement rules .................. 89
...
Reports of top events ................ 111
Reports per incident schedule .............. 112
Reports per event schedule .............. 113
Reports by event characteristics ............ 113
Reports per Network Security device ............. 115
Drill-down-only reports ................ 116
About querying flows .................. 117
Viewing current flows ................
7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
MS Blaster and SQL Slammer. In addition to the features it shares with the Symantec Network Security 4.0 software, the Symantec Network Security 7100 Series appliance offers:
■ In-line Operation: The 7100 Series appliance can be deployed in-line as a...
About other Symantec Network Security features Symantec Network Security is highly scalable, and meets a range of needs for aggregate network bandwidth. Symantec Network Security reduces the total cost of implementing a complete network security solution through simplified and rapid deployment, centralized management, and cohesive and streamlined security content, service, and support.
Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type and the location of the event within the network. Symantec Network Security implements session termination, traffic recording and playback, flow export and query, TrackBack, and custom responses to be combined with email and SNMP notifications to protect an enterprise's most critical assets.
■ Enterprise Reporting Capabilities: Symantec Network Security provides cluster-wide, on-demand, drill-down, console-based reports that can be generated in text, HTML, and PDF formats and can also be emailed, saved, or printed. In addition, Symantec Network Security provides cluster-wide...
You can find detailed information about Symantec Network Security software and Symantec Network Security 7100 Series appliances in the documentation sets, on the product CDs, and on the Symantec Web sites. This section includes the following topics:
■ About 7100 Series appliance documentation
...
■ Symantec Network Security In-line Bypass Unit Getting Started Card (printed and PDF). This card provides the procedures for installing the optional Symantec Network Security In-line Bypass unit. The bypass unit may be purchased separately from Symantec.
■ Symantec Network Security 716x Service Manual (printed and PDF). This...
“Finding information” on page 14.
About the Web sites You can view the entire documentation set on the Symantec Network Security Web site, as well as the continually updated Knowledge Base, Hardware Compatibility Reference, and patch Web sites.
About the Knowledge Base The Knowledge Base provides a constantly updated reference of FAQs and troubleshooting tips as they are developed.
This guide contains the following chapters:
■ Chapter 1 Introduction: Describes the Symantec Network Security intrusion detection system and the Symantec Network Security 7100 Series appliance, documentation, and multiple sources of information.
■ Chapter 2 Architecture: Describes the system components, compatibility, ...
■ About response
About detection Symantec Network Security uses multiple methods of threat detection that provide both broad and deep detection of network-borne threats. These include Protocol Anomaly Detection (PAD), traffic rate monitoring, and network pattern matching, or signature-based detection.
For example, if a protocol defines the size of a field, and Symantec Network Security detects a field that breaches the defined size, it will trigger an alert.
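The field-size check described above, written out as an added example that is not Symantec's code: a small protocol anomaly detector over a constructed length-prefixed record format (2-byte field id, 2-byte length, payload). The per-field maximum sizes and the format itself are assumptions made for the example; the product's own protocol specifications are not on the page. Besides the oversize case in the text, the detector also flags a field whose declared length runs past the end of the data, since a length that does not agree with the actual bytes is the same class of anomaly.

```python
"""Protocol anomaly detection (PAD) on a constructed length-prefixed format.

Added example, not Symantec Network Security code. The wire format and the
per-field limits below are assumptions for illustration only.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical "protocol specification": maximum payload bytes per field id.
FIELD_MAX_LEN = {
    0x0001: 32,     # username
    0x0002: 255,    # hostname
    0x0003: 1024,   # message body
}


@dataclass
class Alert:
    kind: str          # "oversize" or "truncated"
    field_id: int
    declared_len: int  # length the sender claimed
    limit: int         # spec maximum (oversize) or bytes actually present (truncated)
    offset: int        # byte offset of the field header in the record


def build_record(fields: List[Tuple[int, bytes]]) -> bytes:
    """Encode (field_id, payload) pairs in the constructed format."""
    out = bytearray()
    for fid, payload in fields:
        out += struct.pack(">HH", fid, len(payload)) + payload
    return bytes(out)


def pad_check(data: bytes) -> List[Alert]:
    """Walk the record and raise an alert for every field that breaches the spec."""
    alerts: List[Alert] = []
    off = 0
    while off + 4 <= len(data):
        fid, ln = struct.unpack_from(">HH", data, off)
        limit = FIELD_MAX_LEN.get(fid)
        # Case from the text: declared size larger than the protocol allows.
        if limit is not None and ln > limit:
            alerts.append(Alert("oversize", fid, ln, limit, off))
        # Declared length does not fit in the bytes we actually have.
        remaining = len(data) - (off + 4)
        if ln > remaining:
            alerts.append(Alert("truncated", fid, ln, remaining, off))
            break  # cannot trust any offset beyond this point
        off += 4 + ln
    return alerts


if __name__ == "__main__":
    # Constructed sample input: a compliant record and one with a 300-byte hostname.
    good = build_record([(0x0001, b"alice"), (0x0002, b"host.example")])
    bad = build_record([(0x0001, b"alice"), (0x0002, b"A" * 300)])
    print(pad_check(good))   # []
    print(pad_check(bad))    # one "oversize" alert on field 0x0002 at offset 9
```

Unknown field ids are passed through unchecked here; a stricter deployment would treat an id the specification does not define as an anomaly in its own right.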
Symantec Network Security to your particular environment. User-defined signatures significantly extend the functionality and allow you to leverage the power of Symantec Network Security, such as providing a flexible mechanism for making short-term updates during rapid...
Symantec Network Security's aggregate analysis detects both denial-of-service and distributed denial-of-service attacks. These attacks are recognized as unusual spikes in traffic volume. Using the same data, Symantec Network Security can also recommend proper remediation of the problem. Beyond attack detection, Symantec Network Security uses traffic analysis to detect many information-gathering probes.
data from the native format to the Symantec Network Security format, and transmits the data to the software or appliance node.
About analysis Symantec Network Security includes state-of-the-art correlation and analysis that filters out irrelevant information and refines only what is meaningful, providing threat awareness without data overload.
If two peer nodes detect an attack, each node treats it as a separate incident and has no knowledge of what the other node detects. However, when Symantec Network Security applies cross-node correlation to the incidents detected by two nodes in a cluster, each adds a reference to the other and maintains awareness that this may be the same or a related attack.
Multiple responses can be configured for the same event type, as well as the order in which Symantec Network Security executes the responses. Symantec Network Security reviews each event, and iterates through the list of response rules configured by the user.
Symantec Network Security automatically installs a SuperUser login account that is authenticated with full administrative capabilities. The SuperUser can create additional login accounts in the following user groups: SuperUsers: A user authenticated with full administrative capabilities.
The following diagram illustrates how Symantec Network Security’s arsenal of tools work together to provide protection: Figure 2-2...
About analysis Symantec Network Security’s analysis framework aggregates event data on possible attacks from all event sources. The analysis framework also performs statistical correlation analysis on events to identify event patterns that vary significantly from usual network activity and to identify individual events that are highly related, such as a port scan followed closely by an intrusion attempt.
Therefore, the ESP places these events in separate queues. The analysis framework can then analyze the events related to the hidden attack. In this way, Symantec Network Security analyzes and responds to both attacks quickly and effectively.
Smart Agents enable Symantec Network Security to collect data from third-party hosts and network IDS products in real time. Smart Agents collect event data from external sensors such as Symantec Decoy Server®, as well as from third-party sensors, log files, SNMP, and source APIs. They send this data to be analyzed, aggregated, and correlated with all other Symantec Network Security events.
■ About response on the 7100 Series
■ About detection on the 7100 Series
In addition to the detection facilities of Symantec Network Security software, the 7100 Series appliance provides a new detection feature called interface grouping.
About interface grouping Interface grouping, also called port clustering, enables up to four monitoring interfaces to be grouped together as a single logical interface.
About fail-open When you configure in-line mode on the Symantec Network Security 7100 Series appliance, you place the in-line interface pair directly into the network path. If the appliance or one of those interfaces has a hardware or software failure, all associated network traffic is blocked.
Getting started This chapter provides a general outline of major tasks involved in setting up a core Symantec Network Security intrusion detection system. It describes basic tasks, including accessing the management interfaces (Network Security console, serial console, and LCD panel), accessing nodes and sensors, and establishing user permissions and access.
Caution: The first time you launch the Network Security console after installation, expect a wait time of a few minutes while the database files load. Symantec Network Security caches the files after that first load, and makes subsequent launches faster.
In Username, enter the user name. Access and permissions depend on the user group of your login account.
In Passphrase, enter the passphrase established for your user login account, and click OK.
Caution: If a non-SuperUser uses the wrong passphrase, an Incorrect Username or Passphrase message appears.
7100 Series appliance, as well as the Network Security console. About the LCD panel The Symantec Network Security 7100 Series appliance is equipped with an LCD screen and push buttons on the front bezel. The screen can display two lines of sixteen characters each, and there are six buttons: four arrow buttons and two function buttons labeled s (start) and e (enter).
Note: The four user groups are unique to the Network Security console and do not extend to the serial console or the LCD panel. See the Symantec Network Security 7100 Series Implementation Guide for more information about the serial console and LCD panel.
Both software and appliance nodes can be deployed using passive mode; only 7100 Series appliances can be deployed using in-line mode:
■ In-line deployment: Only the Symantec Network Security 7100 Series appliance can be deployed in-line at this time. In-line mode enables multiple features such as the ability to block specified traffic from entering the network.
About deploying single nodes Symantec Network Security can be deployed as one or more single nodes that operate independently of each other within your network. This section describes both Network Security software nodes and 7100 Series appliance nodes deployed in this manner.
About deploying single 7100 Series appliance nodes You can deploy a Symantec Network Security 7100 Series node just as you would a Network Security software node. It can operate independently or as part of a cluster. A 7100 Series appliance also has several extra deployment options. You can configure it for interface grouping, in-line mode, and fail-open, in addition to passive monitoring mode.
A cluster of software or appliance nodes enables Symantec Network Security to monitor all parts of a network from the central Network Security console, and share information between nodes.
Network Security console displays incidents only from the subset. Selecting a monitoring group Symantec Network Security provides a way to display a subset of the incident list focused on only those software or appliance nodes that are included in the...
To focus the incident view on a monitoring group
In the Network Security console, click Configuration > Monitoring Groups.
In Choose Monitoring Groups, select a group or check Default.
Click OK to view incidents from the selected monitoring group.
Note: Always assign at least one node to each monitoring group.
About the network topology The Network Security console displays the topology tree on the Devices tab. The topology tree represents the elements of your network, and provides Symantec Network Security with the necessary information about the topology of the network or portion of the distributed network that it monitors. Network Security also requires information about connections to autonomous systems or other segments within a distributed network.
■ Locations: Objects that represent physical or logical groups of one or more network segments. The installation procedure automatically creates the first location object, named Enterprise by default.
■ Symantec Network Security nodes: The object category for both software and appliance nodes.
■ Software nodes: Objects that represent the Symantec Network Security...
■ Routers: Objects that represent devices that store data packets and forward them along the most expedient route. Symantec Network Security monitors this connection between hosts or networks.
■ Interfaces: Objects that represent boundaries across which separate...
A red X or Node Status Indicator signifies that Network Security processes or network connectivity failed on a software or appliance node.
Viewing node details When you click an object in the topology tree, the Network Security console displays the description, if applicable, and other pertinent details about the software or appliance node, such as its IP address or subnet mask.
Enterprise. A location object represents any physical or logical group of managed network segments. Each location must contain one or more network segments. A cluster of Symantec Network Security nodes can contain multiple locations, and you can add more objects to represent them. At least one location object must exist in the topology tree before you can add software or appliance nodes, device objects, or interface objects.
SuperUsers can add objects to represent each Network Security software node and 7100 Series appliance node. About software nodes Software nodes are the objects that represent Symantec Network Security software installed on designated computers. Under Enterprise, the location object created automatically during the installation process, SuperUsers can add an object to the topology tree to represent each Network Security software node.
Click Cancel to close the view. About monitoring interfaces Monitoring interfaces communicate between the Symantec Network Security software or appliance node, and the network device, such as a router. The software or appliance node receives data about traffic on the router via the monitoring interface.
In Edit Monitoring Interfaces, click the Networks tab to view the networks that this interface monitors. Click Cancel to close the view. About appliance nodes 7100 Series appliance nodes are the objects that represent Symantec Network Security software installed on the new Symantec Network Security 7100 Series appliance.
Network Security 7100 Series appliance node.
Viewing 7100 Series nodes The Network Security console provides a way to view Symantec Network Security 7100 Series nodes. The installation process leaves the fields in the Advanced Network Options tab blank. After installation, you can view the Advanced Network Options.
Click Cancel to close the view. About 7100 Series interfaces Each Symantec Network Security 7100 Series interface is a point of contact between the 7100 Series node and a network device. The node accesses traffic on the network device via the interface.
Viewing a monitoring interface on a 7100 Series node The Network Security console provides a way to view the automatically generated interface objects on a 7100 Series node.
Note: Both StandardUsers and RestrictedUsers can view monitoring interfaces, but cannot add, edit, or delete them.
■ Click an existing interface group to view summary information in the right pane.
■ Right-click an existing interface group, and click Edit to view detailed information. In Edit Interface Group, in the Interface Group tab.
The following list describes the interface fields:
Name Indicates the descriptive name of the object, established when...
About router objects Routers store data packets and forward them along the most expedient route between hosts or networks. Symantec Network Security monitors this connection. Add an object to the topology tree to represent each router that you want Symantec Network Security to monitor.
About Smart Agents Symantec Network Security Smart Agents are translation software that enable Symantec Network Security to receive event data from external sensors, and correlate that data with all other events. Smart Agents expand the security umbrella and enhance the threat detection...
About Smart Agent interfaces Smart Agent interface objects serve as a visual reminder of the location of any Symantec Network Security Smart Agents in the network. They also make Symantec Network Security aware of those agents for the TrackBack response action. To view Smart Agent interfaces...
The Network Security console automatically creates an object in the topology tree to represent each such managed network segment in your network. Each time you add a new interface object, Symantec Network Security adds a new object for the network segment in which the interface resides, if not already represented.
Launching Symantec Decoy Server Now you can launch and log into the Symantec Decoy Server console by simply right-clicking any external sensor object in the topology tree and selecting Start Decoy Console. Note that the Symantec Decoy Server console remains open, even if you close the Network Security console.
Viewing protection policies Symantec Network Security provides a set of pre-defined protection policies that include attack policies, audit policies, and prevention policies. They can be immediately activated by setting them to interfaces and applying them. You can also define your own policies and activate them using the same procedures.
The following list describes each tab more fully:
■ Protection Policies tab: Symantec Network Security installs with a set of pre-defined policies that you can use immediately by setting them to interfaces, overriding existing blocking rules, and applying them.
■ Adjusting the view by searching
Symantec Network Security provides search functionality so that you can focus the view on a manageable subset of possible event types with specific characteristics. The policy still detects and acts on the full list of event types;...
■ In Category, select a category from the pull-down list.
■ In Severity, set a severity level from the pull-down list.
■ In Confidence, set a confidence level from the pull-down list.
■ In Intent, select an intention from the pull-down list.
Note: Both StandardUsers and RestrictedUsers can adjust the view of events in protection policies by showing and hiding columns.
Viewing logging and blocking rule details Symantec Network Security provides a view of the logging and blocking rules applied to each event type in a policy.
To view individual protection policies On the Policies tab, select a protection policy.
automatically adds them to the policy. Even if the LiveUpdate occurs in the middle of the night, Symantec Network Security immediately starts logging the matching events.
To view LiveUpdate In the Policies tab, click Protection Policies > View > Auto Update Rules.
To view notes about an event type in a policy
In the Policies tab, click View.
In View Protection Policy, do one of the following:
■ In Search Events, double-click an event.
...
7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.
Symantec Network Security can take the following types of actions to respond to attacks, individually or in sequence:
■ Predefined actions
...
Note: Both StandardUsers and RestrictedUsers can view response rules, but cannot configure, edit, or delete them.
Viewing response rules All users can view the response rules in the Network Security console.
To view Response Rules In the Network Security console, click Configuration >...
In Configuration > Response Rules, SuperUsers and Administrators can edit and configure response rule parameters to specify the characteristics of the events and incidents that Symantec Network Security responds to. Each response rule contains the following response parameters:
■ About event targets
...
Web server. By itself, this example might represent a medium level of intrinsic severity.
■ Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the height of the severity level depends on the number and frequency of packets received.
This interface is not necessarily the target of the attack, but may in fact be the point in the network at which Symantec Network Security is currently tracking the attack. If the interfaces being inspected are receiving VLAN encapsulated traffic, you can also specify that a rule applies to a specific VLAN ID.
Possible values are Stop, Continue to Next Rule, and Jump to Rule. The Continue to Next Rule value directs Symantec Network Security to search for the next matching response rule after executing the current response rule. This enables Symantec Network Security to make multiple responses to any particular incident type, in combination with each other and in a desired sequence.
The None option directs Symantec Network Security not to respond to particular types of incidents. Selecting the None option, followed by Stop as the next action configures Symantec Network Security to take no action in response to specified types of incidents. SuperUsers and Administrators can also configure Symantec Network Security to ignore specific attacks by setting a filter.
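The rule-chaining semantics from the two paragraphs above (an ordered rule list, a matched rule's action, and a next action of Stop, Continue to Next Rule, or Jump to Rule, with the None action plus Stop meaning "take no action") are shown here as an added example in Python. This is not Symantec's implementation: the match criteria (event type, minimum severity, interface), the action names, the 1..4 severity scale, and the guard against a Jump loop are all assumptions made for the example.

```python
"""Ordered response-rule evaluation with Stop / Continue / Jump next-actions.

Added example, not Symantec Network Security code. Rule fields, action names
and the severity scale are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STOP = "Stop"
CONTINUE = "Continue to Next Rule"
JUMP = "Jump to Rule"


@dataclass
class Event:
    event_type: str
    severity: int        # constructed scale: 1 (low) .. 4 (high)
    interface: str       # monitoring interface on which it was seen


@dataclass
class ResponseRule:
    name: str
    event_type: Optional[str]     # None matches any event type
    min_severity: int
    interface: Optional[str]      # None matches any interface
    action: Optional[str]         # None = the "None" option (no response)
    next_action: str = CONTINUE
    jump_to: Optional[int] = None  # rule index used when next_action == JUMP

    def matches(self, ev: Event) -> bool:
        return (
            (self.event_type is None or self.event_type == ev.event_type)
            and ev.severity >= self.min_severity
            and (self.interface is None or self.interface == ev.interface)
        )


def respond(rules: List[ResponseRule], ev: Event) -> List[Tuple[str, str]]:
    """Return the (rule name, action) pairs executed for ev, in order."""
    executed: List[Tuple[str, str]] = []
    visited = set()  # assumption: a Jump that revisits a rule is treated as a loop and ends evaluation
    i = 0
    while 0 <= i < len(rules):
        if i in visited:
            break
        visited.add(i)
        rule = rules[i]
        if not rule.matches(ev):
            i += 1            # non-matching rules are skipped, no next-action applies
            continue
        if rule.action is not None:
            executed.append((rule.name, rule.action))
        if rule.next_action == STOP:
            break
        if rule.next_action == JUMP and rule.jump_to is not None:
            i = rule.jump_to
        else:
            i += 1
    return executed


# Constructed rule set: rule 0 ignores port scans on a lab interface (None + Stop),
# rule 2 jumps past the generic SNMP rule straight to session termination.
RULES = [
    ResponseRule("ignore-lab-scans", "port_scan", 1, "lab0", None, STOP),
    ResponseRule("email-high", None, 3, None, "email", CONTINUE),
    ResponseRule("record-exploit", "exploit_attempt", 1, None, "traffic_record", JUMP, jump_to=4),
    ResponseRule("snmp-all", None, 1, None, "snmp_trap", CONTINUE),
    ResponseRule("terminate-exploit", "exploit_attempt", 3, None, "session_termination", STOP),
]

if __name__ == "__main__":
    print(respond(RULES, Event("port_scan", 2, "lab0")))        # [] : None + Stop
    print(respond(RULES, Event("exploit_attempt", 4, "dmz0")))  # email, traffic_record, session_termination
    print(respond(RULES, Event("port_scan", 2, "dmz0")))        # snmp_trap only
```

The order of the list is the order of evaluation, so the same event can receive several responses (email, then traffic record, then session termination here) purely through Continue and Jump, while a None/Stop rule placed first acts as an early filter for events you have decided not to respond to.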
About traffic record response action The traffic record response dynamically records network traffic in response to an event. With this option, Symantec Network Security can record traffic for a specified period of time, or until a specified number of packets has been collected.
In Local Console Configuration, click OK to save and close. Note: The Network Security console must be running in order for Symantec Network Security to execute the console response action. If a Network Security console starts after console response events are sent, it does not execute the actions.
Note: StandardUsers can view flow alert rules, and RestrictedUsers have no access at all.
Viewing flow alert rules Symantec Network Security provides a way to view flow alert rules from the Network Security console.
To view flow alert rules ◆...
In Packet Replay Tool, view the detailed packet data, one packet at a time. To view all packet data in a session that includes multiple packets, on Symantec Packet Replay Tool, click View > Show Session Window. Return to Symantec Packet Replay Tool, and click Go.
■ Protocol anomaly detection
Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be...
LiveUpdate and stores them individually. About sensor detection Symantec Network Security provides an array of sensor parameters that are preset for optimum performance and sensitivity. They can be tuned to address specific network environments, and each sensor can be set individually to devote it to specific tasks.
Click OK to close. About port mapping Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be...
Matches trigger an alert, while failure to match is processed as non-threatening traffic. Symantec Network Security uses signatures as a complement to PAD. The combination provides robust detection without the weaknesses of either PAD alone or signatures alone.
◆ On the Policies tab, click Policies > Policies Applied to Interfaces to see interfaces with policies applied.
To see applied signatures
◆ On the Policies tab, click Policies > Policies to see the Symantec signatures that are applied.
To see available signatures
◆...
About refinement rules New refinement rules are available as part of SecurityUpdates on a periodic basis. Each software or appliance node downloads the refinement rules from LiveUpdate and stores them individually.
Incidents to which no new events have been added for a given amount of time are considered idle, so Symantec Network Security closes them. The condition of the incident can be viewed in the State column of the Incidents table.
The Devices tab provides a tree-oriented view of the network topology with a detailed summary of each device. When you select an object from the topology tree in the left pane, the right pane displays related information. Symantec Network Security updates this information at frequent intervals, so the status remains current.
Viewing interface details If you click on a monitoring interface object in the Devices tab, the Details of Selected Topology Object dialog box displays the following information:
■ Customer ID: Displays the customer ID that you assigned to the monitored...
The sensors notify the software or appliance node of any suspicious actions or occurrences that might warrant a response, such as a probe. Symantec Network Security also monitors operational occurrences that the user should be aware of, such as a Symantec Network Security license approaching the expiration date.
To view incident data
◆ In the Network Security console, click the Incidents tab.
All users can modify the view by adjusting font size, selecting and sorting columns, and/or applying filters.
Viewing priority color codes All users can sort the incident data by clicking on the column heading.
Note: If an incident changes after it was marked, such as a new event being added to it, the red hash mark changes to a red circle to flag you.
Monitoring incidents An incident is a set of events that are related. An event is a significant security occurrence that appears to exploit a vulnerability of the system or application.
The Incidents tab can display the following incident data:
■ Last Mod. Time: Indicates the date and time when Symantec Network Security last modified the incident record.
■ Name: ... the user group of the current user.
■ “Marking incidents as viewed” on page 95.
Filtering the view of incidents You can filter the view of incident data to provide a shorter list to sift through, using the Incident Filter. For example, you can set the Incidents table to display only active incidents.
In Node List, do one of the following:
■ In Show Incidents from Node #, click 1 from the pull-down list to show only incidents from the selected software or appliance node, or All (except standby) to view incidents from all the software or appliance nodes within the topology excluding standby nodes.
■ Click OK to save and close.
The Events at Selected Incident can display the following information:
■ Time: Indicates the date and time when Symantec Network Security first detected and logged the event.
■ Event: Indicates the event category of the detected event.
If the event is merely suspicious, then it is assigned a lower confidence level. If Symantec Network Security collects more data on the event to substantiate its confidence, the confidence is adjusted upward.
■ Token Failure: The iButton, used only by Network Security software nodes, stores the private key portion of the Symantec Network Security signature certificate to safeguard the private key against being stolen or compromised. The iButton also confirms the identity of a software node.
Symantec Network Security.
■ SNMP Alert Successful, but Truncated: An SNMP trap was successfully sent by Symantec Network Security, but the message was too long and was truncated.
■ SNMP Alert Failed: An error occurred while sending an SNMP alert from...
Incident Details, or by right-clicking an incident row, and choosing from the menu items displayed.
Viewing incident details Symantec Network Security provides a deeper level of information about each incident from the Incidents tab.
To view incident details In the Network Security console, click the Incidents tab.
Incidents and Events: Managing the incident/event data
■ Customer ID: The customer ID entered in the topology for the interface where the event was detected.
■ End Time: The time at which Network Security stopped monitoring the event.
■ CVE Number: The CVE (Common Vulnerabilities and Exposures) number, ...
Right-click an incident row, and click Save.
Choose a file format from the following:
■ Click Save as PDF.
■ Click Save as HTML.
■ Click Save as PS.
Enter the desired filename, and click Save.
Printing incident data
All users can print detailed information about each incident from the Network Security console Incidents tab.
Emailing incident data
All users can send detailed information about each incident via email from the Network Security console Incidents tab.
To email incident data
In the Network Security console, click the Incidents tab.
Right-click an incident row, and click Email.
Open the desired email or file, and paste the incident data from the clipboard into the email content.
You can generate reports that appear in table format, and sort the table columns. Symantec Network Security can generate email reports of incidents logged for all Network Security software nodes in the cluster. You can also generate reports on demand about any Network Security software nodes in the cluster.
Reports and Queries: About top-level report types
... can choose the report type. The types of reports that Symantec Network Security generates are described in detail in the following sections. In addition to scheduled reports, you can generate various report types on demand.
For example, generate a report on the top 10 unique events or top 100 unique events. To view the number of times any event type occurred, hover the cursor over the event. Symantec Network Security generates the Top Event Types report in the table, pie chart and bar chart formats.
Reports per incident schedule
Symantec Network Security generates the following types of incident reports:
Table 9-2 Types of incident reports
■ Incidents per month: This report displays the total number of incidents that occurred during each month of the time period you specify.
Reports per event schedule
Symantec Network Security generates the following types of event reports:
Table 9-3 Types of event reports
■ Events per month: This report displays the total number of events detected per month during the time period you specify.
Symantec Network Security are grouped as RCRS events because RCRS is the vendor ID for Symantec Network Security. You specify the report start and end dates/times. Symantec Network Security generates this report in table, bar, column and pie chart formats. This report has no drill-down reports.
You can generate drill-down event lists by source IP from Top Event Sources.
Reports per Network Security device
Symantec Network Security generates the following types of device reports:
Table 9-5 Types of device reports
Type...
IP addresses, and the name of the device where the event was detected. Symantec Network Security generates the Event List report in table format only. You can access this report from within any Incidents or Events report, as well as from within the Top Event Destination and Top Event Source reports.
Flow Statistics report.
About querying flows
FlowChaser serves as a data source in coordination with Symantec Network Security TrackBack, a response mechanism that traces a DoS attack or network flow back to its source. The FlowChaser database can be queried for flows by port and by arbitrary address.
Choose one of the following tabs:
■ Match Source and Destination: Makes a more focused query on specific source and destination IPs.
■ Match Source or Destination: Makes a broader query on either ...
Viewing exported flows
Query Exported Flows enables you to search flow data that has been logged to the disk database. Flow data is saved to disk when a certain condition is triggered; a new event then appears in the Network Security console with a link to the actual flow data.
Note: StandardUsers can query the FlowChaser database for current or exported flow data; RestrictedUsers cannot.
7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
About log files
About the operational log
The operational log records events that Symantec Network Security is processing, such as startup and shutdown of the Network Security software or appliance node, or errors experienced within the node. The Network Security console provides a view of the operational log file of each node via Admin >...
■ Click Next Page to progress forward.
■ Click Previous Page to progress backward.
■ Click Close to exit.
Note: Both StandardUsers and RestrictedUsers can view log files.
Viewing live log files
The Network Security console provides an easy view of the live log files.
To view live log files
In the Network Security console, click Admin >...