Symantec 10268947 - Network Security 7160 User Manual

Symantec™ Network Security
User Guide


Summary of Contents for Symantec 10268947 - Network Security 7160

  • Page 1 Symantec™ Network Security User Guide...
  • Page 2 Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. Trademarks Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are U.S.
  • Page 3 Technical support As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base.
  • Page 4 Recent software configuration changes and/or network changes. Customer Service: To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization...
  • Page 5: Table Of Contents

    Contents. Chapter 1 Introduction: About the Symantec Network Security foundation (9); About the Symantec Network Security 7100 Series (9); About other Symantec Network Security features (11); Finding information (14); About 7100 Series appliance documentation (14); About software documentation (15); About the Web sites...
  • Page 6 Viewing the topology tree (48); Viewing objects in the topology tree (51); Viewing auto-generated objects (51); About location objects (51); About Symantec Network Security objects (52); About router objects (59); About Smart Agents (60); About managed network segments (62); Launching Symantec Decoy Server (63)...
  • Page 7 Viewing sensor parameters (87); About port mapping (87); Viewing port mappings (87); About signature detection (87); About Symantec signatures (88); About user-defined signatures (88); Viewing signatures (89); About signature variables (89); About refinement rules (89)...
  • Page 8 Contents. Reports of top events (111); Reports per incident schedule (112); Reports per event schedule (113); Reports by event characteristics (113); Reports per Network Security device (115); Drill-down-only reports (116); About querying flows (117); Viewing current flows...
  • Page 9: Chapter 1 Introduction

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 10 MS Blaster and SQL Slammer. In addition to the features it shares with the Symantec Network Security 4.0 software, the Symantec Network Security 7100 Series appliance offers: In-line Operation: The 7100 Series appliance can be deployed in-line as a...
  • Page 11: About Other Symantec Network Security Features

    About other Symantec Network Security features Symantec Network Security is highly scalable, and meets a range of needs for aggregate network bandwidth. Symantec Network Security reduces the total cost of implementing a complete network security solution through simplified and rapid deployment, centralized management, and cohesive and streamlined security content, service, and support.
  • Page 12 Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type and the location of the event within the network. Symantec Network Security implements session termination, traffic recording and playback, flow export and query, TrackBack, and custom responses to be combined with email and SNMP notifications to protect an enterprise's most critical assets.
  • Page 13 Enterprise Reporting Capabilities: Symantec Network Security provides cluster-wide, on-demand, drill-down, console-based reports that can be generated in text, HTML, and PDF formats and can also be emailed, saved, or printed. In addition, Symantec Network Security provides cluster-wide...
  • Page 14: Finding Information

    You can find detailed information about Symantec Network Security software and Symantec Network Security 7100 Series appliances in the documentation sets, on the product CDs, and on the Symantec Web sites. This section includes the following topics: About 7100 Series appliance documentation...
  • Page 15: About Software Documentation

    Symantec Network Security In-line Bypass Unit Getting Started Card (printed and PDF). This card provides the procedures for installing the optional Symantec Network Security In-line Bypass unit. The bypass unit may be purchased separately from Symantec. Symantec Network Security 716x Service Manual (printed and PDF). This...
  • Page 16: About The Web Sites

    “Finding information” on page 14. About the Web sites You can view the entire documentation set on the Symantec Network Security Web site, as well as the continually updated Knowledge Base, Hardware Compatibility Reference, and patch Web sites. About the Knowledge Base The Knowledge Base provides a constantly updated reference of FAQs and troubleshooting tips as they are developed.
  • Page 17: About This Guide

    This guide contains the following chapters: Chapter 1 Introduction: Describes the Symantec Network Security intrusion detection system and the Symantec Network Security 7100 Series appliance, documentation, and multiple sources of information. Chapter 2 Architecture: Describes the system components, compatibility,...
  • Page 18 18 Introduction Finding information...
  • Page 19: Chapter 2 Architecture

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 20: About Detection

    About response. About detection: Symantec Network Security uses multiple methods of threat detection that provide both broad and deep detection of network-borne threats. These include Protocol Anomaly Detection (PAD), traffic rate monitoring, and network pattern matching, or signature-based detection.
  • Page 21 For example, if a protocol defines the size of a field, and Symantec Network Security detects a field that breaches the defined size, it will trigger an alert.
  • Page 22 Symantec Network Security to your particular environment. User-defined signatures significantly extend the functionality and allow you to leverage the power of Symantec Network Security, such as providing a flexible mechanism for making short-term updates during rapid...
  • Page 23 Symantec Network Security's aggregate analysis detects both denial-of-service and distributed denial-of-service attacks. These attacks are recognized as unusual spikes in traffic volume. Using the same data, Symantec Network Security can also recommend proper remediation of the problem. Beyond attack detection, Symantec Network Security uses traffic analysis to detect many information-gathering probes.
  • Page 24: About Analysis

    24 Architecture, About the core architecture: ...data from the native format to the Symantec Network Security format, and transmits the data to the software or appliance node. About analysis: Symantec Network Security includes state-of-the-art correlation and analysis that filters out irrelevant information and refines only what is meaningful, providing threat awareness without data overload.
  • Page 25: About Response

    If two peer nodes detect an attack, each node treats it as a separate incident and has no knowledge of what the other node detects. However, when Symantec Network Security applies cross-node correlation to the incidents detected by two nodes in a cluster, each adds a reference to the other and maintains awareness that this may be the same or a related attack.
  • Page 26: About Management And Detection Architecture

    Multiple responses can be configured for the same event type, as well as the order in which Symantec Network Security executes the responses. Symantec Network Security reviews each event, and iterates through the list of response rules configured by the user.
  • Page 27 Symantec Network Security automatically installs a SuperUser login account that is authenticated with full administrative capabilities. The SuperUser can create additional login accounts in the following user groups: SuperUsers: A user authenticated with full administrative capabilities.
  • Page 28: About The Node Architecture

    The following diagram illustrates how Symantec Network Security’s arsenal of tools works together to provide protection: Figure 2-2...
  • Page 29 About analysis Symantec Network Security’s analysis framework aggregates event data on possible attacks from all event sources. The analysis framework also performs statistical correlation analysis on events to identify event patterns that vary significantly from usual network activity and to identify individual events that are highly related, such as a port scan followed closely by an intrusion attempt.
  • Page 30 Therefore, the ESP places these events in separate queues. The analysis framework can then analyze the events related to the hidden attack. In this way, Symantec Network Security analyzes and responds to both attacks quickly and effectively.
  • Page 31: About The 7100 Series Appliance Node

    Smart Agents enable Symantec Network Security to collect data from third-party hosts and network IDS products in real time. Smart Agents collect event data from external sensors such as Symantec Decoy Server®, as well as from third-party sensors, log files, SNMP, and source APIs. They send this data to be analyzed, aggregated, and correlated with all other Symantec Network Security events.
  • Page 32 About response on the 7100 Series. About detection on the 7100 Series: In addition to the detection facilities of Symantec Network Security software, the 7100 Series appliance provides a new detection feature called interface grouping. About interface grouping: Interface grouping, also called port clustering, enables up to four monitoring interfaces to be grouped together as a single logical interface.
  • Page 33 About fail-open When you configure in-line mode on the Symantec Network Security 7100 Series appliance, you place the in-line interface pair directly into the network path. If the appliance or one of those interfaces has a hardware or software failure, all associated network traffic is blocked.
  • Page 34 34 Architecture About management and detection architecture...
  • Page 35: Chapter 3 Getting Started

    Getting started This chapter provides a general outline of major tasks involved in setting up a core Symantec Network Security intrusion detection system. It describes basic tasks, including accessing the management interfaces (Network Security console, serial console, and LCD panel), accessing nodes and sensors, and establishing user permissions and access.
  • Page 36: About The Network Security Console

    Caution: The first time you launch the Network Security console after installation, expect a wait time of a few minutes while the database files load. Symantec Network Security caches the files after that first load, and makes subsequent launches faster.
  • Page 37 Getting Started, About the management interfaces: In Username, enter the user name. Access and permissions depend on the user group of your login account. In Passphrase, enter the passphrase established for your user login account, and click OK. Caution: If a non-SuperUser uses the wrong passphrase, an Incorrect Username or Passphrase message appears.
  • Page 38: About Management Of 7100 Series Appliances

    7100 Series appliance, as well as the Network Security console. About the LCD panel The Symantec Network Security 7100 Series appliance is equipped with an LCD screen and push buttons on the front bezel. The screen can display two lines of sixteen characters each, and there are six buttons: four arrow buttons and two function buttons labeled s (start) and e (enter).
  • Page 39: About User Permissions

    Note: The four user groups are unique to the Network Security console and do not extend to the serial console or the LCD panel. See the Symantec Network Security 7100 Series Implementation Guide for more information about the serial console and LCD panel.
  • Page 40: About Deployment

    Both software and appliance nodes can be deployed using passive mode; only 7100 Series appliances can be deployed using in-line mode: In-line deployment: Only the Symantec Network Security 7100 Series appliance can be deployed in-line at this time. In-line mode enables multiple features such as the ability to block specified traffic from entering the network.
  • Page 41: About Deploying Single Nodes

    About deploying single nodes: Symantec Network Security can be deployed as one or more single nodes that operate independently of each other within your network. This section describes both Network Security software nodes and 7100 Series appliance nodes deployed in this manner.
  • Page 42: About Deploying Single 7100 Series Appliance Nodes

    About deploying single 7100 Series appliance nodes You can deploy a Symantec Network Security 7100 Series node just as you would a Network Security software node. It can operate independently or as part of a cluster. A 7100 Series appliance also has several extra deployment options. You can configure it for interface grouping, in-line mode, and fail-open, in addition to passive monitoring mode.
  • Page 43: About Deploying Node Clusters

    A cluster of software or appliance nodes enables Symantec Network Security to monitor all parts of a network from the central Network Security console, and share information between nodes.
  • Page 44: Monitoring Groups Within A Cluster

    Network Security console displays incidents only from the subset. Selecting a monitoring group Symantec Network Security provides a way to display a subset of the incident list focused on only those software or appliance nodes that are included in the...
  • Page 45 Getting Started, About deploying node clusters. To focus the incident view on a monitoring group: In the Network Security console, click Configuration > Monitoring Groups. In Choose Monitoring Groups, select a group or check Default. Click OK to view incidents from the selected monitoring group. Note: Always assign at least one node to each monitoring group.
  • Page 46 46 Getting Started About deploying node clusters...
  • Page 47: Chapter 4 Topology Database

    About the network topology The Network Security console displays the topology tree on the Devices tab. The topology tree represents the elements of your network, and provides Symantec Network Security with the necessary information about the topology of the network or portion of the distributed network that it monitors. Network Security also requires information about connections to autonomous systems or other segments within a distributed network.
  • Page 48: Viewing The Topology Tree

    Locations: Objects that represent physical or logical groups of one or more network segments. The installation procedure automatically creates the first location object, named Enterprise by default. Symantec Network Security nodes: The object category for both software and appliance nodes. Software nodes: Objects that represent the Symantec Network Security...
  • Page 49 About the network topology. Routers: Objects that represent devices that store data packets and forward them along the most expedient route. Symantec Network Security monitors this connection between hosts or networks. Interfaces: Objects that represent boundaries across which separate...
  • Page 50 Topology Database, About the network topology: A red X or Node Status Indicator signifies that Network Security processes or network connectivity failed on a software or appliance node. Viewing node details: When you click an object in the topology tree, the Network Security console displays the description, if applicable, and other pertinent details about the software or appliance node, such as its IP address or subnet mask.
  • Page 51: Viewing Objects In The Topology Tree

    Enterprise. A location object represents any physical or logical group of managed network segments. Each location must contain one or more network segments. A cluster of Symantec Network Security nodes can contain multiple locations, and you can add more objects to represent them. At least one location object must exist in the topology tree before you can add software or appliance nodes, device objects, or interface objects.
  • Page 52: About Symantec Network Security Objects

    SuperUsers can add objects to represent each Network Security software node and 7100 Series appliance node. About software nodes Software nodes are the objects that represent Symantec Network Security software installed on designated computers. Under Enterprise, the location object created automatically during the installation process, SuperUsers can add an object to the topology tree to represent each Network Security software node.
  • Page 53 Click Cancel to close the view. About monitoring interfaces Monitoring interfaces communicate between the Symantec Network Security software or appliance node, and the network device, such as a router. The software or appliance node receives data about traffic on the router via the monitoring interface.
  • Page 54 In Edit Monitoring Interfaces, click the Networks tab to view the networks that this interface monitors. Click Cancel to close the view. About appliance nodes 7100 Series appliance nodes are the objects that represent Symantec Network Security software installed on the new Symantec Network Security 7100 Series appliance.
  • Page 55 Network Security 7100 Series appliance node. Viewing 7100 Series nodes: The Network Security console provides a way to view Symantec Network Security 7100 Series nodes. The installation process leaves the fields in the Advanced Network Options tab blank. After installation, you can view the Advanced Network Options.
  • Page 56 Click Cancel to close the view. About 7100 Series interfaces Each Symantec Network Security 7100 Series interface is a point of contact between the 7100 Series node and a network device. The node accesses traffic on the network device via the interface.
  • Page 57 Topology Database Viewing objects in the topology tree Viewing a monitoring interface on a 7100 Series node The Network Security console provides a way to view the automatically generated interface objects on a 7100 Series node. Note: Both StandardUsers and RestrictedUsers can view monitoring interfaces, but cannot add, edit, or delete them.
  • Page 58 Topology Database, Viewing objects in the topology tree: Click an existing interface group to view summary information in the right pane. Right-click an existing interface group, and click Edit to view detailed information. In Edit Interface Group, in the Interface Group tab, the following list describes the interface fields: Name: Indicates the descriptive name of the object, established when...
  • Page 59: About Router Objects

    About router objects Routers store data packets and forward them along the most expedient route between hosts or networks. Symantec Network Security monitors this connection. Add an object to the topology tree to represent each router that you want Symantec Network Security to monitor.
  • Page 60: About Smart Agents

    About Smart Agents Symantec Network Security Smart Agents are translation software that enable Symantec Network Security to receive event data from external sensors, and correlate that data with all other events. Smart Agents expand the security umbrella and enhance the threat detection...
  • Page 61 About Smart Agent interfaces: Smart Agent interface objects serve as a visual reminder of the location of any Symantec Network Security Smart Agents in the network. They also make Symantec Network Security aware of them for the TrackBack response action. To view Smart Agent interfaces...
  • Page 62: About Managed Network Segments

    The Network Security console automatically creates an object in the topology tree to represent each such managed network segment in your network. Each time you add a new interface object, Symantec Network Security adds a new object for the network segment in which the interface resides, if not already represented.
  • Page 63: Launching Symantec Decoy Server

    Viewing objects in the topology tree Launching Symantec Decoy Server Now you can launch and log into the Symantec Decoy Server console by simply right-clicking any external sensor object in the topology tree and selecting Start Decoy Console. Note that the Symantec Decoy Server console remains open, even if you close the Network Security console.
  • Page 64 64 Topology Database Viewing objects in the topology tree...
  • Page 65: Chapter 5 Protection Policies

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 66: Viewing Protection Policies

    Viewing protection policies: Symantec Network Security provides a set of pre-defined protection policies that include attack policies, audit policies, and prevention policies. They can be immediately activated by setting them to interfaces and applying them. You can also define your own policies and activate them using the same procedures.
  • Page 67: Understanding The Protection Policy View

    The following list describes each tab more fully: Protection Policies tab: Symantec Network Security installs with a set of pre-defined policies that you can use immediately by setting them to interfaces, overriding existing blocking rules, and applying them.
  • Page 68: Adjusting The View Of Event Types

    Adjusting the view by searching: Symantec Network Security provides search functionality so that you can focus the view on a manageable subset of possible event types with specific characteristics. The policy still detects and acts on the full list of event types;...
  • Page 69: Adjusting The View By Columns

    Protection Policies, Adjusting the view of event types: In Category, select a category from the pull-down list. In Severity, set a severity level from the pull-down list. In Confidence, set a confidence level from the pull-down list. In Intent, select an intention from the pull-down list.
  • Page 70: Viewing Logging And Blocking Rule Details

    Note: Both StandardUsers and RestrictedUsers can adjust the view of events in protection policies by showing and hiding columns. Viewing logging and blocking rule details: Symantec Network Security provides a view of the logging and blocking rules applied to each event type in a policy. To view individual protection policies: On the Policies tab, select a protection policy.
  • Page 71: Annotating Policies Or Events

    Protection Policies, Adjusting the view of event types: ...automatically adds them to the policy. Even if the LiveUpdate occurs in the middle of the night, Symantec Network Security immediately starts logging the matching events. To view LiveUpdate: In the Policies tab, click Protection Policies > View > Auto Update Rules.
  • Page 72 Protection Policies, Adjusting the view of event types. To view notes about an event type in a policy: In the Policies tab, click View. In View Protection Policy, do one of the following: In Search Events, double-click an event...
  • Page 73: Chapter 6 Response Rules

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional...
  • Page 74: About Automated Responses

    74 Response Rules, About automated responses: ...functionality that is unique to an appliance. Each section describes this additional functionality in detail. Symantec Network Security can take the following types of actions to respond to attacks, individually or in sequence: Predefined actions...
  • Page 75: Viewing Response Rules

    Response Rules, About automated responses. Note: Both StandardUsers and RestrictedUsers can view response rules, but cannot configure, edit, or delete them. Viewing response rules: All users can view the response rules in the Network Security console. To view Response Rules: In the Network Security console, click Configuration >...
  • Page 76: Searching Event Types

    In Configuration > Response Rules, SuperUsers and Administrators can edit and configure response rule parameters to specify the characteristics of the events and incidents that Symantec Network Security responds to. Each response rule contains the following response parameters: About event targets...
  • Page 77: About Event Types

    Web server. By itself, this example might represent a medium level of intrinsic severity. Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the height of the severity level depends on the number and frequency of packets received.
  • Page 78: About Confidence Levels

    This interface is not necessarily the target of the attack, but may in fact be the point in the network at which Symantec Network Security is currently tracking the attack. If the interfaces being inspected are receiving VLAN encapsulated traffic, you can also specify that a rule applies to a specific VLAN ID.
  • Page 79: About Next Actions

    Possible values are Stop, Continue to Next Rule, and Jump to Rule. The Continue to Next Rule value directs Symantec Network Security to search for the next matching response rule after executing the current response rule. This enables Symantec Network Security to make multiple responses to any particular incident type, in combination with each other and in a desired sequence.
  • Page 80: About No Response Action

    The None option directs Symantec Network Security not to respond to particular types of incidents. Selecting the None option, followed by Stop as the next action configures Symantec Network Security to take no action in response to specified types of incidents. SuperUsers and Administrators can also configure Symantec Network Security to ignore specific attacks by setting a filter.
  • Page 81: About Custom Response Action

    About traffic record response action The traffic record response dynamically records network traffic in response to an event. With this option, Symantec Network Security can record traffic for a specified period of time, or until a specified number of packets has been collected.
  • Page 82: About Console Response Action

    In Local Console Configuration, click OK to save and close. Note: The Network Security console must be running in order for Symantec Network Security to execute the console response action. If a Network Security console starts after console response events are sent, it does not execute the actions.
  • Page 83: About Flow Alert Rules

    Note: StandardUsers can view flow alert rules; and RestrictedUsers have no access at all. Viewing flow alert rules Symantec Network Security provides a way to view flow alert rules from the Network Security console. To view flow alert rules ◆...
  • Page 84: Replaying Recorded Traffic Flow Data

    In Packet Replay Tool, view the detailed packet data, one packet at a time. To view all packet data in a session that includes multiple packets, on Symantec Packet Replay Tool, click View > Show Session Window. Return to Symantec Packet Replay Tool, and click Go.
  • Page 85: Chapter 7 Detection Methods

    Protocol anomaly detection. Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be...
  • Page 86: About Sensor Detection

    LiveUpdate and stores them individually. About sensor detection Symantec Network Security provides an array of sensor parameters that are preset for optimum performance and sensitivity. They can be tuned to address specific network environments, and each sensor can be set individually to devote it to specific tasks.
  • Page 87: Viewing Sensor Parameters

    Click OK to close. About port mapping Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be...
  • Page 88: About Symantec Signatures

    Matches trigger an alert, while failure to match is processed as non-threatening traffic. Symantec Network Security uses signatures as a complement to PAD. The combination provides robust detection without the weaknesses of either PAD alone or signatures alone.
  • Page 89: Viewing Signatures

    On the Policies tab, click Policies > Policies Applied to Interfaces to see interfaces with policies applied. To see applied signatures: On the Policies tab, click Policies > Policies to see the Symantec signatures that are applied. To see available signatures:...
  • Page 90 90 Detection Methods About refinement rules New refinement rules are available as part of SecurityUpdates on a periodic basis. Each software or appliance node downloads the refinement rules from LiveUpdate and stores them individually.
  • Page 91: Chapter 8 Incidents And Events

    Incidents to which no new events have been added for a given amount of time are considered idle, so Symantec Network Security closes them. The condition of the incident can be viewed in the State column of the Incidents table.
  • Page 92 The Devices tab provides a tree-oriented view of the network topology with a detailed summary of each device. When you select an object from the topology tree in the left pane, the right pane displays related information. Symantec Network Security updates this information at frequent intervals, so the status remains current.
  • Page 93 Incidents and Events, About incidents and events. Viewing interface details: If you click on a monitoring interface object in the Devices tab, the Details of Selected Topology Object dialog box displays the following information: Customer ID: Displays the customer ID that you assigned to the monitored...
  • Page 94: About The Incidents Tab

    The sensors notify the software or appliance node of any suspicious actions or occurrences that might warrant a response, such as a probe. Symantec Network Security also monitors operational occurrences that the user should be aware of, such as a Symantec Network Security license approaching the expiration date.
  • Page 95: Incidents and Events

    To view incident data
    ◆ In the Network Security console, click the Incidents tab.
    All users can modify the view by adjusting font size, selecting and sorting columns, and/or applying filters.
    Viewing priority color codes: All users can sort the incident data by clicking a column heading.
  • Page 96: Monitoring Incidents

    Note: If an incident changes after it was marked, such as a new event being added to it, the red hash mark changes to a red circle to flag you.
    Monitoring incidents: An incident is a set of related events. An event is a significant security occurrence that appears to exploit a vulnerability of the system or application.
  • Page 97: Incidents and Events

    The Incidents tab can display the following incident data:
    ■ Last Mod. Time: Indicates the date and time when Symantec Network Security last modified the incident record.
    ■ Name
    ■ The user group of the current user.
  • Page 98: Filtering The View Of Incidents

    “Marking incidents as viewed” on page 95.
    Filtering the view of incidents: You can filter the view of incident data to produce a shorter list to sift through, using the Incident Filter. For example, you can set the Incidents table to display only active incidents.
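    The pages above describe three behaviours of the Incidents tab: events are grouped into incidents (page 96), an incident that receives no new events for a period is closed as idle (page 91), and an incident that changes after it was marked as viewed is re-flagged (the red hash mark becoming a red circle). The following is an added example, not code from the Symantec manual or the product, that models those rules in Python over constructed events so the state transitions can be inspected. The grouping key (same source and destination address), the idle timeout value, and the rule that an incident's confidence is the highest confidence among its events are assumptions made for the example; the manual does not document the appliance's actual correlation logic.

```python
"""Added example (not from the Symantec manual): a toy incident correlator
that models idle closing, viewed/changed flagging and the Incident Filter.

Assumptions, not product facts: events sharing a (source, destination)
pair belong to one incident; an incident is closed once no new event has
been added for IDLE_TIMEOUT seconds; incident confidence is the maximum
of its events' confidence (confidence only ever moves upward)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IDLE_TIMEOUT = 600  # seconds; value chosen for the example


@dataclass
class Event:
    time: int          # seconds since epoch (constructed values)
    src: str
    dst: str
    event_type: str
    confidence: int    # 0-100, higher means more certain


@dataclass
class Incident:
    ident: int
    events: List[Event] = field(default_factory=list)
    state: str = "active"
    viewed: bool = False
    changed_since_view: bool = False  # "red hash mark became red circle"

    @property
    def last_mod_time(self) -> int:
        # Last Mod. Time column: when the record was last changed.
        return self.events[-1].time

    @property
    def confidence(self) -> int:
        # More corroborating events can only raise the confidence.
        return max(e.confidence for e in self.events)

    def add(self, ev: Event) -> None:
        self.events.append(ev)
        if self.viewed:
            self.changed_since_view = True

    def mark_viewed(self) -> None:
        self.viewed = True
        self.changed_since_view = False


def correlate(events: List[Event], now: int) -> List[Incident]:
    """Group events into incidents, then close the ones idle at `now`."""
    open_by_key: Dict[Tuple[str, str], Incident] = {}
    incidents: List[Incident] = []
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.src, ev.dst)
        inc = open_by_key.get(key)
        # A gap longer than the idle timeout starts a fresh incident.
        if inc is None or ev.time - inc.last_mod_time > IDLE_TIMEOUT:
            inc = Incident(ident=len(incidents) + 1)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.add(ev)
    for inc in incidents:
        if now - inc.last_mod_time > IDLE_TIMEOUT:
            inc.state = "closed"
    return incidents


def active_only(incidents: List[Incident]) -> List[Incident]:
    """The Incident Filter set to show only active incidents."""
    return [i for i in incidents if i.state == "active"]


# Constructed sample events; addresses are documentation ranges.
SAMPLE_EVENTS = [
    Event(1000, "10.0.0.5", "192.0.2.10", "portscan", 40),
    Event(1030, "10.0.0.5", "192.0.2.10", "portscan", 60),
    Event(1100, "10.0.0.5", "192.0.2.10", "ftp_overflow", 90),
    Event(1200, "10.0.0.9", "192.0.2.22", "http_anomaly", 50),
    Event(4000, "10.0.0.9", "192.0.2.22", "http_anomaly", 55),  # idle gap
]
NOW = 4100


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS, NOW):
        print(inc.ident, inc.state, len(inc.events), "events",
              "confidence", inc.confidence, "last mod", inc.last_mod_time)
```

    With the sample data the first three events form one closed incident whose confidence rose from 40 to 90 as events arrived, the fourth event becomes a second incident that is also closed, and the fifth, arriving long after the fourth, opens a third incident that is the only one still active.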
  • Page 99: Monitoring Events

    In Node List, do one of the following:
    ■ In Show Incidents from Node #, click 1 from the pull-down list to show only incidents from the selected software or appliance node, or All (except standby) to view incidents from all the software or appliance nodes within the topology, excluding standby nodes.
  • Page 100

    ■ Click OK to save and close.
    The Events at Selected Incident table can display the following information:
    ■ Time: Indicates the date and time when Symantec Network Security first detected and logged the event.
    ■ Event: Indicates the event category of the detected event.
  • Page 101: Filtering The View Of Events

    If the event is merely suspicious, then it is assigned a lower confidence level. If Symantec Network Security collects more data on the event to substantiate its confidence, the confidence is adjusted upward.
  • Page 102: Viewing Event Notices

    ■ Token Failure: The iButton, used only by Network Security software nodes, stores the private key portion of the Symantec Network Security signature certificate to safeguard the private key against being stolen or compromised. The iButton also confirms the identity of a software node.
  • Page 103: Managing The Incident/Event Data

    Symantec Network Security.
    ■ SNMP Alert Successful, but Truncated: An SNMP trap was successfully sent by Symantec Network Security, but the message was too long and was truncated.
    ■ SNMP Alert Failed: An error occurred while sending an SNMP alert from ...
  • Page 104: Loading Cross-Node Correlated Events

    Incident Details, or by right-clicking an incident row and choosing from the menu items displayed.
    Viewing incident details: Symantec Network Security provides a deeper level of information about each incident from the Incidents tab. To view incident details, in the Network Security console, click the Incidents tab.
  • Page 105: Incidents and Events

    ■ Customer ID: This is the customer ID entered in the topology for the interface where the event was detected.
    ■ End Time: The time at which Network Security stopped monitoring the event.
    ■ CVE Number: The CVE (Common Vulnerabilities and Exposures) number, ...
  • Page 106: Incidents and Events

    Right-click an incident row, and click Save. Choose a file format from the following:
    ■ Click Save as PDF.
    ■ Click Save as HTML.
    ■ Click Save as PS.
    Enter the desired filename, and click Save.
    Printing incident data: All users can print detailed information about each incident from the Network Security console Incidents tab.
  • Page 107: Incidents and Events

    Emailing incident data: All users can send detailed information about each incident via email from the Network Security console Incidents tab. To email incident data, in the Network Security console, click the Incidents tab. Right-click an incident row, and click Email.
  • Page 108: Incidents and Events

    Open the desired email or file, and paste the incident data from the clipboard into the email content.
  • Page 109: Chapter 9 Reports And Queries

    You can generate reports that appear in table format, and sort the table columns. Symantec Network Security can generate email reports of incidents logged for all Network Security software nodes in the cluster. You can also generate reports on demand about any Network Security software nodes in the cluster.
  • Page 110: About Report Formats

    About top-level report types: ... can choose the report type. The types of reports that Symantec Network Security generates are described in detail in the following sections. In addition to scheduled reports, you can generate various report types on demand.
  • Page 111: Reports Of Top Events

    For example, generate a report on the top 10 unique events or top 100 unique events. To view the number of times any event type occurred, hover the cursor over the event. Symantec Network Security generates the Top Event Types report in the table, pie chart and bar chart formats.
  • Page 112: Reports Per Incident Schedule

    Reports per incident schedule: Symantec Network Security generates the following types of incident reports (Table 9-2, Types of incident reports):
    ■ Incidents per month: This report displays the total number of incidents that occurred during each month of the time period you specify.
  • Page 113: Reports Per Event Schedule

    Reports per event schedule: Symantec Network Security generates the following types of event reports (Table 9-3, Types of event reports):
    ■ Events per month: This report displays the total number of events detected per month during the time period you specify.
  • Page 114 Symantec Network Security are grouped as RCRS events because RCRS is the vendor ID for Symantec Network Security. You specify the report start and end dates/times. Symantec Network Security generates this report in table, bar, column and pie chart formats. This report has no drill-down reports.
  • Page 115: Reports Per Network Security Device

    You can generate drill-down event lists by source IP from Top Event Sources.
    Reports per Network Security device: Symantec Network Security generates the following types of device reports (Table 9-5, Types of device reports): ...
  • Page 116: Drill-Down-Only Reports

    IP addresses, and the name of the device where the event was detected. Symantec Network Security generates the Event List report in table format only. You can access this report from within any Incidents or Events report, as well as from within the Top Event Destination and Top Event Source reports.
  • Page 117: About Querying Flows

    Flow Statistics report.
    About querying flows: FlowChaser serves as a data source in coordination with Symantec Network Security TrackBack, a response mechanism that traces a DoS attack or network flow back to its source. The FlowChaser database can be queried for flows by port and by arbitrary address.
  • Page 118: Reports and Queries

    Choose one of the following tabs:
    ■ Match Source and Destination: This makes a more focused query on specific source and destination IPs.
    ■ Match Source or Destination: This makes a broader query on either ...
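    The two query tabs above differ only in how the address criteria combine: the first requires a flow to match both the given source and the given destination, the second returns every flow in which one address appears at either end. The following is an added example, not part of the Symantec manual or of FlowChaser, that implements both query modes in Python over constructed flow records, together with a TrackBack-style rollup that ranks the sources sending the most bytes to one destination, which is the question asked when tracing a DoS back to its origin (page 117). The record format, the field names and the rule that an optional port filter matches either end of the flow are assumptions for the example.

```python
"""Added example, not from the Symantec manual or FlowChaser itself.

Models the two FlowChaser query modes (match source AND destination vs
match source OR destination) and a TrackBack-style "who sends the most
to this host" rollup over constructed flow records.  The comma-separated
record layout and the either-end port rule are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src,sport,dst,dport,proto,bytes' lines; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def _port_ok(f: Flow, port: Optional[int]) -> bool:
    # Assumed rule: a port filter matches either end of the flow.
    return port is None or port in (f.sport, f.dport)


def match_src_and_dst(flows: List[Flow], src: str, dst: str,
                      port: Optional[int] = None) -> List[Flow]:
    """Focused query: both endpoints must match (Match Source and Destination)."""
    return [f for f in flows
            if f.src == src and f.dst == dst and _port_ok(f, port)]


def match_src_or_dst(flows: List[Flow], addr: str,
                     port: Optional[int] = None) -> List[Flow]:
    """Broad query: the address may be at either end (Match Source or Destination)."""
    return [f for f in flows if addr in (f.src, f.dst) and _port_ok(f, port)]


def top_sources_to(flows: List[Flow], victim: str,
                   n: int = 10) -> List[Tuple[str, int]]:
    """Rank sources by bytes sent to `victim`, most first (TrackBack-style)."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst == victim:
            totals[f.src] += f.nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample records (documentation address ranges, not real traffic).
FLOW_RECORDS = """\
# src,sport,dst,dport,proto,bytes
10.0.0.5,51000,192.0.2.10,80,tcp,1200
10.0.0.5,51001,192.0.2.10,443,tcp,800
10.0.0.9,40000,192.0.2.10,80,tcp,300
192.0.2.10,80,10.0.0.5,51000,tcp,5000
10.0.0.7,53,192.0.2.53,53,udp,150
"""


if __name__ == "__main__":
    flows = parse_flows(FLOW_RECORDS)
    print("and:", len(match_src_and_dst(flows, "10.0.0.5", "192.0.2.10")))
    print("or: ", len(match_src_or_dst(flows, "10.0.0.5")))
    print("top sources to 192.0.2.10:", top_sources_to(flows, "192.0.2.10"))
```

    On the sample data the focused query for 10.0.0.5 to 192.0.2.10 returns the two outbound flows, while the broad query on 10.0.0.5 also picks up the reply flow from 192.0.2.10, which is why the manual calls the second tab the broader of the two.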
  • Page 119: Viewing Exported Flows

    Viewing exported flows: Query Exported Flows enables you to search against flow data that has been logged to the disk database. This enables flow data to be saved when a certain condition is triggered. The result is that a new event appears in the Network Security console with a link to the actual flow data.
  • Page 120: Reports and Queries

    Note: StandardUsers can query the FlowChaser database for current or exported flow data; RestrictedUsers cannot.
  • Page 121: Log Files

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 122: About The Operational Log

    About the operational log: The operational log records events that Symantec Network Security is processing, such as startup and shutdown of the Network Security software or appliance node, or errors experienced within the node. The Network Security console provides a view of the operational log file of each node via Admin > ...
  • Page 123: Viewing Live Log Files

    ■ Click Next Page to progress forward.
    ■ Click Previous Page to progress backward.
    ■ Click Close to exit.
    Note: Both StandardUsers and RestrictedUsers can view log files.
    Viewing live log files: The Network Security console also provides a view of the live log files. To view live log files, in the Network Security console, click Admin > ...
  • Page 124: Log Files
  • Page 125: Index Numerics about response 32 about serial console 39 7100 Series. See appliances about the 7100 Series 9 documentation 14 fail-open 33 management via consoles 38 accounts monitoring interfaces 57 about user logins 27 single-node deployment 42 adjusting viewing in-line pairs 58 view by columns 69 viewing interface groups 57 view of policies 68...
  • Page 126 22 configuring 82 by refinement rules 89 console. See Network Security console, serial external EDP 23 console, Symantec Decoy Server console, LCD port mapping 87 panel protocol anomaly 21 copy ports. See monitoring interfaces signature 87...
  • Page 127 Index incidents per month 112 modifying the view 38 source destinations 114 modifying the view of types 38 top events 111 next action parameter 79 top level 110 none option 80 notice 102 priority color coding 95 reporting editing per day 113 user passphrases 39 per hour 113 per month 113...
  • Page 128: Index devices with statistics 115 about bypass unit 11, 33 replaying traffic 84 about deployment 40 reports by destination address 116 about fail-open 33 reports by destination port 117 sensor processes 30 reports by protocol 117 viewing in-line pairs 58 reports by source address 116 viewing interface groups 57 reports by source port 117...
  • Page 129 Index viewing live 123 accessing 36 changing font size 38 choosing view 37, 38 expanding or collapsing view 37 management console. See Network Security console launching from Windows 36 managers login 36 alert 29 node status indicator 38 sensor 29 viewing 37 managing Network Security node...
  • Page 130: Index viewing details 50 ports operational logs flow reports by destination 117 about 122 flow reports by source 117 options mapping 87 about 80 viewing mappings 87 viewing advanced network 52, 55 viewing port mappings 87 portscan top event type 111 primary packets default master node 52...
  • Page 131 Index queries TCP reset 81 replaying traffic flow data 84 TrackBack 80 traffic playback tool 83 viewing 75 querying responses current flows 117 about 25 exported flows 119 about automated 74 policy event type list 76 about parameters 76 assigning priority levels 77 automated 74 configuring confidence level 78 refinement...
  • Page 132 105 configuring 80 incident response 80 traffic Symantec Decoy Server about rate monitoring 23 enable via Symantec Network Security 63 playback tool 83 external sensors 63 record response 81 Symantec Network Security replaying recorded 84 about analysis 24...
  • Page 133 Index protection policies 70 user login accounts establishing 39 user-defined signatures about 22 users about administration of 27 editing passphrases 39 login history 115 Network Security console login 103 variables signatures 89 viewing adjusting policies 68 changing font size 38 color-coded response rules 75 expanding and collapsing the view 37 flow alert rules 83...
  • Page 134: Index
