Symantec 10521146 - Network Security 7120 Administration Manual

Administration guide
Symantec™ Network Security
Administration Guide


Summary of Contents for Symantec 10521146 - Network Security 7120

  • Page 1 Symantec™ Network Security Administration Guide...
  • Page 2 Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014. Trademarks Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are U.S.
  • Page 3 Technical support As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group’s primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base.
  • Page 4 Recent software configuration changes and/or network changes ■ Customer Service To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization ■...
  • Page 5: Table Of Contents

    Overview Chapter 1 Introduction About the Symantec Network Security foundation ........15 About the Symantec Network Security 7100 Series ....... 15 About other Symantec Network Security features ......... 17 Finding information .................... 20 About 7100 Series appliance documentation .......... 20 About Network Security software documentation .........
  • Page 6 6 Contents Managing user passphrases ............... 57 Controlling user access ................59 Planning the deployment ................... 60 Deploying single nodes ..................61 Deploying a single Network Security software node ......61 Deploying a single 7100 Series appliance node ........62 Configuring single-node parameters ............
  • Page 7 Contents Selecting pre-defined policies ..............114 Setting policies to interfaces ..............115 Applying to save changes .................115 Overriding blocking rules globally ............115 Undoing policy settings ................116 Adjusting the view of event types ..............117 Searching to create a subset of event types ...........117 Adjusting the view by columns ..............119 Viewing event type details ...............119 Defining new protection policies ..............120...
  • Page 8 Table element parameters ................ 173 Segment parameters ................. 175 Configuring port mapping ................177 Configuring signature detection ..............179 About Symantec signatures ..............179 About user-defined signatures ..............180 Managing signatures ................. 180 Managing signature variables ..............184 Section 3...
  • Page 9 Contents Examining event data ................196 Managing incident and event data ..............201 Selecting columns ..................202 Selecting view filters .................205 Marking and annotating ................207 Saving, copying, and printing data ............209 Emailing incident or event data ..............211 Tuning incident parameters ................213 Setting Incident Idle Time ................213 Setting Maximum Incidents ..............214 Setting Maximum Active Incident Life ..........214 Setting Incident Unique IP Limit ............215...
  • Page 10 Transferring via SCP ................. 264 Chapter 11 Advanced configuration About advanced setup ..................269 Updating Symantec Network Security ............269 About LiveUpdate ..................270 Scanning for available updates ............... 271 Applying updates ..................271 Setting the LiveUpdate server ..............272 Scheduling live updates ..................
  • Page 11 Contents Backing up cluster-wide data ..............282 Integrating third-party events ................282 Integrating via Smart Agents ..............283 Integrating with Symantec Decoy Server ..........285 Establishing high availability failover ............287 Monitoring node availability ..............287 Configuring availability for single nodes ..........288 Configuring availability for multiple nodes ..........289 Configuring watchdog processes .............293...
  • Page 12 12 Contents Index...
  • Page 13 The Symantec Network Security 7100 Series is a family of highly scalable integrated hardware and software intrusion detection appliances, designed to detect and prevent attacks across multiple network segments at multi-gigabit speeds.
  • Page 15: Chapter 1 Introduction

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 16 MS Blaster and SQL Slammer. In addition to the features it shares with the Symantec Network Security 4.0 software, the Symantec Network Security 7100 Series appliance offers: In-line Operation: The 7100 Series appliance can be deployed in-line as a ■...
  • Page 17: About Other Symantec Network Security Features

    About other Symantec Network Security features Symantec Network Security is highly scalable, and meets a range of needs for aggregate network bandwidth. Symantec Network Security reduces the total cost of implementing a complete network security solution through simplified and rapid deployment, centralized management, and cohesive and streamlined security content, service, and support.
  • Page 18 Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type and the location of the event within the network. Symantec Network Security implements session termination, traffic recording and playback, flow export and query, TrackBack, and custom responses to be combined with email and SNMP notifications to protect an enterprise's most critical assets.
  • Page 19 Enterprise Reporting Capabilities: Symantec Network Security provides ■ cluster-wide, on-demand, drill-down, console-based reports that can be generated in text, HTML, and PDF formats and can also be emailed, saved, or printed. In addition, Symantec Network Security provides cluster-wide...
  • Page 20: Finding Information

    About this guide ■ About 7100 Series appliance documentation The documentation set for the Symantec Network Security 7100 Series includes: Symantec Network Security 7100 Series Implementation Guide (printed and ■ PDF). This guide explains how to install, configure, and perform key tasks on the Symantec Network Security 7100 Series.
  • Page 21: About Network Security Software Documentation

    Symantec Network Security In-line Bypass Unit Getting Started Card (printed ■ and PDF). This card provides the procedures for installing the optional Symantec Network Security In-line Bypass unit. The bypass unit may be purchased separately from Symantec. Symantec Network Security 716x Service Manual (printed and PDF). This ■...
  • Page 22: About The Web Sites

    “Finding information” on page 20. About the Web sites You can view the entire documentation set on the Symantec Network Security Web site, as well as the continually updated Hardware Compatibility Reference, Knowledge Base, and patch Web sites. About the Knowledge Base The Knowledge Base provides a constantly updated reference of FAQs and troubleshooting tips as they are developed.
  • Page 23: About This Guide

    Describes deployment and setup options of a ■ Symantec Network Security intrusion detection system. Part 2 Getting Started: This section explains how to set up your Symantec ■ Network Security intrusion detection system, populate a network topology database, configure basic detection capabilities, and establish initial protection and response policies.
  • Page 24 Chapter 8 Monitoring: Describes the types of information displayed for ■ incidents and their related events, and how to view incident data in the Network Security console. Chapter 9 Reporting: Describes the types of reports that Symantec ■ Network Security can generate, and how to generate them. Chapter 10...
  • Page 25: Chapter 2 Architecture

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 26: About Detection

    About response ■ About detection Symantec Network Security uses multiple methods of threat detection that provide both broad and deep detection of network-borne threats. These include Protocol Anomaly Detection (PAD), traffic rate monitoring, and network pattern matching, or signature-based detection.
  • Page 27 For example, if a protocol defines the size of a field, and Symantec Network Security detects a field that breaches the defined size, it will trigger an alert.
  • Page 28 Symantec Network Security to your particular environment. User-defined signatures significantly extend the functionality and allow you to leverage the power of Symantec Network Security, such as providing a flexible mechanism for making short-term updates during rapid...
  • Page 29 Symantec Network Security's aggregate analysis detects both denial-of-service and distributed denial-of-service attacks. These attacks are recognized as unusual spikes in traffic volume. Using the same data, Symantec Network Security can also recommend proper remediation of the problem. Beyond attack detection, Symantec Network Security uses traffic analysis to detect many information-gathering probes.
  • Page 30: About Analysis

    30 Architecture About the core architecture data from the native format to the Symantec Network Security format, and transmits the data to the software or appliance node. “About detection” on page 159. “About Smart Agents” on page 37. About analysis...
  • Page 31: About Response

    If two peer nodes detect an attack, each node treats it as a separate incident and has no knowledge of what the other node detects. However, when Symantec Network Security applies cross-node correlation to the incidents detected by two nodes in a cluster, each adds a reference to the other and maintains awareness that this may be the same or a related attack.
  • Page 32: About Management And Detection Architecture

    Multiple responses can be configured for the same event type, as well as the order in which Symantec Network Security executes the responses. Symantec Network Security reviews each event, and iterates through the list of response rules configured by the user.
  • Page 33 Symantec Network Security automatically installs a SuperUser login account that is authenticated with full administrative capabilities. The SuperUser can create additional login accounts in the following user groups: SuperUsers: A user authenticated with full administrative capabilities.
  • Page 34: About The Node Architecture

    The following diagram illustrates how Symantec Network Security’s arsenal of tools work together to provide protection: Figure 2-2...
  • Page 35 About analysis Symantec Network Security’s analysis framework aggregates event data on possible attacks from all event sources. The analysis framework also performs statistical correlation analysis on events to identify event patterns that vary significantly from usual network activity and to identify individual events that are highly related, such as a port scan followed closely by an intrusion attempt.
  • Page 36 Therefore, the ESP places these events in separate queues. The analysis framework can then analyze the events related to the hidden attack. In this way, Symantec Network Security analyzes and responds to both attacks quickly and effectively.
  • Page 37: About The 7100 Series Appliance Node

    Smart Agents enable Symantec Network Security to collect data from third-party hosts and network IDS products in real time. Smart Agents collect event data from external sensors such as Symantec Decoy Server®, as well as from third-party sensors, log files, SNMP, and source APIs. They send this data to be analyzed, aggregated, and correlated with all other Symantec Network Security events.
  • Page 38 ■ About management on the 7100 Series ■ About detection on the 7100 Series In addition to the detection facilities of Symantec Network Security software, the 7100 Series appliance provides a new detection feature called interface grouping. About interface grouping Interface grouping, also called port clustering, enables up to four monitoring interfaces to be grouped together as a single logical interface.
  • Page 39 About the serial console ■ About the compact flash ■ About the LCD panel The Symantec Network Security 7100 Series appliance is equipped with an LCD screen and push buttons on the front bezel. The screen can display two lines of...
  • Page 40 LCD screen displays system statistics in a rotating sequence, and provides a menu of tasks including stopping and starting Symantec Network Security, rebooting or shutting down the appliance, and changing the IP address. About the serial console You can use the serial console for initial configuration of the appliance and for command line access to the operating system utilities and filesystems.
  • Page 41: Chapter 3 Getting Started

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 42: General Checklist

    General checklist General checklist This section provides a broad outline of the basic steps to set up a core Symantec Network Security intrusion detection system for the first time. It also describes additional deployment options that are unique to the 7100 Series appliance.
  • Page 43: Additional Appliance-Specific Checklist

    TrackBack, and more. Additional appliance-specific checklist Deploying a new Symantec Network Security 7100 Series appliance for the first time involves some additional considerations. Preparing the appliance In-line or passive mode: Decide whether to deploy some or all appliance ■...
  • Page 44: About The Management Interfaces

    About the management interfaces Symantec Network Security provides a management interface called the Network Security console. Both the Symantec Network Security software and the 7100 Series appliance utilize the Network Security console for the majority of tasks.
  • Page 45 Caution: The first time you launch the Network Security console after installation, expect a wait time of a few minutes while the database files load. Symantec Network Security caches the files after that first load, and makes subsequent launches faster.
  • Page 46 46 Getting started About the management interfaces If in a cluster, all nodes must use the same port number. In Username, enter the user name. Access and permissions depend on the user group of your login account. In Passphrase, enter the passphrase established for your user login account, and click OK.
  • Page 47 The Network Security console provides a way to restart both Network Security software nodes and 7100 Series appliance nodes easily. Restarting includes the Symantec Network Security software and enables you to address an intermittent problem. Note: SuperUsers can restart both software and appliance nodes from the Network Security console;...
  • Page 48 Stopping Symantec Network Security via the command line Symantec Network Security provides a way to shut down software nodes from the command line. You must have root access to shut down software nodes from the command line.
  • Page 49: Using The Serial Console

    Symantec System ID. Using the serial console In addition to the Network Security console, Symantec Network Security 7100 Series appliances also provide a serial port. You can connect a serial console to an appliance to perform some basic initial configuration tasks. The serial...
  • Page 50 Restarting via the serial console The Symantec Network Security 7100 Series provides a way to restart appliance nodes using the serial console. You must have secadm access to restart Symantec Network Security on the serial console. Restarting includes the Symantec Network Security software and enables you to address an intermittent problem.
  • Page 51: Using The Lcd Panel

    Type the command: reboot Stopping via the serial console You must have secadm access to stop Symantec Network Security on the appliance from the serial console. To stop Symantec Network Security from the serial console Connect your laptop or other serial device to the appliance with the serial console cable.
  • Page 52 ■ Shutting down via the LCD panel ■ See the Symantec Network Security 7100 Series Implementation Guide for the full range of procedures available on the LCD panel. Unlocking the LCD panel The LCD panel may be locked. If so, you must use the secadm password to unlock it before you can perform any other tasks.
  • Page 53 About the management interfaces Restarting from the LCD panel The Symantec Network Security 7100 Series provides a way to restart Symantec Network Security on appliance nodes using the LCD panel. Restarting includes the Symantec Network Security software and enables you to address an intermittent problem.
  • Page 54: Managing User Access

    54 Getting started Managing user access Stopping via the LCD panel You must have the secadm password to stop Symantec Network Security on the appliance from the LCD panel. If the LCD panel is locked, see Unlocking the LCD panel. After it is unlocked, follow this procedure to restart Symantec Network Security.
  • Page 55: Managing User Login Accounts

    Note: The four user groups are unique to the Network Security console and do not extend to the serial console or the LCD panel. See the Symantec Network Security 7100 Series Implementation Guide for more information about the serial console and the LCD panel.
  • Page 56 56 Getting started Managing user access To add a new user login account In the Network Security console, click Admin > Manage Users > Add. In Add User, enter the Username, Passphrase, and confirm the passphrase. In Group, select one of the four predefined groups from the pull-down list, and click OK.
  • Page 57: Managing User Passphrases

    Click OK to save and close. Managing user passphrases Symantec Network Security provides an efficient way to control access to the Network Security console for both software and appliance nodes by managing user passphrases. You can control access to the serial console on an appliance by managing root and secadm passwords.
  • Page 58 58 Getting started Managing user access Changing passwords on the 7100 Series node The SuperUser password for a master 7100 Series node is entered during the initial configuration of the appliance. This password is used for the Network Security console login, root login, secadm login, and for unlocking the LCD panel.
  • Page 59: Controlling User Access

    Setting Maximum Login Failures Maximum Login Failures determines the number of login attempts that Symantec Network Security can accept before it locks the user out. The limit applies to Administrators, StandardUsers, and RestrictedUsers. The SuperUser is not subject to this limitation, and can reset the password of a locked-out account to re-enable it.
  • Page 60: Planning The Deployment

    Click OK to save the changes to this sensor and close. Tracking user actions Symantec Network Security logs all user actions on the Network Security console that modify the configuration. When you set the operational log to verbose mode, Symantec Network Security extends logging to include user actions that do not affect the configuration.
  • Page 61: Deploying Single Nodes

    Deploying single nodes Symantec Network Security can be deployed as one or more single nodes that operate independently of each other within your network. The following figure illustrates the relationship between a single Network Security software node or...
  • Page 62: Deploying A Single 7100 Series Appliance Node

    Deploying a single 7100 Series appliance node You can deploy a Symantec Network Security 7100 Series node just as you would a Network Security software node. It can operate independently or as part of a cluster. A 7100 Series appliance also has several extra deployment options. You can configure it for interface grouping, in-line mode, and fail-open, in addition to passive monitoring mode.
  • Page 63: Configuring Single-Node Parameters

    The Symantec Network Security In-line Bypass unit has been custom designed to provide fail-open capability for the Symantec Network Security 7100 Series.
  • Page 64: Deploying Node Clusters

    A cluster of software or appliance nodes enables Symantec Network Security to monitor all parts of a network from the central Network Security console, and share information between nodes.
  • Page 65: Deploying Software And Appliance Nodes In A Cluster

    Deploying software and appliance nodes in a cluster ■ Monitoring groups within a cluster ■ See the Symantec Network Security Installation Guide and the Symantec Network Security 7100 Series Implementation Guide for special considerations when upgrading or migrating clusters. Deploying software and appliance nodes in a cluster Both Network Security software nodes and 7100 Series appliance nodes can be deployed as master nodes or slave nodes in a cluster.
  • Page 66: Monitoring Groups Within A Cluster

    This increases performance as well, because it reduces the number of incidents that a single Network Security console must load. When subdivided by monitoring groups, Symantec Network Security continues to perform cross-node correlation across all nodes in the cluster, even though the Network Security console displays incidents only from the subset.
  • Page 67 Getting started Deploying node clusters Click OK. Assigning a monitoring group The Network Security console provides an efficient way to assign a node to a monitoring group. Note: SuperUsers can add, assign, and rename monitoring groups; Administrators, StandardUsers, and RestrictedUsers can choose them. See “User groups reference”...
  • Page 68 “Choosing monitoring groups” on page 68. Choosing monitoring groups Symantec Network Security provides a way to display a subset of the incident list focused on only those software or appliance nodes that are included in the selected monitoring group. To focus the incident view on a monitoring group In the Network Security console, click Configuration >...
  • Page 69: Initial Configuration

    Part II Initial Configuration This section explains how to set up your Symantec Network Security intrusion detection system. After getting started, indicate what to monitor by creating a network topology database, what kind of activity to look for by configuring...
  • Page 71: Chapter 4 Populating The Topology Database

    ■ About the network topology The first step in the initial configuration of Symantec Network Security is to establish the topology database. Do this by adding objects to the topology tree to represent routers, network segments, and intrusion detection devices in your network.
  • Page 72: About The Devices Tab

    The Devices tab provides a tree-oriented view of the network topology with a detailed summary of each device. When you select an object from the topology tree in the left pane, the right pane displays related information. Symantec Network Security updates this information at frequent intervals, so the status remains current.
  • Page 73 Locations: Objects that represent physical or logical groups of one or more ■ network segments. The installation procedure automatically creates the first location object, named Enterprise by default. Symantec Network Security nodes: The object category for both software ■ and appliance nodes. Software nodes: Objects that represent the Symantec Network Security ■...
  • Page 74: About Topology Mapping

    Active Security Incidents: Displays the active incidents of the selected ■ topology object, with name, state, node number, and last date modified. About topology mapping To configure Symantec Network Security, first populate the topology database. This includes the following basic steps: Mapping the existing network ■...
  • Page 75 Before building the network topology database, we recommend that you create a map of your network topology. Include the devices and device interfaces that you want Symantec Network Security to monitor, or through which you want it to track attacks.
  • Page 76 Gathering information After you have taken an inventory of your existing network, you can provide this information to the Symantec Network Security database by populating the topology tree. To prepare for this, we recommend that you gather information specific to each element of your topology.
  • Page 77 Populating the topology database About the network topology You can save time if you review both the general information, and each procedure, and verify that you have all the necessary data before starting the procedure. The following table describes the kind of information you will need to provide when populating the topology tree: Table 4-1 Information to gather...
  • Page 78: Managing The Topology Tree

    Managing the topology tree To configure Symantec Network Security, first populate the topology database to provide key information about your network. Collect this key information described in the Gathering information section.
  • Page 79: Viewing Auto-Generated Objects

    Enterprise by default. You can add more location objects to represent other locations. Symantec Network Security also automatically creates objects for managed network segments in the topology tree.
  • Page 80: Adding Objects For The First Time

    “About router objects” on page 101. For each device object, create an interface object for the interfaces you want Symantec Network Security to either be aware of or to monitor. “About nodes and interfaces” on page 85. Click Topology > Save Changes to save the network topology tree. You will lose any unsaved changes when you exit.
  • Page 81: Editing Objects

    Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit. Note: SuperUsers can add, edit, and delete Symantec Network Security software and appliance nodes. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot add, edit, or delete them.
  • Page 82: Reverting Changes

    82 Populating the topology database Managing the topology tree Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit. Caution: When an object is deleted, all of its sub-objects are also deleted. Note: SuperUsers can add, edit, and delete any nodes (both software and appliance nodes) or objects that they create.
  • Page 83: Forcing Nodes To Synchronize

    About managed network segments ■ About location objects The Symantec Network Security installation process automatically adds one location named Enterprise. A location object represents any physical or logical group of managed network segments. Each location must contain one or more...
  • Page 84 84 Populating the topology database Adding nodes and objects network segments. A cluster of Symantec Network Security nodes can contain multiple locations, and you can add more objects to represent them. At least one location object must exist in the topology tree before you can add software or appliance nodes, device objects, or interface objects.
  • Page 85: About Nodes And Interfaces

    Node interfaces: Interface objects represent the point of contact between ■ Symantec Network Security and the devices in the network. Some interface objects are mandatory, others are optional. “About monitoring interfaces on software nodes” on page 89.
  • Page 86: About Network Security Software Nodes

    86 Populating the topology database Adding nodes and objects Note: SuperUsers can add, edit, and delete both software or appliance nodes. Administrators, StandardUsers, and RestrictedUsers can view them only. See “User groups reference” on page 319 for more about permissions. About Network Security software nodes Under Enterprise, the location object created automatically during the installation process, SuperUsers can add an object to the topology tree to...
  • Page 87 Enter the IP address for the node. You can position Symantec Network Security in front of and/or behind a NAT device. If behind, provide a local IP address and an administration IP address. Use the administration IP address when adding the node to the topology tree.
  • Page 88 88 Populating the topology database Adding nodes and objects Use the same passphrase when you install Symantec Network Security on the designated computer. “Synchronization passphrases” on page 78. If editing a software node, proceed to the next step. ■ In Description, enter an optional description of up to 255 characters, and click OK.
  • Page 89 About monitoring interfaces on software nodes Monitoring interfaces communicate between the Symantec Network Security software or appliance node, and the network device, such as a router. The software or appliance node receives data about traffic on the router via the monitoring interface.
  • Page 90 90 Populating the topology database Adding nodes and objects Adding or editing monitoring interface on software nodes The Network Security console provides a way to add monitoring interfaces to the topology tree. To add or edit a monitoring interface to a software node On the Devices tab, do one of the following: Right-click the software node, and select Add Monitoring Interface ■...
  • Page 91 Populating the topology database Adding nodes and objects Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit. “Deleting objects” on page 81. About the Networks tab The Networks tab lists the networks that this interface monitors. Replace the default entry with valid monitored networks before starting a sensor on the interface.
  • Page 92: About 7100 Series Appliance Nodes

    Network Security 7100 Series appliance node. Adding or editing 7100 Series nodes The Network Security console provides a way to add or edit Symantec Network Security 7100 Series nodes. The installation process populates the fields in the Advanced Network Options tab blank. After installation, you can view the Advanced Network Options.
  • Page 93 Populating the topology database Adding nodes and objects Note: The model number of a 7100 Series node cannot be edited. To change it, you must delete the node object and add a new one using the desired model number. In Add 7100 Series Node or Edit 7100 Series Node, enter a descriptive name of up to 40 characters for the device.
  • Page 94 94 Populating the topology database Adding nodes and objects In Description, enter an optional description of up to 255 characters, and click OK. You may want to enter the serial number of the appliance here for later reference. The serial number is found on the label on the back panel of the appliance, with the prefix S/N.
  • Page 95 “Adding or editing in-line pairs” on page 100. About 7100 Series interfaces Each Symantec Network Security 7100 Series interface is a point of contact between the 7100 Series node and a network device. The node accesses traffic on the network device via the interface.
  • Page 96 In-line pair: Two interfaces cabled into the actual network traffic path and configured for in-line mode. Allows blocking of malicious traffic. The monitoring interface objects of a 7100 Series appliance node are automatically generated when the node is added to the topology.
  • Page 97 In TCP Reset Interface, click the reset interface on the pull-down list. The reset interface must be cabled to access the monitored network. See the Symantec Network Security 7100 Series Implementation Guide. In Description, enter an optional description of up to 255 characters, and click OK.
  • Page 98 To add or edit monitored networks: On the Networks tab, do one of the following: Click Add, or select the network and click Edit. Replace the default 0.0.0.0/0 with all valid network IP addresses monitored by this interface, in CIDR format.
  • Page 99 In TCP Reset Interface, click the reset interface on the pull-down list. The reset interface must be cabled to access the monitored network. See the Symantec Network Security 7100 Series Implementation Guide. In Description, enter an optional description of up to 255 characters.
  • Page 100 In Pair, click the interface pair on the drop-down list. The selected interfaces must be cabled for in-line mode. See the Symantec Network Security 7100 Series Implementation Guide. In Description, enter an optional description of up to 255 characters.
  • Page 101: About Router Objects

    About router objects Routers store data packets and forward them along the most expedient route between hosts or networks. Symantec Network Security monitors this connection. Add an object to the topology tree to represent each router that you want Symantec Network Security to monitor.
  • Page 102 Adding or editing router objects. The Network Security console provides a way to add router objects to the topology tree. To add or edit a router object: On the Devices tab, do one of the following: Right-click Network Devices or Location, and select Add Router from...
  • Page 103 About router interfaces. An interface object represents each router interface through which Symantec Network Security tracks attacks. Adding or editing router interface objects. The Network Security console provides a way to add interface objects in the topology tree to represent each router interface through which you want Symantec Network Security to track attacks.
  • Page 104: About Smart Agents

    About Smart Agents Symantec Network Security Smart Agents are translation software that enable Symantec Network Security to receive event data from external sensors, and correlate that data with all other events. Smart Agents expand the security umbrella and enhance the threat detection...
  • Page 105 Adding or editing Smart Agent objects. The Network Security console provides a way to add Smart Agent objects to the topology tree. To add or edit a Smart Agent object: On the Devices tab, do one of the following: Right-click Enterprise or Smart Agents, and select Add Smart Agent...
  • Page 106 Symantec Network Security Smart Agents in the network. They also make Symantec Network Security aware for the TrackBack response action. You do not need to add the optional Smart Agent interface objects for Symantec Network Security to accept event data from them. However, to apply the...
  • Page 107 Adding or editing Smart Agent interface objects. The Network Security console provides a way to add and edit Smart Agent interface objects on the topology tree. To add or edit a Smart Agent interface object: On the Devices tab, do one of the following: Right-click the Smart Agent object for which you want to create an...
  • Page 108: About Managed Network Segments

    The Network Security console automatically creates an object in the topology tree to represent each such managed network segment in your network. Each time you add a new interface object, Symantec Network Security adds a new object for the network segment in which the interface resides, if not already represented.
  • Page 109 “Description” on page 77. Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
  • Page 111: Chapter 5 Protection Policies

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 112: Responding To Malicious Or Suspicious Events

    The option to block is available only using a Symantec Network Security 7100 Series appliance that is deployed in-line. “Overriding blocking rules globally”...
  • Page 113: Using Protection Policies

    Using protection policies. The following list describes each tab: Protection Policies tab: Symantec Network Security installs with a set of pre-defined policies that you can use immediately by setting them to interfaces, overriding existing blocking rules, and applying them.
  • Page 114: Selecting Pre-Defined Policies

    immediately activate them by setting them to interfaces and applying them. You can also define your own policies and activate them using the same procedures. 1. Select a protection policy. 2. Set to interfaces.
  • Page 115: Setting Policies To Interfaces

    Using protection policies Setting policies to interfaces You can immediately set the Symantec protection policies to work by setting them to specific node interfaces and applying the settings. You can set protection policies to both software and appliance nodes, with some important differences.
  • Page 116: Undoing Policy Settings

    by configuring a protection policy with blocking enabled. You can enable blocking only on in-line interface pairs on a 7100 Series node. To make sure that blocking is enabled at the event list level, see also “Enabling or disabling blocking rules”...
  • Page 117: Adjusting The View Of Event Types

    If an event type is a known characteristic of your network, you can instruct Symantec Network Security not to alert on it by setting logging rules. This section describes the following topics: Searching to create a subset of event types ■...
  • Page 118 1. Set search parameters to select event types that match certain characteristics. 2. Click Logged and/or Blocked to display event types that have logging or blocking rules. 3. Click Search Events to display a manageable subset of event types.
  • Page 119: Adjusting The View By Columns

    Viewing event type details The Network Security console provides a way to view and clone the pre-defined Symantec protection policies, but you cannot edit or delete them. To view individual protection policies On the Policies tab, select a protection policy.
  • Page 120: Defining New Protection Policies

    Defining new protection policies. The Network Security console provides a way to define new policies, and to clone and modify existing policies. For software and appliance nodes, you can add logging rules that specify which event types trigger events displayed in the Incidents tab.
  • Page 121: Adding Or Editing User-Defined Protection Policies

    The Network Security console provides a way to add and edit user-defined protection policies. Symantec protection policies cannot be modified. If you want to modify a Symantec protection policy, clone it and modify the clone. To add or edit user-defined protection policies In the Policies tab, do one of the following: Click New.
  • Page 122: Enabling Or Disabling Logging Rules

    Enabling or disabling logging rules. The Network Security console provides the tools to determine how Symantec Network Security monitors the network. Do this by setting logging rules that specify which event types deserve alerting, and which can be ignored. This section describes how to enable or disable event logging rules.
  • Page 123: Enabling Or Disabling Blocking Rules

    Enabling or disabling blocking rules. The Symantec Network Security 7100 Series now provides the ability to prevent malicious traffic from entering your network. If sensors indicate that unexpected traffic is penetrating the firewall or router, you can block it by...
  • Page 124 configuring a protection policy with blocking rules enabled. You can enable blocking rules only on interface pairs on Symantec Network Security 7100 Series appliances that are deployed in-line. To override these blocking rules globally without redefining the policy itself, see also “Overriding blocking rules globally”...
  • Page 125: Deleting User-Defined Protection Policies

    Auto Update Rules selects those signatures that match your criteria, and automatically adds them to this policy. Even if the LiveUpdate occurs in the middle of the night, Symantec Network Security immediately starts logging the matching events. To add auto update rules In the Policies tab, do one of the following: Click Protection Policies >...
  • Page 126: Annotating Policies And Events

    Note: EngineUpdates trigger the sensors to restart automatically when you apply them. See also “Updating Symantec Network Security” on page 269. Annotating policies and events. The Network Security console provides a way to take notes on events at the...
  • Page 127 Click Add, or select a policy and click Edit. In the Policies tab, click the Notes tab. Enter a note regarding this policy, and click OK. To view a note about a policy: In the Policies tab, hover the cursor over the policy to display the note as a...
  • Page 128: Backing Up Protection Policies

    In the upper pane, click an incident, and then in the lower pane, double-click the related event. In Incident Details or Event Details, click Analyst Note. Enter your annotation, and click Add Note. Click Close.
  • Page 129: Chapter 6 Responding

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional...
  • Page 130 functionality that is unique to an appliance. Each section describes this additional functionality in detail. Symantec Network Security can take the following types of actions to respond to attacks, individually or in sequence: Predefined actions...
  • Page 131: About Automated Responses

    Multiple responses can be configured for the same event type, as well as the order in which Symantec Network Security executes the responses. Symantec Network Security reviews each event, and iterates through the list of response rules configured by the user.
  • Page 132: Managing Response Rules

    Managing response rules. The Network Security console provides a way to view, add, insert, duplicate, and delete the responses that make up Symantec Network Security’s automated rule-based response system. This section describes the following: Viewing response rules...
  • Page 133: Adding New Response Rules

    Interpreting color coding. At a glance, you can tell which response rules have been saved, and which remain to be saved, by the background colors: White indicates the response rule has been saved; Yellow indicates the response rule has not been saved; Purple indicates the response rule is currently selected...
  • Page 134: Editing Response Rules

    Editing response rules. The Network Security console provides a way to modify response rules easily. To view Response Policy Configuration: In the Network Security console, click Configuration > Response Rules. In Response Rules, select a response rule. The background of the selected response rule turns purple.
  • Page 135: Deleting Response Rules

    Note: It can take a few minutes for response policy changes to take effect. You can bypass the wait interval by clicking Admin > Force Database Sync. Backing up response rules We recommend that you periodically back up your Symantec Network Security response policy database. “Backing up and restoring”...
  • Page 136: Setting Response Parameters

    The event type parameter specifies the base event or events for which the response rule is defined. Event types are grouped into several larger protocol and service attack categories. When Symantec Network Security detects a suspicious event, it analyzes the event to match it to an event type.
  • Page 137: Setting Severity Levels

    Web server. By itself, this example might represent a medium level of intrinsic severity. Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the height of the severity level depends on the number and frequency of packets received.
  • Page 138 If the severity assigned during analysis equals the severity level defined in the response rule, as well as all other parameters defined in the response rule, then Symantec Network Security responds to the incident by performing the action associated with the response rule. SuperUsers and Administrators can also specify that the action execute only if the incident priority level falls above or below that of a particular severity level.
  • Page 139: Setting Confidence Levels

    This interface is not necessarily the target of the attack, but may in fact be the point in the network at which Symantec Network Security is currently tracking the attack. If the interfaces being inspected are receiving VLAN encapsulated traffic, you can also specify that a rule applies to a specific VLAN ID.
  • Page 140: Setting Response Actions

    Possible values are Stop, Continue to Next Rule, and Jump to Rule. The Continue to Next Rule value directs Symantec Network Security to search for the next matching response rule after executing the current response rule. This enables Symantec Network Security to make multiple responses to any particular incident type, in combination with each other and in a desired sequence.
  • Page 141: Setting Response Actions

    to Rule 8. The Stop value directs Symantec Network Security to discontinue searching for matching response rules. To set the next action: In the Network Security console, click Configuration > Response Rules. Select a Next Action to do one of the following: Stop searching for matching response rules.
  • Page 142: Setting No Response Action

    The None option directs Symantec Network Security not to respond to particular types of incidents. Selecting the None option, followed by Stop as the next action configures Symantec Network Security to take no action in response to specified types of incidents. SuperUsers and Administrators can also configure Symantec Network Security to ignore specific attacks by setting a filter.
  • Page 143 Delay between email notifications (mins): Enter the time in minutes that you want Symantec Network Security to wait before sending another notification. In Configure Response Action, click OK to save and exit.
  • Page 144 Setting Subject Line. Subject Line indicates the subject line used when Symantec Network Security sends automatic email notifications. The default value is Symantec Network Security Alert. You can use response variables to set the subject line. For example, to set the...
  • Page 145: Setting Snmp Notification

    Click OK to save the changes to this node and close. Setting SNMP notification Symantec Network Security can initiate an SNMP notification in response to an attack. The SNMP notification option directs Symantec Network Security to send SNMP traps to an SNMP manager with a minimum delay of 1 minute between responses.
  • Page 146 Delay between SNMP notifications (mins): Enter the time in minutes that you want Symantec Network Security to wait before sending another notification. In Configure Response Action, click OK to save and exit. In Response Rules, click OK to save and exit.
  • Page 147: Setting Trackback Response Action

    Sensor require interfaces with applied protection policies to run, as well as sensor parameters for flow statistics. Setting TrackBack response actions Symantec Network Security can begin tracking in response to an attack. The minimum delay between responses is 1 minute. To enable TrackBack In the Network Security console, click Configuration >...
  • Page 148 Delay between executions (mins): Enter the time in minutes that you want Symantec Network Security to wait per incident, before making another execution. In Configure Response Action, click OK to save and exit. In Response Rules, click OK to save and exit.
  • Page 149 The following is an example of a custom response command: /usr/local/bin/myscript.sh -i %i -t %t -s %s admin@organization.org The following table describes the variables that can be used in the command line of custom response actions, console response actions, and email responses: Table 6-1 Response Variables Variable...
  • Page 150: Setting A Tcp Reset Response Action

    Setting traffic record response action The traffic record response dynamically records network traffic in response to an event. With this option, Symantec Network Security can record traffic for a specified period of time, or until a specified number of packets has been collected.
  • Page 151 Maximum time to record (mins): Enter the time in minutes that you want Symantec Network Security to record per incident. Click traffic record match parameters to select them: Source IP: Click this parameter if you want to record only traffic with...
  • Page 152: Setting A Console Response Action

    Setting a console response action. Symantec Network Security can initiate an action on the Network Security console in response to an attack. A SuperUser or Administrator can configure the response rule to play an alert sound and/or to execute a program on the Network Security console.
  • Page 153: Setting Export Flow Response Action

    In Local Console Configuration, click OK to save and close. Note: The Network Security console must be running in order for Symantec Network Security to execute the console response action. If a Network Security console starts after console response events are sent, it does not execute the actions.
  • Page 154: Managing Flow Alert Rules

    Delay between flow export actions (mins): Enter the time in minutes that you want Symantec Network Security to wait between actions per incident. The default delay is 10, the minimum is 1, and the maximum is 256.
  • Page 155: Viewing Flow Alert Rules

    Viewing flow alert rules. Symantec Network Security provides a way to view flow alert rules from the Network Security console. To view flow alert rules: In the Network Security console, click Configuration > Flow Alert Rules.
  • Page 156: Editing Flow Alert Rules

    In Flow Alert Rules, click OK to save and exit. Editing flow alert rules. The Network Security console provides a way to rearrange the sequence of flow alert rules. To rearrange the order of flow alert rules: In the Network Security console, click Configuration >...
  • Page 157 Click OK to save and exit. Providing an appropriate mask Symantec Network Security checks the subnet mask, and sends an error message if the mask is not appropriate for the number of bits specified in the subnet address. For example, if a full 32-bit IP address is entered, then the mask must also be 32.
  • Page 159: Chapter 7 Detecting

    Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be...
  • Page 160: Configuring Sensor Detection

    LiveUpdate and stores them individually. Configuring sensor detection Symantec Network Security provides an array of sensor parameters that are preset for optimum performance and sensitivity. They can be tuned to address specific network environments, and each sensor can be set individually to devote it to specific tasks.
  • Page 161: Configuring Sensor Parameters

    Threshold parameters; Saturation parameters; Miscellaneous parameters; Checksum validation parameters; Advanced sensor parameters. Configuring sensor parameters. The Network Security console provides a way to control sensor processes by configuring sensor parameters. To configure the sensor parameters: On the Devices tab, right-click the sensor.
  • Page 162: Basic Sensor Parameters

    Table 7-1 Restarting sensors (Action: Response). Modifying some sensor configuration parameters: You must restart the sensor for the action to take effect. Applying protection policies: Starts the sensor automatically. Unapplying protection policies: Stops the sensor automatically. Removing interface groups: Stops the sensor automatically.
  • Page 163: Data Collection Parameters

    The default value is false. If your system has performance issues, leaving Enable Flow Statistics Collection turned off can provide a minor improvement. However, some Symantec Network Security features use the data collected by this parameter. For example, if you leave Enable Flow Statistics Collection off for all sensors, FlowChaser will receive no flow data from sensors.
  • Page 164: Threshold Parameters

    For example, if the system suddenly receives more requests than it can respond to, Symantec Network Security flags these events as a possible DoS attack. It generates events when traffic exceeds preset thresholds;...
  • Page 165: Saturation Parameters

    The following parameters regulate the percentage of a variety of types of traffic that the sensor tolerates before it notifies you. Symantec Network Security provides counter-based detection of floods and denial-of-service attacks such as resource reservation and pipe filling. For...
  • Page 166 ICMP Saturation Alert Threshold. ICMP Saturation Alert Threshold regulates the level at which the sensor notifies you that it detects a large amount of ICMP fragmentation traffic. The default is set to 0.25, and valid values range from 0 to 1, representing the percentage of total traffic.
  • Page 167: Miscellaneous Parameters

    Service traffic in 20% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. You can increase the Threshold if you want to tolerate a high percentage of Bad Service traffic in your environment.
  • Page 168: Checksum Validation Parameters

    The sensor monitors both the client-to-server and the server-to-client sides of the connection. The default is set to duplex, and Symantec Network Security generally performs best in this mode. Change to simplex only under specific conditions or for specific environments. Set this parameter during deployment, when you decide which mode to use.
  • Page 169: Advanced Sensor Parameters

    7100 Series appliances have checksum capability. Advanced sensor parameters Symantec Network Security provides the following parameters for advanced troubleshooting purposes. Defaults are preset for optimum performance and sensitivity and do not need to be changed under most circumstances. Changing the default settings may impact performance, sensitivity, or both.
  • Page 170: Interval And Flow Parameters

    Counter Number of Streak Packets. Note: In versions prior to 4.0, Streak Interval and Counter Interval were controlled by the same parameter. Symantec Network Security now provides two parameters that you can configure independently.
  • Page 171 Streak Interval regulates how often the sensor checks traffic for port scans. In past versions, Streak Interval and Counter Interval were controlled by the same parameter. Symantec Network Security now provides two parameters that you can configure independently. The default is set to 16,383 for optimum sensitivity and performance, and does not need to be changed under most circumstances.
  • Page 172: Miscellaneous Parameters

    You can troubleshoot a noisy network by increasing the value without changing Streak Interval. The sensor then takes a larger sample at each interval and gets more accurate results, at the cost of impacting system performance somewhat. This parameter should not be changed without a thorough understanding of how it interacts with Streak Interval...
  • Page 173: Table Element Parameters

    Saturation Counter Lapse Time. Saturation Counter Lapse Time regulates the time period to collect packets. The sensor must detect 2,048 packets in the time period set by this parameter and send them to analysis. If traffic moves slower than that, it skips analysis. If traffic exceeds the threshold, then it proceeds to analysis.
  • Page 174 Maximum IPv4 Fragment Reassembly Table Elements. Maximum IPv4 Fragment Reassembly Table Elements regulates the size of IP fragment tables by controlling the number of simultaneous IP fragments that the sensor handles. It directly impacts memory consumption. Each fragment table entry can consume slightly more than 64K of memory.
  • Page 175: Segment Parameters

    UDP Maximum Flow Table Elements (Fast Ethernet). UDP Maximum Flow Table Elements (Fast Ethernet) regulates the size of the UDP flow table by controlling the number of simultaneous flows that the fast Ethernet sensor handles. It has a direct impact on memory consumption. The default is set to 32,768 for optimum performance and sensitivity, and does not need to be changed under most circumstances.
  • Page 176 TCP Flow Max Queued Segments. TCP Flow Max Queued Segments regulates the number of TCP segments that are out of order in a queue per TCP flow. If the number of out-of-order segments exceeds this maximum, the sensor discards the flow. Out-of-order segments in a flow usually signify a problem;...
  • Page 177: Configuring Port Mapping

    Configuring port mapping Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be...
  • Page 178 If port map settings change, all signatures in use at that time must be recompiled to synchronize with the new information. When you edit the port map settings, Symantec Network Security recompiles automatically. This section describes the following: Adding or editing port mappings...
  • Page 179: Configuring Signature Detection

    About Symantec signatures. Symantec Network Security uses network pattern matching, or signatures, to provide a powerful layer of detection. Signature detection involves detecting threats by looking for a specific pattern or fingerprint of a known bad or harmful thing.
  • Page 180: About User-Defined Signatures

    Symantec Network Security uses signatures as a complement to PAD. The combination provides robust detection without the weaknesses of either PAD alone or signatures alone. Symantec Network Security's high performance is maintained by matching against the smallest set of signatures possible given the current context.
  • Page 181 On the Policies tab, click Policies > Policies Applied to Interfaces to see interfaces with policies applied. To see applied signatures: On the Policies tab, click Policies > Policies to see the Symantec signatures that are applied. To see available signatures: On the Policies tab, click the User-defined Signatures tab to see available...
  • Page 182 In Protocol, enter a protocol from the pull-down list. In Transit Type, which is active if you chose IP_OTHER from the Protocol pull-down list, enter a transit type from the pull-down list. Click Next to proceed. In Signature Description, enter optional notes, and click Next.
  • Page 183 Note: See the Symantec Network Security Installation Guide for upgrading user-defined signatures from Symantec ManHunt 3.0. Deleting user-defined signatures. The Network Security console provides a way to delete user-defined signatures at any time. To delete user-defined signatures: On the Policies tab, click User-defined Signatures.
  • Page 184: Managing Signature Variables

    “Applying signature variables” page 185. Editing signature variables. Symantec Network Security provides an easy way to edit signature variables for reuse. The signature variables apply to all signatures, both the default Symantec signatures and any user-defined signatures that you add.
  • Page 185 To apply this change to the database, see “Applying signature variables” page 185. Resetting signature variables. Symantec Network Security provides an easy way to reset a signature variable after editing it. To reset signature variables: On the Policies tab, click Signature Variables.
  • Page 186 In Signature Variables, click Apply to save the changes to the database. Reverting signature variables. Symantec Network Security provides an easy way to revert any changes to signature variables, if you act before saving. To revert changes to signature variables: On the Policies tab, click Signature Variables.
  • Page 187: Using Symantec Network Security

    Part III Using Symantec Network Security This section describes how to use your Symantec Network Security system to monitor your network, interpret incidents and events, generate reports and run queries, maintain logs and databases, and fine-tune your system using advanced...
  • Page 189: Chapter 8 Monitoring

    Incidents to which no new events have been added for a given amount of time are considered idle, so Symantec Network Security closes them. The condition of the incident can be viewed in the State column of the Incidents table.
  • Page 190: Viewing Incident And Event Data

    Incidents are groups of multiple related base events. Base events are the representation of individual occurrences, either suspicious or operational. The sensors notify the software or appliance node of any suspicious actions or occurrences that might warrant a response, such as a probe. Symantec Network...
  • Page 191: Adjusting The View

    About incident and event data Security also monitors operational occurrences that the user should be aware of, such as a Symantec Network Security license approaching the expiration date. The Incidents tab contains an upper and lower pane: Incidents, and Events at Selected Incident.
  • Page 192: Examining Incident And Event Data

    202. Examining incident and event data Because large chronological lists of events are difficult to manage by hand, Symantec Network Security categorizes events into incidents with similar or related characteristics, such as time, type, location, source, or destination. Using...
  • Page 193: Examining Incident Data

    Monitoring Examining incident and event data real-time analysis and correlation in this way, Symantec Network Security provides information about all incidents and events that occur in your network. You can control the way this information is displayed by setting font size, choosing the data to display, filtering the view, and sorting it.
  • Page 194 Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward. End time Indicates the time at which Symantec Network ■ Security stopped monitoring the incident. “Setting Incident Idle Time” on page 213.
  • Page 195 If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.
  • Page 196: Examining Event Data

    Event name: Indicates the name of the event. Detected At: Indicates summary information about the event, such as the name of the software or appliance node on which the event was detected, the interface, the current policy, and MAC addresses.
  • Page 197 Note: All users can view top-level event data. See “User groups reference” page 319 for more about permissions. Interpreting severity and confidence levels Symantec Network Security factors severity and confidence levels as follows: Table 8-1 Severity and Confidence Levels Confidence...
  • Page 198 The confidence value indicates the level of certainty that a particular incident is actually an attack. If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.
  • Page 199 Token Failure: The iButton, used only by Network Security software ■ nodes, stores the private key portion of the Symantec Network Security signature certificate to safeguard the private key against being stolen or compromised. The iButton also confirms the identity of a software node.
  • Page 200 Medium 1 week =< life < 1 month Warnings of the impending expiration are displayed in the Active Incidents tab. Expiration dates are also displayed when Symantec Network Security is restarted. Network Security SuperUser Login: Symantec Network Security displays ■...
  • Page 201: Managing Incident And Event Data

    Symantec Network Security. SNMP Alert Successful, but Truncated: An SNMP trap was successfully ■ sent by Symantec Network Security, but the message was too long and was truncated. SNMP Alert Failed: An error occurred while sending an SNMP alert from ■...
  • Page 202: Selecting Columns

    Click OK to save and close. The Incidents tab can display the following incident data: Last Mod. Time: Indicates the date and time when Symantec Network Security last modified the incident record. Name: the user group of the current user.
  • Page 203 State: Indicates the condition of the incident, either Active or Closed. Incidents to which no new events have been added for a given amount of time are considered idle, and Symantec Network Security closes them. Marked: Indicates whether you marked the incident as viewed.
  • Page 204 The Events at Selected Incident pane can display the following information: Time: Indicates the date and time when Symantec Network Security first detected and logged the event. Event: Indicates the event category of the detected event.
  • Page 205: Selecting View Filters

    Monitoring Managing incident and event data See the following for further information: “About incident/event reports” on page 229. ■ “Interpreting severity and confidence levels” on page 197. ■ Selecting view filters The Network Security console provides a way to adjust the view by selecting filters to display only a relevant subset of the total incident or event tables.
  • Page 206 Click Hide Marked to show only the incidents that have not been ■ marked in the Network Security console. Click Show Both to include both marked and unmarked incidents. ■ In Analyst Notes, do one of the following: Click Hide Unannotated to show only incidents with annotations and ■...
  • Page 207: Marking And Annotating

    Click Show Both to show all events relating to the selected incident. ■ In Maximum Events to Display, enter a value. The default is 100 events per incident. Click Apply to save and exit. Note: All users can select event filtering criteria.
  • Page 208 Annotating incident data You can add comments to incidents and events. Each annotation receives a time stamp and lists the author of the annotation. You can sort multiple annotations for an event by time stamp in ascending or descending order. To annotate an incident or event On the Incidents tab, double-click an incident or event.
  • Page 209: Saving, Copying, And Printing Data

    Saving, copying, and printing data This section describes the following: Saving incident data ■ Copying and pasting incidents ■ Copying an incident’s top event ■ Copying event details ■ Printing incident data ■ Saving incident data All users can save detailed information about each incident on the Network Security console Incidents tab.
  • Page 210 Note: All users can copy and paste incident data. See “User groups reference” page 319 for more about permissions. Copying an incident’s top event The Network Security console provides a way to copy the top event data from an incident, and paste it into a document or email.
  • Page 211: Emailing Incident Or Event Data

    Note: All users can print top-level incident data. See “User groups reference” page 319 for more about permissions. Emailing incident or event data The Network Security console provides a way to configure Symantec Network Security to export incident or event data via email: Configuring email ■...
  • Page 212 Note: All users can configure Symantec Network Security to email top-level incident data. See “User groups reference” on page 319 for more about permissions. Emailing incident data You can send detailed information about each incident via email using the Incidents tab.
  • Page 213: Tuning Incident Parameters

    Incidents are considered idle and are closed when no new events have been added for a given amount of time. SuperUsers and Administrators can define the period of time that an incident remains idle before Symantec Network Security discontinues monitoring it, by editing the incident idle time parameter. By default, the value for this parameter is set to 10 minutes.
  • Page 214: Setting Maximum Incidents

    In Symantec Network Security Configuration Parameters, click Incident/Event Parameters > Incident Idle Time. Enter a value for the parameter, in minutes. By default, the value for this parameter is set to 10 minutes. Click OK to save and exit.
  • Page 215: Setting Incident Unique Ip Limit

    In Select Node, choose the node from the pull-down list, and click OK. In the left pane, click Maximum Active Incident Life. In the lower right pane, enter a value in hours. Click Apply. In Apply Changes To, select the node to which to apply the parameter. Click OK to save the changes to this node and close.
  • Page 216: Event Correlation 'Source Ip' Weight

    10. If the sum is less than 10, no events will be correlated. Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise To configure this parameter Click Configuration > Node > Network Security Parameters.
  • Page 217: Event Correlation 'Destination Ip' Weight

    10. If the sum is less than 10, no events will be correlated. Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise To configure this parameter Click Configuration > Node > Network Security Parameters.
  • Page 218: Event Correlation 'Destination Port' Weight

    10. If the sum is less than 10, no events will be correlated. Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise To configure this parameter Click Configuration > Node > Network Security Parameters.
  • Page 219: Monitoring Flow Statistics

    FlowChaser receives information about network flows from Network Security sensors, routers, and third-party devices. FlowChaser stores the data in an optimized fashion that Symantec Network Security uses for TrackBack and response actions. To enable flow data collection In the Network Security console, click the Devices tab.
  • Page 220: Configuring Flowchaser

    In Apply Changes To, select the node to which to apply the parameter. Click OK to save the changes to this node and close. Note: Restart Symantec Network Security for changes to this parameter to take effect. Setting FlowChaser Router Flow Collection Threads FlowChaser Router Flow Collection Thread determines the number of threads for the FlowChaser database to receive flow data.
  • Page 221 Setting FlowChaser Router Flow Collection Port FlowChaser Router Flow Collection Port sets the UDP port on which routers send flow data to Symantec Network Security. Configure the routers to use this port as well. The default value is 12387. To configure this parameter Click Configuration >...
  • Page 222 In the lower right pane, enter a value. Click Apply. In Apply Changes To, select the node to which to apply the parameter. Click OK to save the changes to this node and close. Note: Restart Symantec Network Security for changes to this parameter to take effect.
  • Page 223: Chapter 9 Reporting

    You can generate reports that appear in table format, and sort the table columns. Symantec Network Security can generate email reports of incidents logged for all Network Security software nodes in the cluster. You can also generate reports on demand about any Network Security software nodes in the cluster.
  • Page 224: Scheduling Reports

    section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.
  • Page 225: Refreshing The List Of Reports

    In Unscheduled Subreports, click a report type, and then click the double right arrows to move it to Scheduled Subreports. The following subreports require additional information: Top Event Types: Enter the number of event types, and click OK. ■...
  • Page 226: Deleting Report Schedules

    Click Actions > Delete, and click OK. Managing scheduled reports Symantec Network Security provides an efficient way to manage scheduled reports using Manage Report Files. Symantec Network Security also provides the Admin menu as an alternative to managing saved reports via the Reports menu.
  • Page 227 To view saved reports In the Network Security console, do one of the following: Click Reports > Schedule Reports. ■ Click Admin > Node > Manage Report Files. ■ In Select Node, choose a node from the pull-down list, and click OK. Do one of the following: In Report Scheduling, click Manage Report Files.
  • Page 228: Reporting Top-Level And Drill-Down

    By supplying report parameters, you can choose the report type. The types of reports that Symantec Network Security generates are described in detail in the following sections.
  • Page 229: About Report Types

    Then select a report type from the pop-up menu that appears. Symantec Network Security will generate the drill-down report based on the data related to the column, bar, pie piece or table row you selected.
  • Page 230: Printing And Saving Reports

    In the Network Security console, click Reports > File > Print. ◆ About top-level report types This section describes the following top-level reports that Symantec Network Security generates, most of which also include drill-down reports: Reports of top events ■...
  • Page 231: Reports Of Top Events

    For example, generate a report on the top 10 unique events or top 100 unique events. To view the number of times any event type occurred, hover the cursor over the event. Symantec Network Security generates the Top Event Types report in the table, pie chart and bar chart formats.
  • Page 232: Reports Per Incident Schedule

    Reports per incident schedule Symantec Network Security generates the following types of incident reports: Table 9-2 Types of incident reports Type Description Incidents per month This report displays the total number of incidents that occurred during each month of the time period you specify.
  • Page 233: Reports Per Event Schedule

    Reports per event schedule Symantec Network Security generates the following types of event reports: Table 9-3 Types of event reports Type Description Events per month This report displays the total number of events detected per month during the time period you specify.
  • Page 234 Symantec Network Security are grouped as RCRS events because RCRS is the vendor ID for Symantec Network Security. You specify the report start and end dates/times. Symantec Network Security generates this report in table, bar, column and pie chart formats. This report has no drill-down reports.
  • Page 235: Reports Per Network Security Device

    You can generate drill-down event lists by source IP from Top Event Sources. Reports per Network Security device Symantec Network Security generates the following types of device reports: Table 9-5 Types of device reports Type...
  • Page 236: Drill-Down-Only Reports

    IP addresses, and the name of the device where the event was detected. Symantec Network Security generates the Event List report in table format only. You can access this report from within any Incidents or Events report, as well as from within the Top Event Destination and Top Event Source reports.
  • Page 237: Querying Flows

    Flow Statistics report. Querying flows FlowChaser serves as a data source in coordination with Symantec Network Security TrackBack, a response mechanism that traces a DoS attack or network flow back to its source. The FlowChaser database can be queried for flows by port and arbitrary address.
  • Page 238: Viewing Current Flows

    Note: SuperUsers, Administrators, and StandardUsers can view flow data; RestrictedUsers cannot. See “User groups reference” on page 319 for more about permissions. Viewing current flows View Current Flows enables you to search against all of the flows collected by FlowChaser.
  • Page 239: Viewing Flow Statistics

    Note: The Network Security console displays the flow data in table format, one page at a time. You can sort the table by clicking the heading of any column. This sort, however, applies only to the page currently displayed, which may be only a portion of the entire report.
  • Page 240: Playing Recorded Traffic

    Match Source or Destination: This will make a broader query on either ■ a source IP or a destination IP. In Match Source and Destination, you can display only flows that pertain to specific source and destination IPs. To make this more focused query, enter data in the following fields: Source IP: Numeric IP address ■...
  • Page 241: Replaying Recorded Traffic Flow Data

    In Packet Replay Tool, view the detailed packet data, one packet at a time. To view all packet data in a session that includes multiple packets, on Symantec Packet Replay Tool, click View > Show Session Window. Return to Symantec Packet Replay Tool, and click Go.
  • Page 243: Chapter 10 Managing Log Files

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 244: About The Operational Log

    About the operational log The operational log records events that Symantec Network Security is processing, such as startup and shutdown of the Network Security software or appliance node, or errors experienced within the node. The Network Security console provides a view of the operational log file of each node via Admin >...
  • Page 245: Viewing Live Log Files

    To view log files In the Network Security console, click Admin > Node > Manage Logs. In Select Node, choose a node from the pull-down list, and click OK. In Log Files, do one of the following: Click a log file to select it.
  • Page 246: Archiving Log Files

    Note: All users can view live log files. See “User groups reference” on page 319 for more about permissions. Archiving log files The Network Security console now provides a way to archive log files easily. The archiving process takes place in the background and may take a few minutes to complete.
  • Page 247: Deleting Log Files

    Click OK to save a copy of the log file in the desired location and exit. Note: SuperUsers and Administrators can copy log files; StandardUsers and RestrictedUsers cannot. See “User groups reference” on page 319 for more about permissions.
  • Page 248: Configuring Automatic Archiving

    Configuring automatic archiving Symantec Network Security provides configuration of automatic log and database tasks via the configurable parameters. SuperUsers and Administrators can configure Symantec Network Security to perform logging tasks automatically, such as archiving, transferring via SCP, rotating, and...
  • Page 249: Archiving Log Files

    In Apply Changes To, select the node to which to apply the parameter. Click OK to save the changes to this node and close. Note: Restart Symantec Network Security for changes to this parameter to take effect. Note: For information about how to manage logs manually, see “About the...
  • Page 250 252. Setting Limit Size for Archive Directory Limit Size for Archive Directory indicates the size at which Symantec Network Security clears the archive directory. If archive data files take more disk space than indicated by this value, then files are removed, starting with the oldest, to satisfy the limit.
  • Page 251 Click OK to save the changes to this node and close. Setting Limit Size for Traffic Record Directory Limit Size for Traffic Record Directory indicates the size at which Symantec Network Security clears the traffic record directory. If traffic record files take more disk space than indicated by this value, then files are removed, starting with the oldest, to satisfy the limit.
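The two Limit Size parameters above share one rule: once the directory exceeds the limit, files are removed oldest first until it fits. The following is an added example, not the product's own archiving code, that implements that rule so you can see how a given limit translates into deletions before you lower it on a node. It builds its own constructed archive in a temporary directory so it runs offline; taking a file's age from its modification time, and the file names and sizes, are assumptions.

```python
"""Prune an archive directory to a size limit, oldest file first.

Added example modelling the Limit Size for Archive Directory and Limit Size
for Traffic Record Directory behaviour the manual describes. Not the product's
code. Files are constructed in a temporary directory; file age is taken from
the modification time, which is an assumption.
"""
import os
import tempfile
import time
from pathlib import Path
from typing import List, Tuple


def prune_to_limit(directory: Path, limit_bytes: int, dry_run: bool = False) -> List[str]:
    """Remove files oldest-first until the directory holds at most limit_bytes.

    Returns the names removed. With dry_run=True nothing is deleted, which is
    the check to run before lowering the parameter on a production node.
    """
    files = [p for p in Path(directory).iterdir() if p.is_file()]
    sizes = {p: p.stat().st_size for p in files}
    total = sum(sizes.values())
    removed = []
    for p in sorted(files, key=lambda f: f.stat().st_mtime):
        if total <= limit_bytes:
            break
        total -= sizes[p]
        removed.append(p.name)
        if not dry_run:
            p.unlink()
    return removed


def build_sample_archive() -> Path:
    """Create four constructed archive files of different sizes and ages."""
    d = Path(tempfile.mkdtemp(prefix="sns_archive_"))
    now = time.time()
    for name, size, age_days in [
        ("ops-2004-01.log.gz", 3000, 30),
        ("ops-2004-02.log.gz", 2000, 20),
        ("ops-2004-03.log.gz", 4000, 10),
        ("ops-2004-04.log.gz", 1000, 1),
    ]:
        p = d / name
        p.write_bytes(b"x" * size)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))   # backdate so the sort order is deterministic
    return d


def demo(limit_bytes: int = 6000) -> Tuple[List[str], List[str]]:
    """Build the sample archive, prune it, and return (removed, remaining)."""
    d = build_sample_archive()
    removed = prune_to_limit(d, limit_bytes)
    remaining = sorted(p.name for p in d.iterdir())
    return removed, remaining


if __name__ == "__main__":
    print(demo())
```

With 10,000 bytes on disk and a 6,000-byte limit, the two oldest files (5,000 bytes together) go and the newest two stay, even though dropping the single 4,000-byte file would also have satisfied the limit: the rule is strictly oldest first, not best fit. Note that a copy or restore that resets modification times will change which files count as oldest, so check the order with dry_run=True after moving an archive.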
  • Page 252: Compressing Log Files

    Compressing log files The Network Security console provides a way to conserve disk space by configuring Symantec Network Security to automatically compress log files when they are archived, regardless of the method of archiving. Log file compression is also useful when transferring via SCP.
  • Page 253 “About the Knowledge Base” page 22. Setting Compression Command Compression Command indicates the command that Symantec Network Security follows to compress operational log or database files during the archiving procedure. If you do not specify a compression command for the software node,...
  • Page 254: Exporting Data

    Event Writer File enables you to export event data to a file in a format that other applications can read, in addition to exporting it to the database. To configure Symantec Network Security to output event data to a file, enter a valid pathname for the Event Writer File. There is no default.
  • Page 255: Exporting To Sesa

    Bridge installation script located in the /usr/SNS/install/sesabridge directory. The SESA Bridge enables you to send events from Symantec Network Security to the SESA management console. The Bridge is not required to use Symantec Network Security in native mode. This section describes the following topics: Integrating with SESA ■...
  • Page 256 Security 7100 Series Implementation Guide for more information about the SESA Bridge. Setting SESA Bridge Export SESA Bridge Export serves as the on/off switch for sending events to Symantec Enterprise Security Administrator (SESA). If this value is true, events are sent to the local SESA Agent to be passed on to a SESA Manager.
  • Page 257: Exporting To Sql

    Connectivity (JDBC) driver identifies the type of database to use, and defines how Symantec Network Security communicates to the database. JDBC drivers for both Oracle and MySQL are included in the installation of Symantec Network Security. You can indicate which driver you want to use, if any, create user login accounts, and establish tables on the database.
  • Page 258 Note: Restart Symantec Network Security for changes to this parameter to take effect. Setting JDBC Driver JDBC Driver indicates the classpath of the JDBC driver that Symantec Network Security uses when exporting to MySQL or Oracle databases. To configure this parameter Click Configuration >...
  • Page 259 Note: Restart Symantec Network Security for changes to this parameter to take effect. Setting DB User DB User indicates the user name that Symantec Network Security uses to authenticate against the database. Make sure to grant the proper permissions to the user.
  • Page 260: Exporting To Syslog

    In Apply Changes To, select the node to which to apply the parameter. Click OK to save the changes to this node and close. Note: Restart Symantec Network Security for a change to this parameter to take effect. Setting DB Password DB Password indicates the password that Symantec Network Security uses to authenticate against the MySQL or Oracle database.
  • Page 261 To do so, you must configure syslog to receive the operational log data, and enable Symantec Network Security to send data to a syslog server by entering a non-zero value for the Echo Operational Log to Syslog parameter. The value must correspond to syslog priority levels 1-4, inclusive.
  • Page 262 Syslog to function. Caution: Make sure that sufficient RAM exists on the system for this parameter. Restart Symantec Network Security for changes to this parameter to take effect. Setting Remote Syslog Destination Host Remote Syslog Destination Host indicates the remote syslog receiver that...
  • Page 263 It may take up to 10 minutes for changes to this parameter to take effect. Setting Remote Syslog Destination Port Remote Syslog Destination Port indicates the remote syslog port that Symantec Network Security uses. The default value is the standard syslog port (514), if not set otherwise. This value does not affect the local UNIX system in any way.
  • Page 264: Transferring Via Scp

    In Apply Changes To, select the node to which to apply the parameter. Click OK to save the changes to this node and close. Note: Restart Symantec Network Security for changes to this parameter to take effect. Caution: Messages exceeding 1024 bytes are not compliant with the BSD Syslog Protocol (RFC 3164), and may be truncated or dropped by syslog servers.
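The syslog export parameters above (Echo Operational Log to Syslog with a priority value of 1 to 4, Remote Syslog Destination Host, Remote Syslog Destination Port defaulting to 514, and the 1024-byte caution) are easiest to reason about against a concrete packet. The following is an added example, not the product's syslog code, that builds BSD syslog packets the way RFC 3164 lays them out and applies the same three settings. Treating the priority parameter as a threshold (a line is echoed when its severity code is at or below the configured value), the LOCAL0 facility, the host name and the sample operational-log lines are assumptions.

```python
"""Echo operational-log lines to a remote syslog receiver as BSD syslog
(RFC 3164) packets.

Added example, not the product's syslog code. It models the parameters the
manual names: Echo Operational Log to Syslog as a priority threshold (1-4),
Remote Syslog Destination Host, the default port 514, and the 1024-byte packet
limit of RFC 3164. The threshold interpretation, LOCAL0 facility, host name and
sample log lines are assumptions.
"""
import socket
from datetime import datetime
from typing import Callable, List, Tuple

SYSLOG_PORT = 514            # manual default, the standard syslog port
MAX_RFC3164_BYTES = 1024     # RFC 3164 4.1: longer packets may be truncated or dropped
FACILITY_LOCAL0 = 16         # assumed facility
# RFC 3164 severity codes; the manual's parameter accepts 1-4
SEVERITY = {"alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return facility * 8 + severity


def format_message(severity: int, hostname: str, tag: str, text: str,
                   when: datetime) -> Tuple[bytes, bool]:
    """Build one packet; return it and whether it had to be truncated."""
    # RFC 3164 timestamp: 'Mmm dd hh:mm:ss' with a space-padded day.
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    line = f"<{encode_pri(FACILITY_LOCAL0, severity)}>{ts} {hostname} {tag}: {text}"
    packet = line.encode("ascii", "replace")
    truncated = len(packet) > MAX_RFC3164_BYTES
    return packet[:MAX_RFC3164_BYTES], truncated


def udp_sender(host: str, port: int = SYSLOG_PORT) -> Callable[[bytes], None]:
    """Return a function that sends one packet to the remote receiver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda packet: sock.sendto(packet, (host, port))


def echo_operational_log(entries, threshold: int, send: Callable[[bytes], None],
                         hostname: str = "sns-node1",
                         when: datetime = None) -> List[Tuple[int, bool]]:
    """Forward every entry whose severity code is at or below the threshold.

    Returns (severity, truncated) for each packet sent, so the caller can
    count how many lines exceeded the RFC 3164 limit.
    """
    if not 1 <= threshold <= 4:
        raise ValueError("Echo Operational Log to Syslog must be 1-4")
    when = when or datetime.now()
    sent = []
    for level, text in entries:
        sev = SEVERITY[level]
        if sev > threshold:          # less urgent than the threshold: not echoed
            continue
        packet, truncated = format_message(sev, hostname, "sns", text, when)
        send(packet)
        sent.append((sev, truncated))
    return sent


# Constructed operational-log lines, not taken from a real node.
SAMPLE_ENTRIES = [
    ("info",    "node startup complete"),
    ("err",     "SNMP alert failed: trap destination unreachable"),
    ("warning", "license expires in 7 days"),
    ("alert",   "iButton token failure " + "detail " * 200),   # well over 1024 bytes
]

if __name__ == "__main__":
    print(echo_operational_log(SAMPLE_ENTRIES, 4, udp_sender("127.0.0.1")))
```

Two things to take from running it: an informational line (severity 6) never leaves the node when the parameter is 4, and a long line is cut at exactly 1024 bytes before it is sent, which is the truncation the caution refers to; if the receiver is the one doing the cutting the tail of the message is simply lost, so keep the descriptive part of an operational-log line at the front.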
  • Page 265 Flag for SCP Usage serves as the on/off switch for SCP transfer. All other SCP parameters must be set properly for SCP transfer to function. If on, Symantec Network Security rotates the logs and exports them to another host for long-term storage.
  • Page 266 In the left pane, under Log & Database Parameters, click this parameter to display it. In the lower right pane, enter either the IP address or hostname of the node in which to place the logs. Note: We recommend that you always use the same name for the software or appliance node when exporting archived logs, establishing an authorized public key, or exporting scheduled reports.
  • Page 267 In the left pane, under Log & Database Parameters, click this parameter to display it. In the lower right pane, enter a path to the destination directory on the remote host in which to place the logs. The user specified in the User Account for SCP parameter must have write permission to this directory.
  • Page 269: Chapter 11 Advanced Configuration

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 270: About Liveupdate

    Backing up LiveUpdate configurations ■ About LiveUpdate Symantec Network Security provides the new LiveUpdate functionality to keep your system updated to the latest software levels in a seamless and timely manner. The Network Security console displays all available updates at any given time, and provides the LiveUpdate interface for you to selectively apply them or schedule them to be automatically applied.
  • Page 271: Scanning For Available Updates

    Scanning for available updates Symantec Network Security provides a list of all available LiveUpdates in the Network Security console. To view available updates In the Network Security console, click Admin > LiveUpdate. In the left pane, select the nodes to receive updates.
  • Page 272: Setting The Liveupdate Server

    In the left pane, select the nodes to receive updates. On the LiveUpdate tab, click Scan For Updates. In the right pane, do one of the following: Click Select All to select the entire list.
  • Page 273: Scheduling Live Updates

    Scheduling live updates This section describes the following topics: Adding or editing automatic updates ■ Deleting automatic update schedules ■ Reverting automatic update schedules ■ Adding or editing automatic updates The Network Security console provides a way to schedule automatic updates. To schedule or reschedule automatic updates In the Network Security console, click Admin >...
  • Page 274: Deleting Automatic Update Schedules

    On the Schedule LiveUpdate tab, click Revert to undo your changes. Backing up LiveUpdate configurations The Network Security console provides a way to customize Symantec Network Security to allow for internal LiveUpdate servers. See the LiveUpdate documentation for this information.
  • Page 275: Managing Node Clusters

    Managing node clusters Clusters are based on a hierarchy consisting of one central master node that receives information from and manages multiple slave nodes. The Network Security console provides a way to configure slave nodes by logging into the master node from the Network Security console, and to view events and incidents from them.
  • Page 276 Create a master high-availability configuration. “Establishing high availability failover” on page 287. Note: Upgrading node clusters requires special consideration. See the Symantec Network Security Installation Guide for more details. Establishing a master node This section describes how to establish a cluster master node using the Network Security console.
  • Page 277 7100 Series appliance nodes to a cluster, using the topology tree. Add a slave node to the topology tree after you install Symantec Network Security on the corresponding slave computer. Similarly, add a 7100 Series node to the topology tree after performing the initial configuration of the appliance itself.
  • Page 278: Managing An Established Cluster

    If you want to re-add a node to the topology database after deleting it, you must do one of the following: For a software node: Reinstall it. ■ See the Symantec Network Security Installation Guide for reinstalling a software node. For an appliance node: Unconfigure and then rerun the initial configuration. ■...
  • Page 279 Security does not synchronize incidents and events. Each node maintains this information separately. Automatic synchronization Synchronization occurs automatically at a random interval so that the nodes in a cluster do not expect updates at the same time. When you edit the master node or the network topology, your changes are automatically synchronized across all nodes in the cluster.
  • Page 280 Note: SuperUsers and Administrators can force a database synchronization; StandardUsers and RestrictedUsers cannot. See “User groups reference” page 319 for more about permissions. Changing node numbers Node numbers cannot be edited directly. If you need to change the node number after adding the node to the topology tree, you must first delete the object, then create a new object, and last, assign a new node number to it.
  • Page 281: Setting A Cluster-Wide Parameter

    “User groups reference” page 319 for more about permissions. Setting a cluster-wide parameter Symantec Network Security provides one cluster parameter called QSP Port Number to ensure communication between all nodes in a cluster. Note: SuperUsers can set parameters; Administrators, StandardUsers, and RestrictedUsers cannot.
  • Page 282: Backing Up Cluster-Wide Data

    Symantec Network Security can be configured to receive events from third-party devices including ManTrap 2.1 and later, and Symantec Decoy Server 3.1, as well as from other third-party security sensors. Symantec Network Security can be configured to aggregate and correlate those events with all other events that Symantec Network Security detects.
  • Page 283: Integrating Via Smart Agents

    Security supports holistic security awareness through real-time third-party event correlation and analysis. Smart Agents enable Symantec Network Security to receive event data from external sensors and correlate that data with all other Network Security events. Symantec Network Security performs some internal Smart Agent configuration for integrating Symantec Decoy Server events.
  • Page 284 ■ Setting EDP Port Number Symantec Network Security communicates with Smart Agents over an EDP proxy (Event Dispatch Protocol). In order to enable a software or appliance node to receive event data from an Smart Agent, the Smart Agent must share an EDP passphrase with the software or appliance nodes.
  • Page 285: Integrating With Symantec Decoy Server

    Caution: Do not use the QSP port for EDP communication. Integrating with Symantec Decoy Server Now you can launch and log into the Symantec Decoy Server console by simply right-clicking any external sensor object in the topology tree and selecting Start Decoy Console.
  • Page 286 In the Network Security console, create an external sensor node for each IP address that will send event data to Symantec Network Security; that is, a separate node for each cage and host. “Adding or editing Smart Agent objects”...
  • Page 287: Establishing High Availability Failover

    Advanced configuration Establishing high availability failover Launching from a known location This section describes how to launch the Symantec Decoy Server console from a known location on the network. To launch the Symantec Decoy Server console from a known location Right-click any external sensor object in the topology tree, and click Start Decoy Console.
  • Page 288: Configuring Availability For Single Nodes

    Configuring availability for single nodes Symantec Network Security provides a parameter to monitor the processes of a single node regularly, and automatically restart any processes that have failed. If a process on a single node fails, the failure recovery feature notes the failure and takes action to restart that process.
  • Page 289: Configuring Availability For Multiple Nodes

    RestrictedUsers cannot. See “User groups reference” on page 319 for more about permissions. Configuring availability for multiple nodes Symantec Network Security provides a set of watchdog parameters to ensure uninterrupted event detection by deploying multiple nodes in a high-availability configuration called failover.
  • Page 290 In a failover group of three, the third standby node continues to monitor without recording, in case the second active node fails. This fault-tolerant feature occurs automatically and transparently, and ensures that Symantec Network Security remains continuously available. Do not confuse high-availability failover with load balancing, in which systems provide balance through database synchronization.
  • Page 291 Advanced configuration Establishing high availability failover To add a failover group To deploy standby nodes as backup, simply add multiple Network Security nodes in the same location to form the failover group, considering the following: ■ You can set up a failover group using both software and appliance...
  • Page 292 292 Advanced configuration Establishing high availability failover Removing nodes from a failover group Symantec Network Security provides an efficient way to remove nodes from a failover group. To remove a node from a failover group In the Network Security console, edit the active or standby objects in the network topology tree.
  • Page 293: Configuring Watchdog Processes

    Symantec Network Security provides a set of parameters that you can use to configure watchdog processes. Watchdog processes monitor each node closely, and if a failure occurs on any node, Symantec Network Security makes a number of attempts to reboot or restart the downed node. If the attempts to reboot or...
  • Page 294 294 Advanced configuration Establishing high availability failover restart also fail, then Symantec Network Security shifts or fails over to the standby node. Watchdog processes are advanced configurations that employ advanced parameters. Make sure that sufficient RAM exists on the system. When...
  • Page 295 Watchdog Process Stop Window determines the time period during which Symantec Network Security decides if failures occur at too high a rate. If a node fails too many times during this time period, then it shuts down and fails over to the standby node.
  • Page 296 The default value is false. If set to true, Symantec Network Security restarts the product on failure. If this value is not set, the default is to reboot the system on failure.
  • Page 297: Backing Up And Restoring

    Setting Watchdog Process Email Watchdog Process Email indicates the email address to which Symantec Network Security sends a notification that it has failed over. If this value is not set, no email is sent.
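The watchdog decision described on pages 293 through 297 (Stop Window, Maximum Resets, Restart Only, and the failover email) modelled as an added Python example; this is not Symantec's code, and the window unit, the "more than Maximum Resets inside the window" counting rule, and the notification text are assumptions drawn from the manual's prose.

```python
"""Illustrative model of the Symantec Network Security watchdog decision.

Added example, not product code.  Assumed semantics (from the manual's prose):
  - a failure inside the Stop Window counts toward the reset budget;
  - more than Maximum Resets failures inside the window means the failure
    rate is too high, so the node shuts down and fails over to the standby;
  - otherwise the node is recovered in place: restart only the product when
    Restart Only is true, reboot the whole system when it is false (default);
  - a notification is sent on failover only when an email address is set.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Optional, Tuple


@dataclass
class WatchdogConfig:
    stop_window_seconds: float       # Watchdog Process Stop Window (assumed unit: seconds)
    max_resets: int                  # Watchdog Process Maximum Resets allowed inside the window
    restart_only: bool = False       # Watchdog Process Restart Only (manual: default false)
    email: Optional[str] = None      # Watchdog Process Email (None: no notification is sent)


@dataclass
class Watchdog:
    """Tracks the failures of one active node and chooses the recovery action."""
    cfg: WatchdogConfig
    failures: Deque[float] = field(default_factory=deque)
    failed_over: bool = False
    notifications: List[Tuple[str, str]] = field(default_factory=list)

    def on_failure(self, now: float) -> str:
        """Record a failure at time `now` and return the action taken.

        Returns 'restart_product', 'reboot_system', 'failover', or
        'already_failed_over' once the standby node has taken over.
        """
        if self.failed_over:
            return "already_failed_over"
        self.failures.append(now)
        # Forget failures older than the stop window: only failures inside the
        # window count toward the "failures occur at too high a rate" decision.
        while self.failures and now - self.failures[0] > self.cfg.stop_window_seconds:
            self.failures.popleft()
        if len(self.failures) > self.cfg.max_resets:
            return self._fail_over()
        # Reset budget not exhausted: recover the node in place.
        return "restart_product" if self.cfg.restart_only else "reboot_system"

    def _fail_over(self) -> str:
        """Shut the active node down, hand over to the standby, notify if configured."""
        self.failed_over = True
        self.failures.clear()
        if self.cfg.email:  # manual: if no address is set, no email is sent
            self.notifications.append((self.cfg.email, "active node failed over to standby"))
        return "failover"


def simulate(cfg: WatchdogConfig, failure_times: List[float]) -> List[str]:
    """Replay a sequence of failure timestamps and return the action taken for each."""
    wd = Watchdog(cfg)
    return [wd.on_failure(t) for t in failure_times]


if __name__ == "__main__":
    # Constructed timestamps: three failures 10 s apart, then one more after failover.
    burst = [0.0, 10.0, 20.0, 30.0]
    cfg = WatchdogConfig(stop_window_seconds=60, max_resets=2, email="noc@example.invalid")
    print(simulate(cfg, burst))            # reboot, reboot, failover, already_failed_over
    # The same number of failures spread beyond the window never trips failover.
    print(simulate(WatchdogConfig(60, 2, restart_only=True), [0.0, 100.0, 200.0]))
```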
  • Page 298: Backing Up And Restoring On The Network Security Console

    ■ Backing up Symantec Network Security configurations The Network Security console provides a way to back up a Symantec Network Security configuration. The backup procedure includes most configuration data such as topology, parameter, policy, and report configurations, but does not include collected data such as flow records, traffic record sessions, and generated reports.
  • Page 299 “Setting policies to interfaces” on page 115. Copying Symantec Network Security configurations The Network Security console provides a way to copy a configuration of Symantec Network Security easily.
  • Page 300 319 for more about permissions. Restoring Symantec Network Security configurations Symantec Network Security provides a way to restore a previous configuration to an entire cluster, so that all information that was synchronized throughout the cluster reverts to the original values. SuperUsers can do this...
  • Page 301 “User groups reference” page 319 for more about permissions. Restoring an old configuration Symantec Network Security provides a way to restore an existing configuration using the Network Security console. To restore an old configuration In the Network Security console, click Admin > Node > Manage Backups.
  • Page 302: Backing Up And Restoring On Compact Flash

    To mount the CF card, you must reboot the appliance after inserting the card into the adaptor. For more information about using the compact flash, see the Symantec Network Security 7100 Series Implementation Guide. To back up a configuration onto compact flash In the Network Security console, click Admin >...
  • Page 303 Advanced configuration Backing up and restoring In Actions, click Backup Current Configuration. In Backup Name, type in a file name for the backup, and click OK. Network Security adds a timestamp to the filename to ensure uniqueness. When the progress bar closes, click Refresh Table to view the backup. Note: SuperUsers and Administrators can back up a configuration using a compact flash card (CF);...
  • Page 304 Backing up and restoring Saving initial configuration to compact flash If the compact flash card is available, Symantec Network Security automatically saves the configuration file to the CF card. Saving a node’s configuration information to compact flash provides a way to control the configuration of one or more appliances you are adding to a cluster.
  • Page 305 Advanced configuration Backing up and restoring Saving initial configuration to the hard drive If no compact flash card is available during the save operation, the configuration is saved to the hard drive on the node. To save an initial configuration to the hard drive Do one of the following: ■ On Devices, right-click the 7100 Series node object whose configuration...
  • Page 306 Warning: The Revert to Original Install process will completely remove Symantec Network Security on the appliance. The node will also be removed from the topology in the Network Security console.
  • Page 307 ■ Click No to exit the process. ■ In Generating SSH Keys, wait while Symantec Network Security generates the SSH keys. In Public Key, read the public key filename at the top, and the instructions for installing it on the target host.
  • Page 308: Configuring Advanced Parameters

    7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance.
  • Page 309: About Parameters For Clusters, Nodes, And Sensors

    Two sets of parameters exist, for basic setup and customizing to your environment, and for advanced tuning for specialized circumstances. ■ Basic: Include the basic tools to customize Symantec Network Security to your environment. ■ Advanced: In most circumstances, advanced parameters are set with...
  • Page 310: Configuring Node Parameters

    Click OK to save the changes to this sensor and close. Note: We recommend that you periodically back up the configuration database. “Backing up Symantec Network Security configurations” on page 298. Note: SuperUsers can configure advanced cluster, node, and sensor parameters;...
  • Page 311: Configuring Network Security Console Parameters

    Advanced configuration Configuring advanced parameters Integrating via Smart Agents ■ Setting email notification parameters ■ Configuring watchdog processes ■ Configuring automatic archiving ■ Transferring via SCP ■ Exporting to file ■ Setting automatic logging levels ■ Exporting to SESA ■ Exporting to SQL ■...
  • Page 312 ■ Make sure that the system has enough RAM to support this advanced parameter. ■ Restart Symantec Network Security for changes to this parameter to take effect. Setting Event Destination Hashes Event Destination Hashes balance the rate of incoming events and adjust the analyzing logic by setting the number of destination buckets to keep.
  • Page 313 ■ Make sure that the system has enough RAM to support this advanced parameter. ■ Restart Symantec Network Security for changes to this parameter to take effect. Setting Event Queue Length Event Queue Length prevents the system from becoming overloaded during a denial-of-service attack.
  • Page 314 ■ Make sure that the system has enough RAM to support this advanced parameter. ■ Restart Symantec Network Security for changes to this parameter to take effect. Setting Event Rate Throttle Event Rate Throttle protects against system failure during flood attacks by controlling the rate at which the system accepts events.
  • Page 315 Advanced configuration Configuring advanced parameters ■ Restart Symantec Network Security for changes to this parameter to take effect.
  • Page 317: Appendices

    Part IV Appendices The following appendices provide additional reference information: User groups reference ■ SQL reference ■...
  • Page 319: Appendix A User Groups Reference

    About group permissions Symantec Network Security grants specific sets of permissions and access to each of the four user groups: SuperUser, Administrator, StandardUser, and RestrictedUser. The four groups and their respective permissions are predefined, and SuperUsers cannot modify them.
  • Page 320: Permissions By Group

    Permissions by task ■ Permissions by group Symantec Network Security grants specific sets of permissions and access to each of the four user groups: SuperUser, Administrator, StandardUser, and RestrictedUser. The four groups and their respective permissions are predefined, and SuperUsers cannot modify them.
  • Page 321: Permissions By Task

    User groups reference About user groups Permissions by task This table describes which tasks can be performed by each user group. Table A-1 User account capabilities (columns: Task; SuperUser; Administrator; StandardUser; RestrictedUser) Analyst Note Template: SuperUser - Allowed to edit template; Administrator - Allowed to edit template; StandardUser - Not allowed; RestrictedUser - Not allowed...
  • Page 322 322 User groups reference About user groups Table A-1 User account capabilities (columns: Task; SuperUser; Administrator; StandardUser; RestrictedUser) Force Database Sync: SuperUser - Allowed to force database sync; Administrator - Allowed to force database sync; StandardUser - Not allowed; RestrictedUser - Not allowed. Incidents, Columns...: SuperUser - Allowed to view; Administrator - Allowed to view; StandardUser - Allowed to view; RestrictedUser - Allowed to view...
  • Page 323 Protection Policies: SuperUser - Allowed to add, apply, clone, edit, delete; Administrator - Allowed to add, apply, clone, edit, delete; StandardUser - Allowed to view; RestrictedUser - Allowed to view. Reboot Symantec Network Security Nodes: SuperUser - Allowed to reboot; Administrator - Not allowed; StandardUser - Not allowed; RestrictedUser - Not allowed. Reports, ...: SuperUser - Allowed to generate...
  • Page 324 324 User groups reference About user groups Table A-1 User account capabilities (columns: Task; SuperUser; Administrator; StandardUser; RestrictedUser) Topology tree, edit nodes: SuperUser - Allowed to view, add, edit, and delete all objects in the topology tree; Administrator - Allowed to view, add, edit, and delete most objects in the topology tree; StandardUser - Allowed to view; RestrictedUser - Allowed to view...
  • Page 325: About Sql Export Parameters

    Using MySQL tables ■ About SQL export parameters Symantec Network Security can export event and incident data to two supported SQL-compliant databases: Oracle 9i and MySQL 4.0. SuperUsers can enable this functionality. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality.
  • Page 326: Using Oracle Tables

    Oracle incident table ■ Oracle event table ■ Oracle incident table The following table describes the structure of the table that Symantec Network Security uses to export incident data to an Oracle database: Table B-1 Oracle Incident Table Field Name...
  • Page 327 SQL reference Using Oracle tables Table B-1 Oracle Incident Table (columns: Field Name; Type; Description; Notes) devid varchar(33): Indicates the ID of the device (deviceID from topology table) where the best event was detected. Notes: Used internally. devName varchar(33): Indicates the device name of the best event. eventNum integer: Indicates the eventNum of the best event.
  • Page 328: Oracle Event Table

    Security console user, but has changed since. Oracle event table The following table describes the structure of the SQL table that is used when Symantec Network Security exports event data to an Oracle database: Table B-2 Oracle Event Table Field Name...
  • Page 329 Indicates the end time for this event, according to the sensor. Notes: Standard UNIX time format. eventCode varchar(65): Indicates the Symantec standard code representing the event. eventNum integer: Indicates the event number for this incident. The first event in an incident will have an eventNum of 1.
  • Page 330 330 SQL reference Using Oracle tables Table B-2 Oracle Event Table (columns: Field Name; Type; Description; Notes) flowcookie varchar(1025): Indicates the flowcookie. fmly varchar(33): Indicates the event family. For class=sniffer events, this is integrity or availability. For class=generic events, this is fnotice or notice. guiTxt varchar(65)
  • Page 331 SQL reference Using Oracle tables Table B-2 Oracle Event Table (columns: Field Name; Type; Description; Notes) poolID varchar(33): Indicates the ID of the pool ("poolID" from ifpooldb) where this event was detected. Notes: Used internally. poolName varchar(41): Indicates the name of the interface group where this event was detected.
  • Page 332: Using Mysql Tables

    MySQL incident table ■ MySQL event table ■ MySQL incident table The following table describes the structure of the table that Symantec Network Security uses to export incident data to a MySQL database: Table B-3 MySQL Incident Table Field Name...
  • Page 333 SQL reference Using MySQL tables Table B-3 MySQL Incident Table (columns: Field Name; Type; Description; Notes) hasNote integer: Indicates whether there are annotations for this incident. Notes: 0 = no annotations; 1 = has annotations. ident varchar(33): Indicates the unique identifier for each type of message.
  • Page 334: Mysql Event Table

    2 = Marked by a Network Security console user, but has changed since. MySQL event table The following table describes the structure of the table that Symantec Network Security uses to export event data to a MySQL database: Table B-4 MySQL Event Table...
  • Page 335 Indicates the end time for this event, according to the sensor. Notes: Standard UNIX time format. eventCode varchar(65): Indicates the Symantec standard code representing the event. eventNum integer: Indicates the event number for this incident. The first event in an incident will have an eventNum of 1.
  • Page 336 336 SQL reference Using MySQL tables Table B-4 MySQL Event Table (columns: Field Name; Type; Description; Notes) hdrInfo text: Indicates the TCP/IP header information OR full packet. Notes: Base-64 encoded. ident varchar(33): Indicates the unique identifier for each type of message. ifID varchar(33): Indicates the ID of the interface (interfaceID... Notes: Used internally...
  • Page 337 SQL reference Using MySQL tables Table B-4 MySQL Event Table (columns: Field Name; Type; Description; Notes) reliability integer: Indicates the reliability of this event. Notes: Valid values are 1-10. severity integer: Indicates the severity of this event. Notes: Valid values are 1-10. sips varchar(195): Indicates a list of source IPs for this event.
  • Page 339: Glossary

    Glossary This appendix defines terms used in this guide to categorize attack elements and system elements. 1000Base-SX 1000 Mbps (1 Gbps) baseband Ethernet over two multimode optical fibers using shortwave laser optics. access control The mechanisms and policies that restrict access to computer resources. An access control list (ACL), for example, specifies what operations different users can perform on specific files and directories.
  • Page 340 The front panel of a Symantec Network Security 7100 Series appliance. blocking A configured mode for preventing malicious or unwanted network traffic from passing a...
  • Page 341 The measure of a threat's technical expertise or knowledge of a system's connectivity. CD start A screen that is usually the first thing a customer will see after inserting the Symantec product CD. certificate A file that is used by cryptographic systems as proof of identity. It contains a user's name and public key.
  • Page 342 console The graphical user interface (GUI) that is provided for centralized administration of software and appliance nodes and node clusters in Symantec Network Security. content scanning or screening The ability to review the actual information that an end user sees when using a specific Internet application, for example, the content of email messages.
  • Page 343 Typically, denial of service attacks are aimed at bandwidth control. deployment The installation of a network of security products, such as Symantec Network Security (nodes and Network Security console), Symantec Network Security 7100 Series appliances, and Symantec Network Security Smart Agents to form an enterprise security environment.
  • Page 344 344 Glossary digital certificate A digital certificate is an electronic credit card that establishes a user's credentials when doing business or other transactions on the Web. It is issued by a Certificate Authority (CA). It contains the user's name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
  • Page 345 A predefined event category that is used for sorting reports and configuring events and alerts. event, base A significant occurrence in a system or application that Symantec Network Security detects. Base events are the detected activities at the most elemental level. For detailed descriptions of events, see “About the Web sites”...
  • Page 346 FQDN (fully qualified domain name) A URL that consists of a host and domain name, including top-level domain. For example, www.symantec.com is a fully qualified domain name. www is the host, symantec is the second-level domain, and .com is the top-level domain.
  • Page 347 For example, hack tools, accessware, spyware, adware, dialers, and joke programs. group A category of user accounts in Symantec Network Security that contains specific, predefined permissions and rights. See also user account.
  • Page 348 348 Glossary host-based security The technique of securing an individual system from attack. Host-based security is operating system-dependent and version-dependent. HTML (Hypertext Markup Language) A standard set of commands used to structure documents and format text so that it can be used on the Web.
  • Page 349 A designated port (also called copy port or mirror port) that creates a copy of the traffic flow on a specific network device. The monitor interface sends this data to Symantec Network Security to examine out-of-band so there is no loss of network functionality.
  • Page 350 A unique identification number used to register a Symantec product. local attack An attack that takes place against a computer or a network to which the attacker already has either physical or legitimate remote access.
  • Page 351 On condition and an Off condition. For example, in-line mode for interfaces in a Symantec Network Security 7100 Series appliance is On if a security administrator configures those interfaces for in-line mode, and does the proper cabling of the ports. Using in-line mode, the appliance is placed into the network path, and can block malicious traffic.
  • Page 352 A Symantec Network Security installation that ranks below a master Network Security node in a group or cluster. By default, the first Symantec Network Security installation is designated as a master node, and all other Network Security nodes within the cluster are designated as slave nodes.
  • Page 353 Glossary node, standby The secondary node or nodes in a watchdog process or failover group. Standby nodes monitor traffic flows on designated network devices, but do not log data unless the active node fails. Standby nodes wait until the active node is out of commission before becoming active.
  • Page 354 A set of rights of a user determining the level of access to Symantec Network Security components and functions. Permissions are granted through assignment of predefined accounts to Users. See user account.
  • Page 355 Glossary physical exposure A rating used to calculate vulnerability that is based on whether a threat must have physical access to your system to exploit a vulnerability. PIN (personal identification number) In computer security, a number used during the authentication process that is known only to the user.
  • Page 356 TCP protocol to manage connections, and the IP protocol to deliver data. Protocol Anomaly Detection One of an array of methodologies by which Symantec Network Security inspects network traffic, compares observed behavior during network protocol exchange to structured protocols, analyzes defiant behavior in context, and detects deviations from the norm.
  • Page 357 The process of duplicating data from one database to another. report A set of data that is collected by Symantec Network Security that allows all types of data to be selectively examined, scheduled, exported, or printed. reset An action that clears any changes made since the last apply or reset action.
  • Page 358 358 Glossary role-based administration A method of administration in which access rights or permissions are granted to user roles in hierarchical responsibilities. The set of permissions defines the administrative or user positions. ROM (read-only memory) The memory that is stored on the hard drive of the computer. Its contents cannot be accessed or modified by the computer user, but can only be read.
  • Page 359 Glossary SESA (Symantec Enterprise Security Architecture) The centralized, scalable management architecture that is used by Symantec's security products. session In communications, the time during which two computers maintain a connection and, usually, are engaged in transferring information. setting A collection of parameters (key/value pairs, data blobs, and so on).
  • Page 360 360 Glossary SOCKS A security package that allows a host behind a firewall to use finger, FTP, telnet, Gopher, and Mosaic to access resources outside the firewall while maintaining the security requirements. software The instructions for the computer to perform a particular task. A series of instructions that performs a particular task is called a program.
  • Page 361 Symantec Network Security Smart Agents Formerly called MSAs, the Symantec Network Security Smart Agents are translation software that enables Symantec Network Security to receive event data from external sensors and correlate that data with all other events.
  • Page 362 362 Glossary Telnet The main Internet protocol for creating an interactive control connection with a remote computer. Telnet is the most common way of allowing users a remote connection to a network, as with telecommuters or remote workers. text field The area in which a user can type text.
  • Page 363 The tracking and denying of user access to undesirable Web sites based on predefined site content. user A person who is enabled to perform Symantec Network Security administrative tasks, such as view reports or receive notifications. See also SuperUser, Administrator, StandardUser, and RestrictedUser.
  • Page 364 364 Glossary user account A file that contains information that identifies a user to the system. This information includes the user name and password, the groups in which the user account has membership, and the rights and permissions that the user has for using the system and accessing its resources.
  • Page 365 Glossary VPN (virtual private network) A network that has characteristics of a private network such as a LAN, but which is built on a public network such as the Internet. VPNs allow organizations to implement private networks between geographically separate offices and remote or mobile employees by means of encryption and tunneling protocols.
  • Page 367 Distributed denial of service Demilitarized Zone Domain Name System Denial of Service Dynamic Security Extension Event Dispatch Protocol (external hostile structured) threat (external hostile unstructured) threat Event Stream Provider, a Symantec Network Security component (Encapsulated Security Payload) FDDI Fiber Distributed Data Interface...
  • Page 368 368 Acronyms FQDN Fully qualified domain name File Transfer Protocol Greenwich Mean Time Graphical user interface HMAC Hash Message Authentication Code HTML HyperText Markup Language HTTP HyperText Transfer Protocol HTTPS Hypertext Transfer Protocol Secure ICMP Internet Control Message Protocol "I-Seek-You,"...
  • Page 369 Acronyms Local area network LDAP Lightweight Directory Access Protocol Media Access Control Management Information Base MIME Multipurpose Internet Mail Extensions Not Applicable NACS NetWare Asynchronous Communication Services Network Address Retention NASI NetWare Asynchronous Services Interface Network Address Translation NCSA National Computer Security Association Network Interface Card NIDS Network-based intrusion detection system...
  • Page 370 370 Acronyms Routing Information Protocol Read-only memory S/MIME Secure/Multipurpose Internet Mail Extensions Secure Copy Protocol SESA Symantec Enterprise Security Architecture SLIP Serial Line Internet Protocol Standard Message Format SMON See Monitored Interfaces Simple Management Protocol SMTP Simple Mail Transfer Protocol...
  • Page 371 Index Numerics Administrators about 320 7100 Series. See appliances pre-defined login account 200 advanced parameters configuring 308, 311 alert manager access node architecture 35 controlling users 59 alerting. See logging accounts alerts. See notifications about administration of 33 analysis user 319 about 30 user login permissions 321 about correlation 30...
  • Page 372 62 refreshing the configuration list 300 applying response rules database 135 flow data collection 219 Symantec Network Security 297 incident view during failover 292 using compact flash 302 LiveUpdates 271 via compact flash 40 parameters to nodes 309, 310...
  • Page 373 Cluster ID console response action setting node parameters 257 configuring 152 cluster parameters console. See Network Security console, serial about 309 console, Symantec Decoy Server console, LCD clusters panel about deployment 60 conventions about parameters 63 node description 77 adding slave nodes 277...
  • Page 374 226 response rules 135 removing signatures 183 saved reports 228 signature 179 signature variables 185 Symantec signatures 28, 179 user login accounts 56 upgrading signatures 183 user-defined protection policies 125 user-defined signatures 180 denial of service. See DoS...
  • Page 375 100 Enable Watchdog Process interface groups 98 setting node parameters 294 LiveUpdates 273 enabling location objects 84 Symantec Decoy Server 285 monitoring interfaces on appliance nodes 96 EngineUpdates monitoring interfaces on software nodes 90 about 269 network segments 108 errors...
  • Page 376 376 Index Event Correlation ‘Source IP’ Weight events (cont.) setting node parameters 216 list reports 236 Event Correlation ‘Source Port’ Weight modifying the view 47 setting node parameters 217 modifying the view of types 47 Event Delay Time next action parameter 140 setting sensor parameters 167 none option 142 Event Destination Hashes...
  • Page 377 Index flows (cont.) devices with statistics 235 fail-open enabling data collection 219 about 39, 62 mask for alert rules 157 failover querying 237 configuring watchdog group 290 replaying traffic 241 configuring watchdog parameters 293 reports by destination address 236 viewing incidents during 292 reports by destination port 237 failures reports by protocol 237...
  • Page 378 378 Index in-line (cont.) about blocking 112 iButton about bypass unit 17 certificate expiration 199 about deployment 60 See also software token bypass unit 39 signing rotated event log 252 creating in-line pairs 100 token failure 199 creating interface groups 98 ICMP Saturation Alert Threshold enabling blocking on in-line pairs 123 setting sensor parameters 166...
  • Page 379 57 preventing cleartext passwords 149 via user interfaces 44 viewing non-logged events 122 managing flow statistics 219 login ManTrap. See Symantec Decoy Server adding user accounts 55 mapping deleting user login accounts 56 adding ports 178 editing user accounts 56...
  • Page 380 380 Index mapping (cont.) monitoring interfaces (cont.) ports 177 on appliance nodes 95 topology 74 on software nodes 89 your network 75 MSAs. See Smart Agents marking MySQL incidents as viewed 207 event table 334 master nodes exporting to 257 adding 86 incident table 332 adding appliance 92...
  • Page 381 Index networks (cont.) nodes (cont.) sample topology map 61, 76 single-node availability 288 topology map 75 status indicator 47, 79 viewing advanced options 88, 94 stopping from the LCD panel 54 viewing the monitoring interface networks stopping from the serial console 51 tab 91 synchronization in cluster 279 next action...
  • Page 382 382 Index Oracle parameters (cont.) event table 328 setting Enable Flow Statistics Collection 163 exporting to 257 setting Enable Full Packet Capture 163 incident table 326 setting Enable IPv4 Header Checksum using tables 326 Validation 168 Other Saturation Alert Threshold setting Enable TCP Checksum Validation 169 setting sensor parameters 167 setting Enable UDP Checksum Validation 169...
  • Page 383 Index parameters (cont.) parameters (cont.) setting Maximum Login Failures 59 setting Watchdog Process Maximum setting Maximum Time to Streak Analysis 173 Resets 295 setting Operational Logging Level 248 setting Watchdog Process Restart Only 289, setting Other Saturation Alert Threshold 167 setting Packet Counter Interval 170 setting Watchdog Process Stop Window 295 setting QSP Port Number 281...
  • Page 384 384 Index policies (cont.) protection policies (cont.) enabling blocking 123 adjusting the view 117 enabling logging rules 122 annotating 126 Full Event List tab 113 applying to save 115 modifying the view 47 Auto Update tab 113 Notes tab 113 backing up 128 overriding blocking rules 115 cloning 121...
  • Page 385 Index reports (cont.) deleting schedules 226 drill-down 236 query service proxy. See QSP exporting saved 227 secure communication 35 format 228 setting port number for cluster 281 managing scheduled 226 QSP Port Number per event schedule 233 setting cluster parameter 281 per incident schedule 232 queries per Network Security device 235...
  • Page 386 139 old configurations 301 setting event sources 139 on Network Security console 298 setting event targets 136 Symantec Network Security 297 setting event types 136 using compact flash 303 setting next actions 140 via compact flash 40...
  • Page 387 Network Security console 49 importing 183 restarting in a cluster 281 managing 180 restarting or stopping 161 removing 183 setting Packet Counter Interval parameter 170 resolving compile errors 183 tweaking sensitivity 162, 169 Symantec 28, 179 upgrading 183...
  • Page 388 289 adding external sensor nodes 104 adding or editing 105 stateful signatures. See signatures communicating via EDP proxy 284 statistics communicating with Symantec Network devices with flow 235 Security 106, 284 stopping third-party integration 283 end time 194...
  • Page 389 103 tabs adding router nodes 102 about Advanced Network Options tab 88, 94 adding Symantec Decoy Server nodes 285 about Auto Update tab 113, 125 backing up 83 about Devices tab 33, 72, 190 deleting nodes 81...
  • Page 390 72 protection policies 125 saving changes 82 scanning for LiveUpdates 271 TrackBack Symantec Network Security 269 about 18, 19 upgrading configuring 147 node clusters 276 flow data collection 219 User Account for SCP limitation with Traffic Record 152...
  • Page 391 Index viewing (cont.) event details 197 expanding and collapsing the view 46 flow alert rules 155 incident details 193 incidents and events 191 live logs 245 logs 244 marking as viewed 207 monitoring groups 68 Network Security console 46 object details 74 objects 79 response rules 132 saved reports 226...