Symantec 10521146 - Network Security 7120 Administration Manual page 27

Administration guide

Users can increase the detection capabilities by using Flow Alert Rules and
adding user-defined signatures. Flow alert rules allow users to monitor network
policy and respond to traffic to or from IP address and port combinations.
User-defined signatures allow users to add network patterns to the supported
set, and tune them to a specific network environment. Examples include
monitoring proprietary protocols, searching for honey-tokens, or detecting
disallowed application versions.
Symantec Network Security can also integrate event data from third-party
devices, enabling you to combine existing intrusion detection products with
Symantec Network Security's high speed and zero-day attack detection
capabilities.
This section describes the layers of the detection model:
About protocol anomaly detection
About Symantec signatures
About user-defined signatures
Monitoring traffic rate
About DoS detection
About external EDP
About protocol anomaly detection
Symantec Network Security's Protocol Anomaly Detection (PAD) is a form of
anomaly detection. PAD detects threats by noting deviations from expected
activity, rather than known forms of misuse. Anomaly detection looks for
expected or acceptable traffic, and alerts when it does not see it. This is the
complement of a signature-based approach, which looks for abnormal,
unexpected, or unacceptable traffic.
Symantec Network Security provides in-depth models of the most frequently
used network protocols, providing extensive detection capability that goes
beyond simpler forms of protocol analysis. These models provide much deeper
detection and fewer false positives because they are able to follow a client-server
exchange throughout the life of the connection. For example, if a protocol
defines the size of a field, and Symantec Network Security detects a field that
breaches the defined size, it will trigger an alert.
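The following added example (not Symantec code) illustrates the two complementary layers described above on a constructed, line-oriented request protocol: a PAD-style model that follows the exchange across the whole connection and alerts on a field that breaches its defined size or a command out of sequence, beside a small signature list that matches known misuse patterns. The protocol, its size limits and the signature identifiers are all assumptions made for the example.

```python
import re

# Constructed protocol model: command -> (max argument bytes, states it may follow).
# The byte limits stand in for "the size of a field" defined by a real protocol.
PROTOCOL_MODEL = {
    "HELLO": (64, {"START"}),
    "LOGIN": (32, {"HELLO"}),
    "GET":   (255, {"LOGIN"}),
    "QUIT":  (0, {"HELLO", "LOGIN", "GET"}),
}

# Signature layer: known-bad patterns (constructed sample signatures, hypothetical ids).
SIGNATURES = [
    ("sig-toy-001", re.compile(rb"\.\./")),    # directory traversal marker
    ("sig-toy-002", re.compile(rb"\x90{8,}")),  # NOP-sled style filler
]


def analyze_session(lines):
    """Return (line_no, layer, reason) alerts for one client->server exchange.

    `lines` is the ordered list of raw command lines the client sent on a
    single connection, so the PAD state is kept for the life of that connection.
    """
    alerts = []
    state = "START"
    for n, raw in enumerate(lines, 1):
        parts = raw.rstrip(b"\r\n").split(b" ", 1)
        cmd = parts[0].decode("ascii", "replace").upper()
        arg = parts[1] if len(parts) > 1 else b""
        # Signature layer: stateless match against known misuse patterns.
        for sig_id, pattern in SIGNATURES:
            if pattern.search(raw):
                alerts.append((n, "signature", sig_id))
        # PAD layer, check 1: a command the protocol does not define.
        if cmd not in PROTOCOL_MODEL:
            alerts.append((n, "pad", f"unknown command {cmd!r}"))
            continue
        max_len, allowed_prev = PROTOCOL_MODEL[cmd]
        # PAD layer, check 2: the field breaches the size the protocol defines.
        if len(arg) > max_len:
            alerts.append((n, "pad", f"{cmd} argument {len(arg)}B exceeds {max_len}B"))
        # PAD layer, check 3: the command is out of order for this connection.
        if state not in allowed_prev:
            alerts.append((n, "pad", f"{cmd} not expected after {state}"))
        state = cmd
    return alerts
```

A well-formed session (HELLO, LOGIN, GET, QUIT) produces no alerts, while an oversized LOGIN argument is reported by the PAD layer even though no signature matches it.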
Symantec Network Security has overcome the problem of overly generic alerts,
one of the major issues surrounding PAD. During a zero-day attack, a
general PAD alert is often all that is possible. However, soon after a new threat is
discovered, it is often identified by a name and assigned a unique identifier by
authorities. These organizations publish descriptions of the threat and provide
Architecture
About the core architecture