About Response - Symantec 10521146 - Network Security 7120 Administration Manual

About response

About cross-node correlation
Cross-node correlation is a feature that lets the software and appliance nodes in
a cluster communicate with each other and recognize when different nodes are
monitoring similar incidents. Symantec Network Security collects events from both
local and remote sources and organizes them into a single, rate-controlled
stream. It compares each new event with the existing event groups and judges
whether they are similar. It writes all events and analysis results to a local
database, evaluates them against protection policies and response rules, and then
takes action if appropriate.
Without correlation, if two peer nodes detect the same attack, each node treats it
as a separate incident and knows nothing of what the other node sees. When Symantec
Network Security applies cross-node correlation to the incidents detected by two
nodes in a cluster, each incident gains a reference to the other and the cluster
remains aware that the two may be the same or a related attack. The Network
Security console then displays both as a single incident.
Protection policies and response rules are collections of rules configured to
detect specific events and to take specific actions in response to them.
Protection policies act at the point of detection: on a 7100 Series appliance
deployed in-line, you can configure Symantec Network Security to block the
offending traffic before it enters the network. Response rules can be configured
to react automatically and immediately to contain and respond to intrusion
attempts.
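The event flow described above, as an added worked example that is not Symantec's own code: a small Python correlator merges events from a local and a remote node into one time-ordered, rate-capped stream, groups similar events into per-node incidents, adds mutual references between incidents that peer nodes detect, reports which incidents the console would show as one, and evaluates each incident against a response rule table. The similarity test (same signature, source and destination within 60 seconds), the per-second cap, the Event/Incident fields, the rule format and the action names are assumptions made for illustration; the sample events are constructed.

```python
# Added illustration of the flow described above (collect, rate-control, group by
# similarity, cross-node correlate, evaluate response rules). This is not Symantec
# Network Security code; the field names, similarity test, 60-second window,
# per-second cap and rule format are assumptions made for this example.
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    node: str        # node that observed the event
    ts: float        # seconds since start of capture (constructed values)
    signature: str   # detection signature or anomaly name
    src: str
    dst: str


@dataclass
class Incident:
    incident_id: int
    node: str
    signature: str
    src: str
    dst: str
    last_ts: float
    events: list = field(default_factory=list)
    related: set = field(default_factory=set)   # ids of peer-node incidents


WINDOW = 60.0             # assumed: events this close in time may belong together
MAX_EVENTS_PER_SEC = 100  # assumed cap for the rate-controlled stream


def rate_controlled_stream(local, remote):
    """Merge local and remote events into one time-ordered stream, keeping at
    most MAX_EVENTS_PER_SEC per one-second bucket (a crude stand-in for rate
    control; a real engine would queue or sample rather than simply drop)."""
    out, bucket, count = [], None, 0
    for ev in sorted(local + remote, key=lambda e: e.ts):
        sec = int(ev.ts)
        if sec != bucket:
            bucket, count = sec, 0
        count += 1
        if count <= MAX_EVENTS_PER_SEC:
            out.append(ev)
    return out


def similar(inc, ev):
    """Assumed similarity test: same signature and endpoints within WINDOW."""
    return (inc.signature == ev.signature and inc.src == ev.src
            and inc.dst == ev.dst and abs(ev.ts - inc.last_ts) <= WINDOW)


class Correlator:
    def __init__(self):
        self.incidents = []
        self.database = []   # (event, incident_id) rows; stands in for the local DB

    def ingest(self, ev):
        # Group with an existing incident on the same node, or open a new one.
        own = next((i for i in self.incidents
                    if i.node == ev.node and similar(i, ev)), None)
        if own is None:
            own = Incident(len(self.incidents) + 1, ev.node, ev.signature,
                           ev.src, ev.dst, ev.ts)
            self.incidents.append(own)
        own.events.append(ev)
        own.last_ts = max(own.last_ts, ev.ts)
        # Cross-node correlation: a similar incident on a peer node gets a
        # reference to this one and vice versa; neither incident is merged away.
        for peer in self.incidents:
            if peer.node != ev.node and similar(peer, ev):
                peer.related.add(own.incident_id)
                own.related.add(peer.incident_id)
        self.database.append((ev, own.incident_id))
        return own

    def console_view(self):
        """Follow cross-node references transitively; each connected set of
        incident ids is what the console would display as a single incident."""
        by_id = {i.incident_id: i for i in self.incidents}
        seen, groups = set(), []
        for inc in self.incidents:
            if inc.incident_id in seen:
                continue
            group, todo = set(), deque([inc.incident_id])
            while todo:
                cur = todo.popleft()
                if cur in group:
                    continue
                group.add(cur)
                todo.extend(by_id[cur].related)
            seen |= group
            groups.append(frozenset(group))
        return groups


# Assumed response-rule format: (signature or "*" wildcard, ordered actions).
# The action names echo the response types the manual lists.
RESPONSE_RULES = [
    ("HTTP_Overflow", ["alert", "session_reset", "traffic_record"]),
    ("*", ["alert"]),
]


def respond(incident, rules=RESPONSE_RULES):
    """First matching rule wins, so specific rules must precede the wildcard."""
    for sig, actions in rules:
        if sig == "*" or sig == incident.signature:
            return list(actions)
    return []


def demo():
    # Constructed sample: nodes A and B both see the same overflow attempt;
    # node A alone sees an unrelated DNS anomaly well outside the window.
    local = [Event("A", 0.0, "HTTP_Overflow", "10.0.0.5", "10.0.0.9"),
             Event("A", 2.0, "HTTP_Overflow", "10.0.0.5", "10.0.0.9"),
             Event("A", 90.0, "DNS_Anomaly", "10.0.0.7", "10.0.0.53")]
    remote = [Event("B", 1.5, "HTTP_Overflow", "10.0.0.5", "10.0.0.9"),
              Event("B", 3.0, "HTTP_Overflow", "10.0.0.5", "10.0.0.9")]
    c = Correlator()
    for ev in rate_controlled_stream(local, remote):
        c.ingest(ev)
    return c


if __name__ == "__main__":
    c = demo()
    for inc in c.incidents:
        print(inc.incident_id, inc.node, inc.signature, sorted(inc.related), respond(inc))
    print(c.console_view())
```

Running the demo opens three incidents: the overflow seen by A (id 1) and by B (id 2) reference each other and appear as one console incident, while the DNS anomaly (id 3) stands alone; the overflow incidents match the specific rule and the anomaly falls through to the wildcard alert.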
The response mechanism is described further in the following sections:
About protection policies
About response rules
About protection policies
Symantec Network Security applies protection policies to interfaces at the point
of detection, before the traffic enters the network. Each protection policy
specifies the signatures that the sensor looks for on the interface it is applied
to, in addition to protocol anomaly detection events. If a 7100 Series appliance
is deployed in-line, its blocking rules can prevent matching traffic from entering
the network; a sensor that only monitors a copy of the traffic cannot block and is
limited to the response rules described below.
About response rules
Symantec Network Security's automated rule-based response system includes
alerting, pinpoint traffic recording, flow tracing, session resetting, and custom
responses on both the software and appliance nodes and the Network Security
