Symantec Network Security Administration Guide
Copyright Notice
Copyright 2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.
Trademarks
Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Windows is a registered trademark, and 95, 98, NT and 2002 are trademarks of Microsoft Corporation. Pentium is a registered trademark of Intel Corporation. Sun is a registered trademark, and Java, Solaris, Ultra, Enterprise, and SPARC are trademarks of Sun Microsystems. UNIX is a registered trademark of UNIX System Laboratories, Inc. Cisco and Catalyst are registered trademarks of Cisco Systems, Inc. Foundry is a registered trademark of Foundry Networks. Juniper is a registered trademark of Juniper Networks, Inc. iButton is a trademark of Dallas Semiconductor Corp. Dell is a registered trademark of Dell Computer Corporation. Check Point and OPSEC are trademarks and FireWall-1 is a registered trademark of Check Point Software Technologies, Ltd. Tripwire is a registered trademark of Tripwire, Inc. Symantec Network Security software contains/includes the following Third Party Software from external sources: "bzip2" and associated library "libbzip2," Copyright 1996-1998, Julian R Seward. All rights reserved. (http://sources.redhat.com/bzip2). "Castor," ExoLab Group, Copyright 1999-2001 Intalio, Inc. All rights reserved. (http://www.exolab.org). Printed in the United States of America.
Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product features and functions, installation, and configuration, and to author content for the Web-accessible Knowledge Base. The Technical Support group works with the other functional areas within Symantec to answer your questions in a timely fashion. For example, it works with Product Engineering and Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, available 24 hours a day, 7 days a week worldwide in a variety of languages
- Advanced features, such as the Symantec Alerting Service and the Technical Account Manager role, that offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.
When contacting the Technical Support group, please have the following:
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description
- Error messages/log files
- Troubleshooting performed prior to contacting Symantec
- Recent software configuration changes and/or network changes
Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on the Symantec Value License Program
- Advice on Symantec's technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals
Contents

Section 1  Overview

Chapter 1  Introduction
  About the Symantec Network Security foundation  15
    About the Symantec Network Security 7100 Series  15
    About other Symantec Network Security features  17
  Finding information  20
    About 7100 Series appliance documentation  20
    About Network Security software documentation  21
    About the Web sites  22
    About this guide  23

Chapter 2  Architecture
  About Symantec Network Security  25
  About the core architecture  25
    About detection  26
    About analysis  30
    About response  31
  About management and detection architecture  32
    About the Network Security console  32
    About the node architecture  34
    About the 7100 Series appliance node  37

Chapter 3  Getting started
  Getting started  41
  General checklist  42
    General software and appliance checklist  42
    Additional appliance-specific checklist  43
  About the management interfaces  44
    Using the Network Security console  44
    Using the serial console  50
    Using the LCD panel  52
  Managing user access  54
    Managing user login accounts  55
    Managing user passphrases  57
    Controlling user access  59
  Planning the deployment  61
  Deploying single nodes  61
    Deploying a single Network Security software node  62
    Deploying a single 7100 Series appliance node  62
    Configuring single-node parameters  64
  Deploying node clusters  65
    Deploying software and appliance nodes in a cluster  66
    Monitoring groups within a cluster  66

Section 2  Initial Configuration

Chapter 4  Populating the topology database
  About the network topology  73
    About the Devices tab  74
    About topology mapping  76
  Managing the topology tree  80
    Viewing auto-generated objects  81
    Viewing node details  81
    Viewing node status  81
    Adding objects for the first time  82
    Editing objects  83
    Deleting objects  83
    Reverting changes  84
    Saving changes  84
    Forcing nodes to synchronize  85
    Backing up changes  85
  Adding nodes and objects  86
    About location objects  86
    About nodes and interfaces  88
    About Network Security software nodes  89
    About 7100 Series appliance nodes  95
    About router objects  105
    About Smart Agents  108
    About managed network segments  112

Chapter 5  Protection policies
  About protection policies  115
    Responding to malicious or suspicious events  116
  Understanding the protection policy work area  116
  Using protection policies  117
    Selecting pre-defined policies  118
    Setting policies to interfaces  119
    Applying to save changes  119
    Overriding blocking rules globally  119
    Undoing policy settings  120
  Adjusting the view of event types  121
    Searching to create a subset of event types  121
    Adjusting the view by columns  123
    Viewing event type details  123
  Defining new protection policies  124
    Adding or editing user-defined protection policies  125
    Cloning existing protection policies  125
    Enabling or disabling logging rules  126
    Enabling or disabling blocking rules  128
    Deleting user-defined protection policies  129
  Updating policies automatically  129
  Annotating policies and events  131
  Backing up protection policies  133

Chapter 6  Responding
  About response rules  135
  About automated responses  137
  Managing response rules  138
    Viewing response rules  138
    Adding new response rules  139
    Editing response rules  140
    Searching event types  140
    Deleting response rules  141
    Saving or reverting changes  141
    Backing up response rules  141
  Setting response parameters  141
    Setting event targets  142
    Setting event types  142
    Setting severity levels  143
    Setting confidence levels  145
    Setting event sources  145
    Setting response actions  146
    Setting next actions  146
  Setting response actions  147
    Setting no response action  148
    Setting email notification  148
    Setting SNMP notification  152
    Setting TrackBack response action  154
    Setting a custom response action  154
    Setting a TCP reset response action  157
    Setting traffic record response action  159
    Setting a console response action  160
    Setting export flow response action  161
  Managing flow alert rules  162
    Viewing flow alert rules  163
    Adding flow alert rules  163
    Editing flow alert rules  164
    Deleting flow alert rules  165

Chapter 7  Detecting
  About detection  167
  Configuring sensor detection  168
    Configuring sensor parameters  169
    Restarting or stopping sensors  170
    Basic sensor parameters  170
    Basic flood and scan parameters  174
    Advanced flood and scan parameters  178
    Other advanced parameters  184
    Advanced TCP engine parameters  185
    Advanced UDP engine parameters  194
  Configuring port mapping  196
  Configuring signature detection  198
    About Symantec signatures  198
    About user-defined signatures  199
    Managing signatures  199
    Managing signature variables  206

Section 3

Chapter 8
    Selecting view filters  229
    Marking and annotating  231
    Saving, copying, and printing data  233
    Emailing incident or event data  235
  Tuning incident parameters  237
    Setting Incident Idle Time  237
    Setting Maximum Incidents  238
    Setting Incident Unique IP Limit  239
    Setting Event Correlation Name Weight  239
    Event Correlation Source IP Weight  240
    Event Correlation Destination IP Weight  241
    Event Correlation Source Port Weight  242
    Event Correlation Destination Port Weight  243
  Tuning operational event parameters  244
    High CPU Load Logging Interval  244
    Sensor No Traffic Detected Logging Interval  245
    Sensor Dropped Packet Percentage Threshold  246
  Monitoring flow statistics  247
    Enabling flow data collection  247
    Configuring FlowChaser  248

Chapter 9  Reporting
  About reports and queries  253
  Scheduling reports  254
    Adding or editing report schedules  254
    Refreshing the list of reports  255
    Deleting report schedules  256
    Managing scheduled reports  256
  Reporting top-level and drill-down  258
    About report formats  259
    About report types  259
    About incident/event reports  260
    Printing and saving reports  260
  About top-level report types  260
    Reports of top events  261
    Reports per incident schedule  262
    Reports per event schedule  263
    Reports by event characteristics  264
    Reports per Network Security device  265
    Drill-down-only reports  266
  Querying flows  267
    Viewing current flows  268
    Viewing Flow Statistics  269
    Viewing exported flows  270
  Playing recorded traffic  271
    Replaying recorded traffic flow data  271

Chapter 10

Chapter 11  Advanced configuration
  About advanced setup  303
  Updating Symantec Network Security  303
    About LiveUpdate  304
    Scanning for available updates  305
    Applying updates  305
    Setting the LiveUpdate server  306
  Scheduling live updates  307
    Adding or editing automatic updates  307
    Deleting automatic update schedules  308
    Reverting automatic update schedules  308
    Backing up LiveUpdate configurations  308
  Managing node clusters  309
    Creating a new cluster  309
    Managing an established cluster  312
    Setting a cluster-wide parameter  315
    Backing up cluster-wide data  316
  Integrating third-party events  316
    Integrating via Smart Agents  316
    Integrating with Symantec Decoy Server  319
  Establishing high availability failover  322
    Monitoring node availability  322
    Configuring availability for single nodes  323
    Configuring availability for multiple nodes  324
    Configuring watchdog processes  328
  Backing up and restoring  332
    Backing up and restoring on the Network Security console  333
    Backing up and restoring on compact flash  337
  Configuring advanced parameters  343
    About parameters for clusters, nodes, and sensors  344
    About basic setup and advanced tuning  345
    Configuring node parameters  345
    Configuring basic parameters  346
    Configuring advanced parameters  346

Section 4  Appendices

Appendix A  User groups reference
  About user groups  353
  Permissions by user group  354
    Summary of permissions  354
  Permissions by task  355
    Rebooting and restarting  355
    Configuring at node or cluster level  356
    Configuring at interface level  357
    Viewing only  359
    Master list of permissions by task  360

Appendix B  SQL reference
  About SQL export parameters  365
    Setting up SQL export  365
  Using Oracle tables  366
    Oracle incident table  366
    Oracle event table  368
  Using MySQL tables  372
    MySQL incident table  372
    MySQL event table  374
Part I
Overview
Symantec Network Security is a new generation of security software that detects, analyzes, and responds to network intrusions and prevents damage from attacks. It combines multiple tools and techniques that work together to gather attack information, analyze the attacks, and then initiate an appropriate response. The Symantec Network Security 7100 Series is a family of highly scalable integrated hardware and software intrusion detection appliances, designed to detect and prevent attacks across multiple network segments at multi-gigabit speeds. The 7100 Series combines Symantec Network Security's detection capabilities with robust hardware features and the convenience of an appliance. This section introduces the Symantec Network Security intrusion detection system, describes the architecture of the core Symantec Network Security software and the Symantec Network Security 7100 Series appliance, and outlines how to get started with basic deployment schemes as follows:
Chapter 1
Introduction
This chapter includes the following topics:
- About the Symantec Network Security 7100 Series
- About other Symantec Network Security features
activities, backdoors, buffer overflow attempts and blended threats like MS Blaster and SQL Slammer. In addition to the features it shares with the Symantec Network Security 4.0 software, the Symantec Network Security 7100 Series appliance offers:
In-line Operation: The 7100 Series appliance can be deployed in-line as a transparent bridge to perform real-time monitoring and blocking of network-based attacks. This ability to prevent attacks before they reach their targets takes network security to the next level over passive event identification and alerting. The 7100 Series appliance's One-Click Blocking feature enables users to automatically enable blocking on all in-line interfaces with the click of a single button, saving critical time in the event of worm attacks. Policy-based Attack Prevention: Deployed in-line, the 7100 Series appliance is able to perform session-based blocking against malicious traffic, preventing attacks from reaching their targets. Predefined and customizable protection policies enable users to tailor their protection based on their security policies and business need. Policies can be tuned based on threat category, severity, intent, reliability and profile of protected resources, and common or individualized policies can be applied per sensor for both in-line and passive monitoring. Interface Grouping: 7100 Series appliance users can configure up to four monitoring interfaces as an interface group to perform detection of attacks for large networks that have asymmetric routed traffic. A single sensor handles all network traffic seen by the interface group, keeping track of state even when traffic enters the network on one interface and departs on another. This feature greatly increases the attack detection capacity of the 7100 Series and allows it to operate more effectively in enterprise network environments. Dedicated Response Ports: The Symantec Network Security 7100 Series provides special network interfaces for sending anonymous TCP resets to attackers. With this configuration, network monitoring continues uninterrupted even when sending resets. Reduced Total Cost of Solution: A single 7100 Series appliance can monitor up to eight network segments or VLANs. 
The Symantec Network Security 7100 Series reduces the cost of a network security solution by enhancing the security and reliability of the hardware, simplifying deployment and management, and providing a single point of service and support.
Flexible Licensing Options: Each model of the Symantec Network Security 7100 Series offers licensing at multiple bandwidth levels. Whether you deploy the appliance at a slow WAN connection or on your gigabit backbone, you can select the license that fits your needs.
Fail-open: When using in-line mode, the Symantec Network Security 7100 Series appliance is placed directly into the network path. The optional Symantec Network Security In-line Bypass unit provides fail-open capability to prevent an unexpected hardware failure from causing a loss of network connectivity. The Symantec In-line Bypass Unit provides a customized solution that will keep your network connected even if the appliance has a sudden hardware failure. See also About other Symantec Network Security features on page 17.
Multi-Gigabit Detection for High-speed Environments: Symantec Network Security sets new standards with multi-gigabit, high-speed traffic monitoring, allowing implementation at virtually any level within an organization, even on gigabit backbones. On a certified platform, Symantec Network Security can maintain 100% of its detection capability at 2Gbps across 6 gigabit network interfaces with no packet loss.
Hybrid Detection Architecture: Symantec Network Security uses an array of detection methodologies for effective attack detection and accurate attack identification. It collects evidence of malicious activity with a combination of protocol anomaly detection, stateful signatures, event refinement, traffic rate monitoring, IDS evasion handling, flow policy violation, IP fragmentation reassembly, and user-defined signatures.
Zero-Day Attack Detection: Symantec Network Security's protocol anomaly detection helps detect previously unknown and new attacks as they occur. This capability, dubbed zero-day detection, closes the window of vulnerability inherent in signature-based systems that leave networks exposed until signatures are published.
Symantec Security Updates with LiveUpdate: Symantec Network Security now includes LiveUpdate, allowing users to automate the download and deployment of regular and rapid response Security Updates from Symantec Security Response, the world's leading Internet security research and support organization. Symantec Security Response provides top-tier security protection and the latest security context information, including exploit and vulnerability information, event descriptions, and event refinement rules to protect against ever-increasing threats.
Real-Time Event Correlation and Analysis: Symantec Network Security's correlation and analysis engine filters out redundant data and analyzes only the relevant information, providing threat awareness without data overload. Symantec Network Security gathers intelligence across the enterprise using cross-node analysis to quickly spot trends and identify related events and incidents as they happen. In addition, new user-configurable correlation rules enable users to tune correlation performance to meet the needs of their own organization and environment.
Full packet capture, session playback and flow querying capabilities: Symantec Network Security can be configured on a per-interface basis to capture the entire packet when an attack is detected, so that you can quickly determine whether the offending packet is a benign event that can be filtered or should be flagged for further investigation. Automated response actions can initiate traffic recording and flow exports, and you can query existing or saved flows as well as play back saved sessions to further assist in drill-down analysis of a security event.
Proactive Response Rules: Contains and controls the attack in real-time and initiates other actions required for incident response. Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type and the location of the event within the network. Symantec Network Security implements session termination, traffic recording and playback, flow export and query, TrackBack, and custom responses to be combined with email and SNMP notifications to protect an enterprise's most critical assets.
Policy-Based Detection: Predefined policies speed deployment by allowing users to quickly configure an immediate response to intrusions or denial-of-service attacks based on the type and the location of the event within the network. Independently configurable detection settings make it easy for users to create granular responses. Using the robust policy editor, users can quickly create monitoring policies that are customized to the needs of their particular environment. Policies can be applied at the cluster, node, or interface level for complete, scalable control.
Role-based Administration: Symantec Network Security provides the ability to define administrative users and assign them roles to grant them varying levels of access rights. Administrative users can be assigned roles all the way from full SuperUser privileges down to RestrictedUser access that only allows monitoring events without packet inspection capabilities. All administrative changes made from the Network Security console are logged for auditing purposes.
TrackBack and FlowChaser: Symantec Network Security incorporates sophisticated FlowChaser technology that uses flow information from both Network Security software nodes and 7100 Series appliance nodes, and from other network devices, to trace attacks to the source.
Cost-effective Scalable Deployment: A single Network Security software node or 7100 Series appliance node can monitor multiple segments or VLANs. Each node can be configured to monitor up to 12 Fast Ethernet ports or 6 to 8 Gigabit Ethernet ports. As the network infrastructure grows, network interface cards can be added to the same node to support additional monitoring requirements.
High Availability Deployment: Network Security software nodes and 7100 Series appliance nodes can be deployed in a High Availability (H/A) configuration to ensure continuous attack detection without any loss of traffic or flow data in your mission-critical environment.
Centralized Cluster Management: A Symantec Network Security deployment can consist of multiple clusters, each cluster consisting of up to 120 nodes, and an entire Network Security cluster can be securely and remotely managed from a centralized management console. The Network Security console provides complete cluster topology and policy management, node and sensor management, incident and event monitoring, and drill-down incident analysis and reporting.
Enterprise Reporting Capabilities: Symantec Network Security provides cluster-wide, on-demand, drill-down, console-based reports that can be generated in text, HTML, and PDF formats and can also be emailed, saved, or printed. In addition, Symantec Network Security provides cluster-wide scheduled reports generated on the software and appliance nodes that can be emailed or archived to a remote computer using secure copy.
Symantec Network Security Smart Agents Technology: Symantec Network Security Smart Agents enable enterprise-wide, multi-source intrusion event collection, helping companies to expand the security umbrella and enhance the threat detection value of their existing security assets. Third-party intrusion events are aggregated into a centralized location, leveraging the power of the Symantec Network Security correlation and analysis framework, along with the ability to automate responses to intrusions across the enterprise. See also About the Symantec Network Security 7100 Series on page 15.
Finding information
You can find information about Symantec Network Security software and Symantec Network Security 7100 Series appliances in the documentation sets, on the product CDs, and on the Symantec Web sites. This section includes the following topics:
About 7100 Series appliance documentation
About Network Security software documentation
About the Web sites
About this guide
Symantec Network Security 7100 Series Implementation Guide (printed and PDF). This guide explains how to install, configure, and perform key tasks on the Symantec Network Security 7100 Series.
Symantec Network Security Administration Guide (printed and PDF). This guide provides the main reference material, including detailed descriptions of the Symantec Network Security features, infrastructure, and how to configure and manage effectively.
Depending on your appliance model, one of the following:
Symantec Network Security 7100 Series: Model 7120 Getting Started Card
Symantec Network Security 7100 Series: Models 7160 and 7161 Getting Started Card
This card provides the minimum procedures necessary for installing, configuring, and starting to operate the Symantec Network Security 7100 Series appliance (printed and PDF).
Symantec Network Security 716x Service Manual (printed and PDF). This document provides instructions for removing the hard drive on the 7160 and 7161.
Symantec Network Security 7100 Series Product Specifications and Safety Information (printed and PDF). This document provides specifications for all 7100 Series models as well as safety warnings and certification information.
Symantec Network Security User Guide (PDF). This guide provides basic introductory information about Symantec Network Security software.
Symantec Network Security 7100 Series Readme (on CD). This document provides a feature summary, support and licensing information, key task tips, and a link to late-breaking information about the Symantec Network Security 7100 Series, including limitations, workarounds, and troubleshooting tips.
See also Finding information on page 20.
Symantec Network Security Getting Started (printed and PDF): This guide provides basic introductory information about the Symantec Network Security software product, an abbreviated list of system requirements, and a basic checklist for getting started.
Symantec Network Security Installation Guide (printed and PDF): This guide explains how to install, upgrade, and migrate Symantec Network Security software on supported platforms.
Symantec Network Security Administration Guide (printed and PDF): This guide provides the main reference material, including detailed descriptions of the Symantec Network Security features, infrastructure, and how to configure and manage effectively.
Symantec Network Security Signature Developers Guide (Web only): This guide contains detailed descriptions of the proprietary Symantec Network Security Signature Language and how to use it to create effective user-defined signatures to customize the detection system.
Symantec Network Security User Guide (PDF): This guide provides introductory information about Symantec Network Security core software for the user with read-only access.
Symantec Network Security Readme (on CD): This document provides the late-breaking information about Symantec Network Security core software, limitations, and workarounds.
See also Finding information on page 20.
To view the Patch Site
1 Open the following URL: www.symantec.com/techsupp/enterprise/select_product_updates.html
2 Click Intrusion Protection > Symantec Network Security 4.0.
Part 1 Introduction: This section introduces you to the Symantec Network Security core intrusion detection system and the Symantec Network Security 7100 Series appliance, describes the architecture, and outlines a high-level setup and deployment scheme.
Chapter 1 Introduction: Describes the Symantec Network Security intrusion detection system and the Symantec Network Security 7100 Series appliance, documentation, and alternative sources of information.
Chapter 2 Architecture: Describes the system components, compatibility, and integration of Symantec Network Security.
Chapter 3 Getting started: Describes deployment and setup options of a Symantec Network Security intrusion detection system.
Part 2 Getting Started: This section explains how to set up your Symantec Network Security intrusion detection system, populate a network topology database, configure basic detection capabilities, and establish initial protection and response policies.
Chapter 4 Populating the topology database: Describes the initial network topology mapping process, and the information and procedures required to populate the topology database.
Chapter 5 Protection policies: Describes Symantec Network Security's protection policies and how to customize and manage them.
Chapter 6 Responding: Describes Symantec Network Security's response rules and flow alert rules, and how to customize and manage them.
Chapter 7 Detecting: Describes Symantec Network Security's methods of intrusion, anomaly, and signature detection, and how to customize and manage them.
Part 3 Using Symantec Network Security: This section describes how to use Symantec Network Security to monitor your network, including interpreting incident and event output, generating reports and running queries, maintaining logs and databases, and fine-tuning the intrusion detection system.
Chapter 8 Monitoring: Describes the types of information displayed for incidents and their related events, and how to view incident data in the Network Security console.
Chapter 9 Reporting: Describes the types of reports that Symantec Network Security can generate, and how to generate them.
Chapter 10 Managing log files: Describes the Network Security log databases, and how to view, compress, save, export, and archive them.
Chapter 11 Advanced configuration: Describes advanced procedures such as high availability, cluster management, and integrating data from third-party products.
Appendix A User groups reference: Describes the four user groups and lists exact permissions available for each group.
Appendix B SQL reference: Describes MySQL and Oracle support in a detailed table format.
Glossary: Describes terminology used in this guide.
Acronyms: Lists acronyms used in this guide.
See also Finding information on page 20.
Chapter 2 Architecture
This chapter includes the following topics:
About Symantec Network Security
About the core architecture
About management and detection architecture
Figure 2-1 (diagram not reproduced): the detection and analysis flow. Labels in the figure: Network Traffic, External Sources, Detection, Stateful Signatures, Refinement, Correlation, Policy Application.
About detection
Symantec Network Security uses multiple methods of threat detection that provide both broad and deep detection of network-borne threats. These include Protocol Anomaly Detection (PAD), traffic rate monitoring, and network pattern matching, or signature-based detection. Each of these methods has strengths and weaknesses. Signature-based approaches can miss new attacks; protocol anomaly detection can miss attacks that are not considered anomalies; traffic anomaly detection misses single-shot or low-volume attacks; and behavioral anomaly detection misses attacks that are difficult to differentiate from normal behavior. Symantec Network Security combines multiple techniques and technologies into a single solution. In addition, it adapts to the changing threat landscape by adopting new techniques and technologies that improve upon or replace existing ones.
Users can increase the detection capabilities by using Flow Alert Rules and adding user-defined signatures. Flow alert rules allow users to monitor network policy and respond to traffic to or from IP address and port combinations. User-defined signatures allow users to add network patterns to the supported set, and tune them to a specific network environment. Examples include monitoring proprietary protocols, searching for honey-tokens, or detecting disallowed application versions. Symantec Network Security can also integrate event data from third-party devices, enabling you to combine existing intrusion detection products with Symantec Network Security's high speed and zero-day attack detection capabilities. This section describes the layers of the detection model:
About protocol anomaly detection
About Symantec signatures
About user-defined signatures
Monitoring traffic rate
About DoS detection
About external EDP
pointers to vendor patches or other remediation tools. When this happens, it is better to have specific threat identification instead of a protocol anomaly alert. Symantec Network Security provides event refinement to address this issue. Threats identified by PAD are further analyzed to determine if they are known or unknown. This processing is done after the traffic has been identified and recorded, so that it does not interfere with the detection performance. This provides the high performance of PAD with the granular identification of a signature matching engine.
define, manage, and apply user-defined signatures from the Network Security console.
data from the native format to the Symantec Network Security format, and transmits the data to the software or appliance node. See About detection on page 167. See About Smart Agents on page 37.
About analysis
Symantec Network Security includes state-of-the-art correlation and analysis that filters out irrelevant information and refines only what is meaningful, providing threat awareness without data overload. Symantec Network Security correlates common events together within an incident to compress and relate the displayed information. This section describes the analysis mechanism in greater detail:
About refinement
Symantec Network Security detects both known and unknown (zero-day) attacks, using multiple detection technologies concurrently. Event refinement rules extend the Protocol Anomaly Detection capabilities. Symantec Network Security matches generic anomalies against a database of refinement rules, and for known attacks, reclassifies an anomaly event by retagging it with its specific name.
About correlation
Symantec Network Security uses event correlation, the process of grouping related events together into incidents. This produces a shorter, more manageable list to sift through. Some types of intrusions, such as DDoS attacks, generate hundreds of events. Others, such as buffer-overflow exploits, might generate only one event. Event correlation brings each key event to the forefront in an incident so that it remains visible despite floods of events from other activities. It automates the process of sorting through individual events and frees the user to focus on responding directly to the security incident. Symantec Network Security correlates security events (intrusions, attacks, anomalies, or any other suspicious activity), response action events (automated actions taken by Symantec Network Security in response to an attack), and operational events (action taken in the administration of the product, such as logging in or rotating logs).
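The two analysis stages described above, refinement (retagging a generic anomaly with a specific name) followed by correlation (grouping related events into incidents so that the key event stays visible in a flood), as an added illustration that is not Symantec's code. The rule contents, field names, grouping criteria, addresses and sample events are all constructed for this example.

```python
"""Added example, not Symantec's code: a toy version of the refinement and
correlation stages described above. Refinement retags a generic protocol
anomaly with a specific attack name when a refinement rule matches;
correlation groups related events into incidents so that one key event stays
visible among a flood. Rule contents, field names, addresses and the sample
events are all constructed for this example."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Event:
    ts: float                   # seconds since epoch (constructed values)
    kind: str                   # "security", "response" or "operational"
    name: str                   # generic anomaly name, or specific name after refinement
    src: Optional[str] = None   # attacker address for security/response events
    dst: Optional[str] = None
    proto: Optional[str] = None
    detail: str = ""            # the anomalous field the detector saw (free text)
    refined: bool = False       # set once a refinement rule has retagged the event

# Constructed refinement rules:
# (generic PAD event, protocol, substring of the anomalous field) -> specific name.
REFINEMENT_RULES: List[Tuple[str, str, str, str]] = [
    ("HTTP_URI_TOO_LONG", "http", "/default.ida", "IIS_IDA_OVERFLOW_EXAMPLE"),
    ("RPC_BIND_LENGTH_ANOMALY", "dcerpc", "RemoteActivation", "RPC_DCOM_OVERFLOW_EXAMPLE"),
]

def refine(ev: Event) -> Event:
    """Retag a generic anomaly with its specific name when a rule matches; otherwise return it unchanged."""
    for generic, proto, needle, specific in REFINEMENT_RULES:
        if ev.name == generic and ev.proto == proto and needle in ev.detail:
            return Event(ev.ts, ev.kind, specific, ev.src, ev.dst, ev.proto, ev.detail, refined=True)
    return ev

@dataclass
class Incident:
    key: Tuple[str, Optional[str]]          # grouping key, e.g. ("src", "198.51.100.7")
    events: List[Event] = field(default_factory=list)
    last_ts: float = 0.0

    def headline(self) -> str:
        """The key event brought to the forefront: the first refined event, else the most common name."""
        for ev in self.events:
            if ev.refined:
                return ev.name
        return Counter(ev.name for ev in self.events).most_common(1)[0][0]

def correlate(events: List[Event], window: float = 300.0) -> List[Incident]:
    """Group events into incidents. Security and response events from the same source that
    arrive within `window` seconds of the previous one join one incident; operational events
    (logins, log rotation) form their own group. These grouping criteria are this example's
    assumption, not the product's actual rule set."""
    incidents: List[Incident] = []
    open_incident: Dict[Tuple[str, Optional[str]], Incident] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = ("operational", None) if ev.kind == "operational" else ("src", ev.src)
        inc = open_incident.get(key)
        if inc is None or ev.ts - inc.last_ts > window:
            inc = Incident(key=key)
            incidents.append(inc)
            open_incident[key] = inc
        inc.events.append(ev)
        inc.last_ts = ev.ts
    return incidents

def analyze(events: List[Event]) -> List[Incident]:
    """The analysis pipeline in the order the guide describes: refine each event, then correlate."""
    return correlate([refine(ev) for ev in events])

def sample_events() -> List[Event]:
    """Constructed sample: a port sweep followed by an IIS overflow attempt from one host, the
    reset the sensor sent in response, a lone RPC overflow attempt from another host, and an
    administrator login."""
    t0 = 1_100_000_000.0
    evs = [Event(t0 + i, "security", "TCP_SYN_TO_CLOSED_PORT", "198.51.100.7", "192.0.2.10",
                 "tcp", f"port {1000 + i}") for i in range(50)]
    evs.append(Event(t0 + 60, "security", "HTTP_URI_TOO_LONG", "198.51.100.7", "192.0.2.10",
                     "http", "GET /default.ida?... (constructed, truncated)"))
    evs.append(Event(t0 + 61, "response", "SESSION_TERMINATED", "198.51.100.7", "192.0.2.10",
                     "tcp", "TCP reset sent"))
    evs.append(Event(t0 + 500, "security", "RPC_BIND_LENGTH_ANOMALY", "203.0.113.9", "192.0.2.11",
                     "dcerpc", "RemoteActivation request length anomaly"))
    evs.append(Event(t0 + 30, "operational", "USER_LOGIN", detail="SuperUser login from console"))
    return evs

if __name__ == "__main__":
    for inc in analyze(sample_events()):
        print(inc.key, len(inc.events), "events; headline:", inc.headline())
```

With the sample input, fifty-two events from the scanning host collapse into one incident whose headline is the refined overflow name, while the single RPC anomaly still surfaces as its own incident.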
About response
Protection policies and response rules are collections of rules configured to detect specific events, and to take specific actions in response to them. Protection policies can take action at the point of detection. Using a 7100 Series appliance, you can configure Symantec Network Security to block events before they enter the network. Response rules can be configured to react automatically and immediately contain and respond to intrusion attempts. The response mechanism is described further in the following sections:
console. Symantec Network Security generates responses based on multiple criteria such as event targets, attack types or categories, event sources, and severity or confidence levels. Multiple responses can be configured for the same event type, as well as the order in which Symantec Network Security executes the responses. Symantec Network Security reviews each event, and iterates through the list of response rules configured by the user. It compares each event against configurable match parameters. If a match occurs on all parameters, it then executes the specified action. After Symantec Network Security processes one rule, it proceeds to one of three alternatives: to the rule indicated by the Next parameter, to a following rule beyond the Next rule, or it stops policy application altogether for this event.
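The rule walk just described, as an added illustration that is not Symantec's code: each rule carries match parameters, an event must satisfy all of them for the action to fire, and the rule's Next setting then sends evaluation to a named later rule, to the rule immediately after, or stops it. The encoding of Next (CONTINUE, STOP, or a rule name), the rule names, actions, severity scale and sample events are assumptions made for this example.

```python
"""Added example, not Symantec's code: a toy response-rule engine that follows
the evaluation order described above. Each rule carries match parameters
(target network, attack category, source network, minimum severity, minimum
confidence); an event must satisfy every parameter a rule sets for its action
to fire, and the rule's Next setting then decides where evaluation continues.
The rule names, actions, field names, severity scale and sample events are
constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

CONTINUE = "CONTINUE"   # proceed to the rule immediately after this one
STOP = "STOP"           # stop policy application for this event
# Any other Next value names a later rule to jump to (skipping the rules in between).

@dataclass
class ResponseRule:
    name: str
    action: str                        # e.g. "email", "snmp_trap", "session_termination"
    next: str = CONTINUE
    target_net: Optional[str] = None   # CIDR the event target must fall in (None = any)
    source_net: Optional[str] = None   # CIDR the event source must fall in (None = any)
    category: Optional[str] = None     # attack category the event must carry (None = any)
    min_severity: int = 0              # constructed scale 1 (low) to 4 (critical)
    min_confidence: int = 0            # constructed scale 0 to 100

@dataclass
class Event:
    target: str
    source: str
    category: str
    severity: int
    confidence: int

def matches(rule: ResponseRule, ev: Event) -> bool:
    """True only if the event satisfies every parameter the rule sets."""
    if rule.target_net and ip_address(ev.target) not in ip_network(rule.target_net):
        return False
    if rule.source_net and ip_address(ev.source) not in ip_network(rule.source_net):
        return False
    if rule.category and ev.category != rule.category:
        return False
    return ev.severity >= rule.min_severity and ev.confidence >= rule.min_confidence

def apply_rules(rules: List[ResponseRule], ev: Event) -> List[str]:
    """Walk the ordered rule list for one event and return the actions fired, in order.
    A rule that does not match passes control to the next rule in list order (an
    assumption of this example). A Next that names an earlier or unknown rule is
    rejected so the walk can never loop."""
    position = {r.name: i for i, r in enumerate(rules)}
    fired: List[str] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, ev):
            i += 1
            continue
        fired.append(f"{rule.name}:{rule.action}")
        if rule.next == STOP:
            break
        if rule.next == CONTINUE:
            i += 1
            continue
        j = position.get(rule.next)
        if j is None or j <= i:
            raise ValueError(f"rule {rule.name!r}: Next must name a later rule, got {rule.next!r}")
        i = j
    return fired

# Constructed policy: log everything, record DoS traffic and jump straight to notification,
# terminate high-confidence overflow sessions against the server segment, then notify.
SAMPLE_RULES = [
    ResponseRule("log_all", "log_event"),
    ResponseRule("dos_record", "record_traffic", next="notify_soc", category="dos"),
    ResponseRule("overflow_terminate", "session_termination", category="overflow",
                 target_net="192.0.2.0/24", min_confidence=70),
    ResponseRule("notify_soc", "email", next=STOP, min_severity=3),
    ResponseRule("low_priority_trap", "snmp_trap", next=STOP),
]

if __name__ == "__main__":
    for ev in (Event("192.0.2.10", "198.51.100.7", "dos", 4, 90),
               Event("192.0.2.10", "198.51.100.7", "overflow", 4, 95),
               Event("192.0.2.20", "203.0.113.9", "overflow", 2, 40)):
        print(ev.category, ev.severity, ev.confidence, "->", apply_rules(SAMPLE_RULES, ev))
```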
About the Network Security console
About the node architecture
About the 7100 Series appliance node
protection policies, and view log data. You can generate reports and view them immediately in the Network Security console, or you can schedule them to generate automatically. The Network Security console contains three main tabs that provide a view of the Devices tab, Incidents tab, and Policies tab.
Devices tab: Provides a hierarchical tree view of the network topology, with a detailed summary of each device.
Incidents tab: Provides detailed descriptions of incidents and events taking place in the monitored network, and can be drilled down to reveal detailed packet information.
Policies tab: Provides the tools to create, manage, and apply user-defined signatures, signature variables, and protection policies.
Reporting in the Network Security console includes dynamic chart and graph generation, with information drill-down and data retrieval. Pre-defined reports can be saved and printed. Users can send flow queries and play back traffic sequences from the Network Security console as well.
SuperUsers: A user authenticated with full administrative capabilities. This user is allowed to perform all administrative tasks that the Network Security console can execute.
Administrators: A user authenticated with partial administrative capabilities. This user is allowed to perform most administrative tasks, with the exception of some advanced actions.
StandardUsers: A user authenticated with full read-only capabilities. This user is allowed to view all information in the Network Security console.
RestrictedUsers: A user authenticated with partial read-only capabilities. This user is allowed to view most information in the Network Security console with the exception of some advanced information and network-sensitive data.
(Diagram not reproduced: core node architecture. Components shown: Alert Manager, Analysis, Databases, Sensor Process, FlowChaser.)
The components of the core node architecture apply to both Network Security software nodes and 7100 Series appliance nodes as follows:
About the alert manager
About the sensor manager
About the administration service
About analysis
About the databases
About Event Stream Provider
About analysis
Symantec Network Security's analysis framework aggregates event data on possible attacks from all event sources. The analysis framework also performs statistical correlation analysis on events to identify event patterns that vary significantly from usual network activity and to identify individual events that are highly related, such as a port scan followed closely by an intrusion attempt.
Topology database: Stores information about local network devices and interfaces and the network configuration. Symantec Network Security uses this data to direct the FlowChaser toward the area of the network in which an attack occurs.
Protection policy database: Stores the pre-defined protection policies that are installed with the product and those added through LiveUpdate, as well as any user-defined signatures.
Response rule database: Stores the rules that define the actions to take when an attack is identified, the priority to give to the attack incidents, and the necessity for further investigation of the attack.
Configuration database: Stores configurable parameters that SuperUsers and Administrators can use to configure tasks at the node level and to configure detection at the sensor level.
Incident and event databases: Store information about events and incidents. The event log can be signed periodically by the iButton or soft token to verify that the log has not been tampered with or altered in any way. The iButton is a hardware device that safeguards the signature certificate and confirms the identity of a Network Security software node.
LiveUpdate database: Stores data relevant for LiveUpdate.
User database: Stores information about each user login account.
tuned to maximize detection while retaining network performance and reliability. For example, using in-line mode, the sensor tunes itself to minimize latency and maximize throughput across a pair of interfaces. Using interface groups, the sensor correctly adjusts itself to compensate for the fact that a single network session may be conducted over multiple, asymmetric links. Using single monitoring interfaces, the sensor batch-processes packets to maximize detection coverage.
About FlowChaser
FlowChaser serves as a data source in coordination with TrackBack, a response mechanism that traces a DoS attack or network flow back to its source, or to the edges of an administrative domain. FlowChaser receives network flow data from multiple devices, such as Network Security sensors and network routers. FlowChaser stores the flow data in an optimized fashion that enhances analysis, correlation, and advanced responses.
The appliance provides all the functionality of a Network Security software node, with additional capabilities in the areas of detection, response, and management. This section describes the following topics:
About detection on the 7100 Series
About response on the 7100 Series
About management on the 7100 Series
In blocking mode, all network traffic is examined by the Network Security detection software before it enters your network, and is blocked if malicious. When a protocol anomaly event or an event matching an enabled signature is detected, the offending packet is dropped. For TCP/IP traffic, a reset is sent to the TCP connection. In alerting mode, the Network Security detection software still analyzes all packets as they enter your network, but does not prevent an intrusion attempt from proceeding. You can configure a non-blocking protection policy to send a reset and an alert, based on event ID. With only alerting enabled under in-line mode, there is no risk of inadvertently blocking legitimate network traffic. The advantage of in-line alerting mode over operating in passive mode is that you can enable blocking with a single mouse-click from the Network Security console. You don't need to halt network traffic while changing cabling and configuration to switch between in-line alerting and blocking modes.
About fail-open
When you configure in-line mode on the Symantec Network Security 7100 Series appliance, you place the in-line interface pair directly into the network path. If the appliance or one of those interfaces has a hardware or software failure, all associated network traffic is blocked. You can avoid this risk with the addition of the 2 In-line Bypass unit or 4 In-line Bypass unit, custom fail-open devices available from Symantec specifically for the appliance. These devices provide the fail-open capability, allowing your network to stay up while you make repairs. At this time, the bypass units are only available for copper interfaces. There is currently no fail-open solution for the fiber interfaces of the appliance model 7161.
About the LCD panel
About the serial console
About the compact flash
sixteen characters each, and there are six buttons: four arrow buttons and two function buttons labeled s (start) and e (enter). You can use the LCD panel for initial configuration of your appliance. After initial configuration, the LCD screen displays system statistics in a rotating sequence, and provides a menu of tasks including stopping and starting Symantec Network Security, rebooting or shutting down the appliance, and changing the IP address.
Chapter 3 Getting started
This chapter includes the following topics:
Getting started
General checklist
About the management interfaces
Managing user access
Planning the deployment
Deploying single nodes
Deploying node clusters
Getting started
This chapter provides a general outline of major tasks involved in setting up a core Symantec Network Security intrusion detection system. It describes basic tasks, including accessing the management interfaces (Network Security console, serial console, and LCD panel), accessing nodes and sensors, and establishing user permissions and access. It also describes deployment considerations and examples of ways to deploy Symantec Network Security. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.
General checklist
This section provides a broad outline of the basic steps to set up a core Symantec Network Security intrusion detection system for the first time. It also describes additional deployment options that are unique to the 7100 Series appliance. This section describes the following topics:
Deployment Plan: Decide how to deploy a Symantec Network Security intrusion detection system. Some things to consider might include:
What kinds of traffic flow do you expect on your network?
Which devices or elements of your network will you monitor?
Will you deploy Symantec Network Security as single peer software or appliance nodes, or as a cluster of interacting nodes?
Will you establish failover redundancy with standby nodes?
Licensing: Obtain a Symantec license for each software and appliance node.
Installation: Install Symantec Network Security.
User accounts: One SuperUser default account is created at installation. You can add more accounts at any time after installation.
Create network topology database: Provide detailed information about your Symantec Network Security intrusion detection system by populating the topology tree on the Devices tab.
Establish protection policy: Establish blocking and/or alerting triggers so that Symantec Network Security automatically responds to intrusions at the point of entry.
Establish response rules: Establish additional action triggers so that Symantec Network Security automatically responds to intrusions as they pass through the network.
Configure user-defined signatures: Enhance the basic detection capabilities by creating customized signatures to fine-tune the detection to your unique security environment.
Incidents and Events: Drill down for detailed information about suspicious and intrusive activity.
Reports and Queries: Launch queries and generate comprehensive reports in a variety of formats about suspicious activity.
Logs and Databases: Review collected data about suspicious activity in logs and databases to use in analyzing and tracking.
Set configuration parameters: Configure single node or cluster-wide settings to define advanced features such as failover, export, TrackBack, and more.
In-line or passive mode: Decide whether to deploy some or all appliance monitoring interfaces using in-line mode, or to leave them in passive mode. Your choice affects the cabling of the appliance.
Fail-open: If you place any interfaces into in-line mode, you may wish to connect a bypass unit to provide fail-open capability. This also affects the cabling process.
Initial configuration: Choose from three methods of initial configuration, including:
LCD: Use the LCD screen and push buttons on the appliance to enter the node IP address, password, and other information.
Serial console: Connect a laptop or other serial device to the appliance and use a serial terminal application with VT100 emulation to enter the initial configuration information.
Compact flash: Add a slave node object to the master node's topology, then write the node configuration to a compact flash card. Use the compact flash card for initial configuration when installing the slave appliance.
In-line blocking or alerting: Create policies for any in-line interface pairs to define when to block and when to alert.
Interface grouping: Configure an interface group that aggregates traffic on up to four monitoring interfaces. An interface group is useful for intrusion detection in asymmetrically routed networks.
Using the Network Security console Using the serial console Using the LCD panel
Caution: The first time you launch the Network Security console after installation, expect a wait time of a few minutes while the database files load. Symantec Network Security caches the files after that first load, and makes subsequent launches faster.
This section describes how to launch the Network Security console and adjust the view:
Launching the Network Security console
Viewing the Network Security console
Adjusting the Devices view
Adjusting the Incidents view
Adjusting the Policies view
Viewing node status
Restarting via the Network Security console
Rebooting nodes via the Network Security console
Restarting sensors via the Network Security console
Checking and applying licenses
For Windows, double-click the Symantec Network Security icon on the desktop. For Solaris or Linux, run the following command:
<path to java>/bin/java -Xmx256M -jar snsadmin.jar
For example:
/usr/SNS/java/jre/bin/java -jar snsadmin.jar
Note: The Network Security console must have Java 1.4 installed to run.
2 In Hostname, enter the hostname or IP address of the software or appliance node you want to monitor.
3 In Port, enter the port number. If in a cluster, all nodes must use the same port number.
4 In Username, enter the user name. Access and permissions depend on the user group of your login account.
5 In Passphrase, enter the passphrase established for your user login account, and click OK.
Caution: If a non-SuperUser uses the wrong passphrase, an Incorrect Username or Passphrase message appears. If this occurs multiple times (as specified by the Maximum Login Failures parameter), the Network Security console locks the non-SuperUser out. Even if the correct passphrase is used at that point, access is denied. Contact the SuperUser to create a new passphrase.
The Devices tab provides a hierarchical tree view of the network topology with a detailed summary of each device.
The Incidents tab provides detailed descriptions of security incidents and their correlated events taking place in the network, including sub-levels of packet detail.
The Policies tab provides the area for managing protection policies and automated responses at the point of entry.
On the Incidents tab, click Configuration > Table Font Size > OK.
On the Devices tab, see the Node Status Indicator for any software or appliance node. A red X or Node Status Indicator signifies that Network Security processes or network connectivity failed on a software or appliance node.
2 In Select Node, select the node that you want to restart from the pull-down list, and then click OK.
3 Wait until the progress bar indicates that the process is complete.
See also Restarting via the serial console on page 50. See also Restarting from the LCD panel on page 53.
In Select Node, select the node that you want to reboot from the pull-down list, and then click OK. Wait until the progress bar indicates that the process is complete.
Note: SuperUsers can reboot Network Security software nodes; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions. See also Rebooting nodes via the serial console on page 51. See also Rebooting nodes via the LCD panel on page 53.
See also Stopping via the serial console on page 51. See also Stopping via the LCD panel on page 54.
help
configure
start
restart
stop
unconfigure
install-bridge
uninstall-bridge
date
elevate
passwd
reboot
shutdown
This section describes the following subset of procedures available on the serial console:
Restarting via the serial console
Rebooting nodes via the serial console
Stopping via the serial console
Shutting down via the serial console
See the Symantec Network Security 7100 Series Implementation Guide for the full range of procedures available on the serial console.
1. Lock LCD
2. Change IP
3. Stop SNS
4. Start SNS
5. Shutdown Host
6. Restart Host
7. Unconfig SNS
This section describes the following subset of procedures available on the LCD panel:
Unlocking the LCD panel
Restarting from the LCD panel
Rebooting nodes via the LCD panel
Stopping via the LCD panel
Shutting down via the LCD panel
See the Symantec Network Security 7100 Series Implementation Guide for the full range of procedures available on the LCD panel.
Use the up/down arrow buttons to scroll through the character set, and the right arrow button to move the cursor after each character.
3 Press e to enter the password.
installation, this SuperUser can create additional user login accounts in any of the four groups from the Network Security console. Each group includes a predefined set of permissions and access. You can control user access using the predefined user groups, including managing user passwords and passphrases, tracking user actions, and limiting access via parameters.
Note: See User groups reference on page 353 for more detailed information about access and permissions for specific user groups.
The four user groups are unique to the Network Security console and do not extend to the serial console or the LCD panel. See the Symantec Network Security 7100 Series Implementation Guide for more information about the serial console and the LCD panel.
This section describes the following topics:
Managing user login accounts
Tracking user actions
Controlling user access
Adding user login accounts
Editing user login accounts
Deleting user login accounts
To add a new user login account
1 On the main menu bar, click Admin > Manage Users > Add.
2 In Add User, enter the Username, Passphrase, and confirm the passphrase.
3 In Group, select one of the four predefined groups from the pull-down list, and click OK.
4 In Manage Users, click OK to save and close.
Note: SuperUsers can add, modify, or delete the passphrase on any user login account in the Network Security console; Administrators, StandardUsers, and RestrictedUsers can modify only their own passphrases. See User groups reference on page 353 for more about permissions.
Changing the root password via the serial console
Changing the secadm password via the serial console
Setting Maximum Login Failures
Setting Lock LCD Screen
Tracking user actions
3 In the left pane under Login Parameters, click Maximum Login Failures.
4 In the lower right pane, enter the maximum number of failed attempts.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes to which you want to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Click True to lock the LCD panel. Click False to unlock the LCD panel.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes to which you want to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Single-node deployment: A peer relationship between one or more individual single nodes, viewed from one or more independent Network Security consoles.
Cluster deployment: A hierarchical relationship between one master node and up to 120 slave nodes that synchronize to the master node.
Both software and appliance nodes can be deployed using passive mode; only 7100 Series appliances can be deployed using in-line mode:
In-line deployment: Only the Symantec Network Security 7100 Series appliance can be deployed in-line at this time. In-line mode enables multiple features such as the ability to block specified traffic from entering the network.
Passive deployment: Both software and appliance nodes can be deployed in passive mode, and positioned near the network, where they do not impede network performance as a point of failure. No service is ever lost, even if the node fails. The possibility of failure can be mitigated by failover groups that maintain the availability of all nodes. See Establishing high availability failover on page 322.
Figure 3-1 (diagram; labels: Internet, Router, Host 1, Host 2, Host 3, Host 4, Attacker)
to passive monitoring mode. You can also deploy the appliance using a combination of these modes in a way that best suits your network.
About fail-open
Fail-open is an option when using in-line mode and is the default for passive mode. Fail-open means that if the appliance has a hardware failure, network traffic will continue. Since the Symantec Network Security 7100 Series appliance is directly in the network path while deployed using in-line mode, fail-open capability requires the purchase and installation of a separate device. The Symantec Network Security In-line Bypass unit has been custom designed to provide fail-open capability for the Symantec Network Security 7100 Series. The bypass unit is available in two models, which accommodate two or four in-line interface pairs respectively. Fail-open is available for all copper gigabit or Fast Ethernet interfaces on the appliance. It is not an option for fiber interfaces at this time. The In-line Bypass unit is only necessary for fail-open when appliance interfaces are configured for in-line mode. All interfaces configured in passive mode are fail-open by default.
Node parameters: Apply to individual nodes, either within a cluster or set up as peers. For more information about node parameters, see Configuring node parameters on page 345.
Cluster parameter: Applies to all nodes within a cluster. For more information about the cluster parameter, see Setting QSP Port Number on page 315.
Sensor parameters: Dictate sensor detection behavior. You can fine-tune sensor parameters to recognize normal traffic behavior on your system and alert you to suspicious behavior. For more information about sensor parameters, see Configuring sensor detection on page 168.
Symantec Network Security provides node parameters to configure the following tasks on each node:
See Setting Maximum Login Failures on page 59.
See Setting email notification parameters on page 149.
See Setting SNMP notification parameters on page 152.
See Tuning incident parameters on page 237.
See Configuring FlowChaser on page 248.
See Setting automatic logging levels on page 278.
See Archiving log files on page 279.
See Compressing log files on page 282.
See Exporting data on page 285.
See Integrating via Smart Agents on page 316.
See Configuring watchdog processes on page 328.
See Configuring advanced parameters on page 346.
For information about advanced cluster management, see Managing node clusters on page 309. This section includes the following:
Deploying software and appliance nodes in a cluster
Monitoring groups within a cluster
See the Symantec Network Security Installation Guide and the Symantec Network Security 7100 Series Implementation Guide for special considerations when upgrading or migrating clusters.
Creating a monitoring group
Assigning a monitoring group
Renaming a monitoring group
Choosing monitoring groups
Deleting a monitoring group
Note: Always align the assignment of a node to a monitoring group with the view of that monitoring group. If you assign a node to a different monitoring group than the monitoring group that defines your incident subset, you can miss events even though the sensors detect them. See Choosing monitoring groups on page 69.
If you view incidents from a node in a different monitoring group than the monitoring group that defines your view subset, you can miss events even though the sensors detect them. See Choosing monitoring groups on page 69.
Note: All users can select monitoring groups. See User groups reference on page 353 for more about permissions.
Part II
Initial Configuration
This section explains how to set up your Symantec Network Security intrusion detection system. After getting started, indicate what to monitor by creating a network topology database, what kind of activity to look for by configuring detection signatures and parameters, and how to respond by establishing protection policies and response rules:
About the network topology
Managing the topology tree
Adding nodes and objects
The Devices tab provides a tree-oriented view of the network topology with a detailed summary of each device. When you select an object from the topology tree in the left pane, the right pane displays related information. Symantec Network Security updates this information at frequent intervals, so the status remains current. This section describes the following topics:
Types of objects
The Devices tab displays the following types of objects to represent the elements of your network and security system:
Locations: Objects that represent physical or logical groups of one or more network segments. The installation procedure automatically creates the first location object, named Enterprise by default.
Symantec Network Security nodes: The object category for both software and appliance nodes.
Software nodes: Objects that represent the Symantec Network Security software installed on a designated computer.
7100 Series nodes: Objects that represent the Symantec Network Security 7100 Series appliances.
Routers: Objects that represent devices that store data packets and forward them along the most expedient route. Symantec Network Security monitors this connection between hosts or networks.
Interfaces: Objects that represent boundaries across which separate elements can communicate. Interfaces provide the point of contact between Symantec Network Security and routers.
Network devices: The object category for both routers and router interfaces.
Smart Agents: Objects that represent the entry point for event data from Symantec Decoy Server, Symantec Network Security Smart Agents, and other third-party sensors.
Managed network segments: Objects that represent subnets in which the network devices and interfaces reside. The Network Security console automatically creates a network segment object for each unique subnet.
Interfaces: Objects that represent boundaries across which separate elements can communicate. Interfaces provide the point of contact between Symantec Network Security and your network devices.
Monitoring interfaces: Objects that represent dedicated ports that mirror incoming or outgoing traffic on a software or appliance node.
In-line pairs: Objects that represent pairs of interfaces on a 7100 Series appliance node that are directly in the network traffic path. For a given flow, one interface connects to inbound traffic and the other to outbound traffic. Only in-line pairs can be configured to block malicious traffic.
Interface groups: Objects that represent groups of two to four interfaces on a 7100 Series appliance node that share a common sensor. Interface groups are used to monitor asymmetrically routed network environments, and are configurable only on 7100 Series nodes.
Device Type: Displays the type of device selected.
IP address: Displays the IP address of the selected device, or the management IP address for a device with multiple IP addresses.
Node Number: Displays the node number assigned to the software or appliance node, between 1 and 120.
Customer ID: Displays an optional user-defined ID. Customer IDs for in-line pairs and interface groups reflect the 7100 Series appliance nodes to which they belong.
Model: Displays the model number of a 7100 Series appliance, either 7120, 7160, or 7161.
Monitoring Group: Identifies the monitoring group of the selected device, if any.
Monitored Networks: Identifies the networks for which port usage patterns are tracked and anomalies detected. Displayed only if you entered network IP addresses on the Network tab when editing interfaces, adding in-line pairs, or adding interface groups. Available only on 7100 Series interfaces.
TCP Reset Interface: Displays the interface that sends TCP resets; either eth0, eth1, or eth2, corresponding to your choice of RST0, RST1, or RST2 when you added the interface group.
Bandwidth: Displays the expected throughput for the selected object.
Sensor Status: Displays the current status of the related sensor.
Description: Displays a brief optional description of the object.
Active Security Incidents: Displays the active incidents of the selected topology object, with name, state, node number, and last date modified.
Mapping the existing network
Gathering information
Adding objects for the first time
Note: SuperUsers can view, add, edit, and delete all objects in the topology tree. Administrators can view, add, edit, and delete most objects in the topology tree except for software nodes and 7100 Series appliance nodes. StandardUsers and RestrictedUsers can view the topology tree. See User groups reference on page 353 for more about permissions.
Locations: Decide whether to divide the network into logical or physical groupings, depending on the network setup. A physical grouping might include all segments within a single building. A logical grouping might include all segments used by one department spread throughout multiple buildings.
Managed Network Segments: Within each location, identify the existing network segments.
Devices: Within each location or managed network segment, identify the routers that will send data to Symantec Network Security.
Interfaces: For each router, decide which interfaces you want Symantec Network Security to monitor, and which interfaces Symantec Network Security only needs to be aware of so that it can track an attack through them.
The following diagram shows an example of a simple topology map including locations, segments, devices, device interfaces and attachments between interfaces. This example might help you when taking inventory of your own network topology:
Figure 4-1 Sample Network Topology Map (diagram; label: Interface)
Gathering information
After you have taken an inventory of your existing network, you can provide this information to the Symantec Network Security database by populating the topology tree. To prepare for this, we recommend that you gather information specific to each element of your topology. This section describes the information and conventions common to most devices and network elements that you might need to provide. Each individual procedure includes device-specific information.
You can save time if you review both the general information and each procedure, and verify that you have all the necessary data before starting the procedure. The following table describes the kind of information you will need to provide when populating the topology tree:
Table 4-1
Field
Name
Description
Customer IDs
Node number
Synchronization passphrases
Viewing auto-generated objects
Viewing node details
Viewing node status
Adding objects for the first time
Editing objects
Deleting objects
Reverting changes
Saving changes
Forcing nodes to synchronize
Backing up changes
On the Devices tab, click the corresponding device object. The Network Security console displays the details and optional description in the right pane.
On the Devices tab, see the Node Status Indicator for any software or appliance node. A red X or Node Status Indicator signifies that Network Security processes or network connectivity failed on a software or appliance node.
Locations
Nodes and interfaces: See About nodes and interfaces on page 88.
Network devices: See About router objects on page 105.
Smart Agents: See About Smart Agents on page 108.
Managed Network Segments: See About managed network segments on page 112.
Editing objects
The Network Security console provides a way to edit any user-created object, and some default objects.
To edit an object
1 On the Devices tab, right-click the object you want to edit, and then click Edit.
2 Edit each field as necessary, and click OK to save and exit.
About location objects
About nodes and interfaces
About router objects
About Smart Agents
About managed network segments
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
Note: SuperUsers can add, edit, and delete Symantec Network Security software and appliance nodes. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot add, edit, or delete them. See User groups reference on page 353 for more about permissions.
Deleting objects
This section describes how to delete nodes, objects, and interface objects not created automatically during installation.
Caution: When an object is deleted, all of its sub-objects are also deleted.
To delete an object
1 On the Devices tab, right-click the object from the topology tree, and click Delete.
2 In Warning, click OK.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
Note: SuperUsers can add, edit, and delete any nodes (both software and appliance nodes) or objects that they create. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot add, edit, or delete them. See User groups reference on page 353 for more about permissions.
Reverting changes
The Network Security console provides a way to undo, cancel, or revert changes to the topology tree, if you change your mind before saving.
Note: SuperUsers and Administrators can undo, cancel, or revert changes to the topology tree; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
To undo changes to the topology tree
1 On the main menu bar, click Topology > Revert Changes before saving changes.
2 In Warning, click Discard.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
Saving changes
The Network Security console provides a way to save all changes to the topology tree. Any unsaved changes will be lost upon quitting the Network Security console.
On the main menu bar, click Topology > Save Changes before quitting the Network Security console. It can take a few minutes for topology changes to process. Caution: Any unsaved changes are lost when you exit the Network Security console.
Backing up changes
We recommend that you back up the topology database on a regular basis. See Backing up and restoring on page 332.
About location objects
About nodes and interfaces
About Network Security software nodes
About 7100 Series appliance nodes
About router objects
About Smart Agents
About managed network segments
To add or edit a location object
1 On the Devices tab, do one of the following:
Click Topology > Add Location.
Right-click an existing location object (Enterprise by default), and click Edit from the pop-up menu.
2 In Add Location or Edit Location, enter a descriptive name for the location of up to 40 characters. This name appears in the topology tree. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters. See User name and passphrases on page 79.
4 Click Color, and select a color to associate with this location. At a glance, you can view the Incidents tab and see by the color which incidents and events were detected in this location. You can select any color except white. Click OK or Reset.
5 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
Under any location object, SuperUsers can add the following nodes and objects:
See About router objects on page 105.
See About nodes and interfaces on page 88.
See About Smart Agents on page 108.
See Deleting objects on page 83.
Network Security software nodes: The objects that represent Symantec Network Security software installed on designated computers. See Adding or editing software nodes on page 89.
7100 Series appliance nodes: The objects that represent Symantec Network Security software installed on the new Symantec Network Security 7100 Series appliance. See Adding or editing 7100 Series nodes on page 95.
Node interfaces: Interface objects represent the point of contact between Symantec Network Security and the devices in the network. Some interface objects are mandatory, others are optional. See About monitoring interfaces on software nodes on page 92. See About 7100 Series interfaces on page 98. See About router interfaces on page 107. See About Smart Agent interfaces on page 111.
Note: SuperUsers can add, edit, and delete both software or appliance nodes. Administrators, StandardUsers, and RestrictedUsers can view them only. See User groups reference on page 353 for more about permissions.
To add or edit a software node
1 On the Devices tab, do one of the following:
Right-click Symantec Network Security Nodes, and select Add Node > Software Node > OK.
Right-click an existing node, and click Edit from the pop-up menu.
2 In Add Software Node or Edit Software Node, enter a descriptive name of up to 40 characters for the device. This name appears in the topology tree. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters. See Customer IDs on page 79.
4 In IP, enter the IP address for the node. You can position Symantec Network Security in front of and/or behind a NAT device. If behind, provide a local IP address and an administration IP address. Use the administration IP address when adding the node to the topology tree.
Note: If you change the IP address of a physical node, you must edit the Advanced Network Options tab. Verify that the values in the Netmask and Default Router fields are valid for the new IP address. See Viewing advanced network options on page 91.
5 In Node Number, enter a unique node number between 2 and 120, inclusive, not assigned to any other node in the cluster.
Note: Use this same number when you install Symantec Network Security on the designated computer. See Node number on page 79.
6 In Monitoring Group, select a group from the pull-down list.
7 In Failover Group Information, do one of the following:
If you do not want to provide failover, proceed to the next step.
If you want to provide failover, click Failover Group Member, and provide a Failover Group Number between 1 and 99, inclusive. All nodes within the failover group must use the same group number. See Establishing high availability failover on page 322.
If adding a software node in a cluster, in Master Node Sync Information, enter the synchronization password. Use the same passphrase when you install Symantec Network Security on the designated computer. See Synchronization passphrases on page 80.
If editing a software node, proceed to the next step.
See Description on page 79.
Note: After adding a software node to the topology tree, you must install Symantec Network Security on the designated computer. The installation process populates the fields in the Advanced Network Options tab. See Viewing advanced network options on page 91.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
For the sensor to run, you must add interfaces and a protection policy to each interface. To enable TrackBack to query flow data from this node, you must apply the sensor parameter for flow statistics, and execute the TrackBack response rule.
See About monitoring interfaces on software nodes on page 92.
See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Deleting objects on page 83.
Default Router: Indicates the IP address of the router that sends network traffic to and from the node. Required field.
DNS Server 1: Indicates the primary Domain Name Service server for the node, which maps hostnames to IP addresses.
Indicates the secondary Domain Name Service server for the node.
Indicates the name of the host.
Note: You must reboot the node after editing these fields. See About monitoring interfaces on software nodes on page 92.
To add or edit a monitoring interface to a software node
1 On the Devices tab, do one of the following:
Right-click the software node, and select Add Monitoring Interface from the pop-up menu.
Right-click an existing monitoring interface object, and click Edit from the pop-up menu.
2 In Add Monitoring Interface or Edit Monitoring Interface, enter a descriptive name. See Name on page 79.
3 In Interface Name, enter the interface name. If entered incorrectly, the monitoring interface will not function.
4 In Customer ID, enter an optional Customer ID. See Customer IDs on page 79.
5 In Expected Throughput, enter the expected throughput from the pull-down list.
6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
See Deleting objects on page 83.
To add or edit monitored networks
1 In Add Monitoring Interface or Edit Monitoring Interface, on the Networks tab, do one of the following:
2 In Add Network or Edit Network, replace the default 0.0.0.0/0 with all valid network IP addresses monitored by this interface, in CIDR format.
3 Click OK.
Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.
To add or edit a 7100 Series node
1 On the Devices tab, do one of the following:
Right-click Symantec Network Security Nodes, and select Add Node > 7100 Series Node > Select A Model. Click the desired model number and click OK.
Right-click an existing node, and click Edit on the pop-up menu.
Note: The model number of a 7100 Series node cannot be edited. To change it, you must delete the node object and add a new one using the desired model number.
2 In Add 7100 Series Node or Edit 7100 Series Node, enter a descriptive name of up to 40 characters for the device. This name appears in the topology tree. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters. See Customer IDs on page 79.
4 In IP, enter the IP address for the node. If the node is behind a NAT router, this IP address is the publicly visible address.
Note: If you change the IP address of a node, a prompt requests you to edit settings in the Advanced Network Options tab. Make sure the values in the Netmask and Default Router fields are valid for the new IP address. See Viewing advanced network options on page 97.
5 In Node Number, enter a unique node number between 2 and 120, inclusive, that is not assigned to any other node in the cluster.
Note: Use this same number for the QSP Node Number during initial configuration on the designated appliance. See Node number on page 79.
6 In Monitoring Group, select a group from the pull-down list.
7 In Failover Group Information, do one of the following:
If you do not want to provide failover, proceed to the next step.
If you want to provide failover, click Failover Group Member, and provide a Failover Group Number between 1 and 100, inclusive. All nodes within the failover group must use the same group number. See Establishing high availability failover on page 322.
If adding a 7100 Series node in a cluster, in Master Node Sync Information, enter the synchronization password. Use the same passphrase for the Master Node Password during initial configuration on the designated appliance. See Synchronization passphrases on page 80.
If editing a 7100 Series node, proceed to the next step.
In Description, enter an optional description of up to 255 characters, and click OK. You may want to enter the serial number of the appliance here for later reference. The serial number is found on the label on the back panel of the appliance, with the prefix S/N. See Description on page 79. Note: After adding a 7100 Series node to the topology tree, you must perform initial configuration on the designated appliance. The initial configuration process populates the fields in the Advanced Network Options tab. See Viewing advanced network options on page 97. Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
Adding the 7100 Series node automatically creates the interface objects. You cannot add or delete interfaces on a 7100 Series node, but you can create interface groups or in-line pairs from the existing interfaces on the node. For the sensor to run, you must add a protection policy to each interface, interface group, or in-line pair. To enable TrackBack to query flow data from this node, you must apply the sensor parameter for flow statistics, and execute the TrackBack response rule.
See About 7100 Series interfaces on page 98.
See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Deleting objects on page 83.
To view the advanced network options
1 On the Devices tab, right-click an existing 7100 Series node, and click Edit on the pop-up menu.
2 In Edit 7100 Series Node, click the Advanced Network Options tab.
The following list describes the advanced network option fields for a 7100 Series node:
Local IP: Indicates the internal IP address for a node behind a NAT router.
Netmask: Indicates which part of the node's IP address applies to the network. Required field.
Default Router: Indicates the IP address of the router that sends network traffic to and from the node. Required field.
DNS Server 1: Indicates the primary Domain Name Service server for the node, which maps hostnames to IP addresses.
DNS Server 2: Indicates the secondary Domain Name Service server for the node.
Hostname: Indicates the hostname of the 7100 Series node.
Note: See the Symantec Network Security 7100 Series Implementation Guide to find out how to change the IP address of a node using the LCD panel.
See Editing monitoring interfaces on 7100 Series nodes on page 99.
See Adding or editing interface groups on page 101.
See Adding or editing in-line pairs on page 103.
Monitoring interface: A single interface that monitors network traffic copied to it from a network device. Also known as a passive mode interface. Monitoring interface objects are added by default when a node object is added, and should be edited.
Interface group: Two to four passive mode interfaces sharing a single sensor. Used in an asymmetrically routed environment.
In-line pair: Two interfaces cabled into the actual network traffic path, and configured for in-line mode. Allows blocking of malicious traffic.
The monitoring interface objects of a 7100 Series appliance node are automatically generated when the node is added to the topology. You cannot manually add or delete monitoring interfaces, but you must edit them to ensure that Network Security functions properly. SuperUsers can add, edit, or delete interface group and in-line pair objects. This section describes the following procedures:
Editing monitoring interfaces on 7100 Series nodes
Adding or editing interface groups
Adding or editing in-line pairs
To edit a monitoring interface on a 7100 Series node
1 On the Devices tab, right-click an existing monitoring interface object, and click Edit on the pop-up menu.
2 In Edit Monitoring Interface, optionally enter a descriptive name. See Name on page 79.
3 In Customer ID, optionally enter a Customer ID. See Customer IDs on page 79.
4 In Expected Throughput, click the expected throughput on the pull-down list.
5 In TCP Reset Interface, click the reset interface on the pull-down list. The reset interface must be cabled to access the monitored network. See the Symantec Network Security 7100 Series Implementation Guide.
6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Note: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
See Deleting objects on page 83.
To add or edit monitored networks
1 In Add Monitoring Interface or Edit Monitoring Interface, on the Networks tab, do one of the following:
2 In Add Network or Edit Network, replace the default 0.0.0.0/0 with all valid network IP addresses monitored by this interface, in CIDR format.
3 Click OK.
Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor on the interface. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.
To add or edit an interface group
1 On the Devices tab, do one of the following:
Right-click the 7100 Series node object, and click Add Interface Group on the pop-up menu.
Right-click an existing interface group object, and click Edit on the pop-up menu.
2 In Add Interface Group or Edit Interface Group, enter a descriptive name. See Name on page 79.
3 In Expected Throughput, click the expected throughput on the pull-down list.
4 In TCP Reset Interface, click the reset interface on the pull-down list. The reset interface must be cabled to access the monitored network. See the Symantec Network Security 7100 Series Implementation Guide.
5 In Description, enter an optional description of up to 255 characters. See Description on page 79.
6 On the Networks tab, click Add, enter the network IP address of all networks monitored by this interface group using CIDR format, and click OK.
Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor on the interface. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.
7 On the Interfaces tab, press Ctrl and click to select multiple interfaces for the interface group, and click OK.
Note: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
To add or edit an in-line pair
1 On the Devices tab, do one of the following:
Right-click the 7100 Series node object, and click Add In-line Pair on the pop-up menu.
Right-click an existing in-line pair object, and click Edit on the pop-up menu.
2 In Add In-line Pair or Edit In-line Pair, enter a descriptive name. See Name on page 79.
3 In Expected Throughput, click the expected throughput on the pull-down list.
4 In Pair, click the interface pair on the drop-down list. The selected interfaces must be cabled for in-line mode. See the Symantec Network Security 7100 Series Implementation Guide.
5 In Description, enter an optional description of up to 255 characters. See Description on page 79.
6 On the Networks tab, click Add, enter a network IP address in CIDR format, and click OK. Enter all networks monitored by this in-line pair.
Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor on the interface. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.
7 Click OK to add the in-line pair object to the topology.
Note: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
See Deleting objects on page 83.
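The caution above is repeated for monitoring interfaces, interface groups and in-line pairs: a sensor started with the default 0.0.0.0/0 still in the Networks tab fills the database with invalid data. The following is an added example, not code from the Symantec guide or product, that applies the same rule as a pre-flight check to a list of Networks-tab entries. The CIDR strictness and duplicate handling are assumptions of this example; the product's own validation is not documented here.

```python
"""Check a list of Networks-tab entries before a sensor is started.

Added example, not part of the Symantec documentation or product: it models
the caution above (replace the default 0.0.0.0/0 with the real monitored
networks in CIDR form) as a pre-flight check.  Entry handling rules
(strict CIDR, no duplicates) are assumptions of this example.
"""
import ipaddress

# The console's default Networks entry, which must not be left in place.
DEFAULT_ENTRY = ipaddress.IPv4Network("0.0.0.0/0")


def parse_networks(entries):
    """Return (networks, problems) for a list of Networks-tab strings.

    networks: ipaddress.IPv4Network objects for the acceptable entries.
    problems: one message per entry that must be corrected before a sensor
              is started on the interface, group or in-line pair.
    """
    networks, problems, seen = [], [], set()
    for raw in entries:
        entry = raw.strip()
        if not entry:
            problems.append("empty entry")
            continue
        if "/" not in entry:
            problems.append(f"{entry}: not in CIDR format (missing /prefix)")
            continue
        try:
            # strict=True rejects host bits set below the prefix, e.g. 10.1.2.3/24
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
            continue
        if net == DEFAULT_ENTRY:
            problems.append(f"{entry}: default entry must be replaced")
            continue
        if net in seen:
            problems.append(f"{entry}: duplicate entry")
            continue
        seen.add(net)
        networks.append(net)
    return networks, problems


def overlapping_pairs(networks):
    """Pairs of accepted networks where one contains the other (redundant)."""
    pairs = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def ready_to_start_sensor(entries):
    """True only when every entry is a valid, non-default CIDR network."""
    networks, problems = parse_networks(entries)
    return bool(networks) and not problems


if __name__ == "__main__":
    # Constructed sample: one interface whose Networks tab still holds the
    # default plus a mis-typed entry.
    sample = ["0.0.0.0/0", "10.1.2.3/24", "10.1.0.0/16", "192.168.10.0/24"]
    nets, probs = parse_networks(sample)
    print("accepted:", [str(n) for n in nets])
    print("problems:", probs)
    print("ready to start sensor:", ready_to_start_sensor(sample))
```

Running the check on an exported list of entries before clicking Apply on the sensor gives the same answer for all three object types, since the Networks tab behaves identically on each.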
To configure link state
1 On the Devices tab, right-click an appliance node interface object, and click Configure Link State from the pop-up menu.
2 In Link On Active, do one of the following:
Select Enable if the node is part of a failover setup.
Select Disable if the node is not part of a failover setup.
3 Do one of the following:
Select Auto-Negotiate to enable Symantec Network Security to automatically select link speed and link duplex at both ends of the connection.
Deselect Auto-Negotiate to manually configure the link speed and link duplex for the interface. You must also apply the same link speed and link duplex settings at the other end of the connection.
4 In Link Speed (Mbps), select a speed from the pull-down menu. Link Speed is disabled when Auto-Negotiate is enabled.
5 In Link Duplex, do one of the following:
Select the Half radio button to choose half-duplex. Half-duplex is invalid if the link speed is set at 1000 Mbps.
Select the Full radio button to choose full-duplex.
Link Duplex is disabled when Auto-Negotiate is enabled.
See also Establishing high availability failover on page 322.
See also Enable PLSC (Propagate Link State Change) on page 184.
To add or edit a router object
1 On the Devices tab, do one of the following:
Right-click Network Devices or Location (Enterprise by default), and select Add Router from the pop-up menu.
Right-click an existing router object, and click Edit from the pop-up menu.
2 In Add Router or Edit Router, enter a descriptive name of up to 40 characters for the device. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.
4 In IP, enter the IP address for the device.
5 In SNMP, enter an optional SNMP password of up to 64 characters, and confirm it.
6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
To enable TrackBack to query flow data from a router, you must add interfaces to each router object, apply the sensor parameter for flow statistics, and execute the TrackBack response rule. You can also view flow data from routers and enable flow alert rules.
See About router interfaces on page 107.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Managing flow alert rules on page 162.
See Deleting objects on page 83.
To add or edit a router interface object
1 On the Devices tab, do one of the following:
Right-click the router object, and click Add Interface from the pop-up menu.
Right-click an existing router interface object, and click Edit from the pop-up menu.
2 In Add Router Interface or Edit Router Interface, enter a descriptive name up to 40 characters long. See Name on page 79.
3 In Interface Name, enter the name of the interface, following the manufacturer's interface naming convention. See Interface name on page 80.
4 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.
5 In IP, enter the IP address for the interface.
6 In Netmask, enter the netmask for the interface.
7 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
If you add an interface within a network segment that does not yet have an object in the topology tree, Symantec Network Security automatically creates an object for the new network segment under the Managed Network Segments category. You can edit the default name (Untitled) and description for this new network segment object.
See About managed network segments on page 112.
See Deleting objects on page 83.
Symantec Network Security, which leverages its correlation, analysis, and response functionality. Symantec Network Security contains an internal Smart Agent configuration to integrate Symantec Decoy Server events. To integrate events from any other external sensor, you must install an external Smart Agent designed for that sensor, and add a Smart Agent object to the topology tree to represent it.
To add or edit a Smart Agent object
1 On the Devices tab, do one of the following:
Right-click Enterprise or Smart Agents, and select Add Smart Agent from the pop-up menu.
Right-click an existing Smart Agent object, and click Edit from the pop-up menu.
2 In Add Smart Agent or Edit Smart Agent, enter a descriptive name of up to 40 characters for the device. This name appears in the topology tree. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.
4 In IP, enter the IP address for the device.
5 In Type, indicate the type from the pull-down list.
6 In Receiver, indicate the node to receive data from this Smart Agent from the pull-down list.
7 In EDP Password, do one of the following:
If you are adding a new Smart Agent, provide a password between 8 and 64 characters long, for Symantec Network Security to communicate with the Smart Agent via EDP proxy (Event Dispatch Protocol).
If you are editing an existing Smart Agent, you cannot directly edit the EDP Password. To change the EDP Password, you must delete the object, create a new object, and provide the desired password. See Deleting objects on page 83. See also Changing passphrases on page 314.
8 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
You can add interface objects to each Smart Agent object in the topology tree. For the sensor to run, you must add interfaces and at least one protection policy to the interface. To enable TrackBack to query flow data from this object, you must apply the sensor parameter for flow statistics, and execute the TrackBack response rule.
See About Smart Agent interfaces on page 111.
See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Integrating with Symantec Decoy Server on page 319.
See Deleting objects on page 83.
To add or edit a Smart Agent interface object
1 On the Devices tab, do one of the following:
Right-click the Smart Agent object for which you want to create an interface, and click Add Smart Agent Interface from the pop-up menu.
Right-click an existing Smart Agent Interface object, and click Edit from the pop-up menu.
2 In Add Smart Agent Interface or Edit Smart Agent Interface, enter a descriptive name. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.
4 In IP, enter the IP address for the interface.
5 In Netmask, enter the netmask for the interface.
6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Deleting objects on page 83.
To edit a network segment object
1 On the Devices tab, right-click an object under a managed network segment, and click Edit.
2 In Edit Network Segment, enter a descriptive name of up to 40 characters for the device. This name appears in the topology tree. See Name on page 79.
3 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.
Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.
Chapter
Protection policies
This chapter includes the following topics:
About protection policies
Using protection policies
Adjusting the view of event types
Enabling or disabling logging rules
Defining new protection policies
Updating policies automatically
Annotating policies and events
Backing up protection policies
For example, when the 7100 Series appliance is deployed in-line, it can perform session-based blocking against malicious traffic and prevent attacks from reaching their targets.
Direct the protection: If the data indicates that unexpected traffic is about to penetrate the firewall or router, you can block it by configuring a protection policy with blocking enabled. The option to block is available only using a Symantec Network Security 7100 Series appliance that is deployed in-line. See Overriding blocking rules globally on page 119.
Direct the response: You can configure Symantec Network Security to respond automatically to traffic across the network by configuring a response rule, such as alerting, capturing data, tracking, and more. See Setting response actions on page 147.
[Diagram: overview of protection policy tasks. View unaltered event list; adjust view of list; select events to apply logging and/or blocking rules. View Search Events; adjust view of list; select events to apply logging and/or blocking rules. Configure LiveUpdate so any new event types that match criteria are logged. Apply/Unapply policies.]
Protection Policies tab: Symantec Network Security installs with a set of pre-defined policies that you can use immediately by setting them to interfaces, overriding existing blocking rules, and applying them.
Selecting pre-defined policies
Setting policies to interfaces
Applying to save changes
Overriding blocking rules globally
Undoing policy settings
Search Events tab: At first, the Search Events tab displays the full list of event types that the selected policy can detect. You can reduce this list to a more manageable size by setting search parameters. Then the Search Results pane displays a subset of the types of events that you specified. You can apply logging and/or blocking rules from this tab, and add new protection policies that you define yourself.
Searching to create a subset of event types
Adding or editing user-defined protection policies
Enabling or disabling logging rules
Enabling or disabling blocking rules
Full Event List tab: The Full Event List displays all event types that the selected policy can detect. Even after you define the display on the Search Events tab, you can use the Full Event List to view the total list of all event types. You can also set logging and blocking rules from this tab.
Auto Update tab: Provides the ability to establish automatic policy, signature, and engine updates through LiveUpdate.
Notes tab: Provides the ability to annotate policies so that your note is displayed as a tool tip when you hover the cursor over the annotated policy.
immediately activate them by setting them to interfaces and applying them. You can also define your own policies and activate them using the same procedures.
[Diagram: using protection policies. 2. Set to interfaces. 3. Click Apply to save. Option: You can also override blocking rules here.]
Selecting pre-defined policies
Setting policies to interfaces
Applying to save changes
Overriding blocking rules globally
Undoing policy settings
Note: In a cluster, the master node stores the definitions of protection policies that you apply to slave nodes. If the master node fails or is demoted to slave, the link is broken between applied policies and their definitions. Slave nodes sometimes then appear to have viable policies applied that in reality are disabled. Prevent losing policies through failure by backing up the master node. Prevent losing policies when demoting by reapplying policy definitions to the new master node. See Backing up and restoring on page 332.
by configuring a protection policy with blocking enabled. You can enable blocking only on in-line interface pairs on a 7100 Series node. To make sure that blocking is enabled at the event list level, see also Enabling or disabling blocking rules on page 128.
To enable or disable blocking on in-line interfaces
1 On the Policies > Protection Policies tab, in the right pane, click an in-line pair.
2 Do one of the following:
3 In the Protection Policies tab, click Apply to save and apply changes.
Searching to create a subset of event types
Adjusting the view by columns
Viewing event type details
[Diagram: 1. Set search parameters to select event types that match certain characteristics. 2. Click Logged and/or Blocked to display event types that have logging or blocking rules.]
To adjust the view by searching for specific characteristics
1 On the Policies > Protection Policies tab, do one of the following:
Click New > Search Events.
Select a policy, and click View > Search Events.
Select a policy, and click Edit > Search Events.
2 Provide some or all of the following search criteria:
In Event Name, enter a name to distinguish this search.
In Protocol, select a protocol from the pull-down list.
In Category, select a category from the pull-down list.
In Severity, set a severity level from the pull-down list.
In Confidence, set a confidence level from the pull-down list.
In Intent, select an intention from the pull-down list.
In Blocked, specify whether you want to view events that have blocking rules applied to them.
In Logged, specify whether you want to view events that have logging rules applied to them.
In Note, specify the contents of the Note to search for events containing the specified contents.
3 Click Search Events. Search Results displays the total number of items shown in the subset.
4 Click OK to save these search criteria.
Note: Remember that the policy still contains the full list of event types. This search has provided a shorter, more manageable subset to view.
To adjust the view by columns
1 Do one of the following:
Click New.
Select a protection policy, and click View.
2 Do one of the following:
Click Search Events.
Click Full Event List.
3 Click Columns.
4 In Table Column Chooser, click each column that you want to see, unclick each that you want to hide, and click OK.
5 Optionally, click any column heading to sort the entire table based on that column.
6 Click OK.
View an event description by right-clicking an event type, and clicking View Description to display a detailed description in your browser.
View logging and blocking rules by selecting an event type, and clicking Log/Block.
Select all event rows by clicking Select All. If selecting to view all events includes event types with various settings, then clicking Log/Block will not display the settings.
Adjust the view by clicking Columns to sort, move, or display columns. See also Adjusting the view by columns on page 123.
[Diagram: defining a new protection policy. 2. Enter a Name for the new protection policy. Optional: Apply search parameters to display a subset of event types. 3. Click Log/Block to set logging and blocking rules in the new policy. 4. Set Logging rules to alert you when specified event types are detected. The alerts will be displayed in the Incidents tab. Optional: Click here to be alerted periodically about non-logged event types. 5. Set Blocking rules to prevent specified event types from entering the network.]
Cloning existing protection policies
Enabling or disabling logging rules
Enabling or disabling blocking rules
Overriding blocking rules globally
Deleting user-defined protection policies
1 Do one of the following:
Click New.
Select an existing protection policy, and click Clone > Edit.
2 In Policy Name, enter a unique name to distinguish this policy.
3 You have the option of doing any or all of the following:
In Search Events, you can change the search parameters to display a more manageable subset of event types to apply rules. See Searching to create a subset of event types on page 121.
In Search Results, you can adjust the view. See Adjusting the view by columns on page 123.
4 In Search Results, define the policy by doing any or all of the following:
For software and appliance nodes, select event types to apply logging rules to direct the monitoring of events. See Enabling or disabling logging rules on page 126.
For 7100 Series appliance nodes only, select event types to apply blocking rules. Software nodes do not currently support blocking rules. See Enabling or disabling blocking rules on page 128.
5 In Search Events, click OK to exit.
6 In the Protection Policies tab, click Apply to save and apply changes.
To clone a protection policy
1 On the Policies > Protection Policies tab, select a protection policy.
2 Click Clone.
3 In Clone Policy, enter a name for the new protection policy, and click OK.
4 In the Policies > Protection Policies tab, select the cloned protection policy.
5 Click Edit to modify the cloned protection policy. See Adding or editing user-defined protection policies on page 125.
To enable logging rules to monitor events
1 On the Policies > Protection Policies tab, do one of the following:
Click New > Full Event List.
Select a protection policy, and click Edit > Full Event List. You can edit user-defined protection policies only.
2 To adjust your view of the event list, click Columns. See Adjusting the view by columns on page 123.
3 To select the events, do one of the following:
To select the entire event list, click Select All.
To select a subset of events, press Ctrl and select multiple events.
4 Click Log/Block. You can enable logging rules independently of blocking rules. See also Enabling or disabling blocking rules on page 128.
5 In Logging Options, do one of the following:
Click Log Event to enable logging. This generates an event in the Incidents tab each time a selected event is detected and blocked.
Unclick Log Event to disable logging.
6 If you enabled logging, then under Log Event, do one of the following:
To log all events, click Log For All IPs.
To log selected events, click Log For Selected IP Ranges.
To avoid logging selected events, click Log All Except IP Ranges. You can use this option as a partial filter to alert you periodically about non-logged event types.
7 If you chose to log a subset of events, then in IP Ranges, specify the subset by doing the following:
Provide the Source and Destination IP addresses.
Provide the optional mask and port numbers, and click Add.
8 In Logging Options, you can keep track of non-logged event types by clicking For Every Non-Logged Events Log One Event and entering a number.
9 In Note For Selected Event Type(s), you can add an optional note, and click OK. Event Details displays this annotation each time this policy detects the annotated event. See Viewing event details on page 221.
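The options above combine in a way that is easy to get wrong: Log Event on or off, the scope (all IPs, selected ranges, all except ranges), the IP Ranges rows, and the counter that samples one summary event per N non-logged detections. The following is an added example, not code from the Symantec guide or product, that models one logging rule so the combination can be tested against constructed detections. The class and field names, the treatment of 0.0.0.0/0 and of an unset port as wildcards, and the exact arithmetic of the sampling counter are assumptions of this example.

```python
"""Model of one protection-policy logging rule with IP-range scope.

Added example, not the product's code: it shows how the Logging Options
above combine.  Log Event on/off, the scope (Log For All IPs, Log For
Selected IP Ranges, Log All Except IP Ranges), the IP Ranges rows, and the
'For Every N Non-Logged Events Log One Event' counter.  Class and field
names, and the exact sampling arithmetic, are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ALL_IPS = "all"               # Log For All IPs
SELECTED_RANGES = "selected"  # Log For Selected IP Ranges
ALL_EXCEPT_RANGES = "except"  # Log All Except IP Ranges


@dataclass(frozen=True)
class IPRange:
    """One row of the IP Ranges table: source/destination network and optional ports.

    A network of 0.0.0.0/0 matches any address; a port of None matches any port.
    """
    source: str
    destination: str
    source_port: Optional[int] = None
    destination_port: Optional[int] = None

    def matches(self, src_ip, dst_ip, src_port, dst_port):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination):
            return False
        if self.source_port is not None and self.source_port != src_port:
            return False
        if self.destination_port is not None and self.destination_port != dst_port:
            return False
        return True


@dataclass
class LoggingRule:
    log_event: bool = True                 # the Log Event checkbox
    scope: str = ALL_IPS
    ip_ranges: List[IPRange] = field(default_factory=list)
    log_one_per_non_logged: int = 0        # 0 = counter disabled
    non_logged_seen: int = 0               # running counter, per rule

    def _in_ranges(self, *flow):
        return any(r.matches(*flow) for r in self.ip_ranges)

    def should_log(self, src_ip, dst_ip, src_port=0, dst_port=0):
        """True when this detection produces an event in the Incidents tab."""
        flow = (src_ip, dst_ip, src_port, dst_port)
        if not self.log_event:
            logged = False
        elif self.scope == ALL_IPS:
            logged = True
        elif self.scope == SELECTED_RANGES:
            logged = self._in_ranges(*flow)
        elif self.scope == ALL_EXCEPT_RANGES:
            logged = not self._in_ranges(*flow)
        else:
            raise ValueError(f"unknown scope {self.scope!r}")
        if logged:
            return True
        # Non-logged detection: emit one summary event every N occurrences
        # (assumed semantics of For Every N Non-Logged Events Log One Event).
        if self.log_one_per_non_logged > 0:
            self.non_logged_seen += 1
            if self.non_logged_seen >= self.log_one_per_non_logged:
                self.non_logged_seen = 0
                return True
        return False


# Constructed detections: (source IP, destination IP, source port, destination port)
SAMPLE_DETECTIONS = [
    ("10.2.3.4", "10.9.9.9", 51000, 445),      # internal to internal
    ("10.2.3.5", "10.9.9.9", 51001, 445),      # internal to internal
    ("10.2.3.6", "10.9.9.9", 51002, 445),      # internal to internal
    ("198.51.100.1", "10.9.9.9", 40000, 445),  # external source
]


def example_run():
    """Log All Except 10/8-to-10/8, with one summary event per 2 non-logged."""
    rule = LoggingRule(scope=ALL_EXCEPT_RANGES,
                       ip_ranges=[IPRange("10.0.0.0/8", "10.0.0.0/8")],
                       log_one_per_non_logged=2)
    return [rule.should_log(*d) for d in SAMPLE_DETECTIONS]


if __name__ == "__main__":
    print(example_run())  # [False, True, False, True]
```

The run shows the "partial filter" effect described in step 6: internal-to-internal detections are suppressed, every second one still surfaces as a reminder, and the external-source detection is logged in full.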
1 Do one of the following:
Click New > Full Event List.
Select a protection policy, and click Edit > Full Event List. You can edit user-defined protection policies only.
2 To adjust your view of the event list, click Columns. See Adjusting the view by columns on page 123.
3 To select the events, do one of the following:
To select the entire event list, click Select All.
To select a subset of events, press Ctrl and select multiple events.
4 Click Log/Block. You can enable blocking rules independently of logging rules. See also Enabling or disabling logging rules on page 126.
5 In Block Event (Applies only to in-line interfaces), do one of the following:
Click Block Event to enable blocking.
Unclick Block Event to disable blocking.
Note: You can apply this option only to in-line interfaces on 7100 Series appliance nodes. It is not available on Network Security software nodes.
6 In Note For Selected Event Type(s), you can add an optional note, and click OK. Event Details displays this annotation each time this policy detects the annotated event. See Viewing event details on page 221.
You can override blocking rules globally from the Protection Policies tab. See also Overriding blocking rules globally on page 119. You can configure policies to include active blocking rules and LiveUpdate rules, so that when LiveUpdate adds new signatures, the blocking rules will be created automatically. To do this, you must define at least one blocking rule in the policy so that blocking is enabled. See also Updating policies automatically on page 129.
occurs in the middle of the night, Symantec Network Security immediately starts logging the matching events.
To add auto update rules
1 On the Policies > Protection Policies tab, do one of the following:
Click New > Auto Update Rules > Add.
Click an existing policy, and click Edit > Auto Update Rules > Edit.
2 In Category, choose a category from the pull-down list.
3 In Protocol, choose a protocol from the pull-down list.
4 In Severity, choose a severity from the pull-down list.
5 In Confidence, choose a confidence from the pull-down list.
6 In Blocking Option, choose whether to enable blocking by clicking the Apply Blocking checkbox. Symantec Network Security sorts the rule table, and first displays rules with blocking enabled, followed by rules without blocking enabled.
7 Click OK.
Note: You can configure policies to include active blocking rules and LiveUpdate rules, so that when LiveUpdate adds new signatures, the blocking rules will be created automatically. To do this, you must define at least one blocking rule in the policy so that blocking is enabled. See also Enabling or disabling blocking rules on page 128.
Note: Engine Updates trigger the sensors to restart automatically when you apply them. See also Updating Symantec Network Security on page 303.
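To make the auto update behaviour concrete, the following is an added example, not code from the Symantec guide or product. It matches each new event type delivered by an update against the Category, Protocol, Severity and Confidence criteria of the Auto Update rules, treating an unset pull-down as a wildcard, and only creates a blocking rule when Apply Blocking is set and the policy already contains at least one blocking rule, as the note above requires. The class names, the criterion values and the event-type attributes are constructed assumptions.

```python
"""Model of Auto Update rules applied to new event types from LiveUpdate.

Added example, not the product's code: each rule's Category, Protocol,
Severity and Confidence criteria (an unset pull-down matches anything)
are matched against each new event type; a match creates a logging rule,
and a blocking rule too when Apply Blocking is set and the policy already
contains at least one blocking rule, as the notes above require.  Names
and the criterion values are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # an unset pull-down criterion


@dataclass(frozen=True)
class AutoUpdateRule:
    category: Optional[str] = ANY
    protocol: Optional[str] = ANY
    severity: Optional[str] = ANY
    confidence: Optional[str] = ANY
    apply_blocking: bool = False     # the Apply Blocking checkbox

    def matches(self, event_type: Dict[str, str]) -> bool:
        criteria = (("category", self.category), ("protocol", self.protocol),
                    ("severity", self.severity), ("confidence", self.confidence))
        return all(want is ANY or want == event_type[key] for key, want in criteria)


def sorted_rule_table(rules: List[AutoUpdateRule]) -> List[AutoUpdateRule]:
    """Rules with blocking enabled first, then the rest, keeping input order."""
    return sorted(rules, key=lambda r: not r.apply_blocking)


def apply_auto_update(rules, new_event_types, policy_has_blocking_rule):
    """Return {event name: (logged, blocked)} for each newly added event type."""
    outcome: Dict[str, Tuple[bool, bool]] = {}
    for ev in new_event_types:
        matched = [r for r in rules if r.matches(ev)]
        logged = bool(matched)
        # Blocking is only created if the policy is already blocking-enabled.
        blocked = logged and policy_has_blocking_rule and any(r.apply_blocking for r in matched)
        outcome[ev["name"]] = (logged, blocked)
    return outcome


# Constructed rules and event types; the attribute values are illustrative.
RULES = [
    AutoUpdateRule(protocol="HTTP", severity="High"),
    AutoUpdateRule(category="Worm", apply_blocking=True),
]
NEW_EVENT_TYPES = [
    {"name": "new_http_high", "category": "Exploit", "protocol": "HTTP",
     "severity": "High", "confidence": "High"},
    {"name": "new_worm", "category": "Worm", "protocol": "SMB",
     "severity": "High", "confidence": "Medium"},
    {"name": "new_dns_low", "category": "Recon", "protocol": "DNS",
     "severity": "Low", "confidence": "Low"},
]


def example_run(policy_has_blocking_rule=True):
    """Apply the constructed rules to the constructed update batch."""
    return apply_auto_update(RULES, NEW_EVENT_TYPES, policy_has_blocking_rule)


if __name__ == "__main__":
    print(example_run(True))
    print(example_run(False))  # same matches, but nothing is blocked
```

Comparing the two runs shows why the note matters: with no blocking rule already defined in the policy, an Apply Blocking rule still logs the new event types but blocks none of them.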
Annotating an entire policy
Annotating an event type in a policy
Annotating an instance of an event
2 In Add Protection Policy or Edit Protection Policy, click the Notes tab.
3 In Policy Notes, enter a note regarding this policy, and click OK.
On the Policies > Protection Policies tab, hover the cursor over the policy to display the note as a tool tip.
1 Do one of the following:
Click New.
Click Edit.
2 Do one of the following:
In Search Events, double-click an event.
In Full Event List, double-click an event.
3 In Note for Selected Event Type(s) in the lower pane, enter an annotation. Event Details displays this annotation each time this policy detects the annotated event. See Viewing event details on page 221.
4 Click OK > OK > Apply.
1 Do one of the following:
Double-click an incident.
In the upper pane, click an incident, and then in the lower pane, double-click the related event.
2 In Incident Details or Event Details, click Analyst Note.
3 Enter your annotation, and click Add Note.
4 Click Close.
Chapter
Responding
This chapter includes the following topics:
About response rules
About automated responses
Managing response rules
Setting response parameters
Setting response actions
Managing flow alert rules
functionality that is unique to an appliance. Each section describes this additional functionality in detail. Symantec Network Security can take the following types of actions to respond to attacks, individually or in sequence:
Predefined actions. See Setting response actions on page 147.
Configured custom response actions. See Setting a custom response action on page 154.
Triggered actions from third-party applications via Smart Agents. See Integrating third-party events on page 316.
No actions. See Setting no response action on page 148.
Responding at the point of entry. See Defining new protection policies on page 124.
[Diagram: overview of response rule procedures. 1. Add new rule. 2. Set target, set type, set severity and confidence, set source, set action, set next action. 3. Set parameters: From Address, Subject Line, SMTP Server Hostname for Email Notifications, SNMP Manager, SNMP Community String. Actions: Notify via console, Notify via email, Notify via SNMP, Record traffic, Reset TCP, Take customized action, Track suspicious event.]
Note: SuperUsers and Administrators can read and write response rules; StandardUsers and RestrictedUsers can view only. See User groups reference on page 353 for more about permissions.
Viewing response rules
Adding new response rules
Editing response rules
Searching event types
Deleting response rules
Saving or reverting changes
Backing up response rules
Event Target
Event Type
Severity
Confidence
Event Source
Response Action
Next Action
Click the Response Actions column of a response rule to see all possible response actions.
Note: Make sure to click OK to save yellow response rules before proceeding.
Click Action > Add Response Rule to add a new row to the end of the response rule table.
Click Action > Insert Response Rule to insert a new row into the response rule table.
Click Action > Duplicate Response Rule to add a copy of an existing row to the response rule table.
Setting event targets
Setting event types
Setting severity levels
Setting confidence levels
Setting event sources
Setting response actions
Setting next actions
In Event Name, enter a name to identify this search.
In Protocol, select a protocol from the pull-down list.
In Category, select a category from the pull-down list.
In Severity, select a severity level from the pull-down list.
In Confidence, select a confidence level from the pull-down list.
In Intent, select an intention from the pull-down list.
Click OK to save and exit. Click Cancel to undo the configuration and return to the previous one.
Note: It can take a few minutes for response rule changes to take effect. You can bypass this wait interval by clicking Admin > Force Database Sync.
To set the Event Type
1 On the main menu bar, click Configuration > Response Rules.
2 Click the Event Type cell of the response rule you want to edit.
3 In Search Events, select the attack types to which the response rule applies by providing some or all of the following search criteria:
In Event Name, enter a name.
In Protocol, select a protocol from the pull-down list.
In Category, select a category from the pull-down list.
In Severity, set a severity level from the pull-down list.
In Confidence, set a confidence level from the pull-down list.
In Intent, select an intention from the pull-down list.
4 Click Search Events. Search Results displays the total number of items shown in the subset.
5 In Search Results, do one of the following:
Click Select All to select the entire result list.
Click Clear All to deselect any selected event types.
Individually select the desired event types.
Intrinsic severity of the type of event: An event might consist of an FTP packet transmitted on port 80. Because port 80 is used for HTTP traffic, this event might represent an attack on a Web server. By itself, this example might represent a medium level of intrinsic severity.
Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the height of the severity level depends on the number and frequency of packets received.
Severity of other events in the same incident: Symantec Network Security correlates severity levels from all events in the same incident.
By using these variables to perform statistical analysis, Symantec Network Security assigns different severity levels as they apply to an incident. As the system gains information about the network, it integrates characteristics that influence the levels to reflect the current state of the network security. Because the traffic on every network is different, the severity levels specified in the response rule parameters are relative values and contain no inherent absolute definition. The creation of response rules in general and the selection of severity levels for the specific response rules requires fine-tuning to existing security response rules, as well as to the network traffic and ambient conditions. If the severity assigned during analysis equals the severity level defined in the response rule, as well as all other parameters defined in the response rule, then Symantec Network Security responds to the incident by performing the action associated with the response rule. SuperUsers and Administrators can also specify that the action execute only if the incident priority level falls above or below that of a particular severity level. Possible severity parameter values include informational, low, medium, high, and critical.
Select one of the following severity levels from the pull-down list:
Less than (<)
Greater than (>)
Equal to (=)
Any
Critical
High
Medium
Low
Informational
Select one of the following confidence levels from the pull-down list:
Less than (<)
Greater than (>)
Equal to (=)
Any
Very High
High
Medium
Low
Very Low
Setting no response action
Setting email notification
Setting SNMP notification
Setting TrackBack response action
Setting a custom response action
Setting a TCP reset response action
Setting traffic record response action
Setting a console response action
Setting export flow response action
to Rule 8. The Stop value directs Symantec Network Security to discontinue searching for matching response rules.
To set the next action
1 On the main menu bar, click Configuration > Response Rules.
2 Select a Next Action to do one of the following:
Stop searching for matching response rules.
Continue to the next rule.
Jump to a specific rule.
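To make the rule matching and Next Action chaining described above concrete, here is an added Python model (not Symantec's code) of how a rule's severity and confidence operators (<, >, =, Any) and its Next Action (Stop, Continue, Jump to a rule) drive the walk through the response rule table. The rule numbers, the "Continue" and "Jump to N" labels, and the fall-through on a non-matching rule are assumptions of the model.

```python
"""Response-rule matching and Next Action chaining, modelled in Python.

Added example, not Symantec's code. A rule fires when the event's severity and
confidence satisfy the rule's operators (<, >, =, Any); the rule's Next Action
then decides whether the search Stops, Continues to the next rule, or Jumps to
a specific rule. Assumptions: rules carry a number (their row in the table), a
non-matching rule always falls through to the next row, and a Jump loop is cut
short instead of re-firing a rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Orderings taken from the pull-down lists in the text, lowest first.
SEVERITY = ["Informational", "Low", "Medium", "High", "Critical"]
CONFIDENCE = ["Very Low", "Low", "Medium", "High", "Very High"]


def compare(op: str, actual: str, target: Optional[str], scale: List[str]) -> bool:
    """Apply one of the pull-down operators to a value on an ordered scale."""
    if op == "Any":
        return True
    a, t = scale.index(actual), scale.index(target)
    return {"<": a < t, ">": a > t, "=": a == t}[op]


@dataclass
class Rule:
    number: int                 # row in the Response Rules table (assumption)
    severity_op: str            # "<", ">", "=" or "Any"
    severity: Optional[str]     # None when severity_op is "Any"
    confidence_op: str
    confidence: Optional[str]
    action: str                 # the Response Action, e.g. "Email Notification"
    next_action: str            # "Stop", "Continue" or "Jump to <n>"


@dataclass
class Event:
    severity: str
    confidence: str


def matches(rule: Rule, event: Event) -> bool:
    """True when both the severity and the confidence parameters are satisfied."""
    return (compare(rule.severity_op, event.severity, rule.severity, SEVERITY)
            and compare(rule.confidence_op, event.confidence, rule.confidence, CONFIDENCE))


def _next_row(rules: List[Rule], current: int) -> Optional[int]:
    later = sorted(r.number for r in rules if r.number > current)
    return later[0] if later else None


def evaluate(rules: List[Rule], event: Event) -> List[Tuple[int, str]]:
    """Walk the table from the top and return the (rule number, action) pairs that fired."""
    by_number = {r.number: r for r in rules}
    fired: List[Tuple[int, str]] = []
    current: Optional[int] = min(by_number) if by_number else None
    visited = set()
    while current is not None and current in by_number and current not in visited:
        visited.add(current)                      # loop guard for "Jump to" cycles
        rule = by_number[current]
        if not matches(rule, event):
            current = _next_row(rules, current)   # assumption: a non-match falls through
            continue
        fired.append((rule.number, rule.action))
        if rule.next_action == "Stop":
            break
        if rule.next_action.startswith("Jump to "):
            current = int(rule.next_action.split()[-1])
        else:                                     # "Continue"
            current = _next_row(rules, current)
    return fired


# Constructed sample table: rule 2 jumps over rule 3 straight to rule 8.
RULES = [
    Rule(1, ">", "Medium", "Any", None, "Email Notification", "Continue"),
    Rule(2, "=", "Critical", ">", "Medium", "TCP Reset", "Jump to 8"),
    Rule(3, "Any", None, "Any", None, "Console Response", "Stop"),
    Rule(8, "Any", None, "Any", None, "Traffic Record", "Stop"),
]

if __name__ == "__main__":
    for ev in (Event("Critical", "High"), Event("Low", "Very High"), Event("High", "Low")):
        print(ev, "->", evaluate(RULES, ev))
```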
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Email Notification.
4 In the Email Notification pane, provide the following information:
To: Enter the destination of the email notification.
Subject: Enter the subject line of the email notification.
Maximum number of email notifications: Enter the number of notifications you want to send while the incident remains active.
Delay between email notifications (mins): Enter the time in minutes that you want Symantec Network Security to wait before sending another notification.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
Setting From Address
Setting Subject Line
Setting SMTP Server
Setting Hostname Used for Email Notifications
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click SMTP Server.
4 In the lower right pane, enter an alternative mail server.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
SNMP Manager IP Address: Enter the IP address of the SNMP Manager to send notifications to.
Maximum number of SNMP notifications: Enter the number of notifications you want to send.
Delay between SNMP notifications (mins): Enter the time in minutes that you want Symantec Network Security to wait before sending another notification.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
SNMP Manager
SNMP Manager indicates where the software or appliance node sends SNMP traps.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click SNMP Manager.
4 In the lower right pane, enter the SNMP Manager that will receive SNMP traps from the node.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Maximum number of trackbacks: Enter the number of tracking attempts that you want.
Delay between trackbacks (mins): Enter the time in minutes that you want Symantec Network Security to wait before making another tracking attempt.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
To enable custom responses
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Custom Response.
4 Provide the following information:
Start Command: Enter the command with applicable arguments. See Table of response variables on page 155.
Maximum number of executions: Enter the number of executions per incident of this response.
Delay between executions (mins): Enter the time in minutes that you want Symantec Network Security to wait per incident, before making another execution.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
Note: If you create a custom response action, it will be enabled on all software and appliance nodes defined in your topology. Be sure to include the custom application binary in the same location for each node.
Note: SuperUsers can read and write custom response actions; Administrators, StandardUsers, and RestrictedUsers can view only. See User groups reference on page 353 for more about permissions.
/usr/local/bin/myscript.sh -i %i -t %t -s %s <email address>
The following table describes the variables that can be used in the command line of custom response actions, console response actions, and email responses:
Table 6-1
Variable
%c
%d
%D
%F
%I
%m
%s
%t
%T
%v
Maximum number of TCP resets: Enter the number of TCP resets per incident of this response.
Delay between sending TCP resets (mins): Enter the time in minutes that you want Symantec Network Security to wait per incident, before sending another TCP reset.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
7 Set the reset port by doing one of the following:
For an appliance node, see Setting the reset port on appliance nodes on page 158.
For a software node, see Setting the reset port on software nodes on page 158.
Caution: Traffic record files are stored in the /usr/SNS/record directory, and can quickly fill the disk space, especially on a gigabit link. Make sure that this directory contains sufficient disk space.
To enable traffic records
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Traffic Record.
4 Provide the following information:
Maximum packets to record: Enter the maximum number of packets per incident of this response.
Maximum # of record actions: Enter the maximum number of records per incident of this response.
Maximum time to record (mins): Enter the time in minutes that you want Symantec Network Security to record per incident.
Source IP: Click this parameter if you want to record only traffic with the same source address as the triggering event.
Source Port: Click this parameter if you want to record only traffic with the same source port as the triggering event.
Destination IP: Click this parameter if you want to record only traffic with the same destination address as the triggering event.
Destination Port: Click this parameter if you want to record only traffic with the same destination port as the triggering event.
Transport: Click this parameter if you want to record only traffic with the same transport protocol (such as TCP, UDP or ICMP) as the triggering event.
6 In Configure Response Action, click OK to save and exit.
7 In Response Rules, click OK to save and exit.
Note: The Traffic Record and TrackBack response actions cannot run simultaneously.
Limit Action to One Console: Click this to apply this response action to a single Network Security console.
Play Alert Sound: Click this to sound an alert.
Execute Console Program: Click this to launch a program in response.
Start command: Enter the command to launch the response program.
Maximum # of executions: Enter the maximum number of executions per incident of this response.
Delay between executions (mins): Enter the time in minutes that you want Symantec Network Security to wait between executions.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
Play Alert Sounds: Click this to enable this Network Security console to emit an alert sound when triggered by an event.
Execute Programs: Click this to enable this Network Security console to perform the console response action.
In Local Console Configuration, click OK to save and close.
Note: The Network Security console must be running in order for Symantec Network Security to execute the console response action. If a Network Security console starts after console response events are sent, it does not execute the actions. Instead, upon startup, it displays a prompt indicating that the actions did not execute.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Export Flows.
4 Provide the following information:
Limit for the number of flows to export: Enter the maximum number of flows to export per incident. The default limit per policy match is 100, the minimum is 1, and the maximum is 2048.
Maximum # of flow export actions: Enter the maximum number of attempts to export flows per incident. The default per incident is 10, the minimum is 1, and the maximum is 256.
Delay between flow export actions (mins): Enter the time in minutes that you want Symantec Network Security to wait between actions per incident. The default delay is 10, the minimum is 1, and the maximum is 256.
Source IP: Use the IP address from the triggering event.
Destination IP: Use the IP address from the triggering event.
Source Port: Make port significant when matching related FDS flow entries to the triggering event source IPs.
Destination Port: Make port significant when matching related FDS flow entries to the triggering event destination IPs.
Transport Protocol: Export only matching FDS flow entries of the same protocol as the triggering event (IP, TCP, UDP).
6 In Configure Response Action, click OK to save and exit.
7 In Response Rules, click OK to save and exit.
See Playing recorded traffic on page 271.
See Exporting data on page 285.
See About incident and event data on page 213.
See Defining new protection policies on page 124.
be configured to notify you when a sensor or router detects flows that match specific criteria. Symantec Network Security collects data about network flows from various devices. It optimizes the data to enable advanced response actions such as TrackBack, and notifies you about illegal flows. Symantec Network Security uses FlowChaser to store the data, in coordination with TrackBack, which traces a DoS attack or network flow back to its source, or to the edges of the administrative domain. This section describes the following:
On the main menu bar, click Configuration > Flow Alert Rules. In Flow Alert Rules, you can view the rule details.
Note: SuperUsers and Administrators can read and write flow alert rules; StandardUsers can view only; and RestrictedUsers have no access at all. See User groups reference on page 353 for more about permissions.
Click Permit.
Click Alert.
See Using the permit rule type on page 166.
4 Click Set Interfaces.
5 In Select Interface or Device, select the object where you want the rule applied, and click OK.
6 In Flow Alert Rule, select the following information from the pull-down lists, and click Add:
Source IP address, mask, and port
Destination IP address, mask, and port
See Providing an appropriate mask on page 165.
7 In Flow Alert Rule, click OK.
8 In Flow Alert Rules, click OK to save and exit.
Click Permit.
Click Alert.
See Using the permit rule type on page 166.
4 Click Set Interfaces.
5 In Select Interface or Device, select the object where you want the rule applied, and click OK.
6 In Flow Alert Rule, select the following information from the pull-down lists, and click Add:
Source IP address, mask, and port
Destination IP address, mask, and port
See Providing an appropriate mask on page 165.
7 In Flow Alert Rule, click OK.
8 In Flow Alert Rules, do one of the following:
Click Move Down. The flow alert rules are applied in sequential order from the top of the list to the bottom. Moving a rule up or down shifts it in relation to the other rules, and determines when it will be applied in the sequence.
9 Click OK to save and exit.
Note: Symantec Network Security examines these rules sequentially. After it makes an IP address/port match, it executes the corresponding rule, without examining or executing any further.
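The first-match behaviour in the Note above is what makes rule order and mask choice matter: a Permit rule placed above an Alert rule silences alerts for every flow it covers. The following added Python model (not Symantec's code) walks a rule list top to bottom and stops at the first source/destination address, mask and port match; dotted masks and a port of None meaning "any port" are assumptions of the model.

```python
"""Flow alert rule evaluation: first match wins, top to bottom.

Added example, not Symantec's code. Rules are examined in order, and the
first rule whose source and destination address/mask/port match the flow is
the one executed, with no further rules examined. Assumptions: masks are
written in dotted form (255.255.255.255 pins one host, 0.0.0.0 matches every
host), and a port of None means "any port".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FlowAlertRule:
    rule_type: str            # "Permit" or "Alert"
    src_ip: str
    src_mask: str             # dotted mask, e.g. 255.255.255.0
    src_port: Optional[int]   # None = any port (assumption)
    dst_ip: str
    dst_mask: str
    dst_port: Optional[int]


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def in_masked_range(ip: str, net_ip: str, mask: str) -> bool:
    """Apply the rule's address and mask to a flow address."""
    network = ipaddress.ip_network(f"{net_ip}/{mask}", strict=False)
    return ipaddress.ip_address(ip) in network


def rule_matches(rule: FlowAlertRule, flow: Flow) -> bool:
    return (in_masked_range(flow.src_ip, rule.src_ip, rule.src_mask)
            and (rule.src_port is None or rule.src_port == flow.src_port)
            and in_masked_range(flow.dst_ip, rule.dst_ip, rule.dst_mask)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port))


def first_match(rules: List[FlowAlertRule], flow: Flow) -> Optional[FlowAlertRule]:
    """Return the first matching rule in list order, or None when nothing matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule
    return None


def should_alert(rules: List[FlowAlertRule], flow: Flow) -> bool:
    """True only when the first matching rule is an Alert rule."""
    hit = first_match(rules, flow)
    return hit is not None and hit.rule_type == "Alert"


ANY = "0.0.0.0"  # address and mask value that matches every host

# Constructed sample: permit the internal subnet to reach the DNS server,
# alert on anyone else reaching it. The Permit rule is placed first.
RULES = [
    FlowAlertRule("Permit", "10.0.0.0", "255.255.255.0", None, "10.0.1.5", "255.255.255.255", 53),
    FlowAlertRule("Alert", ANY, ANY, None, "10.0.1.5", "255.255.255.255", 53),
]

INTERNAL_DNS = Flow("10.0.0.7", 51000, "10.0.1.5", 53)
OUTSIDE_DNS = Flow("192.168.5.9", 51001, "10.0.1.5", 53)
WEB = Flow("192.168.5.9", 51002, "10.0.1.5", 80)

if __name__ == "__main__":
    for f in (INTERNAL_DNS, OUTSIDE_DNS, WEB):
        print(f, "->", "alert" if should_alert(RULES, f) else "no alert")
    # Reversing the order lets the Alert rule match first for everything on port 53.
    print("reversed order, internal DNS alerts:", should_alert(RULES[::-1], INTERNAL_DNS))
```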
Chapter
Detecting
This chapter includes the following topics:
About detection
Configuring sensor detection
Configuring port mapping
Configuring signature detection
About detection
In addition to the ability to start detection immediately using protection policies, Symantec Network Security also provides the tools to fine-tune the detection to a particular environment using sensor parameters and port mappings, and to enhance the detection using user-defined signatures. Symantec Network Security can run multiple detection methods concurrently, including protocol anomaly detection, signatures, IP traffic rate monitoring, IDS evasion detection, and IP fragment reassembly. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.
Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be added to run services on non-standard ports or to ignore ports on which you normally run non-standard protocols, to mitigate common violations of protocol from being falsely reported as events.
Signature detection
Symantec Network Security provides the functionality to begin detection immediately by applying protection policies. In addition to this initial ability, detection can also be enhanced and tuned to a particular network environment by creating and applying user-defined signatures.
Symantec Network Security detects both known and unknown (zero-day) attacks, using multiple detection technologies concurrently. Event refinement rules extend the Protocol Anomaly Detection capabilities. Symantec Network Security matches generic anomalies against a database of refinement rules, and for known attacks, reclassifies an anomaly event by retagging it with its specific name. New refinement rules are available as part of SecurityUpdates on a periodic basis. Each software or appliance node downloads the refinement rules from LiveUpdate and stores them individually.
Configuring sensor parameters
Restarting or stopping sensors
Basic sensor parameters
Basic flood and scan parameters
Advanced flood and scan parameters
Other advanced parameters
Advanced TCP engine parameters
Advanced UDP engine parameters
See Other advanced parameters on page 184 for information about fine-tuning advanced parameters.
See Restarting sensors via the Network Security console on page 49.
Note: SuperUsers and Administrators can restart sensors at any time; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
for your environment. In this way, you will quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert. This section describes the following basic sensor detection parameters:
Enable Flow Statistics Collection
Enable Full Packet Capture
Enable IPv4 Header Checksum Validation
Enable TCP Checksum Validation
Enable UDP Checksum Validation
Enable BackOrifice Detection
Event Delay Time
Traffic Mode
Reset Port
enabled, the Network Security console displays all packet data in the Advanced tab of the Event Details. To disable the collection of full packet data, change the value to false. If you disable this parameter, the Network Security console displays only packet header data in the Advanced tab of the Event Details.
Note: For software nodes, enabling this parameter can increase the size of the event database and reduce sensor performance. Do not install Symantec Network Security in the same partition as the operating system (the / partition) if disk space is low. The Network Security console displays low disk space events for less than 100,000 free blocks and less than 10% free space in the partition where it is installed.
In earlier versions, the default value was false. See Viewing event details on page 221.
Traffic Mode
Traffic Mode regulates asymmetric routing in the following modes:
Simplex: The sensor predominantly monitors the client-to-server side of the connection.
Duplex: The sensor monitors both the client-to-server and the server-to-client sides of the connection.
The default is set to duplex, and Symantec Network Security generally performs best in this mode. Change to simplex only under specific conditions or for specific environments. Set this parameter during deployment, when you decide which mode to use.
Note: Restart the sensor for changes to this parameter to take effect.
Caution: Switching this parameter to simplex has a broad effect on a number of Symantec Network Security features. Do not change this without a thorough understanding of the effects.
Note: If a sensor in duplex mode receives a lot of simplex traffic, it displays an operational log message indicating that the flow records have been recycled, and that a large number of them have detected packets in only one direction.
Reset Port
Reset Port determines the port that Symantec Network Security uses to send TCP resets. When a reset response rule is triggered, Symantec Network Security sends the TCP reset through the port designated by this parameter. This parameter is specific to software installations of Symantec Network Security. It is not relevant to 7100 Series appliances, which can be set via the topology tree on the Network Security console. Valid values include any valid physical network interface identifier. There is no default value for this parameter. If you create a reset response rule without configuring this parameter, the response rule will fail.
Note: Restart the sensor for changes to this parameter to take effect.
possible DoS attack. It generates events when traffic exceeds preset thresholds; that is, when a particular type of traffic exceeds a certain percentage of the traffic as a whole. For example, if a large percentage of traffic on a link is ICMP, it might indicate a ping flood. The following parameters set threshold levels for floods, scans, and sweeps. If activity levels remain below thresholds, the sensor detects the traffic but does not notify you. Breaching thresholds triggers an alert. Symantec Network Security provides counter-based detection of floods and denial-of-service attacks such as resource reservation and pipe filling. For example, in a reservation attack such as SYNflood, the attacker sends more SYN packets than the queue can hold, and thus reserves otherwise available resources and prevents new connections. In a pipe-filling attack, the attacker saturates the links by generating so much traffic on a network connection that it clogs a traffic pipe. This section describes the following basic flood and scan parameters:
TCP Flood Alert Threshold
UDP Flood Alert Threshold
Slow Scan Alert Threshold
ICMP Saturation Alert Threshold
UDP Saturation Alert Threshold
IP Fragment Saturation Alert Threshold
Bad Service Saturation Alert Threshold
Other Saturation Alert Threshold
The default is set to 0.50 (50%) for a high level of sensitivity. Valid values range from 0 to 1. Increase the value to make the sensor less sensitive; decrease the value to make it more sensitive. A value of 1% is extremely sensitive, which impacts system performance somewhat if it generates alerts. It interacts with Streak Interval and UDP Number of Streak Packets, and affects performance slightly if changed.
Note: In versions prior to 4.0, this parameter controlled input and detected both portscans and floods. Now this parameter controls output and detects either port scans or floods separately.
The default is set to 0.50, and valid values range from 0 to 1, representing the percentage of total traffic. By default, the sensor notifies you if it detects UDP traffic in 50% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. You can increase the threshold if you expect UDP traffic, such as in a Windows environment.
rate of alerting can slow performance, so you can increase the Threshold if you want to tolerate a high percentage of Other traffic in your environment.
Packet Counter Interval
Streak Interval
Counter Number of Streak Packets
TCP Minimum Flows
TCP Number of Streak Packets
UDP Minimum Flows
UDP Number of Streak Packets
ICMP Minimum Flows
ICMP Number of Streak Packets
ICMP Flood Alert Threshold
Saturation Counter Lapse Time
Maximum Time to Streak Analysis
Slow Scan Maximum IP Addresses Limit
Slow Scan Max Entry Time (days)
Streak Interval
The four interval and flow parameters function interactively, and setting one affects the others. Packet Counter Interval controls how often to check packets. Streak Interval controls how often to check for port scans. TCP Minimum Flows controls how many TCP flows warrant analysis. UDP Minimum Flows regulates port scan sensitivity. Streak Interval regulates how often the sensor checks traffic for port scans. In past versions, Streak Interval and Counter Interval were controlled by the same parameter. Symantec Network Security now provides two parameters that you can configure independently. The default is set to 16,383 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 1,023 to 65,535, inclusive. You can increase sensitivity to port scans by lowering the value so that the sensor checks more often. Do not make changes to this parameter without a thorough understanding of how it interacts with TCP Minimum Flows, UDP Minimum Flows, TCP Number of Streak Packets, and UDP Number of Streak Packets.
Note: In versions prior to 4.0, Streak Interval and Counter Interval were controlled by the same parameter. Symantec Network Security now provides two parameters that you can configure independently.
The default value of 128 collects 128 unacknowledged packets. Valid values range from 3 to 256, inclusive. If you notice large streaks, you can increase the value to collect more packets for analysis at the cost of slowing performance somewhat.
controls how many TCP flows warrant analysis. UDP Minimum Flows regulates port scan sensitivity. ICMP Minimum Flows regulates the number of unacknowledged ICMP flows that the sensor sends to analysis during the time period set by Streak Interval. If it detects an alarming number of them, it sends the packets to streak analysis, which inspects the sample of packets and compares IP addresses, ports, and other characteristics for similarities. The default is set to 3 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 3 to twice the value of the ICMP Number of Streak Packets parameter. You can troubleshoot an overactive network by increasing the value without changing Streak Interval. The sensor then takes a larger sample at each interval and returns more accurate results, at the cost of impacting system performance somewhat. This parameter should not be changed without a thorough understanding of how it interacts with Streak Interval and ICMP Number of Streak Packets.
this limit, the entry is reset. Any old data is lost and new data in the entry is treated as an unrelated event. The default value is set to 30, and valid values range from 7 to 180, inclusive. If the slow scan functionality appears to be generating too many events, you can lessen the value to increase the inactive time period. This reduces detection sensitivity. Increase the sensitivity by increasing the value to keep inactive entries valid longer. These changes have little impact on performance.
Enable PLSC (Propagate Link State Change)
Maximum IPv4 Fragment Reassembly Table Elements
Signature Engine Max Backbuffer Size
Note: Restart the sensor for changes to this parameter to take effect. See also Configuring link state on page 104.
TCP Maximum Flow Table Elements (Fast Ethernet)
TCP Maximum Flow Table Elements (Gigabit)
TCP Keepalive Timeout
TCP Flow Max Queued Segments
TCP Global Max Queued Segments (Fast Ethernet)
TCP Global Max Queued Segments (Gigabit)
TCP 2MSL Timeout
TCP Default Window Size
TCP Reset Quiet Period
TCP Retransmitted Segment Alert Minimum Magnitude
TCP Retransmitted Segment Alert Threshold
TCP SYN Flood End Threshold
TCP SYN Flood Retransmission Timeout
TCP Retransmitted SYN Alert Magnitude
TCP Opening Flows Target Ratio
TCP Listening Flows Target Ratio
TTL Allowed Variance for TCP over IPv4 for Inline Sensors
TTL Allowed Variance for TCP over IPv4 for Passive Sensors
TTL Change Timeout for TCP Over IPv4
The default is set to 131,072 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 32,768 (32K) to 1,048,576 (1M), inclusive. If you receive an operational log message indicating that the TCP Flow Table is full, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.
The default is set to 65,535 for optimum performance and sensitivity, and does not need to be changed under most circumstances. The minimum value is 4,096. Although a high number of out-of-order segments is rare, if this is usual for your network, you can increase this value to compensate. If you see an operational event indicating too many out-of-order TCP segments, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.
this way, you will quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert.
RSAT is an advanced parameter. The defaults are set for the optimum balance between maximum sensitivity and minimum false positives. Increasing sensitivity can result in false positives. Decreasing sensitivity can result in missed evasions. Adjusting the values does not affect performance.
resources under normal circumstances. Adjusting the default does not impact performance or detection sensitivity.
TTL Allowed Variance for TCP over IPv4 for Inline Sensors
TTL Allowed Variance for TCP over IPv4 for Inline Sensors determines how much the TTL of IPv4 packets carrying a TCP connection can vary on an inline sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. On inline sensors that monitor packets from a specific location, the TTL can be expected to remain consistent. The default value is set to 0, which provides the greatest sensitivity and tolerates zero variance. Raising this value decreases sensitivity to variation and susceptibility to false positives.
TTL Allowed Variance for TCP over IPv4 for Passive Sensors
TTL Allowed Variance for TCP over IPv4 for Passive Sensors determines how much the TTL of IPv4 packets carrying a TCP connection can vary on a passive sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. The TTL can be expected to vary on passive sensors that monitor packets from multiple locations on a network. The default value is set to 10 to tolerate a moderately sensitive, 10-hop variance. Raising this value decreases sensitivity to variation and susceptibility to false positives. Lowering this value increases sensitivity and susceptibility to false positives. The minimum value is 0, which does not tolerate variation at all.
can lower this value to avoid detection of expected activity. Setting the value to 0 effectively disables this parameter.
Parameters in this group:
UDP Maximum Flow Table Elements (Fast Ethernet)
UDP Maximum Flow Table Elements (Gigabit)
UDP Connection Timeout
TTL Allowed Variance for UDP over IPv4 for Inline Sensors
TTL Allowed Variance for UDP over IPv4 for Passive Sensors
TTL Change Timeout for UDP Over IPv4
TTL Allowed Variance for UDP over IPv4 for Inline Sensors
TTL Allowed Variance for UDP over IPv4 for Inline Sensors determines how much the TTL of IPv4 packets carrying a UDP connection can vary on an inline sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. On inline sensors that monitor packets from a specific location, the TTL can be expected to remain consistent. The default value is set to 255, which effectively disables detection of TTL variance. Lowering this value increases sensitivity and susceptibility to false positives. The minimum value is 0, which does not tolerate variation at all.
TTL Allowed Variance for UDP over IPv4 for Passive Sensors
TTL Allowed Variance for UDP over IPv4 for Passive Sensors determines how much the TTL of IPv4 packets carrying a UDP connection can vary on a passive sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. The TTL can be expected to vary on passive sensors that monitor packets from multiple locations on a network. The default value is set to 255, which effectively disables detection of TTL variance. Lowering this value increases sensitivity and susceptibility to false positives. The minimum value is 0, which does not tolerate variation at all.
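The TTL variance check described for the four TTL Allowed Variance parameters above, worked through as an added example. This is illustrative code, not Symantec's sensor implementation: it keeps one TTL baseline per unidirectional flow and flags any packet whose TTL departs from that baseline by more than the allowed variance. The allowed-variance values (0 for inline TCP, 10 for passive TCP, 255 for UDP) are the defaults the text gives; the meaning of the change timeout is an assumption (a window in seconds after a flow's previous packet within which a TTL change is still reported, with 0 disabling the check, following the fragment above), and all packets are constructed samples.

```python
"""Per-flow TTL variance check for TCP/UDP over IPv4 (added example, not Symantec code)."""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src sport dst dport ttl")


def flow_key(pkt):
    # One key per direction: the server's replies travel a different path and
    # carry their own initial TTL, so they must never be compared with the
    # client's packets (a bidirectional key would alert on every connection).
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def detect_ttl_variance(packets, allowed_variance, change_timeout):
    """Return one alert dict per packet whose TTL differs from its flow's
    baseline by more than allowed_variance hops."""
    flows = {}    # flow key -> [baseline_ttl, timestamp of last packet]
    alerts = []
    if change_timeout == 0:           # assumed semantics: 0 disables the check
        return alerts
    for pkt in packets:
        key = flow_key(pkt)
        entry = flows.get(key)
        if entry is None or pkt.ts - entry[1] > change_timeout:
            # First packet of the flow, or the flow was quiet for longer than
            # the timeout: (re)learn the baseline instead of alerting.
            flows[key] = [pkt.ttl, pkt.ts]
            continue
        baseline, _ = entry
        entry[1] = pkt.ts
        delta = abs(pkt.ttl - baseline)
        if delta > allowed_variance:
            alerts.append({"flow": key, "baseline_ttl": baseline,
                           "observed_ttl": pkt.ttl, "delta": delta, "ts": pkt.ts})
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet(0.0, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 64),
    Packet(0.1, "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 128),  # reply direction
    Packet(0.2, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 64),
    Packet(0.3, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 58),   # drift of 6 hops
    Packet(0.4, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 50),   # drift of 14 hops
    Packet(9.0, "udp", "10.0.0.7", 5353, "192.0.2.53", 53, 200),
    Packet(70.0, "udp", "10.0.0.7", 5353, "192.0.2.53", 53, 60),   # quiet longer than timeout
]

# Profiles mirroring the documented defaults; the 60 s timeout is assumed.
INLINE_TCP = dict(allowed_variance=0, change_timeout=60)
PASSIVE_TCP = dict(allowed_variance=10, change_timeout=60)
DEFAULT_UDP = dict(allowed_variance=255, change_timeout=60)

if __name__ == "__main__":
    for name, profile in (("inline", INLINE_TCP), ("passive", PASSIVE_TCP)):
        for alert in detect_ttl_variance(SAMPLE, **profile):
            print(name, alert)
```

With the inline profile both drifting packets are reported; with the passive profile only the 14-hop drift exceeds the 10-hop tolerance, and the UDP flow re-baselines silently after its quiet period. Inside a real deployment, which profile is right depends on whether the sensor sees one path (inline) or traffic aggregated from several (passive), exactly the distinction the parameter names draw.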
Note: SuperUsers and Administrators can add port mappings for any supported protocol; StandardUsers and RestrictedUsers can view only. See User groups reference on page 353 for more about permissions.
In Protocol, choose a type of protocol from the pull-down list.
In Port, enter a port number.
In Transport Protocol, choose TCP or UDP from the pull-down list.
In Note, you can enter an optional reminder to yourself.
Click OK to save and exit, or click Cancel > Yes to undo your changes and exit.
Caution: Removing a port mapping can affect any PAD detection that relies on the mapping. Do not remove any pre-defined Symantec port mappings.
Managing signatures
The Network Security console provides a way to configure and enable your own user-defined signatures on a per-sensor basis. You can also define variables, such as creating the variable name port to stand for a value of 2600. This section includes the following topics:
Viewing signatures
Adding or editing user-defined signatures
Deleting user-defined signatures
Adding new signature variables
Importing user-defined signatures
Resolving signature compile errors
Managing signature variables
Viewing signatures
All users can view all available PAD event types and user-defined signatures from the Policies tab. You can also see which signatures are applied to the monitoring interfaces, interface pairs, or interface groups, as well as the list of signature variables.
To see interfaces and signatures
On the Policies > Protection Policies tab, the Policies Applied to Interfaces pane displays the interfaces with policies applied.
On the Policies > Protection Policies tab, select a policy and click View to see the PAD event types.
On the Policies tab, click the User-defined Signatures tab to see available user-defined signatures.
On the Policies tab, click the Signature Variables tab to see available variables to use when defining your own signatures.
Use regular expressions where applicable. See the Symantec Network Security Signature Developer Guide to find out more about regular expressions.
Use inline functions where applicable. See the Symantec Network Security Signature Developer Guide to find out more about inline functions.
Use optional signature variables if applicable. See Managing signature variables on page 206.
Save the signature in the Signature Wizard.
Apply the signature to a policy.
Apply the policy to an interface. See Setting policies to interfaces on page 119.
In Add User-defined Signature or Edit User-defined Signature, provide information for the following fields. To find out more about each field, see About the Signature Wizard fields on page 203.
In Name, enter a name for the user-defined signature.
In Severity, select a level from the pull-down list.
In Confidence, select a level from the pull-down list.
In Category, select a type of event from the pull-down list.
In Intent, select an intention from the pull-down list.
In Protocol, select a protocol from the pull-down list.
In Transit Type, which is active only if you chose IP_OTHER from the Protocol pull-down list, select a transit type from the pull-down list.
Click Next to proceed.
In Signature Description, enter optional notes, and click Next.
In User-defined Signature or Edit User-defined Signature, provide information for the following fields:
In Source IP, Source Port, Destination IP, and Destination Port, select values from the pull-down lists, if applicable. Source Port and Destination Port are enabled only if you selected USER-DEFINED as the protocol.
In Match Type, if the transit type is TCP, click Stream to create a stream-based signature or Packet to create a packet-based signature. If you selected anything other than TCP for transit type, Match Type is disabled. For stream-based protocols such as TCP, matches can span multiple packets; for packet-based protocols, which includes all other currently supported protocols, matches are per packet. In Match Type you are therefore indicating whether the signature should search for an offset in the reassembled stream or in an individual packet.
In Direction, select server-bound or client-bound from the pull-down list, if applicable. Direction is enabled only if you set the Transit Type as TCP or UDP.
In Encoding, select a value from the pull-down list and click Next.
In User-defined Signature or Edit User-defined Signature, click Add and do the following:
Click Any Payload Offset, or specify a specific payload offset value.
In Regular Expression, enter a regular expression (regex), and click OK. You can also use default or user-defined Signature Variables in this field. See Adding new signature variables on page 207. See the Symantec Network Security Signature Developer Guide to find out how to use regular expressions (regex) and inline functions in your user-defined signature.
When you return to User-defined Signature or Edit User-defined Signature, you can do the following:
Click Preview Signature to see the entire user-defined signature.
Click Back to return to a previous step and change it.
Click Finish to save and close.
Click Cancel to exit without saving your work.
In User-defined Signatures, click Apply. Note: Expect a short delay while user-defined signatures are synchronized across the cluster. After synchronization, you must add the signature to a policy, and apply the policy to the appropriate monitoring interfaces.
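The Match Type distinction above (a stream-based TCP signature can match across packet boundaries, a packet-based one cannot) and the use of signature variables in the port and Regular Expression fields, worked through as an added example. This is illustrative code written for this page, not the Signature Wizard's own file format or the sensor's matcher: the "$NAME" variable syntax, the variable names other than IM_YAHOO_PORTS, the signatures and the two TCP segments are all constructed for the example.

```python
"""Stream- versus packet-based signature matching (added example, not Symantec code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed variable table; IM_YAHOO_PORTS = 5050 is the guide's own example.
VARIABLES = {"HTTP_PORTS": "80,8080", "IM_YAHOO_PORTS": "5050"}


def expand(value, variables):
    """Replace $NAME references with the variable's value (assumed syntax)."""
    return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], value)


@dataclass
class Signature:
    name: str
    transit: str            # "TCP" or "UDP"
    direction: str          # "server-bound" or "client-bound"
    dest_port: str          # literal port list or a $VARIABLE
    match_type: str         # "stream" (TCP only) or "packet"
    offset: Optional[int]   # None = Any Payload Offset
    regex: str


@dataclass
class Packet:
    transit: str
    direction: str
    dport: int
    payload: bytes


def selects(sig, pkt, variables):
    """Does the packet belong to the traffic the signature is scoped to?"""
    ports = {int(p) for p in expand(sig.dest_port, variables).split(",")}
    return (pkt.transit == sig.transit and pkt.direction == sig.direction
            and pkt.dport in ports)


def match_payload(sig, data):
    pattern = re.compile(sig.regex.encode())
    if sig.offset is None:
        return pattern.search(data) is not None
    # A specific payload offset anchors the regex at exactly that byte.
    return pattern.match(data, sig.offset) is not None


def evaluate(sig, packets, variables=VARIABLES):
    """True if the signature fires on these packets of one connection."""
    selected = [p for p in packets if selects(sig, p, variables)]
    if sig.match_type == "stream":
        if sig.transit != "TCP":
            raise ValueError("stream matching is only defined for TCP")
        # Reassembled stream: the match may span segment boundaries.
        return match_payload(sig, b"".join(p.payload for p in selected))
    # Packet-based: every packet is searched on its own.
    return any(match_payload(sig, p.payload) for p in selected)


# One HTTP request split across two TCP segments (constructed).
SEGMENTS = [
    Packet("TCP", "server-bound", 8080, b"GET /cgi-bin/vu"),
    Packet("TCP", "server-bound", 8080, b"ln.cgi?x=1 HTTP/1.0\r\n\r\n"),
]

STREAM_SIG = Signature("cgi probe (stream)", "TCP", "server-bound",
                       "$HTTP_PORTS", "stream", None, r"cgi-bin/vuln\.cgi")
PACKET_SIG = Signature("cgi probe (packet)", "TCP", "server-bound",
                       "$HTTP_PORTS", "packet", None, r"cgi-bin/vuln\.cgi")
METHOD_SIG = Signature("GET at offset 0", "TCP", "server-bound",
                       "$HTTP_PORTS", "packet", 0, r"GET ")
OTHER_PORT_SIG = Signature("wrong port", "TCP", "server-bound",
                           "443", "stream", None, r"cgi-bin")

if __name__ == "__main__":
    for sig in (STREAM_SIG, PACKET_SIG, METHOD_SIG, OTHER_PORT_SIG):
        print(sig.name, evaluate(sig, SEGMENTS))
```

The same regex fires as a stream signature and misses as a packet signature because the string is split across the two segments; that is the evasion the stream option exists to close, and the reason a packet-based signature should only be chosen when the protocol really is packet-oriented. A wrong variable value (the IM_YAHOO_PORTS case in the note further on) silently drops the traffic from scope, as the last signature shows.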
After synchronization, reapply the edited signatures to the appropriate monitoring interfaces for the changes to take effect. See Setting policies to interfaces on page 119.
Note: See the Symantec Network Security Installation Guide for upgrading user-defined signatures from Symantec ManHunt 3.0.
The Signature Wizard fields are: Severity, Confidence, Category, Intent, Transit Type, Source Port, Destination IP, Destination Port, Match Type, Direction, Encoding, and Regular Expression.
See also the Symantec Network Security Signature Developer Guide to find out how to compose user-defined signatures that can be imported in bulk. See also the Symantec Network Security Installation Guide to find out how to upgrade user-defined signatures from Symantec ManHunt 3.0.
About default signature variables
Viewing signature variables
Adding new signature variables
Editing signature variables
Deleting signature variables
Resetting signature variables
Applying signature variables
Reverting signature variables
Note: We recommend that you review the list of signature variables to make sure that it accurately represents your network, and adjust wherever necessary. For example, if you chose a port other than 5050 when you installed Yahoo Instant Messenger, you must edit the IM_YAHOO_PORTS variable to correctly direct all signatures that use that variable.
On the Policies tab, click the Signature Variables tab to see available variables to use when defining signatures.
In Variable Name, edit the name for the signature variable.
In Value, edit the value.
In Edit Variable, click OK to save and exit.
In Signature Variables, click Apply to save the changes to the database.
Click New, and create a new signature variable.
Select a signature variable, and click Edit.
Select a signature variable, and click Delete.
Select a signature variable, and click Reset.
In Signature Variables, click Revert to undo the changes. This option is available only before saving to apply changes. See also the Symantec Network Security Installation Guide for upgrading user-defined signatures from Symantec ManHunt 3.0.
Part III
Chapter
Monitoring
This chapter includes the following topics:
About incident and event data
Examining incident and event data
Managing incident and event data
Tuning incident parameters
Tuning operational event parameters
Monitoring flow statistics
Security closes them. The condition of the incident can be viewed in the State column of the Incidents table. The incident idle time is a configurable parameter. This section describes the following topics:
Viewing incident and event data
Adjusting the view
Examining incident data
Examining event data
Incidents tab: Displays both active and idle incidents. When you select an incident, Events At Selected Incident in the lower pane displays information about the related events.
Devices tab: Displays the topology tree. When you select an object in the topology tree, the Network Security console displays related information in the right pane, including a link to security incidents that are currently active on that object.
The Incidents tab provides a multi-level view of both incidents and events. Incidents are groups of multiple related base events. Base events are the representation of individual occurrences, either suspicious or operational. The sensors notify the software or appliance node of any suspicious actions or occurrences that might warrant a response, such as a probe. Symantec Network Security also monitors operational occurrences that the user should be aware of, such as a Symantec Network Security license approaching the expiration date.
The Incidents tab contains an upper and lower pane: Incidents, and Events at Selected Incident. The upper pane displays information about each incident, taken from the highest-priority event within that incident. The values may change if an event of higher priority is added to the same incident. To view incident data
Note: All users can view incident and event data. All users can modify the view by adjusting font size, selecting and sorting columns, and/or applying filters. See User groups reference on page 353 for more about permissions.
See Setting font size on page 216. See Sorting column data on page 216.
Note: All users can set the font size for incident and event tables. See User groups reference on page 353 for more about permissions.
Click the heading of the column you want to sort. Click the column heading again to reverse the order.
Note: All users can sort incident and event table columns. See User groups reference on page 353 for more about permissions. See also Selecting columns on page 226.
what you have read and add notes. The display is described in the following sections:
Viewing top-level incident data
Viewing incident details
Viewing an incident's top event
Loading cross-node correlated events
Note: All users can view top-level incident data. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can drill down to view incident details. See User groups reference on page 353 for more about permissions.
To view incident details
On the Incidents tab, in the upper Incidents pane, right-click any incident row.
Click View Incident Details from the pop-up list. Incident Details displays the following information:
Summary: Indicates the name of the event.
Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that an incident can cause.
Confidence: Indicates the confidence level assigned to the incident. The confidence value indicates the level of certainty that a particular incident is actually an attack. If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.
End time: Indicates the time at which Symantec Network Security stopped monitoring the incident. See Setting Incident Idle Time on page 237.
Detected At: Indicates the software or appliance node on which the top event for this incident was detected.
Indicates the IP address and port of the node on which the top event for this incident was detected.
Summary: Indicates the name of the event.
Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that an incident can cause.
Confidence: Indicates the confidence level assigned to the incident. The confidence value indicates the level of certainty that a particular incident is actually an attack. If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.
Start time: Indicates the time at which Symantec Network Security started monitoring the event.
Occurred At: Indicates the software or appliance node on which the event was detected, interface, current policy, and MAC addresses.
Indicates the response rule triggered by this incident.
Provides detailed information about the event.
Indicates summary information about the event.
Indicates source and destination IP addresses and ports of the packet that triggered the event.
Event Note: Displays the optional note entered when the current policy was created, if any. See Annotating an event type in a policy on page 132.
Click Close to close top Event Details. From Event Details, you can do the following:
Click Load Events to load the events for the currently selected sub-incident. Load Events will be disabled if the currently selected sub-incident's events are already loaded.
Note: SuperUsers and Administrators can drill down to view cross-node events. See User groups reference on page 353 for more about permissions.
Viewing top-level event data
Interpreting severity and confidence levels
Viewing event details
Viewing an event's detailed description
About operational event notices
the respective incident row. The related event information is then displayed in the lower pane.
To view event data
On the Incidents tab, click an incident row.
Related events are displayed in the lower Events at Selected Incident pane.
Note: All users can view top-level event data. See User groups reference on page 353 for more about permissions.
Summary: Indicates the name of the event type.
Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that an incident can cause.
Confidence: Indicates the confidence level assigned to the incident. The confidence value indicates the level of certainty that a particular incident is actually an attack. If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.
Start time: Indicates the time at which Symantec Network Security started monitoring the event.
Occurred At: Indicates summary information about the event such as the name of the software or appliance node on which the event was detected, interface, current policy, and MAC addresses.
Provides detailed information about the event.
Indicates summary information about the event.
Indicates source and destination IP addresses and ports of the packet that triggered the event.
Event Note: Displays the optional note entered when the current policy was created, if any. See Annotating an event type in a policy on page 132.
Click New.
Select a policy, and click Edit.
Select a policy, and click View.
Click Search Events.
Click Full Event List.
Note: SuperUsers can view advanced event details and packet contents; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Monitored Host Unavailable: Symantec Network Security has detected a drop in network availability.
iButton Token Failure: The iButton, used only by Network Security software nodes, stores the private key portion of the Symantec Network Security signature certificate to safeguard the private key against being stolen or compromised. The iButton also confirms the identity of a software node.
Note: Notify us of your iButton's impending expiration. Replace it before it expires to ensure that the log files continue to be signed and the iButton can continue to perform its authentication and data hashing functions. See the Symantec Network Security Installation Guide for instructions on iButton replacement.
iButton Certificate Expiration: Several times during the 30 days prior to the expiration of your encryption certificate, warnings of the impending expiration are displayed in the Active Incidents tab. The notices are sent every 6 hours. The priority of the notices increases as the certificate lifetime gets shorter, stepping through the following lifetime bands (highest priority first):
life < 1 hour
1 hour <= life < 1 day
1 day <= life < 3 days
3 days <= life < 1 week
1 week <= life < 1 month
Expiration dates are also displayed when Symantec Network Security is restarted.
Network Security SuperUser Login: Symantec Network Security displays this event whenever a SuperUser logs into the Network Security console.
Network Security Administrator Login: Symantec Network Security displays this event whenever an Administrator logs into the Network Security console.
Network Security StandardUser Login: Symantec Network Security displays this event whenever a StandardUser logs into the Network Security console.
Network Security RestrictedUser Login: Symantec Network Security displays this event whenever a RestrictedUser logs into the Network Security console.
Email Initiation Request Failed: An error occurred while sending an email notification from Symantec Network Security.
Successful Email: An email response was successfully sent by Symantec Network Security.
SNMP Initiation Request Failed: An error occurred while sending an SNMP trap from Symantec Network Security.
Email Alert Failed: An error occurred while sending an email alert from Symantec Network Security.
SNMP Alert Successful, but Truncated: An SNMP trap was successfully sent by Symantec Network Security, but the message was too long and was truncated.
SNMP Alert Failed: An error occurred while sending an SNMP alert from Symantec Network Security.
Unable to Execute Custom Response Process: Failed to execute the custom response to an event.
Disk Space Warning: Symantec Network Security displays this event whenever fewer than 100,000 blocks and less than 10% of disk space are available.
Failover Active: Symantec Network Security displays this event whenever a software or appliance node with failover enabled becomes the active node.
High CPU Load Logging Interval: Symantec Network Security displays this event when a software or appliance node carries a CPU load of 95% averaged over the specific time interval set by the High CPU Load Logging Interval parameter. See High CPU Load Logging Interval on page 244.
Sensor No Traffic Detected Logging Interval: Symantec Network Security displays this event whenever a sensor does not detect any traffic beyond the specific time interval set by the Sensor No Traffic Detected Logging Interval parameter. See Sensor No Traffic Detected Logging Interval on page 245.
Sensor Dropped Packet Percentage Threshold: Symantec Network Security displays this event whenever the sensor detects a greater percentage of dropped packets over a 30-second time interval than the threshold set by the Sensor Dropped Packet Percentage Threshold parameter. See Sensor Dropped Packet Percentage Threshold on page 246.
Note: All users can view operational events at the top level. See User groups reference on page 353 for more about permissions.
Selecting columns
Selecting view filters
Marking and annotating
Saving, copying, and printing data
Selecting columns
The Network Security console provides a way to adjust the view by selecting which columns the Network Security console displays.
See Selecting incident columns on page 226. See Selecting event columns on page 227.
Click Select All to display all columns. Click the individual columns that you want to view.
Click OK to save and close. The Incidents tab can display the following incident data:
Indicates the date and time when Symantec Network Security last modified the incident record.
Indicates the user group of the current user.
Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that it can cause.
Source: Indicates the IP address of the attack source. If the source is made up of multiple addresses, then the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.
Destination: Indicates the IP address of the attack target. If the destination is made up of multiple addresses, then the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.
Event Count: Indicates the total number of events associated with this incident that have been logged to the database.
Device Name: Indicates the name of the device where the incident was detected.
Location: Indicates the location of the device where the incident was detected.
State: Indicates the condition of the incident, either Active or Closed. Incidents to which no new events have been added for a given amount of time are considered idle, and Symantec Network Security closes them.
Marked: Indicates whether you marked the incident as viewed.
Node #: Indicates the number of the software or appliance node that detected the incident.
Node Name: Indicates the name of the software or appliance node that detected the incident.
Other Node #s: Indicates the numbers of the software or appliance nodes that the incident was cross-node correlated to, if any.
Note: All users can select incident columns. See User groups reference on page 353 for more about permissions. See the following for related information:
See About incident/event reports on page 260. See Sorting column data on page 216.
Click Select All to select all columns. Click the individual columns you want to view.
Time: Indicates the date and time when Symantec Network Security first detected and logged the event.
Indicates the event category of the detected event.
Indicates the user group of the current user.
Source: Indicates the IP address of the packet that triggered the event. If the source is made up of multiple addresses, then the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.
Destination: Indicates the IP address of the attack target. If the destination is made up of multiple addresses, then the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.
Severity: Indicates the severity level assigned to the event. An event's severity is a measure of the potential damage that it can cause.
Confidence: Indicates the confidence level assigned to the event. An event's confidence is a measure of the level of certainty that it is actually part of an attack and free from false positives. If the event is merely suspicious, then it is assigned a lower confidence level. If Symantec Network Security collects more data on the event to substantiate its confidence, the confidence is adjusted upward.
Event Num: Indicates the order in which the event was added to the incident. An event can be configured to be reported periodically, such as once every 500 times. The Event Num column indicates if an event is actually an aggregation of multiple events by displaying the number of suppressed events in parentheses.
Indicates the name of the device where the event was detected.
Indicates the name of the interface group where the event was detected.
Indicates the location of the device where the event was detected.
Indicates the identification of the VLAN where the event was detected.
Blocked: Indicates whether the event was blocked or not. You can block events only with a 7100 Series appliance node.
Note: All users can select event columns. See User groups reference on page 353 for more about permissions. See the following for further information:
See About incident/event reports on page 260. See Interpreting severity and confidence levels on page 221.
See Selecting incident filters on page 229. See Selecting event filters on page 230.
Click Hide All Operational to show only those incidents classified as sensor events, and filter out all operational notice events.
Click Hide Sensor to show only operational events, such as Network Security console logins.
Click Show All Operational and Sensor to show both operational and sensor events.
Click Hide Unmarked to show only the incidents that have been marked in the Network Security console.
Click Hide Marked to show only the incidents that have not been marked in the Network Security console.
Click Show Both to include both marked and unmarked incidents.
Click Hide Unannotated to show only incidents with annotations and incidents that contain events with annotations.
Click Hide Annotated to show only incidents that have no annotations and contain no events with annotations.
Click Show Both to include both annotated and unannotated incidents.
In Show Incidents from Node #, click a node number from the pull-down list to show only incidents from the selected software or appliance node, or All (except standby) to view incidents from all the software or appliance nodes within the topology excluding standby nodes.
Click Include Backup Nodes to preserve incidents during a failover scenario.
In Maximum Incident Hours to Display, enter a value to limit the total number of hours.
In Maximum Incidents Within Incident Hours, enter a value to limit the total number of incidents within the hour limit.
Note: All users can select incident filtering criteria. See User groups reference on page 353 for more about permissions.
Click Hide Operational to show only those events classified as sensor events.
Click Hide Sensor to show only events associated with notices.
Click Show Both to show all events relating to the selected incident.
In Maximum Events to Display, enter a value. The default is 100 events per incident. Click Apply to save and exit.
Note: All users can select event filtering criteria. See User groups reference on page 353 for more about permissions. See also About operational event notices on page 223.
See Marking incidents as read on page 231. See Annotating incident data on page 232. See Customizing annotation templates on page 232.
Note: If an incident changes after it was marked, such as a new event being added to it, the red hash mark changes to a red circle to flag you.
Note: All users can mark incident data. See User groups reference on page 353 for more about permissions.
Note: All users can annotate incident and event data. See User groups reference on page 353 for more about permissions.
Saving incident data
Copying and pasting incidents
Copying an incident's top event
Copying event details
Printing incident data
Note: All users can save incident data. See User groups reference on page 353 for more about permissions.
Note: All users can copy and paste incident data. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can copy data from an incidents top event. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can copy event details. See User groups reference on page 353 for more about permissions.
Click Page Setup to layout the page before printing or previewing. Click Print Preview to preview the page before printing.
Note: All users can print top-level incident data. See User groups reference on page 353 for more about permissions.
Configuring email
All users can configure a Network Security console to email detailed information about each incident on the Incidents tab.
To configure Symantec Network Security to email incident data
On the Incidents tab, right-click an incident row.
Click Email > Configuration.
In Email Configuration, indicate the following:
In SMTP Mail Server, enter your SMTP server for outgoing emails.
In To, enter the destination.
In From, enter the source.
In Subject, enter the email subject.
Note: All users can configure Symantec Network Security to email top-level incident data. See User groups reference on page 353 for more about permissions.
Click Compose > in HTML Format to send an email in HTML format.
Click Compose > in Text Format to send an email in plain text format.
Click Send Directly > in HTML Format to send an email in HTML format. Make sure to configure email first.
Click Send Directly > in Text Format to send an email in plain text format. Make sure to configure email first.
Click Through Browser, and paste the incident content into the body of the email.
Click Through Mail Client, and paste the incident content into the body of the email.
Note: The Network Security console and the software or appliance node may not use the same SMTP mail server. Setting the SMTP Server notification parameter does not necessarily affect the SMTP mail server referenced in this procedure.
6 Click Send.
Note: All users can email top-level incident data. See User groups reference on page 353 for more about permissions.
Setting Incident Idle Time
Setting Maximum Incidents
Setting Incident Unique IP Limit
Setting Event Correlation Name Weight
Event Correlation Source IP Weight
Event Correlation Destination IP Weight
Event Correlation Source Port Weight
Event Correlation Destination Port Weight
3 In the left pane under Incident Parameters, click Incident Idle Time.
4 In the lower right pane, enter a value in minutes. By default, the value for this parameter is set to 10 minutes.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Caution: You will lose any unsaved changes when you exit.
Note: We recommend that this value be set between 10 and 100. Increasing this value can impact memory.
Note: Make sure that the sum of all Event Correlation Weight values is equal to or greater than 10. If the sum is less than 10, no events will be correlated.
Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Incident Parameters, click Event Correlation Name Weight.
4 In the lower right pane, enter a value between 0 and 10.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Incident Parameters, click Event Correlation Source IP Weight.
4 In the lower right pane, enter a value between 0 and 10.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Incident Parameters, click Event Correlation Destination IP Weight.
4 In the lower right pane, enter a value between 0 and 10.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Incident Parameters, click Event Correlation Source Port Weight.
4 In the lower right pane, enter a value between 0 and 10.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Incident Parameters, click Event Correlation Destination Port Weight.
4 In the lower right pane, enter a value between 0 and 10.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
High CPU Load Logging Interval
Sensor No Traffic Detected Logging Interval
Sensor Dropped Packet Percentage Threshold
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click High CPU Load Logging Interval.
4 In the lower right pane, do one of the following:
Enter a value of 0 to disable this parameter.
Enter a value of 3 or greater to enable this parameter.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Enter a value of 30 or greater to enable this parameter.
Enter a value of 0 to disable this parameter.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Enter a value between 1% and 100% to enable this parameter.
Enter a value of 0% to disable this parameter.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Configuring FlowChaser
Configure the following FlowChaser parameters to enable the FlowChaser option and define how it functions:
Setting FlowChaser Maximum Flows Per Device
Setting FlowChaser Router Flow Collection Threads
Setting FlowChaser Router Flow Collection Port
Setting FlowChaser Sensor Threads
Note: Restart Symantec Network Security for changes to this parameter to take effect.
you can add threads by raising the value. This will affect system performance. In general, this should be set to 1 less than the number of processors on the software or appliance node, with a minimum value of 1. Set this to 0 if you are running the FlowChaser database but not receiving any router flow data. The default value is 3.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under FlowChaser Database, click FlowChaser Router Flow Collection Threads.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
Chapter
Reporting
This chapter includes the following topics:
About reports and queries
Scheduling reports
Reporting top-level and drill-down
About top-level report types
Querying flows
Playing recorded traffic
section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.
Scheduling reports
You can administer and configure scheduled reports on any software or appliance node using the Network Security console. You can generate Network Security console reports in table format, and customize the table by sorting. You can print or save reports, drill down to details in a top-level report, and save or print all the details, rather than printing each page of details individually. You can save and print Console Reports in text and HTML format. This section includes the following:
Adding or editing report schedules
Refreshing the list of reports
Deleting report schedules
Managing scheduled reports
Note: SuperUsers and Administrators can schedule reports; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
4 In Unscheduled Subreports, click a report type, and then click the double right arrows to move it to Scheduled Subreports.
5 The following subreports require additional information:
In Top Event Types, enter the number of event types, and click OK.
In Top Event Destinations, enter the number of addresses, and click OK.
In Top Event Sources, enter the number of addresses, and click OK.
In Event by Classful Destination, enter the number of networks, and click OK.
In Event by Classful Source, enter the number of networks, and click OK.
6 To deselect a report, in Scheduled Subreports, click the report, and then click the double left arrows to move it to Unscheduled Subreports.
7 In Report Generation Options, supply the generation options by selecting from the following:
In Report Name, enter a name for the report.
In Report Format, choose plain text or HTML from the pull-down list.
In Day to run, choose the day of the week from the pull-down list.
In Hour to run, choose the hour from the pull-down list.
In Report period in days, enter the number of days in the reporting period.
In Send Via Email, enter the email address to send the report by email.
In Save To File, click to save the report to a file.
In Secure Copy, enter the hostname, directory, and username.
8 Click OK to save and exit.
Note: Saved scheduled reports are output to /usr/SNS/reports on software and appliance nodes using <report name>.<time stamp>.<file type>. For example, Rpt3.1085630401.txt or Rpt5.1085634000.html.
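The following is an added example, not Symantec's code, showing how to parse the saved report file names described in the note above and pick out the newest file per report name (for instance, to confirm that a schedule actually ran). It assumes the time stamp is seconds since the Unix epoch in UTC, which is consistent with the manual's examples; the sample file names are constructed from them.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

REPORT_DIR = "/usr/SNS/reports"  # output directory stated in the manual

# <report name>.<time stamp>.<file type>; the report name may itself contain dots,
# so the greedy group backtracks to the last ".<digits>.<txt|html>" suffix.
_NAME_RE = re.compile(r"^(?P<name>.+)\.(?P<ts>\d{9,10})\.(?P<ext>txt|html)$")


def parse_report_filename(filename: str) -> Optional[Tuple[str, datetime, str]]:
    """Split a saved report file name into (report name, UTC datetime, format).

    Returns None when the name does not follow the manual's pattern. Treating the
    time stamp as a Unix epoch (UTC) is an assumption of this example.
    """
    m = _NAME_RE.match(filename)
    if not m:
        return None
    when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    return m["name"], when, m["ext"]


def latest_reports(filenames) -> Dict[str, Tuple[str, datetime, str]]:
    """Map each report name to its newest saved file as (file name, datetime, format).

    Files that do not match the naming pattern (stray files in the directory) are skipped.
    """
    newest: Dict[str, Tuple[str, datetime, str]] = {}
    for fn in filenames:
        parsed = parse_report_filename(fn)
        if parsed is None:
            continue
        name, when, ext = parsed
        if name not in newest or when > newest[name][1]:
            newest[name] = (fn, when, ext)
    return newest


# Constructed directory listing based on the manual's two example names plus an
# older Rpt3 run and an unrelated file.
SAMPLE_LISTING = [
    "Rpt3.1085630401.txt",
    "Rpt5.1085634000.html",
    "Rpt3.1085544001.txt",
    "README",
]

if __name__ == "__main__":
    for name, (fn, when, ext) in sorted(latest_reports(SAMPLE_LISTING).items()):
        print(f"{name}: {REPORT_DIR}/{fn} written {when.isoformat()} ({ext})")
```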
Click Reports > Schedule Reports.
Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
In Report Scheduling, click Manage Report Files.
In Report Files, proceed to the next step.
Click Reports > Schedule Reports.
Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
In Report Scheduling, click Manage Report Files.
In Report Files, proceed to the next step.
4 In Report Files, select a saved report.
5 In Actions, click View.
6 Click Close to exit.
Click Reports > Schedule Reports.
Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
In Report Scheduling, click Manage Report Files.
In Report Files, proceed to the next step.
4 In Report Files, select a saved report.
5 Click Actions > Secure Copy.
6 In Secure Copy Options, provide or verify the following information:
In Filename, view the name of the selected report.
In Hostname, enter the name of the host to which the report will be copied.
In Directory, enter the directory to which the report will be copied.
Click Reports > Schedule Reports.
Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
In Report Scheduling, click Manage Report Files.
In Report Files, proceed to the next step.
4 In Report Files, select a saved report.
5 Click Actions > Delete, and click OK.
About report formats
About report types
About incident/event reports
Printing and saving reports
A Fragmentation Attack event can consist of any one of these base event types. So, incidents can consist of one or more event types, and event types can map to one or more base events.
On the main menu bar, click Reports > File > Print.
Reports of top events
Reports per incident schedule
Reports per event schedule
Reports by event characteristics
Reports per Network Security device
Drill-down-only reports
The Top Blocked Event Types report displays the list of event types that have the largest number of blocked events. Symantec Network Security generates the Top Blocked Event Types report in table, pie, and bar chart formats. You can generate several drill-down reports for each event type listed in the Top Blocked Event Types report.
The Top Event Destinations report lists the most frequently occurring destination IP addresses of detected events. However, the top event destinations do not necessarily map to the top event types. You must specify the report start and end date/time, and number of unique addresses to display. For example, you could generate a report on the top 10 addresses or top 100 addresses. Symantec Network Security generates the Top Event Type report in the table, pie chart and bar chart formats. To view the number of times an IP address was an event destination during the report time period, hover the cursor over the table row, pie piece, or bar corresponding to the event destination. You can generate several drill-down reports for each event type listed in the Top Event Destinations report.
Incidents per month
This report displays the total number of incidents that occurred during each month of the time period you specify. If a month is not listed in the report, then no incidents were detected during that month. Symantec Network Security generates this report in table and column chart formats. You can generate several drill-down reports for each month listed in the Incidents Per Month report.
Incidents per day
This report displays the total number of incidents that occurred per day during the time period you specify. If a day is not listed in the report, then no incidents were detected during that day. Symantec Network Security generates this report in table and column chart formats. You can generate several drill-down reports for each day listed in the Incidents Per Day report.
Incidents per hour
This report displays the total number of incidents that occurred per hour during the time period you specify. If an hour is not listed in the report, then no incidents were detected during that hour. The Incidents Per Hour report is generated in table and column chart formats. You can generate several drill-down reports for each hour listed in the Incidents Per Hour report.
Events per day
This report displays the total number of events detected per day during the time period you specify. If a day is not listed in the report, then no events were detected during that day. Symantec Network Security generates this report in stacking bar chart, column chart, and table formats. You can generate several drill-down reports for each day listed in the Events Per Day report.
Events per hour
This report displays the total number of events detected per hour during the time period you specify. If an hour is not listed in the report, then no events were detected during that hour. Symantec Network Security generates this report in stacking bar chart, column chart, and table formats. You can generate several drill-down reports for each hour listed in the Events Per Hour report.
Events by protocol
Events by vendor
Destinations of source
Sources of destination
Events by device
This report lists operational events such as user logins, communication errors, response actions, and license status notifications. This report allows you to drill-down to event details.
Note: SuperUsers, Administrators, and StandardUsers can generate reports from devices with flow statistics; RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Drill-down-only reports
Most top-level report types are also available as drill-down reports within other top-level reports. However, some Network Security console reports are accessible only as drill-down reports from within top-level reports or other drill-down reports. This section describes the following drill-down-only reports. For the incident you select, data is displayed within the Incident List report.
Table 9-6 Report
Incident details
Event list
Events details
Destinations of event
Flows by protocol
Querying flows
FlowChaser serves as a data source in coordination with Symantec Network Security TrackBack, a response mechanism that traces a DoS attack or network flow back to its source. The FlowChaser database can be queried for flows by port and arbitrary address. The Network Security console displays both current flow data and exported flow data, and provides secondary query options from the results page. Symantec Network Security provides query options as follows:
In Query Current Flows or Query Exported Flows
In Event Details, right-click the IP address to see the flow statistics
In Event Details of an Exported Related Flows, exported flows are displayed
The Network Security console retrieves a limited number of records for each query, which prevents overloading memory, and displays the results in a table. If more results are available, click Next Results to proceed. This section includes the following:
Note: SuperUsers, Administrators, and StandardUsers can view flow data; RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Match Source and Destination: This will make a more focused query on specific source and destination IPs.
Match Either Source or Destination: This will make a broader query on either a source IP or a destination IP.
In Match Source and Destination, you can display flows that pertain only to specific source IPs and destination IPs. To make this a more focused query, enter data in the following fields:
In Source IP, enter a numeric IP address.
In Prefix Len, enter a mask of the IP address in integers between 1 and 32.
In Port, enter a valid port number.
In Destination IP, enter a numeric IP address.
In Prefix Len, enter a mask of the IP address in integers between 1 and 32.
In Port, enter a valid port number.
In Match Either Source or Destination, you can display flows that pertain to either a source IP or a destination IP. To make this a broader query, enter data in the following fields:
In Source or Destination IP, enter a numeric IP address.
In Prefix Len, enter a mask of the IP address in integers between 1 and 32.
In Port, enter a valid port number.
Note: The Network Security console displays the flow data in table format, one page at a time. You can sort the table by clicking the heading of any column. This sort, however, applies only to the page currently displayed, which may be only a portion of the entire report. At the top of the display, a prompt indicates how many flows are currently displayed, out of the total report.
5 Do one of the following:
Click Start Query to run a flow query based on the parameters that you configured.
Click Next Results to view the next page of a query that was too large to display in its entirety.
Click Clear to stop the active query and remove the results from display.
Match Source and Destination: This will make a more focused query on specific source and destination IPs.
Match Source or Destination: This will make a broader query on either a source IP or a destination IP.
In Match Source and Destination, you can display only flows that pertain to specific source and destination IPs. To make this more focused query, enter data in the following fields:
In Source IP, enter a numeric IP address.
In Port, enter a valid port number.
In Destination IP, enter a numeric IP address.
In Port, enter a valid port number.
In Match Source or Destination, you can display flows that pertain to either a source IP or a destination IP. To make this broader query, enter data in the following fields:
In Source or Destination IP, enter a numeric IP address.
In Port, enter a valid port number.
Note: The Network Security console displays the flow data in table format, one page at a time. You can sort the table by clicking the heading of any column. This sort, however, applies only to the page currently displayed, which may be only a portion of the entire report. At the top of the display, a prompt indicates how many flows are currently displayed, out of the total report.
5 Do one of the following:
Click Start Query to run a flow query based on the parameters that you configured.
Click Next Results to view the next page of a query that was too large to display in its entirety.
Click Clear to stop the active query and remove the results from display.
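Both the Query Current Flows and Query Exported Flows procedures above narrow a result set in the same two ways. The following is an added example, not Symantec's code, that implements the "Match Source and Destination" and "Match Either Source or Destination" modes (with the Prefix Len and port checks the console asks for) and the page-at-a-time display over constructed flow records; the Flow record shape and all function names are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow record as the console tabulates it (a constructed shape, not the FlowChaser schema)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _side_matches(ip: str, port: int, want_ip: Optional[str], prefix_len: int,
                  want_port: Optional[int]) -> bool:
    """True when one side (source or destination) of a flow satisfies the optional
    IP/Prefix Len and Port criteria. Prefix Len is held to the console's 1..32 range."""
    if want_ip is not None:
        if not 1 <= prefix_len <= 32:
            raise ValueError("Prefix Len must be an integer between 1 and 32")
        # strict=False lets a host address such as 10.1.2.3/24 stand for its network
        if IPv4Address(ip) not in ip_network(f"{want_ip}/{prefix_len}", strict=False):
            return False
    if want_port is not None:
        if not 0 <= want_port <= 65535:
            raise ValueError("Port must be a valid port number")
        if port != want_port:
            return False
    return True


def match_source_and_destination(flows: List[Flow], src_ip=None, src_prefix=32, src_port=None,
                                 dst_ip=None, dst_prefix=32, dst_port=None) -> List[Flow]:
    """Match Source and Destination: the focused query. Every criterion given for the
    source side AND every criterion given for the destination side must hold."""
    return [f for f in flows
            if _side_matches(f.src_ip, f.src_port, src_ip, src_prefix, src_port)
            and _side_matches(f.dst_ip, f.dst_port, dst_ip, dst_prefix, dst_port)]


def match_either_source_or_destination(flows: List[Flow], ip=None, prefix=32,
                                       port=None) -> List[Flow]:
    """Match Either Source or Destination: the broader query. The one set of criteria
    may hold on the source side OR on the destination side, so both directions of a
    conversation involving the address are returned."""
    return [f for f in flows
            if _side_matches(f.src_ip, f.src_port, ip, prefix, port)
            or _side_matches(f.dst_ip, f.dst_port, ip, prefix, port)]


def result_page(results: List[Flow], page_size: int, page_no: int) -> Tuple[List[Flow], str]:
    """Return one page of results plus the 'shown of total' prompt. As the manual's note
    says, a sort applied to a page orders that page only, not the whole result."""
    start = (page_no - 1) * page_size
    rows = results[start:start + page_size]
    return rows, f"{len(rows)} of {len(results)} flows"


# Constructed sample flows (not real traffic): clients in 10.1.2.0/24 talking to
# 192.0.2.10, one reverse-direction record, and one unrelated DNS flow.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", 40000, "192.0.2.10", 80),
    Flow("10.1.2.4", 40001, "192.0.2.10", 443),
    Flow("10.1.9.9", 40002, "192.0.2.20", 80),
    Flow("192.0.2.10", 80, "10.1.2.3", 40000),
    Flow("172.16.5.5", 5000, "198.51.100.7", 53),
]

if __name__ == "__main__":
    focused = match_source_and_destination(SAMPLE_FLOWS, src_ip="10.1.2.0", src_prefix=24,
                                           dst_ip="192.0.2.10", dst_prefix=32)
    print("focused:", focused)  # the two 10.1.2.x -> 192.0.2.10 flows
    broad = match_either_source_or_destination(SAMPLE_FLOWS, ip="192.0.2.0", prefix=24, port=80)
    print("broad:", broad)      # three flows with port 80 on a 192.0.2.x side
    print(result_page(broad, 2, 1)[1])  # "2 of 3 flows"
```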
Click Flows > Traffic Playback > select a node > OK.
Click Incidents > double-click the Traffic Record Finished event > Event Message. Skip Steps 2 and 3, and proceed directly to Step 4.
To adjust your view of Recorded Events, click Column.
To remove events you do not want to view, click the event, and then click Delete.
3 In Recorded Events, click the row corresponding to an event to view the flow of that event in Flows of Selected Record.
4 In Flows of Selected Record, click a row corresponding to a flow, then click Playback.
5 In Packet Replay Tool, view the detailed packet data, one packet at a time.
6 To view all packet data in a session that includes multiple packets, on Symantec Packet Replay Tool, click View > Show Session Window.
Note: SuperUsers can view playbacks of recorded traffic; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Chapter 10
About the log files
Managing logs
Configuring automatic archiving
Exporting data
Note: For information about how to convert logs to text manually, see About the Knowledge Base on page 22.
Managing logs
Symantec Network Security provides log and database management from the Network Security console, described in the following sections:
Viewing log files
Viewing live log files
Archiving log files
Copying log files
Deleting log files
Note: All users can view log files; only SuperUsers and Administrators can manage them. See User groups reference on page 353 for more about permissions.
To view log files
1 On the main menu bar, click Admin > Node > Manage Logs.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Log Files, do one of the following:
Click a log file to select it.
Click Refresh Table to get the latest logs.
4 Scroll to read all lines on the log.
On the Operational Log tab, view the log.
On the Events tab, view the events.
In Go To Page, enter a page number.
Click Next Page to progress forward.
Click Previous Page to progress backward.
Note: All users can view log files. See User groups reference on page 353 for more about permissions.
Click a log file to select it.
Click Refresh Table to get the latest logs.
4 In Actions, click View Live Log.
5 In Live Log, scroll to read all lines on the log.
6 Click Close to exit.
Note: All users can view live log files. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can archive log files; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
In Filename, view the name of the selected log file.
In Hostname, enter the name of the server receiving the log copy.
In Directory, enter the directory.
In Username, enter the user name.
Click OK to save a copy of the log file in the desired location and exit.
Note: SuperUsers and Administrators can copy log files; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can delete log files; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: All users can refresh the log files table. See User groups reference on page 353 for more about permissions.
Setting automatic logging levels
Archiving log files
Compressing log files
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
Note: For information about how to manage logs manually, see About the Knowledge Base on page 22.
Setting Size to Trigger Rotation
Setting Limit Size for Archive Directory
Setting Limit Size for Traffic Record Directory
Note: If you set this value at too large a number with compression enabled, it may put excess strain on the node when the logs eventually archive. See Setting Compression On/Off Switch on page 283.
The default value is 5 GB, and the minimum effective value is 1 GB. If this parameter is not set, then the archive directory is not cleared at any size.
Note: If Limit Size for Archive Directory is configured to any value greater than 0, Symantec Network Security automatically clears the archive directory each time the size limit is breached. If this occurs as you are attempting to view it, an error message appears. Simply close and reopen the window to refresh the available contents.
Note: This parameter refers only to the amount of data archived, not to the total disk usage.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Limit Size for Archive Directory.
4 In the lower right pane, enter a size in GB.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: If Limit Size for Traffic Record Directory is configured to any value greater than 0, Symantec Network Security automatically clears the traffic record directory each time the size limit is breached. If this occurs as you are attempting to replay it, an error message appears. Simply close and reopen the window to refresh the available contents.
Note: This parameter refers only to the amount of data recorded, not to the total disk usage.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Limit Size for Traffic Record Directory.
4 In the lower right pane, enter a size in GB.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
event logs are archived into a single file, and named in the logs.YYMMDDHHMMSS.tar format. In either case, when the event log is archived, it is signed by the iButton or soft token, whether compression is enabled or not.
Note: Compression may require large amounts of memory and CPU for large logs.
Use the following parameters to configure compression procedures:
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: For large logs, compression may require large amounts of memory and CPU usage.
Note: For how to verify log files manually, see About the Knowledge Base on page 22.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: For large logs, compression may require large amounts of memory and CPU usage.
Note: To find out how to verify log files manually, visit the Knowledge Base. See About the Knowledge Base on page 22.
Exporting data
Symantec Network Security provides multiple ways to export log and database files, or transfer them to another host for long-term storage. Export to file if you want the log in a format that is readable by other programs or applications. Other methods of export use the Symantec format. This section includes the following forms of export:
Exporting to file
Exporting to SESA
Exporting to SQL
Exporting to syslog
Transferring via SCP
Exporting to file
Export to file if you want the log files written in a readable format that can be used by other applications.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Event Writer File.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
Exporting to SESA
Symantec Network Security can export event data to Symantec Enterprise Security Administrator (SESA) using the SESA Bridge Export node parameter. You can install the Bridge on both software and appliance nodes by running the Bridge installation script located in the /usr/SNS/install/sesabridge directory. The SESA Bridge enables you to send events from Symantec Network Security to the SESA management console. The Bridge is not required to use Symantec Network Security in native mode. This section describes the following topics:
Security, so all you have to do is enable exporting to SESA via the SESA Bridge Export parameter. You need the following:
Symantec Network Security installed on a dedicated computer, or Symantec Network Security 7100 Series appliance
SESA 2.0
SESA Integration Package (SIP) installed on the SESA Manager, to register Symantec Network Security with SESA 2.0
SESA Bridge installed on each software or appliance node that will send events to SESA
SESA Agent
Symantec Event Manager for Intrusion Protection (The Symantec Event Manager is optional. To view reports, you must install it, but to view raw events, you do not need it.)
See the Symantec Network Security Installation Guide and Symantec Network Security 7100 Series Implementation Guide for more information about the SESA Bridge.
4 Click True to enable the SESA Bridge. Click False to disable the SESA Bridge.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: It may take up to 10 minutes for changes to this parameter to take effect.
Exporting to SQL
Symantec Network Security can export event and incident data to two supported SQL-compliant databases: Oracle 9i and MySQL 4.0. A Java Database Connectivity (JDBC) driver identifies the type of database to use, and defines how Symantec Network Security communicates to the database. JDBC drivers for both Oracle and MySQL must be obtained externally and installed in the following directory before exporting to SQL:
/usr/SNS/java
You can set configurable parameters to indicate which driver you want to use, if any, create user login accounts, and establish tables on the database.
Note: To find out how to set up export tables for incident and event databases to export to Oracle or MySQL, see SQL reference on page 365. To find out how to configure SQL export manually, visit the Knowledge Base. See About the Knowledge Base on page 22.
This section includes the following export parameters:
Setting Cluster ID
Setting JDBC Driver
Setting DB Connection String
Setting DB User
Setting DB Password
Setting Cluster ID
Cluster ID indicates the Network Security cluster sending a message, so that you can distinguish messages from multiple clusters if spooled to the same database. This parameter is included in all event and incident messages sent to the database, and should be unique for each Network Security cluster. Assign the same Cluster ID to all nodes within a cluster that you enable to export to SQL.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter the JDBC Driver using one of the following classpath formats:
Oracle: oracle.jdbc.OracleDriver
MySQL (Connector/J): org.gjt.mm.mysql.Driver
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security after changing this parameter. Changes will not take effect until the cluster synchronizes the changes, and each node is restarted.
Oracle: The standard Oracle NET8/SQL*NET port is 1521, and the format is as follows:
jdbc:oracle:thin:@//<FQDN of the oracle DB server>:<port number>/<databasename>
MySQL: The default port for non-localhost MySQL connections is currently 3306, and the format is as follows:
jdbc:mysql://<FQDN of
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
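The JDBC Driver and DB Connection String parameters above are entered by hand and only checked when the node restarts. The following Python script, added here as an example and not part of the Symantec documentation or product, builds a connection string for either supported database and reads one back, pairing it with the driver class the page lists. The driver class names, the Oracle thin URL form and the default ports (1521 and 3306) are taken from the page; because the page's MySQL URL is cut off, the full form jdbc:mysql://<host>:<port>/<database> is assumed from the standard Connector/J format. The function names and the sample hostnames are constructed.

```python
"""Build and sanity-check the JDBC connection strings used by SQL export.

Added example; this is not code from the Symantec documentation or product.
Driver class names, the Oracle thin URL form and default ports come from the
page; the full MySQL URL form is assumed from Connector/J conventions.
"""
import re

# Driver classpath entries listed for the JDBC Driver parameter.
JDBC_DRIVERS = {
    "oracle": "oracle.jdbc.OracleDriver",
    "mysql": "org.gjt.mm.mysql.Driver",
}

# Default listener ports named on the page.
DEFAULT_PORTS = {"oracle": 1521, "mysql": 3306}

# FQDN check: dot-separated RFC 1123 labels (letters, digits, inner hyphens).
_FQDN = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
_DBNAME = re.compile(r"^[A-Za-z0-9_]+$")

# Patterns for reading a string back, one per supported database.
_ORACLE_URL = re.compile(r"^jdbc:oracle:thin:@//([^:/]+):(\d{1,5})/([A-Za-z0-9_]+)$")
_MYSQL_URL = re.compile(r"^jdbc:mysql://([^:/]+):(\d{1,5})/([A-Za-z0-9_]+)$")


def build_connection_string(db_type, host, database, port=None):
    """Return the DB Connection String for the given database.

    Rejects anything that is not an FQDN or a plain database name, so that
    stray characters cannot change what the URL means to the JDBC driver.
    """
    db_type = db_type.lower()
    if db_type not in JDBC_DRIVERS:
        raise ValueError(f"unsupported database type: {db_type!r}")
    if not _FQDN.match(host):
        raise ValueError(f"host must be an FQDN: {host!r}")
    if not _DBNAME.match(database):
        raise ValueError(f"unexpected characters in database name: {database!r}")
    port = DEFAULT_PORTS[db_type] if port is None else int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if db_type == "oracle":
        return f"jdbc:oracle:thin:@//{host}:{port}/{database}"
    return f"jdbc:mysql://{host}:{port}/{database}"


def parse_connection_string(url):
    """Split a connection string into its parts and name the matching driver,
    the pairing an operator should confirm before restarting the node."""
    for db_type, pattern in (("oracle", _ORACLE_URL), ("mysql", _MYSQL_URL)):
        m = pattern.match(url)
        if m:
            return {
                "db_type": db_type,
                "host": m.group(1),
                "port": int(m.group(2)),
                "database": m.group(3),
                "driver": JDBC_DRIVERS[db_type],
            }
    raise ValueError(f"not a supported JDBC connection string: {url!r}")


if __name__ == "__main__":
    # Constructed sample values, not real hosts.
    url = build_connection_string("oracle", "db1.example.com", "snsdb")
    print(url)
    print(parse_connection_string(url))
```

Running the script with a string copied from the console before the restart catches a mismatched driver class or a port typo while the node is still exporting, rather than after the cluster has synchronized a broken setting to every node.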
Setting DB User
DB User indicates the user name that Symantec Network Security uses to authenticate against the database. Make sure to grant the proper permissions to the user. See Permissions by user group on page 354.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value. Depending on the type of database, use one of the following:
Oracle: The user must have CREATE SESSION permission granted. You may also want to grant UNLIMITED TABLESPACE, which means that the Oracle disk quota does not apply. Queries will begin failing once the Oracle user fills up the disk quota. See the Oracle documentation for creating user login accounts.
MySQL: The user must have the following permissions granted: CREATE, INSERT, DELETE. See the MySQL documentation for creating user login accounts.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for a change to this parameter to take effect.
Setting DB Password
DB Password indicates the password that Symantec Network Security uses to authenticate against the MySQL or Oracle database.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a password.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for a change to this parameter to take effect.
Note: See also SQL reference on page 365.
Exporting to syslog
The Network Security console provides a way to export to syslog on a cluster-wide basis, or to override the cluster configuration at the node level. Only events are exported to syslog, not incidents. The Network Security console also provides a way to export log files to a flat file or to a remote UNIX syslog, and SuperUsers and Administrators can export log files to Oracle or to MySQL. SuperUsers and Administrators can configure Symantec Network Security to send copies of its operational log messages to the UNIX syslog facility. To do so, you must configure syslog to receive the operational log data, and enable Symantec Network Security to send data to a syslog server by entering a non-zero value for the Echo Operational Log to Syslog parameter. The value must correspond to syslog priority levels 1-4, inclusive.
Note: To export to syslog, syslog must be running in remote mode. This may not be the default. See the Unix or Linux man pages for more details.
Note: SuperUsers and Administrators can export logs; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Symantec Network Security can export event data to syslog. Data remains in the proprietary format. Syslog is always considered remote, even if located on the same host. This section includes the following syslog export parameters:
Setting Syslog Event Export
Setting Echo Operational Log to Syslog
Setting Remote Syslog Destination Host
Setting Remote Syslog Destination Port
Setting Syslog Maximum Message Size
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Syslog Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: It may take up to 10 minutes for changes to this parameter to take effect.
In Apply Changes To, select the node to which to apply the parameter. Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Caution: Make sure that sufficient RAM exists on the system for this parameter. Restart Symantec Network Security for changes to this parameter to take effect.
Caution: Make sure that sufficient RAM exists on the system for this parameter. It may take up to 10 minutes for changes to this parameter to take effect.
Caution: Make sure that sufficient RAM exists on the system for this advanced parameter. It may take up to 10 minutes for changes to this parameter to take effect.
Note: To export to syslog, syslog must be running in remote mode. This may not be the default. See the Unix or Linux man pages for more details.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Syslog Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
Caution: Messages exceeding 1024 bytes are not compliant with the BSD Syslog Protocol RFC (3164), and may be truncated or dropped by syslog servers.
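The Echo Operational Log to Syslog value (1-4) and the Syslog Maximum Message Size parameter above both map onto the BSD syslog format that the receiving server expects. The following Python script, added here as an example and not code from the Symantec documentation or product, shows what that mapping looks like: it validates the echo level, formats one operational-log line as an RFC 3164 datagram with the PRI field computed from facility and severity, and caps the datagram at the configured size so that a collector never sees the oversize messages the caution warns about. The facility and severity numbering and the 1024-byte limit are from RFC 3164; the function names, the local0 facility, the sample node name and the sample log text are constructed for illustration.

```python
"""Format an operational-log line as an RFC 3164 syslog datagram and enforce
the maximum message size.

Added example; not code from the Symantec documentation or product. Facility
and severity numbering and the 1024-byte limit are from RFC 3164; the 1-4
range for the Echo Operational Log to Syslog parameter is from the page.
"""
from datetime import datetime

RFC3164_MAX_BYTES = 1024   # largest datagram an RFC 3164 receiver must accept
LOG_LOCAL0 = 16            # facility number for local0 (RFC 3164, Table 1); assumed here

# Severity values the Echo Operational Log to Syslog parameter accepts
# (the page calls them priority levels 1-4); 0 disables the echo.
ECHO_LEVELS = {1: "alert", 2: "crit", 3: "err", 4: "warning"}


def check_echo_level(value):
    """Return the severity name for a parameter value, or None when echo is off."""
    if value == 0:
        return None
    if value not in ECHO_LEVELS:
        raise ValueError(f"Echo Operational Log to Syslog must be 0 or 1-4, got {value}")
    return ECHO_LEVELS[value]


def is_rfc3164_compliant_size(max_bytes):
    """True when a configured Syslog Maximum Message Size fits RFC 3164."""
    return 0 < max_bytes <= RFC3164_MAX_BYTES


def format_syslog(severity, hostname, tag, content, when,
                  facility=LOG_LOCAL0, max_bytes=RFC3164_MAX_BYTES):
    """Build '<PRI>Mmm dd hh:mm:ss HOST TAG: CONTENT' and cap it at max_bytes.

    Returns (datagram_bytes, truncated). Line breaks inside the content are
    replaced so one operational-log entry cannot be split into two records
    by the receiver.
    """
    check_echo_level(severity)
    pri = facility * 8 + severity                      # RFC 3164 section 4.1.1
    # RFC 3164 timestamp: month name, space-padded day, hh:mm:ss.
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    header = f"<{pri}>{ts} {hostname} {tag}: "
    body = content.replace("\r", " ").replace("\n", " ")
    datagram = (header + body).encode("utf-8")
    truncated = len(datagram) > max_bytes
    if truncated:
        # Cut on a byte boundary, then drop any partial UTF-8 sequence at the end.
        datagram = datagram[:max_bytes].decode("utf-8", "ignore").encode("utf-8")
    return datagram, truncated


def sample_datagram(content="Engine restarted", severity=3):
    """Constructed sample: node sns-node1 logging at a fixed time."""
    return format_syslog(severity, "sns-node1", "sns", content,
                         datetime(2004, 3, 5, 14, 7, 9))


if __name__ == "__main__":
    msg, cut = sample_datagram()
    print(msg.decode(), cut)
```

Setting Syslog Maximum Message Size above 1024 only moves the truncation from the sending node to the receiving server, where it is no longer under your control; keeping the cap at the sender, as the script does, means the operator decides what is dropped.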
Setting Flag for SCP Usage
Setting Destination Host for SCP
Setting User Account for SCP
Setting Destination Directory for SCP
Setting Location of SCP Binary
Note: We recommend that you always use the same name for the software or appliance node when exporting archived logs, establishing an authorized public key, or exporting scheduled reports. For example, do not refer to the software or appliance node by its FQDN in one place, and its IP address in another.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
4 In the lower right pane, enter the path to the SCP binary on the Network Security software node if it differs from the default.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Note: For how to verify remote log archiving manually, see About the Knowledge Base on page 22.
Chapter 11 Advanced configuration
This chapter includes the following topics:
About advanced setup
Updating Symantec Network Security
Managing node clusters
Integrating third-party events
Establishing high availability failover
Backing up and restoring
Configuring advanced parameters
LiveUpdate functionality. Not to be confused with upgrading, LiveUpdate enables SuperUsers and Administrators to check for new updates, apply updates to peer nodes or node clusters, and schedule them to install automatically. This section includes the following topics:
About LiveUpdate
Scanning for available updates
Applying updates
Setting the LiveUpdate server
Adding or editing automatic updates
Backing up LiveUpdate configurations
About LiveUpdate
Symantec Network Security provides the new LiveUpdate functionality to keep your system updated to the latest software levels in a seamless and timely manner. The Network Security console displays all available updates at any given time, and provides the LiveUpdate interface for you to selectively apply them or schedule them to be automatically applied. Symantec Network Security provides three kinds of LiveUpdates:
Security Updates: Add detection capabilities to the product, such as event data, refinement rules, and encrypted signatures. Security Updates are cumulative. Each update includes the data from the updates before it. Some Security Updates are dependent upon Engine Updates as well.
Engine Updates: Add cumulative features and enhancements such as sensor functionality and data. Engine Updates are cumulative. Each update includes the data from the updates before it. Some Security Updates are dependent upon Engine Updates as well.
Software or appliance Product Updates: Add restoration and repair functionality (database, configuration, and database updates), patches, or minor releases. Software and appliance Product Updates are incremental. You can choose any Product Update or patch level, even if it is not the latest, and each level will automatically install all previous levels. For example, you can select Patch 3, even if Patch 4 is available. However, it is not possible to select Patches 2 and 4, and skip Patch 3. When you install Patch 3, Patches 1 and 2 are automatically included.
2 In the left pane, select the nodes to receive updates.
3 On the LiveUpdate tab, click Scan For Updates.
Note: SuperUsers and Administrators can view LiveUpdate using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Applying updates
The Network Security console provides a way to apply automatic updates to the system easily.
To apply updates
1 On the main menu bar, click Admin > LiveUpdate.
2 In the left pane, select the nodes to receive updates.
3 On the LiveUpdate tab, click Scan For Updates.
4 In Available Updates, do one of the following:
Click Select All to select the entire list.
Click Clear All to deselect the entire list.
Click each update to select it individually.
Note: SuperUsers and Administrators can apply updates using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
In Host, enter the hostname or IP address of the LiveUpdate server.
In Type, select HTTP or FTP from the pull-down list.
In Username, enter a username if you selected the FTP type.
In Password, enter a password if you selected the FTP type.
Click OK.
Note: SuperUsers and Administrators can establish a LiveUpdate server using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: When you add new nodes to an established cluster that uses an alternative LiveUpdate server, set the LiveUpdate server for each new node. New nodes do not automatically use the LiveUpdate server of the cluster until you set an alternative LiveUpdate server for them.
Adding or editing automatic updates
Deleting automatic update schedules
Reverting automatic update schedules
Click Add to create a new schedule.
Click an existing schedule, and click Edit to change the schedule.
Click an existing schedule, and click Delete to remove the schedule.
In Check for updates every, select Week, Day, or Hour from the pull-down list.
In Day to run, select the day of the week from the pull-down list.
In Hour to run, select a time from the pull-down list, and click a radio button to select AM or PM.
In Auto Install Options, click the checkbox if you want engine updates to be automatically installed, and Security Updates that meet policy rules to be applied.
In Applies To Nodes, click Edit.
In Select Nodes, click each node to receive updates, and click OK.
In LiveUpdate Schedule, click OK.
In the Schedule LiveUpdate tab, do one of the following:
Click Save to preserve your choices.
Click Revert to undo your choices.
Note: SuperUsers and Administrators can schedule automatic updates using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Creating a new cluster
Managing an established cluster
Setting a cluster-wide parameter
Backing up cluster-wide data
Building a cluster
Establishing a master node
Adding slave nodes to clusters
Deleting nodes from clusters
Building a cluster
The installation process automatically creates an object in the topology tree to represent the first software or appliance node. This defaults to master node status, and the installation program automatically assigns it a node number of 1. By default, all software and appliance nodes installed in the network after this master node default to slave node status. The master node synchronizes the databases on all slave nodes in a cluster to its topology, detection, and response rule configuration databases. This section describes the order in which to add nodes to build a node cluster.
Establish one master node to serve as the sync node. Slave nodes will automatically run the database sync process. See Establishing a master node on page 310.
Add the new node into the topology map. See Adding nodes and objects on page 86.
Use the passphrase as established during installation of that node. Use the node number.
Create a master high-availability configuration. See Establishing high availability failover on page 322.
Note: Upgrading node clusters requires special consideration. See the Symantec Network Security Installation Guide for more details.
Caution: Use Set As Cluster Master only if the master node in a cluster fails. After the original master comes back online, we recommend that you wait for at least 5 minutes before making any changes to give the returned node time to be fully initialized back into the cluster. Then, if you want to return the node to master status, force a database synchronization. This triggers the node to regenerate communication passwords with each slave node.
Note: SuperUsers can establish a cluster master node; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
See Adding or editing software nodes on page 89. See Adding or editing 7100 Series nodes on page 95. See Configuring availability for multiple nodes on page 324.
Caution: Verify that Network Time Protocol (NTP) is not running on any slave node within a cluster. If a slave node is running NTP, it cannot synchronize with the master node, which can cause the slave node to malfunction.
Note: SuperUsers can add both Network Security software nodes and 7100 Series appliance nodes to a cluster and assign them master and slave status. See User groups reference on page 353 for more about permissions.
If you want to re-add a node to the topology database after deleting it, you must do one of the following:
For a software node: Reinstall it. See the Symantec Network Security Installation Guide for reinstalling a software node.
For an appliance node: Unconfigure and then rerun the initial configuration. See the Symantec Network Security 7100 Series Implementation Guide for unconfiguring an appliance node.
Note: SuperUsers can delete software and appliance nodes from the cluster. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot delete them. See User groups reference on page 353 for more about permissions.
Licensing nodes in a cluster
Synchronizing clustered nodes
Changing node numbers
Changing passphrases
Restarting sensors in a cluster
Security does not synchronize incidents and events. Each node maintains this information separately.
Automatic synchronization
Synchronization occurs automatically at a random interval so that the nodes in a cluster do not expect updates at the same time. When you edit the master node or the network topology, your changes are automatically synchronized across all nodes in the cluster. Because automatic synchronization occurs randomly, rather than immediately, you may want to initiate an immediate synchronization using Force Database Sync. See Forcing nodes to synchronize on page 85.
Forcing synchronization
All software and appliance nodes synchronize with the master node. The Network Security console provides a way to trigger synchronization by restarting or rebooting slave nodes, or by forcing.
To force databases to synchronize at any time
1 On the main menu bar, click Admin > Force Database Sync.
2 Click OK.
Note: SuperUsers and Administrators can force a database synchronization; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: SuperUsers can change node numbers; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: The node with the lowest node number serves as the active node in a failover group. All nodes with higher node numbers remain on standby status.
Changing passphrases
Synchronization passphrases and EDP passwords cannot be edited directly. If you want to change a passphrase, you must first delete the node or object, create a new one, and assign a new passphrase to it.
To change a node passphrase
1 On the Devices tab, right-click the existing node or object.
2 Click Delete, and OK.
3 Click Topology > Save Changes.
4 Add a new node or object. See Adding nodes and objects on page 86.
5 Assign a new passphrase. See Synchronization passphrases on page 80.
Note: SuperUsers can change node passphrases; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
To configure this parameter
1 On the main menu bar, click Configuration > QSP Port Configuration.
2 In QSP Port Configuration, type the desired QSP port number into the text box.
3 Click OK to save the changes to this node and close.
Note: If you change the QSP port number, restart all nodes in the cluster before logging in with the new number.
response enables the rapid identification of threats in real time to mitigate potential damage to mission critical enterprise assets. Symantec Network Security supports holistic security awareness through real-time third-party event correlation and analysis. Smart Agents enable Symantec Network Security to receive event data from external sensors and correlate that data with all other Network Security events. Symantec Network Security performs some internal Smart Agent configuration for integrating Symantec Decoy Server events. To integrate events from any other external sensor, you must install a separate Smart Agent for the external sensor as well. To integrate event data from third-party sensors, you must first purchase and install the corresponding Smart Agent. Detailed configuration and installation instructions are provided in the installation guide for the Smart Agent, including how to create an external sensor object. The Network Security console must be aware of the external sensor for you to be able to set response rules for events from it. See also About Smart Agents on page 108 for more about Smart Agents. To purchase Smart Agent software, see the following web site: http://www.symantec.com/techsupp/enterprise/select_product_manuals.html, and click Intrusion Detection > Symantec Decoy Server.
The following diagram illustrates Symantec Network Security integrating with third-party intrusion detection systems via Symantec Network Security Smart Agents to provide enterprise-wide correlation and analysis:
[Figure: third-party sensors feeding Symantec Network Security through Smart Agents; labels: Smart Agent, Smart Agent]
You can set response actions via third-party sensors using Smart Agents. All response actions work for Smart Agents with the exception of TCP Reset and Traffic Record. You can set export flows, TrackBack, email and SNMP notification responses on events received via Smart Agents. This section includes the following Smart Agent parameter:
edit the password directly after it is set. To change it, you must delete the object, create a new object, and provide the desired password. See About Smart Agents on page 108 to find out how to create an external sensor object. See Changing passphrases on page 314 to find out how to change EDP passwords. See the Symantec Network Security Installation Guide for further integration details.
EDP Port Number indicates the port through which Symantec Network Security and Smart Agents communicate. Symantec Network Security listens for Event Dispatch Protocol (EDP) events through this port. The default value is set to 1333. If you edit this parameter, use a valid, unused TCP port between 1025 and 65535. Avoid using the QSP port number, or TCP port numbers 1080, 6665-6669, 7000, because software and appliance nodes monitor and analyze traffic on these ports.
To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Smart Agent Parameters, click EDP Port Number.
4 In the lower right pane, enter the port number.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
Caution: Do not use the QSP port for EDP communication.
Decoy Console. Note that the Symantec Decoy Server console remains open, even if you close the Network Security console. This section includes the following:
Integrating with Symantec Decoy Server
Launching from a new location
Launching from a known location
Note: SuperUsers can integrate Symantec Decoy Server events; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can add Smart Agents to launch Symantec Decoy Server; all users can launch it after configuration. See User groups reference on page 353 for more about permissions.
Monitoring node availability
Configuring availability for single nodes
Configuring availability for multiple nodes
Configuring watchdog processes
List only one host per line. Delimit the variables with spaces or tabs. For example, the following line configures the Availability Monitor to ping the host every 8 seconds, and to generate an availability-drop event if the host fails to respond 8 times in a row, slightly longer than a minute:
10.0.5.8 PING 8 8
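The host-line format above is easy to get wrong by hand, and a malformed line silently leaves a host unmonitored. The following Python script, added here as an example and not code from the Symantec documentation or product, parses a file of such lines, rejects malformed entries, and computes the worst-case delay before an availability-drop event (interval times consecutive failures, 64 seconds for the page's example). The layout (host, PING, interval in seconds, failures in a row, one host per line, space- or tab-delimited) is from the page; treating '#' as a comment marker, accepting only the PING method, rejecting a host listed twice, and the function names are assumptions made for this example.

```python
"""Parse Availability Monitor host lines of the form '<host> PING <interval> <failures>'.

Added example; not code from the Symantec documentation or product. The line
layout is from the page; '#' comments, PING-only and the names are assumed.
"""
import ipaddress

# Constructed sample file; the first host line is the page's own example.
SAMPLE_CONFIG = """\
# host  method  interval_seconds  failures_before_drop
10.0.5.8 PING 8 8
10.0.5.9\tPING\t30\t3
"""


def parse_monitor_line(line, lineno=0):
    """Return a dict for one host line, or None for blank and comment lines."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    fields = text.split()          # any run of spaces or tabs delimits fields
    if len(fields) != 4:
        raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}: {line!r}")
    host, method, interval, failures = fields
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"line {lineno}: host is not an IP address: {host!r}") from None
    if method.upper() != "PING":
        raise ValueError(f"line {lineno}: unsupported method {method!r}")
    if not (interval.isdigit() and failures.isdigit()) or int(interval) < 1 or int(failures) < 1:
        raise ValueError(f"line {lineno}: interval and failures must be positive integers")
    interval, failures = int(interval), int(failures)
    return {
        "host": host,
        "method": "PING",
        "interval_seconds": interval,
        "failures": failures,
        # Worst-case time from the first missed reply to the availability-drop event.
        "drop_after_seconds": interval * failures,
    }


def parse_monitor_config(text):
    """Parse a whole file; a host listed twice is rejected (one host per line)."""
    entries, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_monitor_line(line, lineno)
        if entry is None:
            continue
        if entry["host"] in seen:
            raise ValueError(f"line {lineno}: host {entry['host']} listed twice")
        seen.add(entry["host"])
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for entry in parse_monitor_config(SAMPLE_CONFIG):
        print(entry)
```

The drop_after_seconds value is the figure to compare against the failover expectations later in this chapter: a standby node cannot take over any sooner than the monitor can declare the active node down.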
Note: SuperUsers can monitor availability; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Note: SuperUsers can set this parameter; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Master node
All nodes monitor the network, but only active nodes record data. If the active node fails, the standby node immediately starts recording security events. The standby node does not become master; the cluster operates without a master node until a node is set to cluster master. In a failover group of three, the third standby node continues to monitor without recording, in case the second active node fails. This fault-tolerant feature occurs automatically and transparently, and ensures that Symantec Network Security remains continuously available. Do not confuse high-availability failover with load balancing, in which systems provide balance through database synchronization. This section includes the following:
Configuring a failover group
Removing nodes from a failover group
Viewing incidents during failover
You can set up a failover group using both software and appliance nodes interchangeably. You can set up a failover group for either a master or a slave node. Failover functions independently of master or slave status. The following requirements apply:
The active and standby nodes must both have the same physical and logical configurations.
The active and standby nodes must monitor the same subnet.
The nodes must be installed in the same location.
Each node must have a dedicated physical connection for detection.
On the Devices tab, add or edit the active and standby objects to the topology tree, with the following considerations:
In Add or Edit 7100 Series Node, or Add or Edit Software Node, under Failover Group Information, click Failover Group Member. Enter a Failover Group Number between 1 and 100.
Each node within the failover group must have the same Failover Group Number. Valid numbers range from 1 to 100; do not use a number over 100.
Set the following configuration parameters for each active and standby node:
Setting Enable Watchdog Process
Setting Watchdog Process Stop Window
Setting Watchdog Process Maximum Resets
Setting Watchdog Process Restart Only
Setting Watchdog Process Email
Configuring link state
4 5
Enable Link On Active for link state for each active and standby node:
Note: SuperUsers can create watchdog groups; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: SuperUsers can remove nodes from a failover group; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Symantec Network Security maintains multiple nodes, each with its own unique ID number. One node in each failover group is recognized as active, the others as standby. Each node uses its own detection interface connections. Each node stores duplicate data that the Network Security console handles according to the precedence order. For exclusive actions, all nodes within the group communicate to determine the active node. Both the primary node and the standby node detect and report on incidents and events. The standby node processes the same data, performs the same analysis, and evaluates the same response rules as the active software or appliance node, but does not execute duplicate responses. If the active node fails for any reason, a standby node takes over recording data. If the original node comes back online, it resumes activity. There is no automatic recovery or failback. When the original node resumes activity, you must restart all nodes to reconnect. If a node fails, the Network Security console automatically connects to the standby node in the same failover group. You can configure the Network Security console to display standby node information. The console automatically connects to and pulls incidents and events from the standby node. New events automatically show up without reconfiguration; whether events from incidents that began before the failover also appear depends on whether the master nodes were detecting traffic themselves or acting as console servers only. There is no failback where the Network Security console is concerned: if the original master comes back online, the Network Security console does not automatically switch back.
Response actions such as TrackBack that augment the incident may not be visible during a failover, because response events are stored in the local event database of the node that generated them.
To view incidents from both active and standby nodes
1 On the Incidents tab, click Filters.
2 In Incident Filter Options, click Include Backup Nodes. If the network contains multiple nodes specified in a watchdog group, the incidents from all standby nodes are added to the incident table. See Selecting incident filters on page 229.
3 Click Apply.
Note: SuperUsers can preserve failover incidents; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: SuperUsers can configure watchdog processes; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Setting Enable Watchdog Process
Setting Watchdog Process Stop Window
Setting Watchdog Process Maximum Resets
Setting Watchdog Process Restart Only
Setting Watchdog Process Email
Caution: Make sure that the system has enough RAM for this parameter.
To configure node parameters
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click the parameter that you want to configure.
4 In the lower right corner of the Configuration Parameters pane, enter a fail rate. If the number of failures breaches this threshold, the node reverts to standby.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.
Caution: Make sure that the system has enough RAM for this parameter. Before setting this parameter, please review the failover procedure thoroughly.
In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to. Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
Caution: Make sure that the system has enough RAM for this parameter. Before setting this parameter, please review the failover procedure thoroughly.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.
Caution: Make sure that the system has enough RAM for this parameter. Before setting this parameter, please review the failover procedure thoroughly.
Network Security is running. The backup procedure produces a tar file containing copies of all backed-up files and moves the tar file into a backup directory. For 7100 Series appliances, you have an additional alternative: you can mount a compact flash card on the appliance node and back up the files to the compact flash. As a best-practices policy, we recommend that you make periodic backups of the Symantec Network Security configuration on the master node. This section includes the following topics:
Backing up and restoring on the Network Security console
Backing up and restoring on compact flash
Backing up Symantec Network Security configurations
Reapplying policy assignments after failure
Copying Symantec Network Security configurations
Deleting Symantec Network Security configurations
Refreshing the list of backup configurations
Restoring Symantec Network Security configurations
Restoring an existing configuration to a node
Note: Back up master nodes to preserve policy definitions. Demoting a master node can leave slave nodes with policies applied to their sensors that are not defined. Back up a master node before demoting it, restore just the policies, and reapply them.
Note: SuperUsers and Administrators can back up a configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
In Filename, enter the name of the backup file.
In Host Name, enter the name of the host to copy to.
In Directory, enter the directory.
In User Name, enter the user name.
Note: SuperUsers and Administrators can copy a configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can delete an existing configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: All users can refresh the list of backup configurations. See User groups reference on page 353 for more about permissions.
the cluster reverts to the original values. SuperUsers can do this selectively, and restore the configuration on a single node, a subset of selected slave nodes, or the entire cluster by first restoring the master node and then synchronizing. Best practices rules include:
Back up the master node on a regular basis. Protection policy definitions are stored only on the master node.
When reinstalling a node or unconfiguring an appliance, reapply all policies.
When restoring a slave node, force a database sync before reapplying policies on that node. This ensures that the slave node has the most recent policy definitions.
To restore a node to a previous configuration after a failure:
Reinstall the software or reconfigure the appliance
Reapply all previous update packages
Restore the configuration to the node
If the restored node is a slave node, also restore the configuration to the master node
Restore the old configuration to each individual slave node
Restore the configuration to the master node
You must perform the restoration procedure while Symantec Network Security is running. For the restoration procedure to succeed, you must make sure the following are true:
The hardware and operating system are the same
The Symantec Network Security version is the same
The root directory is the same
The Symantec Network Security patch level is the same
The Symantec Network Security Security Update and Engine Update levels are the same as or greater than those of the backup
The restoration machine has the same number and type of interfaces
The restoration machine has the same IP address as the original
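A pre-restore check that applies the prerequisites above to a description recorded with the backup and one taken from the node to be restored. This is an added example, not Symantec's code; the record keys and the sample values are constructed.

```python
"""Check that a node meets the restore prerequisites before a restore.

Added example, not part of Symantec Network Security. It takes the
prerequisite list from the guide and applies it to two constructed
descriptions: one recorded with the backup, one from the node that
will be restored. The record layout (the dict keys) is this example's
own invention; the rules are the guide's.
"""

# Constructed description recorded alongside a hypothetical backup.
BACKUP_RECORD = {
    "hardware": "7100 Series",
    "os": "Linux",
    "root_dir": "/usr/sns",          # hypothetical path
    "version": "4.0",
    "patch_level": 2,
    "security_update": 12,
    "engine_update": 5,
    "interfaces": ["eth0", "eth1", "eth2"],
    "ip_address": "10.0.5.8",
}

# Constructed description of the node about to be restored. It was
# updated past the backup (allowed) but has one fewer interface and a
# different IP address (both block the restore).
TARGET_RECORD = {
    "hardware": "7100 Series",
    "os": "Linux",
    "root_dir": "/usr/sns",
    "version": "4.0",
    "patch_level": 2,
    "security_update": 14,
    "engine_update": 5,
    "interfaces": ["eth0", "eth1"],
    "ip_address": "10.0.5.9",
}

# Fields that must match exactly between backup and restoration machine.
MUST_MATCH = ("hardware", "os", "version", "root_dir", "patch_level", "ip_address")
# Update levels on the target may be the same as or newer than the backup.
SAME_OR_NEWER = ("security_update", "engine_update")


def restore_problems(backup, target):
    """Return a list of human-readable reasons the restore must not proceed.

    An empty list means every prerequisite from the guide is satisfied.
    """
    problems = []
    for key in MUST_MATCH:
        if backup[key] != target[key]:
            problems.append("%s differs: backup=%r target=%r"
                            % (key, backup[key], target[key]))
    for key in SAME_OR_NEWER:
        if target[key] < backup[key]:
            problems.append("%s on target (%r) is older than the backup (%r)"
                            % (key, target[key], backup[key]))
    # "Same number and type of interfaces": the interface name list is
    # used here as a stand-in for number and type.
    if sorted(backup["interfaces"]) != sorted(target["interfaces"]):
        problems.append("interfaces differ: backup=%r target=%r"
                        % (backup["interfaces"], target["interfaces"]))
    return problems


def restore_allowed(backup, target):
    """True only when no prerequisite is violated."""
    return not restore_problems(backup, target)


if __name__ == "__main__":
    for p in restore_problems(BACKUP_RECORD, TARGET_RECORD):
        print("BLOCKED:", p)
    print("restore allowed:", restore_allowed(BACKUP_RECORD, TARGET_RECORD))
```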
Note: SuperUsers and Administrators can restore a configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can restore an existing configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
For a software node: Reinstall it. See the Symantec Network Security Installation Guide for reinstalling a software node.
For an appliance node: Unconfigure the initial configuration. See the Symantec Network Security 7100 Series Implementation Guide for unconfiguring an appliance node.
Note: SuperUsers can delete software and appliance nodes from the cluster. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot delete them. See User groups reference on page 353 for more about permissions.
Note: SuperUsers and Administrators can back up a configuration using a compact flash card (CF); StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
3 In Backups, click a backup filename.
4 In Action, click Restore Selected Backup > Yes. This will restart the node, and overwrite all configuration changes that were made since the backup.
Note: SuperUsers and Administrators can restore a configuration using a compact flash card (CF); StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Insert the compact flash card into the CF adaptor. Reboot the appliance.
On Devices, right-click the 7100 Series node object whose configuration you wish to save, then click Configuration > 7100 Series Configuration > Save Configuration File.
On Devices, click Configuration > Node > 7100 Series Configuration > Save Configuration File and choose a node from the pull-down list in Select Node. Click OK.
3 In Appliance Network Configuration, type the node netmask for Netmask.
4 In Default Router, type a value for Default Router. This should be the IP address of the default router for this node.
Note: Values for the netmask and default router will be automatically updated after the slave appliance is connected to the network and initially configured. These values will appear on the Advanced Network Options tab when you edit the node.
5 In DNS Server 1 and DNS Server 2, optionally type the IP addresses for the DNS servers.
6 Click OK.
7 In Save Config File, enter the filename and click Save. Network Security adds a timestamp to the filename to ensure uniqueness.
Note: The enc suffix is applied to any file name you enter. It means the file is encrypted. This is an automatic process and does not require you to enter a key or password.
On the Devices tab, right-click the 7100 Series node object whose configuration you wish to save, then click Configuration > 7100 Series Configuration > Save Configuration File.
On the main menu bar, click Configuration > Node > 7100 Series Configuration > Save Configuration File and choose a node from the pull-down list in Select Node. Click OK.
2 In Appliance Network Configuration, type the node netmask for Netmask.
3 In Default Router, type a value for Default Router. This should be the IP address of the default router for this node.
Note: Values for the netmask and default router will be automatically updated after the slave appliance is connected to the network and initially configured. These values will appear on the Advanced Network Options tab when you edit the node.
4 In DNS Server 1 and DNS Server 2, optionally type the IP addresses for the DNS servers.
5 Click OK.
In File Name, click after the given path, enter a file name for the backup beginning with an appropriate slash character, and click Save. For example, on Windows:
\NodeA_backup1
Click Save. This saves the node configuration into the default file:
<path>\appcfg.enc
Browse to a different folder, enter a file name in the File Name text box, then click Save.
Note: The enc suffix is applied to any file name you enter. It means the file is encrypted. This is an automatic process and does not require you to enter a key or password.
On the Devices tab, right-click the 7100 Series node object whose configuration you wish to view, then click Configuration > 7100 Series Configuration > View Configuration File.
On the main menu bar, click Configuration > Node > 7100 Series Configuration > View Configuration File and choose a node from the pull-down list in Select Node. Click OK.
2 In View Configuration File, click the file you wish to view and click Open.
3 In Configuration File, view the information and click OK.
To revert to the original installation
1 On the Network Security console, do one of the following:
On the Devices tab, right-click the 7100 Series node object that you wish to revert, then click Configuration > 7100 Series Configuration > Revert to Original Install.
On the main menu bar, click Configuration > Node > 7100 Series Configuration > Revert to Original Install and choose a node from the pull-down list in Select Node. Click OK.
2 In Revert to Original Install, read the message and do one of the following:
Click Yes to revert the node.
Click No to abort this process.
On the Devices tab, right-click the 7100 Series node object on which you wish to generate SSH keys, then click Configuration > 7100 Series Configuration > Generate SSH Keys.
On the main menu bar, click Configuration > Node > 7100 Series Configuration > Generate SSH Keys and choose a node from the pull-down list in Select Node. Click OK.
Click Yes to generate new SSH keys. This replaces any existing keys.
Click No to exit the process.
3 In Generating SSH Keys, wait while Symantec Network Security generates the SSH keys.
4 In Public Key, read the public key filename at the top, and the instructions for installing it on the target host. In the instructions, <user_home_dir> is the home directory of the user on the target host who can use the public key to decrypt the transferred log files. This user should not be root.
Follow the instructions to add the public key to the target host, and click Close.
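On the target host, installing the generated public key for the non-root SCP user is the step the instructions leave to you. The following is an added example of that step, not the product's own instructions; the user name, home directory and key text are constructed.

```python
"""Install an appliance's SSH public key for the SCP log-transfer user.

Added example, not part of Symantec Network Security. It performs, on
the target host, the step the guide leaves to the reader: append the
public key shown in the Public Key dialog to
<user_home_dir>/.ssh/authorized_keys for a non-root user. The user
name, home directory and key text below are constructed.
"""
import os
import stat
import tempfile

# Constructed public key line (not a real key) as it might appear in the dialog.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedEXAMPLE= sns-appliance"


def install_public_key(user_home_dir, public_key, user_name):
    """Append public_key to the user's authorized_keys; return True if added.

    Refuses root (the guide says the SCP user should not be root),
    gives ~/.ssh mode 0700 and authorized_keys mode 0600 so sshd's
    StrictModes check accepts them, and skips a key already present.
    """
    if user_name == "root":
        raise ValueError("the SCP log-transfer user must not be root")
    key = public_key.strip()
    if len(key.split()) < 2 or not key.startswith("ssh-"):
        raise ValueError("not an OpenSSH public key line: %r" % public_key)

    ssh_dir = os.path.join(user_home_dir, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, stat.S_IRWXU)                      # 0700

    auth_file = os.path.join(ssh_dir, "authorized_keys")
    if key in authorized_keys(user_home_dir):
        return False                                     # already installed
    with open(auth_file, "a") as fh:
        fh.write(key + "\n")
    os.chmod(auth_file, stat.S_IRUSR | stat.S_IWUSR)     # 0600
    return True


def authorized_keys(user_home_dir):
    """Return the key lines currently installed for the user."""
    path = os.path.join(user_home_dir, ".ssh", "authorized_keys")
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def mode_of(path):
    """Permission bits of path as an int such as 0o700."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run the install twice in a throwaway home directory; return what happened."""
    home = tempfile.mkdtemp(prefix="snslogs-")         # stands in for <user_home_dir>
    first = install_public_key(home, SAMPLE_PUBKEY, "snslogs")
    second = install_public_key(home, SAMPLE_PUBKEY, "snslogs")
    return {
        "first_install": first,
        "second_install": second,
        "keys": authorized_keys(home),
        "ssh_dir_mode": mode_of(os.path.join(home, ".ssh")),
        "auth_file_mode": mode_of(os.path.join(home, ".ssh", "authorized_keys")),
    }


if __name__ == "__main__":
    print(demo())
```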
On the Devices tab, right-click the 7100 Series node object, then click Configuration > Network Security Parameters.
On the main menu bar, click Configuration > Node > Network Security Parameters and choose a node from the pull-down list in Select Node. Click OK.
2 In Symantec Network Security Configuration Parameters, under Log and Database Parameters, set values for each of the listed parameters.
3 In Size to Trigger Rotation, enter the rotation size.
4 In Flag for SCP Usage, click True.
5 In Destination Host for SCP, type the target host name or IP address.
6 In User Account for SCP, type the user name to transfer files to on the target host.
7 In Destination Directory for SCP, type the directory to transfer files to on the target host.
8 In Limit Size for Archive Directory, type the maximum disk space allowed for archived files.
9 In Limit Size for Traffic Record Directory, type the maximum disk space allowed for traffic record data.
10 Click Apply.
functionality that is unique to an appliance. Each section describes this additional functionality in detail. A variety of configurable parameters enable you to customize your Symantec Network Security intrusion detection system. Most parameters apply to both Symantec Network Security and Symantec Network Security 7100 Series systems, and to clusters, single nodes, and/or to sensors. This section describes the following topics:
About parameters for clusters, nodes, and sensors
About basic setup and advanced tuning
Configuring node parameters
Configuring basic parameters
Configuring advanced parameters
Cluster parameter: Applies to all Network Security software nodes or 7100 Series nodes across an entire cluster. Setting QSP Port Number is set cluster-wide because it controls communication between all nodes in a cluster. It is applied first to the master node in a cluster, and then propagated throughout the cluster.
Node parameters: Apply to an individual Network Security software node or 7100 Series node, or a subset of nodes within a cluster. Some settings depend on the processing capacity of the node and the amount of traffic you expect it to monitor.
Software nodes: The Network Security software nodes include parameters that allow for variations from the default during installation, such as Setting Event Writer File, Setting Compression Command, and Setting Location of SCP Binary. These configurations are pre-determined for appliances.
Appliance nodes: The Setting Lock LCD Screen parameter applies exclusively to 7100 Series nodes.
Sensor parameters: Apply to sensor processes only, and can be applied to a single sensor or a group of sensors.
Basic: Include the basic tools to customize Symantec Network Security to your environment.
Advanced: In most circumstances, advanced parameters are set with optimum defaults. For advanced users with very specialized circumstances, advanced parameters provide a way to tune the sensitivity.
Note: SuperUsers and Administrators can view and edit the parameter configurations. StandardUsers and RestrictedUsers can view them. See User groups reference on page 353 for more about permissions.
Note: We recommend that you periodically back up the configuration database. See Backing up Symantec Network Security configurations on page 333.
Note: SuperUsers can configure advanced cluster, node, and sensor parameters; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
Configuring FlowChaser
Tuning incident parameters
Controlling user access
Setting a cluster-wide parameter
Integrating via Smart Agents
Setting email notification parameters
Configuring watchdog processes
Configuring automatic archiving
Transferring via SCP
Exporting to file
Setting automatic logging levels
Exporting to SESA
Exporting to SQL
Exporting to syslog
Setting Event Message Hashes
Setting Event Destination Hashes
Setting Event Queue Length
Setting Event Rate Throttle
Before making such changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise. Make sure that the system has enough RAM to support this advanced parameter.
Restart Symantec Network Security for changes to this parameter to take effect.
Before making such changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise. Make sure that the system has enough RAM to support this advanced parameter. Restart Symantec Network Security for changes to this parameter to take effect.
Before making such changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise. Make sure that the system has enough RAM to support this advanced parameter. Restart Symantec Network Security for changes to this parameter to take effect.
Before changing the value, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise. Make sure that the system has enough RAM to support this parameter. Restart Symantec Network Security for changes to this parameter to take effect.
Part IV
Appendices
The following appendices provide additional reference information:
Appendix
SuperUsers: A user authenticated with full administrative capabilities. This user is allowed to perform all administrative tasks that the Network Security console can execute.
Administrators: A user authenticated with partial administrative capabilities. This user is allowed to perform most administrative tasks, with the exception of some advanced actions.
StandardUsers: A user authenticated with full read-only capabilities. This user is allowed to view all information in the Network Security console.
RestrictedUsers: A user authenticated with partial read-only capabilities. This user is allowed to view most information in the Network Security console, with the exception of some advanced information and network-sensitive data.
Note: If you are not a member of one of these predefined groups, you will not be allowed access to the Network Security console at all.
Summary of permissions
This table provides a summary of the general categories of tasks that each user group has permission to perform:
Table A-1
Task category
Reboot and restarting nodes. See Rebooting and restarting on page 355.
Configure at node or cluster level. See Configuring at node or cluster level on page 356.
Restart sensors. See Rebooting and restarting on page 355.
Full permissions Full permissions No permissions No permissions Full permissions No permissions No permissions No permissions
Administrators StandardUsers
No permissions No permissions
RestrictedUsers
No permissions
Administrators StandardUsers
Full or partial permissions Full or partial permissions
RestrictedUsers
View only
Configure at interface level. See Configuring at interface level on page 357.
View. See Viewing only on page 359.
Full permissions
Full permissions
See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.
Permissions by task
This section describes in more detail the tasks that each user group has permission to perform. To see the tasks listed by category, as in Summary of user group capabilities, see the following:
Rebooting and restarting
Configuring at node or cluster level
Configuring at interface level
Viewing only
Administrators: Not allowed to log in to slave nodes. Allowed to log in to master node only.
StandardUsers: Not allowed to log in to slave nodes. Allowed to log in to master node only.
RestrictedUsers: Not allowed to log in to slave nodes. Allowed to log in to master node only.
Administrators
StandardUsers
RestrictedUsers
Allowed to restart
Allowed to restart
See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.
Administrators
Not allowed to unconfigure Not allowed Not allowed Not allowed
StandardUsers
Not allowed to unconfigure Not allowed Not allowed Not allowed
RestrictedUsers
Not allowed to unconfigure Not allowed Not allowed Not allowed
Monitoring Groups
Not allowed to configure monitoring groups. Not allowed to configure monitoring groups. Not allowed to configure monitoring groups. Allowed to configure all except custom response actions. Allowed to view only. Allowed to view only. Allowed to view only.
Response Rules
Administrators
Not allowed to set cluster master
StandardUsers
Not allowed to set cluster master
RestrictedUsers
Not allowed to set cluster master Allowed to view only
Allowed to view, add, edit, and delete most objects in the topology tree (such as routers, Smart Agents, and locations), but not software or appliance nodes. Allowed to view only.
See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.
Administrators
StandardUsers
RestrictedUsers
Not allowed
Allowed to add, edit, delete interfaces, interface groups, and in-line pairs. Not allowed. Allowed to generate. Not allowed.
Generate SSH keys on appliances Save Configuration File on appliances Write to Compact Flash on appliances Availability Monitor
Not allowed
Allowed to save
Allowed to save
Not allowed
Not allowed
Allowed to write to compact flash Allowed to edit availability monitor Allowed to force database sync
Allowed to write to compact flash Allowed to edit availability monitor Allowed to force database sync
Not allowed
Not allowed
Not allowed
Not allowed
Not allowed
Not allowed
Administrators
Allowed to add, apply, clone, edit, delete Allowed to add, edit, and delete flow alert rules Allowed to manage Allowed to edit template
StandardUsers
Allowed to view only
RestrictedUsers
Allowed to view only
Not allowed
Manage Backups Analyst Note Template for incidents and events Manage Logs Manage Reports Port Mapping
Allowed to manage Allowed to manage Allowed to add, edit, and delete Allowed to schedule
Allowed to manage Allowed to manage Allowed to add, edit, and delete Allowed to schedule
Not allowed Not allowed Not allowed to add, edit, and delete Not allowed
Not allowed Not allowed Not allowed to add, edit, and delete Not allowed
Allowed to configure all except custom response actions Allowed to add, edit, and delete Allowed to add, edit, and delete Allowed to generate all reports
Allowed to add, edit, and delete Allowed to add, edit, and delete Allowed to generate all reports
Reports, Online
Allowed to generate reports except devices with flow statistics reports Allowed to annotate
Allowed to annotate
Allowed to annotate
Allowed to annotate
Allowed to change own passphrase only. Allowed to change own passphrase only. Allowed to change own passphrase only.
Administrators
Allowed to adjust Allowed to adjust Allowed to mark Allowed to choose
StandardUsers
Allowed to adjust Allowed to adjust Allowed to mark Allowed to choose
RestrictedUsers
Allowed to adjust Allowed to adjust Allowed to mark Allowed to choose
Reports, Online
Allowed to generate reports except devices with flow statistics reports Allowed to adjust
Allowed to adjust
Allowed to adjust
Allowed to adjust
See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.
Viewing only
This table describes which tasks are view-only for each user group.
Table A-5
Permissions
Events, packet data
Administrators
Allowed to view detailed packet data Allowed to add, edit, and delete flow alert rules Allowed to view only Allowed to view only Allowed to view only Allowed to view
StandardUsers
Allowed to view detailed packet data Allowed to view
RestrictedUsers
Not allowed
Not allowed
Traffic Playback View Current Flows View Exported Flows Appliance Configuration File Events, general data Incidents
Allowed to view only Allowed to view only Allowed to view only Allowed to view
Administrators
Allowed to edit Allowed to add, edit, and delete Allowed to configure all except custom response actions Allowed to view
StandardUsers
Allowed to view only Allowed to view only
RestrictedUsers
Allowed to view only Allowed to view only
Response Rules
Topology tree
Allowed to view
Allowed to view
Allowed to view
See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.
Administrator
Allowed to edit template Allowed to annotate
StandardUser
Not allowed
RestrictedUser
Not allowed
Allowed to annotate
Allowed to annotate
Allowed to generate
Allowed to generate
Not allowed
Not allowed
Not allowed
Not allowed
Not allowed
Allowed to save
Not allowed
Not allowed
Allowed to view
Allowed to view
Allowed to view
Allowed to view
Not allowed
Not allowed
Administrator
Allowed to edit availability monitor
StandardUser
Not allowed
RestrictedUser
Not allowed
Availability Monitor
Allowed to change own passphrase only. Allowed to change own passphrase only. Allowed to change own passphrase only.
Events, Columns Events, Filters Events, general data Events, packet data
Allowed to adjust Allowed to adjust Allowed to view Allowed to view detailed packet data Allowed to add, edit, and delete flow alert rules Allowed to force database sync Allowed to view Allowed to adjust Allowed to adjust Not allowed Not allowed Allowed to manage Allowed to manage Allowed to manage Not allowed
Allowed to adjust Allowed to adjust Allowed to view Allowed to view detailed packet data Allowed to view
Not allowed
Not allowed
Not allowed
Incidents Incidents, Columns Incidents, Filters Licensing LiveUpdate Manage Backups Manage Logs Manage Reports Manage Users
Allowed to view Allowed to adjust Allowed to adjust Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed
Allowed to view Allowed to adjust Allowed to adjust Not allowed Not allowed Not allowed Not allowed Not allowed Not allowed
StandardUser
Not allowed
RestrictedUser
Not allowed
Nodes, both software and appliance: Allowed to add, edit, and delete all objects, including software and appliance nodes.
Nodes, logging in to both software and appliance via the Network Security console
Allowed to login to both master and slave nodes, with read-only permission on the slave node except for promoting. Allowed to login to master nodes only.
Node Interfaces, both software and appliance: Allowed to add, edit, delete interfaces, interface groups, and in-line pairs. Parameters. Port Mapping. Allowed to edit. Allowed to add, edit, and delete. Allowed to add, apply, clone, edit, delete. Allowed to reboot.
Allowed to add, edit, delete interfaces, interface groups, and in-line pairs. Not allowed. Allowed to edit. Allowed to add, edit, and delete. Allowed to add, apply, clone, edit, delete. Not allowed. Allowed to view. Allowed to view.
Not allowed
Protection Policies
Allowed to view
Allowed to view
Not allowed
Not allowed
Allowed to generate reports except devices with flow statistics reports Not allowed
Allowed to schedule
Allowed to schedule
Not allowed
Allowed to view
Allowed to view
Allowed to view
Allowed to view
363
Administrator
Not allowed
StandardUser
Not allowed
RestrictedUser
Not allowed
Allowed to restart
Allowed to restart
Set as Cluster Master Allowed to set cluster Not allowed master Signatures, User-defined Signature Variables Allowed to add, edit, and delete Allowed to add, edit, and delete Allowed to adjust Allowed to view, add, edit, and delete all objects in the topology tree Allowed to add, edit, and delete Allowed to add, edit, and delete Allowed to adjust Allowed to view, add, edit, and delete most objects in the topology tree (such as routers, Smart Agents, and locations), but not software or appliance nodes Allowed to view
Allowed to view
Allowed to view
Allowed to view
Allowed to view
Topology tree, view Traffic Playback View Current Flows View Exported Flows
Allowed to view
Allowed to view
Allowed to view
Appendix
SQL reference
This appendix includes the following topics:
About SQL export parameters
Using Oracle tables
Using MySQL tables
The Symantec Network Security software does not include the JDBC drivers required to export to Oracle and MySQL, so you must obtain and install them separately. Add a supported driver manually, using the appropriate location and naming convention, as follows:
3 Restart Symantec Network Security.
4 Configure the SQL Export parameters. See "Exporting to SQL" on page 288.
Using Oracle tables
Incident table columns
[column name not shown]: Indicates the class of the best event.
[column name not shown]: Indicates the user-defined Network Security cluster ID where the incident originated.
crtTime (integer): Indicates the time when this incident was created.
custID (varchar(41)): Indicates the Customer ID of the best event.
[column name not shown]: Indicates the ID of the device (deviceID from the topology table) where the best event was detected. Notes: Used internally.
devName (varchar(33)): Indicates the device name of the best event.
eventNum (integer): Indicates the eventNum of the best event. This is the event that best represents this incident (usually the one with the highest severity).
family: Indicates the family of the best event.
flowcookie: Indicates the flowcookie of the best event.
[column name not shown]: Indicates whether there are annotations for this incident.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifaceid (varchar(33)): Indicates the ID of the interface (interfaceID from the topology table) where the best event was detected. Notes: Used internally.
ifName (varchar(65)): Indicates the actual name of the interface associated with the best event, corresponding to ifaceid.
incidentID (varchar(33)): Indicates the unique string identifying this incident.
incidRefs (varchar(2049)): Indicates references to other incidents that have been cross-node correlated, using the format incidentID@nodenum, incidentID@nodenum, ... Notes: For example: 3d20b47d091e45e8@2, 3d20b45191f6ec72@3
lastEvtTime (integer): Indicates the last time when an event was added to this incident.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this incident was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum: Indicates the Network Security node number where the incident originated.
numEvts (integer): Indicates the number of logged events in this incident.
poolid (varchar(33)): Indicates the ID of the interface group where this event was detected. Notes: Used internally.
poolName (varchar(33)): Indicates the name of the interface group where this event was detected.
reliability: Indicates the reliability of the best event. Notes: Valid values are 1-10.
[column name not shown]: Indicates the severity of the best event. Notes: Valid values are 1-10.
[column name not shown]: Indicates the state of this incident. Notes: 1 = active (currently being monitored by the AF); 0 = closed (archived to the db).
time (integer): Indicates the time when the incident record was last updated. Notes: Standard UNIX time format (seconds since 1970 GMT).
type (varchar(129)): Indicates the type of the best event.
viewed (integer): Indicates the marked status of this incident. Notes: 0 = Not yet marked by a Network Security console user. 1 = Marked by a Network Security console user, and unchanged since. 2 = Marked by a Network Security console user, but has changed since.
Event table columns
[column name not shown]: Indicates the attempted action.
[column name not shown]: Indicates the process name of the attacker, or blank if not applicable.
atkuser (varchar(255)): Indicates the username of the attacker, or blank if not applicable.
class (varchar(33)): Indicates the event class.
clusterID (integer): Indicates the user-defined Network Security cluster ID where the incident originated.
contextBuffer (varchar(512)): Indicates additional information sent by the sensor. Not every event will have context information. Notes: Example: For HTTP events, this may be a URL. For FTP events, this may be a username. Base-64 encoded.
contextDesc (varchar(512))
crtTime (integer): Indicates the time when this event was realized in the Analysis Framework. Notes: Standard UNIX time format (seconds since 1970 GMT).
custID (varchar(41)): Indicates the Customer ID that this event is associated with.
[column name not shown]: Indicates a list of destination IPs for this event.
[column name not shown]: Indicates the destination ethernet address.
[column name not shown]: Indicates the name of the network device where the event was detected.
endTime (integer): Indicates the end time for this event, according to the sensor. Notes: Standard UNIX time format.
eventCode (varchar(65)): Indicates the Symantec standard code representing the event.
eventNum (integer): Indicates the event number for this incident. The first event in an incident will have an eventNum of 1. The eventNum will be incremented by 1 for each subsequent event.
flowcookie: Indicates the flowcookie.
fmly: Indicates the event family. Notes: For class=sniffer events, this is integrity or availability. For class=generic events, this is fnotice or notice.
guiTxt (varchar(65)): Deprecated.
hdrInfo (varchar(2727)): Indicates the TCP/IP header information OR full packet. Notes: Base-64 encoded.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifID (varchar(33)): Indicates the ID of the interface (interfaceID from the topology table) where this event was detected. Notes: Used internally.
ifName (varchar(33)): Indicates the name of the interface where this event was detected. For example: hme0
incidentID (varchar(33)): Indicates a unique string identifier that identifies the incident to which this event belongs.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this event was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum (integer): Indicates the Network Security node number where the incident originated.
outcome (integer): Indicates that the event was blocked if integer is 1.
pldEnd (integer): Identifies the ending index of the region in payload where the anomaly was detected.
pldStt (integer): Identifies the starting index of the region in payload where the anomaly was detected.
poolID: Indicates the ID of the pool ("poolID" from ifpooldb) where this event was detected. Notes: Used internally.
poolName (varchar(41)): Indicates the name of the interface group where this event was detected.
prot (varchar(33)): Indicates that the protocol was either IP, TCP, UDP, or ICMP.
pyld (varchar(513)): Indicates the portion of the packet that triggered this event. Notes: Base-64 encoded.
[column name not shown]: Indicates the reliability of this event.
[column name not shown]: Indicates the severity of this event.
[column name not shown]: Indicates a list of source IPs for this event.
[column name not shown]: Indicates the source ethernet address.
[column name not shown]: Indicates the start time for this event, according to the sensor.
trgtname (varchar(3000)): Indicates the name of the attacker's target, or blank if not applicable.
trgtntype (integer): Indicates the type of the attacker's target.
type (varchar(129)): Identifies the type of this event. This is the violation/anomaly that caused the event to be triggered.
vlanId (integer): Indicates the VLAN ID.
vndr (varchar(33)): Indicates the vendor of the sensor that detected the event.
Using MySQL tables
Incident table columns
[column name not shown]: Indicates the class of the best event.
[column name not shown]: Indicates the Network Security cluster ID where the incident originated.
crtTime: Indicates the time that this incident was created. Notes: Standard UNIX time format.
custID: Indicates the Customer ID of the best event.
[column name not shown]: Indicates the ID of the device (deviceID from the topology table) where the best event was detected. Notes: Used internally.
devName (varchar(41)): Indicates the device name of the best event.
eventNum (integer): Indicates the eventNum of the best event. This is the event that best represents this incident (usually the one with the highest severity).
family (varchar(33)): Indicates the family of the best event.
flowcookie (text): Indicates the flowcookie of the best event.
[column name not shown]: Indicates whether there are annotations for this incident. Notes: 0 = no annotations; 1 = has annotations.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifaceid (varchar(33)): Indicates the ID of the interface (interfaceID from the topology table) where the best event was detected. Notes: Used internally.
ifName (varchar(65)): Indicates the actual name of the interface associated with the event, corresponding to ifaceid.
incidentID (varchar(33)): Indicates the unique string identifying this incident.
incidRefs (text): Indicates references to other incidents that were cross-node correlated, using the format incidentID@nodenum, incidentID@nodenum, ... Notes: For example: 3d20b47d091e45e8@2, 3d20b45191f6ec72@3
lastEvtTime (integer): Indicates the last time when an event was added to this incident.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this incident was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum (integer): Indicates the Network Security node number where the incident originated.
numEvts (integer): Indicates the number of logged events in this incident.
poolid (varchar(33)): Indicates the ID of the interface group where this event was detected. Notes: Used internally.
poolName (varchar(41)): Indicates the name of the interface group where this event was detected.
reliability (integer): Indicates the reliability of the best event. Notes: Valid values are 1-10.
[column name not shown]: Indicates the severity of the best event. Notes: Valid values are 1-10.
[column name not shown]: Indicates the state of this incident. Notes: 1 = active (currently being monitored by the AF); 0 = closed (archived to the db).
time (integer): Indicates the time that the incident record was last updated.
type (varchar(129)): Indicates the type of the best event.
viewed (integer): Indicates the marked status of this incident. Notes: 0 = Not yet marked by a Network Security console user. 1 = Marked by a Network Security console user, and unchanged since. 2 = Marked by a Network Security console user, but has changed since.
Event table columns
[column name not shown]: Indicates the attempted action.
[column name not shown]: Indicates the process name of the attacker, or blank if not applicable.
atkuser (varchar(255)): Indicates the username of the attacker, or blank if not applicable.
class (varchar(33)): Indicates the event class.
clusterID: Indicates the user-defined Network Security cluster ID where the incident originated.
contextBuffer (text): Indicates additional information sent by the sensor. Not every event will have context information. Notes: Example: For HTTP events, this may be a URL. For FTP events, this may be a username. Base-64 encoded.
contextDesc (text)
crtTime (integer): Indicates the time when this event was realized in the analysis framework. Notes: Standard UNIX time format (seconds since 1970 GMT).
custID (varchar(41)): Indicates the Customer ID that this event is associated with.
[column name not shown]: Indicates a list of destination IPs for this event.
[column name not shown]: Indicates the destination ethernet address.
[column name not shown]: Indicates the name of the network device where the event was detected.
endTime (integer): Indicates the end time for this event, according to the sensor. Notes: Standard UNIX time format.
eventCode (varchar(65)): Indicates the Symantec standard code representing the event.
eventNum (integer): Indicates the event number for this incident. The first event in an incident will have an eventNum of 1. The eventNum will be incremented by 1 for each subsequent event.
flowcookie (text): Indicates the flowcookie.
fmly (varchar(33)): Indicates the event family. Notes: For class=sniffer events, this is integrity or availability. For class=generic events, this is fnotice or notice.
guiTxt (varchar(65)): Deprecated.
hdrInfo: Indicates the TCP/IP header information OR full packet. Notes: Base-64 encoded.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifID (varchar(33)): Indicates the ID of the interface (interfaceID from the topology table) where this event was detected. Notes: Used internally.
ifName (varchar(65)): Indicates the name of the interface where this event was detected. For example: hme0
incidentID (varchar(33)): Indicates a unique string identifier that identifies the incident to which this event belongs.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this event was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum (integer): Indicates the Network Security node number where the incident originated.
outcome (integer): Indicates that the event was blocked if integer is 1.
pldEnd (integer): Identifies the ending index of the region in payload where the anomaly was detected.
pldStt (integer): Identifies the starting index of the region in payload where the anomaly was detected.
poolID (varchar(33)): Indicates the ID of the interface group where this event was detected. Notes: Used internally.
poolName (varchar(41)): Indicates the name of the interface group where this event was detected.
prot (varchar(33)): Indicates the protocol, either IP, TCP, UDP, or ICMP.
pyld (text): Indicates the portion of the packet that triggered this event. Notes: Base-64 encoded.
[column name not shown]: Indicates the reliability of this event. Notes: Valid values are 1-10.
[column name not shown]: Indicates the severity of this event. Notes: Valid values are 1-10.
[column name not shown]: Indicates a list of source IPs for this event.
[column name not shown]: Indicates the source ethernet address.
[column name not shown]: Indicates the start time for this event, according to the sensor.
trgtname (text): Indicates the name of the attacker's target, or blank if not applicable.
trgtntype (integer): Indicates the type of the attacker's target.
type (varchar(129)): Identifies the type of this event. This is the violation/anomaly that caused the event to be triggered.
vlanId (integer): Indicates the VLAN ID.
vndr (varchar(33)): Indicates the vendor of the sensor that detected the event.
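Working with the exported columns described above, as an added example that is not code from the Symantec guide or product: the helper below parses the incidRefs format (incidentID@nodenum, ...), decodes the Base-64 columns (contextBuffer, pyld), renders the seconds-since-1970 time columns, interprets outcome and viewed, and slices the pyld region bounded by pldStt and pldEnd. It assumes rows have already been fetched from the exported incident and event tables into Python dicts keyed by the documented column names; the sample rows are constructed, not real export data.

```python
import base64
import binascii
from datetime import datetime, timezone

# Meaning of the incident table's "viewed" column, as documented in the appendix.
VIEWED_STATUS = {
    0: "not yet marked by a console user",
    1: "marked by a console user, unchanged since",
    2: "marked by a console user, but changed since",
}


def parse_incid_refs(value):
    """Parse an incidRefs value ('incidentID@nodenum, incidentID@nodenum, ...')
    into a list of (incidentID, nodenum) tuples. NULL or empty yields []."""
    refs = []
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        incident_id, sep, node = part.rpartition("@")
        if not sep or not incident_id or not node.isdigit():
            raise ValueError(f"malformed incidRefs entry: {part!r}")
        refs.append((incident_id, int(node)))
    return refs


def decode_b64_column(value):
    """Decode a Base-64 encoded export column (contextBuffer, hdrInfo, pyld).
    NULL/empty yields b''. Malformed data raises ValueError instead of being
    silently accepted, so a corrupted or truncated row is noticed."""
    if not value:
        return b""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"column is not valid Base-64: {exc}") from exc


def unix_to_iso(seconds):
    """Render a 'seconds since 1970 GMT' column (crtTime, time, endTime) as ISO-8601 UTC."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).isoformat()


def incidents_needing_review(rows):
    """incidentIDs whose viewed status is 0 (never marked) or 2 (changed after it
    was marked): the incidents an analyst has not yet signed off on."""
    return [r["incidentID"] for r in rows if r["viewed"] in (0, 2)]


def summarize_event(event):
    """Flatten one event row into a readable dict, decoding its Base-64 fields."""
    context = decode_b64_column(event.get("contextBuffer"))
    payload = decode_b64_column(event.get("pyld"))
    return {
        "incidentID": event["incidentID"],
        "eventNum": event["eventNum"],
        "type": event["type"],
        "blocked": event["outcome"] == 1,  # outcome = 1 means the event was blocked
        "crtTime": unix_to_iso(event["crtTime"]),
        "context": context.decode("utf-8", errors="replace"),
        # pldStt/pldEnd bound the region of pyld where the anomaly was detected
        "anomaly_bytes": payload[event["pldStt"]:event["pldEnd"]],
    }


# Constructed sample rows (not real export data) shaped like the documented columns.
SAMPLE_INCIDENTS = [
    {"incidentID": "3d20b47d091e45e8", "viewed": 0, "time": 1095379200,
     "incidRefs": "3d20b47d091e45e8@2, 3d20b45191f6ec72@3"},
    {"incidentID": "3d20b45191f6ec72", "viewed": 1, "time": 1095379260,
     "incidRefs": None},
    {"incidentID": "3d20b4a0c0ffee01", "viewed": 2, "time": 1095379320,
     "incidRefs": ""},
]

SAMPLE_EVENT = {
    "incidentID": "3d20b47d091e45e8", "eventNum": 1, "type": "example_type",
    "outcome": 1, "crtTime": 1095379200,
    "contextBuffer": base64.b64encode(b"/cgi-bin/test.cgi?id=1").decode(),
    "pyld": base64.b64encode(b"GET /cgi-bin/test.cgi?id=1 HTTP/1.0\r\n").decode(),
    "pldStt": 4, "pldEnd": 26,
}

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc["incidentID"], VIEWED_STATUS[inc["viewed"]],
              unix_to_iso(inc["time"]), parse_incid_refs(inc["incidRefs"]))
    print("needs review:", incidents_needing_review(SAMPLE_INCIDENTS))
    print(summarize_event(SAMPLE_EVENT))
```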
Glossary
This appendix defines terms used in this guide to categorize attack elements and system elements.
1000Base-SX: 1000 Mbps (1 Gbps) baseband Ethernet over two multimode optical fibers using shortwave laser optics.
access control: The mechanisms and policies that restrict access to computer resources. An access control list (ACL), for example, specifies what operations different users can perform on specific files and directories.
[term not shown]: The act of permitting two or more users simultaneous access to file servers or devices.
[term not shown]: A predefined response to an event or alert by a system or application.
[term not shown]: A status that indicates that a program, job, policy, or scan is running. For example, when a scheduled scan executes, it is considered active.
Administrator: An individual with an account that is configured to perform administrative tasks, such as view reports, receive alerts, and add or delete objects. This group and its respective set of permissions is predefined and cannot be modified. See also user account.
[term not shown]: A sound or visual signal that is triggered by an error condition. See notification. See also event.
[term not shown]: A rule that monitors suspicious activity based on access attempts and time intervals. You can customize or disable the default threshold according to your needs.
ALERT_NUMBER: Represents the number of times that the response rule has been triggered for the given incident.
appliance: A specialized server designed for ease of installation and maintenance. Hardware and software are bundled, and applications are pre-installed. The device is plugged into a network and can begin working almost immediately with little configuration.
archive: A collection of computer files that have been packaged together for backup, to transport to some other location, for saving away from the computer so that more hard disk storage can be made available, or for some other purpose. An archive can include a simple list of files or files organized under a directory or catalog structure (depending on how a particular program supports archiving).
380 Glossary
asymmetric encryption: A type of encryption that is based on the concept of a key pair. Also called public key cryptography. Each half of the pair (one key) can encrypt information so that only the other half (the other key) can decrypt it. One part of the key pair, the private key, is known only by the designated owner; the other part, the public key, is published widely but is still associated with the owner.
asynchronous transmission: A form of data transmission in which information is sent intermittently. The sending device transmits a start bit and stop bit to indicate the beginning and end of a piece of data. See also synchronous transmission.
attack signature: The features of network traffic, either in the heading of a packet or in the pattern of a group of packets, that distinguish attacks from legitimate traffic.
[term not shown]: A property of an object, such as a file or display device.
[term not shown]: A type of Secure Sockets Layer (SSL) that provides authentication and data encryption through a self-signed certificate.
[term not shown]: The process of determining the identity of a user attempting to access a network. Authentication occurs through challenge/response, time-based code sequences, or other techniques. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network. See also PAP (Password Authentication Protocol).
authentication token: A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords. See also iButton.
authorization: The process of determining the type of activities or access that is permitted on a network. Usually used in the context of authentication: once you have authenticated a user, the user can be authorized to have access to a specific service.
back door: An entry point to a program or a system that is hidden or disguised, often created by the software's author for maintenance. A certain sequence of control characters permits access to the system manager account. If the back door becomes known, unauthorized users (or malicious software) can gain entry and cause damage.
bandwidth: The amount of data transmitted or received per unit time. In digital systems, bandwidth is proportional to the data speed in bits per second (bps). Thus, a modem that works at 57,600 bps has twice the bandwidth of a modem that works at 28,800 bps.
[term not shown]: The risk that exists before safeguards are considered.
[term not shown]: The effectiveness of a safeguard in terms of vulnerability measure. If the safeguard is applied by itself, it lowers the danger that the vulnerability poses by the amount specified.
bezel: The front panel of a Symantec Network Security 7100 Series appliance.
blocking: A configured mode for preventing malicious or unwanted network traffic from passing a certain point in the network.
[term not shown]: A measure of the speed at which a device such as a modem can transfer bits of data.
[term not shown]: An application that retrieves events from non-SESA, native Symantec products and places them in the SESA DataStore.
[term not shown]: To simultaneously send the same message to all users on a network.
build-to-order server: A PC or laptop running Red Hat Linux, configured as a DHCP server, TFTP server, and NFS server. It uses the Red Hat kickstart mechanism to load a Symantec Network Security 7100 Series appliance with initial software.
[term not shown]: An attack that works by exploiting a known bug in one of the applications running on a server. This then causes the application to overlay system areas, such as the system stack, thus allowing the attacker to gain administrative rights. In most cases, this gives the attacker complete control over the system. Also called stack overflow.
bypass unit: A device that provides the ability to transparently detour network traffic around a malfunctioning Ethernet network appliance.
cable: A group of wires that are enclosed in a protective tube. Usually this is an organized set of wires that correspond to specific pins on a 9- or 25-pin connector located at each end. A cable is used to connect peripheral devices to each other or to another computer. In remote computing, this can refer to a cable that is used to connect a computer to a modem, or a cable that connects two computers directly, which is sometimes called a null modem cable.
cache file: A file that is used to improve the performance of Microsoft Windows. The cache file is established on the remote computer and is used to hold Windows bitmap data. If the bitmap data is in the cache file when a Windows screen is redrawn, the data does not have to be resent, which results in better performance.
capability: The measure of a threat's technical expertise or knowledge of a system's connectivity.
CD start: A screen that is usually the first thing a customer will see after inserting the Symantec product CD.
certificate: A file that is used by cryptographic systems as proof of identity. It contains a user's name and public key.
[term not shown]: A type of Secure Sockets Layer (SSL) that provides authentication and data encryption through a certificate that is digitally signed by a Certificate Authority.
[term not shown]: A denial of service attack that is aimed at the Common Gateway Interface (CGI). CGI is a standard way for a Web server to pass a Web user's request to an application program and to receive data back to forward to the user. It is part of the Web's Hypertext Transfer Protocol (HTTP).
channel: A communication medium for transferring information. Also called a line or circuit. Depending on its type, a communications channel can carry information in analog or digital form. A communications channel can be a physical link, such as a cable that connects two stations in a network, or it can consist of some electromagnetic transmission.
checksum: A count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, it is assumed that the complete transmission was received. Also called hash.
Checksums: A checksum is a value that is generated to verify the integrity of data, and stored or transmitted with the data that it verifies. To verify the data, the receiver generates a second checksum and compares the two checksums. If the values match, this confirms that the data has not been altered or contaminated.
[term not shown] (Command Line Interface): A utility that provides an alternate way to execute commands in UNIX and Windows NT environments.
[term not shown]: A group of two or more nodes that are linked together to share attack data and/or to provide continued operation in the event that one server fails. A cluster can include up to 125 Network Security software nodes across multiple network segments within multiple network locations.
COM (communications) port: A location for sending and receiving serial data transmissions. Also called a serial port. These ports are referred to as COM1, COM2, COM3, and COM4.
communications protocol: A set of rules that are designed to let computers exchange data. A communications protocol defines issues such as transmission rate, interval type, and mode.
compact flash (CF): Digital memory technology providing non-volatile data storage on a compact flash card, readable and writable by a compact flash adaptor on a computer.
[term not shown]: The graphical user interface (GUI) that is provided for centralized administration of software and appliance nodes and node clusters in Symantec Network Security.
[term not shown]: The ability to review the actual information that an end user sees when using a specific Internet application, for example, the content of email messages.
[term not shown]: A virus that is commonly protected against with a virus scanner. See also data-driven attack.
control: A safeguard that mitigates a vulnerability or exposure and reduces risk. Examples are strong user passwords, applying vendor patches, and removing unneeded services.
[term not shown]: See interface, monitoring.
[term not shown]: The intelligent association of disparate items into a related group.
[term not shown]: A protocol that packages and sends data from component to component using the various transports that ESM supports. CSP bundles the data and places it on the network in whatever way is appropriate for the transport mechanism.
[term not shown]: The risk that remains after safeguards have been applied.
[term not shown]: The danger that is posed by a vulnerability after you have accounted for the safeguards that you use to secure it. If you use a valid safeguard, the current vulnerability measure is less than the default vulnerability measure.
daemon: A program that runs continuously and exists for the purpose of handling periodic service requests that a computer system expects to receive. The daemon forwards the requests to other programs (or processes) as appropriate. A typical example of a daemon can be seen on Web servers. Each server has a Hypertext Transfer Protocol Daemon (HTTPD) that continually waits for requests to come in from Web clients and their users.
data rate: The speed at which information is moved from one location to another. Data rates are commonly measured in kilobits (thousand bits), megabits (million bits), and megabytes (million bytes) per second. Modems, for example, are generally measured in kilobits per second (Kbps).
data transfer: The movement of information from one location to another. The speed of transfer is called the data rate or data transfer rate.
[term not shown]: The electronic transfer of information from a sending device to a receiving device.
[term not shown]: A form of intrusion in which the attack is encoded in seemingly innocuous data. It is subsequently executed by a user or other software to actually implement the attack.
[term not shown]: To convert encoded text to plain text through the use of a code.
[term not shown]: To convert either encoded or enciphered text into plain text.
[term not shown]: A special-purpose device. Although it is capable of performing other duties, it is assigned to only one.
[term not shown]: A type of attack in which a user or program takes up all of the system resources by launching a multitude of requests, leaving no resources and thereby denying service to other users. Typically, denial of service attacks are aimed at bandwidth control.
deployment: The installation of a network of security products, such as Symantec Network Security (nodes and Network Security console), Symantec Network Security 7100 Series appliances, and Symantec Network Security Smart Agents to form an enterprise security environment.
[term not shown]: A widely-used method of data encryption using a private (secret) key that was judged so difficult to break by the U.S. government that it was restricted for exportation to other countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.
dial: To initiate a connection via LAN, modem, or direct connection, whether or not actual dialing is involved.
dialer: A program that uses your system, without your permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.
dialog box: A secondary window containing command buttons and options available to users for carrying out a particular command or task.
digital certificate: A digital certificate is an electronic credit card that establishes a user's credentials when doing business or other transactions on the Web. It is issued by a Certificate Authority (CA). It contains the user's name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
digital signature: An electronic rather than a written signature that can be used by someone to authenticate the identity of the sender of a message or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged. Additional benefits to the use of a digital signature are that it is easily transportable, cannot be easily repudiated, cannot be imitated by someone else, and can be automatically time-stamped.
direct connection: A form of data communication in which one computer is directly connected to another, usually via a null modem cable.
disabled: A status that indicates that a program, job, policy, or scan is not available. For example, if scheduled scans are disabled, a scheduled scan does not execute when the date and time specified for the scan is reached.
[term not shown]: A network added between a protected network and an external network to provide an additional layer of security. Sometimes called a perimeter network.
[term not shown]: A hierarchical system of host naming that groups TCP/IP hosts into categories. For example, in the Internet naming scheme, names with .com extensions identify hosts in commercial businesses.
DNS spoofing: The act of breaching the trust relationship by assuming the Domain Name System (DNS) name of another system. This is usually accomplished by either corrupting the name service cache of a victim system or by compromising a Domain Name Server for a valid domain.
domain: A group of computers or devices that share a common directory database and are administered as a unit. On the Internet, domains organize network addresses into hierarchical subsets. For example, the .com domain identifies host systems that are used for commercial business.
download: To transfer data from one computer to another, usually over a modem or network. Usually refers to the act of transferring a file from the Internet, a bulletin board system (BBS), or an online service to one's own computer.
[term not shown]: A proprietary technology that is patented and works in the following way. The operating system has a system call (or vector) table that contains memory address pointers for each system call. These pointers point to a location in memory where the actual kernel code of the system calls resides. DSX stores the address pointers for the security-sensitive system calls and then redirects these pointers to the corresponding SECURED system call code, which is located elsewhere in memory.
email bomb: A code that, when executed, sends many messages to the same address(es) for the purpose of using up disk space or overloading an email or Web server.
[term not shown]: An application from which users can create, send, and read email messages.
[term not shown]: An application that controls the distribution and storage of email messages.
[term not shown]: A status that indicates that a program, job, policy, or scan is available. For example, if scheduled scans are enabled, any scheduled scan will execute when the date and time specified for the scan is reached.
encryption: A method of scrambling or encoding data to prevent unauthorized users from reading or tampering with the data. Only those who have access to a password or key can decrypt and use the data. The data can include messages, files, folders, or disks.
end-to-end encryption: The process of using encryption at the point of origin in a network, followed by decryption at the destination.
[term not shown]: A standard that provides confidentiality for IP datagrams or packets by encrypting the payload data to be protected. Datagrams and packets are the message units that the Internet Protocol deals with and that the Internet transports.
Ethernet: A local area network (LAN) protocol developed by Xerox Corporation in cooperation with DEC and Intel in 1976. Ethernet uses a bus or star topology and supports data transfer rates of 100 Mbps.
Ethernet interface: NIC interfaces on the Network Security or network devices capable of up to 100Mb/s, half or full-duplex, of ethernet traffic.
[term not shown]: A message that is generated by a product to indicate that something has happened.
[term not shown]: The centralized collection, classification, and normalization of events to enable alerting and reporting across multivendor managed security products.
event type: A predefined event category that is used for sorting reports and configuring events and alerts.
event, base: A significant occurrence in a system or application that Symantec Network Security detects. Base events are the detected activities at the most elemental level. For detailed descriptions of events, see "About the Web sites" on page 22.
exploit: 1. A method used to compromise the integrity, availability, or confidentiality of information or services. 2. A program that automates a method to compromise the integrity, availability, or confidentiality of information or services.
[term not shown]: A vulnerability that is inherent in a legitimate service or system.
[term not shown]: A threat that originates outside of an organization.
[term not shown]: The ability of a network appliance to allow network traffic to continue even when the appliance itself experiences a failure. This differs from failover in that other appliance functionality is not continued by another device when the failure occurs.
failover
An automated strategy to provide high availability and redundancy by deploying a standby node to take over if the master node fails or is shut down for servicing. See also watchdog process.

false negative
An unrecognized and/or unreported activity or state that requires response, such as a virus or intrusion that is not detected.

false positive
A reported activity or state that does not require response because it was reported incorrectly or does not pose a threat. Too many false positives can become intrusive in themselves.

fault tolerance
A design method that ensures continued systems operation in the event of individual failures by providing redundant system elements.

FDDI (Fiber Distributed Data Interface)
A set of ANSI protocols used for sending digital data over fiber optic cable. FDDI networks are token-passing networks and support data rates of up to 100 Mb (100 million bits) per second. FDDI networks are typically used as backbones for wide area networks.

file transfer
The process of using communications to send a file from one computer to another. In communications, a protocol must be agreed upon by sending and receiving computers before a file transfer can occur.

filter
A program or section of code that is designed to examine each input or output request for certain qualifying criteria and then process or forward it accordingly. Also a method of querying a list to produce a subset of items with specified characteristics.

firewall
A program that protects the resources of one network from users from other networks. Often, an enterprise with an intranet that allows its workers access to the wider Internet will install a firewall to prevent outsiders from accessing its own private data resources.

A denial of service attack aimed directly at the firewall.

A physical or virtual boundary to secure a network or network segment. A firewall can identify and permit or block network traffic based on multiple criteria including originating domain, network port number, and originating network IP address.

flooding program
A program that contains code that, when executed, will bombard the selected system with requests in an effort to slow down or shut down the system.

flowcookie
A message in string format that includes details about a particular event, such as IP addresses, attack details, ports, etc.

follow-up
The final phase of incident response. All other phases seek the most efficient path to this phase. Reporting is a key action in this phase.

A URL that consists of a host and domain name, including top-level domain. For example, www.symantec.com is a fully qualified domain name. www is the host, symantec is the second-level domain, and .com is the top-level domain.
FTP
The simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers email, FTP is an application protocol that uses the Internet's TCP/IP protocols.

gateway
A network point that acts as an entrance to another network. In a company network, a proxy server acts as a gateway between the internal network and the Internet. A gateway can also be any computer or service that passes packets from one network to another network during their trip across the Internet.

See blocking.

gigabit Ethernet interface
NIC interfaces on the Network Security or network devices capable of up to 1000Mb/s, half or full-duplex, of ethernet traffic.

The relative fineness or coarseness by which a mechanism can be adjusted.

Programs that do not contain viruses and that are not obviously malicious, but which can be annoying or even harmful to the user. For example, hack tools, accessware, spyware, adware, dialers, and joke programs.

group
A category of user accounts in Symantec Network Security that contains specific, predefined permissions and rights. See also user account.

A subset of a cluster.

A program in which a significant portion of the code was originally another program.

A tool that is used by a hacker to gain unauthorized access to a computer. One type of hack tool is a keystroke logger, which is a program that tracks and records individual keystrokes and can send this information back to the hacker.

hacker
A term used by some to mean a clever programmer and by others, especially journalists or their editors, to mean someone who tries to break into computer systems.

hardware setup
A set of hardware parameters, such as modem type, port/device, and data rate, that is used as a singular named resource in launching a host or remote session.

heuristic
A technology that uses experience-based knowledge rather than virus definitions to identify new threats by examining files for suspicious behavior.

See watchdog process.

The control of a connection taken by the attacker after the user authentication has been established.

host
1. In a network environment, a computer that provides data and services to other computers. Services might include peripheral devices, such as printers, data storage, email, or World Wide Web access. 2. In a remote control environment, a computer to which remote users connect to access or exchange data.
host-based security
The technique of securing an individual system from attack. Host-based security is operating system-dependent and version-dependent.

A standard set of commands used to structure documents and format text so that it can be used on the Web.

HTTP
The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Similar to the TCP/IP suite of protocols (the basis for information exchange on the Internet), HTTP is an application protocol.

A variation of HTTP that is enhanced by a security mechanism, which is usually Secure Sockets Layer (SSL).

An unusual configuration with routers that maintain the complete state of the TCP/IP connections or examine the traffic to try to detect and prevent attack (this may involve the bastion host). If very complicated, it is difficult to attack, and difficult to maintain and audit.

iButton
A dime-size hardware device that stores the private key portion of the Network Security signature certificate to safeguard the private key against being stolen or compromised. The iButton also confirms the identity of a Network Security node.

icon
A graphic representation of a container, document, network object, or other data that users can open or manipulate in an application.

inactive
A status that indicates that a program, job, policy, or scan is not currently running. For example, when a scheduled scan is waiting for the specified date and time to execute, it is inactive.

incident
A security occurrence that requires closure. Incidents are derived from an event or a group of events that are generated by a security point product. When a sensor detects a suspicious event, it correlates the event to an incident containing similar or related events. Multiple related events that indicate a possible attack are categorized as incidents. Incidents derive their names from the highest priority event type that is correlated to the incident.

incident type
A generic grouping that indicates key aspects of an incident based on attributes of related vulnerabilities. Denial of service (DoS) and root compromise are examples of such groupings.

initialize
To prepare for use. In communications, to set a modem and software parameters at the start of a session.

in-line
A method of connecting to the network that makes the device an integral part of the network traffic path or route.

The place where typed text or a dragged or pasted selection appears.

An attack originating from inside a protected network.
intelligence
The continual analysis of threats, vulnerabilities, and system and network environments to better provide information, as opposed to data, which aids in the protection of system and network environments.

interface group
A collection of multiple monitoring interfaces on a Symantec Network Security 7100 Series appliance sharing one sensor process which correlates all network traffic as if it were seen by a single interface.

interface pair
Two monitoring interfaces which are configured together using in-line mode. One of the pair connects to the inside network, and the other connects to the outside network.

interface, monitoring
A designated port (also called copy port or mirror port) that creates a copy of the traffic flow on a specific network device. The monitor interface sends this data to Symantec Network Security to examine out-of-band so there is no loss of network functionality.

A threat that originates within an organization.

A web of different, intercommunicating networks funded by both commercial and government organizations. It connects networks in many countries. No one owns or runs the Internet. There are thousands of enterprise networks connected to the Internet, and there are millions of users, with thousands more joining every day.

intrusion detection
A security service that monitors and analyzes system events for the purpose of finding and providing real-time, or near real-time, warning of attempts to access system resources in an unauthorized manner.

intrusion management
The centralized management of intrusion-based security technologies to identify, manage, and mitigate network intrusions based on security policy.

IP (Internet Protocol)
The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one address that uniquely identifies it to all other computers on the Internet.

IP address
A unique number that identifies a workstation on a TCP/IP network and specifies routing information. Each workstation on a network must be assigned a unique IP address, which consists of the network ID, plus a unique host ID assigned by the network administrator. This address is usually represented in dot-decimal notation, with the decimal values separated by a period (for example, 123.45.6.24).

IP hijacking
An attack in which an active, established session is intercepted and taken over by the attacker. This attack may take place after authentication has occurred, which allows the attacker to assume the role of an already authorized user.

IP spoofing
An attack in which someone intercepts and co-opts an active, established session. IP spoofing is also an attack method by which IP packets are sent with a false source address, which may try to circumvent firewalls by adopting the IP address of a trusted source. This fools the firewall into thinking that the packets from the hacker are actually from a trusted source. IP spoofing can also be used simply to hide the true origin of an attack.
IPSec (Internet Protocol Security)
A developing standard for security at the network or packet-processing layer of network communication. IPSec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both the authentication of the sender and encryption of data as well. IPSec is widely used with virtual private networks.

ISDN (Integrated Services Digital Network)
A high-speed, digital, high-bandwidth telephone line that allows simultaneous voice and data transmission over the same line. ISDN is one of the always-on class of connections.

ISP (Internet service provider)
An organization or company that provides dial-up or other access to the Internet, usually for money.

joke program
A program that changes or interrupts the normal behavior of a computer, for example, making the mouse click in reverse.

key
A variable value in cryptography that is applied (using an algorithm) to a string or block of unencrypted text to produce encrypted text. A key is also a series of numbers or symbols that are used to encode or decode encrypted data.

A protocol that supports the creation of secure virtual private dial-up networks over the Internet.

A group of computers and other devices in a relatively limited area (such as a single building) that are connected by a communications link that enables any device to interact with any other device on the network.

LDAP
A software protocol that enables anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet. LDAP is a lightweight (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.

least privilege
The process of designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges can perform unauthorized activity resulting in a security breach.

A unique identification number used to register a Symantec product.

An attack that takes place against a computer or a network to which the attacker already has either physical or legitimate remote access. This can include the computer that the attacker is actually using or a network to which that computer is connected.

A record of actions and events that take place on a computer.

The process of storing information about events that occurred on a firewall or network.

logic bomb
The malicious code that is inserted into a program and designed to lie dormant until a specific event occurs, such as a specific date being reached or a user typing a specific command. At this time, the logic bomb triggers, usually to destroy or modify data without the knowledge or authorization of the computer user.
MAC address
On a network, a computer's unique hardware number. The MAC address is used by the Media Access Control sublayer of the Data Link Control (DLC) layer of telecommunication protocols. There is a different MAC sublayer for each physical device type. The data-link layer is the protocol layer in a program that handles the moving of data in and out across a physical link in a network.

malicious code
Programs such as viruses, worms, logic bombs, and Trojan horses that are surreptitiously inserted into programs to destroy data, run destructive or intrusive programs, or otherwise compromise the security or integrity of the victim's computer data.

malware
Programs and files that are created to do harm. Malware includes computer viruses, worms, and Trojan horses.

The insertion of arbitrary streams of data without the user noticing.

The horizontal area at the top of a window containing all of the commands appropriate to the selected console view tab.

MIB
A database of objects that can be monitored by a network management system. Both SNMP and RMON use standardized MIB formats that allow any SNMP and RMON tools to monitor any device defined by an MIB.

An application that connects two otherwise separate applications.

A protocol used for transmitting documents with different formats via the Internet.

See interface, monitoring.

mode
A system state in which a single action or a series of actions are performed. A mode has an On condition and an Off condition. For example, in-line mode for interfaces in a Symantec Network Security 7100 Series appliance is On if a security administrator configures those interfaces for in-line mode, and does the proper cabling of the ports. Using in-line mode, the appliance is placed into the network path, and can block malicious traffic.

monitoring
The viewing of activity in a security environment, generally in real-time. Monitoring allows security administrators to view the content of applications that are being used.

See interface, monitoring.

See Symantec Network Security Smart Agents.

To simultaneously send the same message to a select group of recipients on a network, as opposed to broadcasting to all recipients on a network. Sometimes used synonymously as narrowcast.

multiuser
Of, or pertaining to, the ability of multiple, concurrent users to log on and run applications from a single server.

name server
A computer running a program that converts domain names into appropriate IP addresses and vice versa.
The timely action in response to an event, incident, or alert.

A group of computers and associated devices that are connected by communications facilities (both hardware and software) to share information and peripheral devices such as printers and modems.

See interface, monitoring.

network worm
A program or command file that uses a computer network as a means for adversely affecting a system's integrity, reliability, or availability. A network worm can attack from one system to another by establishing a network connection. It is usually a self-contained program that does not need to attach itself to a host file to infiltrate network after network.

See Ethernet interface and gigabit Ethernet interface.

NIDS
A type of intrusion detection system that works at the network level by monitoring packets on the network and gauging whether a hacker is attempting to send a large number of connection requests to a computer on the network, indicating an attempt either to break into a system or cause a denial of service attack. Unlike other intrusion detection systems, a NIDS is able to monitor numerous computers at once.

NNTP
The predominant protocol used by computers (servers and clients) for managing the notes posted on newsgroups. NNTP replaced the original Usenet protocol, UNIX-to-UNIX.

node, master
The primary node in a watchdog process or failover group, from which all activity predominates. See also node, standby.

A primary Symantec Network Security installation that ranks above all other Network Security nodes in a group or cluster. By default, the first Network Security installation is designated as a master node, and all other Network Security nodes within the cluster are designated as slave nodes. Changes to a master node are propagated to the slave nodes in a cluster.

node, network
See object.

node, Network Security
The main component of Symantec Network Security that includes comprehensive detection, analysis, and response functionality. Network Security nodes can be administered via the Network Security console, and can be deployed singly or grouped for cross-node correlation.

node, standby
The standby node or nodes in a watchdog process or failover group serve as a backup if your active master node fails or is shut down for servicing.

node, slave
A Symantec Network Security installation that ranks below a master Network Security node in a group or cluster. By default, the first Symantec Network Security installation is designated as a master node, and all other Network Security nodes within the cluster are designated as slave nodes. The slave nodes receive updates to their topology, response rule, and configuration databases from a master Network Security software node in the cluster.
node, standby
The secondary node or nodes in a watchdog process or failover group. Standby nodes monitor traffic flows on designated network devices, but do not log data unless the active node fails. Standby nodes wait until the active node is out of commission before becoming active.

notification
An automatic alert message that notifies a security administrator that an event or error has occurred, or a predefined response that is triggered by a system condition, such as an event or error condition. Typical responses include sound or visual signals, such as displaying a message box, sending email, or paging a security administrator. The security administrator may be able to configure the response.

object
A graphical representation of a device or entity on your network with a unique address. You can create objects to represent network or Network Security devices such as servers or routers, as well as entities such as network segments or interfaces. The Network Security console displays objects in the topology tree on the Devices tab.

ODBC
A standard or open application programming interface (API) for accessing a database. By using ODBC statements in a program, you can access files in a number of different databases, including Access, dBase, DB2, Excel, and Text. In addition to the ODBC software, a separate module or driver is needed for each database to be accessed.

one-time password
In network security, a password that is issued only once as a result of a challenge-response authentication process. This cannot be stolen or reused for unauthorized access.

online
The state of being connected to the Internet. When a user is connected to the Internet, the user is said to be online.

OOBA
A one-size-fits-all authentication sequence for protocols that require transparency or have their own authentication. OOBA allows you to authenticate with proxies, such as HTTP, SQLnet, and h323, that have not supported authentication on the firewall in the past.

open source
A program whose source code is available for public inspection and revision. Open source software is often distributed freely, in the hope that the computing community will contribute to the program, helping to identify and eliminate bugs. Two well-known examples of open source programs are the Apache Web server and the Linux operating system.

OS (operating system)
The interface between the hardware of the computer and applications (for example a word-processing program). For personal computers, the most popular operating systems are MacOS, Windows, DOS, and Linux.

packet
A unit of data that is formed when a protocol breaks down messages that are sent along the Internet or other networks. Messages are broken down into standard-sized packets to avoid overloading lines of transmission with large chunks of data. Each of these packets is separately numbered and includes the Internet address of the destination. Upon arrival at the recipient computer, the protocol recombines the packets into the original message.
packet filter
A filter that keeps out certain data packets based on their source and destination addresses and service types. You can use packet filters to block connections from or to specific hosts, networks, or ports. Packet filters are simple and fast, but they make decisions based on a very limited amount of information.

packet filtering
A firewall technique that examines the headers of packets requesting connection to a computer behind the firewall and either grants or denies permission to connect based on information held within the packet header according to a set of preestablished rules.

packet sniffing
The interception of packets of information (for example, a credit card number) that are traveling across a network.

See Protocol Anomaly Detection.

A procedure used to validate a connection request. After the link is established, the requester sends a password and an ID to the server. The server either validates the request and sends back an acknowledgement, terminates the connection, or offers the requester another chance.

parallel port
A port that transmits synchronous, high-speed flow of data along parallel lines. Parallel ports are usually used for printers.

parameter
A value that is assigned to a variable. In communications, a parameter is a means of customizing program (software) and hardware operation.

passphrase
A unique string of characters that a user types as an identification code to restrict access to computers and sensitive files. The system compares the code against a stored list of authorized passwords and users. If the code is legitimate, the system allows access at the security level approved for the owner of the password.

password-based attack
An attack in which repetitive attempts are made to duplicate a valid logon or password sequence.

patch
A type of programming code that is used to repair an identified software bug or vulnerability, or to mitigate a vulnerability by resolving the underlying implementation error.

payload
The part of the packet, message, or code that carries the data. In information security, payload generally refers to the part of malicious code that performs the destructive operation.

permissions
A set of rights of a user determining the level of access to Symantec Network Security components and functions. Permissions are granted through assignment of predefined accounts to users. See user account.

PGP
A freeware (for non-commercial users) encryption program that uses the public key approach: messages are encrypted using the publicly available key, but the intended recipient can only decipher them via the private key. PGP is perhaps the most widely used encryption program.
physical exposure
A rating used to calculate vulnerability that is based on whether a threat must have physical access to your system to exploit a vulnerability.

In computer security, a number used during the authentication process that is known only to the user.

ping
A program that security administrators and hackers or crackers use to determine whether a specific computer is currently online and accessible. Pinging works by sending a packet to the specified IP address and waiting for a reply; if a reply is received, the computer is deemed to be online and accessible.

platform attack
An attack that focuses on vulnerabilities in the operating system that is hosting the firewall.

policy
1. A document (hardcopy or electronic) that outlines specific requirements or rules that must be met. 2. The activities or states that are allowed, required, or forbidden within a specific environment.

See response rule.

policy management
The creation, configuration, and monitoring of security assets and information to ensure that they are compliant with policies.

A protocol that allows clients to retrieve email from a mail server.

An email protocol used to retrieve email from a remote server over an Internet connection.

1. A hardware location for passing data into and out of a computing device. Personal computers have various types of ports, including internal ports for connecting disk drives, monitors, and keyboards, and external ports, for connecting modems, printers, mouse devices, and other peripheral devices. 2. In TCP/IP and UDP networks, the name given to an endpoint of a logical connection. Port numbers identify types of ports. For example, both TCP and UDP use port 80 for transporting HTTP data.

port scan
An intrusion method in which hackers use software tools called port scanners to find services currently running on target systems. This is done by scanning the target for open ports, usually by sending a connection request to each port and waiting for a response. If a response is received, the port is known to be open.

A protocol used for communication between two computers. This is most commonly seen with dial-up accounts to an ISP. However, Point-to-Point Protocol over Ethernet (PPPoE) has now become more popular with many DSL providers.

priority
A number between 1 and 5 (inclusive) that is assigned to an incident. The number is assigned based on signature attributes, system attributes, organization attributes, and vulnerability attributes.
private key
A part of asymmetric encryption that uses a private key in conjunction with a public key. The private key is kept secret, while the public key is sent to those with whom a user expects to communicate. The private key is then used to encrypt the data, and the corresponding public key is used to decrypt it. The risk in this system is that if either party loses the key or the key is stolen, the system is broken.

probe
An effort, such as a request, transaction, or program, that is used to gather information about a computer or the state of a network. For example, sending an empty message to see whether a destination actually exists. Ping is a common utility for sending such a probe. Some probes are inserted near key junctures in a network for the purpose of monitoring or collecting data about network activity.

protocol
A set of rules for encoding and decoding data so that messages can be exchanged between computers and so that each computer can fully understand the meaning of the messages. On the Internet, the exchange of information between different computers is made possible by the suite of protocols known as TCP/IP. Protocols can be stacked, meaning that one transmission can use two or more protocols. For example, an FTP session uses the FTP protocol to transfer files, the TCP protocol to manage connections, and the IP protocol to deliver data.

Protocol Anomaly Detection
One of an array of methodologies by which Symantec Network Security inspects network traffic, compares observed behavior during network protocol exchange to structured protocols, analyzes defiant behavior in context, and detects deviations from the norm.

proxy server
A server that acts on behalf of one or more other servers, usually for screening, firewall, or caching purposes, or a combination of these purposes. Also called a gateway. Typically, a proxy server is used within a company or enterprise to gather all Internet requests, forward them out to Internet servers, and then receive the responses and in turn forward them to the original requester within the company.

public key
A part of asymmetric encryption that operates in conjunction with the private key. The sender looks up the public key of the intended recipient and uses the public key to encrypt the message. The recipient then uses his or her private key, which is not made public, to decrypt the message.

public key cryptography
A cryptographic system in which two different keys are used for encryption and decryption. Also called asymmetric cryptography. The sender of the message looks up the public key of the intended recipient and uses the public key to encrypt the message. The recipient then uses his or her private key, which is not made public, to decrypt the message. This method of encryption is considered more secure than symmetrical cryptography because one of the keys is kept strictly private.

QoS (quality of service)
The idea that transmission rates, error rates, and other characteristics on the Internet and in other networks, can be measured, improved, and, to some extent, guaranteed in advance. QoS is of particular concern for the continuous transmission of high-bandwidth video and multimedia information.
RAM
The memory that information required by currently running programs is kept in, including the program itself. Random access refers to the fact that it can be either read from or written to by any program. Many operating systems protect critical, occupied, or reserved RAM locations from tampering.

An immediate action in response to an event, incident, or alert.

To capture and store a set of data that consists of a series of actions and events.

See watchdog process.

The use of programs that allow access over the Internet from another computer to gain information or to attack or alter your computer.

replication
The process of duplicating data from one database to another.

report
A set of data that is collected by Symantec Network Security that allows all types of data to be selectively examined, scheduled, exported, or printed.

An action that clears any changes made since the last apply or reset action.

An interface on a Symantec Network Security 7100 Series appliance through which TCP resets are sent to stop a malicious TCP/IP flow.

response action
A predefined reaction to an event or alert to a defined security threat, such as capturing the attacker's session, triggering tracking, or emailing an alert. Response actions can be configured for each type of incident that is handled by Symantec Network Security.

The method of action for handling security risks that is selected from alternatives, given specific conditions to guide and determine present and future decisions.

response rule
A logical statement that lets you respond to an event based on predetermined criteria.

RestrictedUser
An individual with an account that is configured to perform a restricted set of tasks, such as view reports, and receive alerts. This group and the respective set of permissions is predefined, and cannot be modified.

See permissions.

RIP
The oldest routing protocol on the Internet and the most commonly used routing protocol on local area IP networks. Routers use RIP to periodically broadcast the networks that they know how to reach.

risk
The anticipated adverse impact that can result if a threat exploits a vulnerability in an asset.

Any program intended to damage programs or data (such as malicious Trojan horses).

An administrative position that is defined by a set of permissions.

A method of administration in which access rights or permissions are granted to user roles in hierarchical responsibilities. The set of permissions define the administrative or user positions.
ROM (read-only memory) The memory that is stored on the hard drive of the computer. Its contents cannot be accessed or modified by the computer user, but can only be read.
router A device that helps local area networks (LANs) and wide area networks (WANs) achieve interoperability and connectivity.
rule A logical statement that lets you respond to an event based on predetermined criteria.
run To execute a program or script.
S/MIME (Secure/Multipurpose Internet Mail Extensions) An email security protocol that was designed to prevent the interception and forgery of email by using encryption and digital signatures. S/MIME builds security on top of the MIME protocol and is based on technology originally developed by RSA Data Security, Inc.
safeguard The control or countermeasure employed to reduce the risk associated with a specific threat or group of threats. Examples of safeguards are patches, policies, deterrence measures, surveillance, physical security, upgrades, education, and training.
script A type of program that consists of a set of instructions for an application. A script usually consists of instructions that are expressed using the application's rules and syntax, combined with simple control structures.
script kiddie An unskilled cracker who uses code and software (or scripts) downloaded from the Internet to inflict damage on targeted sites. Often these destructive activities are carried out for no other purpose than to prove the script kiddie's hacking prowess.
secure browser A Web browser that can use a secure protocol, such as SSL, to establish a secure connection to a Web server.
security The policies, practices, and procedures that are applied to information systems to ensure that the data and information that is held within or communicated along those systems is not vulnerable to inappropriate or unauthorized use, access, or modification, and that the networks that are used to store, process, or transmit information are kept operational and secure against unauthorized access. As the Internet becomes a more fundamental part of doing business, computer and information security are assuming more importance in corporate planning and policy.
sensor process The functionality of Network Security sensors to perform detection and analysis and to take responsive action against perceived attacks.
serial port A location for sending and receiving serial data transmissions. Also known as a communications port or COM port. DOS references these ports by the names COM1, COM2, COM3, and COM4.
server A computer or software that provides services to other computers (known as clients) that request specific services. Common examples are Web servers and mail servers.
SESA (Symantec Enterprise Security Architecture) The centralized, scalable management architecture that is used by Symantec's security products.
session In communications, the time during which two computers maintain a connection and, usually, are engaged in transferring information.
A collection of parameters (key/value pairs, data blobs, and so on).
A level that is assigned to an incident. See also incident.
A mailbox that stores messages for an entire domain and that allows organizations with part-time Internet connections to exchange mail.
signature 1. A state or pattern of activity that indicates a violation of policy, a vulnerable state, or an activity that may relate to an intrusion. 2. Logic in a product that detects a violation of policy, a vulnerable state, or an activity that may relate to an intrusion. This can also be referred to as a signature definition, an expression, a rule, a trigger, or signature logic. 3. Information about a signature, including attributes and descriptive text. This is more precisely referred to as signature data.
SLIP (Serial Line Internet Protocol) A TCP/IP protocol used for communication between two computers that have been previously configured for communication with each other.
Smart Agents See Symantec Network Security Smart Agents.
SMF (Standard Message Format) A message file format established by Novell and used by many email applications.
SMON See interface, monitoring.
SMTP (Simple Mail Transfer Protocol) The protocol that allows email messages to be exchanged between mail servers. Clients then retrieve email, typically via the POP or IMAP protocol.
SMTP alert A Simple Mail Transfer Protocol notification of a major system event, such as shutdown, startup, crash, or virus definition update error.
snapshot A file in which information about the system's configuration and properties is stored.
SNMP (Simple Network Management Protocol) The protocol governing network management and the monitoring of network devices and their functions.
SNMP alert A Simple Network Management Protocol notification of a major system event, such as shutdown, startup, crash, virus definitions update, or virus definitions update error.
social engineering An attack based on tricking or deceiving users or security administrators into revealing passwords or other information that compromises a target system's security. Social engineering attacks are typically carried out by attackers who telephone users or operators and pretend to be authorized users.
SOCKS A security package that allows a host behind a firewall to use finger, FTP, telnet, Gopher, and Mosaic to access resources outside the firewall while maintaining the security requirements.
software The instructions for the computer to perform a particular task. A series of instructions that performs a particular task is called a program. Software instructs the hardware of the computer how to handle data in order to perform a specific task.
source-route attack A form of spoofing in which the routing, as indicated in the source-routed packet, is not coming from a trusted source and therefore the packet is being routed illicitly.
SPI (Security Parameter Index) An Authentication Header (AH) SPI number between 1 and 65535 that you assign to each tunnel endpoint when using AH in a VPN policy.
spoofing The act of establishing a connection with a forged sender address. This normally involves exploiting a trust relationship that exists between source and destination addresses or systems.
spyware Stand-alone programs that can secretly monitor system activity and detect passwords and other confidential information and relay the information back to another computer.
SSH (Secure Shell) A program that allows a user to log on to another computer securely over a network by using encryption. SSH prevents third parties from intercepting or otherwise gaining access to information sent over the network.
SSL (Secure Sockets Layer) A protocol that allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection, thus ensuring the secure transmission of information over the Internet.
StandardUser An individual with an account that is configured to perform a specific set of tasks, such as viewing reports, receiving alerts, and adding or deleting objects. This group and its set of permissions are predefined and cannot be modified.
state The last known status, or current status, of an application or a process.
stateful Of, or pertaining to, a computer or computer program that is designed to note and remember one or more preceding events in a given sequence of interactions with a user, another computer or program, a device, or other outside element. Stateful means that the computer or program keeps track of the state of interaction, usually by setting values in a storage field designated for that purpose. Stateless does not.
STOP (Stack Overflow Protection) A simple and transparent protection approach that renders stack or buffer overflow attacks unsuccessful. Stack or buffer overflow attacks continue to be a favorite technique used by hackers to break into servers. STOP reallocates the location of the system stack (the area to which the attacker is trying to have the data overflow). This is like reshuffling the cards in a deck, making it very difficult for the attacker to predict the location for the overflow data.
streak A segment of traffic that contains a sequence of packets that meet specific characteristics, such as the same source and destination IP addresses. To distinguish between DoS attacks, portscans, and sweeps, Symantec Network Security analyzes the characteristics and behavior of streaks. Many of the flood and scan parameters regulate what elements in a streak to monitor, how to analyze them, and when to trigger an event.
sub-cluster See group.
SuperUser An individual with an account that is configured to perform all tasks. During installation of the master node, an account is created for a SuperUser with full permissions. This group and its set of permissions are predefined and cannot be modified.
Symantec Network Security Smart Agents Formerly called MSAs, the Symantec Network Security Smart Agents are translation software that enables Symantec Network Security to receive event data from external sensors and correlate that data with all other events.
symmetric encryption An encryption method involving a single secret key for both encryption and decryption. The sender of the encrypted message must give that key to the recipient before the recipient can decrypt it. Although this method of encryption is efficient, there is a danger that if the secret key is intercepted, the message can be read by an unintended audience.
SYN flood A type of attack in which a system is bombarded with bogus TCP/IP SYN (synchronous idle) requests. When a session is initiated between the Transmission Control Protocol (TCP) client and server in a network, a very small buffer space exists to handle the handshaking or exchange of messages that sets up the session. The session-establishing exchange includes a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer so that other, legitimate connection requests can't be accommodated. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate requests for a session to get established. In general, this problem depends on the operating system providing correct settings or allowing the network administrator to tune the size of the buffer and the time-out period.
synchronize To copy files between two directories on host and remote computers to make the directories identical to one another.
synchronous transmission A form of data transmission in which information is sent in blocks of bits separated by equal time intervals. The sending and receiving devices must first be set to interact with one another at precise intervals; then data is sent in a steady stream. See also asynchronous transmission.
syntax error An error made by an author when creating a script, for example, not enclosing a string in quotes or specifying the wrong number of parameters.
syslog A Unix operating system logging capability that can log to a remote server.
system A set of related elements that work together to accomplish a task or provide a service. For example, a computer system includes both hardware and software.
TCP/IP (Transmission Control Protocol/Internet Protocol) The suite of protocols that allows different computer platforms using different operating systems (such as Windows, MacOS, or UNIX) or different software applications to communicate. Although TCP and IP are two distinct protocols, the term TCP/IP includes Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and many others.
Telnet The main Internet protocol for creating an interactive control connection with a remote computer. Telnet is the most common way of allowing users a remote connection to a network, as with telecommuters or remote workers.
The area in which a user can type text.
thin client A low-cost computing device that works in a server-centric computing model. Thin clients typically do not require state-of-the-art, powerful processors and large amounts of RAM and ROM because they access applications from a central server or network. Thin clients can operate in a server-based computing environment.
threat A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.
The identification and quantification of human threats to an organization or its systems.
blended threat An attack that uses multiple methods to transmit and spread. The damage caused by blended threats can be rapid and widespread. Protection from blended threats requires multiple layers of defense and response mechanisms.
threshold The number of events that satisfy certain criteria. SuperUsers and Administrators define threshold rules to determine how notifications are to be delivered.
time-out A predetermined period of time during which a given task must be completed. If the time-out value is reached before or during the execution of a task, the task is cancelled.
Time to Live (TTL) A counter in the Internet Protocol (IP) header that specifies how many point-to-point transmissions, also called hops, an IP packet can travel before it expires. The TTL prevents IP packets from traveling indefinitely.
title bar The area at the top of a window showing the name of the program, function, document, or application.
token An authentication tool or a device used to send and receive challenges and responses during the user authentication process. Tokens can be small, handheld hardware devices similar to pocket calculators or credit cards. See also iButton.
token ring A type of computer network in which all of the computers are arranged schematically in a circle. A token, which is a special bit pattern, travels around the circle. To send a message, a computer catches the token, attaches a message to it, and then lets it continue traveling around the network.
toolbar The various rows below the menu bar containing buttons for a commonly used subset of the commands that are available in the menus.
tracking The logging of inbound and outbound messages based on predefined criteria. Logging is usually done to allow for further analysis of the data at a future date or time.
trackware Stand-alone or appended applications that trace a user's path on the Internet and send information to the target computer. For example, a user could download an application from a Web site or an email or instant messenger attachment. That attachment can then obtain confidential information regarding user behavior.
trapdoor A secret entry point into a computer program that illegitimate users can use to get around authentication and validation methods that are intended to prevent unauthorized entry.
trending The result of monitoring and analyzing data to show a tendency in some direction over time.
Trojan horse A rogue program that disguises itself as a legitimate file to lure users to download and run it. It takes the identity of a trusted application to collect confidential user information or avoid detection. A Trojan horse neither replicates nor copies itself, but causes damage and compromises the security of an infected computer.
tunnel A process that allows a company to securely use public networks as an alternative to using its own lines for wide-area communications.
tunneling router A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption.
two-factor authentication A type of authentication that is based on something a user knows (factor one) plus something the user has (factor two). In order to access a network, the user must have both factors (in the same way that a user must have an ATM card and a personal identification number [PIN] to retrieve money from a bank account). In order to be authenticated during the challenge/response process, the user must have this specific (private) information.
UDP (User Datagram Protocol) A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. UDP is used primarily for broadcasting messages over a network.
A threat that tends to be technically unskilled or unsophisticated.
upload To send a file from one computer to another via modem, network, or serial cable. With a modem-based communications link, the process generally involves the requesting computer instructing the remote computer to prepare to receive the file on its disk and wait for the transmission to begin. See also download.
UPS (uninterruptible power supply) A device that allows your computer and firewall equipment to run for a short time after a power failure. This allows you to power the device down in an orderly manner. A UPS also provides protection in the event of a power surge.
URL (Uniform Resource Locator) The standard addressing system for the World Wide Web. A URL consists of two parts: the first part indicates the protocol to use (for example, http://), and the second part specifies the IP address or the domain name and the path where the desired information is located (for example, www.securityfocus.com/glossary).
URL blocking The tracking and denying of user access to undesirable Web sites based on predefined site content.
user A person who is enabled to perform Symantec Network Security administrative tasks, such as viewing reports or receiving notifications. See also SuperUser, Administrator, StandardUser, and RestrictedUser.
user account A file that contains information that identifies a user to the system. This information includes the user name and password, the groups in which the user account has membership, and the rights and permissions that the user has for using the system and accessing its resources.
user authentication A process that verifies a user's identity to ensure that the person requesting access to the private network is, in fact, the person to whom entry is authorized.
user identification The process by which a user is identified to the system as a valid user (as opposed to authentication, which is the process of establishing that the user is indeed that user and has a right to use the system).
user name A form of authentication that is in place to ensure that the user is authorized to use the services being requested. The user name also signifies the primary user or users of a particular computer.
user-level services Commands or utilities, such as ssh and syslog, which are available from the underlying operating system.
UUCP (UNIX-to-UNIX Copy) A set of UNIX programs for copying (sending) files between different UNIX systems and for sending commands to be executed on another system.
A data encoding standard developed to translate or convert a file or email attachment (an image, text file, or program) from its binary or bit-stream representation into the 7-bit ASCII set of text characters.
validation The process of checking a configuration for completeness, ensuring that all values are valid, and determining if all logical and physical references can be resolved.
vandal An executable file (usually an applet or an ActiveX control) associated with a Web page that is designed to be harmful, malicious, or at the very least inconvenient to the user. Because these applets or application programs can be embedded in any HTML file, they can also arrive as an email attachment or automatically as the result of being pushed to the user. Vandals can be viewed as viruses that can arrive over the Internet stuck to a Web page. Vandals are sometimes referred to as hostile applets.
A network that appears to be a single protected network behind firewalls, but which actually encompasses encrypted virtual links over untrusted networks.
virus A piece of programming code inserted into other programming to cause some unexpected and, for the victim, usually undesirable event. Viruses can be transmitted by downloading programming from other sites or can be present on a diskette. The source of the file you are downloading or of a diskette you have received is often unaware of the virus. The virus lies dormant until circumstances cause the computer to execute its code. Some viruses are playful in intent and effect, but some can be harmful, erasing data or causing your hard disk to require reformatting.
VPN (virtual private network) A network that has characteristics of a private network such as a LAN, but which is built on a public network such as the Internet. VPNs allow organizations to implement private networks between geographically separate offices and remote or mobile employees by means of encryption and tunneling protocols.
vulnerability A design, administrative, or implementation weakness or flaw in hardware, firmware, or software. If exploited, it could lead to an unacceptable impact in the form of unauthorized access to information or disruption of critical processing.
A weakness or flaw that lets a human threat exploit or compromise a network or system.
WAP (Wireless Application Protocol) An open global standard for communications between a mobile handset and the Internet or other computer applications, as defined by the WAP Forum.
A message that informs the user that performing an action can or will result in data loss on the user's system.
watchdog process A strategy for supporting failover, high availability, and redundancy. The watchdog process deploys a group of Network Security nodes in a hierarchical group so that one is active and the remaining are standby. If the active node fails, a standby node takes its place so that the transition is seamless.
An attack from the outside that is aimed at Web server vulnerabilities.
A denial of service attack that specifically targets a Web server.
A symbol that enables multiple matching values to be returned based on a shared feature.
worm A special type of virus. A worm does not attach itself to other programs like a traditional virus, but creates copies of itself, which create even more copies.
wrap A program's ability to continue displaying information on a new line or page when the end of a line or page is reached.
WWW (World Wide Web) An application on the Internet that allows for the exchange of documents formatted in Hypertext Markup Language (HTML), which facilitates text, graphics, and layout. The World Wide Web is also a system of Internet servers that support specially formatted documents.
X.509 The most widely used standard for defining digital certificates. X.509 is actually an ITU Recommendation, which means that it has not yet been officially defined or approved.
zero-day detection The ability to detect newly emerging, previously unknown, variant, and/or polymorphic exploits as they occur, without requiring prior exposure or signatures.
zombie A computer that is used by hackers to attack the computers that they are targeting for denial of service. The legitimate user of the zombie may not be aware that the computer has been controlled by the hacker; however, if the computer is used to launch a damaging attack, the legitimate user may be investigated or held legally responsible.
Acronyms
This section defines acronyms used in this guide to categorize attack elements and system elements.
ACL Access Control List
AF Analysis Framework, a Symantec Network Security component
API Application programming interface
ASN Abstract Syntax Notation
BTO Build-to-order
CF Compact flash
CGI Common Gateway Interface
CLI Command Line Interface
CPU Central Processing Unit
CSP Client server protocol
CTR Cisco Threat Response
CVE Common Vulnerabilities and Exposures
DDOS Distributed denial of service
DMZ Demilitarized Zone
DNS Domain Name System
DOS Denial of Service
DSX Dynamic Security Extension
EDP Event Dispatch Protocol
EHS External hostile structured threat
EHU External hostile unstructured threat
ESP Event Stream Provider, a Symantec Network Security component (Encapsulated Security Payload)
FDDI Fiber Distributed Data Interface
FQDN Fully qualified domain name
FTP File Transfer Protocol
GMT Greenwich Mean Time
GUI Graphical user interface
HMAC Hash Message Authentication Code
HTML HyperText Markup Language
HTTP HyperText Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
ICMP Internet Control Message Protocol
ICQ "I-Seek-You," an online instant messaging program
IDS Intrusion Detection System
IDWG Intrusion Detection Working Group
IETF Internet Engineering Task Force
IHS Internal hostile structured threat
IHU Internal hostile unstructured threat
IKE Internet Key Exchange
IM Instant Message
IMAP Internet Message Access Protocol
INS Internal nonhostile structured threat
INU Internal nonhostile unstructured threat
IO-APIC IO-Advanced Programmable Interrupt Controller
IP Internet Protocol
IPSec Internet Protocol Security
IRC Internet Relay Chat
ISDN Integrated Services Digital Network
ISP Internet service provider
JDBC Java Database Connectivity
L2F Layer Two Forwarding Protocol
LAN Local area network
LDAP Lightweight Directory Access Protocol
MAC Media Access Control
MIB Management Information Base
MIME Multipurpose Internet Mail Extensions
N/A Not Applicable
NACS NetWare Asynchronous Communication Services
NAR Network Address Retention
NASI NetWare Asynchronous Services Interface
NAT Network Address Translation
NCSA National Computer Security Association
NIC Network Interface Card
NIDS Network-based intrusion detection system
NNTP Network News Transfer Protocol
NOC Network Operation Center
NTP Network Time Protocol
ODBC Open Database Connectivity
OS Operating system
PAD Protocol Anomaly Detection
PAP Password Authentication Protocol
PGP Pretty Good Privacy
PIN Personal Identification Number
ping Packet Internet Groper
POP3 Post Office Protocol
PPP Point-to-Point Protocol
PRDP Policy Response Dispatch Protocol
QoS Quality of service
QSP Query Service Provider
RAM Random Access Memory
RIP Routing Information Protocol
ROM Read-only memory
S/MIME Secure/Multipurpose Internet Mail Extensions
SCP Secure Copy Protocol
SESA Symantec Enterprise Security Architecture
SLIP Serial Line Internet Protocol
SMF Standard Message Format
SMON See Monitored Interfaces
SMP Simple Management Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SPI Security Parameter Index
SQL Structured Query Language
SSH Secure Shell
SSL Secure Sockets Layer
STOP Stack Overflow Protection
STP Shielded Twisted Pair
TCP/IP Transmission Control Protocol/Internet Protocol
TTL Time to Live Protocol
UDP User Datagram Protocol
UPS Uninterruptible power supply
URL Uniform Resource Locator
UUCP UNIX-to-UNIX Copy
VLAN Virtual Large Area Network
WAP Wireless Application Protocol
XML eXtensible Markup Language
Index
Numerics
7100 Series. See appliances
A
access: controlling users 59; intent 203; managing users 59
accounts: about administration of 33; user 353; user login permissions 360
adding: appliance nodes 95; flow alert rules 163; in-line pairs 103; interface groups 101; LiveUpdates 307; location objects 87; monitoring groups 67; monitoring interfaces to software nodes 93; nodes 82; nodes and objects 86; objects 82; port mappings 197; protection policies 124, 125; report schedules 254; response rules 139; sample flow alert rule 164; signature variables 207; Smart Agent interfaces 111; Smart Agents 109; software nodes 89; user login accounts 55; user-defined signatures 201
adjusting: view by columns 123; view of incidents 215; view of policies 121
administration console. See Network Security console
administration service: node architecture 35
Administrators: about 354; pre-defined login account 224
advanced parameters: configuring 343, 346
alert manager: node architecture 35
alerting. See logging
alerts. See notifications
analysis: about 30; about correlation 30; about cross-node correlation 31; about event responses 35; about refinement rules 30; about Smart Agents 37; about the architecture 35; assigning priority level 143
annotating: entire policies 131; event instances 132; event types in a policy 132; events 131; incidents 232; policies 131
appliances: about 37; about blocking 38; about compact flash 40; about detection 38; about in-line mode 38; about interface groups 38; about LCD panel 39; about nodes and interfaces 88; about passive mode 38; about response 38; about serial console 40; about the 7100 Series 15; adding nodes 95
appliances (cont.): adding or editing in-line pairs 103; adding or editing interface groups 101; auto-negotiation 104; blocking override 119; clustering with software nodes 66; configuring link state 104; deleting nodes 311; deployment checklist 43; documentation 20; enabling blocking rules 128; fail-open 39; management via consoles 39; monitoring interfaces 99; node status indicator 81; parameters 344; powering off 54; queries from TrackBack 97; shutting down from the serial console 51; single-node deployment 62
applying: flow data collection 247; incident view during failover 327; LiveUpdates 305; parameters to nodes 344, 345; parameters to sensors 344; policies after failure 334; policies to interfaces 119; response rules to Decoy Server events 320; sensor parameters to objects 169; signature variables 209
applying user-defined signatures 201
architecture: about the core 25; about the management and detection 32; about the node 34; FlowChaser 37
archive: clearing automatically 280
archiving: configuring automatic 278; log files 279; logs 276
assigning: monitoring groups 67
attack responses. See responses
attacks: categories 142; flood-based 148; fragmentation 260; syn floods 156; target IP address 226, 228; traffic 279
Auto Update tab: about 117
automated response: architecture 137
availability: for single nodes 323; monitoring node 322
B
backing up: cluster-wide data 316; configurations 333; LiveUpdate configurations 308; on the Network Security console 333; protection policies 133; refreshing the configuration list 335; response rules database 141; Symantec Network Security 332; using compact flash 338; via compact flash 40; watchdog process 324
Bad Service Saturation Alert Threshold: setting sensor parameters 177
basic parameters: configuring 346
basic setup: advanced tuning 345
blocking: about 38; automatically 128, 131; disabling 128; enabling 128; in LiveUpdate 128, 131; overriding globally 119
bypass unit. See in-line
C
cancelling: changes to topology tree 84; LiveUpdate schedules 308; policy applications 121; reverting signature variables 209
category: about Wizard fields 203
changing: EDP 314
checklist: appliance-specific deployment 43; general deployment 42
cleartext: preventing passwords in 156
cloning: protection policies 125
Cluster ID: setting node parameters 289
cluster parameters: about 344
clusters: about deployment 61; about parameters 64; adding slave nodes 311; applying policies after setting masters 313; backing up 316; creating 309; deploying 65; licensing nodes 312; managing 309; monitoring groups 66; restarting sensors 315; software and appliance nodes 66; subclusters 66; synchronization with 313; synchronizing nodes 312; tracking data stream 154; upgrading 310
columns: adjusting the view of event types 123; selecting 226, 227; sorting incident data 216
communication: via EDP proxy 318; via QSP proxy 35
compact flash: about 40; backing up 338; backing up and restoring 337; restoring 338; saving configurations 339
Compression Command: setting node parameters 284
Compression On/Off Switch: setting node parameters 283
confidence: about Wizard fields 203; assigning levels 218, 219, 222; likelihood of attack 145; mapping level 228; response rules 145; setting level 145; viewing events 221
configuration: auto-negotiation enabling or disabling 104; via compact flash 40
console response action: configuring 160
console. See Network Security console, serial console, Symantec Decoy Server console, LCD panel
conventions: node description 79; node naming 79
copy ports. See monitoring interfaces
copying: configurations 334; event details 234; incident data and pasting 233; logs 276; top events 234
correlation: about 30; about cross-node analysis 31
Counter Number of Streak Packets: setting sensor parameters 180
creating: clusters 309; monitoring groups 67; policies 124; protection policies 124; response rules 154
cross-node correlation: loading events from 220
custom response actions: creating rules 154; failure to execute 224
customer IDs: devices 79
D
data events displayed 226, 228
data (cont.) exporting to syslog 293 incidents 214, 226 tracking stream 154 databases architecture 35 deleting user-defined signatures 205 forcing synchronization 85, 313 time delay while loading 45 DB Connection String setting node parameters 290 DB Password setting node parameters 292 DB User setting node parameters 291 deception device nodes 319 setting EDP passphrases 110 Decoy Server integrating with 320 launching from a new location 321 Decoy Server console launching from Network Security console 320 defining protection policies 124 signature variables 207 signatures 201 view of incidents 69 deleting configurations 335 flow alert rules 165 LiveUpdate schedules 308 log files 277 monitoring groups 68 nodes 83, 311 objects 83 passphrases 80 report schedules 256 response rules 141 saved reports 258 signature variables 208 user login accounts 56 user-defined protection policies 129 denial of service. See DoS deployment about clusters 61 about in-line mode 61 about passive mode 61 about single-node 61
deployment (cont.) appliance-specific checklist 43 clustering software and appliance nodes 66 general checklist 42 monitoring groups 66 node clusters 65 planning 61 single appliance node 62 single node 61, 62 slave node 311 Destination Directory for SCP setting node parameters 300 Destination Host for SCP setting node parameters 298 destination IP 204 destination port about Wizard fields 204 details viewing event types 123 viewing objects 76 detection about 167 about 7100 Series appliances 38 about architecture 26 about denial of service 29 about protocol anomaly detection 167 about refinement rules 168 about signature 168 about traffic rate monitoring 29 about user-defined signatures 28 adding or editing port mappings 197 adding or editing user-defined signatures 201 adding user-defined signatures 201 creating signature variables 207 deleting port mappings 197 deleting user-defined signatures 205 deselecting signatures 205 disabling signatures 205 external EDP 29 managing user-defined signatures 199 port mapping 196 protocol anomaly 27 removing signatures 205 signature 198 Symantec signatures 28, 198 upgrading signatures 203, 209 user-defined signatures 199 devices event data display 226, 228
Devices tab about 74 direction about Wizard fields 204 documentation 7100 Series 20 software 21 DoS about detection architecture 29 top Telnet event type 261 drill-down reports destination sources 264 devices with flow statistics 266 drill-down-only reports 266 event destinations 267 event details 266 event lists 266 event sources 267 events per day 263 events per hour 263 events per month 263 flows by destination address 267 flows by destination port 267 flows by protocol 267 flows by source address 267 flows by source port 267 incident details 266 incidents list 263 incidents per day 262 incidents per hour 262 incidents per month 262 source destinations 264 top blocked event types 261 top events 261, 262 top level 260 types 259
E
Echo Operational Log to Syslog setting node parameters 294 editing flow alert rules 164 in-line pairs 103 interface groups 101 LiveUpdates 307 location objects 87 monitoring interfaces on appliance nodes 99 monitoring interfaces on software nodes 93 network segments 112
editing (cont.) node numbers 314 node passphrases 314 objects in topology tree 83 port mappings 197 protection policies 125 report schedules 254 response rules 140 root password on serial consoles 58 secadm password 59 signature variables 207 Smart Agent interfaces 111 Smart Agents 109 software nodes 89 user passphrases 57 user-defined signatures 201 EDP about Event Dispatch Protocol 29 changing passwords 314 communicating with Smart Agents 110, 318 communication by proxy 318 detection architecture 29 Network Security node passphrase 318 setting passphrases 110 setting port numbers 318 EDP Port Number setting node parameters 318 ELS checking licenses 49 licensing clusters 312 email configuring incidents 235 format 267 incident data 236 initiation request failure 224 notification failure 224 notification messages 148 Enable BackOrifice Detection setting sensor parameters 173 Enable Flow Statistics Collection setting sensor parameters 171 Enable Full Packet Capture setting sensor parameters 171 Enable IPv4 Header Checksum Validation setting sensor parameters 172 Enable PLSC setting sensor parameters 184 Enable TCP Checksum Validation setting sensor parameters 172
Enable UDP Checksum Validation setting sensor parameters 173 Enable Watchdog Process setting node parameters 329 enabling Symantec Decoy Server 319 encoding about Wizard fields 204 Engine Updates about 303 Enterprise Licensing System checking licenses 49 licensing clustered nodes 312 errors compiling signatures 206 email initiation request failure 224 email notification failure 224 iButton 223 SNMP alert failure 224 SNMP initiation request failure 224 truncated SNMP message 224 ESP about node architecture 36 ethernet deploying failover groups through 328 Event Correlation Destination IP Weight setting node parameters 241 Event Correlation Destination Port Weight setting node parameters 243 Event Correlation Name Weight setting node parameters 239 Event Correlation Source IP Weight setting node parameters 240 Event Correlation Source Port Weight setting node parameters 242 Event Delay Time setting sensor parameters 173 Event Destination Hashes setting node parameters 348 Event Dispatch Protocol. See EDP Event Message Hashes setting node parameters 347 Event Queue Length setting node parameters 349 Event Rate Throttle setting node parameters 350 event source response rules 145
event target response rules 142 event types 142 adjusting the view by columns 123 searching response rules 140 viewing details 123 Event Writer File setting node parameters 285 events about event dispatch protocol 29 about event stream provider. See ESP annotating 232 annotating an instance 132 annotating policies 131 availability monitor 322 base 260 copying details 234 copying incidents top 234 customizing annotation templates 232 customizing responses 154 data displayed 226, 228 destination report 267 detail reports 266 email notifying 148 enabling logging 126 enabling SNMP notifications 152 examining data 220 filtering 229, 230 filtering tables 229, 230 integrating third-party 316 interpreting severity and confidence levels 221 list reports 266 modifying the view 47 modifying the view of types 47 next action parameter 146 none option 148 operational 223 protocol 267 report types 260 reporting per day 263 per hour 263 per month 263 response parameter 147 searching for types 121 selecting columns 227 SNMP notification 152 sorting 216
events (cont.) sorting by classful destination 264 sorting by classful source 264 sorting by protocol 264 sorting by vendor 264 source parameter 145, 146 source reports 267 target parameter 142 top blocked types 261 top destinations 261 top report type 261 top sources 262 TrackBack function 154 type parameters 142 viewing descriptions 222 viewing details 221 viewing non-logged 126 viewing top of incident 219 viewing top-level 220 export flow action response rules 161 exporting about SQL 365 data to syslog 293 log data 285 saved reports 257 to file 285 to SESA 286 to SQL 288 to syslog 293 external sensors queries from TrackBack 110
F
fail-open about 39, 62 failover configuring watchdog group 325 configuring watchdog parameters 328 viewing incidents during 327 failures applying policies after 334 See also errors setting maximum logins 59 fault tolerance watchdog process 324 files exporting logs to 285
filters applying to incident tables 229, 230 ignoring attacks 148 incident filter options 328 preserving incidents during fail-over 230 showing incidents from selected nodes 230 showing operational events 229 viewing incidents from all nodes 328 Flag for SCP Usage setting node parameters 298 floods advanced flood parameters 178 flow alert rules deleting 165 editing 164 providing a mask 165 using permits 166 viewing 163 flow statistics viewing 269 FlowChaser about 37 collecting flow status 247 configuring 248 FlowChaser Maximum Flows Per Device setting node parameters 248 FlowChaser Router Flow Collection Port setting node parameters 249 FlowChaser Router Flow Collection Threads setting node parameters 248 FlowChaser Sensor Threads setting node parameters 250 flows adding alert rules 163 alert rules 162 configuring FlowChaser 248 devices with statistics 266 enabling data collection 247 mask for alert rules 165 querying 267 replaying traffic 271 reports by destination address 267 reports by destination port 267 reports by protocol 267 reports by source address 267 reports by source port 267 sample alert rule 164 status collection 247 TrackBack 247
flows (cont.) traffic playback tool 271 using permit types 166 viewing current 268 viewing exported 270 font size setting in incident tables 216 forcing database synchronization 85, 313 formats report 259 From Address setting node parameter 149 Full Event List tab about 117
G
generating SSH keys 342 groups about interface groups 38 about monitoring groups 66 about user accounts 54
H
Hardware Compatibility Reference viewing 22 high availability watchdog process 324 host name SMTP server for email alerts 150, 151 Hostname Used For Email Notifications setting node parameter 151
I
iButton certificate expiration 223 See also software token signing rotated event log 282 token failure 223 ICMP Minimum Flows setting sensor parameters 181, 182 ICMP Number of Streak Packets setting sensor parameters 182 ICMP Saturation Alert Threshold setting sensor parameters 176
importing signatures 205 Incident Idle Time setting node parameters 237 Incident Unique IP Limit setting node parameters 239 incidents annotating events 232 configuring email 235 copying and pasting 233 copying top event 234 cross-node correlated details 220 customizing annotation templates 232 data 214, 226 details 266 emailing 236 examining data 217 filtering 229, 230 list 263 marking as viewed 231 modifying the view 47 parameters 237 printing 235 reporting 260 reporting per day 262 reporting per hour 262 reporting per month 262 saving data 233 selecting columns 227 selecting data to display 226 setting idle time 237 setting table font size 216 sorting events 216 viewing 326 viewing details 217 viewing flow statistics 269 viewing from monitoring groups 69 viewing top event 219 viewing top-level data 217 in-line about 16, 38, 62 about blocking 116 about bypass unit 17 about deployment 61 bypass unit 39 creating in-line pairs 103 creating interface groups 101 enabling blocking on in-line pairs 128 fail-open 39
in-line (cont.) overriding blocking on in-line pairs 119 permitting fail-open 328 sensor processes 36 setting policies to in-line pairs 119 in-line pairs adding or editing 103 on appliance nodes 98 inserting response rules 139 intent about Wizard fields 203 interface groups about 38, 62 adding or editing 101 on appliance nodes 98 interfaces about 7100 Series appliance 98 about Smart Agents 111 adding nodes 88 adding or editing Smart Agent 111 auto-negotiation 104 configuring link state 104 for external sensors 111 for nodes 88 monitoring on software nodes 92 name 80 IP Fragment Saturation Alert Threshold setting sensor parameters 177
J
JDBC Driver exporting to SQL databases 288 setting node parameters 289
K
Knowledge Base viewing 22
L
LCD panel about 39, 52 power off nodes 54 rebooting nodes 53 restarting nodes 53 setting lock 60 shutting down nodes 54
LCD panel (cont.) stopping nodes 54 unlocking 52 LCD screen. See LCD panel licenses checking status 49 checking via Network Security console 49 licensing clustered nodes 312 Limit Size for Archive Directory setting node parameters 280 Limit Size for Traffic Record Directory setting node parameters 281 link state configuring negotiation 104 LiveUpdate about 303, 304 adding or editing 307 applying 305 backing up configurations 308 blocking automatically 128, 131 deleting schedules 308 reverting schedules 308 scanning for available updates 305 setting the server 306 loads events button 220 location adding 87 editing 87 Location of SCP Binary setting node parameters 300 Lock LCD Screen setting node parameter 60 locking LCD panel 60 logging about 38 enabling rules 126 preventing cleartext passwords 156 viewing non-logged events 126 login adding user accounts 55 deleting user login accounts 56 editing user accounts 56 from Windows 45 history report 265 Network Security Administrator 224 Network Security console 223, 224
login (cont.) setting maximum failures 59 logs about 273 about install 273 about operational 274 archiving 276, 279 clearing directory 280 compressing files 282 copying 276 deleting 277 exporting data 285, 293 managing 274 managing operational 274 refreshing the list 277 rotating by size 280 rotating with SCP 297 secure copy protocol 297 setting automatic logging levels 278 viewing 274 viewing live 275
M
managed network segments about 112 managers alert 35 sensor 35 managing controlling user access 59 from the LCD panel 52 from the Network Security console 44 from the serial console 50 node clusters 309 report schedules 256 response rules 138 topology tree 80 user access 59 user login accounts 54, 55 user passphrases 57 via user interfaces 44 managing flow statistics 247 ManTrap. See Symantec Decoy Server mapping adding ports 197 deleting ports 197 event type to base event 260 event type to incident 263 gathering topology data 78
mapping (cont.) network sample 62, 78 ports 196 topology 76 your network 77 marking incidents as viewed 231 master nodes adding 89 adding appliance 95 adding or editing software 89 editing 82, 89 editing appliance 95 establishing 310 primary default 309 set as cluster master 310 match type about Wizard fields 204 maximum nodes in failover group 325 Maximum Incidents setting node parameters 238 Maximum IPv4 Fragment Reassembly Table Elements setting sensor parameters 185 Maximum Login Failures setting node parameter 59 Maximum Time to Streak Analysis setting sensor parameters 183 modes about alerting 38 about blocking 38 about cluster 61 about in-line 38, 61 about passive 38, 61 about single-node 61 monitoring flow statistics 247 node availability 322 traffic rate 29 monitoring groups assigning 67 choosing view 69 creating 67 deleting 68 deploying 66 renaming 68 monitoring interfaces adding or editing on software nodes 93
monitoring interfaces (cont.) editing on appliance nodes 99 on appliance nodes 98 on software nodes 92 MSAs. See Smart Agents MySQL event table 374 exporting to 288 incident table 372 using tables 372
N
name about Wizard fields 203 names interface 80 Network Security accessing the Network Security console 44 logging in 224 logging in as Administrator 224 login history 265 Network Security console about 32 accessing 44 backing up 333 changing font size 47 checking licenses and Security Updates 49 choosing view 46, 47 creating synchronization passphrases 80 expanding or collapsing view 46 launching from Windows 45 logging in 223 login 45 node status indicator 47 rebooting nodes 48 restoring 333 viewing 46 Network Security node about alert manager architecture 35 deployment checklist 42 QSP proxy architecture 35 sensor manager architecture 35 Network Security nodes starting and stopping from the Network Security console 47 stopping from the command line 48 networks about managed segments 112
networks (cont.) about monitoring interfaces on appliance nodes 100 editing managed segments 112 sample topology map 62, 78 topology map 77 viewing advanced options 91, 97 viewing the monitoring interface networks tab 94 next action configuring 146 response rules 146 node numbers changing 314 node parameters about 344 configuring 345 configuring basic 346 node status indicator appliance or software 81 nodes about appliances 37 about cross-node correlation 31 about parameters 64 about software and appliances 88 adding 82, 89 adding 7100 Series appliance nodes 95 adding interfaces 88 adding slaves to cluster 311 adding software nodes 89 administration service architecture 35 cluster deployment 65 customer IDs 79 database architecture 35 deleting 83, 311 description conventions 79 incident details 220 interface naming 80 modifying the view 46 monitoring groups 66 monitoring interfaces on software nodes 93 naming conventions 79 passphrase 79 rebooting from the LCD panel 53 rebooting from the Network Security console 48 rebooting from the serial console 51 restarting from the LCD panel 53 restarting from the serial console 50
nodes (cont.) shutting down 54 single node deployment 62 single-node appliance deployment 62 single-node availability 323 status indicator 47, 81 stopping from the LCD panel 54 stopping from the serial console 51 synchronization in cluster 313 synchronizing clustered 312 user name 79 viewing 46 viewing details 81 viewing status 81 none option configuring 148 non-logged viewing events 126 Notes tab annotating policies 117 notifications about alert manager 35 configuring email 148
O
objects adding 82 adding or editing Smart Agent 109 adding or editing Smart Agent interface 111 customer IDs 79 deleting 83 description conventions 79 editing 83 editing network segments 112 interface naming 80 naming conventions 79 types in topology tree 74 user name and passphrase 79 viewing 81 viewing details 76 offsets about Wizard fields 205 Operational Logging Level setting logging level 278 setting node parameters 278 operational logs about 274 event notice 223 sending copies to syslog 293
operational logs (cont.) setting parameter level 278 options configuring none 148 viewing advanced network 91, 97 Oracle event table 368 exporting to 288 incident table 366 using tables 366 Other Saturation Alert Threshold setting sensor parameters 177
P
Packet Counter Interval setting sensor parameters 179 PAD about 167 panel LCD 39 parameters about 64 about cluster 64 about clusters, nodes, and sensors 344 about node 64 about sensor 64 advanced 346 advanced sensor 184, 194 advanced sensor TCP engine 185 basic sensor 170 configuring advanced 343 configuring sensors 169 configuring watchdog 328 Event Correlation Name Weight 239 event source 145, 146 event target policy 142 event type 142 incident 237 operational logging level 278 response rules 141, 147 setting Bad Service Saturation Alert Threshold 177 setting Cluster ID 289 setting Compression Command 284 setting Compression On/Off Switch 283 setting Counter Number of Streak Packets 180 setting DB Connection String 290 setting DB Password 292 setting DB User 291
parameters (cont.) setting Destination Directory for SCP 300 setting Destination Host for SCP 298 setting Echo Operational Log to Syslog 294 setting EDP Port Number 318 setting email notification 149 setting Enable BackOrifice Detection 173 setting Enable Flow Statistics Collection 171 setting Enable Full Packet Capture 171 setting Enable IPv4 Header Checksum Validation 172 setting Enable PLSC 184 setting Enable TCP Checksum Validation 172 setting Enable UDP Checksum Validation 173 setting Enable Watchdog Process 329 setting Event Correlation Destination IP Weight 241 setting Event Correlation Destination Port Weight 243 setting Event Correlation Source IP Weight 240 setting Event Correlation Source Port Weight 242 setting Event Delay Time 173 setting Event Destination Hashes 348 setting Event Message Hashes 347 setting Event Queue Length 349 setting Event Rate Throttle 350 setting Event Writer File 285 setting Flag for SCP Usage 298 setting FlowChaser Maximum Flows Per Device 248 setting FlowChaser Router Flow Collection Port 249 setting FlowChaser Router Flow Collection Threads 248 setting FlowChaser Sensor Threads 250 setting From Address 149 setting Hostname Used For Email Notifications 151 setting ICMP Minimum Flows 181, 182 setting ICMP Number of Streak Packets 182 setting ICMP Saturation Alert Threshold 176 setting Incident Idle Time 237 setting Incident Unique IP Limit 239 setting IP Fragment Saturation Alert Threshold 177 setting JDBC Driver 289 setting Limit Size for Archive Directory 280
parameters (cont.) setting limit size for archive directory 280 setting Limit Size for Traffic Record Directory 281 setting Location of SCP Binary 300 setting Lock LCD Screen 60 setting Maximum Incidents 238 setting Maximum IPv4 Fragment Reassembly Table Elements 185 setting Maximum Login Failures 59 setting Maximum Time to Streak Analysis 183 setting Operational Logging Level 278 setting Other Saturation Alert Threshold 177 setting Packet Counter Interval 179 setting QSP Port Number 315 setting Remote Syslog Destination Host 295 setting Remote Syslog Destination Port 296 setting Reset Port 174 setting Saturation Counter Lapse Time 183 setting SESA Bridge Export 287 setting Signature Engine Max Backbuffer Size 185 setting Size to Trigger Rotation 280 setting Slow Scan Alert Threshold 176 setting Slow Scan Max Entry (days) 183 setting Slow Scan Maximum IP Addresses Limit 183 setting SMTP Server 150 setting SNMP Community String 153 setting SNMP Manager 153 setting Streak Interval 179 setting Subject Line 150 setting Syslog Event Export 293 setting Syslog Maximum Message Size 296 setting TCP 2MSL Timeout 188 setting TCP Default Window Size 189 setting TCP Flood Alert Threshold 175 setting TCP Flow Max Queued Segments 187 setting TCP Global max Queued Segments (Fast Ethernet) 187 setting TCP Global max Queued Segments (Gigabit) 188 setting TCP Keepalive Timeout 187 setting TCP Listening Flows Target Ratio 192 setting TCP Maximum Flow Table Elements (Fast Ethernet) 186 setting TCP Maximum Flow Table Elements (Gigabit) 186 setting TCP Minimum Flows 180
parameters (cont.) setting TCP Number of Streak Packets 180 setting TCP Opening Flows Target Ratio 192 setting TCP Retransmitted Segment Alert Minimum Magnitude 190 setting TCP Retransmitted Segment Alert Threshold 190 setting TCP Retransmitted SYN Alert Magnitude 192 setting TCP RST Quiet Period 189 setting TCP SYN Flood End Threshold 191 setting TCP SYN Flood Retransmission Timeout 191 setting Traffic Mode 173 setting TTL Allowed Variance for TCP over IPv4 193 setting TTL Allowed Variance for UDP over IPv4 195 setting TTL Change Timeout for TCP Over IPv4 193 setting TTL Change Timeout for UDP Over IPv4 196 setting UDP Connection Timeout 195 setting UDP Flood Alert Threshold 175 setting UDP Maximum Flow Table Elements (Fast Ethernet) 194 setting UDP Maximum Flow Table Elements (Gigabit) 194 setting UDP Minimum Flows 181 setting UDP Number of Streak Packets 181 setting UDP Saturation Alert Threshold 176 setting User Account for SCP 299 setting Watchdog Process Email 332 setting Watchdog Process Maximum Resets 330 setting Watchdog Process Restart Only 323, 331 setting Watchdog Process Stop Window 329 passive about 38 sensor processes 36 passive modes about deployment 61 passphrases changing node 314 collecting 79 deleting 80 editing 57 managing 57
passphrases (cont.) synchronizing 80 passwords editing 58 editing on serial consoles 58 editing secadm 59 preventing cleartext logging 156 pasting incident data 233 patches accessing sites 22 payload offset about Wizard fields 205 PDF saving console reports 260 permissions by group 354 by task 360 PLSC Propagate Link State Change parameter 184 policies about 31 about protection 115 adding 125 adding new 124 adjusting the view 121 annotating 131 applying to save 119 Auto Update tab 117 backing up 133 cloning 125 column view 123 creating 124 creating new 124 defining new 124 deleting user-defined 129 editing 125 enabling blocking 128 enabling logging rules 126 Full Event List tab 117 modifying the view 47 Notes tab 117 overriding blocking rules 119 Protection Policies tab 117 removing application 120 removing set to interfaces 120 responding to events 116 reverting applications 121 saving changes 119
policies (cont.) Search Events tab 117 searching event types 121 selecting pre-defined 118 setting to interfaces 119 unapplying 120 understanding the workarea 116 updating 129 using 117 viewing event type details 123 portable document format. See PDF ports adding or editing mappings 197 deleting mappings 197 flow reports by destination 267 flow reports by source 267 mapping 196 portscan top event type 261 powering off nodes from the serial console 51 primary default master node 309 printing incident data 235 reports 260 priority configuring levels 143 mapping level 228 processes about sensors 36 Product Updates about 303 accessing 22 protection policies about 31, 115 adding 125 adjusting the view 121 annotating 131 applying to save 119 Auto Update tab 117 backing up 133 cloning 125 column view 123 deleting user-defined 129 editing 125 enabling blocking 128 enabling logging rules 126 Full Event List tab 117
protection policies (cont.) Notes tab 117 overriding blocking rules 119 Protection Policies tab 117 removing application 120 removing set to interfaces 120 responding to events 116 reverting application 121 saving changes 119 Search Events tab 117 selecting pre-defined 118 setting to interfaces 119 unapplying 120 understanding the workarea 116 updating 129 using 117 using Search Events 121 viewing event type details 123 Protection Policies tab about 117 protocol about Wizard fields 204 protocol anomaly detection. See PAD protocols about anomaly detection architecture 27 adding mappings to supported 197 deleting mappings to supported 197 EDP 29 EDP proxy 110, 318 flow 266 flow reports by 267 list of events 264 matching event transport 160 moving logs with SCP 297 rotating logs with SCP 279 SCP 297
Q
QSP query service proxy. See QSP secure communication 35 setting port number for cluster 315 QSP Port Number setting cluster parameter 315 queries about 253 event type list 140 replaying traffic flow data 271 traffic playback tool 271
queries (cont.) viewing current flows 268 viewing exported flows 270
R
read-only RestrictedUser partial permissions 354 StandardUser permissions 354 user login permissions 360 read-only See passphrases read-write Administrator partial permissions 354 SuperUser permissions 354 user login permissions 360 read-write See passphrases rebooting nodes from the LCD panel 53 nodes from the Network Security console 48 nodes from the serial console 51 redundancy watchdog process 324 refinement about 30 detection rules method 168 Security Updates 304 regex about Wizard fields 205 Remote Syslog Destination Host setting node parameters 295 Remote Syslog Destination Port setting node parameters 296 renaming monitoring groups 68 reports about 253 about top-level and drill-down 258 adding or editing schedules 254 by event characteristics 264 deleting saved 258 deleting schedules 256 drill-down 266 exporting saved 257 format 259 managing scheduled 256 per event schedule 263 per incident schedule 262 per Network Security device 265 printing 260 querying flows 267
reports (cont.) refreshing list 255 replaying traffic flow 271 saving 260 scheduling 254 top events 261 top level 260 traffic playback 271 type 259 viewing current flows 268 viewing exported flows 270 viewing Flow Statistics 269 viewing saved 257 Reset Port setting sensor parameters 174 resetting signature variables 208 response actions command variables 155 enabling console 161 response rules 146 setting email notification parameters 149 TCP reset 157 using percent sign as argument 157 response rules 142 about automated 31 adding 139 color coding 139 configuring console response 160 custom response 154 database backup 141 editing 140 enabling SNMP notifications 152 event source parameters 145, 146 event target parameter 142 event type parameters 142 export flow action 161 inserting 139 managing 138 next action parameter 146 none option 148 parameters 141 response parameter 147 saving configurations 141 searching for event types 140 setting confidence levels 145 setting event sources 145 setting event targets 142 setting event types 142
response rules (cont.) setting next actions 146 setting response actions 146 setting TrackBack response actions 154 SNMP notification 152 TCP reset 157 TrackBack 154 viewing 138 responses about 31 about automated 137 adding flow alert rules 163 adding Smart Agent nodes 108 assigning priority levels 143 automated 137 configuring confidence level 145 configuring parameters 141 configuring priority 143 customizing arguments 156 customizing responses 154 deleting 141 email notifications 148 enabling automatic next action 146 failure of custom 224 flow alert rules 162 mask for flow alert rules 165 modifying response rules 140 monitoring service availability 322 none option 148 sample flow alert rule 164 setting parameters 147 setting SNMP notifications 152 setting TrackBack response actions 154 SNMP notifications 152 tracking data stream to source 154 traffic record 159 using permit types 166 viewing rules 138 restarting Network Security sensors 49 nodes from the LCD panel 53 nodes from the Network Security console 47 nodes from the serial console 50 sensors in a cluster 315 restoring configurations 335 existing configuration to cluster 337 existing configuration to node 337 on Network Security console 333
restoring (cont.) Symantec Network Security 332 using compact flash 338 via compact flash 40 RestrictedUser pre-defined login account 224 RestrictedUsers about 354 reverting changes to topology tree 84 LiveUpdate schedules 308 policy applications 121 signature variables 209 to original install 341 roles about administration of 33 creating user login accounts 55 deleting user login accounts 56 editing user login accounts 56 establishing user accounts 353 user login permissions 360 rotation clearing directories 280 moving logs 297 size-based logs 280 routers queries from TrackBack 107 rules about refinement 30 adding flow alert 163 blocking 119 flow alert 162 mask for flow alert 165 refinement detection 168 sample flow alert 164 using permit types 166
S
Saturation Counter Lapse Time setting sensor parameters 183 Save Changes topology tree 83 saving changes to response rules 141 changes to topology tree 83, 84 configurations to hard drive 340 incident data 233 initial configuration 339 initial configurations to compact flash 339
saving (cont.) reports 260 scans advanced scan parameters 178 scheduling deleting reports 256 refreshing report list 255 reports 254 SCP 297 rotating logs 279 transferring with 343 Search Events tab about 117 creating a subset of event types 121 secadm password editing 59 secure copy protocol. See SCP Security Updates about 303 security updates checking status 49 selecting protection policies 118 sensor manager node architecture 35 sensor parameters about 344 advanced flood and scan parameters 178 setting Enable PLSC 184 setting Packet Counter Interval 179 threshold 174 sensor processes definition 398 setting enable PLSC parameter 184 setting packet-counting interval 179 sensors about node architecture 36 about parameters 64 about sensor processes 36 advanced parameters 184 advanced TCP engine parameters 185 advanced UDP engine parameters 194 basic parameters 170 configuring parameters 169 restarting from Network Security console 49 restarting in a cluster 315 restarting or stopping 170 setting Enable PLSC parameter 184 setting Packet Counter Interval parameter 179
sensors (cont.) tweaking sensitivity 170, 184, 185, 194 serial console about 40, 50 editing root password 58 editing secadm passwords 59 powering off nodes 51 rebooting nodes 51 restarting nodes 50 shutting down nodes 51 stopping nodes 51 SESA exporting data to 286 integrating with 286 setting SESA Bridge Export 287 SESA Bridge Export setting node parameters 287 Set to Interfaces protection policies 119 removing or undoing 120 setting policies to interfaces 119 severity 143 about Wizard fields 203 mapping level 228 viewing events 221 shutting down appliance nodes from the serial console 51 appliances from the LCD panel 54 signature descriptions about Wizard fields 204 Signature Engine Max Backbuffer Size setting sensor parameters 185 signature variables applying 209 deleting 208 editing 207 resetting 208 reverting 209 viewing 207 signatures about 28 about detection 168 about user-defined 28 adding or editing user-defined 201 adding user-defined 201 creating global variables 207 deleting 205 deselecting 205
Index
429
signatures (cont.)
    detection by 198
    disabling 205
    importing 205
    managing 199
    removing 205
    resolving compile errors 206
    Symantec 28, 198
    upgrading 203, 209
    user-defined 199
    variables 206
    viewing 199
size to trigger
    editing log rotation size 280
Size to Trigger Rotation
    setting node parameters 280
slave nodes
    adding 89
    adding appliance 95
    adding or editing software 89
    creating topology tree 89
    editing 89
    editing appliance 95
    setting passphrase 90, 96
    synchronizing 309
Slow Scan Alert Threshold
    setting sensor parameters 176
Slow Scan Max Entry (days)
    setting sensor parameters 183
Slow Scan Maximum IP Addresses Limit
    setting sensor parameters 183
Smart Agents
    about 37, 108
    about interfaces 111
    adding external sensor nodes 108
    adding or editing 109
    communicating via EDP proxy 318
    communicating with Symantec Network Security 110, 318
    third-party integration 316
SMTP Server
    node parameter 150
sniffer. See sensor processes
SNMP
    alert failure 224
    configuring notification 152
    request failure 224
    truncated message 224
SNMP Community String
    setting node parameters 153
SNMP Manager
    setting node parameters 153
software
    about parameters 344
    about the node architecture 34
    accessing Knowledge Base 22
    adding nodes 89
    adding or editing nodes 89
    clustering with appliances 66
    deleting nodes 311
    documentation 21
    node status indicator 81
    queries from TrackBack 91
    viewing Hardware Compatibility Reference 22
sorting
    incident data 216
source destination
    reports 264
source IP
    about Wizard fields 204
source port
    about Wizard fields 204
SQL
    exporting parameters 365
    setting up export 365
SSH keys
    generating 342
StandardUser
    pre-defined login account 224
StandardUsers
    about 354
standby nodes
    about failover 65
    configuring high availability 324
    creating failover groups 325
    node numbers 314
    watchdog process 324
state
    configuring link negotiation 104
stateful signatures. See signatures
statistics
    devices with flow 266
stopping
    end time 218
    incident response 148
    nodes from the command line 48
    nodes from the LCD panel 54
stopping (cont.)
    nodes from the Network Security console 47
    nodes from the serial console 51
Streak Interval
    setting sensor parameters 179
Subject Line
    node parameter 150
SuperUsers
    about 354
Symantec Decoy Server
    external sensors 319
    integrating with Symantec Network Security 108, 317
    launching via Network Security 319
Symantec Decoy Server console
    launching from Network Security console 320
Symantec Network Security
    about analysis 30
    about database architecture 35
    about detection 26
    about response 31
    about software features 17
    about the 7100 Series 15
    about the core architecture 25
    about the node architecture 34
    accessing patch site 22
    accessing the Network Security console 44
    adding nodes 89
    detection architecture 32
    management architecture 32
    software documentation 21
Symantec signatures. See signatures
synchronizing
    automatic 313
    forcing 85, 313
    nodes in a cluster 312
    passphrases 80
    slave nodes 309
synflood
    top event type 261
syslog
    exporting data to 293
    exporting to 293
Syslog Event Export
    setting node parameters 293
Syslog Maximum Message Size
    setting node parameters 296
T
tabs
    about Advanced Network Options tab 91, 97
    about Auto Update tab 117, 129
    about Devices tab 33, 74, 214
    about Full Event List tab 117
    about Incidents tab 33, 214
    about Networks tab 94, 100
    about Notes tab 117, 131
    about Policies tab 33
    about Protection Policies tab 117
    about Search Events tab 117, 121
TCP 2MSL Timeout
    setting sensor parameters 188
TCP Default Window Size
    setting sensor parameters 189
TCP Flood Alert Threshold
    setting sensor parameters 175
TCP Flow Max Queued Segments
    setting sensor parameters 187
TCP Global max Queued Segments (Fast Ethernet)
    setting sensor parameters 187
TCP Global max Queued Segments (Gigabit)
    setting sensor parameters 188
TCP Keepalive Timeout
    setting sensor parameters 187
TCP Listening Flows Target Ratio
    setting sensor parameters 192
TCP Maximum Flow Table Elements (Fast Ethernet)
    setting sensor parameters 186
TCP Maximum Flow Table Elements (Gigabit)
    setting sensor parameters 186
TCP Minimum Flows
    setting sensor parameters 180
TCP Number of Streak Packets
    setting sensor parameters 180
TCP Opening Flows Target Ratio
    setting sensor parameters 192
TCP reset 157
TCP Retransmitted Segment Alert Minimum Magnitude
    setting sensor parameters 190
TCP Retransmitted Segment Alert Threshold
    setting sensor parameters 190
TCP Retransmitted SYN Alert Magnitude
    setting sensor parameters 192
TCP RST Quiet Period
    setting sensor parameters 189
TCP SYN Flood End Threshold
    setting sensor parameters 191
TCP SYN Flood Retransmission Timeout
    setting sensor parameters 191
third-party integration
    events 316
    Smart Agents 37
    via Decoy Server 317, 319
    via Smart Agents 316
time
    setting incident idle 237
tool tips
    annotating policies 131
topology
    adding external sensor device nodes 109, 113
    adding external sensor interfaces 111
    adding locations 87
    adding nodes and objects 86
    adding router device interface nodes 108
    adding router nodes 106
    adding Symantec Decoy Server nodes 319
    backing up 85
    deleting nodes 83
    editing locations 87
    editing nodes 83
    establishing the database 80
    gathering information for map 78
    managing the tree 80
    mapping 76
    modifying the view 46
    numbering nodes 311
    populating the tree 80, 82
    saving changes 84
    saving changes to 83
    saving or reverting changes 84
    viewing 46
    viewing node details 81
    viewing node status 81
topology tree
    objects in 74
    saving changes 84
TrackBack
    about 18, 19
    configuring 154
    flow data collection 247
    limitation with Traffic Record 160
    querying appliance nodes 97
    querying external sensors 110
    querying routers 107
TrackBack (cont.)
    querying software nodes 91
    setting response action 154
traffic
    about rate monitoring 29
    configuring record response 159
    playback tool 271
    record response 159
    replaying recorded 271
    viewing current flows 268
    viewing exported flows 270
Traffic Mode
    setting sensor parameters 173
Traffic Record
    limitation with TrackBack 160
transferring
    using SCP 343
transit types
    about Wizard fields 204
TTL Allowed Variance for TCP over IPv4
    setting sensor parameters 193
TTL Allowed Variance for UDP over IPv4
    setting sensor parameters 195
TTL Change Timeout for TCP Over IPv4
    setting sensor parameters 193
TTL Change Timeout for UDP Over IPv4
    setting sensor parameters 196
U
UDP Connection Timeout
    setting sensor parameters 195
UDP Flood Alert Threshold
    setting sensor parameters 175
UDP Maximum Flow Table Elements (Fast Ethernet)
    setting sensor parameters 194
UDP Maximum Flow Table Elements (Gigabit)
    setting sensor parameters 194
UDP Minimum Flows
    setting sensor parameters 181
UDP Number of Streak Packets
    setting sensor parameters 181
UDP Saturation Alert Threshold
    setting sensor parameters 176
undoing
    changes to topology tree 84
    LiveUpdate schedules 308
    policy applications 121
    reverting signature variables 209
unlocking
    LCD panel 52
updating
    protection policies 129
    scanning for LiveUpdates 305
    Symantec Network Security 303
upgrading
    node clusters 310
User Account for SCP
    setting node parameters 299
user accounts
    creating 55
    definition 353
    deleting 56
    editing 56
    establishing 54, 353
    logged actions 61
user-defined signatures
    about 28
    deleting user-defined signatures 205
user-defined signatures. See also signatures
users
    about administration of 33
    controlling access of 59
    editing passphrases 57
    locking LCD screen 60
    login accounts 353
    login history 265
    managing access 54, 59
    name 79
    Network Security console login 224
    permissions 360
    setting maximum login failures 59
    SuperUser login 223
    tracking activities 61
V
variables
    about default 206
    creating for signatures 207
    response command 155
    signatures 206
viewing
    adjusting policies 121
    changing font size 47
    color-coded response rules 139
    configuration files 341
    event descriptions 222
    event details 221
    expanding and collapsing the view 46
    flow alert rules 163
    incident details 217
    incidents and events 215
    live logs 275
    logs 274
    marking as viewed 231
    monitoring groups 69
    Network Security console 46
    object details 76
    objects 81
    response rules 138
    saved reports 257
    severity and confidence levels of events 221
    signature variables 207
    signatures 199
    top event of incident 219
    top-level events 220
    top-level incident data 217
    topology 46, 47
VLAN
    specifying rules 145
W
watchdog process
    adding failover groups 325
    high availability 324
    preserving incidents 326
    viewing incidents 327
Watchdog Process Email
    setting node parameters 332
Watchdog Process Maximum Resets
    setting node parameters 330
Watchdog Process Restart Only
    setting node parameters 323, 331
Watchdog Process Stop Window
    setting node parameters 329
watchdog processes
    configuring parameters 328
Windows
    launching Network Security console 45
writing
    about Wizard fields 203
    summary via the Wizard 200