
Symantec Network Security Administration Guide



The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version 4.0 PN: 10268960

Copyright Notice
Copyright 2004 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks
Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are U.S. registered trademarks of Symantec Corporation. Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks of Symantec Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Windows is a registered trademark, and 95, 98, NT and 2002 are trademarks of Microsoft Corporation. Pentium is a registered trademark of Intel Corporation. Sun is a registered trademark, and Java, Solaris, Ultra, Enterprise, and SPARC are trademarks of Sun Microsystems. UNIX is a registered trademark of UNIX System Laboratories, Inc. Cisco and Catalyst are registered trademarks of Cisco Systems, Inc. Foundry is a registered trademark of Foundry Networks. Juniper is a registered trademark of Juniper Networks, Inc. iButton is a trademark of Dallas Semiconductor Corp. Dell is a registered trademark of Dell Computer Corporation. Check Point and OPSEC are trademarks and FireWall-1 is a registered trademark of Check Point Software Technologies, Ltd. Tripwire is a registered trademark of Tripwire, Inc.

Symantec Network Security software contains/includes the following Third Party Software from external sources: "bzip2" and associated library "libbzip2," Copyright 1996-1998, Julian R Seward. All rights reserved. (http://sources.redhat.com/bzip2). "Castor," ExoLab Group, Copyright 1999-2001 Intalio, Inc. All rights reserved. (http://www.exolab.org).

Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages
- Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:

- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description
- Error messages/log files
- Troubleshooting performed prior to contacting Symantec
- Recent software configuration changes and/or network changes

Customer Service
To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on Symantec Value License Program
- Advice on Symantec's technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals

Contents


Section 1 Overview

Chapter 1 Introduction

About the Symantec Network Security foundation
    About the Symantec Network Security 7100 Series
    About other Symantec Network Security features
Finding information
    About 7100 Series appliance documentation
    About Network Security software documentation
    About the Web sites
    About this guide

Chapter 2 Architecture

About Symantec Network Security
About the core architecture
    About detection
    About analysis
    About response
About management and detection architecture
    About the Network Security console
    About the node architecture
    About the 7100 Series appliance node

Chapter 3 Getting started

Getting started
General checklist
    General software and appliance checklist
    Additional appliance-specific checklist
About the management interfaces
    Using the Network Security console
    Using the serial console
    Using the LCD panel


Managing user access
    Managing user login accounts
    Managing user passphrases
    Controlling user access
Planning the deployment
Deploying single nodes
    Deploying a single Network Security software node
    Deploying a single 7100 Series appliance node
    Configuring single-node parameters
Deploying node clusters
    Deploying software and appliance nodes in a cluster
    Monitoring groups within a cluster

Section 2 Initial Configuration

Chapter 4 Populating the topology database

About the network topology
    About the Devices tab
    About topology mapping
Managing the topology tree
    Viewing auto-generated objects
    Viewing node details
    Viewing node status
    Adding objects for the first time
    Editing objects
    Deleting objects
    Reverting changes
    Saving changes
    Forcing nodes to synchronize
    Backing up changes
Adding nodes and objects
    About location objects
    About nodes and interfaces
    About Network Security software nodes
    About 7100 Series appliance nodes
    About router objects
    About Smart Agents
    About managed network segments

Chapter 5 Protection policies

About protection policies
    Responding to malicious or suspicious events


    Understanding the protection policy work area
Using protection policies
    Selecting pre-defined policies
    Setting policies to interfaces
    Applying to save changes
    Overriding blocking rules globally
    Undoing policy settings
Adjusting the view of event types
    Searching to create a subset of event types
    Adjusting the view by columns
    Viewing event type details
Defining new protection policies
    Adding or editing user-defined protection policies
    Cloning existing protection policies
    Enabling or disabling logging rules
    Enabling or disabling blocking rules
    Deleting user-defined protection policies
Updating policies automatically
Annotating policies and events
Backing up protection policies

Chapter 6 Responding

About response rules
About automated responses
Managing response rules
    Viewing response rules
    Adding new response rules
    Editing response rules
    Searching event types
    Deleting response rules
    Saving or reverting changes
    Backing up response rules
Setting response parameters
    Setting event targets
    Setting event types
    Setting severity levels
    Setting confidence levels
    Setting event sources
    Setting response actions
    Setting next actions
Setting response actions
    Setting no response action
    Setting email notification


    Setting SNMP notification
    Setting TrackBack response action
    Setting a custom response action
    Setting a TCP reset response action
    Setting traffic record response action
    Setting a console response action
    Setting export flow response action
Managing flow alert rules
    Viewing flow alert rules
    Adding flow alert rules
    Editing flow alert rules
    Deleting flow alert rules

Chapter 7 Detecting

About detection
Configuring sensor detection
    Configuring sensor parameters
    Restarting or stopping sensors
    Basic sensor parameters
    Basic flood and scan parameters
    Advanced flood and scan parameters
    Other advanced parameters
    Advanced TCP engine parameters
    Advanced UDP engine parameters
Configuring port mapping
Configuring signature detection
    About Symantec signatures
    About user-defined signatures
    Managing signatures
    Managing signature variables

Section 3 Using Symantec Network Security

Chapter 8 Monitoring

About incident and event data
    Viewing incident and event data
    Adjusting the view
Examining incident and event data
    Examining incident data
    Examining event data
Managing incident and event data
    Selecting columns


    Selecting view filters
    Marking and annotating
    Saving, copying, and printing data
    Emailing incident or event data
Tuning incident parameters
    Setting Incident Idle Time
    Setting Maximum Incidents
    Setting Incident Unique IP Limit
    Setting Event Correlation Name Weight
    Event Correlation Source IP Weight
    Event Correlation Destination IP Weight
    Event Correlation Source Port Weight
    Event Correlation Destination Port Weight
Tuning operational event parameters
    High CPU Load Logging Interval
    Sensor No Traffic Detected Logging Interval
    Sensor Dropped Packet Percentage Threshold
Monitoring flow statistics
    Enabling flow data collection
    Configuring FlowChaser

Chapter 9 Reporting

About reports and queries
Scheduling reports
    Adding or editing report schedules
    Refreshing the list of reports
    Deleting report schedules
    Managing scheduled reports
Reporting top-level and drill-down
    About report formats
    About report types
    About incident/event reports
    Printing and saving reports
About top-level report types
    Reports of top events
    Reports per incident schedule
    Reports per event schedule
    Reports by event characteristics
    Reports per Network Security device
    Drill-down-only reports
Querying flows
    Viewing current flows
    Viewing Flow Statistics


    Viewing exported flows
Playing recorded traffic
    Replaying recorded traffic flow data

Chapter 10 Managing log files

About the log files
    About the install log
    About the operational log
Managing logs
    Viewing log files
    Viewing live log files
    Archiving log files
    Copying log files
    Deleting log files
    Refreshing the list of log files
Configuring automatic archiving
    Setting automatic logging levels
    Archiving log files
    Compressing log files
Exporting data
    Exporting to file
    Exporting to SESA
    Exporting to SQL
    Exporting to syslog
    Transferring via SCP

Chapter 11 Advanced configuration

About advanced setup
Updating Symantec Network Security
    About LiveUpdate
    Scanning for available updates
    Applying updates
    Setting the LiveUpdate server
Scheduling live updates
    Adding or editing automatic updates
    Deleting automatic update schedules
    Reverting automatic update schedules
    Backing up LiveUpdate configurations
Managing node clusters
    Creating a new cluster
    Managing an established cluster
    Setting a cluster-wide parameter


    Backing up cluster-wide data
Integrating third-party events
    Integrating via Smart Agents
    Integrating with Symantec Decoy Server
Establishing high availability failover
    Monitoring node availability
    Configuring availability for single nodes
    Configuring availability for multiple nodes
    Configuring watchdog processes
Backing up and restoring
    Backing up and restoring on the Network Security console
    Backing up and restoring on compact flash
Configuring advanced parameters
    About parameters for clusters, nodes, and sensors
    About basic setup and advanced tuning
    Configuring node parameters
    Configuring basic parameters
    Configuring advanced parameters

Section 4 Appendices

Appendix A User groups reference
About user groups ..... 353
Permissions by user group ..... 354
    Summary of permissions ..... 354
Permissions by task ..... 355
    Rebooting and restarting ..... 355
    Configuring at node or cluster level ..... 356
    Configuring at interface level ..... 357
    Viewing only ..... 359
    Master list of permissions by task ..... 360

Appendix B SQL reference
About SQL export parameters ..... 365
    Setting up SQL export ..... 365
Using Oracle tables ..... 366
    Oracle incident table ..... 366
    Oracle event table ..... 368
Using MySQL tables ..... 372
    MySQL incident table ..... 372
    MySQL event table ..... 374


Glossary
Acronyms
Index

Part I Overview
Symantec Network Security is a new generation of security software that provides an unprecedented ability to detect, analyze, and respond to network intrusions and prevent damage from attacks. Symantec Network Security contains multiple tools and techniques that work together to gather attack information, analyze the attacks, and then initiate an appropriate response. The Symantec Network Security 7100 Series is a family of highly scalable integrated hardware and software intrusion detection appliances, designed to detect and prevent attacks across multiple network segments at multi-gigabit speeds. The 7100 Series combines Symantec Network Security's powerful detection capabilities with robust hardware features and the convenience of an appliance. This section introduces you to the Symantec Network Security intrusion detection system, describes the architecture of the core Symantec Network Security software and the Symantec Network Security 7100 Series appliance, and outlines how to get started with basic deployment schemes, in the following chapters:

Introduction
Architecture
Getting started


Chapter 1

Introduction
This chapter includes the following topics:

About the Symantec Network Security foundation
Finding information

About the Symantec Network Security foundation


The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. This additional functionality is described in detail in each section. This section includes the following topics:

About the Symantec Network Security 7100 Series
About other Symantec Network Security features

About the Symantec Network Security 7100 Series


Symantec Network Security 7100 Series security appliances provide real-time network intrusion prevention and detection to protect critical enterprise assets from the threat of known, unknown (zero-day) and DoS attacks. The 7100 Series appliances employ the new and innovative Network Threat Mitigation Architecture that combines anomaly, signature, statistical and vulnerability detection techniques into an Intrusion Mitigation Unified Network Engine (IMUNE) that proactively prevents and provides immunity against malicious attacks including denial of service attempts, intrusions and malicious code, network infrastructure attacks, application exploits, scans and reconnaissance activities, backdoors, buffer overflow attempts and blended threats like MS Blaster and SQL Slammer.

In addition to the features it shares with the Symantec Network Security 4.0 software, the Symantec Network Security 7100 Series appliance offers:

In-line Operation: The 7100 Series appliance can be deployed in-line as a transparent bridge to perform real-time monitoring and blocking of network-based attacks. This ability to prevent attacks before they reach their targets takes network security to the next level over passive event identification and alerting. The 7100 Series appliance's One-Click Blocking feature enables users to automatically enable blocking on all in-line interfaces with the click of a single button, saving critical time in the event of worm attacks.

Policy-based Attack Prevention: Deployed in-line, the 7100 Series appliance is able to perform session-based blocking against malicious traffic, preventing attacks from reaching their targets. Predefined and customizable protection policies enable users to tailor their protection based on their security policies and business needs. Policies can be tuned based on threat category, severity, intent, reliability and profile of protected resources, and common or individualized policies can be applied per sensor for both in-line and passive monitoring.

Interface Grouping: 7100 Series appliance users can configure up to four monitoring interfaces as an interface group to perform detection of attacks for large networks that have asymmetric routed traffic. A single sensor handles all network traffic seen by the interface group, keeping track of state even when traffic enters the network on one interface and departs on another. This feature greatly increases the attack detection capacity of the 7100 Series and allows it to operate more effectively in enterprise network environments.

Dedicated Response Ports: The Symantec Network Security 7100 Series provides special network interfaces for sending anonymous TCP resets to attackers. With this configuration, network monitoring continues uninterrupted even when sending resets.

Reduced Total Cost of Solution: A single 7100 Series appliance can monitor up to eight network segments or VLANs. The Symantec Network Security 7100 Series reduces the cost of a network security solution by enhancing the security and reliability of the hardware, simplifying deployment and management, and providing a single point of service and support.

Flexible Licensing Options: Each model of the Symantec Network Security 7100 Series offers licensing at multiple bandwidth levels. Whether you deploy the appliance at a slow WAN connection or on your gigabit backbone, you can select the license that fits your needs.

Fail-open: When using in-line mode, the Symantec Network Security 7100 Series appliance is placed directly into the network path. The optional Symantec Network Security In-line Bypass unit provides fail-open capability to prevent an unexpected hardware failure from causing a loss of network connectivity. The Symantec In-line Bypass Unit provides a customized solution that will keep your network connected even if the appliance has a sudden hardware failure. See also About other Symantec Network Security features on page 17.

About other Symantec Network Security features


Symantec Network Security is highly scalable, and meets a range of needs for aggregate network bandwidth. Symantec Network Security reduces the total cost of implementing a complete network security solution through simplified and rapid deployment, centralized management, and cohesive and streamlined security content, service, and support. Symantec Network Security is centrally managed via the Symantec Network Security Management Console, a powerful and scalable security management system that supports large, distributed enterprise deployments and provides comprehensive configuration and policy management, real-time threat analysis, enterprise reporting, and flexible visualization. The Network Security Management System automates the process of delivering security and product updates to Symantec Network Security using Symantec LiveUpdate to provide real-time detection of the latest threats. In addition, the Network Security Management System can be used to expand the intrusion protection umbrella using the Symantec Network Security Smart Agents to provide enterprise-wide, multi-source intrusion management by aggregating, correlating, and responding to events from multiple Symantec and third-party host and network security products. Symantec Network Security provides the following abilities:

Multi-Gigabit Detection for High-speed Environments: Symantec Network Security sets new standards with multi-gigabit, high-speed traffic monitoring allowing implementation at virtually any level within an organization, even on gigabit backbones. On a certified platform, Symantec Network Security can maintain 100% of its detection capability at 2Gbps across 6 gigabit network interfaces with no packet loss.

Hybrid Detection Architecture: Symantec Network Security uses an array of detection methodologies for effective attack detection and accurate attack identification. It collects evidence of malicious activity with a combination of protocol anomaly detection, stateful signatures, event refinement, traffic rate monitoring, IDS evasion handling, flow policy violation, IP fragmentation reassembly, and user-defined signatures.

Zero-Day Attack Detection: Symantec Network Security's protocol anomaly detection helps detect previously unknown and new attacks as they occur. This capability, dubbed zero-day detection, closes the window of vulnerability inherent in signature-based systems that leave networks exposed until signatures are published.

Symantec Security Updates with LiveUpdate: Symantec Network Security now includes LiveUpdate, allowing users to automate the download and deployment of regular and rapid response Security Updates from Symantec Security Response, the world's leading Internet security research and support organization. Symantec Security Response provides top-tier security protection and the latest security context information, including exploit and vulnerability information, event descriptions, and event refinement rules to protect against ever-increasing threats.

Real-Time Event Correlation and Analysis: Symantec Network Security's correlation and analysis engine filters out redundant data and analyzes only the relevant information, providing threat awareness without data overload. Symantec Network Security gathers intelligence across the enterprise using cross-node analysis to quickly spot trends and identify related events and incidents as they happen. In addition, new user-configurable correlation rules enable users to tune correlation performance to meet the needs of their own organization and environment.

Full packet capture, session playback and flow querying capabilities: Symantec Network Security can be configured on a per-interface basis to capture the entire packet when an attack is detected so that you can quickly determine if the offending packet is a benign event that can be filtered or flagged for further investigation. Automated response actions can initiate traffic recording and flow exports, and you can query existing or saved flows as well as play back saved sessions to further assist in drill-down analysis of a security event.

Proactive Response Rules: Contains and controls the attack in real-time and initiates other actions required for incident response. Customized policies provide immediate response to intrusions or denial-of-service attacks based on the type and the location of the event within the network. Symantec Network Security implements session termination, traffic recording and playback, flow export and query, TrackBack, and custom responses to be combined with email and SNMP notifications to protect an enterprise's most critical assets.


Policy-Based Detection: Predefined policies speed deployment by allowing users to quickly configure immediate response to intrusions or denial-of-service attacks based on the type and the location of the event within the network. Independently configurable detection settings make it easy for users to create granular responses. Using the robust policy editor, users can quickly create monitoring policies that are customized to the needs of their particular environment. Policies can be applied at the cluster, node, or interface level for complete, scalable control.

Role-based Administration: Symantec Network Security provides the ability to define administrative users and assign them roles to grant them varying levels of access rights. Administrative users can be assigned roles all the way from full SuperUser privileges down to RestrictedUser access that only allows monitoring events without packet inspection capabilities. All administrative changes made from the Network Security console are logged for auditing purposes.

TrackBack and FlowChaser: Symantec Network Security incorporates sophisticated FlowChaser technology that uses flow information from both Network Security software nodes and 7100 Series appliance nodes, and from other network devices to trace attacks to the source.

Cost-effective Scalable Deployment: A single Network Security software node or 7100 Series appliance node can monitor multiple segments or VLANs. Each node can be configured to monitor up to 12 Fast Ethernet ports or 6 to 8 Gigabit Ethernet ports. As the network infrastructure grows, network interface cards can be added to the same node to support additional monitoring requirements.

High Availability Deployment: Network Security software nodes and 7100 Series appliance nodes can be deployed in a High Availability (H/A) configuration to ensure continuous attack detection without any loss of traffic or flow data in your mission-critical environment.

Centralized Cluster Management: A Symantec Network Security deployment can consist of multiple clusters, each cluster consisting of up to 120 nodes, and an entire Network Security cluster can be securely and remotely managed from a centralized management console. The Network Security console provides complete cluster topology and policy management, node and sensor management, incident and event monitoring, and drill-down incident analysis and reporting.

Enterprise Reporting Capabilities: Symantec Network Security provides cluster-wide, on-demand, drill-down, console-based reports that can be generated in text, HTML, and PDF formats and can also be emailed, saved, or printed. In addition, Symantec Network Security provides cluster-wide scheduled reports generated on the software and appliance nodes that can be emailed or archived to a remote computer using secure copy.

Symantec Network Security Smart Agents Technology: Symantec Network Security Smart Agents enable enterprise-wide, multi-source intrusion event collection, helping companies to expand the security umbrella and enhance the threat detection value of their existing security assets. Third-party intrusion events are aggregated into a centralized location, leveraging the power of the Symantec Network Security correlation and analysis framework, along with the ability to automate responses to intrusions across the enterprise. See also About the Symantec Network Security 7100 Series on page 15.

Finding information
You can find information about Symantec Network Security software and Symantec Network Security 7100 Series appliances in the documentation sets, on the product CDs, and on the Symantec Web sites. This section includes the following topics:

About 7100 Series appliance documentation
About Network Security software documentation
About the Web sites
About this guide

About 7100 Series appliance documentation


The documentation set for the Symantec Network Security 7100 Series includes:

Symantec Network Security 7100 Series Implementation Guide (printed and PDF). This guide explains how to install, configure, and perform key tasks on the Symantec Network Security 7100 Series.

Symantec Network Security Administration Guide (printed and PDF). This guide provides the main reference material, including detailed descriptions of the Symantec Network Security features, infrastructure, and how to configure and manage effectively.

Depending on your appliance model, one of the following:

    Symantec Network Security 7100 Series: Model 7120 Getting Started Card

    Symantec Network Security 7100 Series: Models 7160 and 7161 Getting Started Card

This card provides the minimum procedures necessary for installing, configuring, and starting to operate the Symantec Network Security 7100 Series appliance (printed and PDF).

Symantec Network Security 716x Service Manual (printed and PDF). This document provides instructions for removing the hard drive on the 7160 and 7161.

Symantec Network Security 7100 Series Product Specifications and Safety Information (printed and PDF). This document provides specifications for all 7100 Series models as well as safety warnings and certification information.

Symantec Network Security User Guide (PDF). This guide provides basic introductory information about Symantec Network Security software.

Symantec Network Security 7100 Series Readme (on CD). This document provides a feature summary, support and licensing information, key task tips, and provides a link to late-breaking information about the Symantec Network Security 7100 Series, including limitations, workarounds, and troubleshooting tips.

See also Finding information on page 20.

About Network Security software documentation


The documentation set for Symantec Network Security core software includes:

Symantec Network Security Getting Started (printed and PDF): This guide provides basic introductory information about the Symantec Network Security software product, an abbreviated list of system requirements, and a basic checklist for getting started.

Symantec Network Security Installation Guide (printed and PDF): This guide explains how to install, upgrade, and migrate Symantec Network Security software on supported platforms.

Symantec Network Security Administration Guide (printed and PDF): This guide provides the main reference material, including detailed descriptions of the Symantec Network Security features, infrastructure, and how to configure and manage effectively.

Symantec Network Security Signature Developers Guide (Web only): This guide contains detailed descriptions of the proprietary Symantec Network Security Signature Language and how to use it to create effective user-defined signatures to customize the detection system.

Symantec Network Security User Guide (PDF): This guide provides introductory information about Symantec Network Security core software for the user with read-only access.

Symantec Network Security Readme (on CD): This document provides the late-breaking information about Symantec Network Security core software, limitations, and workarounds.

See also Finding information on page 20.

About the Web sites


You can view the entire documentation set on the Symantec Network Security Web site, as well as the continually updated Hardware Compatibility Reference, Knowledge Base, and patch Web sites.

About the Knowledge Base


The Knowledge Base provides a constantly updated reference of FAQs and troubleshooting tips as they are developed. You can view the Knowledge Base on the Symantec Network Security Web site.

To view the Knowledge Base

1 Open the following URL: www.symantec.com/techsupp/enterprise/select_product_kb.html

2 Click Intrusion Protection > Symantec Network Security 4.0.

About the Hardware Compatibility Reference


The Symantec Network Security Hardware Compatibility Reference provides a detailed list of platforms supported by Symantec Network Security. You can view the Hardware Compatibility Reference on the Symantec Network Security Web site.

To view the Hardware Compatibility Reference

1 Open the following URL: www.symantec.com/techsupp/enterprise/select_product_manuals.html

2 Click Intrusion Protection > Symantec Network Security 4.0.

About the Product Updates site


The Product Update Site provides documentation for product updates (patches) as they are released. Product updates, signature updates, and engine updates are now released via LiveUpdate. You can view the available product update documentation on the Symantec Network Security Web site.


To view the Patch Site

1 Open the following URL: www.symantec.com/techsupp/enterprise/select_product_updates.html

2 Click Intrusion Protection > Symantec Network Security 4.0.

See also Finding information on page 20.

About this guide


This guide contains the following sections:

Part 1 Introduction: This section introduces you to the Symantec Network Security core intrusion detection system and the Symantec Network Security 7100 Series appliance, describes the architecture, and outlines a high-level setup and deployment scheme.

    Chapter 1 Introduction: Describes the Symantec Network Security intrusion detection system and the Symantec Network Security 7100 Series appliance, documentation, and alternative sources of information.

    Chapter 2 Architecture: Describes the system components, compatibility, and integration of Symantec Network Security.

    Chapter 3 Getting started: Describes deployment and setup options of a Symantec Network Security intrusion detection system.

Part 2 Getting Started: This section explains how to set up your Symantec Network Security intrusion detection system, populate a network topology database, configure basic detection capabilities, and establish initial protection and response policies.

    Chapter 4 Populating the topology database: Describes the initial network topology mapping process, and the information and procedures required to populate the topology database.

    Chapter 5 Protection policies: Describes Symantec Network Security's protection policies and how to customize and manage them.

    Chapter 6 Responding: Describes Symantec Network Security's response rules and flow alert rules, and how to customize and manage them.

    Chapter 7 Detecting: Describes Symantec Network Security's methods of intrusion, anomaly, and signature detection, and how to customize and manage them.

Part 3 Using Symantec Network Security: This section describes how to use Symantec Network Security to monitor your network, including interpreting incident and event output, generating reports and running queries, maintaining logs and databases, and fine tuning the intrusion detection system.

    Chapter 8 Monitoring: Describes the types of information displayed for incidents and their related events, and how to view incident data in the Network Security console.

    Chapter 9 Reporting: Describes the types of reports that Symantec Network Security can generate, and how to generate them.

    Chapter 10 Managing log files: Describes the Network Security log databases, and how to view, compress, save, export, and archive them.

    Chapter 11 Advanced configuration: Describes advanced procedures such as high availability, cluster management, and integrating data from third-party products.

    Appendix A User groups reference: Describes the four user groups and lists exact permissions available for each group.

    Appendix B SQL reference: Describes MySQL and Oracle support in a detailed table format.

Part 4 Appendices: This section contains detailed reference information.

    Glossary: Describes terminology used in this guide.

    Acronyms: Lists acronyms used in this guide.

See also Finding information on page 20.

Chapter 2

Architecture
This chapter includes the following topics:

About Symantec Network Security
About the core architecture
About management and detection architecture

About Symantec Network Security


This chapter describes the underlying architecture of both the Symantec Network Security core software and the Symantec Network Security 7100 Series appliances. It describes how the components work together to gather attack information, analyze behavior, and initiate effective responses. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.

About the core architecture


Symantec Network Security's challenges are to detect malicious or unauthorized behavior, to analyze the behavior, and to determine an appropriate response. Symantec Network Security provides a three-pronged approach to meet this challenge: detection, analysis, and response. The following diagram describes this basic approach:


Figure 2-1 Core Architecture of Symantec Network Security

[Diagram. Inputs: Network Traffic, External Sources (EDP). Detection: Protocol Anomaly Detection, Stateful Signatures, User-defined Signatures, DoS Detection, Scan Detection. Analysis: Refinement, Correlation, Policy Application. Response: Automated Response.]

This section describes the following topics:


About detection
About analysis
About response

About detection
Symantec Network Security uses multiple methods of threat detection that provide both broad and deep detection of network-borne threats. These include Protocol Anomaly Detection (PAD), traffic rate monitoring, and network pattern matching, or signature-based detection. Each of these methods has strengths and weaknesses. Signature-based approaches can miss new attacks; protocol anomaly detection can miss attacks that are not considered anomalies; traffic anomaly detection misses single-shot or low-volume attacks; and behavioral anomaly detection misses attacks that are difficult to differentiate from normal behavior. Symantec Network Security combines multiple techniques and technologies into a single solution. In addition, it adapts to the changing threat landscape by adopting new techniques and technologies that improve upon or replace existing ones.



Users can increase the detection capabilities by using Flow Alert Rules and adding user-defined signatures. Flow alert rules allow users to monitor network policy and respond to traffic to or from IP address and port combinations. User-defined signatures allow users to add network patterns to the supported set, and tune them to a specific network environment. Examples include monitoring proprietary protocols, searching for honey-tokens, or detecting disallowed application versions. Symantec Network Security can also integrate event data from third-party devices, enabling you to combine existing intrusion detection products with Symantec Network Security's high speed and zero-day attack detection capabilities. This section describes the layers of the detection model:

About protocol anomaly detection
About Symantec signatures
About user-defined signatures
Monitoring traffic rate
About DoS detection
About external EDP

About protocol anomaly detection


Symantec Network Security's Protocol Anomaly Detection (PAD) is a form of anomaly detection. PAD detects threats by noting deviations from expected activity, rather than known forms of misuse. Anomaly detection looks for expected or acceptable traffic, and alerts when it does not see it. This is the complement of a signature-based approach, which looks for abnormal, unexpected, or unacceptable traffic. Symantec Network Security provides in-depth models of the most frequently used network protocols, providing extensive detection capability that goes beyond simpler forms of protocol analysis. These models provide much deeper detection and fewer false positives because they are able to follow a client-server exchange throughout the life of the connection. For example, if a protocol defines the size of a field, and Symantec Network Security detects a field that breaches the defined size, it will trigger an alert. Symantec Network Security has overcome the issue of overly generic alerts, which is one of the major issues surrounding PAD. During a zero-day attack, a general PAD alert is often all that is possible. However, soon after a new threat is discovered, it is often identified by a name and assigned a unique identifier by authorities. These organizations publish descriptions of the threat and provide pointers to vendor patches or other remediation tools. When this happens, it is better to have specific threat identification instead of a protocol anomaly alert. Symantec Network Security provides event refinement to address this issue. Threats identified by PAD are further analyzed to determine if they are known or unknown. This processing is done after the traffic has been identified and recorded, so that it does not interfere with the detection performance. This provides the high performance of PAD with the granular identification of a signature matching engine.

About Symantec signatures


Symantec Network Security uses network pattern matching, or signatures, to provide a powerful layer of detection. Signature detection involves detecting threats by looking for a specific pattern or fingerprint of a known bad or harmful thing. This known-bad pattern is called a signature. These patterns are traditionally based on the observed network behavior of a specific tool or tools. Signature detection operates on the basic premise that each threat has some observable property that can be used to uniquely identify it. This can be based on any property of the particular network packet or packets that carry the threat. In some cases, this may be a literal string of characters found in one packet, or it may be a known sequence of packets that are seen together. In any case, every packet is compared against the pattern. Matches trigger an alert, while failure to match is processed as non-threatening traffic. Symantec Network Security uses signatures as a complement to PAD. The combination provides robust detection without the weaknesses of either PAD alone or signatures alone. Symantec Network Security's high performance is maintained by matching against the smallest set of signatures possible given the current context. Since many threats are detected and refined through the PAD functionality, Symantec Network Security minimizes the set of required signatures to maximize performance. Symantec Network Security also uses methods of rapid response in creating signatures that detect attempts to exploit new vulnerabilities as soon as they hit the network, independent of the exploit tool. This results in earlier prevention of threats and more complete coverage.

About user-defined signatures


Symantec Network Security provides the ability to define and apply user-defined signatures to tune Symantec Network Security to your particular environment. User-defined signatures significantly extend the functionality and allow you to leverage the power of Symantec Network Security, such as providing a flexible mechanism for making short-term updates during rapid outbreaks. Symantec Network Security provides an effective way to create, define, manage, and apply user-defined signatures from the Network Security console.

Monitoring traffic rate


Symantec Network Security detects malicious flow and traffic shape, provides multi-gigabit traffic monitoring, and maintains 100% of its detection capability on a fully saturated gigabit network. Symantec Network Security performs passive traffic monitoring on its detection interfaces. It uses this data to perform both aggregate traffic analysis and individual packet inspection. Individual packets are inspected and traffic is analyzed per interface. It also uses Netflow data that is locally collected, or forwarded from a remote device, to augment its traffic analysis. Symantec Network Security's aggregate analysis detects both denial-of-service and distributed denial-of-service attacks. These attacks are recognized as unusual spikes in traffic volume. Using the same data, Symantec Network Security can also recommend proper remediation of the problem. Beyond attack detection, Symantec Network Security uses traffic analysis to detect many information-gathering probes. It detects not only the common probing methods, but also many stealth modes that slip through firewalls and other defenses. For example, many firewalls reject attempts to send SYN packets, yet allow FIN packets. This gap is the basis of a common port scan method. Symantec Network Security recognizes this anomaly and triggers an alert.
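Two of the traffic-shape checks this section describes, written out as an added example (not the product's code) and run over constructed packet records: a FIN-only probe of many ports from a host for which the sensor never saw a SYN, and a per-second volume spike of the shape a flood presents. The thresholds, addresses and packet counts are assumptions chosen for the sample data.

```python
"""Added example of two traffic-shape checks, run over constructed packet
records. Not the product's code; thresholds are assumptions for the sample."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S" SYN, "SA" SYN/ACK, "F" FIN only


class FinScanDetector:
    """Flag a source that sends FIN-only packets to many ports on a host with
    which the sensor never saw a SYN: the stealth probe that slips past a
    firewall that rejects SYN but passes FIN."""

    def __init__(self, port_threshold: int = 5, window: float = 10.0):
        self.port_threshold = port_threshold
        self.window = window
        self._sessions: Set[Tuple[str, str, int]] = set()
        self._fin_hits: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
        self._alerted: Set[str] = set()

    def observe(self, p: Pkt) -> Optional[str]:
        key = (p.src, p.dst, p.dport)
        if "S" in p.flags:               # a SYN means a genuine session attempt
            self._sessions.add(key)
            return None
        if p.flags != "F" or key in self._sessions:
            return None
        hits = [(t, d) for t, d in self._fin_hits[p.src] if p.ts - t <= self.window]
        hits.append((p.ts, p.dport))
        self._fin_hits[p.src] = hits
        ports = {d for _, d in hits}
        if len(ports) >= self.port_threshold and p.src not in self._alerted:
            self._alerted.add(p.src)
            return f"fin-scan from {p.src}: {len(ports)} ports in {self.window:.0f}s"
        return None


def find_volume_spikes(pkts: List[Pkt], factor: float = 5.0,
                       min_baseline: float = 10.0) -> List[int]:
    """Return the 1-second buckets whose packet count exceeds `factor` times
    the mean of the preceding buckets (baseline floored at `min_baseline`)."""
    counts: Dict[int, int] = defaultdict(int)
    for p in pkts:
        counts[int(p.ts)] += 1
    spikes: List[int] = []
    seen: List[int] = []
    for sec in sorted(counts):
        if seen and counts[sec] > factor * max(sum(seen) / len(seen), min_baseline):
            spikes.append(sec)
        seen.append(counts[sec])
    return spikes


def build_sample() -> List[Pkt]:
    """Constructed traffic: ordinary sessions, a FIN probe of six ports, a flood."""
    pkts: List[Pkt] = []
    for sec in range(5):                                   # 20 ordinary packets/s
        for i in range(20):
            pkts.append(Pkt(sec + i / 20.0, f"10.0.0.{i + 1}", "10.0.1.10", 443,
                            "S" if i % 2 == 0 else "SA"))
    for i, port in enumerate([21, 22, 23, 25, 80, 110]):   # FIN-only probes, no SYN
        pkts.append(Pkt(1.0 + i * 0.1, "198.51.100.7", "10.0.1.10", port, "F"))
    for i in range(300):                                   # flood in second 5
        pkts.append(Pkt(5.0 + i / 300.0, "203.0.113.9", "10.0.1.10", 80, "S"))
    return sorted(pkts, key=lambda p: p.ts)


def run_detection(pkts: List[Pkt]) -> Tuple[List[str], List[int]]:
    """Run both checks over a packet list; returns (scan alerts, spike seconds)."""
    det = FinScanDetector()
    alerts = [a for a in (det.observe(p) for p in pkts) if a]
    return alerts, find_volume_spikes(pkts)
```

The FIN check keys on the absence of any session the sensor has seen, which is exactly what a FIN-only probe relies on; the volume check compares each second against the running mean rather than a fixed number, so the same code flags a spike on a quiet link and on a busy one.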

About DoS detection


Symantec Network Security provides passive traffic monitoring on its detection interfaces that allows it to detect a variety of DoS attacks such as flooding, resource reservation, and malformed traffic. Symantec Network Security also detects a variety of reconnaissance efforts, such as various forms of stealth scans.

About external EDP


The Event Dispatch Protocol (EDP) provides a generalized framework for sending events to software and appliance nodes for correlation, investigation, analysis, and response. Using EDP, Symantec Network Security can collect security data not only from its own sensors, but also from arbitrary third-party sources such as firewalls, IDS sensors, and host-based IDS devices. The process of integrating a third-party sensor generally involves three steps: collection, conversion, and transmission. First, Symantec Network Security collects the data from the third-party sensor in its usual collection format, such as flat text files, SNMP, and source APIs. Then Symantec Network Security converts the data from the native format to the Symantec Network Security format, and transmits the data to the software or appliance node. See About detection on page 167. See About Smart Agents on page 37.

About analysis
Symantec Network Security includes state-of-the-art correlation and analysis that filters out irrelevant information and refines only what is meaningful, providing threat awareness without data overload. Symantec Network Security correlates common events together within an incident to compress and relate the displayed information. This section describes the analysis mechanism in greater detail:

• About refinement
• About correlation
• About cross-node correlation

About refinement
Symantec Network Security detects both known and unknown (zero-day) attacks, using multiple detection technologies concurrently. Event refinement rules extend the Protocol Anomaly Detection capabilities. Symantec Network Security matches generic anomalies against a database of refinement rules, and for known attacks, reclassifies an anomaly event by retagging it with its specific name.

About correlation
Symantec Network Security uses event correlation, the process of grouping related events together into incidents. This produces a shorter, more manageable list to sift through. Some types of intrusions, such as DDoS attacks, generate hundreds of events. Others, such as buffer-overflow exploits, might generate only one event. Event correlation brings each key event to the forefront in an incident so that it remains visible despite floods of events from other activities. It automates the process of sorting through individual events and frees the user to focus on responding directly to the security incident. Symantec Network Security correlates security events (intrusions, attacks, anomalies, or any other suspicious activity), response action events (automated actions taken by Symantec Network Security in response to an attack), and operational events (action taken in the administration of the product, such as logging in or rotating logs).
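Event correlation as this section describes it, written out as an added example (not Symantec's implementation): events are grouped into incidents by source/target pair and time proximity, and each incident surfaces its highest-severity event, so one critical event is not buried by a flood of events from another activity. The event names, addresses and severities are constructed.

```python
"""Added example of event correlation: group events into incidents by
(src, dst) and time proximity; surface the key event of each incident.
Not Symantec's implementation; sample events are constructed."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Event:
    ts: float
    kind: str        # "security", "response" or "operational"
    name: str
    src: str         # "-" for operational events that have no network source
    dst: str
    severity: int


@dataclass
class Incident:
    id: int
    src: str
    dst: str
    events: List[Event] = field(default_factory=list)

    @property
    def last_ts(self) -> float:
        return max(e.ts for e in self.events)

    @property
    def key_event(self) -> Event:
        # Highest severity wins; ties go to the earliest event.
        return max(self.events, key=lambda e: (e.severity, -e.ts))


class Correlator:
    """An event joins the most recent incident with the same (src, dst) whose
    last event is within `window` seconds; otherwise it opens a new incident.
    Response events carry the src/dst of the attack they answer, so they land
    in the same incident as the security event that triggered them."""

    def __init__(self, window: float = 60.0):
        self.window = window
        self.incidents: List[Incident] = []

    def add(self, e: Event) -> Incident:
        for inc in reversed(self.incidents):
            if inc.src == e.src and inc.dst == e.dst and e.ts - inc.last_ts <= self.window:
                inc.events.append(e)
                return inc
        inc = Incident(len(self.incidents) + 1, e.src, e.dst, [e])
        self.incidents.append(inc)
        return inc


def build_sample_events() -> List[Event]:
    """Constructed stream: a 200-event flood, one overflow attempt, its
    automated response, and an operational login event."""
    evs = [Event(i * 0.1, "security", "syn-flood", "203.0.113.9", "10.0.1.10", 6)
           for i in range(200)]
    evs.append(Event(10.0, "security", "buffer-overflow-attempt", "198.51.100.7", "10.0.1.20", 9))
    evs.append(Event(10.1, "response", "tcp-reset", "198.51.100.7", "10.0.1.20", 0))
    evs.append(Event(12.0, "operational", "user-login", "-", "-", 0))
    return sorted(evs, key=lambda e: e.ts)


def correlate(events: List[Event]) -> List[Incident]:
    """Feed a time-ordered event list through the correlator."""
    c = Correlator()
    for e in events:
        c.add(e)
    return c.incidents
```

On the constructed stream, 203 events collapse to three incidents, and the single overflow attempt is the key event of its own incident even though it arrived in the middle of the flood.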


About cross-node correlation


Cross-node correlation is a feature that enables software and appliance nodes in a cluster to communicate with each other and to recognize when similar incidents are monitored by different nodes. Symantec Network Security collects events from both local and remote sources, and organizes the events into a single, rate-controlled stream. It compares new events to existing event groups, and judges similarity. It writes all events and analysis results to a local database, evaluates against protection and response policies, and then takes action if appropriate. If two peer nodes detect an attack, each node treats it as a separate incident and has no knowledge of what the other node detects. However, when Symantec Network Security applies cross-node correlation to the incidents detected by two nodes in a cluster, each adds a reference to the other and maintains awareness that this may be the same or a related attack. The Network Security console displays both as a single incident.

About response
Protection policies and response rules are collections of rules configured to detect specific events, and to take specific actions in response to them. Protection policies can take action at the point of detection. Using a 7100 Series appliance, you can configure Symantec Network Security to block events before they enter the network. Response rules can be configured to react automatically and immediately contain and respond to intrusion attempts. The response mechanism is described further in the following sections:

• About protection policies
• About response rules

About protection policies


Symantec Network Security applies protection policies to interfaces at the point of detection, before traffic enters the network. Each protection policy indicates the specific signatures that the sensor will hunt for on the applied interface, in addition to protocol anomaly detection events. If a 7100 Series appliance is deployed in-line, it can use blocking rules to prevent traffic from entering the network.

About response rules


Symantec Network Security's automated rule-based response system includes alerting, pinpoint traffic recording, flow tracing, session resetting, and custom responses on both the software and appliance nodes and the Network Security console. Symantec Network Security generates responses based on multiple criteria such as event targets, attack types or categories, event sources, and severity or confidence levels. Multiple responses can be configured for the same event type, as well as the order in which Symantec Network Security executes the responses. Symantec Network Security reviews each event, and iterates through the list of response rules configured by the user. It compares each event against configurable match parameters. If a match occurs on all parameters, it then executes the specified action. After Symantec Network Security processes one rule, it proceeds to one of three alternatives: to the rule indicated by the Next parameter, to a following rule beyond the Next rule, or it stops policy application altogether for this event.
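The rule walk just described, as an added example (not the product's rule engine): each rule carries match parameters, an action, and a Next setting that says whether evaluation continues with the following rule, jumps to a named later rule, or stops. The rule names, actions and events are constructed; treating "min_severity" and "min_confidence" as thresholds rather than exact matches is this example's choice.

```python
"""Added example of an ordered response-rule walk with continue / jump / stop
semantics. Not the product's engine; rules, actions and events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    name: str
    match: Dict[str, object] = field(default_factory=dict)
    action: str = "log"
    then: str = "continue"       # "continue", "stop", or the name of a later rule


def rule_matches(rule: Rule, event: Dict[str, object]) -> bool:
    """All parameters must match. 'min_severity'/'min_confidence' are
    thresholds; every other key is an exact comparison with the event."""
    for key, wanted in rule.match.items():
        if key == "min_severity":
            if event.get("severity", 0) < wanted:
                return False
        elif key == "min_confidence":
            if event.get("confidence", 0) < wanted:
                return False
        elif event.get(key) != wanted:
            return False
    return True


def apply_rules(rules: List[Rule], event: Dict[str, object]) -> List[str]:
    """Walk the ordered rule list and return the actions taken, in order."""
    index = {r.name: i for i, r in enumerate(rules)}
    actions: List[str] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not rule_matches(rule, event):
            i += 1
            continue
        actions.append(rule.action)
        if rule.then == "stop":
            break
        if rule.then == "continue":
            i += 1
            continue
        target = index[rule.then]
        if target <= i:            # only forward jumps, so evaluation always terminates
            raise ValueError(f"rule {rule.name!r}: Next must point to a later rule")
        i = target
    return actions


# Constructed example rule set, in evaluation order.
DEMO_RULES = [
    Rule("critical-alert", {"min_severity": 8}, "email-alert", "continue"),
    Rule("worm-record", {"category": "worm"}, "record-traffic", "notify-noc"),
    Rule("scan-log", {"category": "scan"}, "log-only", "stop"),
    Rule("notify-noc", {"min_confidence": 50}, "console-alert", "continue"),
    Rule("default", {}, "log", "stop"),
]
```

Restricting Next to later rules is a safety choice for the example: it rules out a cycle in which two rules point at each other and an event is never finished with.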

About management and detection architecture


Symantec Network Security combines two main physical components: management and detection. The management component, called the Network Security console, provides management functionality such as incident review, logging, and reporting. The detection component is available as a Network Security software node or a Symantec Network Security 7100 Series appliance node. Both are based upon the same basic architecture, and both provide detection, analysis, storage, and response functionality. The 7100 Series node includes the functionality of the Network Security software node, with additional unique functionality. This section describes the following components in greater detail:

• About the Network Security console
• About the node architecture
• About the 7100 Series appliance node

About the Network Security console


Symantec Network Security's administrative and management component is the powerful but easy-to-use Network Security console. It communicates over an encrypted and authenticated link to ensure that authorized administrators may log in from any secure or insecure network. The Network Security console manages all operations, including incident and event filtering, drill-down incident analysis, full packet capture, detailed event descriptions, and allows event annotations and incident marking for tracking. The Network Security console provides an interface from which you can monitor events and devices, edit parameters, configure response rules, apply protection policies, and view log data. You can generate reports and view them immediately in the Network Security console, or you can schedule them to generate automatically. The Network Security console contains three main tabs: the Devices tab, the Incidents tab, and the Policies tab.

• Devices tab: Provides a hierarchical tree view of the network topology, with a detailed summary of each device.
• Incidents tab: Provides detailed descriptions of incidents and events taking place in the monitored network, and can be drilled down to reveal detailed packet information.
• Policies tab: Provides the tools to create, manage, and apply user-defined signatures, signature variables, and protection policies.

Reporting in the Network Security console includes dynamic chart and graph generation, with information drill-down and data retrieval. Pre-defined reports can be saved and printed. Users can send flow queries and play back traffic sequences from the Network Security console as well.

About role-based administration


The Network Security console provides a simple yet powerful interface that is useful for all levels of administration, from the Network Operation Center (NOC) operator who watches for a red light, to the skilled security administrator who examines and analyzes packets. Four pre-defined user groups provide efficient management. Each group includes a set of permissions for specific management operations. Each user's login identity indicates their role and permission assignment during an administrative session. Symantec Network Security automatically installs a SuperUser login account that is authenticated with full administrative capabilities. The SuperUser can create additional login accounts in the following user groups:

• SuperUsers: A user authenticated with full administrative capabilities. This user is allowed to perform all administrative tasks that the Network Security console can execute.
• Administrators: A user authenticated with partial administrative capabilities. This user is allowed to perform most administrative tasks, with the exception of some advanced actions.
• StandardUsers: A user authenticated with full read-only capabilities. This user is allowed to view all information in the Network Security console.
• RestrictedUsers: A user authenticated with partial read-only capabilities. This user is allowed to view most information in the Network Security Console with the exception of some advanced information and network-sensitive data.

About the node architecture


The Network Security software node or 7100 Series appliance node contains a variety of tools and techniques that work together to gather attack information, analyze the attacks, and initiate responses appropriate to specific attack circumstances. The following diagram illustrates how Symantec Network Security's arsenal of tools work together to provide protection:

Figure 2-2 Core architecture of a software or appliance node (components shown: Sensor Manager, Admin Service (QSP Proxy), Alert Manager, Analysis, Databases, Event Stream Provider, Sensor Process, Smart Agent Receiver, FlowChaser)

The components of the core node architecture apply to both Network Security software nodes and 7100 Series appliance nodes as follows:

• About the alert manager
• About the sensor manager
• About the administration service
• About analysis
• About the databases
• About Event Stream Provider
• About sensor processes
• About Smart Agents
• About FlowChaser

About the alert manager


The Network Security Alerting Manager provides three types of alerts: a Network Security console action alert, an email alert, and an SNMP trap alert.

About the sensor manager


The Sensor Manager maintains a pool of sub-processes to manage sensor-related functionality. This includes sensor processes for event detection, traffic recording, and FlowChaser sub-processes that handle network device configuration, starting, and stopping.

About the administration service


All communication across the network passes through the QSP Proxy, an administration service with 256-bit AES encryption and passphrase authentication. This ensures that all communication between the Network Security console and the master node, and between software and appliance nodes within a cluster, is properly authenticated and encrypted. In addition, this service enforces role-based administration and thus prevents any circumvention of established access policy.

About analysis
Symantec Network Security's analysis framework aggregates event data on possible attacks from all event sources. The analysis framework also performs statistical correlation analysis on events to identify event patterns that vary significantly from usual network activity and to identify individual events that are highly related, such as a port scan followed closely by an intrusion attempt.

About the databases


Symantec Network Security provides multiple databases to store information about attacks, the network topology, and configuration information.

• Topology database: Stores information about local network devices and interfaces and the network configuration. Symantec Network Security uses this data to direct the FlowChaser toward the area of the network in which an attack occurs.
• Protection policy database: Stores the pre-defined protection policies that are installed with the product and those added through LiveUpdate, as well as any user-defined signatures.
• Response rule database: Stores the rules that define the actions to take when an attack is identified, the priority to give to the attack incidents, and the necessity for further investigation of the attack.
• Configuration database: Stores configurable parameters that SuperUsers and Administrators can use to configure tasks at the node level and to configure detection at the sensor level.
• Incident and event databases: Store information about events and incidents. The event log can be signed periodically by the iButton or soft token to verify that the log has not been tampered with or altered in any way. The iButton is a hardware device that safeguards the signature certificate and confirms the identity of a Network Security software node.
• LiveUpdate database: Stores data relevant for LiveUpdate.
• User database: Stores information about each user login account.

About Event Stream Provider


The Event Stream Provider (ESP) prevents event flood invasions by intelligently processing them in multiple event queues, based on key criteria. In this way, if multiple identical events bombard the network, the ESP treats the flood of events as a single unit. This prevents any one event type or event source from overloading a security administrator. Thus, the events that are forwarded are representative of the actual activity on the network. If it is necessary to drop events for stability and security, the ESP does so in a manner that loses as little important information as possible. If a second attack is hidden beneath the volume of an event flood attack, the events related to the hidden attack will differ from the flood events. Therefore, the ESP places these events in separate queues. The analysis framework can then analyze the events related to the hidden attack. In this way, Symantec Network Security analyzes and responds to both attacks quickly and effectively.
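The queueing idea just described, as an added example that is not Symantec's Event Stream Provider: each (event type, source) pair gets its own queue with a token-bucket rate limit, so a flood of identical events is forwarded as a few representative events that carry a count of what was folded into them, while a different event arriving in the middle of the flood sits in its own queue and goes through untouched. The rates, addresses and sample events are constructed.

```python
"""Added example: per-queue rate control over an event stream. Not the
product's ESP; rates and the sample events are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

QueueKey = Tuple[str, str]


class EventStreamProvider:
    def __init__(self, rate: float = 2.0, burst: int = 2):
        self.rate = rate                  # forwarded events per second per queue
        self.burst = burst                # tokens a quiet queue can save up
        self._bucket: Dict[QueueKey, Tuple[float, float]] = {}   # key -> (tokens, last_ts)
        self._folded: Dict[QueueKey, int] = defaultdict(int)
        self.forwarded: List[dict] = []

    def submit(self, ev: dict) -> bool:
        """Return True if the event was forwarded, False if folded into its queue."""
        key: QueueKey = (ev["type"], ev["src"])
        tokens, last = self._bucket.get(key, (float(self.burst), ev["ts"]))
        tokens = min(float(self.burst), tokens + (ev["ts"] - last) * self.rate)
        if tokens >= 1.0:
            tokens -= 1.0
            # The representative carries how many identical events it stands for.
            self.forwarded.append(dict(ev, folded=self._folded[key]))
            self._folded[key] = 0
            sent = True
        else:
            self._folded[key] += 1        # not dropped silently: counted
            sent = False
        self._bucket[key] = (tokens, ev["ts"])
        return sent

    def folded_count(self, key: QueueKey) -> int:
        """Events folded into this queue since its last forwarded representative."""
        return self._folded[key]


def build_stream() -> List[dict]:
    """Constructed: 1000 flood events over 10 s, with one unrelated event at t=5."""
    evs = [{"ts": i / 100.0, "type": "syn-flood", "src": "203.0.113.9"} for i in range(1000)]
    evs.append({"ts": 5.005, "type": "buffer-overflow-attempt", "src": "198.51.100.7"})
    return sorted(evs, key=lambda e: e["ts"])


def run_esp(events: List[dict]) -> Tuple[Dict[str, int], EventStreamProvider]:
    """Feed the stream through the ESP; return forwarded counts per type."""
    esp = EventStreamProvider()
    for e in events:
        esp.submit(e)
    counts: Dict[str, int] = defaultdict(int)
    for e in esp.forwarded:
        counts[e["type"]] += 1
    return dict(counts), esp
```

With a rate of two per second and a burst of two, the thousand flood events become roughly twenty representatives, and every folded event is accounted for in a count; the single overflow event in a different queue is forwarded the moment it arrives.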

About sensor processes


Symantec Network Security sensors can operate using in-line or passive mode, and using interface groups or single monitoring interfaces. In-line deployment and interface groups are possible using a Symantec Network Security 7100 Series appliance only. Independent of the deployment mode of a particular sensor, Symantec Network Security applies the same comprehensive detection strategy and protection, tuned to maximize detection while retaining network performance and reliability. For example, using in-line mode, the sensor tunes itself to minimize latency and maximize throughput across a pair of interfaces. Using interface groups, the sensor correctly adjusts itself to compensate for the fact that a single network session may be conducted using multiple, asymmetric links. Using single monitoring interfaces, the sensor batch-processes packets to maximize detection coverage.

About Smart Agents


Symantec Network Security Smart Agents (Smart Agents) combine an investment in first-generation network intrusion detection products with Symantec Network Security's high speed and zero-day attack detection capabilities. Using Smart Agents as the bridge between Symantec Network Security and other intrusion detection and firewall products, users can centralize management of events and incidents from the Network Security console. Smart Agents enable Symantec Network Security to collect data from third-party hosts and network IDS products in real time. Smart Agents collect event data from external sensors such as Symantec Decoy Server, as well as from third-party sensors, log files, SNMP, and source APIs. They send this data to be analyzed, aggregated, and correlated with all other Symantec Network Security events.

About FlowChaser
FlowChaser serves as a data source in coordination with TrackBack, a response mechanism that traces a DoS attack or network flow back to its source, or to the edges of an administrative domain. FlowChaser receives network flow data from multiple devices, such as Network Security sensors and network routers. FlowChaser stores the flow data in an optimized fashion that enhances analysis, correlation, and advanced responses.

About the 7100 Series appliance node


The Symantec Network Security 7100 Series is a dedicated, scalable appliance designed to monitor and protect multiple network segments at multi-gigabit speeds using Symantec Network Security software. The appliance provides advanced intrusion detection and prevention on enterprise-class networks. The Symantec Network Security 7100 Series runs an optimized, hardened operating system with limited user services to further increase security and performance.


The appliance provides all the functionality of a Network Security software node, with additional capabilities in the areas of detection, response, and management. This section describes the following topics:

• About detection on the 7100 Series
• About response on the 7100 Series
• About management on the 7100 Series

About detection on the 7100 Series


In addition to the detection facilities of Symantec Network Security software, the 7100 Series appliance provides a new detection feature called interface grouping.

About interface grouping


Interface grouping, also called port clustering, enables up to four monitoring interfaces to be grouped together as a single logical interface. This is especially useful in asymmetrically routed environments, where incoming traffic is seen on one interface and outbound traffic passes through another. Grouping the interfaces into one logical interface with a single sensor allows state to be maintained during the session, making it possible to detect attacks.

About response on the 7100 Series


An important new 7100 Series response capability is provided by the addition of in-line monitoring mode.

About in-line monitoring mode


In-line monitoring mode places the full capabilities of the Symantec Network Security 7100 Series directly into the network path, enabling you to detect and block malicious traffic before it enters your network. With an active sensor monitoring traffic on an in-line interface pair, all packets are examined in real time so that you can prevent intrusions from reaching their targets. By comparison, passive mode supplies monitoring, alerting, and response capabilities, while in-line mode provides all these plus proactive intrusion prevention.

About blocking or alerting mode


In-line mode protection policies are configurable so that you can choose to block and alert on designated events. You can easily switch between blocking and alerting in the Network Security console.

In blocking mode, all network traffic is examined by the Network Security detection software before it enters your network, and is blocked if malicious. When a protocol anomaly event or an event matching an enabled signature is detected, the offending packet is dropped. For TCP/IP traffic, a reset is sent to the TCP connection. In alerting mode, the Network Security detection software still analyzes all packets as they enter your network, but does not prevent an intrusion attempt from proceeding. You can configure a non-blocking protection policy to send a reset and an alert, based on event ID. With only alerting enabled under in-line mode, there is no risk of inadvertently blocking legitimate network traffic. The advantage of in-line alerting mode over operating in passive mode is that you can enable blocking with a single mouse-click from the Network Security console. You don't need to halt network traffic while changing cabling and configuration to switch between in-line alerting and blocking modes.

About fail-open
When you configure in-line mode on the Symantec Network Security 7100 Series appliance, you place the in-line interface pair directly into the network path. If the appliance or one of those interfaces has a hardware or software failure, all associated network traffic is blocked. You can avoid this risk with the addition of the 2 In-line Bypass unit or 4 In-line Bypass unit, custom fail-open devices available from Symantec specifically for the appliance. These devices provide the fail-open capability, allowing your network to stay up while you make repairs. At this time, the bypass units are only available for copper interfaces. There is currently no fail-open solution for the fiber interfaces of the appliance model 7161.

About management on the 7100 Series


The 7100 Series offers several management features in addition to those provided by the Network Security software, as follows:

• About the LCD panel
• About the serial console
• About the compact flash

About the LCD panel


The Symantec Network Security 7100 Series appliance is equipped with an LCD screen and push buttons on the front bezel. The screen can display two lines of sixteen characters each, and there are six buttons: four arrow buttons and two function buttons labeled s (start) and e (enter). You can use the LCD panel for initial configuration of your appliance. After initial configuration, the LCD screen displays system statistics in a rotating sequence, and provides a menu of tasks including stopping and starting Symantec Network Security, rebooting or shutting down the appliance, and changing the IP address.

About the serial console


You can use the serial console for initial configuration of the appliance and for command line access to the operating system utilities and filesystems. The serial console provides an alternative to using the LCD panel for initial configuration. Serial console access requires a valid username and password.

About the compact flash


Other new appliance management functionality involves the compact flash. The compact flash can be used for initial configuration and for full backup and restore. Slave appliance nodes can be initially configured from compact flash. On the Network Security console, a SuperUser adds the node to the topology and then writes the node configuration to the compact flash. Lab personnel can use the compact flash card for the initial configuration of the new appliance. If a compact flash card is available on the appliance, it is automatically used when you select a full backup in the Network Security console. When you do a restore from the Network Security console, you can choose from backup files on the compact flash as well as those that are available on the hard drive.

Chapter

Getting started
This chapter includes the following topics:

• Getting started
• General checklist
• About the management interfaces
• Managing user access
• Planning the deployment
• Deploying single nodes
• Deploying node clusters

Getting started
This chapter provides a general outline of major tasks involved in setting up a core Symantec Network Security intrusion detection system. It describes basic tasks, including accessing the management interfaces (Network Security console, serial console, and LCD panel), accessing nodes and sensors, and establishing user permissions and access. It also describes deployment considerations and examples of ways to deploy Symantec Network Security. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.


General checklist
This section provides a broad outline of the basic steps to set up a core Symantec Network Security intrusion detection system for the first time. It also describes additional deployment options that are unique to the 7100 Series appliance. This section describes the following topics:

• General software and appliance checklist
• Additional appliance-specific checklist

General software and appliance checklist


To set up a new Symantec Network Security intrusion detection system for the first time, consider the following:

Preparing to set up Symantec Network Security


Before installation, decide how to deploy your Symantec Network Security intrusion detection system and obtain a license:

• Deployment Plan: Decide how to deploy a Symantec Network Security intrusion detection system. Some things to consider might include:
  • What kinds of traffic flow do you expect on your network?
  • Which devices or elements of your network will you monitor?
  • Will you deploy Symantec Network Security as single peer software or appliance nodes, or as a cluster of interacting nodes?
  • Will you establish failover redundancy with standby nodes?
• Licensing: Obtain a Symantec license for each software and appliance node.
• Installation: Install Symantec Network Security.
• User accounts: One SuperUser default account is created at installation. You can add more accounts at any time after installation.

Setting up Symantec Network Security


After installation, use the following tools to get your Symantec Network Security intrusion detection system started:

• Create network topology database: Provide detailed information about your Symantec Network Security intrusion detection system by populating the topology tree on the Devices tab.
• Establish protection policy: Establish blocking and/or alerting triggers so that Symantec Network Security automatically responds to intrusions at the point of entry.
• Establish response rules: Establish additional action triggers so that Symantec Network Security automatically responds to intrusions as they pass through the network.
• Configure user-defined signatures: Enhance the basic detection capabilities by creating customized signatures to fine-tune the detection to your unique security environment.

Using Symantec Network Security


After the initial configuration of your network intrusion detection system, use the following tools to monitor your network and provide advanced configuration:

• Incidents and Events: Drill down for detailed information about suspicious and intrusive activity.
• Reports and Queries: Launch queries and generate comprehensive reports in a variety of formats about suspicious activity.
• Logs and Databases: Review collected data about suspicious activity in logs and databases to use in analyzing and tracking.
• Set configuration parameters: Configure single node or cluster-wide settings to define advanced features such as failover, export, TrackBack, and more.

Additional appliance-specific checklist


Deploying a new Symantec Network Security 7100 Series appliance for the first time involves some additional considerations.

Preparing the appliance


When preparing the appliance, consider the following:

• In-line or passive mode: Decide whether to deploy some or all appliance monitoring interfaces using in-line mode, or to leave them in passive mode. Your choice affects the cabling of the appliance.
• Fail-open: If you place any interfaces into in-line mode, you may wish to connect a bypass unit to provide fail-open capability. This also affects the cabling process.
• Initial configuration: Choose from three methods of initial configuration, including:
  • LCD: Use the LCD screen and push buttons on the appliance to enter the node IP address, password, and other information.
  • Serial console: Connect a laptop or other serial device to the appliance and use a serial terminal application with VT100 emulation to enter the initial configuration information.
  • Compact flash: Add a slave node object to the master node's topology, then write the node configuration to a compact flash card. Use the compact flash card for initial configuration when installing the slave appliance.

Setting up appliance features in Symantec Network Security


Once your appliance is installed and the initial configuration is done, you can use these appliance-specific features while customizing Network Security for your network:

• In-line blocking or alerting: Create policies for any in-line interface pairs to define when to block and when to alert.
• Interface grouping: Configure an interface group that aggregates traffic on up to four monitoring interfaces. An interface group is useful for intrusion detection in asymmetrically routed networks.

About the management interfaces


Symantec Network Security provides a management interface called the Network Security console. Both the Symantec Network Security software and the 7100 Series appliance utilize the Network Security console for the majority of tasks. The 7100 Series appliance also provides two additional management interfaces: the serial console and the LCD panel. You can use these additional interfaces to perform some initial configuration and basic tasks on 7100 Series appliances. This section describes the following topics:

Using the Network Security console
Using the serial console
Using the LCD panel

Using the Network Security console


The Network Security console serves as the main management interface for both Network Security software nodes and 7100 Series appliance nodes. The Network Security console uses QSP 256-bit AES encryption.


Caution: The first time you launch the Network Security console after installation, expect a wait time of a few minutes while the database files load. Symantec Network Security caches the files after that first load, and makes subsequent launches faster.

This section describes how to launch the Network Security console and adjust the view:

Launching the Network Security console
Viewing the Network Security console
Adjusting the Devices view
Adjusting the Incidents view
Adjusting the Policies view
Viewing node status
Restarting via the Network Security console
Rebooting nodes via the Network Security console
Restarting sensors via the Network Security console
Checking and applying licenses

Launching the Network Security console


All users can launch the Network Security console on Windows, Solaris, and Linux, and view the main tabs and menus.

To launch the Network Security console

1 Depending on the operating system, do one of the following:

For Windows, double-click the Symantec Network Security icon on the desktop.
For Solaris or Linux, run the following command:
<path to java>/bin/java -Xmx256M -jar snsadmin.jar

For example:
/usr/SNS/java/jre/bin/java -jar snsadmin.jar

Note: The Network Security console must have Java 1.4 installed to run.

2 In Hostname, enter the hostname or IP address of the software or appliance node you want to monitor.

3 In Port, enter the port number. If in a cluster, all nodes must use the same port number.

4 In Username, enter the user name. Access and permissions depend on the user group of your login account.

5 In Passphrase, enter the passphrase established for your user login account, and click OK.

Caution: If a non-SuperUser uses the wrong passphrase, an Incorrect Username or Passphrase message appears. If this occurs multiple times (as specified by the Maximum Login Failures parameter), the Network Security console locks the non-SuperUser out. Even if the correct passphrase is used at that point, access is denied. Contact the SuperUser to create a new passphrase.

Viewing the Network Security console


The Network Security console contains three main tabs that provide a view of the network topology, the network traffic, and the detection and response functionality:

The Devices tab provides a hierarchical tree view of the network topology with a detailed summary of each device.
The Incidents tab provides detailed descriptions of security incidents and their correlated events taking place in the network, including sub-levels of packet detail.
The Policies tab provides the area for managing protection policies and automated responses at the point of entry.

Adjusting the Devices view


You can adjust the display of the network topology tree in the Devices tab as follows:

To display the entire topology tree

On the Devices tab, click Topology > Expand All Objects.

To display all device objects and hide all interface objects

On the Devices tab, click Topology > Expand Categories.

To display the first level of objects in the topology tree

On the Devices tab, click Topology > Collapse All Objects.


Adjusting the Incidents view


You can adjust the display of the events and incidents tables in the Incidents tab as follows:

To adjust the font size of the display

On the Incidents tab, click Configuration > Table Font Size > OK.

Adjusting the Policies view


You can adjust the display of the list of event types in the Policies tab, to view a workable subset. To do this, see Adjusting the view of event types on page 121.

Viewing node status


The Network Security console displays an object in the topology tree representing devices and interfaces in the network. When a software or appliance node experiences a process failure of any kind, the Network Security console displays the node with a red X, called the Node Status Indicator. This signifies that Network Security processes or connectivity to the network has failed.

To view node status

On the Devices tab, see the Node Status Indicator for any software or appliance node. A red X or Node Status Indicator signifies that Network Security processes or network connectivity failed on a software or appliance node.

Restarting via the Network Security console


The Network Security console provides a way to restart both Network Security software nodes and 7100 Series appliance nodes easily. Restarting includes the Symantec Network Security software and enables you to address an intermittent problem.

Note: SuperUsers can restart both software and appliance nodes from the Network Security console; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

To restart Symantec Network Security

1 On the main menu bar, click Admin > Node > Restart Symantec Network Security Application.

2 In Select Node, select the node that you want to restart from the pull-down list, and then click OK.

3 Wait until the progress bar indicates that the process is complete.

See also Restarting via the serial console on page 50. See also Restarting from the LCD panel on page 53.

Rebooting nodes via the Network Security console


The Network Security console now provides a way to reboot Network Security software nodes easily. Rebooting includes the entire system and is rarely necessary except during installation and changes to the IP address.

To reboot a software node

1 On the main menu bar, click Admin > Node > Reboot Network Security Node.

2 In Select Node, select the node that you want to reboot from the pull-down list, and then click OK.

3 Wait until the progress bar indicates that the process is complete.

Note: SuperUsers can reboot Network Security software nodes; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

See also Rebooting nodes via the serial console on page 51. See also Rebooting nodes via the LCD panel on page 53.

Stopping Symantec Network Security via the command line


Symantec Network Security provides a way to shut down software nodes from the command line. You must have root access to shut down software nodes from the command line.

To shut down Symantec Network Security manually

To stop Symantec Network Security manually, use the following command:

<Symantec_Network_Security_install_dir>/stop

See also Stopping via the serial console on page 51. See also Stopping via the LCD panel on page 54.


Restarting sensors via the Network Security console


The Network Security console now provides a way to restart sensors remotely in both software and appliance nodes. This procedure restarts the sensor process without restarting other Network Security processes, and without rebooting the node itself.

Note: SuperUsers and Administrators can restart Network Security sensors; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

To restart sensors on both software and appliance nodes

1 On the Devices tab, right-click a monitoring interface object under either a software or appliance node.

2 Click Restart Sensor.

Checking and applying licenses


The Network Security console provides a way to check the status of the Symantec Network Security license applied to each node.

Note: SuperUsers and Administrators can check the licenses of Network Security sensors; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

To check your license status

1 On the main menu bar, click Admin > Node > Licensing.

2 In Select Node, select the Network Security software node or 7100 Series appliance node from the pull-down list whose license you want to check.

3 Click OK.

4 In License Information for <nodename>, view the license status, bandwidth, expiry date, and Symantec System ID.

See the Symantec Network Security 7100 Series Implementation Guide or the Symantec Network Security Installation Guide for more information about obtaining or upgrading licenses through the Symantec Enterprise Licensing System (ELS).


Using the serial console


In addition to the Network Security console, Symantec Network Security 7100 Series appliances also provide a serial port. You can connect a serial console to an appliance to perform some basic initial configuration tasks. The serial console makes the following commands available:

help
configure
start
restart
stop
unconfigure
install-bridge
uninstall-bridge
date
elevate
passwd
reboot
shutdown

This section describes the following subset of procedures available on the serial console:

Restarting via the serial console
Rebooting nodes via the serial console
Stopping via the serial console
Shutting down via the serial console

See the Symantec Network Security 7100 Series Implementation Guide for the full range of procedures available on the serial console.

Restarting via the serial console


The Symantec Network Security 7100 Series provides a way to restart appliance nodes using the serial console. You must have secadm access to restart Symantec Network Security on the serial console. Restarting includes the Symantec Network Security software and enables you to address an intermittent problem.

To restart Symantec Network Security from the serial console

1 Connect your laptop or other serial device to the appliance with the serial console cable.

2 Using a serial terminal application, log in to the appliance as:
secadm

3 Type the following command:
restart

Rebooting nodes via the serial console


The Symantec Network Security 7100 Series provides a way to reboot appliance nodes using the serial console. You must have secadm access to reboot the appliance from the serial console. Rebooting includes the entire system and is rarely necessary except during installation and changes to the IP address.

To reboot an appliance node from the serial console

1 Connect your laptop or other serial device to the appliance with the serial console cable.

2 Using a serial terminal application, log in to the appliance as:
secadm

3 Type the following command:
reboot

Stopping via the serial console


You must have secadm access to stop Symantec Network Security on the appliance from the serial console.

To stop Symantec Network Security from the serial console

1 Connect your laptop or other serial device to the appliance with the serial console cable.

2 Using a serial terminal application, log in to the appliance as:
secadm

3 Type the following command:
stop

Shutting down via the serial console


You must have secadm access to shut down the appliance from the serial console.

To shut down an appliance from the serial console

1 Connect your laptop or other serial device to the appliance with the serial console cable.

2 Using a serial terminal application, log in to the appliance as:
secadm

3 Type the following command:
shutdown

Using the LCD panel


In addition to the Network Security console, Symantec Network Security 7100 Series appliances also provide a management interface called the LCD panel. You can use the LCD panel on an appliance to perform some basic initial configuration tasks. The LCD panel provides a run-time menu that includes the following commands:

1. Lock LCD
2. Change IP
3. Stop SNS
4. Start SNS
5. Shutdown Host
6. Restart Host
7. Unconfig SNS

This section describes the following subset of procedures available on the LCD panel:

Unlocking the LCD panel
Restarting from the LCD panel
Rebooting nodes via the LCD panel
Stopping via the LCD panel
Shutting down via the LCD panel

See the Symantec Network Security 7100 Series Implementation Guide for the full range of procedures available on the LCD panel.

Unlocking the LCD panel


The LCD panel may be locked. If so, you must use the secadm password to unlock it before you can perform any other tasks.

To unlock the LCD panel

1 On the appliance front panel, press any button to display: LCD Password [a] unless it is already displayed on the LCD screen.

2 Use the buttons to enter the secadm password to unlock the LCD panel. Use the up/down arrow buttons to scroll through the character set, and the right arrow button to move the cursor after each character.

3 Press e to enter the password.

Restarting from the LCD panel


The Symantec Network Security 7100 Series provides a way to restart Symantec Network Security on appliance nodes using the LCD panel. Restarting includes the Symantec Network Security software and enables you to address an intermittent problem. If the LCD panel is locked, see Unlocking the LCD panel. After it is unlocked, follow this procedure to restart Symantec Network Security.

To restart Symantec Network Security from the LCD panel

1 On the appliance front panel, press any button to display the LCD run menu unless it is already displayed on the LCD screen.

2 Use the down arrow button to scroll through the numbered menu choices until you see:
SNS7100 4. Start SNS

3 Press e to restart the Symantec Network Security application. The LCD screen displays the following when the restart process completes:
Success Press any button

Rebooting nodes via the LCD panel


The Symantec Network Security 7100 Series provides a way to reboot appliance nodes using the LCD panel. Rebooting includes the entire system and is rarely necessary except during installation and changes to the IP address. If the LCD panel is locked, see Unlocking the LCD panel. After it is unlocked, follow this procedure to reboot the appliance node.

To reboot an appliance node from the LCD panel

1 On the appliance front panel, press any button to display the LCD run menu unless it is already displayed on the LCD screen.

2 Use the down arrow button to scroll through the numbered menu choices until you see:
SNS7100 6. Restart Host

3 Press e to reboot the appliance.

Stopping via the LCD panel


You must have the secadm password to stop Symantec Network Security on the appliance from the LCD panel. If the LCD panel is locked, see Unlocking the LCD panel. After it is unlocked, follow this procedure to stop Symantec Network Security.

To stop Symantec Network Security from the LCD panel

1 On the appliance front panel, press any button to display the LCD run menu unless it is already displayed on the LCD screen.

2 Use the down arrow button to scroll through the numbered menu choices until you see:
SNS7100 3. Stop SNS

3 Press e to stop Symantec Network Security on the appliance.

Shutting down via the LCD panel


You must have the secadm password to shut down the appliance from the LCD panel. If the LCD panel is locked, see Unlocking the LCD panel. After it is unlocked, follow this procedure to shut down the appliance.

To shut down an appliance from the LCD panel

1 On the appliance front panel, press any button to display the LCD run menu unless it is already displayed on the LCD screen.

2 Use the down arrow button to scroll through the numbered menu choices until you see:
SNS7100 5. Shutdown Host

3 Press e to shut down and power off the appliance.

Managing user access


Symantec Network Security provides an efficient way to administer user access using four predefined groups: SuperUser, Administrator, StandardUser, and RestrictedUser. The installation procedure creates one user login account in the SuperUser group with full access and all permissions. At any time after installation, this SuperUser can create additional user login accounts in any of the four groups from the Network Security console. Each group includes a predefined set of permissions and access. You can control user access using the predefined user groups, including managing user passwords and passphrases, tracking user actions, and limiting access via parameters.

Note: See User groups reference on page 353 for more detailed information about access and permissions for specific user groups. The four user groups are unique to the Network Security console and do not extend to the serial console or the LCD panel. See the Symantec Network Security 7100 Series Implementation Guide for more information about the serial console and the LCD panel.

This section describes the following topics:

Managing user login accounts
Tracking user actions
Controlling user access

Managing user login accounts


The Network Security console provides a way to create and modify user login accounts efficiently. In a cluster, create user accounts on the master software or appliance node. The user database is propagated across all slave nodes in a cluster when they synchronize with the master node. This section describes the following topics:

Adding user login accounts
Editing user login accounts
Deleting user login accounts

Adding user login accounts


The Network Security console provides an efficient way to add new user login accounts to the system by assigning each user to a predefined user group. Note: SuperUsers can create new user accounts in any of the predefined groups; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.


To add a new user login account

1 On the main menu bar, click Admin > Manage Users > Add.

2 In Add User, enter the Username, Passphrase, and confirm the passphrase.

3 In Group, select one of the four predefined groups from the pull-down list, and click OK.

4 In Manage Users, click OK to save and close.

Editing user login accounts


The Network Security console provides an efficient way to edit existing user login accounts by reassigning a user to a different predefined user group.

Note: SuperUsers can move any user to a different user group; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

To modify an existing user login account

1 On the main menu bar, click Admin > Manage Users.

2 In Manage Users, select the user account you want to modify.

3 Click Edit.

4 Change the Username or Passphrase, or select a different group from the Group pull-down list, and click OK.

5 In Manage Users, click OK to save and close.

Deleting user login accounts


The Network Security console provides an efficient way to delete user login accounts from the system altogether.

Note: SuperUsers can delete any user accounts in any groups except for the last SuperUser in a cluster; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

To delete a user login account

1 On the main menu bar, click Admin > Manage Users.

2 In Manage Users, select the user account you want to delete.

3 Click Delete.

4 Click OK to save and close.

Managing user passphrases


Symantec Network Security provides an efficient way to control access to the Network Security console for both software and appliance nodes by managing user passphrases. You can control access to the serial console on an appliance by managing root and secadm passwords. This section describes the following topics:

Changing user passphrases
Changing passwords on the 7100 Series node

Changing user passphrases


Symantec Network Security provides an efficient way to control access to the Network Security console for both software and appliance nodes by managing user passphrases. The passphrase identifies each user with a user group that includes a predefined set of permissions and access. All users can change their own passphrase at any time.

To change login account passphrases

1 On the main menu bar, click Admin > Change Current Passphrase.

2 In Change Passphrase for <user>, in Enter Old Passphrase, type the existing passphrase.

3 In Enter New Passphrase, type a new passphrase from 6 to 16 characters, inclusive, and confirm it.

4 Click OK to save and close.

Note: If a non-SuperUser uses an incorrect passphrase, an Incorrect Username or Passphrase message appears. If this happens multiple times (as specified by the Maximum Login Failures parameter), the user can be locked out. Even if the correct passphrase is used at that point, access is denied. Contact the SuperUser to create a new passphrase. See Setting Maximum Login Failures on page 59.


Note: SuperUsers can add, modify, or delete the passphrase on any user login account in the Network Security console; Administrators, StandardUsers, and RestrictedUsers can modify only their own passphrases. See User groups reference on page 353 for more about permissions.

Changing passwords on the 7100 Series node


The SuperUser password for a master 7100 Series node is entered during the initial configuration of the appliance. This password is used for the Network Security console login, root login, secadm login, and for unlocking the LCD panel. For security reasons, we recommend that you change passwords periodically for the root, secadm, and Network Security console user login accounts. This section describes the following topics:

Changing the root password via the serial console
Changing the secadm password via the serial console

Changing the root password via the serial console


You must have root access to change the root password from the serial console. Changing the root password also changes the password for the elevate command. These passwords are always the same.

To change the root password from the serial console

1 Connect your laptop or other serial device to the appliance with the serial console cable.

2 Using a serial terminal application, log in to the appliance as:
secadm

3 Type the following command:
elevate
and enter the root password.

4 Type the following command:
passwd

5 Enter the new password.

6 Enter the new password again.


Changing the secadm password via the serial console


You must have secadm access to change the secadm password from the serial console. Changing the secadm password also changes the password for unlocking the LCD panel. These passwords are always the same.

To change the secadm password from the serial console

1 Connect your laptop or other serial device to the appliance with the serial console cable.

2 Using a serial terminal application, log in to the appliance as:
secadm

3 Type the following command:
passwd

4 Enter the new password.

5 Enter the new password again.

Controlling user access


The Network Security console provides a way to control user access using the predefined user groups, managing user passwords and passphrases, tracking user actions, and limiting access via parameters. This section describes the following topics:

Setting Maximum Login Failures
Setting Lock LCD Screen
Tracking user actions

Setting Maximum Login Failures


Maximum Login Failures determines the number of login attempts that Symantec Network Security can accept before it locks the user out. The limit applies to Administrators, StandardUsers, and RestrictedUsers. The SuperUser is not subject to this limitation, and can reset the password of a locked-out account to re-enable it. The default value allows 5 attempts to login before locking. If this value is set to 0, then no restrictions apply.

To configure the Maximum Login Failures parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane under Login Parameters, click Maximum Login Failures.

4 In the lower right pane, enter the maximum number of failed attempts.

5 Click Apply.

6 In Apply Changes To, select the node or subset of nodes to which you want to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this sensor and close.
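To make the lockout rules concrete, here is an added example that is not code from this guide or from Symantec: an in-memory model of the Maximum Login Failures lockout described in this section, combined with the 6-to-16-character rule from Changing user passphrases. The class, account names, groups and passphrases are constructed for illustration.

```python
# Added example (not code from the guide or from Symantec): an in-memory
# model of the login lockout and passphrase-length rules described above.
# Account names, groups and passphrases below are constructed sample data.
from dataclasses import dataclass

SUPERUSER = "SuperUser"                    # group exempt from the lockout
PASSPHRASE_MIN, PASSPHRASE_MAX = 6, 16     # inclusive bounds from the guide
DEFAULT_MAX_LOGIN_FAILURES = 5             # 0 means no limit is enforced


def valid_passphrase(passphrase: str) -> bool:
    """Length check applied whenever a passphrase is set or changed."""
    return PASSPHRASE_MIN <= len(passphrase) <= PASSPHRASE_MAX


@dataclass
class Account:
    username: str
    group: str
    passphrase: str
    failures: int = 0       # consecutive failed login attempts
    locked: bool = False


class ConsoleUsers:
    """Models one node's user database and its Maximum Login Failures parameter."""

    def __init__(self, max_login_failures: int = DEFAULT_MAX_LOGIN_FAILURES):
        self.max_login_failures = max_login_failures
        self.accounts = {}  # username -> Account

    def add_user(self, username: str, group: str, passphrase: str) -> None:
        if not valid_passphrase(passphrase):
            raise ValueError("passphrase must be 6 to 16 characters")
        self.accounts[username] = Account(username, group, passphrase)

    def login(self, username: str, passphrase: str) -> str:
        """Returns 'ok', 'incorrect' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            return "incorrect"
        if acct.locked:
            # Once locked, even the correct passphrase is refused until a
            # SuperUser sets a new one.
            return "locked"
        if passphrase == acct.passphrase:
            acct.failures = 0
            return "ok"
        # Only non-SuperUsers count toward the limit, and 0 disables it.
        if acct.group != SUPERUSER and self.max_login_failures > 0:
            acct.failures += 1
            if acct.failures >= self.max_login_failures:
                acct.locked = True
        return "incorrect"

    def change_passphrase(self, actor: str, username: str,
                          new_passphrase: str, old_passphrase: str = None) -> None:
        """All users may change their own passphrase (old one required);
        only a SuperUser may set another user's, which also clears a lockout."""
        if not valid_passphrase(new_passphrase):
            raise ValueError("passphrase must be 6 to 16 characters")
        acct = self.accounts[username]
        if actor == username:
            if acct.locked or old_passphrase != acct.passphrase:
                raise PermissionError("old passphrase required and account must not be locked")
        elif self.accounts[actor].group != SUPERUSER:
            raise PermissionError("only a SuperUser may change another user's passphrase")
        acct.passphrase = new_passphrase
        acct.failures = 0
        acct.locked = False
```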

Setting Lock LCD Screen


Lock LCD Screen indicates whether the LCD panel on a Symantec Network Security 7100 Series appliance is locked or not. The default value is false. If you set Lock LCD Screen to true, users must enter a password to access the LCD panel.

To set the Lock LCD Screen parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane, under 7100 Series Parameters, click Lock LCD Screen.

4 In the right pane, do one of the following:

Click True to lock the LCD panel.
Click False to unlock the LCD panel.

5 Click Apply.

6 In Apply Changes To, select the node or subset of nodes to which you want to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this sensor and close.


Tracking user actions


Symantec Network Security logs all user actions on the Network Security console that modify the configuration. When you set the operational log to verbose mode, Symantec Network Security extends logging to include user actions that do not affect the configuration. The log includes data specific to the action, such as the date and time of the action, the username, query information, whether the query is allowed or denied, and the type of action that was taken. See Setting automatic logging levels on page 278. See Archiving log files on page 279. See About operational event notices on page 223.

Planning the deployment


Both software and appliance nodes can be deployed singly or clustered:

Single-node deployment: A peer relationship between one or more individual single nodes, viewed from one or more independent Network Security consoles.
Cluster deployment: A hierarchical relationship between one master node and up to 120 slave nodes that synchronize to the master node.

Both software and appliance nodes can be deployed using passive mode; only 7100 Series appliances can be deployed using in-line mode:

In-line deployment: Only the Symantec Network Security 7100 Series appliance can be deployed in-line at this time. In-line mode enables multiple features such as the ability to block specified traffic from entering the network.
Passive deployment: Both software and appliance nodes can be deployed in passive mode, and positioned near the network, where they do not impede network performance as a point of failure. No service is ever lost, even if the node fails. The possibility of failure can be mitigated by failover groups that maintain the availability of all nodes. See Establishing high availability failover on page 322.

Deploying single nodes


Symantec Network Security can be deployed as one or more single nodes that operate independently of each other within your network. The following figure illustrates the relationship between a single Network Security software node or 7100 Series appliance node, a fictitious network, and a possible intruder:


Figure 3-1 Fictitious Network Map with Intruder (figure; labelled elements: Internet, Router, Network Security console, Software or appliance node, Host 1, Host 2, Host 3, Host 4, Attacker)

Deploying a single Network Security software node


Symantec Network Security can be deployed using one or more single Network Security software nodes. Each node functions independently as the master node in a cluster of one. Managing a single node is simpler than managing a cluster. For example, you can partition your network to make each security administrator responsible for only one segment, without the need to communicate with other segments or with other software or appliance nodes. In this scenario, the nodes have no method of communication with each other. Using a single Network Security console, you can log in to any single node in your network, and view it individually. With single-node deployment, you cannot view all nodes simultaneously from the Network Security console. Also, failover groups do not function for single nodes.

Deploying a single 7100 Series appliance node


You can deploy a Symantec Network Security 7100 Series node just as you would a Network Security software node. It can operate independently or as part of a cluster. A 7100 Series appliance also has several extra deployment options. You can configure it for interface grouping, in-line mode, and fail-open, in addition to passive monitoring mode. You can also deploy the appliance using a combination of these modes in a way that best suits your network.

About interface grouping


Interface grouping provides a solution when your network employs asymmetric routing. Asymmetric routing occurs when traffic arrives on one interface and departs on another. Because the request and reply sides of the client/server traffic are on different interfaces, a standard monitoring interface cannot see the full conversation to analyze it properly. With the Symantec Network Security 7100 Series, you can place up to four interfaces into a single group. One sensor is started for the interface group, allowing Symantec Network Security to analyze the different traffic flows as if they were combined on one interface. This is a very effective deployment mode for a network with asymmetric routing.
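As an added example (not code from the guide or from Symantec), the following models why a sensor bound to a single interface cannot see an asymmetrically routed conversation and how grouping up to four interfaces restores the full flow. Interface names, addresses and packets are constructed sample data; the flow key is a direction-independent 5-tuple, an assumption about how such grouping can be modelled rather than the appliance's internal representation.

```python
# Added example (not code from the guide or from Symantec): bidirectional flow
# reassembly across an interface group.  Interface names, addresses and the
# packet list are constructed sample data.
from collections import defaultdict

MAX_GROUP_SIZE = 4   # the 7100 Series limit on interfaces per group


def interface_group(*ifaces):
    """Set of interfaces one sensor is started for; at most four."""
    if len(ifaces) > MAX_GROUP_SIZE:
        raise ValueError("an interface group holds at most four interfaces")
    return set(ifaces)


def flow_key(pkt):
    """Direction-independent 5-tuple so request and reply map to one flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    lo, hi = sorted([a, b])
    return (pkt["proto"], lo, hi)


def build_flows(packets, interfaces):
    """Aggregate packets seen on the given interfaces into bidirectional flows.
    A sensor on a single interface only ever sees that interface's packets."""
    flows = defaultdict(lambda: {"directions": set(), "packets": 0})
    for p in packets:
        if p["iface"] not in interfaces:
            continue
        f = flows[flow_key(p)]
        f["packets"] += 1
        f["directions"].add((p["src"], p["dst"]))
    return dict(flows)


def complete_flows(flows):
    """Flows for which both directions of the conversation were observed."""
    return {k: v for k, v in flows.items() if len(v["directions"]) == 2}


def coverage(packets, interfaces):
    """(flows seen, flows with both directions) for a sensor on these interfaces."""
    flows = build_flows(packets, interfaces)
    return len(flows), len(complete_flows(flows))


# Constructed sample: requests from client 10.0.0.5 to server 192.0.2.10 enter
# on eth1, but the replies take a different router and are seen on eth2.
SAMPLE_PACKETS = [
    {"iface": "eth1", "proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80},
    {"iface": "eth2", "proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 40001},
    {"iface": "eth1", "proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80},
    {"iface": "eth2", "proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 40001},
    # A symmetrically routed flow on eth1 is complete without any grouping.
    {"iface": "eth1", "proto": "udp", "src": "10.0.0.7", "sport": 5353, "dst": "192.0.2.53", "dport": 53},
    {"iface": "eth1", "proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.7", "dport": 5353},
]

if __name__ == "__main__":
    for group in (interface_group("eth1"), interface_group("eth2"),
                  interface_group("eth1", "eth2")):
        seen, complete = coverage(SAMPLE_PACKETS, group)
        print(f"{sorted(group)}: {seen} flows seen, {complete} with both directions")
```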

About in-line mode


In-line mode is another mode of deployment available only with the Symantec Network Security 7100 Series appliance. In-line mode uses an interface pair to place the appliance directly into the network path. Both interfaces connect to the monitored network segment, effectively separating it into two sides. Incoming packets are fully analyzed before being allowed to continue into the other side of the network. Because of the nature of the connection, it is necessary to interrupt network traffic briefly while you connect the cables to the appliance interfaces. You can configure a policy for an in-line pair that alerts on or blocks malicious traffic. When a malicious packet is detected in alerting mode, the appliance software executes the configured responses, which may be email, Network Security console displays, or other choices available on both appliances and Network Security software nodes. Blocking mode prevents malicious traffic of the designated event types from being transmitted into your protected network. When a blocked TCP/IP event is detected, the node sends TCP resets to both interfaces in the pair. For a blocked UDP event, the appliance drops the packet and marks the flow as dropped. For policies configured with both blocking and alerting, you can run Network Security with blocking disabled until you are sure the policy is correct. If you decide that the configured event types should be blocked, you can change the policy to enable blocking with a single mouse-click in the Network Security console.


About fail-open
Fail-open is an option when using in-line mode and is the default for passive mode. Fail-open means that if the appliance has a hardware failure, network traffic will continue. Since the Symantec Network Security 7100 Series appliance is directly in the network path while deployed using in-line mode, fail-open capability requires the purchase and installation of a separate device. The Symantec Network Security In-line Bypass unit has been custom designed to provide fail-open capability for the Symantec Network Security 7100 Series. The bypass unit is available in two models, which accommodate two or four in-line interface pairs respectively. Fail-open is available for all copper gigabit or Fast Ethernet interfaces on the appliance. It is not an option for fiber interfaces at this time. The In-line Bypass unit is only necessary for fail-open when appliance interfaces are configured for in-line mode. All interfaces configured in passive mode are fail-open by default.

Configuring single-node parameters


Symantec Network Security provides configurable parameters to customize your network intrusion detection system from multiple levels. These parameters fall into the following three categories:

Node parameters: Apply to individual nodes, either within a cluster or set up as peers. For more information about node parameters, see Configuring node parameters on page 345.
Cluster parameter: Applies to all nodes within a cluster. For more information about the cluster parameter, see Setting QSP Port Number on page 315.
Sensor parameters: Dictate sensor detection behavior. You can fine-tune sensor parameters to recognize normal traffic behavior on your system and alert you to suspicious behavior. For more information about sensor parameters, see Configuring sensor detection on page 168.

Symantec Network Security provides node parameters to configure the following tasks on each node:

See Setting Maximum Login Failures on page 59.
See Setting email notification parameters on page 149.
See Setting SNMP notification parameters on page 152.
See Tuning incident parameters on page 237.
See Configuring FlowChaser on page 248.
See Setting automatic logging levels on page 278.
See Archiving log files on page 279.
See Compressing log files on page 282.
See Exporting data on page 285.
See Integrating via Smart Agents on page 316.
See Configuring watchdog processes on page 328.
See Configuring advanced parameters on page 346.

Deploying node clusters


The full power and advanced features of Symantec Network Security become available when you create a group or cluster of nodes, and establish one node as the master. A cluster of software or appliance nodes enables Symantec Network Security to monitor all parts of a network from the central Network Security console, and share information between nodes. In a clustered deployment, the master node can check, update, and synchronize all nodes in the cluster. High-availability failover deployment becomes available using pair configurations of active and standby nodes. Users can view all Network Security software nodes and 7100 Series appliance nodes in the network simultaneously, and make full use of advanced capabilities. Clusters provide efficient administration of multiple nodes from a single console.

[Figure: the Network Security console connects to the master node, which manages the slave nodes in the cluster]

For information about advanced cluster management, see Managing node clusters on page 309. This section includes the following:

Deploying software and appliance nodes in a cluster
Monitoring groups within a cluster

See the Symantec Network Security Installation Guide and the Symantec Network Security 7100 Series Implementation Guide for special considerations when upgrading or migrating clusters.

Deploying software and appliance nodes in a cluster


Both Network Security software nodes and 7100 Series appliance nodes can be deployed as master nodes or slave nodes in a cluster. For information about clusters containing a mixture of various types or versions, see the Symantec Network Security 7100 Series Implementation Guide and the Symantec Network Security Installation Guide.

Monitoring groups within a cluster


The Network Security console provides a way to subdivide a cluster into different monitoring groups. You can then configure the Network Security console to display only the incidents of selected monitoring groups. In this way, you can manage the delegation of responsibilities in a large installation where each operator is responsible for only a subset of software or appliance nodes. This increases performance as well, because it reduces the number of incidents that a single Network Security console must load. When subdivided by monitoring groups, Symantec Network Security continues to perform cross-node correlation across all nodes in the cluster, even though the Network Security console displays incidents only from the subset. This section includes the following topics:

Creating a monitoring group
Assigning a monitoring group
Renaming a monitoring group
Choosing monitoring groups
Deleting a monitoring group

Creating a monitoring group


By default, one monitoring group exists upon installation. You can create additional monitoring groups via the Network Security console. When you add a software or appliance node to the topology tree, the node is assigned a monitoring group either by default, or by your selection. After groups are established, you can activate one or more monitoring groups in the Network Security console.

Note: SuperUsers can add, assign, and rename monitoring groups; Administrators, StandardUsers, and RestrictedUsers can choose them. See User groups reference on page 353 for more about permissions.

To add a new monitoring group
1 On the Devices tab, right-click any software or appliance node.
2 Click Edit.
3 In the Monitoring Group field, enter a new name into the list by writing over the Default name.
4 Click OK.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

Assigning a monitoring group


The Network Security console provides an efficient way to assign a node to a monitoring group.

Note: SuperUsers can add, assign, and rename monitoring groups; Administrators, StandardUsers, and RestrictedUsers can choose them. See User groups reference on page 353 for more about permissions.

To assign a node to a monitoring group
1 On the Devices tab, right-click any software or appliance node.
2 Click Edit.
3 In the Monitoring Group field, choose a group from the pull-down list.
4 Click OK.

Note: Always align the assignment of a node to a monitoring group with the view of that monitoring group. If you assign a node to a different monitoring group than the monitoring group that defines your incident subset, you can miss events even though the sensors detect them. See Choosing monitoring groups on page 69.

Renaming a monitoring group


To rename a monitoring group, you must remove the existing group altogether and create a new one. When you do this, the selection status of the previous group is lost, which can result in a change of behavior between the remaining existing groups. You must then reassign nodes to the new monitoring group.

To rename a monitoring group
1 Remove the existing monitoring group. See Deleting a monitoring group on page 68.
2 Create a new monitoring group with the new name. See Creating a monitoring group on page 67.
3 Reassign nodes to the new monitoring group. See Assigning a monitoring group on page 67.

Note: When you rename a monitoring group, reassign nodes to the renamed monitoring group to reestablish the preference.

Note: If you reassign a node to a new monitoring group, change the view of the incident list as well. If you view incidents from a node in a different monitoring group than the one that defines your view subset, you can miss events even though the sensors detect them. See Choosing monitoring groups on page 69.

Deleting a monitoring group


Monitoring groups are deleted if they are not used. You can create a new monitoring group by entering its new name when you add or edit a node. If you later reassign that node to a different monitoring group and leave the original monitoring group unused, it disappears from the list. However, it can continue to define the subset of the incident list that you view. If you reassign nodes or rename monitoring groups so that a monitoring group is removed from the list, make sure to adjust the view of the incident list as well.


If you view incidents from a node in a different monitoring group than the monitoring group that defines your view subset, you can miss events even though the sensors detect them. See Choosing monitoring groups on page 69.

Choosing monitoring groups


Symantec Network Security provides a way to display a subset of the incident list focused on only those software or appliance nodes that are included in the selected monitoring group.

To focus the incident view on a monitoring group
1 On the main menu bar, click Configuration > Monitoring Groups.
2 In Choose Monitoring Groups, select a group or check Default.
3 Click OK to view incidents from the selected monitoring group.

Note: Always assign at least one node to each monitoring group. If you create groups without assigning nodes to them, you can miss events even though the sensors detect them. In other words, you can inadvertently hide your view of the events by creating groups that you do not use.

Note: All users can select monitoring groups. See User groups reference on page 353 for more about permissions.
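The two pitfalls repeated through the assigning, renaming, deleting and choosing sections above (a node assigned to a group that is not in the console's view, and a chosen group that no node belongs to) are easy to check for. The Python below is an added illustration, not console code: it models a cluster's node-to-group assignment and a console's chosen groups, filters incidents the way the view does, and reports both mistakes. Node numbers, group names and incidents are constructed sample data.

```python
"""Monitoring-group view audit.

Added illustration, not Symantec console code. Incidents from a node
whose monitoring group is not among the chosen groups are not displayed
even though the sensors detect them, and a chosen group with no nodes
hides nothing but protects nothing. Data below is constructed.
"""


def visible_incidents(incidents, node_group, chosen_groups):
    """Incidents the console shows: only those from nodes in a chosen group."""
    return [inc for inc in incidents
            if node_group.get(inc["node"]) in chosen_groups]


def audit_view(node_group, chosen_groups):
    """Report nodes hidden from the view and chosen groups with no nodes."""
    groups_in_use = set(node_group.values())
    hidden_nodes = sorted(n for n, g in node_group.items()
                          if g not in chosen_groups)
    empty_chosen = sorted(g for g in chosen_groups if g not in groups_in_use)
    return {"hidden_nodes": hidden_nodes, "empty_chosen_groups": empty_chosen}


# Constructed cluster: node number -> monitoring group as set on the Devices tab
NODE_GROUP = {1: "Default", 2: "DMZ", 3: "DMZ", 4: "Datacenter"}

# Constructed incidents as the master correlates them across all nodes
INCIDENTS = [
    {"id": 101, "node": 2, "name": "port scan"},
    {"id": 102, "node": 4, "name": "worm propagation"},
    {"id": 103, "node": 1, "name": "failed logins"},
]

# Constructed console view: "Branch" has no nodes, node 4's group is not chosen
CHOSEN = {"Default", "DMZ", "Branch"}
```

Cross-node correlation still runs over all four nodes, so incident 102 exists on the master; it simply never reaches an operator whose console is configured with these groups. Run `audit_view` whenever a node is reassigned or a group is created.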


Part II

Initial Configuration
This section explains how to set up your Symantec Network Security intrusion detection system. After getting started, indicate what to monitor by creating a network topology database, what kind of activity to look for by configuring detection signatures and parameters, and how to respond by establishing protection policies and response rules:

Populating the topology database
Detecting
Protection policies
Responding

Chapter

Populating the topology database


This chapter includes the following topics:

About the network topology
Managing the topology tree
Adding nodes and objects

About the network topology


The first step in the initial configuration of Symantec Network Security is to establish the topology database. Do this by adding objects to the topology tree to represent routers, network segments, and intrusion detection devices in your network. Both the software and the appliance utilize the topology database in the same way. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail. This section describes the following topics:

About the Devices tab
About topology mapping

About the Devices tab


The Network Security console displays the network topology as a hierarchical tree structure. At a glance, you can see a representation of each network location, network segment, and router in your network, as well as the 7100 Series appliance nodes and/or software nodes and interfaces that monitor your network. The installation process generates some objects automatically. Security administrators can add the others, providing Symantec Network Security with the information it needs to monitor your network. The following figure shows an example:

The Devices tab provides a tree-oriented view of the network topology with a detailed summary of each device. When you select an object from the topology tree in the left pane, the right pane displays related information. Symantec Network Security updates this information at frequent intervals, so the status remains current. This section describes the following topics:

Types of objects
Viewing object details

Types of objects
The Devices tab displays the following types of objects to represent the elements of your network and security system:

Locations: Objects that represent physical or logical groups of one or more network segments. The installation procedure automatically creates the first location object, named Enterprise by default.

Symantec Network Security nodes: The object category for both software and appliance nodes.
  Software nodes: Objects that represent the Symantec Network Security software installed on a designated computer.
  7100 Series nodes: Objects that represent the Symantec Network Security 7100 Series appliances.
  Monitoring interfaces: Objects that represent dedicated ports that mirror incoming or outgoing traffic on a software or appliance node.
  In-line pairs: Objects that represent pairs of interfaces on a 7100 Series appliance node that are directly in the network traffic path. For a given flow, one interface connects to inbound traffic and the other to outbound traffic. Only in-line pairs can be configured to block malicious traffic.
  Interface groups: Objects that represent groups of two to four interfaces on a 7100 Series appliance node that share a common sensor. Interface groups are used to monitor asymmetrically routed network environments, and are configurable only on 7100 Series nodes.

Network devices: The object category for both routers and router interfaces.
  Routers: Objects that represent devices that store data packets and forward them along the most expedient route. Symantec Network Security monitors this connection between hosts or networks.
  Interfaces: Objects that represent boundaries across which separate elements can communicate. Interfaces provide the point of contact between Symantec Network Security and your network devices.

Smart Agents: Objects that represent the entry point for event data from Symantec Decoy Server, Symantec Network Security Smart Agents, and other third-party sensors.

Managed network segments: Objects that represent subnets in which the network devices and interfaces reside. The Network Security console automatically creates a network segment object for each unique subnet.

Viewing object details


When you select an object in the Devices tab, the right pane displays information about that object. Depending on the selected object, the following information can appear in the right pane:

Device Type: Displays the type of device selected.
IP address: Displays the IP address of the selected device, or the management IP address for a device with multiple IP addresses.
Node Number: Displays the node number assigned to the software or appliance node, between 1 and 120.
Customer ID: Displays an optional user-defined ID. Customer IDs for in-line pairs and interface groups reflect the 7100 Series appliance nodes to which they belong.
Model: Displays the model number of a 7100 Series appliance, either 7120, 7160, or 7161.
Monitoring Group: Identifies the monitoring group of the selected device, if any.
Monitored Networks: Identifies the networks for which port usage patterns are tracked and anomalies detected. Displayed only if you entered network IP addresses on the Network tab when editing interfaces, adding in-line pairs, or adding interface groups. Available only on 7100 Series interfaces.
TCP Reset Interface: Displays the interface that sends TCP resets; either eth0, eth1, or eth2, corresponding to your choice of RST0, RST1, or RST2 when you added the interface group.
Bandwidth: Displays the expected throughput for the selected object.
Sensor Status: Displays the current status of the related sensor.
Description: Displays a brief optional description of the object.
Active Security Incidents: Displays the active incidents of the selected topology object, with name, state, node number, and last date modified.

About topology mapping


To configure Symantec Network Security, first populate the topology database. This includes the following basic steps:

Mapping the existing network
Gathering information
Adding objects for the first time

Note: SuperUsers can view, add, edit, and delete all objects in the topology tree. Administrators can view, add, edit, and delete most objects in the topology tree except for software nodes and 7100 Series appliance nodes. StandardUsers and RestrictedUsers can view the topology tree. See User groups reference on page 353 for more about permissions.

Mapping the existing network


Before building the network topology database, we recommend that you create a map of your network topology. Include the devices and device interfaces that you want Symantec Network Security to monitor, or through which you want it to track attacks. The map becomes the model for your network topology:

Locations: Decide whether to divide the network into logical or physical groupings, depending on the network setup. A physical grouping might include all segments within a single building. A logical grouping might include all segments used by one department spread throughout multiple buildings.
Managed Network Segments: Within each location, identify the existing network segments.
Devices: Within each location or managed network segment, identify the routers that will send data to Symantec Network Security.
Interfaces: For each router, decide which interfaces you want Symantec Network Security to monitor, and those interfaces that you merely want Symantec Network Security to be aware of to track an attack through them.

The following diagram shows an example of a simple topology map including locations, segments, devices, device interfaces and attachments between interfaces. This example might help you when taking inventory of your own network topology:

Figure 4-1 Sample Network Topology Map
[Figure: Location 1 contains Segments A and B and Location 2 contains Segments C and D; each segment holds two devices, each device has several interfaces, and interfaces on neighbouring devices are attached to one another]

Gathering information
After you have taken an inventory of your existing network, you can provide this information to the Symantec Network Security database by populating the topology tree. To prepare for this, we recommend that you gather information specific to each element of your topology. This section describes the information and conventions common to most devices and network elements that you might need to provide. Each individual procedure includes device-specific information.


You can save time if you review both the general information and each procedure, and verify that you have all the necessary data before starting the procedure. The following table describes the kind of information you will need to provide when populating the topology tree:

Table 4-1 Information to gather

Name: For all objects in the topology tree, you can provide a descriptive name of up to 40 characters. This is the object name displayed in the topology tree. Before you begin populating the topology database, establish a naming convention for all object types. A consistent and logical naming convention speeds the process of populating the topology database, and ensures that every object is uniquely named, thus making the topology tree easier to navigate.

Description: For all objects in the topology tree, you can provide an optional description of up to 255 characters. You may want to establish a convention regarding the type(s) of required and optional information to provide for each type of object. When you select an object in the topology tree, the Details pane displays your description, as well as other details about the object, such as its IP address or subnet mask, if applicable.

Customer IDs: For most objects in the topology tree, except monitoring interfaces and network segments, you can provide an optional customer ID of up to 40 characters; for example, to describe its physical location. This labels the device. If you set a customer ID at a location object, all device objects created under it inherit that customer ID by default. Likewise, interface objects inherit the customer ID of the parent device objects. You can edit the customer ID on any individual object.

Node number: For software and appliance nodes in the topology tree, you must provide a unique node number. Make a note of this number, because you must provide the same number when you perform the physical installation. The first node added defaults to 1 and to master status, if in a cluster. All subsequent nodes default to slave status if in a cluster, and you must assign them unique numbers between 2 and 120, inclusive.

User name and passphrases: For some objects in the topology tree, you must provide an established username and passphrase, or enable a passphrase for accessing device activity logs, if the device was set up in that way. Create a passphrase of up to 30 characters.

Interface name: For each interface in the topology tree, follow the naming convention of the manufacturer for that interface, such as qfe0 or fa/0.

Synchronization passphrases: For some objects in the topology tree, provide a unique synchronization passphrase between 6 and 64 characters, inclusive. This enables nodes to communicate securely during database synchronization and cross-node event correlation. Make a note of the synchronization passphrase so you can supply it when you physically install the slave node.
Note: You cannot edit this passphrase. If you fail to provide a passphrase, or provide an erroneous one, when you add the slave node, you must delete the node, create a new one, and assign a new synchronization passphrase to it.
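Because a node number or synchronization passphrase entered wrongly cannot simply be edited afterwards (the node has to be deleted and recreated), it pays to check the gathered values against the limits in Table 4-1 before typing them into the console. The Python below is an added pre-flight check, not Symantec code: it enforces the field lengths, the node-number range and uniqueness, the master-as-node-1 default and the synchronization passphrase length from the table, and applies the documented customer-ID inheritance from location to device to interface. The object records are constructed sample data, and the record format (a dictionary per object with a `parent` link) is an assumption of this example.

```python
"""Pre-flight check for topology data against the Table 4-1 limits.

Added illustration, not Symantec code. Validates values gathered for the
topology tree and resolves inherited customer IDs. Object records and
their "parent" links are a constructed format for this example.
"""

LIMITS = {"name": 40, "description": 255, "customer_id": 40}
NODE_NUMBERS = range(1, 121)           # valid node numbers: 1 to 120 inclusive
SYNC_PASSPHRASE_LENGTHS = range(6, 65)  # 6 to 64 characters inclusive
NODE_KINDS = ("software_node", "appliance_node")


def inherited_customer_id(obj_name, objects):
    """Customer ID shown for an object: its own, else the nearest ancestor's."""
    obj = objects[obj_name]
    while obj is not None:
        if obj.get("customer_id"):
            return obj["customer_id"]
        parent = obj.get("parent")
        obj = objects[parent] if parent else None
    return ""


def validate_topology(objects):
    """Return a list of readable problems; an empty list means the data is clean."""
    problems = []
    seen_numbers = {}
    for name, obj in objects.items():
        for field_name, limit in LIMITS.items():
            if len(obj.get(field_name, "")) > limit:
                problems.append(f"{name}: {field_name} longer than {limit} characters")
        if obj["kind"] not in NODE_KINDS:
            continue
        num = obj.get("node_number")
        if num not in NODE_NUMBERS:
            problems.append(f"{name}: node number {num!r} outside 1..120")
        elif num in seen_numbers:
            problems.append(f"{name}: node number {num} already used by {seen_numbers[num]}")
        else:
            seen_numbers[num] = name
        # The guide's default: the first node added is number 1 and the master.
        if obj.get("role") == "master" and num != 1:
            problems.append(f"{name}: master node is expected to be node number 1")
        if obj.get("role") == "slave":
            if len(obj.get("sync_passphrase", "")) not in SYNC_PASSPHRASE_LENGTHS:
                problems.append(f"{name}: synchronization passphrase must be 6 to 64 characters")
    return problems


# Constructed sample topology. The slave reuses node number 1 and has a
# five-character synchronization passphrase; both would force a delete
# and re-add after installation.
OBJECTS = {
    "HQ": {"kind": "location", "parent": None, "name": "HQ", "customer_id": "BLDG-7"},
    "core-rtr": {"kind": "router", "parent": "HQ", "name": "core-rtr"},
    "fa/0": {"kind": "interface", "parent": "core-rtr", "name": "fa/0",
             "customer_id": "RACK-12"},
    "sns-master": {"kind": "software_node", "parent": "HQ", "name": "sns-master",
                   "node_number": 1, "role": "master"},
    "sns-dmz": {"kind": "appliance_node", "parent": "HQ", "name": "sns-dmz",
                "node_number": 1, "role": "slave", "sync_passphrase": "short"},
}
```

`inherited_customer_id` reproduces what the Details pane would show: the router under HQ reports BLDG-7 from its location, while the interface keeps the RACK-12 value set on it directly.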

Managing the topology tree


To configure Symantec Network Security, first populate the topology database to provide key information about your network. Collect this key information described in the Gathering information section. After you add this information to the database, you can edit it at any time by modifying the tree, and adjust to new information, network reorganization, or other changes to the network. This section describes how to edit and delete object information, reverse or save your changes, refresh your view, and back up your topology database, as follows:

Viewing auto-generated objects
Viewing node details
Viewing node status
Adding objects for the first time
Editing objects
Deleting objects
Reverting changes
Saving changes
Forcing nodes to synchronize
Backing up changes

Viewing auto-generated objects


The installation process automatically creates a number of objects in the topology tree. These objects can be renamed and configured, and in some cases, you can add more of them to the topology tree. For example, the installation process creates an object for one location in the topology tree, called Enterprise by default. You can add more location objects to represent other locations. Symantec Network Security also automatically creates objects for managed network segments in the topology tree. See the following for related information: See About location objects on page 86. See About managed network segments on page 112.

Viewing node details


When you click an object in the topology tree, the Network Security console displays the description, if applicable, and other pertinent details about the software or appliance node, such as its IP address or subnet mask. To view node details

On the Devices tab, click the corresponding device object. The Network Security console displays the details and optional description in the right pane.

Viewing node status


The Network Security console displays an object in the topology tree representing devices and interfaces in the network. When a software or appliance node experiences a process failure of any kind, the Network Security console displays the node with a red X, called the Node Status Indicator. This signifies that Network Security processes or connectivity to the network has failed. To view node status

On the Devices tab, see the Node Status Indicator for any software or appliance node. A red X or Node Status Indicator signifies that Network Security processes or network connectivity failed on a software or appliance node.


Adding objects for the first time


To populate the topology database by adding objects to the tree, follow the instructions below. To add or edit objects in an existing topology tree, proceed directly to step 8.

To populate the topology tree
1 On the Devices tab, click Topology > Expand All Objects to see the entire network topology tree. It contains default objects created during the initial installation procedure.
2 Right-click the default location object (Enterprise) created during the initial install, click Edit, and replace the default name Enterprise with a meaningful name. See Viewing auto-generated objects on page 81.
3 Right-click the default Symantec Network Security node for the master node, click Edit, and replace the default name with a meaningful name. This object was automatically added to the network topology tree during the initial installation, assigned the status of master node, and node number of 1.
Note: Valid node numbers range from 1 to 120, inclusive. Do not use a node number over 120, or change the node number after it has been assigned. See Editing objects on page 83.
4 Right-click the location object (Enterprise by default) or Network Devices, click Add, and add network device objects. See About router objects on page 105.
5 For each network device object, create an interface object for the interfaces you want Symantec Network Security to either be aware of or to monitor. See About nodes and interfaces on page 88.
6 Click Topology > Save Changes to save the network topology tree. You will lose any unsaved changes when you exit. See Saving changes on page 84.
7 Ensure that the Symantec Network Security software or appliance node can be detected. If the node cannot be detected, its corresponding object in the topology tree is marked with an X. See Viewing node status on page 81.
8 If the node can be detected, continue to build your network topology by adding the following objects:
Locations: See About location objects on page 86.
Nodes and interfaces: See About nodes and interfaces on page 88.
Network devices: See About router objects on page 105.
Smart Agents: See About Smart Agents on page 108.
Managed Network Segments: See About managed network segments on page 112.

Editing objects
The Network Security console provides a way to edit any user-created object, and some default objects.

To edit an object
1 On the Devices tab, right-click the object you want to edit, and then click Edit.
2 Edit each field as necessary, and click OK to save and exit.

For the fields of each type of object, see the following:
About location objects
About nodes and interfaces
About router objects
About Smart Agents
About managed network segments

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

Note: SuperUsers can add, edit, and delete Symantec Network Security software and appliance nodes. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot add, edit, or delete them. See User groups reference on page 353 for more about permissions.

Deleting objects
This section describes how to delete nodes, objects, and interface objects not created automatically during installation.

Caution: When an object is deleted, all of its sub-objects are also deleted.

To delete an object
1 On the Devices tab, right-click the object in the topology tree, and click Delete.
2 In Warning, click OK.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

Note: SuperUsers can add, edit, and delete any nodes (both software and appliance nodes) or objects that they create. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot add, edit, or delete them. See User groups reference on page 353 for more about permissions.

Reverting changes
The Network Security console provides a way to undo, cancel, or revert changes to the topology tree, if you change your mind before saving.

Note: SuperUsers and Administrators can undo, cancel, or revert changes to the topology tree; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

To undo changes to the topology tree
1 On the main menu bar, click Topology > Revert Changes before saving changes.
2 In Warning, click Discard.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

Saving changes
The Network Security console provides a way to save all changes to the topology tree. Any unsaved changes will be lost upon quitting the Network Security console.


To save changes to the topology tree

On the main menu bar, click Topology > Save Changes before quitting the Network Security console. It can take a few minutes for topology changes to process.

Caution: Any unsaved changes are lost when you exit the Network Security console.

Forcing nodes to synchronize


The Network Security console provides a way to eliminate the time lag before a database synchronization occurs by using Force Database Sync. When you finish making topology edits and saving them, use this option to synchronize the cluster with the changes. The operation takes a few minutes.

Note: With a SuperUser or Administrator account, you must save topology edits before performing this step, and you are given the option to do so if there are unsaved changes when the item is selected. See User groups reference on page 353.

To synchronize all databases to the master
1 Save all changes before you force a database synchronization. See Saving changes on page 84.
2 On the main menu bar, click Admin > Force Database Sync.
3 In Confirmation, click OK to cause all synchronized databases in the cluster to synchronize with the most recent master copy.
4 In Success, click OK to close.

Note: You can see when the synchronization process has completed in the Devices tab, by clicking the node. In the right pane under Status Information For, see Last Database Sync.

Backing up changes
We recommend that you back up the topology database on a regular basis. See Backing up and restoring on page 332.


Adding nodes and objects


This section describes in detail how to add the following individual objects using the network information described in the Gathering information section:

About location objects
About nodes and interfaces
About Network Security software nodes
About 7100 Series appliance nodes
About router objects
About Smart Agents
About managed network segments

About location objects


The Symantec Network Security installation process automatically adds one location named Enterprise. A location object represents any physical or logical group of managed network segments. Each location must contain one or more network segments. A cluster of Symantec Network Security nodes can contain multiple locations, and you can add more objects to represent them. At least one location object must exist in the topology tree before you can add software or appliance nodes, device objects, or interface objects.

Note: SuperUsers can edit the default location object, add nodes and objects under it, and can create additional location objects; Administrators, StandardUsers, and RestrictedUsers can view it. See User groups reference on page 353 for more information about permissions.


Adding or editing location objects


We recommend that you review the procedure before you add or edit a location object.

To add or edit a location object

1 On the Devices tab, do one of the following:

    Click Topology > Add Location.
    Right-click an existing location object (Enterprise by default), and click Edit from the pop-up menu.

2 In Add Location or Edit Location, enter a descriptive name for the location of up to 40 characters. This name appears in the topology tree. See Name on page 79.

3 In Customer ID, enter an optional customer ID of up to 40 characters long. See User name and passphrases on page 79.

4 Click Color, and select a color to associate with this location. At a glance, you can view the Incidents tab and see by the color which incidents and events were detected in this location. You can select any color except white. Click OK or Reset.

5 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.


Under any location object, SuperUsers can add the following nodes and objects:

See About router objects on page 105.
See About nodes and interfaces on page 88.
See About Smart Agents on page 108.
See Deleting objects on page 83.

About nodes and interfaces


Under Enterprise, the location object created automatically during the installation process, SuperUsers can add objects to represent each software node and 7100 Series appliance node, as follows:

Network Security software nodes: The objects that represent Symantec Network Security software installed on designated computers. See Adding or editing software nodes on page 89.

7100 Series appliance nodes: The objects that represent Symantec Network Security software installed on the new Symantec Network Security 7100 Series appliance. See Adding or editing 7100 Series nodes on page 95.

Node interfaces: Interface objects represent the point of contact between Symantec Network Security and the devices in the network. Some interface objects are mandatory, others are optional. See About monitoring interfaces on software nodes on page 92. See About 7100 Series interfaces on page 98. See About router interfaces on page 107. See About Smart Agent interfaces on page 111.

Note: SuperUsers can add, edit, and delete both software and appliance nodes. Administrators, StandardUsers, and RestrictedUsers can only view them. See User groups reference on page 353 for more about permissions.


About Network Security software nodes


Under Enterprise, the location object created automatically during the installation process, SuperUsers can add an object to the topology tree to represent each software node.

Adding or editing software nodes


The Network Security console provides a way to add and edit software nodes and view the Advanced Network Options. The installation process populates the fields in the Advanced Network Options tab.

To add or edit a software node

1 On the Devices tab, do one of the following:

    Right-click Symantec Network Security Nodes, and select Add Node > Software Node > OK.
    Right-click an existing node, and click Edit from the pop-up menu.

2 In Add Software Node or Edit Software Node, enter a descriptive name of up to 40 characters for the device. This name appears in the topology tree. See Name on page 79.

3 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.

4 In IP, enter the IP address for the node. You can position Symantec Network Security in front of and/or behind a NAT device. If behind, provide a local IP address and an administration IP address. Use the administration IP address when adding the node to the topology tree.

Note: If you change the IP address of a physical node, you must edit the Advanced Network Options tab. Verify that the values in the Netmask and Default Router fields are valid for the new IP address. See Viewing advanced network options on page 91.

5 In Node Number, enter a unique node number between 2 and 120, inclusive, not assigned to any other node in the cluster.

Note: Use this same number when you install Symantec Network Security on the designated computer. See Node number on page 79.

6 In Monitoring Group, select a group from the pull-down list.

7 In Failover Group Information, do one of the following:

    If you do not want to provide failover, proceed to the next step.
    If you want to provide failover, click Failover Group Member, and provide a Failover Group Number between 1 and 99, inclusive. All nodes within the failover group must use the same group number. See Establishing high availability failover on page 322.

8 Do one of the following:

    If adding a software node in a cluster, in Master Node Sync Information, enter the synchronization password. Use the same passphrase when you install Symantec Network Security on the designated computer. See Synchronization passphrases on page 80.
    If editing a software node, proceed to the next step.

9 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Note: After adding a software node to the topology tree, you must install Symantec Network Security on the designated computer. The installation process populates the fields in the Advanced Network Options tab. See Viewing advanced network options on page 91.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

For the sensor to run, you must add interfaces and a protection policy to each interface. To enable TrackBack to query flow data from this node, you must apply the sensor parameter for flow statistics, and execute the TrackBack response rule.

See About monitoring interfaces on software nodes on page 92.
See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Deleting objects on page 83.

Viewing advanced network options


The Advanced Network Options tab contains information about the designated computer that this node represents in the topology tree. The installation process automatically provides this information. The Advanced Network Options tab now provides a way to edit the node from the Network Security console after installation. You can add a NAT device, for example, and assign a private IP address after installation. When you edit the node, the Network Security console determines whether the IP address of the node has changed. If so, it prompts you to reboot. It modifies the topology database on the single node and the master node, in that order, and ensures that during synchronization, the data on the master node takes precedence.

To view the advanced network options

1 On the Devices tab, right-click an existing node, and click Edit from the pop-up menu.

2 In Edit Software Node, click the Advanced Network Options tab.

The following list describes the advanced network option fields:

Local IP: Indicates the internal IP address for a node behind a NAT router.
Netmask: Indicates which part of the node's IP address applies to the network. Required field.
Default Router: Indicates the IP address of the router that sends network traffic to and from the node. Required field.
DNS Server 1: Indicates the primary Domain Name Service server for the node, which maps hostnames to IP addresses.
DNS Server 2: Indicates the secondary Domain Name Service server for the node.
Hostname: Indicates the name of the host.

Note: You must reboot the node after editing these fields.

See About monitoring interfaces on software nodes on page 92.

About monitoring interfaces on software nodes


Monitoring interfaces communicate between the Symantec Network Security software or appliance node, and the network device, such as a router. The software or appliance node receives data about traffic on the router via the monitoring interface. SuperUsers can add objects to represent monitoring interfaces that connect software or appliance nodes to network devices.


Adding or editing monitoring interface on software nodes


The Network Security console provides a way to add monitoring interfaces to the topology tree.

To add or edit a monitoring interface on a software node

1 On the Devices tab, do one of the following:

    Right-click the software node, and select Add Monitoring Interface from the pop-up menu.
    Right-click an existing monitoring interface object, and click Edit from the pop-up menu.

2 In Add Monitoring Interface or Edit Monitoring Interface, enter a descriptive name.

3 In Interface Name, enter the interface name. If entered incorrectly, the monitoring interface will not function. See Name on page 79.

4 In Customer ID, enter an optional Customer ID. See Customer IDs on page 79.

5 In Expected Throughput, select the expected throughput from the pull-down list.

6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

See Deleting objects on page 83.

Adding or editing monitored networks


The Networks tab lists the networks that this interface monitors. Replace the default entry with valid monitored networks before starting a sensor on the interface.

To add or edit monitored networks

1 In Add Monitoring Interface or Edit Monitoring Interface, on the Networks tab, do one of the following:

    Click Add.
    Select a monitored network, and click Edit.

2 In Add Network or Edit Network, replace the default 0.0.0.0/0 with all valid network IP addresses monitored by this interface, in CIDR format.

3 Click OK.

Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.


About 7100 Series appliance nodes


Under Enterprise, the location object created automatically during the installation process, SuperUsers can add objects to represent each Symantec Network Security 7100 Series appliance node.

Adding or editing 7100 Series nodes


The Network Security console provides a way to add or edit Symantec Network Security 7100 Series nodes. The fields in the Advanced Network Options tab remain blank until the initial configuration process populates them. After installation, you can view the Advanced Network Options.

To add or edit a 7100 Series node

1 On the Devices tab, do one of the following:

    Right-click Symantec Network Security Nodes, and select Add Node > 7100 Series Node > Select A Model. Click the desired model number and click OK.
    Right-click an existing node, and click Edit on the pop-up menu.

Note: The model number of a 7100 Series node cannot be edited. To change it, you must delete the node object and add a new one using the desired model number.

2 In Add 7100 Series Node or Edit 7100 Series Node, enter a descriptive name of up to 40 characters for the device. This name appears in the topology tree. See Name on page 79.

3 In Customer ID, enter an optional customer ID of up to 40 characters. See Customer IDs on page 79.

4 In IP, enter the IP address for the node. If the node is behind a NAT router, this IP address is the publicly visible address.

Note: If you change the IP address of a node, a prompt requests you to edit settings in the Advanced Network Options tab. Make sure the values in the Netmask and Default Router fields are valid for the new IP address. See Viewing advanced network options on page 97.

5 In Node Number, enter a unique node number between 2 and 120, inclusive, that is not assigned to any other node in the cluster.

Note: Use this same number for the QSP Node Number during initial configuration on the designated appliance. See Node number on page 79.

6 In Monitoring Group, select a group from the pull-down list.

7 In Failover Group Information, do one of the following:

    If you do not want to provide failover, proceed to the next step.
    If you want to provide failover, click Failover Group Member, and provide a Failover Group Number between 1 and 100, inclusive. All nodes within the failover group must use the same group number. See Establishing high availability failover on page 322.

8 Do one of the following:

    If adding a 7100 Series node in a cluster, in Master Node Sync Information, enter the synchronization password. Use the same passphrase for the Master Node Password during initial configuration on the designated appliance. See Synchronization passphrases on page 80.
    If editing a 7100 Series node, proceed to the next step.

9 In Description, enter an optional description of up to 255 characters, and click OK. You may want to enter the serial number of the appliance here for later reference. The serial number is found on the label on the back panel of the appliance, with the prefix S/N. See Description on page 79.

Note: After adding a 7100 Series node to the topology tree, you must perform initial configuration on the designated appliance. The initial configuration process populates the fields in the Advanced Network Options tab. See Viewing advanced network options on page 97.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

Adding the 7100 Series node automatically creates the interface objects. You cannot add or delete interfaces on a 7100 Series node, but you can create interface groups or in-line pairs from the existing interfaces on the node. For the sensor to run, you must add a protection policy to each interface, interface group, or in-line pair. To enable TrackBack to query flow data from this node, you must apply the sensor parameter for flow statistics, and execute the TrackBack response rule.

See About 7100 Series interfaces on page 98.
See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Deleting objects on page 83.
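The node procedures above (software nodes and 7100 Series nodes) share a handful of constraints that are easy to get wrong by hand: node numbers 2 to 120 that are unique in the cluster, a failover group number in range (1 to 99 for software nodes, 1 to 100 for 7100 Series nodes per the two procedures) that every group member shares, and Netmask and Default Router values that are still valid after an IP address change. The following Python script, added here as an example and not part of the guide or the product, checks a constructed list of node records before they are typed into the console. The record layout (a dict per node with name, kind, node_number, ip, netmask, default_router, failover_group) is an assumption of this example, not an export format of Symantec Network Security.

```python
import ipaddress

# Limits stated in the guide: node numbers 2..120, unique in the cluster;
# failover group numbers 1..99 for software nodes, 1..100 for 7100 Series
# nodes; every member of a failover group uses the same group number.
NODE_NUMBER_RANGE = range(2, 121)
FAILOVER_GROUP_MAX = {"software": 99, "7100": 100}


def check_node(node):
    """Return a list of problems with one node record (empty list = OK)."""
    problems = []
    kind = node.get("kind")
    if kind not in FAILOVER_GROUP_MAX:
        problems.append(f"{node['name']}: unknown node kind {kind!r}")
        return problems
    if node.get("node_number") not in NODE_NUMBER_RANGE:
        problems.append(f"{node['name']}: node number must be between 2 and 120")
    fg = node.get("failover_group")
    if fg is not None and not 1 <= fg <= FAILOVER_GROUP_MAX[kind]:
        problems.append(
            f"{node['name']}: failover group number {fg} out of range for {kind} node")
    # Advanced Network Options consistency: after an IP change the guide says
    # to re-check Netmask and Default Router. The router must sit on the
    # node's own subnet and must not be the node's own address.
    try:
        iface = ipaddress.ip_interface(f"{node['ip']}/{node['netmask']}")
        router = ipaddress.ip_address(node["default_router"])
    except (KeyError, ValueError) as exc:
        problems.append(f"{node['name']}: bad IP/netmask/default router ({exc})")
        return problems
    if router not in iface.network or router == iface.ip:
        problems.append(
            f"{node['name']}: default router {router} not on subnet {iface.network}")
    return problems


def check_cluster(nodes):
    """Per-node checks plus the cluster-wide uniqueness and failover rules."""
    problems = []
    by_number = {}
    for n in nodes:
        problems.extend(check_node(n))
        by_number.setdefault(n.get("node_number"), []).append(n["name"])
    for num, names in by_number.items():
        if len(names) > 1:
            problems.append(f"node number {num} reused by {', '.join(sorted(names))}")
    # A failover group with a single member provides no failover at all.
    groups = {}
    for n in nodes:
        if n.get("failover_group") is not None:
            groups.setdefault(n["failover_group"], []).append(n["name"])
    for num, names in groups.items():
        if len(names) < 2:
            problems.append(f"failover group {num} has a single member ({names[0]})")
    return problems


# Constructed sample cluster (addresses and names invented for this example).
SAMPLE_CLUSTER = [
    {"name": "sns-master", "kind": "software", "node_number": 2, "ip": "10.20.0.10",
     "netmask": "255.255.255.0", "default_router": "10.20.0.1", "failover_group": None},
    {"name": "sns-dc1", "kind": "7100", "node_number": 3, "ip": "10.20.1.10",
     "netmask": "255.255.255.0", "default_router": "10.20.1.1", "failover_group": 7},
    {"name": "sns-dc1-standby", "kind": "7100", "node_number": 4, "ip": "10.20.1.11",
     "netmask": "255.255.255.0", "default_router": "10.20.1.1", "failover_group": 7},
    # Deliberately broken: reused node number, software failover group above 99,
    # default router on a different subnet, and a failover group of one.
    {"name": "sns-bad", "kind": "software", "node_number": 4, "ip": "10.20.2.10",
     "netmask": "255.255.255.0", "default_router": "10.20.9.1", "failover_group": 100},
]

if __name__ == "__main__":
    for problem in check_cluster(SAMPLE_CLUSTER):
        print("PROBLEM:", problem)
```

Run it before saving the topology: the sample reports four problems, all on the deliberately broken record, and an empty list for a clean cluster.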

Viewing advanced network options


The Advanced Network Options tab contains information about the designated appliance that this node represents in the topology tree. The initial configuration process automatically provides this information. The fields remain blank until then. After physical installation and initial configuration, you can edit the node object and click the Advanced Network Options tab to view the populated fields.


To view the advanced network options

1 On the Devices tab, right-click an existing 7100 Series node, and click Edit on the pop-up menu.

2 In Edit 7100 Series Node, click the Advanced Network Options tab.

The following list describes the advanced network option fields for a 7100 Series node:

Local IP: Indicates the internal IP address for a node behind a NAT router.
Netmask: Indicates which part of the node's IP address applies to the network. Required field.
Default Router: Indicates the IP address of the router that sends network traffic to and from the node. Required field.
DNS Server 1: Indicates the primary Domain Name Service server for the node, which maps hostnames to IP addresses.
DNS Server 2: Indicates the secondary Domain Name Service server for the node.
Hostname: Indicates the hostname of the 7100 Series node.

Note: See the Symantec Network Security 7100 Series Implementation Guide to find out how to change the IP address of a node using the LCD panel.

See Editing monitoring interfaces on 7100 Series nodes on page 99.
See Adding or editing interface groups on page 101.
See Adding or editing in-line pairs on page 103.

About 7100 Series interfaces


Each Symantec Network Security 7100 Series interface is a point of contact between the 7100 Series node and a network device. The node accesses traffic on the network device via the interface. There are three interface types available on a 7100 Series node:

Monitoring interface: A single interface that monitors network traffic copied to it from a network device. Also known as a passive mode interface. Monitoring interface objects are added by default when a node object is added, and should be edited.

Interface group: Two to four passive mode interfaces sharing a single sensor. Used in an asymmetrically routed environment.

In-line pair: Two interfaces cabled into the actual network traffic path, and configured for in-line mode. Allows blocking of malicious traffic.

The monitoring interface objects of a 7100 Series appliance node are automatically generated when the node is added to the topology. You cannot manually add or delete monitoring interfaces, but you must edit them to ensure that Network Security functions properly. SuperUsers can add, edit, or delete interface group and in-line pair objects. This section describes the following procedures:

Editing monitoring interfaces on 7100 Series nodes
Adding or editing interface groups
Adding or editing in-line pairs

Editing monitoring interfaces on 7100 Series nodes


The Network Security console provides a way to edit the automatically generated interface objects on a 7100 Series node. It is especially important that you enter monitored network information on the Networks tab.


To edit a monitoring interface on a 7100 Series node

1 On the Devices tab, right-click an existing monitoring interface object, and click Edit on the pop-up menu.

2 In Edit Monitoring Interface, optionally enter a descriptive name. See Name on page 79.

3 In Customer ID, optionally enter a Customer ID. See Customer IDs on page 79.

4 In Expected Throughput, click the expected throughput on the pull-down list.

5 In TCP Reset Interface, click the reset interface on the pull-down list. The reset interface must be cabled to access the monitored network. See the Symantec Network Security 7100 Series Implementation Guide.

6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Note: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

See Deleting objects on page 83.

Adding or editing monitored networks


The Networks tab lists the networks that this interface monitors. Replace the default entry with valid monitored networks before starting a sensor on the interface.


To add or edit monitored networks

1 In Add Monitoring Interface or Edit Monitoring Interface, on the Networks tab, do one of the following:

    Click Add.
    Select a monitored network, and click Edit.

2 In Add Network or Edit Network, replace the default 0.0.0.0/0 with all valid network IP addresses monitored by this interface, in CIDR format.

3 Click OK.

Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor on the interface. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.
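The same caution about the Networks tab applies to monitoring interfaces on software nodes, to the interface objects on 7100 Series nodes, and (below) to interface groups and in-line pairs: the sensor must not start with the 0.0.0.0/0 placeholder, and each entry must be a valid CIDR network. The following Python function, added here as an example and not part of the guide or the product, applies those checks to a constructed list of Networks tab entries, and also flags a host address with a prefix (a common typing slip that is not a network) and entries that overlap one another. The entry list format is simply a list of strings as you would type them into Add Network.

```python
import ipaddress

# Placeholder the console puts on the Networks tab; the guide requires
# replacing it before a sensor is started on the interface.
DEFAULT_MONITORED_NETWORK = "0.0.0.0/0"


def check_monitored_networks(entries):
    """Validate the monitored-network entries of one interface.

    Returns a list of human-readable problems; an empty list means the
    entries are acceptable. Checks that every entry parses as a network in
    CIDR notation (no host bits set), that the 0.0.0.0/0 placeholder is
    gone, that no catch-all /0 remains (IPv4 or IPv6), and that entries do
    not overlap each other.
    """
    problems = []
    if not entries:
        problems.append("no monitored networks configured")
        return problems
    accepted = []
    for raw in entries:
        entry = raw.strip()
        if entry == DEFAULT_MONITORED_NETWORK:
            problems.append(f"default placeholder {entry!r} still present")
            continue
        try:
            # strict=True rejects e.g. 10.1.2.3/24, where host bits are set
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append(f"{entry!r} is not a valid CIDR network")
            continue
        if net.prefixlen == 0:
            problems.append(f"{entry!r} matches all addresses")
            continue
        for other in accepted:
            if net.version == other.version and (
                    net.subnet_of(other) or other.subnet_of(net)):
                problems.append(f"{entry!r} overlaps {str(other)!r}")
        accepted.append(net)
    return problems


if __name__ == "__main__":
    # Constructed sample entries for a single interface.
    for sample in (["0.0.0.0/0"],
                   ["10.10.0.0/16", "192.168.5.0/24"],
                   ["10.1.2.3/24", "10.0.0.0/8", "10.5.0.0/16"]):
        print(sample, "->", check_monitored_networks(sample) or "OK")
```

Only an empty result should be accepted before the sensor is started; the second sample passes, the first still carries the placeholder, and the third reports one malformed entry and one overlap.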

Adding or editing interface groups


The Network Security console provides a way to add and edit interface group objects on a 7100 Series node.

To add or edit an interface group

1 On the Devices tab, do one of the following:

    Right-click the 7100 Series node object, and click Add Interface Group on the pop-up menu.
    Right-click an existing interface group object, and click Edit on the pop-up menu.

2 In Add Interface Group or Edit Interface Group, enter a descriptive name. See Name on page 79.

3 In Expected Throughput, click the expected throughput on the pull-down list.

4 In TCP Reset Interface, click the reset interface on the pull-down list. The reset interface must be cabled to access the monitored network. See the Symantec Network Security 7100 Series Implementation Guide.

5 In Description, enter an optional description of up to 255 characters. See Description on page 79.

6 On the Networks tab, click Add, enter the network IP address of all networks monitored by this interface group using CIDR format, and click OK.

Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor on the interface. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.

7 On the Interfaces tab, press Ctrl and click to select multiple interfaces for the interface group, and click OK.

Note: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

See Deleting objects on page 83.


Adding or editing in-line pairs


The Network Security console provides a way to add and edit in-line pair objects on a 7100 Series node.

To add or edit an in-line pair

1 On the Devices tab, do one of the following:

    Right-click the 7100 Series node object, and click Add In-line Pair on the pop-up menu.
    Right-click an existing in-line pair object, and click Edit on the pop-up menu.

2 In Add In-line Pair or Edit In-line Pair, enter a descriptive name. See Name on page 79.

3 In Expected Throughput, click the expected throughput on the pull-down list.

4 In Pair, click the interface pair on the drop-down list. The selected interfaces must be cabled for in-line mode. See the Symantec Network Security 7100 Series Implementation Guide.

5 In Description, enter an optional description of up to 255 characters. See Description on page 79.

6 On the Networks tab, click Add, enter a network IP address in CIDR format, and click OK. Enter all networks monitored by this in-line pair.

Caution: You must replace the default entry (0.0.0.0/0) in the Networks tab with valid monitored networks in CIDR format before starting a sensor on the interface. If you fail to take this step, the database can fill with invalid data and result in a loss of detection and alerting functionality.

7 Click OK to add the in-line pair object to the topology.

Note: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

See Deleting objects on page 83.

Configuring link state


Symantec Network Security provides reliable auto-negotiation that functions well under most circumstances. However, if you prefer to configure link state manually, the Network Security console provides a way to do so for interface objects on 7120 and 7160 appliance nodes. This feature is not available on 7161 appliances with fiber interfaces (re1000g0-re1000g3) or on software nodes.

When auto-negotiation is enabled, Symantec Network Security automatically regulates the link speed (how fast data is transmitted along a communications channel) and link duplex (whether data can be transmitted in two directions simultaneously, or in one direction only). Symantec Network Security also automatically regulates both ends of the connection in the same way.

When auto-negotiation is disabled, you can select link speed and link duplex. You must also configure the other end of the connection in the same way. For example, if you set one end to half-duplex and the other to full-duplex, or one link speed to 10 and the other to 100, unexpected behavior will result.

You can set automatic Link On Active in a failover group, so that Symantec Network Security automatically ignores the interface on a failed machine and seeks that of the standby in the event of a failure. Enable this feature on nodes that are part of a failover group, and disable it on nodes that stand alone. See also Establishing high availability failover on page 322.

Link state is also affected by the Enable PLSC (Propagate Link State Change) configurable parameter. When enabled, if the link fails on one interface in an in-line pair, this parameter propagates the failure to the other in the pair.

The link state default is set to enable auto-negotiation for optimum performance and does not need to be changed under most circumstances. Consider disabling auto-negotiation only if you have a thorough understanding of both manual link state negotiation and link failure propagation.
See also Enable PLSC (Propagate Link State Change) on page 184.


To configure link state

1 On the Devices tab, right-click an appliance node interface object, and click Configure Link State from the pop-up menu.

2 In Link On Active, do one of the following:

    Select Enable if the node is part of a failover setup.
    Select Disable if the node is not part of a failover setup.

3 In Link State Configuration: eth0, do one of the following:

    Select Auto-Negotiate to enable Symantec Network Security to automatically select link speed and link duplex at both ends of the connection.
    Deselect Auto-Negotiate to manually configure the link speed and link duplex for the interface. Note that you must also apply the same link speed and link duplex settings at the other end of the connection as well.

4 In Link Speed (Mbps), select a speed from the pull-down menu. Link Speed is disabled when Auto-negotiate is enabled.

5 In Link Duplex, do one of the following:

    Select the Half radio button to choose half-duplex. Half-duplex is invalid if the link speed is set at 1000 Mbps.
    Select the Full radio button to choose full-duplex.

    Link Duplex is disabled when Auto-negotiate is enabled.

6 Click OK to save and close.
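The procedure above only configures the appliance end of the cable; the mismatches the text warns about (half-duplex against full-duplex, 10 against 100, half-duplex at 1000 Mbps, Link On Active set on a stand-alone node) are only visible when both ends are compared. The following Python snippet, added here as an example and not part of the guide or the product, models the Link State Configuration dialog as a small record and checks the appliance interface against the switch or router port it is cabled to. The record layout and the link_config helper are assumptions of this example; the speed and duplex values are those the dialog offers.

```python
# Link speeds the Link Speed (Mbps) pull-down offers for a copper interface.
VALID_SPEEDS = (10, 100, 1000)


def link_config(auto_negotiate=True, speed=None, duplex=None, link_on_active=False):
    """One end of a link, as set in the Configure Link State dialog."""
    return {"auto": auto_negotiate, "speed": speed, "duplex": duplex,
            "link_on_active": link_on_active}


def check_link_end(cfg, in_failover_group):
    """Problems with the appliance end considered on its own."""
    problems = []
    # Link On Active belongs on failover group members only.
    if cfg["link_on_active"] != in_failover_group:
        problems.append("Link On Active should be enabled only on failover group members")
    if cfg["auto"]:
        return problems  # Link Speed and Link Duplex are disabled in the dialog
    if cfg["speed"] not in VALID_SPEEDS:
        problems.append(f"unsupported manual link speed {cfg['speed']!r}")
    if cfg["duplex"] not in ("half", "full"):
        problems.append(f"unsupported duplex {cfg['duplex']!r}")
    elif cfg["duplex"] == "half" and cfg["speed"] == 1000:
        problems.append("half-duplex is invalid at 1000 Mbps")
    return problems


def check_link_pair(appliance_end, peer_end, in_failover_group=False):
    """Check both ends of one cable: the appliance interface and its peer port."""
    problems = [f"appliance: {p}" for p in check_link_end(appliance_end, in_failover_group)]
    if appliance_end["auto"] != peer_end["auto"]:
        problems.append("one end auto-negotiates while the other is fixed; "
                        "configure both ends the same way")
        return problems
    if appliance_end["auto"]:
        return problems  # both ends negotiate; nothing further to compare
    if appliance_end["speed"] != peer_end["speed"]:
        problems.append(f"link speed mismatch: {appliance_end['speed']} vs "
                        f"{peer_end['speed']} Mbps")
    if appliance_end["duplex"] != peer_end["duplex"]:
        problems.append(f"duplex mismatch: {appliance_end['duplex']} vs "
                        f"{peer_end['duplex']}")
    return problems


if __name__ == "__main__":
    # Constructed cases: the default, a matching manual setup, and the
    # mismatches the guide warns about.
    cases = {
        "both auto": (link_config(), link_config(), False),
        "100/full both ends": (link_config(False, 100, "full"), link_config(False, 100, "full"), False),
        "half vs full": (link_config(False, 100, "half"), link_config(False, 100, "full"), False),
        "1000 half": (link_config(False, 1000, "half"), link_config(False, 1000, "half"), False),
        "fixed vs auto": (link_config(False, 10, "full"), link_config(), False),
        "stand-alone with Link On Active": (link_config(link_on_active=True), link_config(), False),
    }
    for label, (a, b, fo) in cases.items():
        print(f"{label}: {check_link_pair(a, b, fo) or 'OK'}")
```

Keep the default (both ends auto-negotiating) unless the peer device is known to be fixed; when it is, the check should come back empty for the appliance end before the sensor is started.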

See also Establishing high availability failover on page 322. See also Enable PLSC (Propagate Link State Change) on page 184.

About router objects


Routers store data packets and forward them along the most expedient route between hosts or networks. Symantec Network Security monitors this connection. Add an object to the topology tree to represent each router that you want Symantec Network Security to monitor. If you plan to enable the TrackBack response action to read flow data exported from routers, you must add router objects and corresponding interface objects to the topology tree.


Adding or editing router objects


The Network Security console provides a way to add router objects to the topology tree.

To add or edit a router object

1 On the Devices tab, do one of the following:

    Right-click Network Devices or Location (Enterprise by default), and select Add Router from the pop-up menu.
    Right-click an existing router object, and click Edit from the pop-up menu.

2 In Add Router or Edit Router, enter a descriptive name of up to 40 characters for the device. See Name on page 79.

3 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.

4 In IP, enter the IP address for the device.

5 In SNMP, enter an optional SNMP password of up to 64 characters, and confirm it.

6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.


Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

To enable TrackBack to query flow data from a router, you must add interfaces to each router object, apply the sensor parameter for flow statistics, and execute the TrackBack response rule. You can also view flow data from routers and enable flow alert rules.

See About router interfaces on page 107.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Managing flow alert rules on page 162.
See Deleting objects on page 83.

About router interfaces


An interface object represents each router interface through which Symantec Network Security tracks attacks.

Adding or editing router interface objects


The Network Security console provides a way to add interface objects in the topology tree to represent each router interface through which you want Symantec Network Security to track attacks.


To add or edit a router interface object

1 On the Devices tab, do one of the following:

    Right-click the router object, and click Add Interface from the pop-up menu.
    Right-click an existing router interface object, and click Edit from the pop-up menu.

2 In Add Router Interface or Edit Router Interface, enter a descriptive name up to 40 characters long. See Name on page 79.

3 In Interface Name, enter the name of the interface, following the manufacturer's interface naming convention. See Interface name on page 80.

4 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.

5 In IP, enter the IP address for the interface.

6 In Netmask, enter the netmask for the interface.

7 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

If you add an interface within a network segment that does not yet have an object in the topology tree, Symantec Network Security automatically creates an object for the new network segment under the Managed Network Segments category. You can edit the default name (Untitled) and description for this new network segment object.

See About managed network segments on page 112.
See Deleting objects on page 83.

About Smart Agents


Symantec Network Security Smart Agents (also called Symantec Smart Agents) are translation software that enable Symantec Network Security to receive event data from external sensors, and correlate that data with all other events. Smart Agents expand the security umbrella and enhance the threat detection value of existing security assets by aggregating third-party intrusion events into Symantec Network Security, which leverages its correlation, analysis, and response functionality. Symantec Network Security contains an internal Smart Agent configuration to integrate Symantec Decoy Server events. To integrate events from any other external sensor, you must install an external Smart Agent designed for that sensor, and add a Smart Agent object to the topology tree to represent it.

Adding or editing Smart Agent objects


The Network Security console provides a way to add Smart Agent objects to the topology tree.

To add or edit a Smart Agent object
1 On the Devices tab, do one of the following:
  - Right-click Enterprise or Smart Agents, and select Add Smart Agent from the pop-up menu.
  - Right-click an existing Smart Agent object, and click Edit from the pop-up menu.
2 In Add Smart Agent or Edit Smart Agent, enter a descriptive name of up to 40 characters for the device. This name appears in the topology tree. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.
4 In IP, enter the IP address for the device.
5 In Type, select the type from the pull-down list.
6 In Receiver, select from the pull-down list the node that receives data from this Smart Agent.
7 In EDP Password, do one of the following:
  - If you are adding a new Smart Agent, provide a password between 8 and 64 characters long, which Symantec Network Security uses to communicate with the Smart Agent through the EDP (Event Dispatch Protocol) proxy.
  - If you are editing an existing Smart Agent, you cannot directly edit the EDP Password. To change the EDP Password, you must delete the object, create a new object, and provide the desired password. See Deleting objects on page 83. See also Changing passphrases on page 314.
8 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

You can add interface objects to each Smart Agent object in the topology tree. For the sensor to run, you must add interfaces and at least one protection policy to the interface. To enable TrackBack to query flow data from this object, you must apply the sensor parameter for flow statistics, and execute the TrackBack response rule.

See About Smart Agent interfaces on page 111.
See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Integrating with Symantec Decoy Server on page 319.
See Deleting objects on page 83.

Populating the topology database Adding nodes and objects

111

About Smart Agent interfaces


Smart Agent interface objects serve as a visual reminder of the location of any Symantec Network Security Smart Agents in the network. They also make those interfaces known to Symantec Network Security for the TrackBack response action. You do not need to add the optional Smart Agent interface objects for Symantec Network Security to accept event data from the Smart Agents. However, to apply the TrackBack response action, you must add objects to represent these interfaces.

Adding or editing Smart Agent interface objects


The Network Security console provides a way to add and edit Smart Agent interface objects on the topology tree.

To add or edit a Smart Agent interface object
1 On the Devices tab, do one of the following:
  - Right-click the Smart Agent object for which you want to create an interface, and click Add Smart Agent Interface from the pop-up menu.
  - Right-click an existing Smart Agent Interface object, and click Edit from the pop-up menu.
2 In Add Smart Agent Interface or Edit Smart Agent Interface, enter a descriptive name. See Name on page 79.
3 In Customer ID, enter an optional customer ID of up to 40 characters long. See Customer IDs on page 79.
4 In IP, enter the IP address for the interface.
5 In Netmask, enter the netmask for the interface.
6 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

See Defining new protection policies on page 124.
See Enable Flow Statistics Collection on page 171.
See Setting TrackBack response action on page 154.
See Deleting objects on page 83.

About managed network segments


Managed network segments include each unique subnet in which the network devices and interfaces reside. The Network Security console automatically creates an object in the topology tree to represent each such managed network segment in your network. Each time you add a new interface object, Symantec Network Security adds a new object for the network segment in which the interface resides, if not already represented. SuperUsers can edit the default name (Untitled) and the description.

Editing network segment objects


The Network Security console provides a way to edit the automatically created network segment objects on the topology tree.

To edit a network segment object
1 On the Devices tab, right-click an object under a managed network segment, and click Edit.
2 In Edit Network Segment, enter a descriptive name of up to 40 characters for the network segment. This name appears in the topology tree. See Name on page 79.
3 In Description, enter an optional description of up to 255 characters, and click OK. See Description on page 79.

Caution: Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

Chapter

Protection policies

This chapter includes the following topics:
  - About protection policies
  - Using protection policies
  - Adjusting the view of event types
  - Enabling or disabling logging rules
  - Defining new protection policies
  - Updating policies automatically
  - Annotating policies and events
  - Backing up protection policies

About protection policies


Symantec Network Security provides new functionality called protection policies, which use multiple components, such as signature and protocol anomaly detection, to take action directly at the point of entry into the network. Protection policies enable users to tailor the protection based on security policies and business need. Policies can be tuned by threat category, severity, intent, reliability, and profile of protected resources. Common or individualized policies can be applied per sensor, for both in-line and passive monitoring.

The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail. For example, when the 7100 Series appliance is deployed in-line, it can perform session-based blocking against malicious traffic and prevent attacks from reaching their targets.

Responding to malicious or suspicious events


Starting with a basic understanding of the usual traffic patterns on your network, you can configure Symantec Network Security to respond automatically to threats at the point of entry and beyond:
  - Direct the protection: If the data indicates that unexpected traffic is about to penetrate the firewall or router, you can block it by configuring a protection policy with blocking enabled. The option to block is available only using a Symantec Network Security 7100 Series appliance that is deployed in-line. See Overriding blocking rules globally on page 119.
  - Direct the response: You can configure Symantec Network Security to respond automatically to traffic across the network by configuring a response rule, such as alerting, capturing data, tracking, and more. See Setting response actions on page 147.

Understanding the protection policy work area


The Protection Policies work area contains five tabs as follows:
  - Protection Policies: set policies to interfaces; override blocking rules; apply or unapply policies.
  - Search Events: set search criteria; search; view Search Events; adjust the view of the list; select events to apply logging and/or blocking rules.
  - Full Event List: view the unaltered event list; adjust the view of the list; select events to apply logging and/or blocking rules.
  - Auto Update: configure LiveUpdate so that any new event types that match your criteria are logged.
  - Notes: annotate policies to show notes as tool tips.

The following list describes each tab:

Protection Policies tab: Symantec Network Security installs with a set of pre-defined policies that you can use immediately by setting them to interfaces, overriding existing blocking rules, and applying them.
  - Selecting pre-defined policies
  - Setting policies to interfaces
  - Applying to save changes
  - Overriding blocking rules globally
  - Undoing policy settings

Search Events tab: At first, the Search Events tab displays the full list of event types that the selected policy can detect. You can reduce this list to a more manageable size by setting search parameters. Then the Search Results pane displays a subset of the types of events that you specified. You can apply logging and/or blocking rules from this tab, and add new protection policies that you define yourself.
  - Searching to create a subset of event types
  - Adding or editing user-defined protection policies
  - Enabling or disabling logging rules
  - Enabling or disabling blocking rules

Full Event List tab: The Full Event List displays all event types that the selected policy can detect. Even after you define the display on the Search Events tab, you can use the Full Event List to view the total list of all event types. You can also set logging and blocking rules from this tab.
  - Enabling or disabling logging rules
  - Enabling or disabling blocking rules

Auto Update tab: Provides the ability to establish automatic policy, signature, and engine updates through LiveUpdate.
  - Updating policies automatically

Notes tab: Provides the ability to annotate policies so that your note is displayed as a tool tip when you hover the cursor over the annotated policy.
  - Annotating policies and events

Using protection policies


Symantec Network Security provides a set of pre-defined protection policies that include attack policies, audit policies, and prevention policies. You can immediately activate them by setting them to interfaces and applying them. You can also define your own policies and activate them using the same procedures.

The basic workflow is as follows:
1 Select a protection policy.
2 Set it to interfaces.
3 Click Apply to save. Option: You can also override blocking rules here.

This section describes the following topics:
  - Selecting pre-defined policies
  - Setting policies to interfaces
  - Applying to save changes
  - Overriding blocking rules globally
  - Undoing policy settings

See also the following related topics:
  - Defining new protection policies
  - Enabling or disabling blocking rules

Selecting pre-defined policies


On the Protection Policies tab, you can view all available protection policies in the left pane, and the node interfaces that they are applied to, in the right pane.

To see all available protection policies and interfaces
  - On the Policies tab, click Protection Policies.


Setting policies to interfaces


You can immediately set the Symantec protection policies to work by setting them to specific node interfaces and applying the settings. You can set protection policies to both software and appliance nodes, with some important differences.

To apply a protection policy
1 On the Policies > Protection Policies tab, select a protection policy to apply.
2 Click Set to Interfaces.
3 In Apply Policy to Selected Interfaces, select the interface, in-line pair, or interface group to apply this policy to, and click OK.
4 In the Protection Policies tab, click Apply to save and apply changes.

Note: In a cluster, the master node stores the definitions of protection policies that you apply to slave nodes. If the master node fails or is demoted to slave, the link is broken between applied policies and their definitions. Slave nodes sometimes then appear to have viable policies applied that in reality are disabled. Prevent losing policies through failure by backing up the master node. Prevent losing policies when demoting by reapplying policy definitions to the new master node. See Backing up and restoring on page 332.

Applying to save changes


You can edit multiple protection policies and save multiple changes by clicking Apply. Before you apply protection policies, make sure to set the policies to interfaces. See also Setting policies to interfaces on page 119.

To apply a protection policy
1 On the Policies > Protection Policies tab, select a protection policy to apply.
2 Click Apply to save and apply changes.

Overriding blocking rules globally


The Symantec Network Security 7100 Series now provides the ability to prevent malicious traffic from entering your network. If sensors indicate that unexpected traffic is about to penetrate the firewall or router, you can block it by configuring a protection policy with blocking enabled. You can enable blocking only on in-line interface pairs on a 7100 Series node. To make sure that blocking is enabled at the event list level, see also Enabling or disabling blocking rules on page 128.

To enable or disable blocking on in-line interfaces
1 On the Policies > Protection Policies tab, in the right pane, click an in-line pair.
2 Do one of the following:
  - Click Enable Blocking.
  - Click Disable Blocking.
3 Click Apply to save and apply changes.

Undoing policy settings


This section describes how to remove or revert the application of policies to interfaces.

Unapplying protection policies


The Network Security console provides a way to unapply or remove the application of protection policies from node interfaces.

To unapply a protection policy assignment
1 On the Policies > Protection Policies tab, in the right Policies Applied To Interfaces pane, right-click an interface.
2 Click Unapply Policy from the pop-up list.
3 In the Protection Policies tab, click Apply to save and apply changes.

Removing policies set to interfaces


The Network Security console provides an alternative to unapplying protection policies from interfaces.

To remove policies from interfaces
1 On the Policies > Protection Policies tab, in the left pane, click a protection policy.
2 Click Set to Interfaces.
3 In Apply Policy to Selected Interfaces, uncheck the interface or group of interfaces from which to remove this policy, and click OK.
4 In the Protection Policies tab, click Apply to save and apply changes.

Reverting policy applications


The Network Security console provides a way to revert changes to protection policies if you change your mind before saving. Changes to policies cannot be reverted after they have been saved.

To revert changes to an unsaved protection policy
1 On the Policies > Protection Policies tab, click an unsaved protection policy.
2 Click Revert.
3 In Revert Confirmation, click OK to confirm.

Adjusting the view of event types


The Network Security console provides a way to adjust the view of event types detected by the sensors by searching for event types that match specific characteristics. If an event type is a known characteristic of your network, you can instruct Symantec Network Security not to alert on it by setting logging rules. This section describes the following topics:
  - Searching to create a subset of event types
  - Adjusting the view by columns
  - Viewing event type details

Searching to create a subset of event types


The Network Security console provides search functionality so that you can focus the view on a manageable subset of possible event types with specific characteristics. The policy still detects and acts on the full list of event types; but you have a shorter list to sift through as you decide what to block and what to log. This section describes how to narrow or widen the view by searching for event types that match certain characteristics.

The search workflow is as follows:
1 Set search parameters to select event types that match certain characteristics.
2 Click Logged and/or Blocked to display event types that have logging or blocking rules.
3 Click Search Events to display a manageable subset of event types.

To adjust the view by searching for specific characteristics
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New > Search Events.
  - Select a policy, and click View > Search Events.
  - Select a policy, and click Edit > Search Events.
2 Provide some or all of the following search criteria:
  - In Event Name, enter a name to distinguish this search.
  - In Protocol, select a protocol from the pull-down list.
  - In Category, select a category from the pull-down list.
  - In Severity, set a severity level from the pull-down list.
  - In Confidence, set a confidence level from the pull-down list.
  - In Intent, select an intention from the pull-down list.
  - In Blocked, specify whether you want to view events that have blocking rules applied to them.
  - In Logged, specify whether you want to view events that have logging rules applied to them.
  - In Note, specify the contents of the Note to search for events containing the specified contents.
3 Click Search Events. Search Results displays the total number of items shown in the subset.
4 Click OK to save these search criteria.

Note: Remember that the policy still contains the full list of event types. This search has provided a shorter, more manageable subset to view.


Adjusting the view by columns


Both the Search Events and Full Event List tabs provide a way to adjust the display by selecting, moving, and sorting columns.

To adjust the view of both full and search events
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New.
  - Select a protection policy, and click View.
2 Do one of the following:
  - Click Search Events.
  - Click Full Event List.
3 Click Columns.
4 In Table Column Chooser, click each column that you want to see, unclick each column that you want to hide, and click OK.
5 Optionally, click any column heading to sort the entire table based on that column.
6 Click OK.

Viewing event type details


The Network Security console provides a way to view and clone the pre-defined Symantec protection policies, but you cannot edit or delete them.

To view individual protection policies
1 On the Policies > Protection Policies tab, select a protection policy.
2 Click View.
3 In the Full Event List tab, you can do any or all of the following:
  - View an event description by right-clicking an event type, and clicking View Description to display a detailed description in your browser.
  - View logging and blocking rules by selecting an event type, and clicking Log/Block.
  - Select all event rows by clicking Select All. If the selection includes event types with various settings, then clicking Log/Block does not display the settings.
  - Adjust the view by clicking Columns to sort, move, or display columns. See also Adjusting the view by columns on page 123.
4 Click Cancel to exit.

Defining new protection policies


The Network Security console provides a way to define new policies, and clone and modify existing policies. For software and appliance nodes, you can add logging rules that specify which event types trigger events displayed in the Incidents tab. For 7100 Series appliance nodes, you can add blocking rules that specify which event types to prevent from entering the system.

The workflow for defining a policy is as follows:
1 Click New or Clone to begin defining your new protection policy.
2 Enter a Name for the new protection policy. Optional: Apply search parameters to display a subset of event types.
3 Click Log/Block to set logging and blocking rules in the new policy.
4 Set Logging rules to alert you when specified event types are detected. The alerts are displayed in the Incidents tab. Optional: Select the option to be alerted periodically about non-logged event types.
5 Set Blocking rules to prevent specified event types from entering the network.

This section describes the following procedures:
  - Adding or editing user-defined protection policies
  - Cloning existing protection policies
  - Enabling or disabling logging rules
  - Enabling or disabling blocking rules
  - Overriding blocking rules globally
  - Deleting user-defined protection policies

Adding or editing user-defined protection policies


The Network Security console provides a way to add and edit user-defined protection policies. Symantec protection policies cannot be modified. If you want to modify a Symantec protection policy, clone it and modify the clone.

To add or edit user-defined protection policies
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New.
  - Select an existing protection policy, and click Clone > Edit.
2 In Policy Name, enter a unique name to distinguish this policy.
3 You have the option of doing any or all of the following:
  - In Search Events, you can change the search parameters to display a more manageable subset of event types to apply rules to. See Searching to create a subset of event types on page 121.
  - In Search Results, you can adjust the view. See Adjusting the view by columns on page 123.
4 In Search Results, define the policy by doing any or all of the following:
  - For software and appliance nodes, select event types to apply logging rules to direct the monitoring of events. See Enabling or disabling logging rules on page 126.
  - For 7100 Series appliance nodes only, select event types to apply blocking rules. Software nodes do not currently support blocking rules. See Enabling or disabling blocking rules on page 128.
5 In Search Events, click OK to exit.
6 In the Protection Policies tab, click Apply to save and apply changes.

Cloning existing protection policies


Because Symantec protection policies cannot be edited, if you want to modify a Symantec protection policy, you must clone it and modify the clone.

To clone a protection policy
1 On the Policies > Protection Policies tab, select a protection policy.
2 Click Clone.
3 In Clone Policy, enter a name for the new protection policy, and click OK.
4 In the Policies > Protection Policies tab, select the cloned protection policy.
5 Click Edit to modify the cloned protection policy. See Adding or editing user-defined protection policies on page 125.

Enabling or disabling logging rules


The Network Security console provides the tools to determine how Symantec Network Security monitors the network. Do this by setting logging rules that specify which event types deserve alerting, and which can be ignored. This section describes how to enable or disable event logging rules. Symantec Network Security displays an event in the Incidents tab each time it detects an event type specified by a logging rule. You can also keep tabs on event types that you do not want logged every time they are detected. You can apply the For Every Non-Logged Events Log One Event option to notify you periodically, to prevent being inundated.

To enable logging rules to monitor events
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New > Full Event List.
  - Select a protection policy, and click Edit > Full Event List. You can edit user-defined protection policies only.
2 To adjust your view of the event list, click Columns. See Adjusting the view by columns on page 123.
3 To select the events, do one of the following:
  - To select the entire event list, click Select All.
  - To select a subset of events, press Ctrl and select multiple events.
4 Click Log/Block. You can enable logging rules independently of blocking rules. See also Enabling or disabling blocking rules on page 128.
5 In Logging Options, do one of the following:
  - Click Log Event to enable logging. This generates an event in the Incidents tab each time a selected event is detected and blocked.
  - Unclick Log Event to disable logging.
6 If you enabled logging, then under Log Event, do one of the following:
  - To log all events, click Log For All IPs.
  - To log selected events, click Log For Selected IP Ranges.
  - To avoid logging selected events, click Log All Except IP Ranges. You can use this option as a partial filter to alert you periodically about non-logged event types.
7 If you chose to log a subset of events, then in IP Ranges, specify the subset by doing the following:
  - Provide the Source and Destination IP addresses.
  - Provide the optional mask and port numbers, and click Add.
8 In Logging Options, you can keep track of non-logged event types by clicking For Every Non-Logged Events Log One Event and entering a number.
9 In Note For Selected Event Type(s), you can add an optional note, and click OK. Event Details displays this annotation each time this policy detects the annotated event. See Viewing event details on page 221.


Enabling or disabling blocking rules


The Symantec Network Security 7100 Series now provides the ability to prevent malicious traffic from entering your network. If sensors indicate that unexpected traffic is penetrating the firewall or router, you can block it by configuring a protection policy with blocking rules enabled. You can enable blocking rules only on interface pairs on Symantec Network Security 7100 Series appliances that are deployed in-line. To override these blocking rules globally without redefining the policy itself, see also Overriding blocking rules globally on page 119.

To block events from entering the network
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New > Full Event List.
  - Select a protection policy, and click Edit > Full Event List. You can edit user-defined protection policies only.
2 To adjust your view of the event list, click Columns. See Adjusting the view by columns on page 123.
3 To select the events, do one of the following:
  - To select the entire event list, click Select All.
  - To select a subset of events, press Ctrl and select multiple events.
4 Click Log/Block. You can enable blocking rules independently of logging rules. See also Enabling or disabling logging rules on page 126.
5 In Block Event (Applies only to in-line interfaces), do one of the following:
  - Click Block Event to enable blocking.
  - Unclick Block Event to disable blocking.
  Note: You can apply this option only to in-line interfaces on 7100 Series appliance nodes. It is not available on Network Security software nodes.
6 In Note For Selected Event Type(s), you can add an optional note, and click OK. Event Details displays this annotation each time this policy detects the annotated event. See Viewing event details on page 221.

You can override blocking rules globally from the Protection Policies tab. See also Overriding blocking rules globally on page 119.

You can configure policies to include active blocking rules and LiveUpdate rules, so that when LiveUpdate adds new signatures, the blocking rules are created automatically. To do this, you must define at least one blocking rule in the policy so that blocking is enabled. See also Updating policies automatically on page 129.

Deleting user-defined protection policies


The Network Security console provides a way to delete user-defined protection policies only. Symantec protection policies cannot be edited or deleted.

To delete a protection policy
1 On the Policies > Protection Policies tab, click a user-defined protection policy.
2 Click Delete.
3 In the right pane, click Apply to save and apply changes.

Updating policies automatically


The Network Security console provides a way to put new Security Update signatures to work immediately. Use the LiveUpdate tab to select the types of signatures that you know you want, using the given criteria (category, protocol, severity, and confidence). When LiveUpdate downloads new signatures into your system, Auto Update Rules selects those signatures that match your criteria, and automatically adds them to this policy. Even if the LiveUpdate occurs in the middle of the night, Symantec Network Security immediately starts logging the matching events.

To add auto update rules
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New > Auto Update Rules > Add.
  - Click an existing policy, and click Edit > Auto Update Rules > Edit.
2 In Add Auto Update Rule, do any or all of the following:
  - In Category, choose a category from the pull-down list.
  - In Protocol, choose a protocol from the pull-down list.
  - In Severity, choose a severity from the pull-down list.
  - In Confidence, choose a confidence from the pull-down list.
  - In Blocking Option, choose whether to enable blocking by clicking the Apply Blocking checkbox. Symantec Network Security sorts the rule table, and first displays rules with blocking enabled, followed by rules without blocking enabled.
3 Click OK.


Note: You can configure policies to include active blocking rules and LiveUpdate rules, so that when LiveUpdate adds new signatures, the blocking rules will be created automatically. To do this, you must define at least one blocking rule in the policy so that blocking is enabled. See also Enabling or disabling blocking rules on page 128.

Note: Engine Updates trigger the sensors to restart automatically when you apply them. See also Updating Symantec Network Security on page 303.
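The way logging rules (Log For All IPs, Log For Selected IP Ranges, Log All Except IP Ranges, and For Every Non-Logged Events Log One Event), blocking rules on in-line 7100 Series pairs, and Auto Update rules combine, as an added Python model that is not Symantec Network Security code and not its configuration format. The event type names, IP ranges, attribute values and the policy itself are constructed; the page does not say exactly what the non-logged sampler counts, so the model assumes it samples detections that the IP scope leaves unlogged.

```python
# Constructed model (not Symantec code) of how one protection policy's logging
# rules, blocking rules and Auto Update rules combine; names and values are samples.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class EventType:
    """One detectable event type; the console's real pull-down values are not on this page."""
    name: str
    category: str
    protocol: str
    severity: str
    confidence: str


@dataclass
class LogRule:
    """Logging rule: scope 'all' (Log For All IPs), 'selected' (Log For Selected IP
    Ranges) or 'except' (Log All Except IP Ranges). every_n models For Every N
    Non-Logged Events Log One Event; assumed to sample detections outside the scope."""
    scope: str = "all"
    ranges: Tuple[Tuple[str, str], ...] = ()   # (source CIDR, destination CIDR) pairs
    every_n: Optional[int] = None

    def in_scope(self, src: str, dst: str) -> bool:
        if self.scope == "all":
            return True
        hit = any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                  for s, d in self.ranges)
        return hit if self.scope == "selected" else not hit


@dataclass
class AutoUpdateRule:
    """Auto Update criteria; None means any value for that field."""
    category: Optional[str] = None
    protocol: Optional[str] = None
    severity: Optional[str] = None
    confidence: Optional[str] = None
    apply_blocking: bool = False

    def matches(self, et: EventType) -> bool:
        wanted = (self.category, self.protocol, self.severity, self.confidence)
        actual = (et.category, et.protocol, et.severity, et.confidence)
        return all(w is None or w == a for w, a in zip(wanted, actual))


@dataclass
class Policy:
    name: str
    log_rules: Dict[str, LogRule] = field(default_factory=dict)
    block_rules: Set[str] = field(default_factory=set)
    auto_update: List[AutoUpdateRule] = field(default_factory=list)
    unlogged_count: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, et_name: str, src: str, dst: str,
                 inline_pair: bool, blocking_enabled: bool = True) -> Tuple[bool, bool]:
        """Return (log, block) for one detection. Blocking needs a blocking rule, an
        in-line 7100 Series pair, and no global Disable Blocking override on the pair."""
        log = False
        rule = self.log_rules.get(et_name)
        if rule is not None:
            if rule.in_scope(src, dst):
                log = True
            elif rule.every_n:
                n = self.unlogged_count.get(et_name, 0) + 1
                self.unlogged_count[et_name] = n
                log = n % rule.every_n == 0   # one Incidents-tab event per N suppressed
        block = et_name in self.block_rules and inline_pair and blocking_enabled
        return log, block

    def apply_liveupdate(self, new_signatures: List[EventType]) -> List[str]:
        """For each new signature matched by an Auto Update rule, add a logging rule
        and, if Apply Blocking is set and a blocking rule already exists, a blocking rule."""
        added = []
        for et in new_signatures:
            rule = next((r for r in self.auto_update if r.matches(et)), None)
            if rule is None:
                continue
            self.log_rules.setdefault(et.name, LogRule("all"))
            if rule.apply_blocking and self.block_rules:
                self.block_rules.add(et.name)
            added.append(et.name)
        return added


def build_sample_policy() -> Policy:
    """Constructed user-defined policy for an in-line branch appliance."""
    p = Policy("Branch-Inline")
    # Scans from the internal 10.1.0.0/16 into the 192.0.2.0/24 DMZ are routine
    # scanner traffic: log the type everywhere else, plus one event per 100 suppressed.
    p.log_rules["PORTSCAN"] = LogRule("except", (("10.1.0.0/16", "192.0.2.0/24"),), every_n=100)
    p.log_rules["HTTP_OVERFLOW"] = LogRule("all")
    p.block_rules.add("HTTP_OVERFLOW")
    p.auto_update.append(AutoUpdateRule(category="Scan"))
    p.auto_update.append(AutoUpdateRule(protocol="HTTP", severity="High", apply_blocking=True))
    return p
```

Running `build_sample_policy()` and calling `evaluate` for a detection on a passive interface, or with the pair's blocking disabled, shows the blocking rule silently not acting, which is the point of the in-line and Disable Blocking caveats above.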

Annotating policies and events


The Network Security console provides a way to take notes on events at the following three levels:

Annotating an entire policy Annotating an event type in a policy Annotating an instance of an event

Annotating an entire policy


The Network Security console provides a way to make a note about an entire policy. When you hover the cursor over that policy in the policy list, your note appears as a tool tip.

To make a note about a policy
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New.
  - Select a policy and click Edit.
2 In Add Protection Policy or Edit Protection Policy, click the Notes tab.
3 In Policy Notes, enter a note regarding this policy, and click OK.

To view a note about a policy
  - On the Policies > Protection Policies tab, hover the cursor over the policy to display the note as a tool tip.


Annotating an event type in a policy


The Network Security console provides a way to make a note about an event type within a policy. When the event is triggered, your note is displayed in the Event Details. For example, you might note that this event is a false positive if it occurs within a certain IP range. The note is specific to that event type when it occurs in that policy. Event Details displays the note each time this policy detects the annotated event.

To make a note about an event within a policy
1 On the Policies > Protection Policies tab, do one of the following:
  - Click New.
  - Click Edit.
2 In Add Protection Policy or Edit Protection Policy, do one of the following:
  - In Search Events, double-click an event.
  - In Full Event List, double-click an event.
3 In Note for Selected Event Type(s) in the lower pane, enter an annotation. Event Details displays this annotation each time this policy detects the annotated event. See Viewing event details on page 221.
4 Click OK > OK > Apply.

Annotating an instance of an event


The Network Security console provides a way to make a note about a specific instance of an event. This provides assistance to system analysts in resolving security incidents.

To make a note about an instance of an event

1 On the Incidents tab, do one of the following:
  Double-click an incident.
  In the upper pane, click an incident, and then in the lower pane, double-click the related event.
2 In Incident Details or Event Details, click Analyst Note.
3 Enter your annotation, and click Add Note.
4 Click Close.


Backing up protection policies


Back up the master node regularly. The master node stores protection policy definitions. If the master node of a cluster fails or is demoted to slave, the link between the policies applied on slave nodes and the definitions of those policies on the master node is broken. Slave nodes can then appear to have viable policies applied that are in reality disabled. See Backing up and restoring on page 332.


Chapter

Responding

This chapter includes the following topics:

About response rules
About automated responses
Managing response rules
Setting response parameters
Setting response actions
Managing flow alert rules

About response rules


In addition to the ability to start detection and response immediately using protection policies, Symantec Network Security also provides an automated, rule-based response system. The response module responds to incidents immediately, even if you cannot maintain system analysts on site around the clock. The response module identifies, prioritizes, and responds appropriately to whole classes of attacks, without requiring a separate response rule for each of hundreds of individual base events.

SuperUsers and Administrators can create separate response rules specific to an individual event type, to any subset of specified event types, or to all event types. This affords fast, effective responses to suspicious behavior, and enables you to move quickly to stop attacks, even DoS attacks, to mitigate potential damage, lost revenue, and the costs of recovery.

The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.

Symantec Network Security can take the following types of actions to respond to attacks, individually or in sequence:

Predefined actions. See Setting response actions on page 147.
Configured custom response actions. See Setting a custom response action on page 154.
Triggered actions from third-party applications via Smart Agents. See Integrating third-party events on page 316.
No actions. See Setting no response action on page 148.
Responding at the point of entry. See Defining new protection policies on page 124.

The following diagram provides an overview of response rule procedures (the figure is not reproduced here; its labels are listed):

1. Add new rule: Set target, Set type, Set severity and confidence, Set source, Set action, Set next action
2. Choose action to set: Take no action, Export flow data, Notify via console, Notify via email, Notify via SNMP, Record traffic, Reset TCP, Take customized action, Track suspicious event
3. Set parameters: From Address, Subject Line, SMTP Server, Hostname for Email Notifications, SNMP Manager, SNMP Community String


About automated responses


Symantec Network Security's automated rule-based response system includes alerting, pinpoint traffic recording, flow tracing, session resetting, and custom responses on both the software and appliance nodes and the Network Security console. Symantec Network Security generates responses based on multiple criteria such as event targets, attack types or categories, event sources, and severity or confidence levels. Multiple responses can be configured for the same event type, as well as the order in which Symantec Network Security executes the responses.

Symantec Network Security reviews each event and iterates through the list of response rules configured by the user. It compares each event against configurable match parameters. If a match occurs on all parameters, it then executes the specified action. After Symantec Network Security processes one rule, it proceeds to one of three alternatives: to the rule indicated by the Next parameter, to a following rule beyond the Next rule, or it stops policy application altogether for this event.

Some automated responses also use node parameters through Configuration > Node > Network Security Parameters. Symantec Network Security installs with some of the response rule parameters defaulted; however, they require more information from you to run successfully.

Note: Response rule configurations are not immediately propagated. If you establish a response rule in the master node of a cluster, all subsequent nodes will automatically synchronize when you restart them. You can also force the resynchronization by clicking Admin > Force Database Sync.

See also the following related sections:

Managing response rules
Setting response parameters
Setting response actions

Note: SuperUsers and Administrators can read and write response rules; StandardUsers and RestrictedUsers can view only. See User groups reference on page 353 for more about permissions.


Managing response rules


The Network Security console provides a way to view, add, insert, duplicate, and delete the responses that make up Symantec Network Security's automated rule-based response system. This section describes the following:

Viewing response rules
Adding new response rules
Editing response rules
Searching event types
Deleting response rules
Saving or reverting changes
Backing up response rules

Viewing response rules


In the Network Security console, you can administer response rules and flow alert rules by clicking Configuration > Response Rules. All users can view the response rules in the Network Security console.

To view response rules

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, select an existing response rule by clicking in the Number cell of the response rule row. The background of the response rule turns purple.
3 Click one of the following columns to view the response parameters:
  Event Target
  Event Type
  Severity
  Confidence
  Event Source
  Response Action
  Next Action

Click the Response Actions column of a response rule to see all possible response actions.


Interpreting color coding


At a glance, you can tell which response rules have been saved, which rules remain to be saved, and which rule is selected, by the background color:

Color    Indication
White    Indicates the response rule has been saved
Yellow   Indicates the response rule has not been saved
Purple   Indicates the response rule is currently selected

Note: Make sure to click OK to save yellow response rules before proceeding.

Adding new response rules


The Network Security console provides a way to add new response rules at any time.

To add or insert a response rule

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, do one of the following:
  Click Action > Add Response Rule to add a new row to the end of the response rule table.
  Click Action > Insert Response Rule to insert a new row into the response rule table.
  Click Action > Duplicate Response Rule to add a copy of an existing row to the response rule table.
3 Configure each of the following parameters:
  Setting event targets
  Setting event types
  Setting severity levels
  Setting confidence levels
  Setting event sources
  Setting response actions
  Setting next actions
4 Click OK to save and exit.


Editing response rules


The Network Security console provides a way to modify response rules easily.

To edit response rules

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, select an existing response rule by clicking in the Number cell of the response rule row. The background of the selected response rule turns purple.
3 Click one of the following to edit:
  Setting event targets
  Setting event types
  Setting severity levels
  Setting confidence levels
  Setting event sources
  Setting response actions
  Setting next actions
4 Click OK to save and exit.

Searching event types


All users can view a more manageable subset of the entire event list by using any or all of the search criteria to shorten the list of event types in the Search Event List.

To select a subgroup of event types

1 On the main menu bar, click Configuration > Response Rules.
2 Click Event Types.
3 In Search Events, provide some or all of the following search criteria:
  In Event Name, enter a name to identify this search.
  In Protocol, select a protocol from the pull-down list.
  In Category, select a category from the pull-down list.
  In Severity, select a severity level from the pull-down list.
  In Confidence, select a confidence level from the pull-down list.
  In Intent, select an intention from the pull-down list.
4 After selecting the search criteria, click Search Events.


Deleting response rules


The Network Security console provides a way to delete response rules at any time.

To delete a response rule

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, select an existing response rule by clicking in the Number cell of the response rule row.
3 Click Action > Delete > Response Rule > OK to delete the response rule.

Caution: Be sure to save your changes before exiting.

Saving or reverting changes


After you have finished adding, editing, or deleting response rules, you must save the changes to the database. This step provides a chance to change your mind and undo your changes before saving them.

To save or revert response rules

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, do one of the following:
  Click OK to save and exit.
  Click Cancel to undo the configuration and return to the previous one.

Note: It can take a few minutes for response rule changes to take effect. You can bypass this wait interval by clicking Admin > Force Database Sync.

Backing up response rules


We recommend that you periodically back up your Symantec Network Security response rule database. See Backing up and restoring on page 332.

Setting response parameters


In Configuration > Response Rules, SuperUsers and Administrators can edit and configure response rule parameters to specify the characteristics of the events and incidents that Symantec Network Security responds to.


Each response rule contains the following response parameters:


Setting event targets
Setting event types
Setting severity levels
Setting confidence levels
Setting event sources
Setting response actions
Setting next actions

Setting event targets


The event target parameter specifies the location where the detected incident occurs. The possible values for this parameter include the locations, network segments, and network border interfaces defined in the network topology database.

Note: SuperUsers and Administrators can apply the response rule to a specific location or interface in the network using Event Target.

To set the Event Target

1 On the main menu bar, click Configuration > Response Rules.
2 Click the Event Target cell of the response rule you want to edit.
3 In Select Event Target, select the locations, network segments, and/or peer interfaces to which the response rule will apply, and click OK.

See Adding nodes and objects on page 86.

Setting event types


The event type parameter specifies the base event or events for which the response rule is defined. Event types are grouped into several larger protocol and service attack categories. When Symantec Network Security detects a suspicious event, it analyzes the event to match it to an event type. SuperUsers and Administrators can apply the response rule to a specific type of event using Event Type. You can focus the display on a manageable subset of event types with specific characteristics. You can narrow or widen the view by searching for event types that match certain characteristics.


To set the Event Type

1 On the main menu bar, click Configuration > Response Rules.
2 Click the Event Type cell of the response rule you want to edit.
3 In Search Events, select the attack types to which the response rule applies by providing some or all of the following search criteria:
  In Event Name, enter a name.
  In Protocol, select a protocol from the pull-down list.
  In Category, select a category from the pull-down list.
  In Severity, set a severity level from the pull-down list.
  In Confidence, set a confidence level from the pull-down list.
  In Intent, select an intention from the pull-down list.
4 Click Search Events. Search Results displays the total number of items shown in the subset.
5 In Search Results, do one of the following:
  Click Select All to select the entire result list.
  Click Clear All to deselect any selected event types.
  Individually select the desired event types.
6 Click OK to save and exit.

Setting severity levels


The severity parameter describes the relationship between the action to take in response to an incident and the severity of that incident. Before the analysis process assigns a severity level to an incident, it analyzes the various events that make up the incident according to the following factors:

Intrinsic severity of the type of event: An event might consist of an FTP packet transmitted on port 80. Because port 80 is used for HTTP traffic, this event might represent an attack on a Web server. By itself, this example might represent a medium level of intrinsic severity.
Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the severity level depends on the number and frequency of packets received.
Severity of other events in the same incident: Symantec Network Security correlates severity levels from all events in the same incident.

By using these variables to perform statistical analysis, Symantec Network Security assigns different severity levels as they apply to an incident. As the system gains information about the network, it integrates characteristics that influence the levels to reflect the current state of the network security. Because the traffic on every network is different, the severity levels specified in the response rule parameters are relative values and contain no inherent absolute definition. The creation of response rules in general, and the selection of severity levels for specific response rules, requires fine-tuning against the existing security response rules, as well as the network traffic and ambient conditions.

If the severity assigned during analysis matches the severity level defined in the response rule, and all other parameters defined in the response rule also match, then Symantec Network Security responds to the incident by performing the action associated with the response rule. SuperUsers and Administrators can also specify that the action execute only if the incident priority level falls above or below a particular severity level. Possible severity parameter values include informational, low, medium, high, and critical.

Setting the severity level


The Network Security console provides a way to set the severity level of the response rule using Severity.

To set the severity level

1 On the main menu bar, click Configuration > Response Rules.
2 Click the Severity cell of the response rule you want to edit.
3 Select one of the following symbols:
  Less than (<)
  Greater than (>)
  Equal to (=)
  Any
4 Select one of the following severity levels from the pull-down list:
  Critical
  High
  Medium
  Low
  Informational


Setting confidence levels


Symantec Network Security indicates the confidence level, a measure of the likelihood of an actual attack. It determines the confidence level of the event by analyzing the traffic behavior.

To set the confidence level

1 On the main menu bar, click Configuration > Response Rules.
2 Click the Confidence cell of the response rule you want to edit.
3 Select one of the following symbols:
  Less than (<)
  Greater than (>)
  Equal to (=)
  Any
4 Select one of the following confidence levels from the pull-down list:
  Very High
  High
  Medium
  Low
  Very Low

Setting event sources


The Network Security console can apply response rules to specific locations or interfaces in the network using Event Source. The event source parameter indicates that a rule applies only to events detected on a given interface. This interface is not necessarily the target of the attack, but may in fact be the point in the network at which Symantec Network Security is currently tracking the attack. If the interfaces being inspected are receiving VLAN encapsulated traffic, you can also specify that a rule applies to a specific VLAN ID.

To set the event source

1 On the main menu bar, click Configuration > Response Rules.
2 Click the Event Source cell of the response rule you want to edit.
3 In Select Event Source, select the interfaces to which the response rule applies.
4 Set VLAN if applicable, and click OK.


Setting response actions


The Network Security console provides a way to apply the response rule to take a specific action when triggered using Response Action. The Response parameter determines the action Symantec Network Security takes if an incident matches the event target, attack type, severity, confidence level, and event source parameters. SuperUsers and Administrators can set multiple response actions to react to specific types of incidents, or set custom response actions to launch third-party applications in response to an incident.

To set the response action

1 On the main menu bar, click Configuration > Response Rules.
2 Click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, select an action for Symantec Network Security to take if the event matches the response rule. Choose from the following list:
  Setting no response action
  Setting email notification
  Setting SNMP notification
  Setting TrackBack response action
  Setting a custom response action
  Setting a TCP reset response action
  Setting traffic record response action
  Setting a console response action
  Setting export flow response action

Setting next actions


The Network Security console provides a way to direct a sequence of response rules that conclude with a follow-up action by using Next Action. The Next parameter determines whether or not Symantec Network Security continues checking for additional response rules that match the incident. Possible values are Stop, Continue to Next Rule, and Jump to Rule. The Continue to Next Rule value directs Symantec Network Security to search for the next matching response rule after executing the current response rule. This enables Symantec Network Security to make multiple responses to any particular incident type, in combination with each other and in a desired sequence. The Jump to Rule value directs Symantec Network Security to skip over intervening response rules and go directly to a particular response rule, such as from Rule 5 to Rule 8. The Stop value directs Symantec Network Security to discontinue searching for matching response rules.

To set the next action

1 On the main menu bar, click Configuration > Response Rules.
2 Select a Next Action to do one of the following:
  Stop searching for matching response rules.
  Continue to the next rule.
  Jump to a specific rule.

Caution: Click OK to save your changes before exiting.
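The walk through the rule table described above (match on all parameters, execute the action, then Stop, Continue or Jump) can be checked before committing rules in the console. The following simulation is an added example and is not Symantec's code; the match parameters, comparison symbols and Next Action values are taken from this chapter, while the field names, rule table and sample events are constructed, and the assumption that a non-matching rule is simply skipped is labelled in the code.

```python
"""Simulation of a Symantec Network Security response rule chain (added example)."""
from dataclasses import dataclass
from typing import Optional

# Ordered scales from the Severity and Confidence sections of this chapter.
SEVERITY = ["informational", "low", "medium", "high", "critical"]
CONFIDENCE = ["very low", "low", "medium", "high", "very high"]

ANY = None  # "Any" in the console: the parameter does not constrain the match


def level_matches(symbol, wanted, actual, scale):
    """Apply the console's <, >, = or Any symbol to an ordered level scale."""
    if symbol == "Any":
        return True
    a, w = scale.index(actual), scale.index(wanted)
    return {"<": a < w, ">": a > w, "=": a == w}[symbol]


@dataclass
class Rule:
    number: int                       # the Number column; Jump refers to it
    action: str                       # Response Action, e.g. "Email Notification"
    next_action: str = "Continue"     # "Stop", "Continue" or "Jump"
    jump_to: Optional[int] = None     # target rule number when next_action == "Jump"
    targets: Optional[set] = ANY      # Event Target: locations / interfaces
    event_types: Optional[set] = ANY  # Event Type: selected base events
    severity: tuple = ("Any", None)   # (symbol, level)
    confidence: tuple = ("Any", None)
    sources: Optional[set] = ANY      # Event Source: detecting interfaces

    def matches(self, event):
        """True only if every configured parameter matches the event."""
        return (
            (self.targets is ANY or event["target"] in self.targets)
            and (self.event_types is ANY or event["type"] in self.event_types)
            and level_matches(*self.severity, event["severity"], SEVERITY)
            and level_matches(*self.confidence, event["confidence"], CONFIDENCE)
            and (self.sources is ANY or event["source"] in self.sources)
        )


def respond(rules, event):
    """Walk the rule table for one event; return (rule number, action) in order."""
    by_number = {r.number: r for r in rules}
    order = sorted(by_number)
    taken, visited, pos = [], set(), 0
    while pos < len(order):
        rule = by_number[order[pos]]
        if rule.number in visited:    # safety guard added for the simulation:
            break                     # a Jump that loops back ends the walk
        visited.add(rule.number)
        if not rule.matches(event):
            pos += 1                  # assumption: non-matching rules are skipped
            continue
        taken.append((rule.number, rule.action))
        if rule.next_action == "Stop":
            break
        if rule.next_action == "Jump":
            if rule.jump_to not in by_number:
                break
            pos = order.index(rule.jump_to)
        else:
            pos += 1
    return taken


# Constructed rule table: rule 2 jumps over rules 3 and 4 straight to rule 5.
RULES = [
    Rule(1, "Email Notification", "Continue", severity=(">", "medium")),
    Rule(2, "SNMP Notification", "Jump", jump_to=5, event_types={"TCP SYN Flood"}),
    Rule(3, "Traffic Record", "Continue", sources={"eth1"}),
    Rule(4, "None", "Stop", severity=("<", "medium")),
    Rule(5, "TCP Reset", "Stop", confidence=(">", "medium")),
]

# Constructed sample events (field values are illustrative, not real data).
SYN_FLOOD = {"target": "DMZ", "type": "TCP SYN Flood", "severity": "high",
             "confidence": "very high", "source": "eth1"}
LOW_PROBE = {"target": "DMZ", "type": "HTTP Probe", "severity": "low",
             "confidence": "medium", "source": "eth0"}

if __name__ == "__main__":
    print(respond(RULES, SYN_FLOOD))  # email, SNMP, then jump to TCP reset and stop
    print(respond(RULES, LOW_PROBE))  # only rule 4 matches: None, then stop
```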

Setting response actions


Configurable response parameters indicate which action Symantec Network Security will take if the event target, attack type, severity, confidence level, and event source parameters match the incident. The SuperUser or Administrator can define and customize response actions from the Network Security console. If you specify a Smart Agent response action, the policy manager sends the respective values to the appropriate Smart Agent. In Configuration > Response Rules, select a rule, and click the Response Actions column to view the list of actions that Symantec Network Security can take in response to an incident. Symantec Network Security can respond to an incident by taking the following actions:

Setting no response action
Setting email notification
Setting SNMP notification
Setting TrackBack response action
Setting a custom response action
Setting a TCP reset response action
Setting traffic record response action
Setting a console response action
Setting export flow response action


Setting no response action


The None option directs Symantec Network Security not to respond to particular types of incidents. Selecting the None option, followed by Stop as the next action, configures Symantec Network Security to take no action in response to specified types of incidents. SuperUsers and Administrators can also configure Symantec Network Security to ignore specific attacks by setting a filter.

To enable None response actions

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click None.
4 In Configure Response Action, click OK to save and exit.
5 In Response Rules, click OK to save and exit.

Setting email notification


Alerting is a standard component of most intrusion detection systems because security analysts must be kept informed of attack activity without having to constantly monitor the Network Security console. Unfortunately, many IDS products use the same interface for detection as for notification. In such a configuration, a flood attack could prevent the console from sending email notifications because the flood attack would overload the interface. Symantec Network Security uses a separate, independent interface for notification, thus enabling the Network Security console to successfully send email notification even during an attack. This section describes the following topics:

Setting email notification response actions
Setting email notification parameters

Setting email notification response actions


The email response action enables you to customize using variables in the subject line. The minimum delay between responses is 1 minute.

To enable email notifications

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Email Notification.
4 In the Email Notification pane, provide the following information:
  To: Enter the destination of the email notification.
  Subject: Enter the subject line of the email notification.
  Maximum number of email notifications: Enter the number of notifications you want to send while the incident remains active.
  Delay between email notifications (mins): Enter the time in minutes that you want Symantec Network Security to wait before sending another notification.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
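The two fields above, the maximum number of notifications while the incident remains active and the delay between notifications (with a 1 minute minimum), together bound how many alerts one incident can generate; the same pair appears on the SNMP notification and TrackBack actions later in this chapter. The following throttle is an added example, not Symantec's code: the class, its method names and the sample arrival times are constructed to show how those two settings interact for a single incident.

```python
"""Per-incident notification throttle modelled on the Email Notification fields (added example)."""
from dataclasses import dataclass, field

MIN_DELAY_MINS = 1  # this chapter: minimum delay between notifications is 1 minute


@dataclass
class NotificationThrottle:
    max_notifications: int   # "Maximum number of email notifications"
    delay_mins: float        # "Delay between email notifications (mins)"
    # incident id -> (notifications sent so far, minute of the last one)
    _state: dict = field(default_factory=dict, init=False)

    def __post_init__(self):
        if self.delay_mins < MIN_DELAY_MINS:
            raise ValueError("delay between notifications must be at least 1 minute")
        if self.max_notifications < 1:
            raise ValueError("maximum number of notifications must be at least 1")

    def should_send(self, incident_id, now_mins, active=True):
        """Decide whether a notification goes out for this incident at time now_mins."""
        if not active:
            # Counters apply only while the incident remains active; a closed
            # incident forgets its history (assumption for this simulation).
            self._state.pop(incident_id, None)
            return False
        count, last = self._state.get(incident_id, (0, None))
        if count >= self.max_notifications:
            return False                       # cap reached for this incident
        if last is not None and now_mins - last < self.delay_mins:
            return False                       # still inside the delay window
        self._state[incident_id] = (count + 1, now_mins)
        return True


def accepts(max_notifications, delay_mins):
    """True if the console-style validation in __post_init__ accepts the pair."""
    try:
        NotificationThrottle(max_notifications, delay_mins)
        return True
    except ValueError:
        return False


def simulate(arrival_mins, max_notifications, delay_mins):
    """Return the minutes at which a notification is sent for one ongoing incident."""
    throttle = NotificationThrottle(max_notifications, delay_mins)
    return [m for m in arrival_mins if throttle.should_send("incident-42", m)]


if __name__ == "__main__":
    # Constructed: one incident re-triggering at these minutes, cap 3, delay 2.
    print(simulate([0, 0.5, 1, 3, 5, 6, 12], 3, 2))  # notifications at minutes 0, 3 and 5
```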

Setting email notification parameters


The Network Security console provides a way to establish automatic notification response policies to alert you via email under specific conditions. Use the notification parameters to configure these procedures:

Setting From Address
Setting Subject Line
Setting SMTP Server
Setting Hostname Used for Email Notifications

Setting From Address


From Address indicates the email address from which Symantec Network Security sends email notifications. The default value is root@localhost.

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click From Address.
4 In the lower right pane, enter the email address.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Setting Subject Line


Subject Line indicates the subject line used when Symantec Network Security sends automatic email notifications. The default value is Symantec Network Security Alert. You can use response variables to set the subject line. For example, to set the Subject Line to display Date, Time, Source, Destination, and Event, enter %T %s %d %t in the lower right pane. Optionally, you can separate the variables by a space to expedite possible future editing. Upon execution, the values from the corresponding event replace the variables. You can also specify the subject line with Configure Response Action using these same variables.

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click Subject Line.
4 In the lower right pane, enter an alternative subject line.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

See Table of response variables on page 155.

Setting SMTP Server


SMTP Server indicates the SMTP mail server that Symantec Network Security uses to send email notifications. The default value is mail.


To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click SMTP Server.
4 In the lower right pane, enter an alternative mail server.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Setting Hostname Used for Email Notifications


Hostname Used for Email Notifications indicates the hostname that Symantec Network Security uses to send email notifications.

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click Hostname Used for Email Notifications.
4 In the lower right pane, enter the hostname.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.


Setting SNMP notification


Symantec Network Security can initiate an SNMP notification in response to an attack. The SNMP notification option directs Symantec Network Security to send SNMP traps to an SNMP manager with a minimum delay of 1 minute between responses. The IP address of the SNMP manager must be provided, and the SNMP manager made aware of the Management Information Base (MIB). Refer to the SNMP manager documentation for this information. This section describes the following topics:

Setting SNMP notification response actions
Setting SNMP notification parameters

Setting SNMP notification response actions


Symantec Network Security can initiate an SNMP notification in response to an attack. The minimum delay between responses is 1 minute.

To enable SNMP notifications

1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action column of a rule.
3 In Configure Response Action, click SNMP Notification.
4 Provide the following information:
  SNMP Manager IP Address: Enter the IP address of the SNMP Manager to send notifications to.
  Maximum number of SNMP notifications: Enter the number of notifications you want to send.
  Delay between SNMP notifications (mins): Enter the time in minutes that you want Symantec Network Security to wait before sending another notification.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.

Setting SNMP notification parameters


The Network Security console provides a way to refine the SNMP notification response action by tuning the following configurable parameters:

SNMP Manager
SNMP Community String


SNMP Manager
SNMP Manager indicates where the software or appliance node sends SNMP traps.

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click SNMP Manager.
4 In the lower right pane, enter the SNMP Manager that will receive SNMP traps from the node.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

SNMP Community String


SNMP Community String indicates the community string that Symantec Network Security uses to send traps to the SNMP Manager.

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click SNMP Community String.
4 In the lower right pane, enter the community string.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Setting TrackBack response action


Symantec Network Security provides the TrackBack response to track attacks back to their sources. This capability is especially important for tracking denial-of-service attacks, which must be traced to their source in order to shut them down most effectively. TrackBack automatically tracks a data stream to its source within the cluster, or, if the source is outside the cluster, to its entry point into the cluster. It does this by gathering information from routers or its own sensor resources. To run TrackBack, sensors require interfaces with applied protection policies, as well as the sensor parameter for flow statistics.

Setting TrackBack response actions


Symantec Network Security can begin tracking in response to an attack. The minimum delay between responses is 1 minute.

To enable TrackBack
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click TrackBack.
4 Provide the following information:
    Maximum number of trackbacks: Enter the number of tracking attempts that you want.
    Delay between trackbacks (mins): Enter the time in minutes that you want Symantec Network Security to wait before making another tracking attempt.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.

Setting a custom response action


The Network Security console provides a way to set custom response actions to launch third-party applications in response to an incident. To do this, a command is entered in the Custom Response field which executes when the response rule is triggered. The minimum delay between responses is 0.


To enable custom responses
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Custom Response.
4 Provide the following information:
    Start Command: Enter the command with applicable arguments. See Table of response variables on page 155.
    Maximum number of executions: Enter the number of executions per incident of this response.
    Delay between executions (mins): Enter the time in minutes that you want Symantec Network Security to wait per incident, before making another execution.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.

Note: If you create a custom response action, it will be enabled on all software and appliance nodes defined in your topology. Be sure to include the custom application binary in the same location for each node.

Note: SuperUsers can read and write custom response actions; Administrators, StandardUsers, and RestrictedUsers can view only. See User groups reference on page 353 for more about permissions.

Table of response variables


The Network Security console provides a way to specify case-sensitive variables in the commands that you enter for custom, Network Security console, and email response actions. For example, to set the Subject Line of an email notification to display Date, Time, Source, Destination, and Event, enter %T %s %d %t. Separate the variables by a space to expedite possible future editing. Upon execution, the values from the corresponding event replace the variable. To enable custom response actions, provide the path to the application binary, as well as any arguments, to pass on the command line (up to 255 characters long). The following is an example of a custom response command:

/usr/local/bin/myscript.sh -i %i -t %t -s %s [email protected]

The following table describes the variables that can be used in the command line of custom response actions, console response actions, and email responses:

Table 6-1 Response Variables

Variable  Value
%c        Indicates the event class, such as Sensor or Notice.
%d        Indicates a comma-delimited list of destination IP addresses and ports in the following format: <IP address>:port. Some attacks, such as syn floods, may have multiple destinations.
%D        Device name; for example: hub4.
%F        Flowcookie; for example: IP%COUNTER%172.16.32.236:0/192.168.0.162:0#255
%I        The user-assigned name of the interface or interface group where the attack was detected.
%m        MAC address of the source, if available; otherwise left blank.
%s        Indicates a comma-delimited list of source IP addresses and ports in the following format: <IP address>:port. Some attacks, such as syn floods, may have multiple sources.
%t        Indicates a specific base event type, displayed in the Network Security console with a human-readable name; for example, Fragmentation Attack.
%T        Indicates when the first event was detected for the incident. Date and time appears in human-readable format.
%v        Indicates the VLAN number of the destination, if available; otherwise -1.

Preventing logging of passwords in cleartext


To prevent logging of passwords in cleartext, preface the password with a %* character sequence. Make sure to put the password directly after the %* with no spaces in between. For example, for the following password: &*%arG prepend the password as follows: %*&*%arG in the custom response dialog. No characters following the %* are interpreted, so a % is acceptable in a password.


Escaping the % directive


If you need to pass a % as the first character of an argument and do not want it to be interpreted as a replacement directive, preface the % with another %. For example, %s is interpreted as a directive to replace this argument with the source address:port list, but %%s is passed directly as %s and not interpreted.
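The substitution rules from the table of response variables, the %* password prefix, and the %% escape, carried out as an added worked example in Python (not Symantec's own expansion code; the event field names and the per-argument interpretation of directives are assumptions):

```python
"""Illustration of the response-variable rules described above: case-sensitive
%-directives, the %% escape, and the %* prefix that keeps a password out of the
log. Added example, not Symantec's expansion code; treating each whitespace-
separated argument as the unit of interpretation is an assumption."""
import shlex
from typing import Dict, List, Tuple

# Directive -> event field (assumed names) that replaces it, from Table 6-1.
DIRECTIVES = {
    "%c": "event_class", "%d": "destinations", "%D": "device",
    "%F": "flowcookie", "%I": "interface", "%m": "source_mac",
    "%s": "sources", "%t": "event_type", "%T": "first_seen", "%v": "dest_vlan",
}

# Constructed sample event, shaped after the Table 6-1 value descriptions.
SAMPLE_EVENT: Dict[str, str] = {
    "event_class": "Sensor",
    "destinations": "192.168.0.162:80",
    "device": "hub4",
    "flowcookie": "IP%COUNTER%172.16.32.236:0/192.168.0.162:0#255",
    "interface": "dmz-eth1",
    "source_mac": "",
    "sources": "172.16.32.236:1025,172.16.32.237:1026",
    "event_type": "Fragmentation Attack",
    "first_seen": "2004-05-11 13:02:17",
    "dest_vlan": "-1",
}

HIDDEN = "%*<hidden>"   # what the log shows in place of a %* argument


def expand_argument(arg: str, event: Dict[str, str]) -> Tuple[str, str]:
    """Expand one argument; returns (value handed to the program, value safe to log)."""
    if arg.startswith("%*"):
        # Nothing after %* is interpreted, so a password may itself contain %.
        return arg[2:], HIDDEN
    if arg.startswith("%%"):
        # %% passes a literal leading % through without interpretation.
        return arg[1:], arg[1:]
    if arg[:2] in DIRECTIVES:
        # Case-sensitive: %s is the source list, %S is not a directive.
        value = event.get(DIRECTIVES[arg[:2]], "") + arg[2:]
        return value, value
    return arg, arg


def build_command(template: str, event: Dict[str, str]) -> Tuple[List[str], str]:
    """Expand a response command or subject template into argv and a log-safe line."""
    argv: List[str] = []
    logged: List[str] = []
    for token in shlex.split(template):
        value, shown = expand_argument(token, event)
        argv.append(value)
        logged.append(shown)
    return argv, " ".join(logged)


if __name__ == "__main__":
    argv, line = build_command(
        "/usr/local/bin/myscript.sh -I %I -t %t -s %s -p %*&*%arG", SAMPLE_EVENT)
    print(argv)      # the program receives the real password
    print(line)      # the log line does not
```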

Setting a TCP reset response action


The TCP reset response action directs Symantec Network Security to terminate a TCP connection to prevent further damage from an attack. The minimum delay between responses is 0. Configuring this response action requires two procedures. You must set the response action itself. You must also identify the reset port that this response action will use.

Configuring the TCP reset response action


Configure the reset response action. Make sure to identify the port that this response action will use.

To enable TCP resets
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click TCP Reset.
4 Provide the following information:
    Maximum number of TCP resets: Enter the number of TCP resets per incident of this response.
    Delay between sending TCP resets (mins): Enter the time in minutes that you want Symantec Network Security to wait per incident, before sending another TCP reset.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.
7 Set the reset port by doing one of the following:
    For an appliance node, see Setting the reset port on appliance nodes on page 158.
    For a software node, see Setting the reset port on software nodes on page 158.


Setting the reset port on appliance nodes


Identify the reset port by setting the Reset Port sensor parameter. If you do not set this parameter, the TCP reset response action will fail.

To identify the reset port on appliance nodes
1 On the Devices tab, right-click an existing monitoring interface object, and click Edit on the pop-up menu.
2 In Edit Monitoring Interface, in TCP Reset Interface, click the reset interface on the pull-down list. The reset interface must be cabled to access the monitored network. See the Symantec Network Security 7100 Series Implementation Guide for more information about cabling the appliance.
3 Click Topology > Save Changes before quitting the Network Security console. You will lose any unsaved changes when you exit.

Setting the reset port on software nodes


Identify the reset port by setting the Reset Port sensor parameter. If you do not set this parameter, the TCP reset response action will fail.

To identify the reset port on software nodes
1 On the Devices tab, right-click the sensor.
2 Click Configure Sensor Parameters.
3 Under Basic Parameters, click Reset Port.
4 In the lower right corner of the Sensor Parameters pane, enter the port number.
5 Click Apply.
6 In Apply Changes To, select the interface or device objects that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.

See also Reset Port on page 174.


Setting traffic record response action


The traffic record response dynamically records network traffic in response to an event. With this option, Symantec Network Security can record traffic for a specified period of time, or until a specified number of packets has been collected. The traffic record response action begins recording traffic when triggered. It continues to record based on the number of minutes and the number of packets specified in the response configuration. Traffic recording stops when either limit is reached, whichever comes first. If the maximum number of packets is reached before the maximum time, then traffic record stops recording, but waits until the maximum time has expired before starting a new record action. The number of responses per incident is also determined by the response configuration. The minimum delay between responses is 1 minute.

Note: This response action records only fully assembled packets from actual flows, not malformed packets or packet fragments. You can view detected packet contents in the Advanced tab of Event Details. See Viewing event details on page 221.

Caution: Traffic record files are stored in the /usr/SNS/record directory, and can quickly fill the disk space, especially on a gigabit link. Make sure that this directory contains sufficient disk space.

To enable traffic records
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Traffic Record.
4 Provide the following information:
    Maximum packets to record: Enter the maximum number of packets per incident of this response.
    Maximum # of record actions: Enter the maximum number of records per incident of this response.
    Maximum time to record (mins): Enter the time in minutes that you want Symantec Network Security to record per incident.
5 Click traffic record match parameters to select them:
    Source IP: Click this parameter if you want to record only traffic with the same source address as the triggering event.
    Source Port: Click this parameter if you want to record only traffic with the same source port as the triggering event.
    Destination IP: Click this parameter if you want to record only traffic with the same destination address as the triggering event.
    Destination Port: Click this parameter if you want to record only traffic with the same destination port as the triggering event.
    Transport: Click this parameter if you want to record only traffic with the same transport protocol (such as TCP, UDP or ICMP) as the triggering event.
6 In Configure Response Action, click OK to save and exit.
7 In Response Rules, click OK to save and exit.

Note: The Traffic Record and TrackBack response actions cannot run simultaneously.

See Playing recorded traffic on page 271.

Setting a console response action


Symantec Network Security can initiate an action on the Network Security console in response to an attack. A SuperUser or Administrator can configure the response rule to play an alert sound and/or to execute a program on the Network Security console. Any user can enable each Network Security console individually to execute console response actions. The minimum delay between responses is 1 minute.

To configure console response actions
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Console Response.
4 Provide the following information:
    Limit Action to One Console: Click this to apply this response action to a single Network Security console.
    Play Alert Sound: Click this to sound an alert.
    Execute Console Program: Click this to launch a program in response.
    Start command: Enter the command to launch the response program.
    Maximum # of executions: Enter the maximum number of executions per incident of this response.
    Delay between executions (mins): Enter the time in minutes that you want Symantec Network Security to wait between executions.
5 In Configure Response Action, click OK to save and exit.
6 In Response Rules, click OK to save and exit.

Enabling console response actions


You must enable console response actions on each Network Security console individually.

To enable specific console response actions
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click Configuration > Console Response Configuration.
3 In Local Console Configuration, choose from the following checkboxes:
    Play Alert Sounds: Click this to enable this Network Security console to emit an alert sound when triggered by an event.
    Execute Programs: Click this to enable this Network Security console to perform the console response action.
4 In Local Console Configuration, click OK to save and close.

Note: The Network Security console must be running in order for Symantec Network Security to execute the console response action. If a Network Security console starts after console response events are sent, it does not execute the actions. Instead, upon startup, it displays a prompt indicating that the actions did not execute.

Setting export flow response action


The export flow response action exports matching flows stored in the flow data store. The action is based on the characteristics of the triggering events, which are specified by parameters that the SuperUser provides when creating the rule. The SuperUser or Administrator can use Export Flow to specify the event characteristics of the triggering event. Flows that match the specified characteristics are exported and saved. The minimum delay between responses is 1 minute.

To configure export flow response actions
1 On the main menu bar, click Configuration > Response Rules.
2 In Response Rules, click the Response Action cell of the response rule you want to edit.
3 In Configure Response Action, click Export Flows.
4 Provide the following information:
    Limit for the number of flows to export: Enter the maximum number of flows to export per incident. The default limit per policy match is 100, the minimum is 1, and the maximum is 2048.
    Maximum # of flow export actions: Enter the maximum number of attempts to export flows per incident. The default per incident is 10, the minimum is 1, and the maximum is 256.
    Delay between flow export actions (mins): Enter the time in minutes that you want Symantec Network Security to wait between actions per incident. The default delay is 10, the minimum is 1, and the maximum is 256.
5 In Export flows matching which event attribute:, provide the following:
    Source IP: Use the IP address from the triggering event.
    Destination IP: Use the IP address from the triggering event.
    Source Port: Make port significant when matching related FDS flow entries to the triggering event source IPs.
    Destination Port: Make port significant when matching related FDS flow entries to the triggering event destination IPs.
    Transport Protocol: Export only matching FDS flow entries of the same protocol as the triggering event (IP, TCP, UDP).
6 In Configure Response Action, click OK to save and exit.
7 In Response Rules, click OK to save and exit.

For related information, see the following topics:


See Playing recorded traffic on page 271.
See Exporting data on page 285.
See About incident and event data on page 213.
See Defining new protection policies on page 124.

Managing flow alert rules


In addition to response rules, Symantec Network Security can respond to network traffic according to flow alert rules. Flow alert rules respond to traffic flows that violate defined policies on monitored networks. Flow alert rules can be configured to notify you when a sensor or router detects flows that match specific criteria. Symantec Network Security collects data about network flows from various devices. It optimizes the data to enable advanced response actions such as TrackBack, and notifies you about illegal flows. Symantec Network Security uses FlowChaser to store the data, in coordination with TrackBack, which traces a DoS attack or network flow back to its source, or to the edges of the administrative domain. This section describes the following:

Viewing flow alert rules
Adding flow alert rules

Viewing flow alert rules


Symantec Network Security provides a way to view flow alert rules from the Network Security console. To view flow alert rules

On the main menu bar, click Configuration > Flow Alert Rules. In Flow Alert Rules, you can view the rule details.

Note: SuperUsers and Administrators can read and write flow alert rules; StandardUsers can view only; and RestrictedUsers have no access at all. See User groups reference on page 353 for more about permissions.

Adding flow alert rules


We recommend that you initially configure flow alert rules to allow acceptable corporate traffic flow. Set the Permit and Alert rules to specify explicitly what to permit across each interface, and to alert on everything else.

To add a flow alert rule
1 On the main menu bar, click Configuration > Flow Alert Rules.
2 In Flow Alert Rules, click Add.
3 In Flow Alert Rule, in Rule Type, do one of the following:
    Click Permit.
    Click Alert.
    See Using the permit rule type on page 166.
4 Click Set Interfaces.
5 In Select Interface or Device, select the object where you want the rule applied, and click OK.
6 In Flow Alert Rule, select the following information from the pull-down lists, and click Add:
    Source IP address, mask, and port
    Destination IP address, mask, and port
    See Providing an appropriate mask on page 165.
7 In Flow Alert Rule, click OK.
8 In Flow Alert Rules, click OK to save and exit.

Sample flow alert rule


In the following sample, any traffic on the 192.168.0.0/24 subnet triggers Rule 3, with the following exceptions: Rule 1 allows unlimited traffic on port 80 between 192.168.0.10 and 192.168.0.11, and Rule 2 allows unlimited traffic on any port between 192.168.0.55 and 192.168.0.100.

Editing flow alert rules


The Network Security console provides a way to modify or rearrange the sequence of flow alert rules.

To modify or rearrange the order of flow alert rules
1 On the main menu bar, click Configuration > Flow Alert Rules.
2 In Flow Alert Rules, select an existing flow alert rule and click Edit.
3 In Flow Alert Rule, in Rule Type, do one of the following:
    Click Permit.
    Click Alert.
    See Using the permit rule type on page 166.
4 Click Set Interfaces.
5 In Select Interface or Device, select the object where you want the rule applied, and click OK.
6 In Flow Alert Rule, select the following information from the pull-down lists, and click Add:
    Source IP address, mask, and port
    Destination IP address, mask, and port
    See Providing an appropriate mask on page 165.
7 In Flow Alert Rule, click OK.
8 In Flow Alert Rules, do one of the following:
    Click Move Up.
    Click Move Down.
  The flow alert rules are applied in sequential order from the top of the list to the bottom. Moving a rule up or down shifts it in relation to the other rules, and determines when it will be applied in the sequence.
9 Click OK to save and exit.

Deleting flow alert rules


The Network Security console provides a way to delete unnecessary flow alert rules easily.

To delete a flow alert rule
1 On the main menu bar, click Configuration > Flow Alert Rules.
2 In Flow Alert Rules, select an existing flow alert rule and click Delete.
3 Click OK to save and exit.

Providing an appropriate mask


Symantec Network Security checks the subnet mask, and sends an error message if the mask is not appropriate for the number of bits specified in the subnet address. For example, if a full 32-bit IP address is entered, then the mask must also be 32. However, if you enter just the network portion of the IP address, the number of bits in the mask should match the number of bits given in the network portion of the IP address. For example, an IP address entered as 172.27.101.0 must have, at least, a 24-bit mask but an IP address entered as 172.27.101.1 would require a 32-bit mask.


Using the permit rule type


When selecting a Rule Type of Permit, apply a method similar to that used in router access lists. The following example illustrates how to use multiple permit rules in conjunction with an alert rule to target a specific network for triggering alerts. In this example, Symantec Network Security allows only traffic with source IP addresses from 192.168.0.1 through 192.168.0.3 to pass without generating an alert. All traffic originating from 192.168.0.x generates an alert.
Source IP Address   Rule Type
192.168.0.1/32      Permit
192.168.0.2/32      Permit
192.168.0.3/32      Permit
192.168.0.0/24      Alert

Note: Symantec Network Security examines these rules sequentially. After it makes an IP address/port match, it executes the corresponding rule, without examining or executing any further.
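The mask check from Providing an appropriate mask and the sequential first-match evaluation of the permit example above, as an added Python example (not Symantec code; the tuple representation of a rule and the use of 0.0.0.0/0 with no port for "any destination" are assumptions):

```python
"""Flow alert rule handling as the sections on masks and permit rules describe
it: a mask must cover every non-zero bit of the address entered, and rules are
evaluated top to bottom with the first match deciding. Added example, not
Symantec code; the tuple rule representation is an assumption."""
import ipaddress
from typing import List, Optional, Tuple

# (action, source network, source port, destination network, destination port);
# None for a port means any port.
FlowRule = Tuple[str, str, Optional[int], str, Optional[int]]


def mask_is_appropriate(address: str, bits: int) -> bool:
    """True when no bit of `address` lies outside a `bits`-bit mask:
    172.27.101.0 passes with /24, 172.27.101.1 needs /32."""
    try:
        ipaddress.ip_network(f"{address}/{bits}", strict=True)
    except ValueError:
        return False
    return True


def minimum_mask_bits(address: str) -> int:
    """Shortest mask that leaves no host bit of `address` set."""
    value = int(ipaddress.IPv4Address(address))
    bits = 32
    while bits > 0 and value & 1 == 0:
        value >>= 1
        bits -= 1
    return bits


def add_rule(rules: List[FlowRule], rule: FlowRule) -> None:
    """Append a rule after checking both masks, as the console does before saving."""
    _, src, _, dst, _ = rule
    for cidr in (src, dst):
        address, bits = cidr.split("/")
        if not mask_is_appropriate(address, int(bits)):
            raise ValueError(f"mask /{bits} is not appropriate for {address}; "
                             f"use at least /{minimum_mask_bits(address)}")
    rules.append(rule)


def match(rules: List[FlowRule], src_ip: str, src_port: int,
          dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the action of the first matching rule, or None when nothing matches.
    Evaluation stops at the first IP address/port match, as the note above says."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, sp, dst, dp in rules:
        if (s in ipaddress.ip_network(src, strict=False)
                and d in ipaddress.ip_network(dst, strict=False)
                and sp in (None, src_port) and dp in (None, dst_port)):
            return action
    return None


# The permit example from the guide: three hosts pass, the rest of the /24 alerts.
PERMIT_EXAMPLE: List[FlowRule] = []
for _rule in [("Permit", "192.168.0.1/32", None, "0.0.0.0/0", None),
              ("Permit", "192.168.0.2/32", None, "0.0.0.0/0", None),
              ("Permit", "192.168.0.3/32", None, "0.0.0.0/0", None),
              ("Alert", "192.168.0.0/24", None, "0.0.0.0/0", None)]:
    add_rule(PERMIT_EXAMPLE, _rule)

if __name__ == "__main__":
    print(match(PERMIT_EXAMPLE, "192.168.0.2", 4000, "10.0.0.5", 80))   # Permit
    print(match(PERMIT_EXAMPLE, "192.168.0.77", 4000, "10.0.0.5", 80))  # Alert
```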

Chapter

Detecting
This chapter includes the following topics:

About detection
Configuring sensor detection
Configuring port mapping
Configuring signature detection

About detection
In addition to the ability to start detection immediately using protection policies, Symantec Network Security also provides the tools to fine-tune the detection to a particular environment using sensor parameters and port mappings, and to enhance the detection using user-defined signatures. Symantec Network Security can run multiple detection methods concurrently, including protocol anomaly detection, signatures, IP traffic rate monitoring, IDS evasion detection, and IP fragment reassembly. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.

Protocol anomaly detection

Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping, or adding new mappings. For example, mappings can be added to run services on non-standard ports or to ignore ports on which you normally run non-standard protocols, to mitigate common violations of protocol from being falsely reported as events.

Signature detection

Symantec Network Security provides the functionality to begin detection immediately by applying protection policies. In addition to this initial ability, detection can also be enhanced and tuned to a particular network environment by creating and applying user-defined signatures.

Refinement rule detection

Symantec Network Security detects both known and unknown (zero-day) attacks, using multiple detection technologies concurrently. Event refinement rules extend the Protocol Anomaly Detection capabilities. Symantec Network Security matches generic anomalies against a database of refinement rules, and for known attacks, reclassifies an anomaly event by retagging it with its specific name. New refinement rules are available as part of SecurityUpdates on a periodic basis. Each software or appliance node downloads the refinement rules from LiveUpdate and stores them individually.

Configuring sensor detection


Symantec Network Security provides an array of sensor parameters that are preset for optimum performance and sensitivity. They can be tuned to address specific network environments, and each sensor can be set individually to devote it to specific tasks. These parameters perform multiple tasks, such as enabling the collection of flow statistics and full packet data, setting threshold levels for floods, scans, and sweeps, and regulating the percentage of traffic types that the sensor tolerates before it notifies you. The parameters also provide counter-based detection of floods and denial-of-service attacks such as resource reservation and pipe filling, regulate the suppression of duplicate events and enabling asymmetric routing, and enable checksum validation for a variety of traffic types. You can configure the basic sensor parameters to adjust them to your specific environment. This section includes a description of each sensor parameter, and how to set the value:

Configuring sensor parameters
Restarting or stopping sensors
Basic sensor parameters
Basic flood and scan parameters
Advanced flood and scan parameters
Other advanced parameters
Advanced TCP engine parameters
Advanced UDP engine parameters

Configuring sensor parameters


The Network Security console provides a way to control sensor processes by configuring sensor parameters. Each sensor process is associated with a specific interface on the Network Security node.

To configure the sensor parameters
1 On the Devices tab, right-click the sensor.
2 Click Configure Sensor Parameters.
3 In Sensor Configuration Parameters, in the left pane, select a parameter to configure.
4 In the lower right corner, click the radio button or enter the value of the parameter.
5 Click Apply.
6 In Apply Changes To, select the interface or device objects that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.

See Other advanced parameters on page 184 for information about fine-tuning advanced parameters.


Restarting or stopping sensors


Some actions trigger an automatic sensor restart, and some actions require a sensor restart for the action to take effect.

Table 7-1 Restarting sensors

Action                                            Response
Modifying expected throughput                     You must restart the sensor for the action to take effect.
Modifying reset ports                             You must restart the sensor for the action to take effect.
Modifying monitored networks on topology tree     You must restart the sensor for the action to take effect.
Modifying some sensor configuration parameters    You must restart the sensor for the action to take effect.
Applying protection policies                      Starts the sensor automatically.
Unapplying protection policies                    Stops the sensor automatically.
Removing interface groups                         Stops the sensor automatically.
Modifying interface groups                        Restarts the sensor automatically.
Applying engine updates                           Restarts the sensor automatically.
Restoring configuration from backup               Restarts the sensor automatically.

See Restarting sensors via the Network Security console on page 49.

Note: SuperUsers and Administrators can restart sensors at any time; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Basic sensor parameters


We recommend that you tune all of the basic parameters to the normal traffic patterns of your network. At installation, leave the sensor parameters at default. Observe how the system detects events. Then adjust these parameters as needed until they are just barely alerting, such as once a day, under normal conditions for your environment. In this way, you will quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert. This section describes the following basic sensor detection parameters:

Enable Flow Statistics Collection
Enable Full Packet Capture
Enable IPv4 Header Checksum Validation
Enable TCP Checksum Validation
Enable UDP Checksum Validation
Enable BackOrifice Detection
Event Delay Time
Traffic Mode
Reset Port

Enable Flow Statistics Collection


Enable Flow Statistics Collection serves as the on/off switch that enables the sensor to collect information about network flows. The default value is false. If your system has performance issues, leaving Enable Flow Statistics Collection turned off can provide a minor improvement. However, some Symantec Network Security features use the data collected by this parameter. For example, if you leave Enable Flow Statistics Collection off for all sensors, FlowChaser will receive no flow data from sensors. If no routers collect flow data either, FlowChaser will have nothing to query. However, you can enable or disable the parameters on each sensor independently without affecting the others.

Note: In previous versions, the default value was true. See Configuring FlowChaser on page 248.

Enable Full Packet Capture


Enable Full Packet Capture serves as the on/off switch that enables the sensor to send full packet data with events, instead of sending only header packet data. The default value is true. Enabling this parameter impacts performance because it increases the size of each event record in the event database. However, it provides valuable information about which packets caused which alerts. If enabled, the Network Security console displays all packet data in the Advanced tab of the Event Details. To disable the collection of full packet data, change the value to false. If you disable this parameter, the Network Security console displays only packet header data in the Advanced tab of the Event Details.

Note: For software nodes, enabling this parameter can increase the size of the event database and reduce sensor performance. Do not install Symantec Network Security in the same partition as the operating system (the / partition) if disk space is low. The Network Security console displays low disk space events for less than 100,000 free blocks and less than 10% free space in the partition where it is installed. In earlier versions, the default value was false. See Viewing event details on page 221.

Enable IPv4 Header Checksum Validation


Enable IPv4 Header Checksum Validation serves as the on/off switch enabling the sensor to validate IPv4 header checksums. An IPv4 header unit generates a checksum, and transmits it with the unit. The sensor generates a second checksum and compares them. Matching checksums confirm that the sensor received the complete transmission. By default, this parameter is enabled. If you installed a Network Security software node on a computer with no checksum capability, you may choose to disable this parameter and enhance performance. 7100 Series appliances have checksum capability.

Enable TCP Checksum Validation


Enable TCP Checksum Validation serves as the on/off switch that enables the sensor to validate TCP checksums. The sender computes a checksum over the TCP segment and transmits it in the TCP header. The sensor computes a second checksum over the received segment and compares the two. Matching checksums confirm that the sensor received the segment without corruption. By default, this parameter is enabled. If you installed a Network Security software node on a computer with no checksum capability, you may choose to disable this parameter to enhance performance. 7100 Series appliances have checksum capability.


Enable UDP Checksum Validation


Enable UDP Checksum Validation serves as the on/off switch that enables the sensor to validate UDP checksums. The sender computes a checksum over the UDP datagram and transmits it in the UDP header. The sensor computes a second checksum over the received datagram and compares the two. Matching checksums confirm that the sensor received the datagram without corruption. By default, this parameter is enabled. If you installed a Network Security software node on a computer with no checksum capability, you may choose to disable this parameter to enhance performance. 7100 Series appliances have checksum capability.
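The three checksum validation parameters above all perform the same kind of check. The following added example (not Symantec Network Security code) shows what a validating sensor does: it recomputes the RFC 1071 one's-complement checksum over a constructed IPv4/TCP packet, rebuilds the TCP/UDP pseudo-header, and compares the result with the value carried in the header. Addresses, ports and the BAD_* corruptions are constructed for illustration.

```python
"""Added example (not Symantec Network Security code): the checks that the
Enable IPv4 Header / TCP / UDP Checksum Validation parameters turn on.
A validating sensor recomputes the RFC 1071 one's-complement checksum and
compares it with the value carried in the header. Packets are constructed."""
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_valid(header: bytes) -> bool:
    """Summing a header that includes its own checksum field must give 0."""
    ihl = (header[0] & 0x0F) * 4            # header length in bytes
    return internet_checksum(header[:ihl]) == 0


def transport_checksum_valid(src: bytes, dst: bytes, proto: int, segment: bytes) -> bool:
    """TCP/UDP checksums cover a pseudo-header (src, dst, zero, proto, length)
    plus the whole segment, so the sensor must rebuild that pseudo-header."""
    if proto == IPPROTO_UDP and segment[6:8] == b"\x00\x00":
        return True                         # UDP over IPv4: 0 means "no checksum sent"
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return internet_checksum(pseudo + segment) == 0


def build_ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct checksum (constructed values)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000, 64, proto, 0, src, dst)
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_tcp_syn(src: bytes, dst: bytes, sport: int, dport: int) -> bytes:
    """20-byte TCP SYN segment with a correct checksum (constructed values)."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    csum = internet_checksum(pseudo + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def validate_packet(packet: bytes) -> dict:
    """What a sensor with all three validation parameters enabled would report."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, seg = packet[:ihl], packet[ihl:]
    proto, src, dst = hdr[9], hdr[12:16], hdr[16:20]
    result = {"ipv4_header_ok": ipv4_header_valid(hdr)}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        result["transport_ok"] = transport_checksum_valid(src, dst, proto, seg)
    return result


# Constructed sample traffic (documentation addresses, not real hosts).
SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
TCP_SEG = build_tcp_syn(SRC, DST, 40000, 80)
GOOD_PACKET = build_ipv4_header(SRC, DST, IPPROTO_TCP, len(TCP_SEG)) + TCP_SEG
# TTL changed in flight without fixing the header checksum: only the IP check fails,
# because the TCP pseudo-header does not include the TTL.
BAD_IP_PACKET = GOOD_PACKET[:8] + b"\x3f" + GOOD_PACKET[9:]
# Destination port altered without fixing the TCP checksum: only the TCP check fails.
BAD_TCP_PACKET = GOOD_PACKET[:22] + struct.pack("!H", 81) + GOOD_PACKET[24:]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("bad_ip", BAD_IP_PACKET),
                      ("bad_tcp", BAD_TCP_PACKET)):
        print(name, validate_packet(pkt))
```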

Enable BackOrifice Detection


Enable BackOrifice Detection directs the sensor to detect attempts to connect to your network via BackOrifice Backdoor, a tool that grants administrative privileges to a remote user via an Internet link. The default value is set to true, which enables BackOrifice detection. Setting the value to false disables detection, which improves performance slightly for UDP traffic. If your network does not contain any hosts that are vulnerable to BackOrifice, you might consider disabling this parameter.

Event Delay Time


Event Delay Time regulates alert suppression by setting the number of seconds that the sensor waits between sending multiple alerts of the same type. The default is 2 seconds, which is the minimum. Under most circumstances, this provides optimum sensitivity and performance and does not need to be changed. However, if the sensor generates the same event types too frequently, you can either suppress or filter the event type. If you filter the event type, that type of event will not show at all. On the other hand, if you increase the Event Delay Time, you can reduce the number of events of this type without eliminating them altogether. Event suppression affects performance slightly, since the product performs faster if it sends fewer events. However, you risk missing important data by increasing this value.

Traffic Mode
Traffic Mode regulates asymmetric routing in the following modes:
Simplex: The sensor predominantly monitors the client-to-server side of the connection.
Duplex: The sensor monitors both the client-to-server and the server-to-client sides of the connection.

The default is set to duplex, and Symantec Network Security generally performs best in this mode. Change to simplex only under specific conditions or for specific environments. Set this parameter during deployment, when you decide which mode to use. Note: Restart the sensor for changes to this parameter to take effect.

Caution: Switching this parameter to simplex has a broad effect on a number of Symantec Network Security features. Do not change this without a thorough understanding of the effects.

Note: If a sensor in duplex mode receives a lot of simplex traffic, it displays an operational log message indicating that the flow records have been recycled, and that a large number of them have detected packets in only one direction.

Reset Port
Reset Port determines the port that Symantec Network Security uses to send TCP resets. When a reset response rule is triggered, Symantec Network Security sends the TCP reset through the port designated by this parameter. This parameter is specific to software installations of Symantec Network Security. It is not relevant to 7100 Series appliances, which can be set via the topology tree on the Network Security console. Valid values include any valid physical network interface identifier. There is no default value for this parameter. If you create a reset response rule without configuring this parameter, the response rule will fail. Note: Restart the sensor for changes to this parameter to take effect.

Basic flood and scan parameters


Symantec Network Security uses statistical methods to detect flood attacks by examining the types of traffic across the wire and the changes in traffic over periods of time. For example, if the system suddenly receives more requests than it can respond to, Symantec Network Security flags these events as a possible DoS attack. It generates events when traffic exceeds preset thresholds; that is, when a particular type of traffic exceeds a certain percentage of the traffic as a whole. For example, if a large percentage of traffic on a link is ICMP, it might indicate a ping flood. The following parameters set threshold levels for floods, scans, and sweeps. If activity levels remain below thresholds, the sensor detects the traffic but does not notify you. Breaching thresholds triggers an alert. Symantec Network Security provides counter-based detection of floods and denial-of-service attacks such as resource reservation and pipe filling. For example, in a reservation attack such as SYNflood, the attacker sends more SYN packets than the queue can hold, and thus reserves otherwise available resources and prevents new connections. In a pipe-filling attack, the attacker saturates the links by generating so much traffic on a network connection that it clogs a traffic pipe. This section describes the following basic flood and scan parameters:

TCP Flood Alert Threshold
UDP Flood Alert Threshold
Slow Scan Alert Threshold
ICMP Saturation Alert Threshold
UDP Saturation Alert Threshold
IP Fragment Saturation Alert Threshold
Bad Service Saturation Alert Threshold
Other Saturation Alert Threshold

TCP Flood Alert Threshold


TCP Flood Alert Threshold regulates the level at which the sensor notifies you of a TCP flood. If the sensor detects a greater percentage of unacknowledged TCP connections than the Threshold, it triggers a flood event. The default is set to 0.50 (50%) for a high level of sensitivity. Valid values range from 0 to 1. A value of 1% is extremely sensitive, which impacts system performance somewhat if it generates a high volume of alerts. It interacts with Streak Interval and TCP Number of Streak Packets.

UDP Flood Alert Threshold


UDP Flood Alert Threshold regulates the level at which the sensor notifies you of a UDP flood. If the sensor detects a greater percentage of unacknowledged UDP connections than the Threshold, it triggers a flood event. The default is set to 0.50 (50%) for a high level of sensitivity. Valid values range from 0 to 1. Increase the value to make the sensor less sensitive; decrease the value to make it more sensitive. A value of 1% is extremely sensitive, which impacts system performance somewhat if it generates alerts. It interacts with Streak Interval and UDP Number of Streak Packets, and affects performance slightly if changed. Note: In versions prior to 4.0, this parameter controlled input and detected both portscans and floods. Now this parameter controls output and detects either port scans or floods separately.

Slow Scan Alert Threshold


Slow Scan Alert Threshold regulates the level at which the sensor notifies you of sweep or scan activity. The sensor detects attempts to connect to the same port across multiple hosts, which can indicate sweep activity. The sensor also detects attempts to connect to the same host on multiple ports, which can indicate scan activity. If the number of attempts breaches the Threshold, it triggers a slow scan event. The default is set to 7, and valid values range from 3 to 15, inclusive. If your network traffic commonly includes many dropped or unacknowledged connections, you can increase the value to adjust the sensor's tolerance for this activity. You can decrease the value to make the sensor more sensitive to this activity, at the cost of affecting performance slightly.

ICMP Saturation Alert Threshold


ICMP Saturation Alert Threshold regulates the level at which the sensor notifies you that it detects a large amount of ICMP fragmentation traffic. The default is set to 0.25, and valid values range from 0 to 1, representing the percentage of total traffic. By default, the sensor notifies you if it detects ICMP traffic in 25% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. You can increase the threshold if you expect a high percentage of ICMP traffic in your environment.

UDP Saturation Alert Threshold


UDP Saturation Alert Threshold regulates the level at which the sensor notifies you that it detects a large amount of UDP fragmentation traffic. The default is set to 0.50, and valid values range from 0 to 1, representing the percentage of total traffic. By default, the sensor notifies you if it detects UDP traffic in 50% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. You can increase the threshold if you expect UDP traffic, such as in a Windows environment.

IP Fragment Saturation Alert Threshold


IP Fragment Saturation Alert Threshold regulates the level at which the sensor notifies you that it detects IP fragmentation traffic. The default is set to 0.05, and valid values range from 0 to 1, representing the percentage of total traffic. By default, the sensor notifies you if it detects fragmented IP traffic in 5% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. You can increase the threshold if you expect a high percentage of fragmented IP traffic in your environment.

Bad Service Saturation Alert Threshold


Bad Service Saturation Alert Threshold regulates the level at which the sensor notifies you that it detects Bad Service traffic, such as traffic configured as BADSVC in the portmap.conf file over a port. The default is set to 0.20, and valid values range from 0 to 1, representing the percentage of total traffic. By default, the sensor notifies you if it detects Bad Service traffic in 20% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. You can increase the Threshold if you want to tolerate a high percentage of Bad Service traffic in your environment.

Other Saturation Alert Threshold


Other Saturation Alert Threshold regulates the level at which the sensor notifies you that it detects Other traffic, such as any IP traffic that is not TCP, UDP, ICMP, OSPF, IPSEC, or GRE traffic, or any non-IP traffic. The default is set to 0.09, and valid values range from 0 to 1, representing the percentage of total traffic. By default, the sensor notifies you if it detects Other traffic in 9% of the total network traffic. This avoids false positives on relatively quiet links. Adjust this parameter as necessary until it just barely alerts, such as once a day under normal conditions for your environment. A high rate of alerting can slow performance, so you can increase the Threshold if you want to tolerate a high percentage of Other traffic in your environment.

Advanced flood and scan parameters


Symantec Network Security provides flood and scan parameters for advanced detection and control. Many flood and scan parameters monitor streaks, or segments of traffic that contain a sequence of packets meeting specific characteristics, such as the same source and destination IP addresses. These parameters enable you to distinguish between DoS attacks, portscans, and sweeps and to regulate what to monitor, how to analyze, and when to trigger an event. The following flood and scan parameters provide advanced detection and control. Defaults are preset for optimum performance and sensitivity and do not need to be changed under most circumstances. Changing the default settings may impact performance, sensitivity, or both.

Packet Counter Interval
Streak Interval
Counter Number of Streak Packets
TCP Minimum Flows
TCP Number of Streak Packets
UDP Minimum Flows
UDP Number of Streak Packets
ICMP Minimum Flows
ICMP Number of Streak Packets
ICMP Flood Alert Threshold
Saturation Counter Lapse Time
Maximum Time to Streak Analysis
Slow Scan Maximum IP Addresses Limit
Slow Scan Max Entry Time (days)


Packet Counter Interval


The four interval and flow parameters function interactively, and setting one affects the others. Packet Counter Interval controls how often to check packets. Streak Interval controls how often to check for port scans. TCP Minimum Flows controls how many TCP flows warrant analysis. UDP Minimum Flows regulates port scan sensitivity. Counter Interval regulates how often the sensor checks for probes and attacks. The sensors check for a variety of flood-based, denial-of-service attacks, such as ICMP floods, UDP floods, IP fragmentation floods, fragmentation services floods, and IP Other floods. The default is set to 2,047 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 1,023 to 16,383, inclusive. Values that fall outside of the minimum or maximum are mapped to 1,023 or 16,383, respectively. You can decrease the value to make the sensor check more often, at the risk of decreasing performance under extreme conditions. You can increase the value to make the sensor check less frequently, at the risk of missing short bursts or peaks. Do not make changes to this parameter without a thorough understanding of how it interacts with Counter Number of Streak Packets. Note: In versions prior to 4.0, the streak interval and counter interval were controlled by the same parameter. Symantec Network Security now provides two parameters that you can configure independently.

Streak Interval
The four interval and flow parameters function interactively, and setting one affects the others. Packet Counter Interval controls how often to check packets. Streak Interval controls how often to check for port scans. TCP Minimum Flows controls how many TCP flows warrant analysis. UDP Minimum Flows regulates port scan sensitivity. Streak Interval regulates how often the sensor checks traffic for port scans. The default is set to 16,383 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 1,023 to 65,535, inclusive. You can increase sensitivity to port scans by lowering the value so that the sensor checks more often. Do not make changes to this parameter without a thorough understanding of how it interacts with TCP Minimum Flows, UDP Minimum Flows, TCP Number of Streak Packets, and UDP Number of Streak Packets. Note: In versions prior to 4.0, Streak Interval and Counter Interval were controlled by the same parameter. Symantec Network Security now provides two parameters that you can configure independently.

Counter Number of Streak Packets


Counter Number of Streak Packets regulates how many packets to analyze. The sensor samples packets proportionally to thresholds set on Threshold parameters, analyzes them for similarities and streak patterns, and reports on the results. The default value of 36 collects 36 packets for streak analysis. Valid values range from 3 to 256, inclusive. If you notice large streaks, you can raise the value to collect more packets for analysis. This slows performance somewhat.

TCP Minimum Flows


The four interval and flow parameters function interactively, and setting one affects the others. Packet Counter Interval controls how often to check packets. Streak Interval controls how often to check for port scans. TCP Minimum Flows controls how many TCP flows warrant analysis. UDP Minimum Flows regulates port scan sensitivity. TCP Minimum Flows regulates the number of unacknowledged TCP flows that the sensor sends to analysis during the time period set by Streak Interval. If it detects an alarming number of them, it sends the packets to streak analysis, which inspects the sample of packets and compares IP addresses, ports, and other characteristics for similarities. The default is set to 3 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 3 to twice the value of the TCP Number of Streak Packets parameter. Increasing the value will decrease sensitivity. This parameter should not be changed without a thorough understanding of how it interacts with Streak Interval and TCP Number of Streak Packets.

TCP Number of Streak Packets


TCP Number of Streak Packets regulates how many TCP packets to analyze. The sensor collects all unacknowledged packets in a given streak interval, analyzes them for similarities and streak patterns, and reports on them. The default value of 128 collects 128 unacknowledged packets. Valid values range from 3 to 256, inclusive. If you notice large streaks, you can increase the value to collect more packets for analysis at the cost of slowing performance somewhat.

UDP Minimum Flows


The four interval and flow parameters function interactively, and setting one affects the others. Packet Counter Interval controls how often to check packets. Streak Interval controls how often to check for port scans. TCP Minimum Flows controls how many TCP flows warrant analysis. UDP Minimum Flows regulates port scan sensitivity. UDP Minimum Flows regulates the number of unacknowledged UDP flows that the sensor sends to analysis during the time period set by Streak Interval. If it detects an alarming number of them, it sends the packets to streak analysis, which inspects the sample of packets and compares IP addresses, ports, and other characteristics for similarities. The default is set to 3 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 3 to twice the value of the UDP Number of Streak Packets parameter. You can troubleshoot an overactive network by increasing the value without changing Streak Interval. The sensor then takes a larger sample at each interval and returns more accurate results, at the cost of impacting system performance somewhat. This parameter should not be changed without a thorough understanding of how it interacts with Streak Interval and UDP Number of Streak Packets.

UDP Number of Streak Packets


UDP Number of Streak Packets regulates how many UDP packets to analyze. The sensor collects all unacknowledged packets in a given streak interval, analyzes them for similarities and streak patterns, and reports on them. The default value of 128 collects 128 unacknowledged packets. Valid values range from 3 to 256, inclusive. If you notice large streaks, you can increase the value to collect more packets for analysis at the cost of slowing performance somewhat.

ICMP Minimum Flows


The four interval and flow parameters function interactively, and setting one affects the others. Packet Counter Interval controls how often to check packets. Streak Interval controls how often to check for port scans. TCP Minimum Flows controls how many TCP flows warrant analysis. UDP Minimum Flows regulates port scan sensitivity. ICMP Minimum Flows regulates the number of unacknowledged ICMP flows that the sensor sends to analysis during the time period set by Streak Interval. If it detects an alarming number of them, it sends the packets to streak analysis, which inspects the sample of packets and compares IP addresses, ports, and other characteristics for similarities. The default is set to 3 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 3 to twice the value of the ICMP Number of Streak Packets parameter. You can troubleshoot an overactive network by increasing the value without changing Streak Interval. The sensor then takes a larger sample at each interval and returns more accurate results, at the cost of impacting system performance somewhat. This parameter should not be changed without a thorough understanding of how it interacts with Streak Interval and ICMP Number of Streak Packets.

ICMP Number of Streak Packets


ICMP Number of Streak Packets regulates how many ICMP packets to analyze. The sensor collects all unacknowledged packets in a given streak interval, analyzes them for similarities and streak patterns, and reports on them. The default value of 128 collects 128 unacknowledged packets. Valid values range from 3 to 256, inclusive. If you notice large streaks, you can increase the value to collect more packets for analysis at the cost of slowing performance somewhat.

ICMP Flood Alert Threshold


ICMP Flood Alert Threshold regulates the level at which the sensor notifies you of an ICMP flood. If the sensor detects a greater percentage of unacknowledged ICMP connections than the Threshold, it triggers a flood event. The default is set to 0.50 (50%) for a high level of sensitivity. Valid values range from 0 to 1. Increase the value to make the sensor less sensitive; decrease the value to make it more sensitive. A value of 1 (100%) is extremely sensitive, which impacts system performance somewhat if it generates alerts. Setting this parameter to 0 (0%) effectively disables it. It interacts with Streak Interval and ICMP Number of Streak Packets.


Saturation Counter Lapse Time


Saturation Counter Lapse Time regulates the time period in which to collect packets. The sensor must detect 2,048 packets within the time period set by this parameter before it sends them to analysis. If traffic moves slower than that, it skips analysis. If traffic exceeds the threshold, it proceeds to analysis. The default is set to 5 seconds for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 0 to 3,600 (1 hour), inclusive. Consider changing it only for troubleshooting purposes, and with thorough knowledge of its functionality. If this parameter is set to lapse too often, such as 1 second, it decreases sensitivity to threshold alerts. It does not directly affect performance, and since it guards the low-level thresholds, fast traffic remains unaffected.
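The basic saturation thresholds (ICMP, UDP, IP Fragment, Bad Service and Other), Packet Counter Interval and Saturation Counter Lapse Time together form one counter-based check. The following added example (not Symantec Network Security code) models that check with the guide's defaults: every 2,048 packets the per-category fraction of traffic is compared with its threshold, and a window that took longer than the lapse time is skipped so that a quiet link does not alert on a handful of packets. The Packet type, the BADSVC port set and the synthetic traffic are constructed for illustration.

```python
"""Added example (not Symantec Network Security code): a model of the
counter-based saturation checks (ICMP, UDP, IP Fragment, Bad Service and Other
Saturation Alert Thresholds) gated by Packet Counter Interval and Saturation
Counter Lapse Time. Packet type, port set and traffic are constructed."""
from collections import Counter
from dataclasses import dataclass

# Defaults as stated in the guide; thresholds are fractions of total traffic.
DEFAULTS = {
    "packet_counter_interval": 2047,        # analysis runs every 2,048 packets
    "saturation_counter_lapse_time": 5.0,   # seconds those packets may take
    "icmp": 0.25, "udp": 0.50, "ip_fragment": 0.05,
    "bad_service": 0.20, "other": 0.09,
}
# "Other" is IP traffic that is none of these, or any non-IP traffic.
RECOGNISED_IP = {"tcp", "udp", "icmp", "ospf", "ipsec", "gre"}
# Constructed stand-in for ports marked BADSVC in portmap.conf (hypothetical values).
BADSVC_PORTS = {1999, 6789}


@dataclass
class Packet:
    """Constructed minimal view of one packet as the counter sees it."""
    ts: float               # seconds
    proto: str              # "tcp", "udp", "icmp", "ospf", "ipsec", "gre", "arp", ...
    is_ip: bool = True
    fragmented: bool = False
    dport: int = 0          # 0 = no transport port


class SaturationCounter:
    def __init__(self, params=None, badsvc_ports=BADSVC_PORTS):
        self.p = {**DEFAULTS, **(params or {})}
        self.badsvc = badsvc_ports
        self.window = self.p["packet_counter_interval"] + 1
        self._reset()

    def _reset(self):
        self.counts, self.total, self.first_ts = Counter(), 0, None

    def _categories(self, pkt):
        cats = []
        if not pkt.is_ip or pkt.proto not in RECOGNISED_IP:
            cats.append("other")
        if pkt.is_ip and pkt.fragmented:
            cats.append("ip_fragment")
        if pkt.proto == "icmp":
            cats.append("icmp")
        if pkt.proto == "udp":
            cats.append("udp")
        if pkt.dport in self.badsvc:
            cats.append("bad_service")
        return cats

    def observe(self, pkt):
        """Count one packet; returns the alerts raised when a window completes."""
        if self.first_ts is None:
            self.first_ts = pkt.ts
        self.total += 1
        for cat in self._categories(pkt):
            self.counts[cat] += 1
        if self.total < self.window:
            return []
        alerts = self._analyse(pkt.ts)
        self._reset()
        return alerts

    def _analyse(self, now):
        # Lapse time: if the window took too long the link is quiet, so analysis is
        # skipped and a few stray packets cannot breach a percentage threshold.
        if now - self.first_ts > self.p["saturation_counter_lapse_time"]:
            return []
        alerts = []
        for cat in ("icmp", "udp", "ip_fragment", "bad_service", "other"):
            frac = self.counts[cat] / self.total
            if frac > self.p[cat]:
                alerts.append((cat + "_saturation", round(frac, 4)))
        return alerts


def run(packets, **overrides):
    """Feed packets through one counter and collect every alert it raises."""
    counter, alerts = SaturationCounter(overrides), []
    for pkt in packets:
        alerts.extend(counter.observe(pkt))
    return alerts


def synth(n, icmp_share, duration):
    """Constructed traffic: the first icmp_share of n packets are ICMP, the rest
    TCP to port 80, spread evenly over `duration` seconds."""
    icmp_n = int(n * icmp_share)
    return [Packet(ts=i * duration / n, proto="icmp" if i < icmp_n else "tcp",
                   dport=0 if i < icmp_n else 80) for i in range(n)]


if __name__ == "__main__":
    print("busy link, 40% ICMP:", run(synth(2048, 0.40, 2.0)))
    print("quiet link, same mix:", run(synth(2048, 0.40, 10.0)))
    print("busy link, 10% ICMP:", run(synth(2048, 0.10, 2.0)))
```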

Maximum Time to Streak Analysis


Maximum Time to Streak Analysis regulates a periodic analysis, regardless of the number of packets detected, even if the sensor detects very little activity. In this way, it prevents the streak analysis functionality from being too quiet. The default is set to 10 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 0 to 60, inclusive. Consider changing it only for troubleshooting purposes, and with thorough knowledge of its functionality.

Slow Scan Maximum IP Addresses Limit


Slow Scan Maximum IP Addresses Limit regulates the number of IP addresses that the sensor monitors for slow scans. This pertains exclusively to port scans, not port sweeps. The default is set to 65,536 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 1 to 1,000,000, inclusive. Consider changing it only for troubleshooting purposes, and with thorough knowledge of its functionality. Changes to this parameter can affect memory consumption. Note: Restart the sensor for changes to this parameter to take effect.

Slow Scan Max Entry Time (days)


Slow Scan Max Entry Time (days) determines how many days an inactive entry remains valid. If the number of days that an entry remains inactive breaches this limit, the entry is reset. Any old data is lost and new data in the entry is treated as an unrelated event. The default value is set to 30, and valid values range from 7 to 180, inclusive. If the slow scan functionality appears to be generating too many events, you can lessen the value to increase the inactive time period. This reduces detection sensitivity. Increase the sensitivity by increasing the value to keep inactive entries valid longer. These changes have little impact on performance.
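Slow Scan Alert Threshold, Slow Scan Maximum IP Addresses Limit and Slow Scan Max Entry Time (days) describe one bookkeeping structure: per source address, the distinct hosts seen on each port (a sweep) and the distinct ports seen on each host (a scan), limited in size and expired after inactivity. The following added example (not Symantec Network Security code) models that structure with the guide's defaults. Events are constructed; how the real sensor stores and evicts entries is not documented here, so the handling of the address limit and the reading of "breaches" as "exceeds" are assumptions.

```python
"""Added example (not Symantec Network Security code): a model of the slow
scan bookkeeping described under Slow Scan Alert Threshold, Slow Scan Maximum
IP Addresses Limit and Slow Scan Max Entry Time (days). Events are
constructed; limit handling and the meaning of 'breaches' are assumptions."""
from collections import defaultdict

DAY = 86400.0


class SlowScanTracker:
    def __init__(self, threshold=7, max_sources=65536, max_entry_days=30):
        if not 3 <= threshold <= 15:
            raise ValueError("Slow Scan Alert Threshold must be 3..15")
        self.threshold = threshold
        self.max_sources = max_sources              # Slow Scan Maximum IP Addresses Limit
        self.max_entry_secs = max_entry_days * DAY  # Slow Scan Max Entry Time (days)
        self.entries = {}                           # source IP -> bookkeeping entry

    def _entry(self, src, ts):
        e = self.entries.get(src)
        if e is not None and ts - e["last"] > self.max_entry_secs:
            del self.entries[src]     # inactive too long: entry reset, old data lost
            e = None
        if e is None:
            if len(self.entries) >= self.max_sources:
                return None           # assumption: sources beyond the limit are not tracked
            e = {"last": ts, "hosts_by_port": defaultdict(set),
                 "ports_by_host": defaultdict(set), "alerted": set()}
            self.entries[src] = e
        e["last"] = ts
        return e

    def observe(self, ts, src, dst, dport, acknowledged):
        """Record one connection attempt; returns the alerts it raises.
        Only unacknowledged attempts count. A sweep is the same port across
        many hosts; a scan is many ports on one host. Assumption: the distinct
        count must exceed the threshold, and each target alerts once per entry."""
        if acknowledged:
            return []
        e = self._entry(src, ts)
        if e is None:
            return []
        alerts = []
        e["hosts_by_port"][dport].add(dst)
        hosts = len(e["hosts_by_port"][dport])
        if hosts > self.threshold and ("sweep", dport) not in e["alerted"]:
            e["alerted"].add(("sweep", dport))
            alerts.append(("sweep", src, dport, hosts))
        e["ports_by_host"][dst].add(dport)
        ports = len(e["ports_by_host"][dst])
        if ports > self.threshold and ("scan", dst) not in e["alerted"]:
            e["alerted"].add(("scan", dst))
            alerts.append(("scan", src, dst, ports))
        return alerts


def run(events, **kwargs):
    """Feed (ts, src, dst, dport, acknowledged) events through one tracker."""
    tracker, alerts = SlowScanTracker(**kwargs), []
    for ev in events:
        alerts.extend(tracker.observe(*ev))
    return alerts


# Constructed events (documentation addresses): one unacknowledged attempt at a time.
SWEEP_EVENTS = [(i * DAY, "203.0.113.9", f"10.0.0.{i + 1}", 22, False)
                for i in range(8)]                 # same port, a new host each day
SCAN_EVENTS = [(i * 3600.0, "203.0.113.9", "10.0.0.50", 1000 + i, False)
               for i in range(8)]                  # same host, a new port each hour
# Seven daily attempts, then 40 idle days: the entry expires before the eighth.
EXPIRED_EVENTS = SWEEP_EVENTS[:7] + [(46 * DAY, "203.0.113.9", "10.0.0.8", 22, False)]
# The same attempts, but all acknowledged: normal traffic, never counted.
ACKED_EVENTS = [(ts, src, dst, port, True) for ts, src, dst, port, _ in SWEEP_EVENTS]

if __name__ == "__main__":
    print("sweep:", run(SWEEP_EVENTS))
    print("scan:", run(SCAN_EVENTS))
    print("after 40 idle days:", run(EXPIRED_EVENTS))
    print("acknowledged:", run(ACKED_EVENTS))
```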

Other advanced parameters


Symantec Network Security provides the following parameters for advanced troubleshooting purposes. Defaults are preset for optimum performance and sensitivity and do not need to be changed under most circumstances. Changing the default settings may impact performance, sensitivity, or both.

Enable PLSC (Propagate Link State Change)
Maximum IPv4 Fragment Reassembly Table Elements
Signature Engine Max Backbuffer Size

Enable PLSC (Propagate Link State Change)


Enable PLSC (Propagate Link State Change) enables the propagation of link state events on in-line sensors only, and ensures that link-state oriented routing protocols converge properly. When the value is set to True, the Symantec Network Security appliance propagates the link event on one interface to the other interface in an in-line pair. For example, for an in-line pair of re1000g0,re1000g1, if the link fails on the re1000g0 interface, the appliance takes the link down on the re1000g1 interface as well. Likewise, if the link comes back up on the re1000g0 interface, the appliance attempts to bring the link back up on the re1000g1 interface as well. In this way, this parameter ensures that the two interfaces in an in-line pair behave as one unit, similar to a single cable. When enabled, the PLSC parameter never allows one interface in an in-line pair to behave differently than the other. The default value is set to False, which disables this parameter. Note: This parameter applies to Symantec Network Security 7100 Series appliances only.

Note: Restart the sensor for changes to this parameter to take effect. See also Configuring link state on page 104.


Maximum IPv4 Fragment Reassembly Table Elements


Maximum IPv4 Fragment Reassembly Table Elements regulates the size of IP fragment tables by controlling the number of simultaneous IP fragments that the sensor handles. It directly impacts memory consumption. Each fragment table entry can consume slightly more than 64K of memory. The default is set to 2,048 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 32 to 32,768, inclusive. If you receive an operational log message indicating that the IPv4 Fragment Reassembly Table is full, you can eliminate the message by increasing this value, at the cost of greater memory consumption. If the system is running low on RAM, you can decrease this value, at the cost of reducing detection sensitivity because sensors have less traffic to inspect. Consider changing it only if you have a thorough understanding of its functionality.

Signature Engine Max Backbuffer Size


Signature Engine Max Backbuffer Size determines the maximum size of the packet cache that Symantec Network Security maintains per flow. For example, for a signature that calls for a match of abcde, if the sensor detects a partial match of ab in one packet, it stores the packet containing the ab match. Then it continues to look for cde and continues to store any partial matches that it finds. It can store partial matches until it reaches the limit set by this parameter. The default value is set to 65,536 for optimum performance and sensitivity, and you do not need to change it under most circumstances. Increasing the maximum will impact performance. Decreasing the maximum will lessen the detection quality. If you believe that this limit causes the sensor to miss an evasion, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise before changing the value. Note: Restart the sensor for changes to this parameter to take effect.

Advanced TCP engine parameters


Symantec Network Security provides the following TCP engine parameters for advanced troubleshooting purposes. Defaults are preset for optimum performance and sensitivity and do not need to be changed under most circumstances. Changing the default settings may impact performance, sensitivity, or both.

TCP Maximum Flow Table Elements (Fast Ethernet)
TCP Maximum Flow Table Elements (Gigabit)
TCP Keepalive Timeout
TCP Flow Max Queued Segments
TCP Global Max Queued Segments (Fast Ethernet)
TCP Global Max Queued Segments (Gigabit)
TCP 2MSL Timeout
TCP Default Window Size
TCP Reset Quiet Period
TCP Retransmitted Segment Alert Minimum Magnitude
TCP Retransmitted Segment Alert Threshold
TCP SYN Flood End Threshold
TCP SYN Flood Retransmission Timeout
TCP Retransmitted SYN Alert Magnitude
TCP Opening Flows Target Ratio
TCP Listening Flows Target Ratio
TTL Allowed Variance for TCP over IPv4 for Inline Sensors
TTL Allowed Variance for TCP over IPv4 for Passive Sensors
TTL Change Timeout for TCP Over IPv4

TCP Maximum Flow Table Elements (Fast Ethernet)


TCP Maximum Flow Table Elements (Fast Ethernet) regulates the size of the TCP flow table by controlling the number of simultaneous flows that the fast Ethernet sensor handles. It has a direct impact on memory consumption. The default is set to 32,768 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 16,384 (16K) to 262,144 (256K). If you receive an operational log message indicating that the TCP Flow Table is full, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.

TCP Maximum Flow Table Elements (Gigabit)


TCP Maximum Flow Table Elements (Gigabit) regulates the size of the TCP flow table by controlling the number of simultaneous flows that the gigabit sensor handles. It has a direct impact on memory consumption. The default is set to 131,072 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 32,768 (32K) to 1,048,576 (1M), inclusive. If you receive an operational log message indicating that the TCP Flow Table is full, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.

TCP Keepalive Timeout


TCP Keepalive Timeout regulates the period of time in seconds that a TCP connection can remain idle before it expires. The sensor closes both established and blocked flows if they remain idle longer than this period of time. The default is set to 14,400 seconds (4 hours) for optimum performance and sensitivity, and does not need to be changed under most circumstances. The minimum value is 1 second. Consider changing it only for troubleshooting purposes, and with thorough knowledge of its functionality. If you set it too low, the sensor may ignore or miss connections, and memory consumption is affected. The default provides a balance between evasion resiliency and resource consumption.

TCP Flow Max Queued Segments


TCP Flow Max Queued Segments regulates the number of TCP segments that are out of order in a queue per TCP flow. If the number of out-of-order segments exceeds this maximum, the sensor discards the flow. Out-of-order segments in a flow usually signify a problem; either something wrong on the network, or a denial-of-service attack. The default is set to 64 for optimum performance and sensitivity, and does not need to be changed under most circumstances. The minimum value is 1. If you see an operational event indicating too many out-of-order TCP segments, you can eliminate the message by increasing this value, at the cost of greater memory consumption. If you decrease this value, it reduces detection sensitivity. Consider changing it only if you have a thorough understanding of its functionality.

TCP Global Max Queued Segments (Fast Ethernet)


TCP Global Max Queued Segments (Fast Ethernet) regulates the number of out-of-order TCP segments that can remain in queue globally. If the total number of out-of-order segments exceeds the value of this parameter, the fast Ethernet sensor reclaims the space by replacing old TCP flows and queued segments with new out-of-order segments. The default is set to 65,535 for optimum performance and sensitivity, and does not need to be changed under most circumstances. The minimum value is 4,096. Although a high number of out-of-order segments is rare, if this is usual for your network, you can increase this value to compensate. If you see an operational event indicating too many out-of-order TCP segments, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.

TCP Global Max Queued Segments (Gigabit)


TCP Global Max Queued Segments regulates the number of out-of-order TCP segments that can remain in queue globally. If the total number of out-of-order segments exceeds the value of this parameter, the gigabit sensor reclaims the space by replacing old TCP flows and queued segments with new out-of-order segments. The default for TCP Global Max Queued Segments (Gigabit) is set to 131,072 for optimum performance and sensitivity, and does not need to be changed under most circumstances. The minimum value is 4,096. Although a high number of out-of-order segments is rare, if this is usual for your network, you can increase this value to compensate. If you see an operational event indicating too many out-of-order TCP segments, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.
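The interplay of the per-flow and global queued-segment limits, shown as an added example. This is not Symantec's code and the sensor's real reassembler is not documented on this page; the class and method names, the return strings, and the small limits (4 per flow, 6 globally, instead of the page defaults of 64 and 65,535) are assumptions chosen so the caps are reached quickly. It shows the two behaviours the text describes: a flow whose out-of-order queue exceeds the per-flow cap is discarded outright, while exceeding the global cap reclaims space from the oldest flow that holds queued segments.

```python
from collections import OrderedDict

# Limits are deliberately tiny for the demonstration (page defaults: 64 and 65,535).
FLOW_MAX_QUEUED = 4     # TCP Flow Max Queued Segments
GLOBAL_MAX_QUEUED = 6   # TCP Global Max Queued Segments (Fast Ethernet)


class Flow:
    def __init__(self, isn):
        self.next_seq = isn      # next in-order sequence number expected
        self.queued = {}         # seq -> payload, out-of-order segments waiting
        self.delivered = b""     # reassembled bytes handed on to the decoders


class Reassembler:
    def __init__(self, flow_max=FLOW_MAX_QUEUED, global_max=GLOBAL_MAX_QUEUED):
        if flow_max < 1 or global_max < 1:
            raise ValueError("queue limits must be at least 1")
        self.flow_max = flow_max
        self.global_max = global_max
        self.flows = OrderedDict()   # insertion order doubles as age, oldest first
        self.global_queued = 0       # out-of-order segments queued across all flows

    def _reclaim(self, protect):
        # Global cap exceeded: free the queue of the oldest flow that holds
        # out-of-order segments (never the flow that just received one).
        while self.global_queued > self.global_max:
            victim = next((k for k, f in self.flows.items()
                           if k != protect and f.queued), None)
            if victim is None:
                break
            self.global_queued -= len(self.flows.pop(victim).queued)

    def segment(self, key, seq, payload, isn=None):
        """Feed one TCP segment for flow `key`; returns what happened to it."""
        flow = self.flows.get(key)
        if flow is None:
            flow = Flow(seq if isn is None else isn)
            self.flows[key] = flow
        if seq == flow.next_seq:
            flow.delivered += payload
            flow.next_seq += len(payload)
            # Drain queued segments that have now become contiguous.
            while flow.next_seq in flow.queued:
                data = flow.queued.pop(flow.next_seq)
                self.global_queued -= 1
                flow.delivered += data
                flow.next_seq += len(data)
            return "delivered"
        if seq < flow.next_seq or seq in flow.queued:
            return "retransmit"          # already covered; nothing to queue
        if len(flow.queued) >= self.flow_max:
            # Per-flow cap: the page says the sensor discards the whole flow.
            self.global_queued -= len(flow.queued)
            del self.flows[key]
            return "flow_discarded"
        flow.queued[seq] = payload
        self.global_queued += 1
        self._reclaim(protect=key)
        return "queued"
```

Raising the per-flow cap trades memory for tolerance of genuinely lossy paths; the global cap is what keeps a many-flow out-of-order flood from consuming the sensor, because reclaiming an old flow's queue is cheaper than letting every flow hold its full allowance.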

TCP 2MSL Timeout


TCP 2MSL Timeout regulates the period of time that a closed connection must remain idle before it can be opened for a new connection. This idle time allows any out-of-order segments that may be in transit to drain from the network before a new connection is established. This enables the sensor to distinguish between straggling packets that belong to a flow that just closed, and packets that belong to a new flow. By default, this parameter is set to 30 seconds. Setting this parameter either too high or too low can reduce sensitivity. We recommend that you tune TCP 2MSL Timeout to the normal traffic patterns of your network, which may vary from host to host. At installation, leave this parameter at default and observe how the system detects events. Then adjust the parameter as needed until it just barely alerts, such as once a day, under normal conditions for your environment. In this way, you will quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert.

TCP Default Window Size


TCP Default Window Size regulates the size of the TCP window that the sensor uses to determine if a TCP flow is valid. For valid TCP flows, it adds out-of-order segments to the appropriate queue to process later. The sensor drops out-of-order segments from TCP flows that it determines to be invalid. By default, this value is set to 134,217,728. We recommend that you tune TCP Default Window Size to the normal traffic patterns of your network, which may vary from host to host. At installation, leave this parameter at default and observe how the system detects events. Then adjust the parameter as needed until it just barely alerts, such as once a day, under normal conditions for your environment. In this way, you will quickly notice a shift in traffic patterns and easily pinpoint the events that triggered the alert.

TCP Reset Quiet Period


TCP Reset Quiet Period establishes a configurable quiet period that follows each established TCP flow that is closed by a reset. This enables Symantec Network Security to mitigate DoS attacks and floods by differentiating between straggling packets that belong to a flow closed by the RST flag and packets that belong to new flows. RST is a TCP control flag indicating that the connection should be aborted or reset. Each time an RST closes an established connection, the quiet period configured by this parameter begins. For its duration, the sensor ignores packets that belong to the flow closed by the RST flag, and allows packets that belong to new flows to pass as usual. RST packets can also be sent during the three-way handshake; if a TCP flow fails to complete the handshake, the quiet period does not apply to the failed connection. The default value is set to 30 seconds for optimum sensitivity and performance, and does not need to be changed under most circumstances. The minimum valid value is 0, which disables the quiet period. Configuring this parameter requires a thorough understanding of RST latency on the monitored network. Before making any changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
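The timers described above (TCP Keepalive Timeout, TCP 2MSL Timeout and TCP Reset Quiet Period), together with the flow-table-full condition from TCP Maximum Flow Table Elements, modelled as an added example. This is not Symantec's code; the page does not document the sensor's internal flow table, so the class, the event classification strings, the operational log text and the rule that a fresh SYN during a quiet period starts a new flow while any other packet on that 4-tuple is treated as a straggler are all assumptions. The small limits passed in the usage below replace the page defaults so the behaviour is visible in a few events.

```python
# Page defaults for the fast Ethernet sensor (the 7100-series gigabit table is larger).
KEEPALIVE_TIMEOUT = 14_400    # seconds an open flow may stay idle (4 hours)
MSL2_TIMEOUT = 30             # seconds of quiet after an orderly (FIN) close
RESET_QUIET_PERIOD = 30       # seconds of quiet after an RST; 0 disables it
MAX_FLOW_ELEMENTS = 32_768    # TCP Maximum Flow Table Elements (Fast Ethernet)


class FlowTable:
    def __init__(self, keepalive=KEEPALIVE_TIMEOUT, msl2=MSL2_TIMEOUT,
                 reset_quiet=RESET_QUIET_PERIOD, max_elements=MAX_FLOW_ELEMENTS):
        if keepalive < 1 or reset_quiet < 0:
            raise ValueError("keepalive minimum is 1 s, reset quiet minimum is 0 s")
        self.keepalive = keepalive
        self.msl2 = msl2
        self.reset_quiet = reset_quiet
        self.max_elements = max_elements
        self.active = {}   # 4-tuple -> timestamp of the last packet on an open flow
        self.quiet = {}    # 4-tuple -> timestamp at which its quiet period ends
        self.log = []      # stand-in for the operational log

    def _expire(self, now):
        # Keepalive: an idle open flow is simply dropped, with no quiet period.
        for key, last in list(self.active.items()):
            if now - last > self.keepalive:
                del self.active[key]
                self.log.append(f"keepalive expired {key}")
        for key, until in list(self.quiet.items()):
            if now >= until:
                del self.quiet[key]

    def packet(self, now, key, flags):
        """Classify one packet (flags is a set such as {"SYN"} or {"FIN", "ACK"})."""
        self._expire(now)
        in_quiet = key in self.quiet
        if "SYN" in flags:
            if in_quiet:
                # A new handshake on a tuple still in its quiet period: the page
                # says new flows pass as usual, so stop treating it as closed.
                del self.quiet[key]
            if key not in self.active and len(self.active) >= self.max_elements:
                self.log.append("TCP Flow Table is full")
                return "dropped_table_full"
            self.active[key] = now
            return "opened"
        if key in self.active:
            self.active[key] = now
            if "RST" in flags:
                del self.active[key]
                if self.reset_quiet > 0:
                    self.quiet[key] = now + self.reset_quiet
                return "reset"
            if "FIN" in flags:
                del self.active[key]
                self.quiet[key] = now + self.msl2
                return "closed"
            return "tracked"
        if in_quiet:
            return "straggler_ignored"   # late segment of a flow that just closed
        return "untracked"               # mid-stream traffic with no flow record
```

Setting the keepalive too low makes long-lived idle sessions (SSH, database pools) look like new, unseen flows when they resume, which is the "ignore or miss connections" failure the text warns about; setting the reset quiet period to 0 means a flood of RSTs followed by stray segments costs the sensor a flow lookup and classification for every straggler.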


TCP Retransmitted Segment Alert Minimum Magnitude


TCP Retransmitted Segment Alert Minimum Magnitude (RSAMM) interacts directly with the TCP Retransmitted Segment Alert Threshold (RSAT) parameter. RSAMM counts the number of TCP segments per flow. If the number exceeds the value of RSAMM, then the RSAT parameter checks the flow for retransmitted segments. If the ratio of retransmitted to total number of segments exceeds the value of the RSAT parameter, then an event is triggered. By default, the RSAMM value is set to 8 segments and the RSAT ratio is set to 0.20. Using this default configuration, a flow that exceeds the RSAMM limit of 8 segments is checked by the RSAT parameter. If the ratio of retransmitted to total segments exceeds the RSAT limit of 0.20, an event is triggered. Note that if this is calculated literally, an event is triggered by 1.60 retransmitted segments in a flow with 8 segments. However, fractional segments do not exist. Therefore, it would actually take 2 retransmitted segments to trigger an event in this configuration. The default for RSAMM is set to 8 TCP segments, and the minimum value is 2 segments. RSAMM is an advanced parameter. The defaults are set for the optimum balance between maximum sensitivity and minimum false positives. Increasing sensitivity can result in false positives. Decreasing sensitivity can result in missed evasions. Adjusting the values does not affect performance.

TCP Retransmitted Segment Alert Threshold


TCP Retransmitted Segment Alert Threshold (RSAT) interacts directly with the TCP Retransmitted Segment Alert Minimum Magnitude (RSAMM) parameter. RSAMM counts the number of TCP segments per flow. If the number exceeds the value of RSAMM, then the RSAT parameter checks the flow for retransmitted segments. If the ratio of retransmitted to total number of segments exceeds the value of the RSAT parameter, an event is triggered. By default, the RSAMM value is set to 8 segments and the RSAT ratio is set to 0.20. Using this default configuration, a flow that exceeds the RSAMM limit of 8 segments is checked by the RSAT parameter. If the ratio of retransmitted to total segments exceeds the RSAT limit of 0.20, an event is triggered. Note that if this is calculated literally, an event is triggered by 1.60 retransmitted segments in a flow with 8 segments. However, fractional segments do not exist. Therefore, it would actually take 2 retransmitted segments to trigger an event in this configuration. The default for RSAT is set to 0.20, and valid values range from 0.00 to 1.00, inclusive.

RSAT is an advanced parameter. The defaults are set for the optimum balance between maximum sensitivity and minimum false positives. Increasing sensitivity can result in false positives. Decreasing sensitivity can result in missed evasions. Adjusting the values does not affect performance.
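The RSAMM/RSAT check from the two sections above, written out as an added example so the "1.60 segments really means 2" point can be verified on constructed flows. This is not Symantec's code: the page does not say whether the magnitude gate uses "at least" or "more than" RSAMM, nor how a retransmission is recognised, so the code assumes the gate opens at exactly RSAMM segments (which is what the page's 8-segment example implies) and counts a segment as retransmitted when its sequence number and length have been seen before on the flow. Function and class names are hypothetical.

```python
import math

RSAMM = 8      # TCP Retransmitted Segment Alert Minimum Magnitude (segments, min 2)
RSAT = 0.20    # TCP Retransmitted Segment Alert Threshold (ratio, 0.00..1.00)


def retransmitted_segment_alert(total, retransmitted, rsamm=RSAMM, rsat=RSAT):
    """True when a flow of `total` segments, `retransmitted` of them repeats,
    should raise the retransmitted-segment event."""
    if rsamm < 2:
        raise ValueError("RSAMM minimum is 2 segments")
    if not 0.0 <= rsat <= 1.0:
        raise ValueError("RSAT must lie between 0.00 and 1.00")
    if total < rsamm:              # magnitude gate: too few segments to judge
        return False
    return retransmitted / total > rsat


def min_retransmits_to_alert(total, rsat=RSAT):
    """Smallest whole number of retransmissions whose ratio exceeds RSAT.
    For 8 segments at 0.20 this is 2, not the literal 1.60."""
    return math.floor(total * rsat) + 1


class FlowRetransmitCounter:
    """Per-flow bookkeeping: feed segments, get the alert decision back."""

    def __init__(self, rsamm=RSAMM, rsat=RSAT):
        self.rsamm, self.rsat = rsamm, rsat
        self.seen = set()        # (seq, length) pairs already observed
        self.total = 0
        self.retransmitted = 0

    def segment(self, seq, length):
        self.total += 1
        if (seq, length) in self.seen:   # same bytes again: a retransmission
            self.retransmitted += 1
        else:
            self.seen.add((seq, length))
        return retransmitted_segment_alert(self.total, self.retransmitted,
                                           self.rsamm, self.rsat)
```

Because the event is a ratio, the same two retransmissions that fire on an 8-segment flow are silent on a 10-segment one (2/10 is not above 0.20); an evasion tool that pads a stream with extra legitimate segments to dilute its overlapping retransmissions is exactly what lowering RSAT is meant to catch, at the cost of more alerts on genuinely lossy links.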

TCP SYN Flood End Threshold


TCP SYN Flood End Threshold determines when a SYN flood has ended and sends an operational log message to notify you that flood mode has ended. During a flood the sensor tracks, over each analysis period, how many flows remain unacknowledged (half-open) out of the total number of flows; equivalently, what share of flows completed their handshake. When the share of completed connections exceeds the threshold set by this parameter, the sensor considers the SYN flood to have ended and writes the operational log message. The default value is set to 0.9 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 0 to 1, inclusive. Lowering this parameter can cause the sensor to report the end of a flood early, before it has actually ended; if SYN packets then continue, the sensor returns to flood mode.

Note: This parameter applies to Symantec Network Security 7100 Series appliances only.

TCP SYN Flood Retransmission Timeout


TCP SYN Flood Retransmission Timeout determines the period of time that an in-line sensor waits for a SYN to be retransmitted before considering it to be part of a flood. The in-line sensor drops the initial SYN, the first transmission in a three-way handshake. If the sender retransmits the SYN within the time period set by this parameter, the in-line sensor acknowledges it, transmits the SYN, and creates a flow record. If the sender transmits a SYN outside of this time period, the in-line sensor drops it, saving the resources that SYN floods are designed to tie up. The default value is set to 5 seconds for optimum sensitivity and performance, and does not need to be changed under most circumstances. The minimum valid value is 0. Decreasing the value can result in preventing legitimate senders from connecting to your network by not allowing enough time for retransmission. Increasing the value can result in more floods getting through.

Note: This parameter applies to Symantec Network Security 7100 Series appliances only.


TCP Retransmitted SYN Alert Magnitude


TCP Retransmitted SYN Alert Magnitude determines the number of initial and retransmitted SYNs that the sensor detects before triggering an event. The default value is set to 5 SYNs for optimum sensitivity and performance, and does not need to be changed under most circumstances. The minimum valid value is 2.
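The three SYN-related parameters above (TCP SYN Flood End Threshold, TCP SYN Flood Retransmission Timeout and TCP Retransmitted SYN Alert Magnitude), modelled as an added example on constructed connection attempts. This is not Symantec's code and does not reproduce the 7100-series implementation; it paraphrases the behaviour the page describes. Assumptions: a SYN that arrives after the retransmission window is treated as a fresh initial SYN and restarts the timer, the flood-end ratio is evaluated by the caller per analysis period, and the function reports "not ended" when a period contains no flows at all. Names and return strings are hypothetical.

```python
SYN_RETRANSMISSION_TIMEOUT = 5.0       # seconds; page default (7100 series, in-line)
SYN_FLOOD_END_THRESHOLD = 0.9          # ratio 0..1; page default (7100 series)
RETRANSMITTED_SYN_ALERT_MAGNITUDE = 5  # initial + retransmitted SYNs per flow; min 2


def syn_flood_ended(total_flows, completed_flows, threshold=SYN_FLOOD_END_THRESHOLD):
    """Flood-end test for one analysis period: the share of flows that finished
    their handshake must exceed the threshold. No flows at all -> False (assumption)."""
    if not 0.0 <= threshold <= 1.0:
        raise ValueError("threshold must lie between 0 and 1")
    if total_flows == 0:
        return False
    return completed_flows / total_flows > threshold


class SynGate:
    """In-line SYN handling: drop the first SYN, admit a timely retransmission."""

    def __init__(self, retrans_timeout=SYN_RETRANSMISSION_TIMEOUT,
                 alert_magnitude=RETRANSMITTED_SYN_ALERT_MAGNITUDE):
        if retrans_timeout < 0 or alert_magnitude < 2:
            raise ValueError("timeout minimum is 0, alert magnitude minimum is 2")
        self.retrans_timeout = retrans_timeout
        self.alert_magnitude = alert_magnitude
        self.pending = {}    # 4-tuple -> arrival time of the dropped initial SYN
        self.syn_count = {}  # 4-tuple -> SYNs seen, initial and retransmitted
        self.flows = {}      # 4-tuple -> "opening" | "established"
        self.log = []

    def syn(self, now, key):
        """Handle one SYN; returns 'dropped', 'forwarded' or 'alert'."""
        count = self.syn_count.get(key, 0) + 1
        self.syn_count[key] = count
        first = self.pending.get(key)
        if first is not None and now - first <= self.retrans_timeout:
            # Retransmitted in time: a real client. Forward it, create the flow record.
            del self.pending[key]
            self.flows[key] = "opening"
            result = "forwarded"
        else:
            # Initial SYN, or a retransmission that came too late: drop it. A spoofed
            # flood source never retransmits, so it never costs a flow record.
            self.pending[key] = now
            result = "dropped"
        if count >= self.alert_magnitude:
            self.log.append(f"retransmitted SYN alert {key}: {count} SYNs")
            return "alert"
        return result

    def ack(self, key):
        """Third handshake packet: the flow is now counted as completed."""
        if self.flows.get(key) == "opening":
            self.flows[key] = "established"
```

The retransmission gate is why lowering the timeout below a client's first retransmission interval (commonly on the order of a second or more) locks out legitimate senders, while raising it lets a flood source that does retransmit consume a flow record per attempt; the alert magnitude catches the latter by counting SYNs per tuple regardless of the gate's decision.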

TCP Opening Flows Target Ratio


TCP Opening Flows Target Ratio determines one of three values that regulate and prioritize the allocation of internal memory resources to alleviate scarcity. If the sensor must discard some flows early because of memory scarcity, this parameter regulates which flows to discard, based on state. The sensor considers each flow to be in one of three states: listening, opening, or established. This parameter sets the ratio for flows in the opening state. It functions interdependently with TCP Listening Flows Target Ratio, which sets the ratio for flows in the listening state. The sum of the ratios of all three states is always equal to 1. Therefore, the ratio for flows in the established state is implied by setting the values for flows in the other two states. The default value is set to 0.15 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 0 to 1, inclusive. The default approximates the expected distribution of resources under normal circumstances. Adjusting the default does not impact performance or detection sensitivity.

TCP Listening Flows Target Ratio


TCP Listening Flows Target Ratio determines one of three values that regulate and prioritize the allocation of internal memory resources to alleviate scarcity. If the sensor must discard some flows early because of memory scarcity, this parameter regulates which flows to discard, based on state. The sensor considers each flow to be in one of three states: listening, opening, or established. This parameter sets the ratio for flows in the listening state. It functions interdependently with TCP Opening Flows Target Ratio, which sets the ratio for flows in the opening state. The sum of the ratios of all three states is always equal to 1. Therefore, the ratio for flows in the established state is implied by setting the values for flows in the other two states. The default value is set to 0.15 for optimum sensitivity and performance, and does not need to be changed under most circumstances. Valid values range from 0 to 1, inclusive. The default approximates the expected distribution of resources under normal circumstances. Adjusting the default does not impact performance or detection sensitivity.
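How the two target ratios above could drive the choice of what to discard under memory scarcity, as an added example. This is not Symantec's code: the page says only that the ratios prioritise discards "based on state" and that the established share is implied (1 minus the other two), so the selection rule here (evict from whichever state is furthest above its target share, oldest flow first) is an assumption, as are the function names. The scenario is a SYN flood that fills the table with opening flows.

```python
OPENING_TARGET_RATIO = 0.15     # TCP Opening Flows Target Ratio (page default)
LISTENING_TARGET_RATIO = 0.15   # TCP Listening Flows Target Ratio (page default)
STATES = ("listening", "opening", "established")


def target_ratios(opening=OPENING_TARGET_RATIO, listening=LISTENING_TARGET_RATIO):
    """The three shares; established is implied because the three sum to 1."""
    if not (0.0 <= opening <= 1.0 and 0.0 <= listening <= 1.0) or opening + listening > 1.0:
        raise ValueError("each ratio must lie in [0, 1] and they must sum to at most 1")
    return {"listening": listening, "opening": opening,
            "established": 1.0 - opening - listening}


def state_to_evict(flow_states, ratios=None):
    """Given {flow_key: state}, return the state whose share of the table most
    exceeds its target, or None when no state is over target."""
    ratios = ratios or target_ratios()
    total = len(flow_states)
    if total == 0:
        return None
    counts = {s: 0 for s in STATES}
    for state in flow_states.values():
        counts[state] += 1
    excess = {s: counts[s] / total - ratios[s] for s in STATES}
    worst = max(STATES, key=lambda s: excess[s])
    return worst if excess[worst] > 1e-9 else None   # tolerance for float rounding


def evict_one(flow_states, ages, ratios=None):
    """Discard the oldest flow in the over-represented state; returns its key."""
    state = state_to_evict(flow_states, ratios)
    if state is None:
        return None
    victim = min((k for k, s in flow_states.items() if s == state),
                 key=lambda k: ages[k])
    del flow_states[victim]
    return victim
```

With the defaults a table that is 80% half-open connections sheds opening flows first, which is the desired outcome under a SYN flood: the established sessions, where the payload-level detection happens, keep their records.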

TTL Allowed Variance for TCP over IPv4 for Inline Sensors
TTL Allowed Variance for TCP over IPv4 for Inline Sensors determines how much the TTL of IPv4 packets carrying a TCP connection can vary on an inline sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. On inline sensors that monitor packets from a specific location, the TTL can be expected to remain consistent. The default value is set to 0, which provides the greatest sensitivity and tolerates zero variance. Raising this value decreases sensitivity to variation and susceptibility to false positives.

TTL Allowed Variance for TCP over IPv4 for Passive Sensors
TTL Allowed Variance for TCP over IPv4 for Passive Sensors determines how much the TTL of IPv4 packets carrying a TCP connection can vary on a passive sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. The TTL can be expected to vary on passive sensors that monitor packets from multiple locations on a network. The default value is set to 10 to tolerate a moderately sensitive, 10-hop variance. Raising this value decreases sensitivity to variation and susceptibility to false positives. Lowering this value increases sensitivity and susceptibility to false positives. The minimum value is 0, which does not tolerate variation at all.

TTL Change Timeout for TCP Over IPv4


TTL Change Timeout for TCP Over IPv4 regulates the timeout period for a change in the TTL of TCP packets. The TTL (time to live) is the number of router hops an IP packet may traverse before it is discarded; a router that discards an expired packet returns an ICMP Time Exceeded message to the sender. Packets sent by the same endpoint of a TCP connection normally arrive with a constant TTL, because they follow the same path. If the sensor detects a decrease in the TTL, it starts the timer. If it then detects an increase following the decrease before the timer expires, it considers this a possible IDS evasion and reports it as an event: a segment with a deliberately short TTL can reach the sensor but expire before it reaches the target host, so the sensor and the host reassemble different streams. The default is set to 14,400 seconds for optimum sensitivity and performance, and does not need to be changed under most circumstances. If you run a dynamically routed environment in which you expect many route changes, you can lower this value to avoid detecting expected activity. Setting the value to 0 effectively disables this parameter.

Advanced UDP engine parameters


Symantec Network Security provides the following UDP engine parameters for advanced troubleshooting purposes. Defaults are preset for optimum performance and sensitivity and do not need to be changed under most circumstances. Changing the default settings may impact performance, sensitivity, or both.

UDP Maximum Flow Table Elements (Fast Ethernet)
UDP Maximum Flow Table Elements (Gigabit)
UDP Connection Timeout
TTL Allowed Variance for UDP over IPv4 for Inline Sensors
TTL Allowed Variance for UDP over IPv4 for Passive Sensors
TTL Change Timeout for UDP Over IPv4

UDP Maximum Flow Table Elements (Fast Ethernet)


UDP Maximum Flow Table Elements (Fast Ethernet) regulates the size of the UDP flow table by controlling the number of simultaneous flows that the fast Ethernet sensor handles. It has a direct impact on memory consumption. The default is set to 32,768 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 16,384 (16K) to 262,144 (256K), inclusive. If you receive an operational log message indicating that the UDP Flow Table is full, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.

UDP Maximum Flow Table Elements (Gigabit)


UDP Maximum Flow Table Elements (Gigabit) regulates the size of the UDP flow table by controlling the number of simultaneous flows that the gigabit sensor handles. It has a direct impact on memory consumption. The default is set to 65,535 for optimum performance and sensitivity, and does not need to be changed under most circumstances. Valid values range from 32,768 (32K) to 1,048,576 (1M), inclusive. If you receive an operational log message indicating that the UDP Flow Table is full, you can eliminate the message by increasing this value, at the cost of greater memory consumption. Consider changing it only if you have a thorough understanding of its functionality.

UDP Connection Timeout


UDP Connection Timeout regulates the period of time that a UDP flow can remain inactive before it expires. Because UDP is connectionless, with no handshake or teardown, the sensor cannot observe when an exchange ends; this timeout is what bounds the life of a UDP flow. The sensor allows a flow to remain inactive for the time indicated by this parameter. If a flow remains inactive past the timeout period, the sensor treats the next packet as a new connection and processes it as new traffic. This prevents the sensor from linking new activity on a long-dormant flow with the previous activity and reporting a false positive. The default is set to 1,800 for optimum sensitivity and performance, and does not need to be changed under most circumstances. You can raise the value to give each flow a longer life span, or lower it for a shorter life span, without impacting performance. Making extreme changes in either direction can lower detection sensitivity and result in an increase in false positives. Setting the value to 0 effectively disables this parameter.

TTL Allowed Variance for UDP over IPv4 for Inline Sensors
TTL Allowed Variance for UDP over IPv4 for Inline Sensors determines how much the TTL of IPv4 packets carrying a UDP flow can vary on an inline sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. On inline sensors that monitor packets from a specific location, the TTL can be expected to remain consistent. The default value is set to 255, which effectively disables detection of TTL variance. Lowering this value increases sensitivity and susceptibility to false positives. The minimum value is 0, which does not tolerate variation at all.

TTL Allowed Variance for UDP over IPv4 for Passive Sensors
TTL Allowed Variance for UDP over IPv4 for Passive Sensors determines how much the TTL of IPv4 packets carrying a UDP flow can vary on a passive sensor before triggering an event as a possible IDS evasion. The TTL specifies how many point-to-point transmissions, also called hops, that an IP packet travels before it expires, which prevents packets from looping indefinitely. The TTL can be expected to vary on passive sensors that monitor packets from multiple locations on a network. The default value is set to 255, which effectively disables detection of TTL variance. Lowering this value increases sensitivity and susceptibility to false positives. The minimum value is 0, which does not tolerate variation at all.

TTL Change Timeout for UDP Over IPv4


TTL Change Timeout for UDP Over IPv4 regulates the timeout period for a change in the TTL of UDP packets. The TTL (time to live) is the number of router hops an IP packet may traverse before it is discarded; a router that discards an expired packet returns an ICMP Time Exceeded message to the sender. Datagrams sent by the same endpoint of a UDP flow normally arrive with a constant TTL, because they follow the same path. If the sensor detects a decrease in the TTL, it starts the timer. If it then detects an increase following the decrease before the timer expires, it considers this a possible IDS evasion and reports it as an event: a datagram with a deliberately short TTL can reach the sensor but expire before it reaches the target host. The default is set to 14,400 seconds for optimum sensitivity and performance, and does not need to be changed under most circumstances. If you run a dynamically routed environment in which you expect many route changes, you can lower this value to avoid detecting expected activity. Setting the value to 0 effectively disables this parameter.
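The two TTL checks, TTL Allowed Variance (inline and passive, for both the TCP and the UDP sections above) and TTL Change Timeout, run as one per-flow monitor over constructed packets. This is an added example, not Symantec's code; the page does not document the sensor's internals, so the rule that variance is measured against the first TTL seen on the flow, the event names and the class are assumptions. The same logic serves the TCP parameters earlier in this chapter and the UDP parameters here, since only the defaults differ.

```python
# Page defaults
TCP_TTL_VARIANCE_INLINE = 0        # zero tolerance on an inline sensor
TCP_TTL_VARIANCE_PASSIVE = 10      # 10 hops of tolerance on a passive sensor
UDP_TTL_VARIANCE_INLINE = 255      # effectively disables the check
UDP_TTL_VARIANCE_PASSIVE = 255
TTL_CHANGE_TIMEOUT = 14_400        # seconds; 0 disables the decrease/increase check


class TtlMonitor:
    def __init__(self, allowed_variance, change_timeout=TTL_CHANGE_TIMEOUT):
        if not 0 <= allowed_variance <= 255:
            raise ValueError("TTL variance must lie between 0 and 255")
        self.allowed_variance = allowed_variance
        self.change_timeout = change_timeout
        # flow key -> {"base": first TTL seen, "last": previous TTL, "decreased_at": ts}
        self.flows = {}

    def packet(self, now, key, ttl):
        """Record one packet's TTL; returns the list of events it raised."""
        events = []
        f = self.flows.get(key)
        if f is None:
            self.flows[key] = {"base": ttl, "last": ttl, "decreased_at": None}
            return events
        # Check 1: TTL Allowed Variance, measured against the flow's first TTL.
        if abs(ttl - f["base"]) > self.allowed_variance:
            events.append("ttl_variance_exceeded")
        # Check 2: TTL Change Timeout. A decrease starts the timer; an increase
        # while it runs is the classic insertion evasion (the sensor saw a packet
        # the host never received).
        if self.change_timeout > 0:
            if ttl < f["last"]:
                f["decreased_at"] = now
            elif ttl > f["last"] and f["decreased_at"] is not None:
                if now - f["decreased_at"] <= self.change_timeout:
                    events.append("ttl_change_evasion")
                f["decreased_at"] = None
        f["last"] = ttl
        return events
```

On a passive sensor fed from several SPAN ports, the first check is the one to loosen (the same client may legitimately be seen across different hop counts); the second check is path-independent, because a decrease followed by an increase on one flow is rarely benign unless routes are flapping.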

Configuring port mapping


Symantec Network Security provides a way to tune the sensors to look for particular types of anomalies and signatures on a port by reconfiguring the default port mapping or adding new mappings. For example, you can add mappings so that services running on non-standard ports are inspected with the correct protocol decoder, or ignore ports on which you normally run non-standard protocols, so that routine protocol violations are not falsely reported as events. If port map settings change, all signatures in use at that time must be recompiled to synchronize with the new information; when you edit the port map settings, Symantec Network Security recompiles them automatically. This section describes the following:

Adding or editing port mappings
Delete port mappings

Note: SuperUsers and Administrators can add port mappings for any supported protocol; StandardUsers and RestrictedUsers can view only. See User groups reference on page 353 for more about permissions.


Adding or editing port mappings


The Network Security console provides a way to add port mappings for any supported protocol or edit existing mappings.

To add or edit port mappings
1 On the main menu bar, click Configuration > Node > Port Mapping.
2 In Select Node, select the software or appliance node for which you want to edit the mappings.
3 In Port Mapping, click New.
4 In Add New Port Mapping, provide the following information:
   In Protocol, choose a type of protocol from the pull-down list.
   In Port, enter a port number.
   In Transport Protocol, choose TCP or UDP from the pull-down list.
   In Note, you can enter an optional reminder to yourself.
5 Do one of the following:
   Click OK to save and exit.
   Click Cancel > Yes to undo your changes and exit.


Delete port mappings


The Network Security console provides a way to remove port mappings easily. We recommend that you remove only port mappings that you have added. Removing default port mappings can affect PAD detection.

To delete port mappings
1 On the main menu bar, click Configuration > Node > Port Mapping.
2 In Select Node, select the software or appliance node for which you want to delete the mappings.
3 In Port Mapping, click a port mapping row, and click Delete.
4 Do one of the following:
   Click OK to save and exit.
   Click Cancel > Yes to undo your changes and exit.

Caution: Removing a port mapping can affect any PAD detection that relies on the mapping. Do not remove any pre-defined Symantec port mappings.


Configuring signature detection


Symantec Network Security provides the functionality to begin detection immediately by applying protection policies. In addition to this initial ability, detection can also be enhanced and tuned to a particular network environment by creating and applying user-defined signatures. This section includes the following topics:

About Symantec signatures
About user-defined signatures
Managing signatures

About Symantec signatures


Symantec Network Security uses network pattern matching, or signatures, to provide a powerful layer of detection. Signature detection looks for a specific pattern, or fingerprint, of known malicious traffic; this known-bad pattern is called a signature. Such patterns are traditionally based on the observed network behavior of a specific tool or tools. Signature detection operates on the basic premise that each threat has some observable property that can be used to uniquely identify it. This can be based on any property of the particular network packet or packets that carry the threat: in some cases a literal string of characters found in one packet, in others a known sequence of packets that are seen together. In any case, every packet is compared against the pattern. Matches trigger an alert, while traffic that fails to match is processed as non-threatening. Symantec Network Security uses signatures as a complement to PAD (protocol anomaly detection). The combination provides robust detection without the weaknesses of either PAD alone or signatures alone. Symantec Network Security's high performance is maintained by matching against the smallest set of signatures possible given the current context. Since many threats are detected and refined through the PAD functionality, Symantec Network Security minimizes the set of required signatures to maximize performance. Symantec Network Security also uses rapid-response methods to create signatures that detect attempts to exploit new vulnerabilities as soon as they appear on the network, independent of the exploit tool. This results in earlier prevention of threats and more complete coverage.


About user-defined signatures


The Network Security console provides a way to configure and enable additional user-defined signatures on a per-sensor basis, as well as global signature variables, such as creating the variable name port to stand for a value of 2600. User-defined signatures are synchronized across clusters so that each node has the title, severity, and definition of the user-defined signature. SuperUsers can create, define, edit, and delete user-defined signatures. All users can view them.

The Signature Wizard is a simple and effective tool to deal with ever-evolving exploits. Using the Wizard, you can define and enable your own signature to tune detection to network needs. The Wizard takes you step-by-step through the process of providing the unique attributes necessary to create a focused, potent signature. You can also define signature variables to streamline signature maintenance. To create multiple signatures in a text file and import them in bulk, see also the Symantec Network Security Signature Developer Guide.

Note: SuperUsers and Administrators can view and create user-defined signatures; StandardUsers and RestrictedUsers can view only. See User groups reference on page 353 for more about permissions.

Managing signatures
The Network Security console provides a way to configure and enable your own user-defined signatures on a per-sensor basis. You can also define variables, such as creating the variable name port to stand for a value of 2600. This section includes the following topics:

Viewing signatures
Adding or editing user-defined signatures
Deleting user-defined signatures
Adding new signature variables
Importing user-defined signatures
Resolving signature compile errors
Managing signature variables

Viewing signatures
All users can view all available PAD event types and user-defined signatures from the Policies tab. You can also see which signatures are applied to the monitoring interfaces, interface pairs, or interface groups, as well as the list of signature variables.

To see interfaces

On the Policies > Protection Policies tab, the Policies Applied to Interfaces pane displays the interfaces with policies applied.

To see event types

On the Policies > Protection Policies tab, select a policy and click View to see the PAD event types.

To see available signatures

On the Policies tab, click the User-defined Signatures tab to see available user-defined signatures.

To see signature variables

On the Policies tab, click the Signature Variables tab to see available variables to use when defining your own signatures.

Summary of the signature writing process


You can write a user-defined signature quickly using the Signature Wizard in the Network Security console. This is useful for writing a single signature with few lines of regex and inline functions. The basic steps summarized in this section are described in greater detail in other sections of this Guide.

To use the Signature Wizard to write a single signature
1 Start a user-defined signature using the Signature Wizard in the Network Security console. See Adding or editing user-defined signatures on page 201.
2 Populate the required fields and any applicable optional fields. See About the Signature Wizard fields on page 203.
3 Write the signature definition using some or all of the following:
   Use regular expressions where applicable. See the Symantec Network Security Signature Developer Guide to find out more about regular expressions.
   Use inline functions where applicable. See the Symantec Network Security Signature Developer Guide to find out more about inline functions.
   Use optional signature variables if applicable. See Managing signature variables on page 206.
4 Save the signature in the Signature Wizard.
5 Apply the signature to a policy.
6 Apply the policy to an interface. See Setting policies to interfaces on page 119.

Adding or editing user-defined signatures


The Network Security console provides a way to customize Symantec Network Security to specific environments by creating user-defined signatures to match network traffic.

Note: User-defined signatures are synchronized across the cluster.

To add or edit a user-defined signature

1 On the Policies > User-defined Signatures tab, do one of the following:
  - Click New.
  - Select an existing user-defined signature and click Edit.
2 In Add User-defined Signature or Edit User-defined Signature, provide information for the following fields:
  - In Name, enter a name for the user-defined signature. To find out more about each field, see About the Signature Wizard fields on page 203.
  - In Severity, enter a level from the pull-down list.
  - In Confidence, enter a level from the pull-down list.
  - In Category, enter a type of event from the pull-down list.
  - In Intent, enter an intention from the pull-down list.
  - In Protocol, enter a protocol from the pull-down list.
  - In Transit Type, which is active if you chose IP_OTHER from the Protocol pull-down list, enter a transit type from the pull-down list.
  - Click Next to proceed.
3 In Signature Description, enter optional notes, and click Next.
4 In User-defined Signature or Edit User-defined Signature, provide information for the following fields:
  - In Source IP, Source Port, Destination IP, and Destination Port, enter this information from the pull-down lists, if applicable. Source Port and Destination Port are enabled only if you selected USER-DEFINED as the protocol.
  - If transit type is TCP, in Match Type, click one of the following:
    - Click Stream to create a stream-based signature.
    - Click Packet to create a packet-based signature.
    Note that if you select anything other than TCP for transit type, Match Type is disabled. For stream-based protocols such as TCP, matches can span multiple packets. For packet-based protocols, which include all other currently supported protocols, matches are per packet. In Match Type, however, you are indicating whether the signature should search for an offset in a stream or in a packet.
  - In Direction, click server-bound or client-bound from the pull-down list, if applicable. Direction is enabled only if you set the Transit Type as TCP or UDP.
  - In Encoding, enter the information from the pull-down list and click Next.
5 In User-defined Signature or Edit User-defined Signature, click Add and do one of the following:
  - Click Any Payload Offset, or specify a specific payload offset value.
  - In Regular Expression, enter a regular expression (regex), and click OK. You can also use default or user-defined Signature Variables in this field. See Adding new signature variables on page 207.
  See the Symantec Network Security Signature Developer Guide to find out how to use regular expressions (regex) and inline functions in your user-defined signature.
6 If you return to User-defined Signature or Edit User-defined Signature, you can do the following:
  - Click Preview Signature to see the entire user-defined signature.
  - Click Back to return to a previous step and change it.
  - Click Finish to save and close.
  - Click Cancel to exit without saving your work.
7 In User-defined Signatures, click Apply.

Note: Expect a short delay while user-defined signatures are synchronized across the cluster. After synchronization, you must add the signature to a policy, and apply the policy to the appropriate monitoring interfaces. After synchronization, reapply the edited signatures to the appropriate monitoring interfaces for the changes to take effect. See Setting policies to interfaces on page 119.

Note: See the Symantec Network Security Installation Guide for upgrading user-defined signatures from Symantec ManHunt 3.0.

About the Signature Wizard fields


You can create user-defined signatures to trigger on most exploits if you use attributes that are unique enough. The more unique the attributes in a signature, the lower the risk that false positives will occur. Some attributes enhance detection by focusing the signature to search for unique criteria. Other attributes do not affect detection, but provide characteristics with which to categorize events triggered by the signature. Before starting the Signature Wizard, we recommend that you review the main attributes. Set each attribute to create potent signatures that make focused searches for specific criteria.

Table 7-2 Attributes of the Signature Wizard

Name: Appears in the events triggered by the signature, and provides a way to categorize and search for signatures. Indicates the title or name that you can give to identify a signature.

Severity: Appears in the events triggered by the signature, and provides a way to categorize and search for signatures. Indicates the degree of alarm for an event triggered by a signature, ranging from informational to critical.

Confidence: Appears in the events triggered by the signature, and provides a way to categorize and search for signatures. Indicates the degree of confidence in the accuracy of the signature. Use Confidence to indicate how broad or narrow the signature is, or how many false positives you anticipate.

Category: Appears in the events triggered by the signature, and provides a characteristic by which to categorize and search for signatures.

Intent: Appears in the events triggered by the signature, and provides a way to categorize and search for signatures. Use it to categorize signatures according to the presumed intent behind the behavior, such as access, degradation, reconnaissance, and so on.

Protocol: Focuses the signature to search for specific protocols, such as FTP/TCP, DNS/UDP, USER-DEFINED, and so on. This narrows the scope of the search by limiting the signature to specific protocols, which reduces use of resources and improves performance.

Transit Type: Focuses the signature to search a type of transit, such as TCP, UDP, ICMP, OSPF, or IP_OTHER. This attribute is enabled only if the protocol is USER-DEFINED.

Signature Description: Appears in the events triggered by the signature, and serves as the event long description.

Source IP: Focuses the signature to search for specific source IP addresses that you type in, or that you select from the variable drop-down list, such as ANY, WINS_SERVERS, HTTP_SERVERS, and so on.

Source Port: Focuses the signature to search for specific source ports that you type in, or that you select from the variable drop-down list, such as ANY, HIGH, LOW, SARA_PORTS, and so on. This attribute is enabled only if the protocol is USER-DEFINED, and the transit type is TCP or UDP.

Destination IP: Focuses the signature to search for specific destination IP addresses that you type in, or that you select from the variable drop-down list, such as ANY, WINS_SERVERS, HTTP_SERVERS, and so on.

Destination Port: Focuses the signature to search for specific destination ports that you type in, or that you select from the variable drop-down list, such as ANY, HIGH, LOW, SARA_PORTS, and so on. This attribute is enabled only if the protocol is USER-DEFINED, and the transit type is TCP or UDP.

Match Type: Focuses the signature to make either packet or stream searches. This attribute is enabled only if the protocol is USER-DEFINED, and the transit type is TCP or UDP.

Direction: Focuses the signature to search either server-bound traffic or client-bound traffic. This attribute is enabled only if the protocol is USER-DEFINED, and the transit type is TCP or UDP.

Encoding: Focuses the signature to search for traffic with any type of encoding, no encoding, or both. Using OPTIONAL encoding will result in the broadest search.

Payload Offset: Focuses the signature to start the search at a specific payload offset. This can improve performance if you can focus the signature search on a specific location in the payload in which you expect the behavior to occur. ANY starts the search at the first byte.

Regular Expression: Focuses the signature to search according to regular expressions that you provide.

Deleting user-defined signatures


The Network Security console provides a way to delete user-defined signatures at any time.

To delete user-defined signatures

1 On the Policies tab, click User-defined Signatures.
2 Click the user-defined signature, and click Delete.

Note: If you delete a user-defined signature that is currently used in a policy, the deletion takes effect immediately on the master node, and on slave nodes only after a database synchronization. See Forcing nodes to synchronize on page 85.

Caution: When a user-defined signature is deleted, the descriptive information, title, and long descriptions of any events that were triggered in the past by the now-deleted signature will not have recognizable names.

Importing user-defined signatures


The Network Security console provides a way to import user-defined signatures in bulk from a file. Using a file browser from the Network Security console, select a signature file.

To import multiple user-defined signatures from a file

1 On the Policies tab, click User-defined Signature > Import.
2 In Import Signatures, locate the file containing bulk signatures.
3 Click Import Signatures.
4 Click OK to save and exit.

See also the Symantec Network Security Signature Developer Guide to find out how to compose user-defined signatures that can be imported in bulk. See also the Symantec Network Security Installation Guide to find out how to upgrade user-defined signatures from Symantec ManHunt 3.0.

Resolving signature compile errors


If signatures fail to compile, the Network Security console displays the Compile Error Log. Check all new or uncompiled signatures for errors such as undefined variables or improperly formatted IP addresses or ports. Then recompile. If even one signature fails to compile, it will cause a group of signatures to fail.

Managing signature variables


Symantec Network Security provides signature variables for speed and accuracy, for example a variable name that stands for a port value such as 12345. The signature variables apply globally to all signatures, both default Symantec signatures and any user-defined signatures. This section includes the following topics:

- About default signature variables
- Viewing signature variables
- Adding new signature variables
- Editing signature variables
- Deleting signature variables
- Resetting signature variables
- Applying signature variables
- Reverting signature variables

About default signature variables


Symantec provides default variables with assigned ports or servers on which applications or attacks are usually expected. For example, the SUNRPC variable is set by default to 1177, the port through which the Sun Remote Procedure Call protocol is expected to run. Likewise, the BACKDOOR_BLASTER_PORTS variable is set to 8719, 4444, and 39581, the ports through which a Blaster attack is expected to occur. If a new variant of Blaster emerges, you can respond immediately by adding the new port to this variable. This updates all existing signatures that use that variable, rather than having to write a new signature to match the new variant.
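The following added example, which is not code from this guide or from the product, models in Python how a user-defined signature's Destination Port (a literal or a signature variable such as BACKDOOR_BLASTER_PORTS), Payload Offset, Match Type and Regular Expression fit together, and the all-or-nothing group compile that reports undefined variables and improperly formatted ports. It goes slightly beyond the text by running the same pattern in both Stream and Packet mode over one connection. The Signature record, the comma and range syntax of port values, and the sample traffic are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed variable table. SUNRPC and BACKDOOR_BLASTER_PORTS carry the
# default values quoted in the guide; MY_PORTS stands for a user-defined
# variable. The comma/range syntax of the values is an assumption.
VARIABLES = {
    "SUNRPC": "1177",
    "BACKDOOR_BLASTER_PORTS": "8719, 4444, 39581",
    "MY_PORTS": "8080, 8000-8009",
}


@dataclass
class Signature:
    """Hypothetical record holding the Signature Wizard fields used here."""
    name: str
    match_type: str      # "Stream" or "Packet" (TCP transit only)
    dest_port: str       # literal port, list, range, or a variable name
    payload_offset: int  # 0 corresponds to ANY (search from the first byte)
    regex: str


class CompileError(Exception):
    """Raised for the kinds of error the Compile Error Log reports."""


def resolve_ports(spec, variables=VARIABLES):
    """Expand a port spec into a set of ints, substituting a variable name."""
    if spec[:1].isalpha():                     # a variable name, not digits
        if spec not in variables:
            raise CompileError(f"undefined variable {spec}")
        spec = variables[spec]
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        try:
            lo_i, hi_i = int(lo), int(hi or lo)
        except ValueError:
            raise CompileError(f"improperly formatted port {part!r}") from None
        if not 0 <= lo_i <= hi_i <= 65535:
            raise CompileError(f"port out of range {part!r}")
        ports.update(range(lo_i, hi_i + 1))
    return ports


def compile_group(signatures, variables=VARIABLES):
    """Compile a group of signatures. As the guide states, one failing
    signature fails the whole group: the compiled list is empty whenever
    any error is reported. Returns (compiled, errors)."""
    compiled, errors = [], []
    for sig in signatures:
        try:
            compiled.append((sig, resolve_ports(sig.dest_port, variables),
                             re.compile(sig.regex.encode())))
        except (CompileError, re.error) as exc:
            errors.append(f"{sig.name}: {exc}")
    return ([] if errors else compiled), errors


def matches(compiled_sig, dest_port, segments):
    """Run one compiled signature over the payloads of consecutive TCP
    packets of a single connection. Stream mode searches the reassembled
    payload, so a pattern split across two packets still matches; Packet
    mode searches each packet on its own. Both start at the payload offset."""
    sig, ports, pattern = compiled_sig
    if dest_port not in ports:
        return False
    if sig.match_type == "Stream":
        return pattern.search(b"".join(segments), sig.payload_offset) is not None
    return any(pattern.search(seg, sig.payload_offset) for seg in segments)


# Constructed signatures and traffic: a directory-traversal request whose
# "../" lands in the second packet of the connection.
TRAVERSAL = r"GET\s+/\S*\.\./"
SIG_STREAM = Signature("traversal-stream", "Stream", "MY_PORTS", 0, TRAVERSAL)
SIG_PACKET = Signature("traversal-packet", "Packet", "MY_PORTS", 0, TRAVERSAL)
SIG_OFFSET = Signature("method-at-offset", "Packet", "MY_PORTS", 1, r"GET")
SIG_BAD = Signature("bad-variable", "Packet", "UNDEFINED_PORTS", 0, r"GET")
SEGMENTS = [b"GET /docs/", b"../etc/passwd HTTP/1.0\r\n"]


def demo():
    """Compile the good group and evaluate each signature on the sample
    connection to port 8080; returns {signature name: matched?}."""
    compiled, errors = compile_group([SIG_STREAM, SIG_PACKET, SIG_OFFSET])
    assert not errors, errors
    return {entry[0].name: matches(entry, 8080, SEGMENTS) for entry in compiled}


if __name__ == "__main__":
    print(demo())
    print(compile_group([SIG_STREAM, SIG_BAD])[1])
```

Only the stream-based signature fires on the split request, and the group containing SIG_BAD compiles nothing at all, which is the behaviour to expect from the Compile Error Log.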


Note: We recommend that you review the list of signature variables to make sure that it accurately represents your network, and adjust wherever necessary. For example, if you chose a port other than 5050 when you installed Yahoo Instant Messenger, you must edit the IM_YAHOO_PORTS variable to correctly direct all signatures that use that variable.

Viewing signature variables


All users can view signature variables from the Policies tab.

To see signature variables

On the Policies tab, click the Signature Variables tab to see available variables to use when defining signatures.

Adding new signature variables


Signature variables add speed and accuracy to all signatures, both the default Symantec signatures and any user-defined signatures that you add. You can also create your own signature variables, in addition to the Symantec signature variables that come with the product.

To create new signature variables

1 On the Policies tab, click Signature Variables > New.
2 In Variable Name, enter a name for the signature variable that you want to make available.
3 In Value, enter a value, and click OK to save and exit.
4 In Signature Variables, click Apply to save the changes to the database.

Editing signature variables


Symantec Network Security provides a quick method for editing both user-defined variables and Symantec variables for reuse. The signature variables apply to all signatures, both the default Symantec signatures and any user-defined signatures that you add.

To edit signature variables

1 On the Policies tab, click Signature Variables.
2 In Signature Variables, select a signature variable, and click Edit.
3 In Edit Variable, do any or all of the following:
  - In Variable Name, edit the name for the signature variable.
  - In Value, edit the value.
4 In Edit Variable, click OK to save and exit.
5 In Signature Variables, click Apply to save the changes to the database.

See also Resetting signature variables on page 208.

Deleting signature variables


Symantec Network Security provides a quick method for deleting user-defined variables. Note that you can delete only user-defined variables, but not Symantec variables. You can edit and reset Symantec variables, but not delete them.

To delete signature variables

1 On the Policies tab, click Signature Variables.
2 In Signature Variables, select a signature variable, and click Delete.
3 In Signature Variables, click Apply to save the changes to the database.

Note: If you delete any user-defined variables that are still used by signatures, a compile error will occur. You must manually edit the signatures to remove all references to the deleted variables. See also Adding or editing user-defined signatures on page 201.

Resetting signature variables


Symantec Network Security provides a quick method for resetting Symantec variables. You can use the Reset option to return an edited Symantec variable to its original default value. You can edit and reset Symantec variables, but not delete them.

Note: The Reset option does not apply to user-defined variables. You can create, edit, and delete user-defined variables, but not reset them.

To reset signature variables

1 On the Policies tab, click Signature Variables.
2 In Signature Variables, select a signature variable, and click Reset.
3 In Signature Variables, click Apply to save the changes to the database.


Applying signature variables


Symantec Network Security provides a quick method for saving signature variables in the list. The signature variables apply to all signatures, both the default Symantec signatures and any user-defined signatures that you add.

To apply signature variables

1 On the Policies tab, click Signature Variables.
2 In Signature Variables, do one of the following:
  - Click New.
  - Select a signature variable, and click Edit.
  - Select a signature variable, and click Delete.
  - Select a signature variable, and click Reset.
3 In Signature Variables, click Apply to save the changes to the database.

Reverting signature variables


Symantec Network Security provides a quick method for undoing or reverting any changes to signature variables, if you act before saving.

To revert changes to signature variables

1 On the Policies tab, click Signature Variables.
2 In Signature Variables, do one of the following:
  - Click New, and create a new signature variable.
  - Select a signature variable, and click Edit.
  - Select a signature variable, and click Delete.
  - Select a signature variable, and click Reset.
3 In Signature Variables, click Revert to undo the changes. This option is available only before saving to apply changes.

See also the Symantec Network Security Installation Guide for upgrading user-defined signatures from Symantec ManHunt 3.0.


Part III

Using Symantec Network Security


This section describes how to use your Symantec Network Security system to monitor your network, interpret incidents and events, generate reports and run queries, maintain logs and databases, and fine-tune your system using advanced configuration parameters, as follows:

- Monitoring
- Reporting
- Managing log files
- Advanced configuration

Chapter 8

Monitoring

This chapter includes the following topics:

- About incident and event data
- Examining incident and event data
- Managing incident and event data
- Tuning incident parameters
- Tuning operational event parameters
- Monitoring flow statistics

About incident and event data


The Network Security console provides a central point from which you can monitor attack activity in your network. The Network Security console displays detailed information about incidents and events, the elements of a possible attack. Symantec Network Security correlates events from all nodes in a cluster into incidents with similar or related characteristics, such as time, type, or location. This provides a shorter list to sift through as you examine them.

An event is a significant security occurrence that appears to exploit a vulnerability of the system or application. When a sensor detects a suspicious event, it sends the data to be analyzed. The analysis process correlates the event with similar or related events, and categorizes them in the form of an incident. An incident is a set of related events; it is named after the event with the highest priority, and incidents are what the Network Security console displays.

In the Network Security console, the Incidents tab displays both active and idle incidents and events taking place in the monitored network, and can be drilled down for multiple detail levels. Incidents to which no new events have been added for a given amount of time are considered idle, so Symantec Network Security closes them. The condition of the incident can be viewed in the State column of the Incidents table. The incident idle time is a configurable parameter.

This section describes the following topics:

- Viewing incident and event data
- Adjusting the view
- Examining incident data
- Examining event data

Viewing incident and event data


The Network Security console displays incident and event data in the following:

- Incidents tab: Displays both active and idle incidents. When you select an incident, Events At Selected Incident in the lower pane displays information about the related events.
- Devices tab: Displays the topology tree. When you select an object in the topology tree, the Network Security console displays related information in the right pane, including a link to security incidents that are currently active on that object.

The Incidents tab provides a multi-level view of both incidents and events. Incidents are groups of multiple related base events. Base events are the representation of individual occurrences, either suspicious or operational. The sensors notify the software or appliance node of any suspicious actions or occurrences that might warrant a response, such as a probe. Symantec Network Security also monitors operational occurrences that the user should be aware of, such as a Symantec Network Security license approaching the expiration date.

The Incidents tab contains an upper and lower pane: Incidents, and Events at Selected Incident. The upper pane displays information about each incident, taken from the highest-priority event within that incident. The values may change if an event of higher priority is added to the same incident.

To view incident data

In the Network Security console, click the Incidents tab.

Note: All users can view incident and event data. All users can modify the view by adjusting font size, selecting and sorting columns, and/or applying filters. See User groups reference on page 353 for more about permissions.

Adjusting the view


The Network Security console provides a way to control the way the incident and event data is displayed by setting font size, choosing the data to display, and sorting it.

See Setting font size on page 216.
See Sorting column data on page 216.

Setting font size


At any time, all users can adjust the font size of the Incident and Event tables.

To set the size of table fonts

1 On the Incidents tab, click Configuration > Table Font Size.
2 Adjust the bar to the size that suits you, using immediate feedback from the display window. This change affects only the incident and event tables in the Incidents tab, and does not affect the rest of the Network Security console.
3 Click OK to save and close.

Note: All users can set the font size for incident and event tables. See User groups reference on page 353 for more about permissions.

Sorting column data


All users can sort the incident data by clicking on the column heading. The toggle sorts the column in ascending or descending order.

To sort the incidents

On the Incidents tab, do one of the following:
- Click the heading of the column you want to sort.
- Click the column heading again to reverse the order.

Note: All users can sort incident and event table columns. See User groups reference on page 353 for more about permissions. See also Selecting columns on page 226.

Examining incident and event data


Because large chronological lists of events are difficult to manage by hand, Symantec Network Security categorizes events into incidents with similar or related characteristics, such as time, type, location, source, or destination. Using real-time analysis and correlation in this way, Symantec Network Security provides information about all incidents and events that occur in your network. You can control the way this information is displayed by setting font size, choosing the data to display, filtering the view, and sorting it. You can mark what you have read and add notes. The display is described in the following sections:

- Examining incident data
- Examining event data

Examining incident data


You can view incident and event data at several different levels.

- Viewing top-level incident data
- Viewing incident details
- Viewing an incident's top event
- Loading cross-node correlated events

Viewing top-level incident data


The Incidents tab contains an upper and lower pane: Incidents, and Events at Selected Incident. In the upper pane, information about each incident is displayed. This information is taken from the highest-priority event within that incident. Therefore, the values may change if an event of higher priority is added to the same incident.

To view incident data

In the Network Security console, click the Incidents tab.

Note: All users can view top-level incident data. See User groups reference on page 353 for more about permissions.

Viewing incident details


You can drill down to view detailed information about a specific incident, such as the unique incident identification number, or the CVE reference number, by double-clicking the incident row in the Incidents tab. The detail information is derived from the highest priority event within that incident. The values may change, therefore, if an event of higher priority is added to the incident. If the incident includes multiple events with the highest priority level, then the event most recently correlated to the incident is displayed.


Note: SuperUsers and Administrators can drill down to view incident details. See User groups reference on page 353 for more about permissions.

To view incident details

1 On the Incidents tab, in the upper Incidents pane, right-click any incident row.
2 Click View Incident Details from the pop-up list. Incident Details displays the following information:

Event name: Indicates the name of the event.

Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that an incident can cause.

Confidence: Indicates the confidence level assigned to the incident. The confidence value indicates the level of certainty that a particular incident is actually an attack. If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.

End time: Indicates the time at which Symantec Network Security stopped monitoring the incident. See Setting Incident Idle Time on page 237.

Detected At: Indicates the software or appliance node on which the top event for this incident was detected.

Top Source IPs: Indicates the IP address and port of the node on which the top event for this incident was detected.

Top Destination IPs: Indicates the IP address and port of the node on which the top event for this incident was detected.

From Incident Details, you can also do the following:
- Annotating incident data
- Viewing an incident's top event

Click OK to exit Incident Details.
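As an added example, not code from this guide or from the product, the following Python model shows the incident behaviour described in this chapter: events are grouped into incidents, an incident takes its name and levels from its top event (with the most recently correlated event winning a tie at the highest priority), and an incident to which no event has been added for the idle time is shown as Idle in the State column. The relation used to group events (a shared source IP), the priority ordering (severity first, then confidence) and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordering of the levels from Table 8-1 in this chapter, lowest first.
SEVERITY = ["Informational", "Low", "Medium", "High", "Critical"]
CONFIDENCE = ["Very Low", "Low", "Medium", "High", "Very High"]


@dataclass
class Event:
    time: float        # seconds since an arbitrary origin
    name: str
    severity: str
    confidence: str
    source_ip: str
    dest_ip: str
    node: str          # software or appliance node that detected it

    def priority(self):
        # Assumption: severity ranks first, confidence breaks ties.
        return (SEVERITY.index(self.severity), CONFIDENCE.index(self.confidence))


@dataclass
class Incident:
    id: int
    events: list = field(default_factory=list)   # kept in correlation order
    state: str = "Active"                         # the State column

    @property
    def top_event(self):
        """Highest-priority event; among equals, the most recently correlated."""
        best = None
        for ev in self.events:
            if best is None or ev.priority() >= best.priority():
                best = ev
        return best

    @property
    def name(self):
        return self.top_event.name

    @property
    def last_update(self):
        return max(ev.time for ev in self.events)


class Correlator:
    """Groups events into incidents and closes idle ones."""

    def __init__(self, idle_time):
        self.idle_time = idle_time   # the configurable incident idle time
        self.incidents = []
        self._next_id = 1

    def _related(self, incident, ev):
        # Assumed relation: the event shares a source IP with the incident.
        return any(e.source_ip == ev.source_ip for e in incident.events)

    def expire(self, now):
        """Mark Active incidents Idle once no event was added for idle_time."""
        for inc in self.incidents:
            if inc.state == "Active" and now - inc.last_update >= self.idle_time:
                inc.state = "Idle"

    def add(self, ev):
        """Correlate one event into an Active incident or open a new one."""
        self.expire(ev.time)
        for inc in self.incidents:
            if inc.state == "Active" and self._related(inc, ev):
                inc.events.append(ev)
                return inc
        inc = Incident(self._next_id, [ev])
        self._next_id += 1
        self.incidents.append(inc)
        return inc


def run_sample(idle_time=600):
    """Feed constructed events through a correlator; returns the incidents."""
    sample = [
        Event(0, "Port Scan", "Low", "Medium", "10.0.0.5", "10.0.0.20", "sensor-a"),
        Event(60, "Exploit Attempt", "High", "High", "10.0.0.5", "10.0.0.20", "sensor-a"),
        Event(120, "Login Brute Force", "High", "High", "10.0.0.5", "10.0.0.21", "sensor-b"),
        Event(2000, "Port Scan", "Low", "Medium", "10.0.0.5", "10.0.0.22", "sensor-a"),
    ]
    correlator = Correlator(idle_time)
    for ev in sample:
        correlator.add(ev)
    return correlator.incidents


if __name__ == "__main__":
    for inc in run_sample():
        print(inc.id, inc.state, inc.name, len(inc.events))
```

The first three events share a source and land in one incident whose name flips from Port Scan to Exploit Attempt and then, on the equal-priority tie, to the more recent Login Brute Force; the fourth event arrives after the idle time, so the first incident is Idle and a second incident opens.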


Viewing an incident's top event


The Network Security console provides a way to see the highest priority event that is correlated to any incident, called the top event.

Note: SuperUsers and Administrators can drill down to view an incident's top event. See User groups reference on page 353 for more about permissions.

To view the top event

1 On the Incidents tab, in the upper Incidents pane, right-click an incident.
2 Click View Incident Details from the pop-up list.
3 In Incident Details, click Top Event to view the highest priority event correlated to that incident. Event Details of the top event can display part or all of the following information:

Summary: Indicates the name of the event.

Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that an incident can cause.

Confidence: Indicates the confidence level assigned to the incident. The confidence value indicates the level of certainty that a particular incident is actually an attack. If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.

Start time: Indicates the time at which Symantec Network Security started monitoring the event.

Occurred At: Indicates the software or appliance node on which the event was detected, interface, current policy, and MAC addresses.

Response Taken: Indicates the response rule triggered by this incident.

Attack Details: Provides detailed information about the event.

Event Message: Indicates summary information about the event.

Sources and Destinations: Indicates source and destination IP addresses and ports of the packet that triggered the event.

Event Note: Displays the optional note entered when the current policy was created, if any. See Annotating an event type in a policy on page 132.

Click Close to close top Event Details. From Event Details, you can do the following:
- Annotating incident data
- Copying an incident's top event

Loading cross-node correlated events


If the selected incident is correlated to an incident from another software or appliance node (as denoted in the Other Node # column), then each tab of Incident Details will contain one sub-incident of the cross-node incident, and the tab will carry the name of the node that detected that sub-incident.

To load events

Click Load Events to load the events for the currently selected sub-incident. Load Events will be disabled if the currently selected sub-incident's events are already loaded.

Note: SuperUsers and Administrators can drill down to view cross-node events. See User groups reference on page 353 for more about permissions.

Examining event data


This section includes the following:

- Viewing top-level event data
- Interpreting severity and confidence levels
- Viewing event details
- Viewing an event's detailed description
- About operational event notices

Viewing top-level event data


The Incidents tab contains an upper and lower pane: Incidents, and Events at Selected Incident. In the upper pane, information about each incident is displayed. View the event data that is specific to a particular incident by clicking the respective incident row. The related event information is then displayed in the lower pane.

To view event data

1 On the Incidents tab, click an incident row.
2 Related events are displayed in the lower Events at Selected Incident pane.

Note: All users can view top-level event data. See User groups reference on page 353 for more about permissions.

Interpreting severity and confidence levels


Symantec Network Security factors severity and confidence levels as follows:

Table 8-1 Severity and Confidence Levels

Confidence    Severity
Very Low      Informational
Low           Low
Medium        Medium
High          High
Very High     Critical

Viewing event details


The Network Security console provides a way to drill down for more detailed information about a specific event by double-clicking the event row in Events at Selected Incident.

Note: SuperUsers can view advanced event details and packet contents; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

To view event details

1 On the Incidents tab, select an Incident.
2 In Events at Selected Incident, right-click an event row.
3 Click View Event Details from the pop-up list.

Event Details can display part or all of the following information:

Summary: Indicates the name of the event type.

Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that an incident can cause.

Confidence: Indicates the confidence level assigned to the incident. The confidence value indicates the level of certainty that a particular incident is actually an attack. If the incident is merely suspicious, then its assigned confidence level is low. If Symantec Network Security collects more data on the incident to substantiate its confidence, the confidence is adjusted upward.

Start time: Indicates the time at which Symantec Network Security started monitoring the event.

Occurred At: Indicates summary information about the event such as the name of the software or appliance node on which the event was detected, interface, current policy, and MAC addresses.

Attack Details: Provides detailed information about the event.

Event Message: Indicates summary information about the event.

Sources and Destinations: Indicates source and destination IP addresses and ports of the packet that triggered the event.

Event Note: Displays the optional note entered when the current policy was created, if any. See Annotating an event type in a policy on page 132.

Click Close to close Event Details.

Viewing an event's detailed description


The Network Security console also provides a way to view event descriptions from the Policies tab. Right-clicking an event row in either the Search Events or Full Event Lists triggers a pop-up menu. Click View Description to display a detailed description of the event with links to additional references in your browser.

To view detailed event descriptions

1 On the Policies tab, click Protection Policies.
2 Do one of the following:
  - Click New.
  - Select a policy, and click Edit.
  - Select a policy, and click View.
3 Do one of the following:
  - Click Search Events.
  - Click Full Event List.
4 Right-click an event row.
5 Click View Description.

Note: SuperUsers can view advanced event details and packet contents; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

About operational event notices


Symantec Network Security monitors operational events as they are processing, such as startup and shutdown of a software or appliance node, or errors experienced within a module. The Incidents tab displays notices about the following types of operational events:

Monitored Host Unavailable: Symantec Network Security has detected a drop in network availability. iButton Token Failure: The iButton, used only by Network Security software nodes, stores the private key portion of the Symantec Network Security signature certificate to safeguard the private key against being stolen or compromised. The iButton also confirms the identity of a software node. Note: Notify us of your iButtons impending expiration. Replace it before it expires to ensure that the log files continue to be signed and the iButton can continue to perform its authentication and data hashing functions. See the Symantec Network Security Installation Guide for instructions on iButton replacement.

- iButton Certificate Expiration: Several times during the 30 days prior to the expiration of your encryption certificate, warnings of the impending expiration are displayed in the Active Incidents tab. The notices are sent every 6 hours. The priority of the notices increases as the certificate lifetime gets shorter:

Lifetime                    Priority
life < 1 hour               Critical
1 hour <= life < 1 day      Urgent
1 day <= life < 3 days      High
3 days <= life < 1 week     Medium
1 week <= life < 1 month    Low

Warnings of the impending expiration are displayed in the Active Incidents tab. Expiration dates are also displayed when Symantec Network Security is restarted.

- Network Security SuperUser Login: Symantec Network Security displays this event whenever a SuperUser logs into the Network Security console.

- Network Security Administrator Login: Symantec Network Security displays this event whenever an Administrator logs into the Network Security console.

- Network Security StandardUser Login: Symantec Network Security displays this event whenever a StandardUser logs into the Network Security console.

- Network Security RestrictedUser Login: Symantec Network Security displays this event whenever a RestrictedUser logs into the Network Security console.

- Email Initiation Request Failed: An error occurred while sending an email notification from Symantec Network Security.

- Successful Email: An email response was successfully sent by Symantec Network Security.

- SNMP Initiation Request Failed: An error occurred while sending an SNMP trap from Symantec Network Security.

- Email Alert Failed: An error occurred while sending an email alert from Symantec Network Security.

- SNMP Alert Successful, but Truncated: An SNMP trap was successfully sent by Symantec Network Security, but the message was too long and was truncated.

- SNMP Alert Failed: An error occurred while sending an SNMP alert from Symantec Network Security.

- Unable to Execute Custom Response Process: Failed to execute custom response to an event.

- Disk Space Warning: Symantec Network Security displays this event whenever <100,000 blocks and <10% of disk space is available.

- Failover Active: Symantec Network Security displays this event whenever a software or appliance node with failover enabled becomes the active node.

- High CPU Load Logging Interval: Symantec Network Security displays this event when a software or appliance node carries a CPU load of 95% averaged over the specific time interval set by the High CPU Load Logging Interval parameter. See High CPU Load Logging Interval on page 244.

- Sensor No Traffic Detected Logging Interval: Symantec Network Security displays this event whenever a sensor does not detect any traffic beyond the specific time interval set by the Sensor No Traffic Detected Logging Interval parameter. See Sensor No Traffic Detected Logging Interval on page 245.

- Sensor Dropped Packet Percentage Threshold: Symantec Network Security displays this event whenever the sensor detects a greater percentage of dropped packets over a 30-second time interval than the threshold set by the Sensor Dropped Packet Percentage Threshold parameter. See Sensor Dropped Packet Percentage Threshold on page 246.

Note: All users can view operational events at the top level. See User groups reference on page 353 for more about permissions.
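The thresholds in the list above (the two conditions of the Disk Space Warning, the 95% CPU average over the logging interval, the no-traffic interval, the dropped-packet percentage per 30-second window, and the certificate-lifetime priority ladder) can be read as a small set of health checks. The following Python block is an added example written for this edition, not Symantec code; it evaluates those checks on constructed counters. The sampling model (per-second sensor counters, dropped packets counted against all packets seen, CPU sampled at a fixed period, 30 days standing in for one month) is an assumption, as are the function and parameter names.

```python
"""Checks modelled on the operational-notice thresholds listed above.

Added example, not Symantec Network Security code.  Assumptions: sensor counters
arrive once per second, the dropped-packet percentage is dropped / (received +
dropped) within each 30 s window, CPU load is sampled at a fixed period, and
"1 month" in the certificate table is taken as 30 days.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DISK_MIN_FREE_BLOCKS = 100_000   # Disk Space Warning: fewer than 100,000 free blocks ...
DISK_MIN_FREE_FRACTION = 0.10    # ... and less than 10% of disk space free (both must hold)
CPU_LOAD_THRESHOLD_PCT = 95.0    # High CPU Load: 95% averaged over the logging interval
DROPPED_WINDOW_S = 30            # dropped-packet percentage is measured per 30-second window

HOUR, DAY, WEEK, MONTH = 3600, 86_400, 7 * 86_400, 30 * 86_400   # MONTH = 30 days (assumption)


def disk_space_warning(free_blocks: int, total_blocks: int) -> bool:
    """True only when both the absolute and the percentage conditions hold."""
    if total_blocks <= 0:
        raise ValueError("total_blocks must be positive")
    return (free_blocks < DISK_MIN_FREE_BLOCKS
            and free_blocks / total_blocks < DISK_MIN_FREE_FRACTION)


def high_cpu_load(load_pct: List[float], sample_period_s: int, interval_s: int) -> bool:
    """Mean of the samples covering the last interval_s seconds is at or above 95%."""
    needed = max(1, interval_s // sample_period_s)
    window = load_pct[-needed:]
    if len(window) < needed:
        return False            # not enough history yet to average over the interval
    return sum(window) / len(window) >= CPU_LOAD_THRESHOLD_PCT


def certificate_expiry_priority(seconds_left: float) -> Optional[str]:
    """Priority of the iButton Certificate Expiration notice; None outside the 30-day warning period."""
    if seconds_left < HOUR:
        return "Critical"
    if seconds_left < DAY:
        return "Urgent"
    if seconds_left < 3 * DAY:
        return "High"
    if seconds_left < WEEK:
        return "Medium"
    if seconds_left < MONTH:
        return "Low"
    return None


@dataclass(frozen=True)
class SensorSample:
    """One second of interface counters from a sensor (constructed, not captured)."""
    t: int          # seconds
    received: int
    dropped: int


def no_traffic_detected(samples: List[SensorSample], now: int, interval_s: int) -> bool:
    """Sensor No Traffic Detected: nothing received for longer than interval_s."""
    seen = [s.t for s in samples if s.received > 0]
    last_seen = max(seen) if seen else 0
    return now - last_seen > interval_s


def dropped_packet_windows(samples: List[SensorSample], threshold_pct: float) -> List[int]:
    """Start times of 30 s windows whose dropped percentage exceeds threshold_pct."""
    totals: Dict[int, List[int]] = {}
    for s in samples:
        w = (s.t // DROPPED_WINDOW_S) * DROPPED_WINDOW_S
        rx_dr = totals.setdefault(w, [0, 0])
        rx_dr[0] += s.received
        rx_dr[1] += s.dropped
    flagged = []
    for w in sorted(totals):
        rx, dr = totals[w]
        if rx + dr and 100.0 * dr / (rx + dr) > threshold_pct:
            flagged.append(w)
    return flagged


def build_samples() -> List[SensorSample]:
    """90 s of constructed counters: healthy, then lossy, then silent."""
    out = []
    for t in range(90):
        if t < 30:
            out.append(SensorSample(t, 1000, 0))      # 0% dropped
        elif t < 60:
            out.append(SensorSample(t, 500, 100))     # 100/600 = 16.7% dropped
        else:
            out.append(SensorSample(t, 0, 0))         # no traffic at all
    return out


def demo() -> Dict[str, object]:
    """Run every check once on the constructed inputs."""
    s = build_samples()
    return {
        "dropped_windows": dropped_packet_windows(s, threshold_pct=10.0),   # [30]
        "no_traffic": no_traffic_detected(s, now=90, interval_s=20),        # True (31 s silent)
        "disk_warning": disk_space_warning(80_000, 2_000_000),              # True (4% free)
        "high_cpu": high_cpu_load([96.0, 97.0, 98.0, 99.0], 5, 20),         # True (mean 97.5)
        "cert_priority": certificate_expiry_priority(2 * DAY),              # "High"
    }


if __name__ == "__main__":
    print(demo())
```

Note that the Disk Space Warning needs both conditions: 50,000 free blocks on a 200,000-block disk is 25% free and does not fire, which is the point of pairing an absolute floor with a percentage.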

Managing incident and event data


Because large chronological lists of events are difficult for a person to manage, Symantec Network Security groups events into incidents with similar or related characteristics, such as time, type, location, source, or destination. By applying real-time analysis and correlation in this way, Symantec Network Security gives you a shorter list of what has occurred in your network to sift through. The Network Security console also provides a way to mark the incidents that you have read and to add notes. You can save and print the data in several formats, and copy and paste it into files or email.

- Selecting columns
- Selecting view filters
- Marking and annotating
- Saving, copying, and printing data
- Emailing incident or event data

Selecting columns
The Network Security console provides a way to adjust the view by selecting which columns the Network Security console displays.

See Selecting incident columns on page 226.
See Selecting event columns on page 227.

Selecting incident columns


Not all incidents contain data in every category, so you may want to remove empty columns or add others to customize the display. All users can modify the display of incident data by selecting columns.

To customize the incident columns

1 On the Incidents tab, in the upper Incidents pane, click Columns.

2 In Table Column Chooser, do one of the following:
- Click Select All to display all columns.
- Click the individual columns that you want to view.

3 Click OK to save and close.

The Incidents tab can display the following incident data:

Last Mod. Time: Indicates the date and time when Symantec Network Security last modified the incident record.

Name: Indicates the user group of the current user.

Severity: Indicates the severity level assigned to the incident. An incident's severity is a measure of the potential damage that it can cause.

Source: Indicates the IP address of the attack source. If the source is made up of multiple addresses, the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.

Destination: Indicates the IP address of the attack target. If the destination is made up of multiple addresses, the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.

Event Count: Indicates the total number of events associated with this incident that have been logged to the database.

Device Name: Indicates the name of the device where the incident was detected.

Location: Indicates the location of the device where the incident was detected.

State: Indicates the condition of the incident, either Active or Closed. Incidents to which no new events have been added for a given amount of time are considered idle, and Symantec Network Security closes them.

Marked: Indicates whether you marked the incident as viewed.

Node #: Indicates the number of the software or appliance node that detected the incident.

Node Name: Indicates the name of the software or appliance node that detected the incident.

Other Node #s: Indicates the numbers of the software or appliance nodes to which the incident was cross-node correlated, if any.

Note: All users can select incident columns. See User groups reference on page 353 for more about permissions. See the following for related information:

See About incident/event reports on page 260.
See Sorting column data on page 216.

Selecting event columns


Not all events contain data in every category, so you may want to remove empty or irrelevant columns, or add others to customize the display. All users can modify the display of event information by selecting columns.

To select event columns

1 On the Incidents tab, in the lower Events at Selected Incidents pane, click Columns.

2 In Table Column Chooser, do one of the following:
- Click Select All to select all columns.
- Click the individual columns you want to view.

3 Click OK to save and close.

The Events at Selected Incident pane can display the following information:

Time: Indicates the date and time when Symantec Network Security first detected and logged the event.

Event Type: Indicates the event category of the detected event.

Name: Indicates the user group of the current user.

Source: Indicates the IP address of the packet that triggered the event. If the source is made up of multiple addresses, the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.

Destination: Indicates the IP address of the attack target. If the destination is made up of multiple addresses, the Network Security console displays (multiple IPs) and you can view the list of addresses by double-clicking the event to see Event Details.

Severity: Indicates the severity level assigned to the event. An event's severity is a measure of the potential damage that it can cause.

Confidence: Indicates the confidence level assigned to the event. An event's confidence is a measure of the level of certainty that it is actually part of an attack and free from false positives. If the event is merely suspicious, it is assigned a lower confidence level. If Symantec Network Security collects more data on the event to substantiate its confidence, the confidence is adjusted upward.

Event Num: Indicates the order in which the event was added to the incident. An event can be configured to be reported periodically, such as once every 500 times. The Event Num column indicates whether an event is actually an aggregation of multiple events by displaying the number of suppressed events in parentheses.

Device Name: Indicates the name of the device where the event was detected.

Interface Group: Indicates the name of the interface group where the event was detected.

Location: Indicates the location of the device where the event was detected.

VLAN ID: Indicates the identification of the VLAN where the event was detected.

Blocked: Indicates whether the event was blocked or not. You can block events only with a 7100 Series appliance node.

Note: All users can select event columns. See User groups reference on page 353 for more about permissions. See the following for further information:

See About incident/event reports on page 260.
See Interpreting severity and confidence levels on page 221.

Selecting view filters


The Network Security console provides a way to adjust the view by selecting filters to display only a relevant subset of the total incident or event tables.

See Selecting incident filters on page 229.
See Selecting event filters on page 230.

Selecting incident filters


You can filter the view of incident data to provide a shorter list to sift through, using the Incident Filter. For example, you can set the Incidents table to display only active incidents. You can choose between viewing the incidents detected by all software and appliance nodes, and viewing only those detected by a particular software or appliance node. By default, incidents from all nodes are displayed.

Note: When you apply incident view filters, they apply only to the incidents, not to the events correlated to the incidents. For example, even if you select the Sensor Only filter, an operational event that is correlated to a sensor incident will still be displayed.

To filter the view of incidents or events

1 On the Incidents tab, in the upper Incidents pane, click Filters.

2 Click Hide Closed Incidents to show only active incidents in the cluster.

3 In Incident Class, do one of the following:
- Click Hide All Operational to show only those incidents classified as sensor events, and filter out all operational notice events.
- Click Hide Sensor to show only operational events, such as Network Security console logins.
- Click Show All Operational and Sensor to show both operational and sensor events.

4 In Marked State, do one of the following:
- Click Hide Unmarked to show only the incidents that have been marked in the Network Security console.
- Click Hide Marked to show only the incidents that have not been marked in the Network Security console.
- Click Show Both to include both marked and unmarked incidents.

5 In Analyst Notes, do one of the following:
- Click Hide Unannotated to show only incidents with annotations and incidents that contain events with annotations.
- Click Hide Annotated to show only incidents that do not have annotations or that contain events with annotations.
- Click Show Both to include both annotated and unannotated incidents.

6 In Node List, do one of the following:
- In Show Incidents from Node #, click 1 from the pull-down list to show only incidents from the selected software or appliance node, or All (except standby) to view incidents from all the software or appliance nodes within the topology, excluding standby nodes.
- Click Include Backup Nodes to preserve incidents during a failover scenario.

7 In Incident Hours, do one of the following:
- In Maximum Incident Hours to Display, enter a value to limit the total number of hours.
- In Maximum Incidents Within Incident Hours, enter a value to limit the total number of incidents within the hour limit.

8 Click Apply to save and exit.

Note: All users can select incident filtering criteria. See User groups reference on page 353 for more about permissions.

Selecting event filters


You can filter the event data that is displayed by using the Event Filter.

To filter the view of events

1 On the Incidents tab, in the Events at Selected Incident pane, click Filters.

2 In Event Class, do one of the following:
- Click Hide Operational to show only those events classified as sensor events.
- Click Hide Sensor to show only events associated with notices.
- Click Show Both to show all events relating to the selected incident.

3 In Maximum Events to Display, enter a value. The default is 100 events per incident.

4 Click Apply to save and exit.

Note: All users can select event filtering criteria. See User groups reference on page 353 for more about permissions. See also About operational event notices on page 223.

Marking and annotating


The Network Security console provides a way to keep track of your examination of the incidents by marking incidents as read and adding notes about them.

See Marking incidents as read on page 231.
See Annotating incident data on page 232.
See Customizing annotation templates on page 232.

Marking incidents as read


All users can mark incidents to distinguish new incidents from reviewed incidents.

To mark incidents already viewed

1 On the Incidents tab, right-click an incident.

2 In the pop-up list, click Mark Incident. The Marked column of the incident displays a red hash mark to indicate that it has been viewed.

Note: If an incident changes after it was marked, such as a new event being added to it, the red hash mark changes to a red circle to flag you.

Note: All users can mark incident data. See User groups reference on page 353 for more about permissions.

232 Monitoring Managing incident and event data

Annotating incident data


You can add comments to incidents and events. Each annotation receives a time stamp and lists the author of the annotation. You can sort multiple annotations for an event by time stamp in ascending or descending order.

To annotate an incident or event

1 On the Incidents tab, double-click an incident or event.

2 In Incident Details or Event Details, click Add Analyst Note.

3 Enter the information relevant to this incident. The Note field can include guidelines established by the SuperUser, such as ticket number, owner, and the last action taken in response to the event.

4 Click Add Note to preserve your annotation.

5 In Analyst Note, click Close to save and close.

Note: All users can annotate incident and event data. See User groups reference on page 353 for more about permissions.

Customizing annotation templates


The Network Security console provides an informational template to make Analyst Notes consistent and pertinent to your enterprise. For example, the template can prompt for specific information such as identifying numbers or last actions taken.

Note: SuperUsers and Administrators can create a template for Analyst Notes. All users can use the template to annotate incident and event data. See User groups reference on page 353 for more about permissions.

To create an annotation template

1 On the main menu bar, click Configuration > Node > Analyst Note Template.

2 In Select Node, select the software or appliance node from the pull-down list and click OK.

3 In the Analyst Note Template, edit the file with the boilerplate information that you want to keep track of, and click OK to save and exit.

Saving, copying, and printing data


This section describes the following:

- Saving incident data
- Copying and pasting incidents
- Copying an incident's top event
- Copying event details
- Printing incident data

Saving incident data


All users can save detailed information about each incident on the Network Security console Incidents tab.

To save incident data

1 On the Incidents tab, right-click an incident row.

2 Click Save from the pop-up list.

3 Choose a file format from the following:
- Click Save as PDF.
- Click Save as HTML.
- Click Save as PS.

4 Enter the desired filename, and click Save.

Note: All users can save incident data. See User groups reference on page 353 for more about permissions.

Copying and pasting incidents


You can copy and paste detailed information about each incident into another format from the Incidents tab.

To copy and paste incident data

1 On the Incidents tab, right-click an incident row.

2 Click To Clipboard. The incident data is saved and ready to paste.

3 Paste this incident data into a document or email.

Note: All users can copy and paste incident data. See User groups reference on page 353 for more about permissions.

Copying an incident's top event

The Network Security console provides a way to copy the top event data from an incident, and paste it into a document or email.

To copy event data

1 On the Incidents tab, double-click an incident row.

2 Click Top Event to view the highest priority event correlated to that incident.

3 In Event Details, click Copy to Clipboard. The incident's top event data is saved and ready to paste.

4 Paste this event data into a document or email.

Note: SuperUsers and Administrators can copy data from an incident's top event. See User groups reference on page 353 for more about permissions.

Copying event details


The Network Security console provides a way to copy event data and paste it into a document or email.

To copy event data

1 On the Incidents tab, in Events at Selected Incident, double-click an event row to view the details about any event.

2 In Event Details, click Copy to Clipboard. The event data is saved and ready to paste.

3 Paste this event data into a document or email.

Note: SuperUsers and Administrators can copy event details. See User groups reference on page 353 for more about permissions.


Printing incident data


All users can print detailed information about each incident on the Network Security console Incidents tab.

To print incident data

1 On the Incidents tab, right-click an incident row.

2 Click Print.

3 Optionally, you can choose from the following print options:
- Click Page Setup to lay out the page before printing or previewing.
- Click Print Preview to preview the page before printing.

4 Click Print to send the incident data to a printer.

Note: All users can print top-level incident data. See User groups reference on page 353 for more about permissions.

Emailing incident or event data


The Network Security console provides a way to configure Symantec Network Security to export incident or event data via email:

- Configuring email
- Emailing incident data

Configuring email
All users can configure a Network Security console to email detailed information about each incident on the Incidents tab.

To configure Symantec Network Security to email incident data

1 On the Incidents tab, right-click an incident row.

2 Click Email > Configuration.

3 In Email Configuration, indicate the following:
- In SMTP Mail Server, enter your SMTP server for outgoing emails.
- In To, enter the destination.
- In From, enter the source.
- In Subject, enter the email subject.

4 Click OK to store this information in User Preferences.

Note: All users can configure Symantec Network Security to email top-level incident data. See User groups reference on page 353 for more about permissions.

Emailing incident data


You can send detailed information about each incident via email using the Incidents tab.

To email incident data

1 On the Incidents tab, right-click an incident row.

2 Click Email.

3 To compose a message before sending the data, do one of the following:
- Click Compose > in HTML Format to send an email in HTML format.
- Click Compose > in Text Format to send an email in plain text format.

4 To send the data without additional messages, do one of the following:
- Click Send Directly > in HTML Format to send an email in HTML format. Make sure to configure email first.
- Click Send Directly > in Text Format to send an email in plain text format. Make sure to configure email first.

5 To select a specific browser or mail client, do one of the following:
- Click Through Browser, and paste the incident content into the body of the email.
- Click Through Mail Client, and paste the incident content into the body of the email.

Note: The Network Security console and the software or appliance node may not use the same SMTP mail server. Setting the SMTP Server notification parameter does not necessarily affect the SMTP mail server referenced in this procedure.

6 Click Send.

Note: All users can email top-level incident data. See User groups reference on page 353 for more about permissions.


Tuning incident parameters


Incident parameters define how Symantec Network Security handles incidents and events over time.

Note: SuperUsers can configure incident parameters for a cluster or single node. See User groups reference on page 353 for more about permissions.

This section describes the following incident parameters:

- Setting Incident Idle Time
- Setting Maximum Incidents
- Setting Incident Unique IP Limit
- Setting Event Correlation Name Weight
- Event Correlation Source IP Weight
- Event Correlation Destination IP Weight
- Event Correlation Source Port Weight
- Event Correlation Destination Port Weight

Setting Incident Idle Time


Incidents are considered idle and are closed when no new events have been added for a given amount of time. SuperUsers and Administrators can define the period of time that an incident remains idle before Symantec Network Security discontinues monitoring it, by editing the Incident Idle Time parameter. By default, the value for this parameter is set to 10 minutes.

Incident Idle Time refines the correlation process by determining how long an inactive incident remains idle before it is retired. An incident that remains unchanged past the idle time is retired: it is no longer actively monitored, and events are no longer correlated into it. Decreasing this value shortens the idle time for each incident, and reduces the chance that attacks will be correlated together. Increasing this value increases the chance that attacks will be correlated together, which impacts correlation performance.

To edit the incident idle time parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane under Incident Parameters, click Incident Idle Time.

4 In the lower right pane, enter a value in minutes. By default, the value for this parameter is set to 10 minutes.

5 Click Apply.

6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Caution: You will lose any unsaved changes when you exit.

Setting Maximum Incidents


Maximum Incidents determines the maximum number of incidents allowed to be active at a given time. The default value is 50. Raise the value if you expect to see traffic streams with more than 50 attacks at the same time.

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane under Incident Parameters, click Maximum Incidents.

4 In the lower right pane, enter the number of incidents.

5 Click Apply.

6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Note: We recommend that this value be set between 10 and 100. Increasing this value can impact memory.

Setting Incident Unique IP Limit


Incident Unique IP Limit determines how many unique IP addresses can appear in an incident. The default value is 0, which indicates no limit. Increase the value to provide more focus and prevent diffusion in each incident. You can specify a limit to the number of IP addresses that can appear in any one incident. This prevents many events from being correlated into the same incident when each is just similar enough to be included but the incident as a whole expands to a vague definition. This parameter gives you a way to maintain a tight and focused incident definition.

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane under Incident Parameters, click Incident Unique IP Limit.

4 In the lower right pane, enter a value.

5 Click Apply.

6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Setting Event Correlation Name Weight


Event Correlation Name Weight determines the weight of the event name as a factor in event correlation. The default value is set to 4 for optimum performance in a typical enterprise deployment. Valid values range from 0 to 10, inclusive. A value of 0 means the event name will be completely ignored during correlation. A value of 10 means that a matching name alone is sufficient to correlate events.

Note: Make sure that the sum of all Event Correlation Weight values is equal to or greater than 10. If the sum is less than 10, no events will be correlated.

Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane under Incident Parameters, click Event Correlation Name Weight.

4 In the lower right pane, enter a value between 0 and 10.

5 Click Apply.

6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Event Correlation Source IP Weight


Event Correlation Source IP Weight determines the weight of the event source IP address as a factor in event correlation. The default value is set to 4 for optimum performance in a typical enterprise deployment. Valid values range from 0 to 10, inclusive. A value of 0 means the source IP address will be completely ignored during correlation. A value of 10 means that a matching source IP address alone is sufficient to correlate events.

Note: Make sure that the sum of all Event Correlation Weight values is equal to or greater than 10. If the sum is less than 10, no events will be correlated.

Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane under Incident Parameters, click Event Correlation Source IP Weight.

4 In the lower right pane, enter a value between 0 and 10.

5 Click Apply.

6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Event Correlation Destination IP Weight


Event Correlation Destination IP Weight determines the weight of the event destination IP address as a factor in event correlation. The default value is set to 4 for optimum performance in a typical enterprise deployment. Valid values range from 0 to 10, inclusive. A value of 0 means the destination IP address will be completely ignored during correlation. A value of 10 means that a matching destination IP address alone is sufficient to correlate events.

Note: Make sure that the sum of all Event Correlation Weight values is equal to or greater than 10. If the sum is less than 10, no events will be correlated.

Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise

To configure this parameter

1 On the main menu bar, click Configuration > Node > Network Security Parameters.

2 In Select Node, choose the node from the pull-down list, and click OK.

3 In the left pane under Incident Parameters, click Event Correlation Destination IP Weight.

4 In the lower right pane, enter a value between 0 and 10.

5 Click Apply.

6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Event Correlation Source Port Weight


Event Correlation Source Port Weight determines the weight of the event name as a factor in event correlation. The default value is set to 4 for optimum performance in a typical enterprise deployment. Valid values range from 0 to 10, inclusive. A value of 0 means the event name will be completely ignored during correlation. A value of 10 means that a matching name alone is sufficient to correlate events. Note: Make sure that the sum of all Event correlation Weight values is equal to or greater than 10. If the sum is less than 10, no events will be correlated.

Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Incident Parameters, click Event Correlation Source Port Weight.
4 In the lower right pane, enter a value between 0 and 10.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Event Correlation Destination Port Weight


Event Correlation Destination Port Weight determines the weight of the destination port as a factor in event correlation. The default value is set to 4 for optimum performance in a typical enterprise deployment. Valid values range from 0 to 10, inclusive. A value of 0 means the destination port will be completely ignored during correlation. A value of 10 means that a matching destination port alone is sufficient to correlate events.

Note: Make sure that the sum of all Event Correlation Weight values is equal to or greater than 10. If the sum is less than 10, no events will be correlated.

Caution: Before making changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Incident Parameters, click Event Correlation Destination Port Weight.
4 In the lower right pane, enter a value between 0 and 10.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
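The weighting rule described above (each matching attribute contributes its weight, a total of 10 correlates two events, and weights that cannot sum to 10 correlate nothing), worked through as an added Python illustration. This is not Symantec Network Security code; the attribute names, the greedy grouping and the sample events are assumptions.

```python
"""Weighted event correlation, as an added illustration of the Event
Correlation Weight parameters above.  This is not Symantec Network
Security code: it implements the scoring rule as the page describes it
(each matching attribute contributes its weight, a total of 10 correlates
two events, and weights that cannot sum to 10 correlate nothing).  The
five attribute names and all sample events are constructed."""

from dataclasses import dataclass

CORRELATION_THRESHOLD = 10  # a score of 10 correlates; weights must be able to reach it

# Assumed attribute names for the five weight parameters; 4 is the page's
# default for each, and each valid value is an integer in 0..10.
DEFAULT_WEIGHTS = {
    "event_name": 4,
    "source_ip": 4,
    "destination_ip": 4,
    "source_port": 4,
    "destination_port": 4,
}


@dataclass(frozen=True)
class Event:
    event_name: str
    source_ip: str
    destination_ip: str
    source_port: int
    destination_port: int


def validate_weights(weights):
    """Enforce the 0..10 range and the 'sum must reach 10' note from the page."""
    for name, weight in weights.items():
        if not isinstance(weight, int) or not 0 <= weight <= 10:
            raise ValueError(f"{name}: weight {weight!r} is not an integer in 0..10")
    if sum(weights.values()) < CORRELATION_THRESHOLD:
        raise ValueError("sum of weights is below 10: no events would ever be correlated")


def correlation_score(first, second, weights):
    """Sum the weights of every attribute on which the two events agree."""
    return sum(
        weight
        for attr, weight in weights.items()
        if getattr(first, attr) == getattr(second, attr)
    )


def should_correlate(first, second, weights=None):
    """True when the matching attributes' weights reach the threshold of 10."""
    weights = DEFAULT_WEIGHTS if weights is None else weights
    validate_weights(weights)
    return correlation_score(first, second, weights) >= CORRELATION_THRESHOLD


def group_into_incidents(events, weights=None):
    """Greedy grouping (an assumption, not the product's algorithm): an event
    joins the first incident whose first event it correlates with, otherwise
    it opens a new incident."""
    weights = DEFAULT_WEIGHTS if weights is None else weights
    validate_weights(weights)
    incidents = []
    for event in events:
        for incident in incidents:
            if correlation_score(incident[0], event, weights) >= CORRELATION_THRESHOLD:
                incident.append(event)
                break
        else:
            incidents.append([event])
    return incidents


# Constructed sample events (documentation address ranges, made-up ports).
E1 = Event("Portscan", "198.51.100.7", "192.0.2.10", 40001, 22)
E2 = Event("Portscan", "198.51.100.7", "192.0.2.10", 40002, 23)   # name + both IPs = 12
E3 = Event("Portscan", "203.0.113.5", "192.0.2.11", 51000, 25)    # name only = 4
E4 = Event("Synflood", "198.51.100.7", "192.0.2.10", 60000, 80)   # both IPs only = 8

if __name__ == "__main__":
    for other in (E2, E3, E4):
        print(correlation_score(E1, other, DEFAULT_WEIGHTS), should_correlate(E1, other))
    # Raising the destination IP weight to 6 lets E1 and E4 correlate on IPs alone.
    print(should_correlate(E1, E4, dict(DEFAULT_WEIGHTS, destination_ip=6)))
    print(len(group_into_incidents([E1, E2, E3, E4])))
```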

Tuning operational event parameters


Operational event parameters define how Symantec Network Security reports operational events.

Note: SuperUsers can configure operational event parameters for a cluster or single node. See User groups reference on page 353 for more about permissions.

This section describes the following operational event parameters:

High CPU Load Logging Interval
Sensor No Traffic Detected Logging Interval
Sensor Dropped Packet Percentage Threshold

High CPU Load Logging Interval


High CPU Load Logging Interval determines the time intervals at which the node measures the average CPU use. If the sensor detects CPU load at 95%, averaged over the time interval set by this parameter, it triggers an event to notify you of this condition. To disable this parameter, set the value to 0. The minimum value to enable this parameter is 3 minutes, and there is no maximum value. If you set a time interval of less than 3 minutes, the parameter defaults to the 3-minute interval. Setting this parameter higher increases tolerance for fluctuations in CPU use.

Note: This parameter applies to Symantec Network Security 7100 Series appliances only.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click High CPU Load Logging Interval.
4 In the lower right pane, do one of the following:
   Enter a value of 0 to disable this parameter.
   Enter a value of 3 or greater to enable this parameter.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Sensor No Traffic Detected Logging Interval


Sensor No Traffic Detected Logging Interval determines a time interval during which the node tolerates an absence of traffic detection. If the sensor does not detect any traffic beyond this time interval, the sensor triggers an event to notify you of this condition. The default value is set to 30 seconds. To disable this parameter, set the value to 0. The minimum value to enable this parameter is 30 seconds, and there is no maximum value. If you set a time interval of less than 30 seconds, the parameter defaults to the 30-second interval. Increasing the value above the default decreases sensitivity, and reduces the number of events if a condition of no traffic exists.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click Sensor No Traffic Detected Logging Interval.
4 In the lower right pane, do one of the following:
   Enter a value of 30 or greater to enable this parameter.
   Enter a value of 0 to disable this parameter.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Sensor Dropped Packet Percentage Threshold


Sensor Dropped Packet Percentage Threshold regulates the level at which the sensor tolerates dropped packets. If the sensor detects a greater percentage of dropped packets over a 30-second time interval than the threshold set by this parameter, it triggers an operational event to notify you of this condition. The default value is set to 5%. Valid values range from 0% to 100%, inclusive. To disable this parameter, set the value to 0. The minimum value to enable this parameter is 1%. Decreasing the value increases sensitivity, and increases the number of events if a condition of dropped packets exists.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click Sensor Dropped Packet Percentage Threshold.
4 In the lower right pane, do one of the following:
   Enter a value between 1% and 100% to enable this parameter.
   Enter a value of 0% to disable this parameter.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
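The three operational event parameters in this section, worked through as an added Python illustration of how the disable value, the 3-minute and 30-second floors, and the 5% threshold decide whether an event is logged. This is not Symantec Network Security code; the counters, the 5-minute CPU interval and the snapshot layout are assumptions.

```python
"""Operational event checks, as an added illustration of the three
parameters above (High CPU Load Logging Interval, Sensor No Traffic Detected
Logging Interval, Sensor Dropped Packet Percentage Threshold).  This is not
Symantec Network Security code: the disable value, floors and thresholds come
from the page, the sample counters are constructed."""

CPU_LOAD_TRIGGER_PERCENT = 95.0      # page: event when CPU load averages 95% over the interval
CPU_INTERVAL_FLOOR_MINUTES = 3       # page: values below 3 minutes default to 3; 0 disables
NO_TRAFFIC_FLOOR_SECONDS = 30        # page: values below 30 seconds default to 30; 0 disables
DROPPED_PACKET_WINDOW_SECONDS = 30   # page: dropped packets are measured over 30 seconds


def _effective_interval(configured, floor):
    """0 keeps the check disabled; any positive value below the floor is raised to it."""
    if configured < 0:
        raise ValueError(f"interval {configured!r} must be 0 or positive")
    return 0 if configured == 0 else max(configured, floor)


def effective_cpu_interval_minutes(configured_minutes):
    return _effective_interval(configured_minutes, CPU_INTERVAL_FLOOR_MINUTES)


def effective_no_traffic_interval_seconds(configured_seconds):
    return _effective_interval(configured_seconds, NO_TRAFFIC_FLOOR_SECONDS)


def validate_dropped_packet_threshold(percent):
    """Valid values are 0..100 inclusive: 0 disables, 1..100 enable the check."""
    if not 0 <= percent <= 100:
        raise ValueError(f"threshold {percent!r}% is outside 0..100")
    return percent


def high_cpu_event(minute_samples, configured_minutes):
    """minute_samples: CPU load readings (percent), one per minute, oldest first.
    Triggers when the average over the last <interval> minutes reaches 95%."""
    interval = effective_cpu_interval_minutes(configured_minutes)
    if interval == 0 or len(minute_samples) < interval:
        return False
    window = minute_samples[-interval:]
    return sum(window) / len(window) >= CPU_LOAD_TRIGGER_PERCENT


def no_traffic_event(seconds_since_last_packet, configured_seconds):
    """Triggers once the silence outlasts the effective interval."""
    interval = effective_no_traffic_interval_seconds(configured_seconds)
    return interval != 0 and seconds_since_last_packet > interval


def dropped_packet_event(received, dropped, threshold_percent):
    """received/dropped are packet counters for one 30-second window; triggers when
    the dropped share exceeds (not merely reaches) the configured threshold."""
    threshold = validate_dropped_packet_threshold(threshold_percent)
    total = received + dropped
    if threshold == 0 or total == 0:
        return False
    return 100.0 * dropped / total > threshold


def evaluate_sensor(status, settings):
    """Run all three checks over a constructed status snapshot and return the
    names of the operational events that would be logged."""
    events = []
    if high_cpu_event(status["cpu_minute_samples"], settings["cpu_interval_minutes"]):
        events.append("High CPU Load")
    if no_traffic_event(status["seconds_since_last_packet"], settings["no_traffic_seconds"]):
        events.append("Sensor No Traffic Detected")
    if dropped_packet_event(status["received"], status["dropped"], settings["dropped_pct"]):
        events.append("Sensor Dropped Packet Percentage")
    return events


# Constructed snapshot and the page's documented defaults (30 s, 5%); the CPU
# interval has no documented default, so 5 minutes is an assumption.
SAMPLE_STATUS = {
    "cpu_minute_samples": [40, 60, 96, 97, 98, 99, 100],
    "seconds_since_last_packet": 12,
    "received": 9400,
    "dropped": 600,
}
DEFAULT_SETTINGS = {"cpu_interval_minutes": 5, "no_traffic_seconds": 30, "dropped_pct": 5}

if __name__ == "__main__":
    print(evaluate_sensor(SAMPLE_STATUS, DEFAULT_SETTINGS))
```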


Monitoring flow statistics


This section describes the following topics:

Enabling flow data collection
Configuring FlowChaser

Enabling flow data collection


Symantec Network Security can receive flow data from its own sensors, from routers, and from third-party sensors. You can optimize this by enabling FlowChaser, a flow data store that provides a data source for Symantec Network Security to analyze and correlate. FlowChaser receives information about network flows from Network Security sensors, routers, and third-party devices. FlowChaser stores the data in an optimized fashion that Symantec Network Security uses for TrackBack and response actions.

Note: For flow data collection, you must add interfaces and protection policies to sensors. For TrackBack, you must enable Flow Statistics Capture in the sensor parameters, and execute the TrackBack response rule. See Adding or editing monitoring interface on software nodes on page 93, Defining new protection policies on page 124, and Setting TrackBack response action on page 154.

To enable flow data collection
1 On the Devices tab, in the topology tree, right-click a monitoring interface.
2 In the pop-up list, click Configure Sensor Parameters.
3 In the left pane under Basic Parameters, click Enable Flow Statistics Collection.
4 In the right pane, click True.
5 Click Apply.
6 In Apply Changes To, select a monitoring interface and click OK.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.


Configuring FlowChaser
Configure the following FlowChaser parameters to enable the FlowChaser option and define how it functions:

Setting FlowChaser Maximum Flows Per Device
Setting FlowChaser Router Flow Collection Threads
Setting FlowChaser Router Flow Collection Port
Setting FlowChaser Sensor Threads

Setting FlowChaser Maximum Flows Per Device


FlowChaser Maximum Flows Per Device limits the volume of flow data exported from the routers by setting a maximum number of flow entries stored per device in the FlowChaser flow data store. The default value is 24,567.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under FlowChaser Database, click FlowChaser Maximum Flows Per Device.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.

Setting FlowChaser Router Flow Collection Threads


FlowChaser Router Flow Collection Threads determines the number of threads for the FlowChaser database to receive flow data. To handle a large volume of data, you can add threads by raising the value. This will affect system performance. In general, this should be set to 1 less than the number of processors on the software or appliance node, with a minimum value of 1. Set this to 0 if you are running the FlowChaser database but not receiving any router flow data. The default value is 3.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under FlowChaser Database, click FlowChaser Router Flow Collection Threads.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.

Setting FlowChaser Router Flow Collection Port


FlowChaser Router Flow Collection Port sets the UDP port by which routers send flow data to Symantec Network Security. Configure the routers to use this port as well. The default value is 12,387.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under FlowChaser Database, click FlowChaser Router Flow Collection Port.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.

Setting FlowChaser Sensor Threads


FlowChaser Sensor Threads determines how many threads each sensor uses to receive flow data. In general, this should be set to 1 less than the number of processors on the software or appliance node, with a minimum value of 1. The default value is 2.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under FlowChaser Database, click FlowChaser Sensor Threads.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.


Chapter

Reporting
This chapter includes the following topics:

About reports and queries
Scheduling reports
Reporting top-level and drill-down
About top-level report types
Querying flows
Playing recorded traffic

About reports and queries


Symantec Network Security provides a comprehensive reporting module that can automatically generate and send daily email reports of the most frequently occurring event types for the day. Pre-defined report types with drill-down data retrieval and dynamic chart and graph generation aid reporting and provide a clear picture of network events. These reports provide detailed data on the types of events and incidents that occurred, and protocols exploited during the specified time period. With any account, you can view and print reports, and save them in multiple formats. You can generate reports that appear in table format, and sort the table columns. Symantec Network Security can generate email reports of incidents logged for all Network Security software nodes in the cluster. You can also generate reports on demand about any Network Security software nodes in the cluster. These Network Security console reports are available as top-level reports and as drill-down reports.

The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.

Scheduling reports
You can administer and configure scheduled reports on any software or appliance node using the Network Security console. You can generate Network Security console reports in table format, and customize the table by sorting. You can print or save reports, drill down to details in a top-level report, and save or print all the details, rather than printing each page of details individually. You can save and print Console Reports in text and HTML format. This section includes the following:

Adding or editing report schedules
Refreshing the list of reports
Deleting report schedules
Managing scheduled reports

Note: SuperUsers and Administrators can schedule reports; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Adding or editing report schedules


The Network Security console provides a way to add or edit scheduled reports on any software or appliance node in a cluster. Regardless of which node is running the reports, Symantec Network Security gathers data from all nodes in the cluster, and generates a comprehensive, cluster-wide report.

To add or edit scheduled reports
1 On the main menu bar, click Reports > Schedule Reports.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Report Scheduling, do one of the following:
   Click Add.
   Select a report and click Edit.
4 In Unscheduled Subreports, click a report type, and then click the double right arrows to move it to Scheduled Subreports.
5 The following subreports require additional information:
   In Top Event Types, enter the number of event types, and click OK.
   In Top Event Destinations, enter the number of addresses, and click OK.
   In Top Event Sources, enter the number of addresses, and click OK.
   In Event by Classful Destination, enter the number of networks, and click OK.
   In Event by Classful Source, enter the number of networks, and click OK.
6 To deselect a report, in Scheduled Subreports, click the report, and then click the double left arrows to move it to Unscheduled Subreports.
7 In Report Generation Options, supply the generation options by selecting from the following:
   In Report Name, enter a name for the report.
   In Report Format, choose plain text or HTML from the pull-down list.
   In Day to run, choose the day of the week from the pull-down list.
   In Hour to run, choose the hour from the pull-down list.
   In Report period in days, enter the number of days in the reporting period.
   In Report Delivery Method, choose from the following:
      In Send Via Email, enter the email address to send the report by email.
      In Save To File, click to save the report to a file.
      In Secure Copy, enter the hostname, directory, and username.
8 Click OK to save and exit.

Note: Saved scheduled reports are output to /usr/SNS/reports on software and appliance nodes, named <report name>.<time stamp>.<file type>. For example, Rpt3.1085630401.txt or Rpt5.1085634000.html.

Refreshing the list of reports


The Network Security console provides a way to update the view after each change to the report table, using Refresh Table.

To refresh the table
1 On the menu bar, do one of the following:
   Click Reports > Schedule Reports.
   Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
   In Report Scheduling, click Manage Report Files.
   In Report Files, proceed to the next step.
4 In Report Files, click Refresh Table.

Deleting report schedules


The Network Security console provides a way to delete the scheduled, periodic automatic reports.

To delete scheduled reports
1 On the menu bar, click Reports > Schedule Reports.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Manage Saved Scheduled Reports, select a scheduled report.
4 Click Actions > Delete, and click OK.

Managing scheduled reports


Symantec Network Security provides an efficient way to manage scheduled reports using Manage Report Files. Symantec Network Security also provides the Admin menu as an alternative to managing saved reports via the Reports menu. Note: SuperUsers and Administrators can manage reports; StandardUsers and RestrictedUsers have read access only. See User groups reference on page 353 for more about permissions. This section includes the following topics:

Viewing saved reports
Exporting saved reports
Deleting saved reports


Viewing saved reports


The Network Security console provides a way to view saved reports easily.

To view saved reports
1 On the main menu bar, do one of the following:
   Click Reports > Schedule Reports.
   Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
   In Report Scheduling, click Manage Report Files.
   In Report Files, proceed to the next step.
4 In Report Files, select a saved report.
5 In Actions, click View.
6 Click Close to exit.

Exporting saved reports


The Network Security console provides a way to configure the software or appliance node to export automatic reports to another secure location, using SCP.

To export saved reports
1 On the main menu bar, do one of the following:
   Click Reports > Schedule Reports.
   Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
   In Report Scheduling, click Manage Report Files.
   In Report Files, proceed to the next step.
4 In Report Files, select a saved report.
5 Click Actions > Secure Copy.
6 In Secure Copy Options, provide or verify the following information:
   Filename: indicates the name of the selected report.
   Hostname: enter the name of the host to which the report will be copied.
   Directory: enter the directory to which the report will be copied.
   Username: enter the name of the user.
7 Click OK to launch and close.

Deleting saved reports


The Network Security console provides a way to delete saved reports.

To delete saved reports
1 On the main menu bar, do one of the following:
   Click Reports > Schedule Reports.
   Click Admin > Node > Manage Report Files.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Do one of the following:
   In Report Scheduling, click Manage Report Files.
   In Report Files, proceed to the next step.
4 In Report Files, select a saved report.
5 Click Actions > Delete, and click OK.

Reporting top-level and drill-down


On the Reporting menu, the Network Security console lists top-level reports. In most top-level reports, you can generate one or more levels of drill-down reports that provide a more focused level of detail. By supplying report parameters, you can choose the report type. The types of reports that Symantec Network Security generates are described in detail in the following sections. In addition to scheduled reports, you can generate various report types on demand. Symantec Network Security generates reports from data collected from all Network Security software nodes in the cluster. You can supply various report parameters, depending on the type of report, such as start and end dates and times. This section includes the following:

About report formats
About report types
About incident/event reports
Printing and saving reports


About report formats


The reports are generated in one or more formats, depending on the type of report. Possible formats include tables, bar charts, column charts, and pie charts. The report generator makes most reports available in more than one format. All users can navigate from one format to another by selecting one of the report formats listed in the drop-down menu in the upper right corner of the report window.

About report types


Reports listed in the Network Security console Reporting menu are top-level reports. In most top-level reports, you can also generate one or more levels of drill-down reports that provide a more focused level of detail. For example, you can generate an Events Per Day report and then select a particular day from the report for which to generate an Events Per Hour drill-down report. The drill-down report will break out that day's event count into 24 separate event counts, one for each hour of the day you selected. For any hour of that day, you can generate other drill-down reports, such as a Top Event Types report to view the types of events that occurred most frequently during that hour.

Notice that many reports, such as Events Per Hour and Top Event Types, can be generated as both top-level Network Security console reports, and also as drill-down reports from within other top-level reports, or even from within other drill-down reports. For example, from the Events Per Month report, you can drill down to an Events Per Day report, and from there to an Events Per Hour report, but all of these reports can also be generated as top-level reports. Some reports are only available as drill-down reports.

To view drill-down reports, right-click in the area of the report representing the data for which you want to generate a drill-down report. For example, right-click in a column, bar, pie piece, or table row. Then select a report type from the pop-up menu that appears. Symantec Network Security will generate the drill-down report based on the data related to the column, bar, pie piece or table row you selected. After you generate drill-down reports, you can navigate between the top-level report and its drill-down reports by clicking Forward and Back in the Report window.

Note: Allow a few seconds for the full report data to load when you generate a report or navigate between reports. Once the data is loaded, you can view pop-up menus for drill-down reports and any report counts on the chart report formats.


About incident/event reports


Some reports list incidents, event types, and base events. Incidents are categories of related event types, and derive their names from the highest priority event type correlated to the incident. Event types are categories for one or more base events. For example, the following four base events are grouped under the Fragmentation Attack event type:
RCRS/IP_FRAG_ODDLENGTH
RCRS/IP_FRAG_OVERDROP
RCRS/IP_FRAG_TEARDROP
RCRS/IP_FRAG_NOMATCH

A Fragmentation Attack event can consist of any one of these base event types. So, incidents can consist of one or more event types, and event types can map to one or more base events.

Printing and saving reports


With any account, you can save any Network Security console report as a PDF, PS, or HTML file. Select the report format, then simply go to the File menu in the Report window, and select Save to the desired location. To print reports from the Reports window

On the main menu bar, click Reports > File > Print.

About top-level report types


This section describes the following top-level reports that Symantec Network Security generates, most of which also include drill-down reports:

Reports of top events
Reports per incident schedule
Reports per event schedule
Reports by event characteristics
Reports per Network Security device
Drill-down-only reports


Reports of top events


Symantec Network Security generates the following top-level event reports:

Table 9-1 Types of top-level event reports

Top event types: The Top Event Types report lists the event types, such as Synflood, Telnet DoS and Portscan, that occurred most frequently during the specified time period, and the number of times each event type occurred. Also specify the maximum number of unique event types to display. For example, generate a report on the top 10 unique events or top 100 unique events. To view the number of times any event type occurred, hover the cursor over the event. Symantec Network Security generates the Top Event Types report in the table, pie chart and bar chart formats. You can generate several drill-down reports for each event type listed in the Top Event Types report.

Top blocked event types: The Top Blocked Event Types report displays the list of event types that have the most number of blocked events. Symantec Network Security generates the Top Blocked Event Types report in table, pie, and bar chart formats. You can generate several drill-down reports for each event type listed in the Top Blocked Event Types report.

Top event destinations: The Top Event Destinations report lists the most frequently occurring destination IP addresses of detected events. However, the top event destinations do not necessarily map to the top event types. You must specify the report start and end date/time, and number of unique addresses to display. For example, you could generate a report on the top 10 addresses or top 100 addresses. Symantec Network Security generates this report in the table, pie chart and bar chart formats. To view the number of times an IP address was an event destination during the report time period, hover the cursor over the table row, pie piece, or bar corresponding to the event destination. You can generate several drill-down reports for each entry listed in the Top Event Destinations report.

Top event sources: The Top Event Sources report lists the IP addresses that were most frequently the source addresses of detected events. You specify the report start and end date/time, and the maximum number of unique addresses to display. Symantec Network Security generates this report in the table, pie chart and bar chart formats. To view the number of times an event source occurred during the report time period, hover the cursor over the table row, pie piece or bar corresponding to the event source. You can generate several drill-down reports for each entry listed in the Top Event Sources report.

Reports per incident schedule


Symantec Network Security generates the following types of incident reports: Table 9-2 Type Types of incident reports Description

Incidents per month This reports displays the total number of incidents that occurred during each month of the time period you specify. If a month is not listed in the report, then no incidents were detected during that month. Symantec Network Security generates this report in table and column chart formats. You can generate several drill-down reports for each month listed in the Incidents Per Month report. Incidents per day This reports displays the total number of incidents that occurred per day during the time period you specify. If a day is not listed in the report, then no incidents were detected during that day. Symantec Network Security generates this report in table and column chart formats. You can generate several drill-down reports for each day listed in the Incidents Per Day report. This report displays the total number of incidents that occurred per hour during the time period you specify. If an hour is not listed in the report, then no incidents were detected during that hour. The Incidents Per Hour report is generated in table and column chart formats. You can generate several drill-down reports for each hour listed in the Incidents Per Hour report.

Incidents per hour

Reporting About top-level report types

263

Table 9-2 Types of incident reports (continued)

Incident list
  For each incident that occurred during the report period you specify, this report lists the incident start date and time, event type to which the incident is mapped, the name of the device where Symantec Network Security detected the incident, and the number of the Network Security software node that detected the incident. Symantec Network Security generates this report in table format only. You can generate several drill-down reports for each incident listed in the Incident List report.

Reports per event schedule


Symantec Network Security generates the following types of event reports:

Table 9-3 Types of event reports

Events per month
  This report displays the total number of events detected per month during the time period you specify. If a month is not listed in the report, then no events were detected during that month. Symantec Network Security generates this report in stacking bar chart, column chart, and table formats. You can generate several drill-down reports for each month listed in the Events Per Month report.

Events per day
  This report displays the total number of events detected per day during the time period you specify. If a day is not listed in the report, then no events were detected during that day. Symantec Network Security generates this report in stacking bar chart, column chart, and table formats. You can generate several drill-down reports for each day listed in the Events Per Day report.

Events per hour
  This report displays the total number of events detected per hour during the time period you specify. If an hour is not listed in the report, then no events were detected during that hour. Symantec Network Security generates this report in stacking bar chart, column chart, and table formats. You can generate several drill-down reports for each hour listed in the Events Per Hour report.


Reports by event characteristics


Symantec Network Security generates the following types of event reports:

Table 9-4 Types of event reports

Events by classful destination
  This report sorts events by their destination IP addresses, and presents a count of the number of addresses that are from class A, class B and class C networks. Specify report start and end dates/times, and maximum number to display. This report is generated in table, column and bar chart formats. This report has no drill-down reports.

Events by classful source
  This report sorts events by their source IP addresses and presents a count of the number of addresses that are from class A, class B and class C networks. Specify report start and end dates/times, and maximum number to display. This report is generated in table, column and bar chart formats. This report has no drill-down reports.

Events by protocol
  This report lists the number of events detected that exploit each particular protocol, such as ICMP, UDP, TCP, or IP. You specify the report start and end dates/times. Symantec Network Security generates this report in table, bar, column and pie chart formats. This report has no drill-down reports.

Events by vendor
  This report lists the number of events detected per vendor. For example, signatures detected by Symantec Network Security are grouped as RCRS events because RCRS is the vendor ID for Symantec Network Security. You specify the report start and end dates/times. Symantec Network Security generates this report in table, bar, column and pie chart formats. This report has no drill-down reports.

Destinations of source
  This report lists the destination IP address(es) for any event source IP address you specify, and the number of times each address was the destination for the source address. You also specify the report start and end dates/times. This report is generated in table and bar chart formats. You can generate several drill-down reports from the Destinations of Source report.

Sources of destination
  This report lists the source IP address(es) for any event destination IP address you specify, and the number of times each address was the source for the destination address. Specify the report start and end dates/times, and destination address. This report is generated in table and bar chart formats. You can generate several drill-down reports from the Sources of Destination report.


Table 9-4 Types of event reports (continued)

Events by VLAN ID
  This report lists all events for all VLAN IDs. If the VLAN ID has not been set up, the report lists any unknown VLAN IDs as -1. You can generate drill-down event types for each VLAN ID, and further, to the event list.

Events by device
  This report lists all events for all devices and interfaces in the network topology. You can generate drill-down event types by interface.

Event list by destination IP
  This report lists all events by destination IP address for all devices and interfaces in the network topology. You can generate drill-down event lists by destination IP from Top Event Destinations.

Event list by source IP
  This report lists all events by source IP address for all devices and interfaces in the network topology. You can generate drill-down event lists by source IP from Top Event Sources.
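The counts behind the Events by Classful Destination, Events by Classful Source and Top Event Sources reports can be reproduced from a plain list of event records, which makes it easier to sanity-check a report against raw data. The following Python is an added example, not Symantec Network Security code and not part of this guide: the event records are constructed sample data, the function names are the example's own, and the class A/B/C boundaries are the classic first-octet ranges from RFC 791 (0-127, 128-191, 192-223), which the guide does not spell out.

```python
"""Added example (not Symantec Network Security code): reproduce the counts
behind the Events by Classful Destination/Source and Top Event Sources
reports from a list of event records."""
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample events: (detection time, source IP, destination IP).
SAMPLE_EVENTS = [
    ("2004-03-01 09:15:00", "10.1.2.3", "172.16.4.5"),
    ("2004-03-01 09:16:30", "10.1.2.9", "192.168.7.8"),
    ("2004-03-01 10:02:00", "203.0.113.4", "172.16.4.5"),
    ("2004-03-02 11:00:00", "10.1.2.3", "10.9.8.7"),
    ("2004-03-05 23:59:59", "224.0.0.1", "192.168.7.8"),  # class D source
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def ip_class(address: str) -> str:
    """Classful network of an IPv4 address by first octet (RFC 791):
    0-127 is class A, 128-191 class B, 192-223 class C; anything higher
    (class D multicast, class E reserved) is reported as 'other'."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    return "other"


def _in_window(events, start: str, end: str):
    """Yield events whose detection time falls inside [start, end]."""
    lo = datetime.strptime(start, TIME_FMT)
    hi = datetime.strptime(end, TIME_FMT)
    for stamp, src, dst in events:
        if lo <= datetime.strptime(stamp, TIME_FMT) <= hi:
            yield stamp, src, dst


def events_by_class(events, start: str, end: str, field: str = "dst") -> dict:
    """Count events per address class, as the Events by Classful
    Destination (field='dst') and Events by Classful Source (field='src')
    reports do. Classes A, B and C are always present, with 0 when empty."""
    if field not in ("src", "dst"):
        raise ValueError("field must be 'src' or 'dst'")
    counts = Counter()
    for _, src, dst in _in_window(events, start, end):
        counts[ip_class(dst if field == "dst" else src)] += 1
    return {cls: counts.get(cls, 0) for cls in ("A", "B", "C")}


def top_addresses(events, start: str, end: str, field: str = "src",
                  max_unique: int = 10) -> list:
    """Most frequent source (or destination) addresses in the window,
    limited to max_unique entries, as in the Top Event Sources report."""
    if field not in ("src", "dst"):
        raise ValueError("field must be 'src' or 'dst'")
    counts = Counter(dst if field == "dst" else src
                     for _, src, dst in _in_window(events, start, end))
    return counts.most_common(max_unique)


if __name__ == "__main__":
    window = ("2004-03-01 00:00:00", "2004-03-31 23:59:59")
    print(events_by_class(SAMPLE_EVENTS, *window))
    print(events_by_class(SAMPLE_EVENTS, *window, field="src"))
    print(top_addresses(SAMPLE_EVENTS, *window, max_unique=2))
```

The class D source in the sample shows why the report's three columns need not add up to the total number of events: addresses outside classes A to C are counted in neither column.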

Reports per Network Security device


Symantec Network Security generates the following types of device reports:

Table 9-5 Types of device reports

Network Security login history
  This report lists the user login times, IP addresses from which the user logged in, and the type of user that logged in, either a SuperUser with full read/write privileges, or one of the other user login accounts with limited permissions. Specify the report start and end dates/times. This report is generated in table format only. This report has no drill-down reports.

Network Security operational events
  This report lists operational events such as user logins, communication errors, response actions, and license status notifications. This report allows you to drill down to event details.


Table 9-5 Types of device reports (continued)

Devices with flow statistics
  This report lists names for devices on which the Flow Status Collection sensor mode is enabled, and the number of the software or appliance node where the sensor is located. Symantec Network Security generates this report in table format only. With a SuperUser, Administrator, or StandardUser account, you can generate several drill-down reports for details on source and destination IP addresses and ports for the flows, as well as flow protocols.

Note: SuperUsers, Administrators, and StandardUsers can generate reports from devices with flow statistics; RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Drill-down-only reports

Most top-level report types are also available as drill-down reports within other top-level reports. However, some Network Security console reports are accessible only as drill-down reports from within top-level reports or other drill-down reports. This section describes the following drill-down-only reports.

Table 9-6 Drill-down-only reports

Incident details
  For the incident you select, data is displayed within the Incident List report.

Event list
  This report lists all the events contained in the selected incident or time period, as well as the event end time, the event source and destination IP addresses, and the name of the device where the event was detected. Symantec Network Security generates the Event List report in table format only. You can access this report from within any Incidents or Events report, as well as from within the Top Event Destination and Top Event Source reports.

Event details
  The Event Details report displays the data within any Event List report.

Reporting Querying flows

267

Table 9-6 Drill-down-only reports (continued)

Sources of event
  The Sources of Event report lists all of the source IP addresses for the event you select. Symantec Network Security generates this report in table, pie chart and bar chart formats. You can generate this report from within the Top Event Types report.

Destinations of event
  The Destinations of Event report lists all of the destination IP addresses for the event you select. Symantec Network Security generates this report in table, pie chart and bar chart formats. You can generate this report from within the Top Event Types report.

Flows by source address
  This report lists the source IP addresses of flows found on devices with the Flow Status Collection sensor mode enabled. You can generate this report from within the Devices with Flow Statistics report.

Flows by destination address
  This report lists the destination IP addresses of flows found on devices with Flow Status Collection sensor mode enabled. You can generate this report from within the Devices with Flow Statistics report.

Flows by source port
  This report lists the source ports of flows found on devices with Flow Status Collection sensor mode enabled. You can generate this report from within the Devices with Flow Statistics report.

Flows by destination port
  This report lists the destination ports of flows found on devices with Flow Status Collection sensor mode enabled. You can generate this report from within the Devices with Flow Statistics report.

Flows by protocol
  This report lists the protocols of flows found on devices with Flow Status Collection sensor mode enabled. You can generate this report from within the Devices with Flow Statistics report.

Querying flows
FlowChaser serves as a data source in coordination with Symantec Network Security TrackBack, a response mechanism that traces a DoS attack or network flow back to its source. The FlowChaser database can be queried for flows by port and arbitrary address. The Network Security console displays both current flow data and exported flow data, and provides secondary query options from the results page. Symantec Network Security provides query options as follows:

  - In Query Current Flows or Query Exported Flows
  - In Event Details, right-click the IP address to see the flow statistics
  - In Event Details of an Exported Related Flows, exported flows are displayed

The Network Security console retrieves a limited number of records for each query, which prevents overloading memory, and displays the results in a table. If more results are available, click Next Results to proceed. This section includes the following:

  - Viewing current flows
  - Viewing exported flows
  - Playing recorded traffic

Note: SuperUsers, Administrators, and StandardUsers can view flow data; RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Viewing current flows


View Current Flows enables you to search against all of the flows collected by FlowChaser. These flows are stored in memory, so they are not persistent.

To query current flows
1 On the main menu bar, click Flows > View Current Flows.
2 In Current Flow Data, select one of the following tabs:
  - Match Source and Destination: This will make a more focused query on specific source and destination IPs.
  - Match Either Source or Destination: This will make a broader query on either a source IP or a destination IP.
3 In Match Source and Destination, you can display flows that pertain only to specific source IPs and destination IPs. To make this a more focused query, enter data in the following fields:
  - In Source IP, enter a numeric IP address.
  - In Prefix Len, enter a mask of the IP address in integers between 1 and 32.
  - In Port, enter a valid port number.
  - In Destination IP, enter a numeric IP address.
  - In Prefix Len, enter a mask of the IP address in integers between 1 and 32.
  - In Port, enter a valid port number.
4 In Match Either Source or Destination, you can display flows that pertain to either a source IP or a destination IP. To make this a broader query, enter data in the following fields:
  - In Source or Destination IP, enter a numeric IP address.
  - In Prefix Len, enter a mask of the IP address in integers between 1 and 32.
  - In Port, enter a valid port number.

Note: The Network Security console displays the flow data in table format, one page at a time. You can sort the table by clicking the heading of any column. This sort, however, applies only to the page currently displayed, which may be only a portion of the entire report. At the top of the display, a prompt indicates how many flows are currently displayed, out of the total report.

5 Do one of the following:
  - Click Start Query to run a flow query based on the parameters that you configured.
  - Click Next Results to view the next page of a query that was too large to display in its entirety.
  - Click Clear to stop the active query and remove the results from display.

Viewing Flow Statistics


The Incidents tab enables you to view the Flow Statistics of any particular event.

To view flow statistics
1 On the Incidents tab, right-click an incident.
2 Click View Incident Details.
3 In Incident Details, right-click the Top Source IP.
4 Click Flow Statistics.
To run a query from this location, see Viewing current flows on page 268.


Viewing exported flows


Query Exported Flows enables you to search against flow data that has been logged to the disk database. This enables flow data to be saved when a certain condition is triggered. The result is that a new event appears in the Network Security console with a link to the actual flow data. The search dialog allows the user to search across all the flows that have been exported.

To query exported flows
1 On the main menu bar, click Flows > View Exported Flows.
2 Choose one of the following tabs:
  - Match Source and Destination: This will make a more focused query on specific source and destination IPs.
  - Match Source or Destination: This will make a broader query on either a source IP or a destination IP.
3 In Match Source and Destination, you can display only flows that pertain to specific source and destination IPs. To make this more focused query, enter data in the following fields:
  - In Source IP, enter a numeric IP address.
  - In Port, enter a valid port number.
  - In Destination IP, enter a numeric IP address.
  - In Port, enter a valid port number.
4 In Match Source or Destination, you can display flows that pertain to either a source IP or a destination IP. To make this broader query, enter data in the following fields:
  - In Source or Destination IP, enter a numeric IP address.
  - In Port, enter a valid port number.

Note: The Network Security console displays the flow data in table format, one page at a time. You can sort the table by clicking the heading of any column. This sort, however, applies only to the page currently displayed, which may be only a portion of the entire report. At the top of the display, a prompt indicates how many flows are currently displayed, out of the total report.

5 Do one of the following:
  - Click Start Query to run a flow query based on the parameters that you configured.
  - Click Next Results to view the next page of a query that was too large to display in its entirety.

Reporting Playing recorded traffic

271

  - Click Clear to stop the active query and remove the results from display.
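The two query modes described above (Match Source and Destination, which requires both sides of a flow to match, and Match Either Source or Destination, which accepts a match on either side), the Prefix Len range of 1 to 32, and the page-at-a-time results display can all be modelled in a few lines, which is useful for checking what a given set of fields will and will not return before running it against a large flow store. The following Python is an added example, not FlowChaser code or any part of this guide: the Flow records are constructed samples, the function names are the example's own, the port check (1 to 65535) is an assumption about what the console accepts as a valid port number, and a Prefix Len of 32 is used as the default so that the Query Exported Flows form, which has no Prefix Len field, behaves as an exact-address match.

```python
"""Added example (not FlowChaser or Symantec Network Security code): the
matching logic behind the Match Source and Destination and Match Either
Source or Destination flow queries, with the page-at-a-time display."""
import ipaddress
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# Constructed sample flow records, standing in for the FlowChaser store.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", 4123, "192.0.2.10", 80, "tcp"),
    Flow("10.1.2.77", 5000, "192.0.2.10", 443, "tcp"),
    Flow("10.1.9.5", 53, "198.51.100.2", 53, "udp"),
    Flow("203.0.113.9", 33000, "10.1.2.3", 22, "tcp"),
    Flow("172.16.0.4", 1024, "192.0.2.11", 80, "tcp"),
]


def endpoint_matches(flow_ip: str, flow_port: int, ip: Optional[str],
                     prefix_len: int, port: Optional[int]) -> bool:
    """One side of a flow matches when its address lies inside ip/prefix_len
    and, if a port was given, its port equals it. An empty IP field matches
    any address. Prefix Len follows the console's allowed range of 1 to 32;
    the port range is this example's assumption of a valid port number."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("Prefix Len must be an integer between 1 and 32")
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("Port must be a valid port number")
    if ip is not None:
        network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        if ipaddress.ip_address(flow_ip) not in network:
            return False
    return port is None or flow_port == port


def match_source_and_destination(flows, src_ip=None, src_prefix=32, src_port=None,
                                 dst_ip=None, dst_prefix=32, dst_port=None):
    """Focused query: both the source and the destination side must match."""
    return [f for f in flows
            if endpoint_matches(f.src_ip, f.src_port, src_ip, src_prefix, src_port)
            and endpoint_matches(f.dst_ip, f.dst_port, dst_ip, dst_prefix, dst_port)]


def match_either(flows, ip=None, prefix_len=32, port=None):
    """Broader query: the criteria may be met by either side of the flow.
    Note that the port is checked on the same side as the address, so
    port=53 with a 10/8 prefix finds flows with a 10.x endpoint on port 53."""
    return [f for f in flows
            if endpoint_matches(f.src_ip, f.src_port, ip, prefix_len, port)
            or endpoint_matches(f.dst_ip, f.dst_port, ip, prefix_len, port)]


def results_page(results, page_size: int, page_index: int = 0):
    """Return one page of results plus the 'shown X-Y of N' figures, as the
    console retrieves a limited number of records per query and the Next
    Results button advances page_index."""
    total = len(results)
    first = page_index * page_size
    rows = results[first:first + page_size]
    shown_first = first + 1 if rows else 0
    shown_last = first + len(rows) if rows else 0
    return rows, shown_first, shown_last, total


if __name__ == "__main__":
    hits = match_source_and_destination(SAMPLE_FLOWS, src_ip="10.1.2.0",
                                        src_prefix=24, dst_ip="192.0.2.10")
    print(hits)
    print(results_page(match_either(SAMPLE_FLOWS, ip="10.1.2.3"), page_size=1))
```

The sorting caveat in the note above carries over directly: sorting the list that results_page returns reorders only that page, not the full result set.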

Playing recorded traffic


Like the FlowChaser, Query Current Flows, and Query Exported Flows, the Traffic Playback Tool provides another way to search recorded data outside of the Network Security reporting system. When you set a response rule to record events of a particular description, you can then use the Traffic Playback Tool to replay and scrutinize the records of those events. See Managing response rules on page 138.

Replaying recorded traffic flow data


The Network Security console provides two ways to review recorded traffic data: from the Query button or from the Incidents tab on the main menu of the Network Security console. The record of events is displayed as a table with each row corresponding to one event. By selecting an event, you can display the flow or delete the event. In the flow view, you can replay the details of the traffic flow data.

To replay traffic flow data
1 On the main menu bar, do one of the following:
  - Click Flows > Traffic Playback > select a node > OK.
  - Click Incidents > double-click the Traffic Record Finished event > Event Message. Skip Steps 2 and 3, and proceed directly to Step 4.
2 In Traffic Playback Configuration, you can adjust the view as follows:
  - To adjust your view of Recorded Events, click Column.
  - To remove events you do not want to view, click the event, and then click Delete.
3 In Recorded Events, click the row corresponding to an event to view the flow of that event in Flows of Selected Record.
4 In Flows of Selected Record, click a row corresponding to a flow, then click Playback.
5 In Packet Replay Tool, view the detailed packet data, one packet at a time.
6 To view all packet data in a session that includes multiple packets, on Symantec Packet Replay Tool, click View > Show Session Window.


Return to Symantec Packet Replay Tool, and click Go.

Note: SuperUsers can view playbacks of recorded traffic; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Chapter 10

Managing log files


This chapter includes the following topics:

  - About the log files
  - Managing logs
  - Configuring automatic archiving
  - Exporting data

About the log files


Symantec Network Security maintains multiple logging databases and tools to view, compress, and archive them. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail. This section describes the following:

  - About the install log
  - About the operational log

About the install log


Symantec Network Security creates an install log that records all of the parameters entered during the installation procedure. The Network Security console provides a view of the install log file of each node via Admin > Node > Manage Logs, which displays the date and time of installation.

274 Managing log files Managing logs

About the operational log


The operational log records events that Symantec Network Security is processing, such as startup and shutdown of the Network Security software or appliance node, or errors experienced within the node. The Network Security console provides a view of the operational log file of each node via Admin > Node > Manage Logs. All actions or modifications made in the Network Security console to a software or appliance node are logged to the operational log file, which includes information such as the date and time, name, type of modification, and other data specific to the modification.

Note: If you reset the system clock backward on a software or appliance node, you must rotate the log database. If you do not, the incident list displayed in the Network Security console may not update properly during the time difference.

Note: For information about how to convert logs to text manually, see About the Knowledge Base on page 22.

Managing logs
Symantec Network Security provides log and database management from the Network Security console, described in the following sections:

  - Viewing log files
  - Viewing live log files
  - Archiving log files
  - Copying log files
  - Deleting log files

Note: All users can view log files; only SuperUsers and Administrators can manage them. See User groups reference on page 353 for more about permissions.

Viewing log files


The Network Security console provides an easy way to view log files.


To view log files
1 On the main menu bar, click Admin > Node > Manage Logs.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Log Files, do one of the following:
  - Click a log file to select it.
  - Click Refresh Table to get the latest logs.
4 In Actions, click View.
5 In View Log, do any or all of the following:
  - Scroll to read all lines on the log.
  - On the Operational Log tab, view the log.
  - On the Events tab, view the events.
  - In Go To Page, enter a page number.
  - Click Next Page to progress forward.
  - Click Previous Page to progress backward.
6 Click Close to exit.

Note: All users can view log files. See User groups reference on page 353 for more about permissions.

Viewing live log files


The Network Security console provides an easy way to view live log files.

To view live log files
1 On the main menu bar, click Admin > Node > Manage Logs.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Log Files, do one of the following:
  - Click a log file to select it.
  - Click Refresh Table to get the latest logs.
4 In Actions, click View Live Log.
5 In Live Log, scroll to read all lines on the log.
6 Click Close to exit.


Note: All users can view live log files. See User groups reference on page 353 for more about permissions.

Archiving log files


The Network Security console provides an easy way to archive log files. The archiving process takes place in the background and may take a few minutes to complete.

To archive log files
1 On the main menu bar, click Admin > Node > Manage Logs.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Log Files, click a log file to select it.
4 In Actions, click Archive > OK.
5 Click Close to exit.

Note: SuperUsers and Administrators can archive log files; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Copying log files


The Network Security console provides an easy way to copy log files. You must first establish a password-less SCP connection between the node and the target host before attempting this procedure.

To copy log files
1 On the main menu bar, click Admin > Node > Manage Logs.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 Select a log from the log file list.
4 In Actions, click Secure Copy.
5 In Secure Copy Options, enter the following information:
  - In Filename, view the name of the selected log file.
  - In Hostname, enter the name of the server receiving the log copy.
  - In Directory, enter the directory.
  - In Username, enter the user name.
6 Click OK to save a copy of the log file in the desired location and exit.

Note: SuperUsers and Administrators can copy log files; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Deleting log files


The Network Security console provides an easy way to delete log files.

To delete log files
1 On the main menu bar, click Admin > Node > Manage Logs.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Log Files, click a log file to select it.
4 In Actions, click Delete.
5 Click Yes.

Note: SuperUsers and Administrators can delete log files; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Refreshing the list of log files


The Network Security console provides a way to update the view after each change to the log file table.

To refresh the table
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Logs, click Refresh Table.

Note: All users can refresh the log files table. See User groups reference on page 353 for more about permissions.

278 Managing log files Configuring automatic archiving

Configuring automatic archiving


Symantec Network Security provides configuration of automatic log and database tasks via the configurable parameters. SuperUsers and Administrators can configure Symantec Network Security to perform logging tasks automatically, such as archiving, transferring via SCP, rotating, and compressing, by setting log and database parameters:

  - Setting automatic logging levels
  - Archiving log files
  - Compressing log files

Setting automatic logging levels


The Network Security console provides a way to determine the amount of information written to the operational Network Security log file by configuring the Operational Logging Level parameter. Operational Logging Level controls the amount of information written to the operational log file. The default value is set to level 5. Values range from 0 to 10, inclusive.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click Operational Logging Level.
4 In the lower right pane, enter a log level. Values range from 0 to 10, inclusive, as follows:
  0   Logs only critical messages
  1   Logs error and critical messages
  5   Logs informational, error, and critical messages; all modifications and additions to the software or appliance node configuration are logged (excluding the detailed request message).
  10  Verbose logging in which every add, modify, and search request from the Network Security console to the software or appliance node is logged, including the contents of the request message. Use this level for strict auditing.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.

Note: For information about how to manage logs manually, see About the Knowledge Base on page 22.

Archiving log files


To conserve disk space and ensure optimal performance, the Network Security incident and event logs should be archived and compressed periodically. SuperUsers and Administrators can archive the logs based on file size, time, or both. To conserve space on the node, you can use Secure Copy Protocol (SCP) to move the archived logs to another host. Symantec Network Security automatically performs log archiving based on log size. SuperUsers and Administrators can control log archiving by editing the Size to Trigger Rotation parameter. Alternatively, you can configure Symantec Network Security to perform time-based log archiving. In either case, you must configure the Compression On/Off Switch if log compression is desired.

Caution: Tune your log file archiving based on the amount of attack traffic your site experiences. If the log directory becomes full, logging and reporting of incident and event data to the Network Security console will be suspended. Monitor your disk space to ensure that there continues to be sufficient space for the logs.

Use the following Log and Database Parameters to establish a self-regulating system that shrinks and grows without intervention:

  - Setting Size to Trigger Rotation
  - Setting Limit Size for Archive Directory
  - Setting Limit Size for Traffic Record Directory


Setting Size to Trigger Rotation


Size to Trigger Rotation determines the size at which the logs and database files are archived. Symantec Network Security checks the log and database sizes periodically, and archives them when they exceed this size. The default value is set to 250 MB. Before changing this value, check the amount of available disk space. Increasing the value with compression enabled impacts performance during the compression process. The maximum value allowed is 10,000 MB. The Network Security console provides a way to edit this value, depending on the amount of available disk space, the rate of events, and the need for archived data.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Size to Trigger Rotation.
4 In the lower right pane, enter the log size in megabytes.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Note: If you set this value at too large a number with compression enabled, it may put excess strain on the node when the logs eventually archive. See Setting Compression On/Off Switch on page 283.

Setting Limit Size for Archive Directory


Limit Size for Archive Directory indicates the size at which Symantec Network Security clears the archive directory. If archive data files take more disk space than indicated by this value, then files are removed, starting with the oldest, to satisfy the limit.


The default value is 5 GB, and the minimum effective value is 1 GB. If this parameter is not set, then the archive directory is not cleared at any size.

Note: If Limit Size for Archive Directory is configured to any value greater than 0, Symantec Network Security automatically clears the archive directory each time the size limit is breached. If this occurs as you are attempting to view it, an error message appears. Simply close and reopen the window to refresh the available contents.

Note: This parameter refers only to the amount of data archived, not to the total disk usage.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Limit Size for Archive Directory.
4 In the lower right pane, enter a size in GB.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.

Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.

7 Click OK to save the changes to this node and close.

Setting Limit Size for Traffic Record Directory


Limit Size for Traffic Record Directory indicates the size at which Symantec Network Security clears the traffic record directory. If traffic record files take more disk space than indicated by this value, then files are removed, starting with the oldest, to satisfy the limit. The default value is 5 GB, and the minimum effective value is 1 GB. If this parameter is not set, then the traffic record directory is not cleared at any size.


Note: If Limit Size for Traffic Record Directory is configured to any value greater than 0, Symantec Network Security automatically clears the traffic record directory each time the size limit is breached. If this occurs as you are attempting to replay it, an error message appears. Simply close and reopen the window to refresh the available contents.

Note: This parameter refers only to the amount of data recorded, not to the total disk usage.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Limit Size for Traffic Record Directory.
4 In the lower right pane, enter a size in GB.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Compressing log files


The Network Security console provides a way to conserve disk space by configuring Symantec Network Security to automatically compress log files when they are archived, regardless of the method of archiving. Log file compression is also useful when transferring via SCP. If compression is enabled, then when the operational log is archived, it is renamed using the manhunt.YYMMDDHHMMSS.bz2 format. In that case, the incident and event logs are also compressed and named in the logs.YYMMDDHHMMSS.tar.bz2 format. If compression is disabled, then when the operational log is archived, it is renamed using the manhunt.YYMMDDHHMMSS format. In that case, the incident and event logs are archived into a single file, and named in the logs.YYMMDDHHMMSS.tar format. In either case, when the event log is archived, it is signed by the iButton or soft token, whether compression is enabled or not.

Note: Compression may require large amounts of memory and CPU for large logs.

Use the following parameters to configure compression procedures:

Setting Compression On/Off Switch
Setting Compression Command
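The following is an added example, not code from Symantec Network Security, that models the clean-up rules of the Limit Size for Archive Directory and Limit Size for Traffic Record Directory parameters above (0 or unset never clears, the minimum effective value is 1 GB, only archived data counts, oldest files go first) and reads file ages from the archive names the compression section describes. The function names and the SAMPLE_FILES listing are this example's own.

```python
"""Oldest-first clean-up of an archive directory against a size limit.

Added example, not code from the Symantec product. It models the rules the
guide gives for Limit Size for Archive Directory (and Limit Size for Traffic
Record Directory): 0 or unset means never clear, anything else is at least
1 GB, only archived data counts, and files are removed oldest first until the
limit is met. Ages are read from the archive names the compression section
describes, manhunt.YYMMDDHHMMSS[.bz2] and logs.YYMMDDHHMMSS.tar[.bz2].
The SAMPLE_FILES listing is constructed for the demonstration.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

GB = 1024 ** 3

# manhunt.040315123000 / manhunt.040315123000.bz2 / logs.040315123000.tar(.bz2)
ARCHIVE_NAME = re.compile(
    r"^(?P<kind>manhunt|logs)\.(?P<ts>\d{12})(?P<tar>\.tar)?(?P<bz2>\.bz2)?$"
)


def parse_archive_name(name: str) -> Optional[Dict[str, object]]:
    """Return kind, timestamp and compression flag, or None if not an archive.

    manhunt.* is the archived operational log; logs.* is the tar of the
    incident and event logs, so logs.* must carry .tar and manhunt.* must not.
    """
    m = ARCHIVE_NAME.match(name)
    if not m or (m["kind"] == "logs") != (m["tar"] == ".tar"):
        return None
    return {
        "kind": m["kind"],
        "timestamp": datetime.strptime(m["ts"], "%y%m%d%H%M%S"),
        "compressed": m["bz2"] == ".bz2",
    }


def effective_limit_bytes(limit_gb: Optional[float]) -> Optional[int]:
    """None means the directory is never cleared; otherwise at least 1 GB."""
    if limit_gb is None or limit_gb <= 0:
        return None
    return int(max(limit_gb, 1.0) * GB)


def select_for_removal(files: Dict[str, int], limit_gb: Optional[float]) -> List[str]:
    """Names to delete, oldest first, until the archived data fits the limit.

    files maps file name to size in bytes. Files that do not follow the
    archive naming scheme neither count toward the limit nor get removed,
    mirroring the note that the parameter measures archived data, not disk use.
    """
    limit = effective_limit_bytes(limit_gb)
    if limit is None:
        return []
    archives: List[Tuple[datetime, str, int]] = []
    for name, size in files.items():
        info = parse_archive_name(name)
        if info is not None:
            archives.append((info["timestamp"], name, size))
    total = sum(size for _, _, size in archives)
    removed: List[str] = []
    for _, name, size in sorted(archives):
        if total <= limit:
            break
        removed.append(name)
        total -= size
    return removed


# Constructed directory listing (name -> bytes); not taken from a real node.
SAMPLE_FILES = {
    "manhunt.040301000000.bz2": 2 * GB,
    "logs.040301000000.tar.bz2": 1 * GB,
    "manhunt.040302000000.bz2": 2 * GB,
    "logs.040302000000.tar.bz2": 1 * GB,
    "README": 10 * GB,  # ignored: not an archive, so it does not count
}

if __name__ == "__main__":
    for name in select_for_removal(SAMPLE_FILES, 5):
        print("would remove", name)
```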

Setting Compression On/Off Switch


Compression On/Off Switch determines whether Symantec Network Security automatically compresses log files when archived, regardless of the archiving method. Use Compression On/Off Switch to save disk space or to move log files via Secure Copy Protocol (SCP). If you activate log compression, you can also specify the compression command. By default, the value of this parameter is set to off.

Note: You do not need to set Compression Command for 7100 Series nodes, because the command is predetermined on appliances.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Compression On/Off Switch.
4 In the lower right pane, enter a value of on to enable log compression.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: For large logs, compression may require large amounts of memory and CPU usage.

Note: For how to verify log files manually, see About the Knowledge Base on page 22.

Setting Compression Command


Compression Command indicates the command that Symantec Network Security follows to compress operational log or database files during the archiving procedure. If you do not specify a compression command for the software node, Symantec Network Security makes a sequential search for bzip, gzip, and then compress, in that order.

Note: You do not need to set Compression Command for 7100 Series nodes, because the command is predetermined on appliance nodes.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Compression Command.
4 In the lower right pane, enter the compression command for Symantec Network Security to use on archived logs.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: For large logs, compression may require large amounts of memory and CPU usage.

Note: To find out how to verify log files manually, visit the Knowledge Base. See About the Knowledge Base on page 22.

Exporting data
Symantec Network Security provides multiple ways to export log and database files, or transfer them to another host for long-term storage. Export to file if you want the log in a format that is readable by other programs or applications. Other methods of export use the Symantec format. This section includes the following forms of export:

Exporting to file
Exporting to SESA
Exporting to SQL
Exporting to syslog
Transferring via SCP

Exporting to file
Export to file if you want the log files written in a readable format that can be used by other applications.

Setting Event Writer File


Event Writer File enables you to export event data to a file in a format that other applications can read, in addition to exporting it to the database. To configure Symantec Network Security to output event data to a file, enter a valid pathname for the Event Writer File. There is no default.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click Event Writer File.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.

Exporting to SESA
Symantec Network Security can export event data to Symantec Enterprise Security Administrator (SESA) using the SESA Bridge Export node parameter. You can install the Bridge on both software and appliance nodes by running the Bridge installation script located in the /usr/SNS/install/sesabridge directory. The SESA Bridge enables you to send events from Symantec Network Security to the SESA management console. The Bridge is not required to use Symantec Network Security in native mode. This section describes the following topics:

Integrating with SESA
Setting SESA Bridge Export

Integrating with SESA


Symantec Network Security includes the capability to send security events to SESA. You cannot configure Symantec Network Security from the SESA Console. The installation procedure installs the SESA Bridge with Symantec Network Security, so all you have to do is enable exporting to SESA via the SESA Bridge Export parameter. You need the following:

Symantec Network Security installed on a dedicated computer, or Symantec Network Security 7100 Series appliance
SESA 2.0
SESA Integration Package (SIP) installed on the SESA Manager, to register Symantec Network Security with SESA 2.0
SESA Bridge installed on each software or appliance node that will send events to SESA
SESA Agent
Symantec Event Manager for Intrusion Protection (The Symantec Event Manager is optional. To view reports, you must install it, but to view raw events, you do not need it.)

See the Symantec Network Security Installation Guide and Symantec Network Security 7100 Series Implementation Guide for more information about the SESA Bridge.

Setting SESA Bridge Export


SESA Bridge Export serves as the on/off switch for sending events to Symantec Enterprise Security Administrator (SESA). If this value is true, events are sent to the local SESA Agent to be passed on to a SESA Manager. Note that you must have a local SESA Agent installed and configured for the SESA Bridge to function. The default value is false on 7100 Series appliances. On Network Security software nodes, this default reflects whether or not the SESA Bridge was installed during the installation process. You can use either the default SESA Event Manager, or the IDS Event Manager. The SESA Bridge option is not required to use Symantec Network Security in native mode.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under SESA Event Export, click SESA Bridge Export.
4 In the lower right pane, do one of the following:
Click True to enable the SESA Bridge.
Click False to disable the SESA Bridge.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: It may take up to 10 minutes for changes to this parameter to take effect.

Exporting to SQL
Symantec Network Security can export event and incident data to two supported SQL-compliant databases: Oracle 9i and MySQL 4.0. A Java Database Connectivity (JDBC) driver identifies the type of database to use, and defines how Symantec Network Security communicates to the database. JDBC drivers for both Oracle and MySQL must be obtained externally and installed in the following directory before exporting to SQL:
/usr/SNS/java

You can set configurable parameters to indicate which driver you want to use, if any, create user login accounts, and establish tables on the database.

Note: To find out how to set up export tables for incident and event databases to export to Oracle or MySQL, see SQL reference on page 365. To find out how to configure SQL export manually, visit the Knowledge Base. See About the Knowledge Base on page 22.

This section includes the following export parameters:

Setting Cluster ID
Setting JDBC Driver
Setting DB Connection String
Setting DB User
Setting DB Password


Setting Cluster ID
Cluster ID indicates the Network Security cluster sending a message, so that you can distinguish messages from multiple clusters if spooled to the same database. This parameter is included in all event and incident messages sent to the database, and should be unique for each Network Security cluster. Assign the same Cluster ID to all nodes within a cluster that you enable to export to SQL.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.

Setting JDBC Driver


JDBC Driver indicates the classpath of the JDBC driver that Symantec Network Security uses when exporting to MySQL or Oracle databases. The Symantec Network Security software does not include JDBC drivers, so you must obtain and install them separately.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter the JDBC Driver using one of the following classpath formats:
Oracle: oracle.jdbc.OracleDriver
MySQL (Connector/J): org.gjt.mm.mysql.Driver
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security after changing this parameter. Changes will not take effect until the cluster synchronizes the changes, and each node is restarted.

Setting DB Connection String


DB Connection String indicates the string that Symantec Network Security uses to connect to the MySQL or Oracle database.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a string. Depending on the type of database, use one of the following:
Oracle: The standard Oracle NET8/SQL*NET port is 1521, and the format is as follows: jdbc:oracle:thin:\@//<FQDN of the oracle DB server>:<port number>/<databasename>
MySQL: The default port for non-localhost MySQL connections is currently 3306, and the format is as follows: jdbc:mysql://<FQDN of the MySQL DB server>:<port number>/<database name>?autoReconnect=true
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.
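The following is an added example, not code from Symantec Network Security, that checks a node's JDBC Driver and DB Connection String against the two formats given above (Oracle thin driver on 1521, MySQL Connector/J on 3306 with autoReconnect=true) and checks Cluster ID assignments across nodes as the Cluster ID section requires. The function names and the host names and IDs in SAMPLE_NODES are this example's own.

```python
"""Consistency check for the SQL export parameters described above.

Added example, not code from the Symantec product. It encodes the driver
class names and connection string formats the guide gives for Oracle (thin
driver, port 1521) and MySQL Connector/J (port 3306, autoReconnect=true),
plus the rule that every node in a cluster shares one Cluster ID and no two
clusters share one. Host names and IDs in the sample are constructed.
"""
import re
from typing import Dict, List, Optional

# JDBC Driver value -> database type it belongs to
DRIVER_CLASSES = {
    "oracle.jdbc.OracleDriver": "oracle",
    "org.gjt.mm.mysql.Driver": "mysql",
}
DEFAULT_PORTS = {"oracle": 1521, "mysql": 3306}

# jdbc:oracle:thin:@//<host>:<port>/<db>  (the guide writes the @ as \@;
# both spellings are accepted here)
ORACLE_URL = re.compile(
    r"^jdbc:oracle:thin:\\?@//(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^/?]+)$"
)
# jdbc:mysql://<host>:<port>/<db>?autoReconnect=true
MYSQL_URL = re.compile(
    r"^jdbc:mysql://(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^/?]+)"
    r"(?:\?(?P<query>[^#]*))?$"
)


def parse_connection_string(conn: str) -> Optional[Dict[str, object]]:
    """Split a DB Connection String into type, host, port, database, options."""
    for dbtype, pattern in (("oracle", ORACLE_URL), ("mysql", MYSQL_URL)):
        m = pattern.match(conn)
        if m:
            query = m.groupdict().get("query") or ""
            options = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
            return {
                "type": dbtype,
                "host": m["host"],
                "port": int(m["port"]),
                "database": m["db"],
                "options": options,
            }
    return None


def check_sql_export(driver: str, conn: str) -> List[str]:
    """Problems in one node's JDBC Driver / DB Connection String pair.

    An empty list means the pair is consistent with the formats in the guide.
    """
    problems: List[str] = []
    dbtype = DRIVER_CLASSES.get(driver)
    if dbtype is None:
        problems.append(f"unknown JDBC Driver class {driver!r}")
    parsed = parse_connection_string(conn)
    if parsed is None:
        problems.append("DB Connection String does not match the Oracle or MySQL format")
        return problems
    if dbtype and parsed["type"] != dbtype:
        problems.append(f"JDBC Driver is for {dbtype} but DB Connection String is for {parsed['type']}")
    if parsed["port"] != DEFAULT_PORTS[parsed["type"]]:
        problems.append(f"non-default port {parsed['port']} for {parsed['type']}; confirm the listener")
    if parsed["type"] == "mysql" and parsed["options"].get("autoReconnect") != "true":
        problems.append("MySQL connection string lacks ?autoReconnect=true")
    return problems


def check_cluster_ids(clusters: Dict[str, Dict[str, str]]) -> List[str]:
    """Check Cluster ID assignments: one ID per cluster, distinct across clusters.

    clusters maps cluster name -> {node name: Cluster ID}.
    """
    problems: List[str] = []
    seen: Dict[str, str] = {}  # Cluster ID -> cluster name that uses it
    for cluster, nodes in clusters.items():
        ids = set(nodes.values())
        if len(ids) > 1:
            problems.append(f"cluster {cluster} has mixed Cluster IDs: {sorted(ids)}")
        for cid in ids:
            owner = seen.setdefault(cid, cluster)
            if owner != cluster:
                problems.append(f"Cluster ID {cid} is used by both {owner} and {cluster}")
    return problems


# Constructed sample node settings (not real hosts).
SAMPLE_NODES = {
    "sns-node1": ("oracle.jdbc.OracleDriver", "jdbc:oracle:thin:@//db.example.test:1521/snsdb"),
    "sns-node2": ("org.gjt.mm.mysql.Driver", "jdbc:mysql://db.example.test:3306/snsdb"),
}

if __name__ == "__main__":
    for node, (drv, url) in SAMPLE_NODES.items():
        print(node, check_sql_export(drv, url) or "ok")
```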

Setting DB User
DB User indicates the user name that Symantec Network Security uses to authenticate against the database. Make sure to grant the proper permissions to the user. See Permissions by user group on page 354.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value. Depending on the type of database, use one of the following:
Oracle: The user must have CREATE SESSION permission granted. You may also want to grant UNLIMITED TABLESPACE, which means that the Oracle disk quota does not apply. Queries will begin failing once the Oracle user fills up the disk quota. See the Oracle documentation for creating user login accounts.
MySQL: The user must have the following permissions granted: CREATE, INSERT, DELETE. See the MySQL documentation for creating user login accounts.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for a change to this parameter to take effect.

Setting DB Password
DB Password indicates the password that Symantec Network Security uses to authenticate against the MySQL or Oracle database.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under SQL Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a password.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for a change to this parameter to take effect.

Note: See also SQL reference on page 365.


Exporting to syslog
The Network Security console provides a way to export to syslog on a cluster-wide basis now, or override cluster configuration at the node level. Only events are exported to syslog, not incidents. The Network Security console provides a way to export log files to flat file or remote UNIX syslog. SuperUsers and Administrators can export log files to Oracle or to MySQL. SuperUsers and Administrators can configure Symantec Network Security to send copies of its operational log messages to the UNIX syslog facility. To do so, you must configure syslog to receive the operational log data, and enable Symantec Network Security to send data to a syslog server by entering a non-zero value for the Echo Operational Log to Syslog parameter. The value must correspond to syslog priority levels 1-4, inclusive.

Note: To export to syslog, syslog must be running in remote mode. This may not necessarily be the default. See the Unix or Linux man pages for more details.

Note: SuperUsers and Administrators can export logs; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Symantec Network Security can export event data to syslog. Data remains in the proprietary format. Syslog is always considered remote, even if located on the same host. This section includes the following syslog export parameters:

Setting Syslog Event Export
Setting Echo Operational Log to Syslog
Setting Remote Syslog Destination Host
Setting Remote Syslog Destination Port
Setting Syslog Maximum Message Size

Setting Syslog Event Export


Syslog Event Export serves as the main on/off switch for sending event data to syslog. If this value is true, then events are sent to syslog. The default value is false. Note that you must also configure the Remote Syslog Destination Host for this parameter to function.


To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Syslog Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: It may take up to 10 minutes for changes to this parameter to take effect.

Setting Echo Operational Log to Syslog


Echo Operational Log To Syslog determines whether operational log messages are copied to syslog. A value greater than 0 enables Echo Operational Log to Syslog, and sets the severity level as well. Syslog severity scale is from 1 through 4, inclusive, 1 being the most severe, and 4 being the least severe. A value of 0 disables Echo Operational Log to Syslog. You must also set Remote Syslog Destination Host, for Echo Operational Log to Syslog to function.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Syslog Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Caution: Make sure that sufficient RAM exists on the system for this parameter. Restart Symantec Network Security for changes to this parameter to take effect.

Setting Remote Syslog Destination Host


Remote Syslog Destination Host indicates the remote syslog receiver that Symantec Network Security sends messages to, if exporting to syslog. This value does not affect the local UNIX system syslogd in any way. If this value is not set, the Network Security syslog module is disabled.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Syslog Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Caution: Make sure that sufficient RAM exists on the system for this parameter. It may take up to 10 minutes for changes to this parameter to take effect.


Setting Remote Syslog Destination Port


Remote Syslog Destination Port indicates the remote syslog port that Symantec Network Security uses. The default value is the standard syslog port (514), if not set otherwise. This value does not affect the local UNIX system syslogd in any way.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Syslog Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Caution: Make sure that sufficient RAM exists on the system for this advanced parameter. It may take up to 10 minutes for changes to this parameter to take effect.

Note: To export to syslog, syslog must be running in remote mode. This may not be the default. See the Unix or Linux man pages for more details.

Setting Syslog Maximum Message Size


Syslog Maximum Message Size indicates the maximum syslog message size allowed for syslog messages. The default value is 1024. If you set the value to greater than 65,536, the Network Security syslog module uses the RFC-specified maximum of 1024.


To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Syslog Export Parameters, click this parameter to display it.
4 In the lower right pane, enter a value.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: Restart Symantec Network Security for changes to this parameter to take effect.

Caution: Messages exceeding 1024 bytes are not compliant with the BSD Syslog Protocol RFC (3164), and may be truncated or dropped by syslog servers.
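The following is an added example, not code from Symantec Network Security, that applies the rules stated for the five syslog export parameters above as a pre-flight check on one node's settings: both export switches need Remote Syslog Destination Host, the echo value is 0 or a severity 1 through 4, the port defaults to 514, and a Syslog Maximum Message Size above 65,536 falls back to 1024, which is also the RFC 3164 limit beyond which receivers may truncate or drop messages. The dataclass field and function names, and the SAMPLE settings, are this example's own.

```python
"""Pre-flight check of the syslog export parameters described above.

Added example, not code from the Symantec product. It applies the rules the
guide states for these node parameters: Syslog Event Export and Echo
Operational Log to Syslog only work when Remote Syslog Destination Host is
set, the echo value is 0 (off) or a severity from 1 through 4, Remote Syslog
Destination Port defaults to 514, Syslog Maximum Message Size defaults to
1024 and falls back to 1024 when set above 65,536, and anything over 1024
bytes is outside RFC 3164 and may be truncated or dropped by the receiver.
Field and function names here are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional

RFC3164_MAX_BYTES = 1024
DEFAULT_SYSLOG_PORT = 514
SIZE_PARAM_CEILING = 65536


@dataclass
class SyslogExportParams:
    """One node's syslog export settings, with None meaning 'not set'."""
    syslog_event_export: bool = False
    echo_operational_log: int = 0
    destination_host: Optional[str] = None
    destination_port: Optional[int] = None
    max_message_size: Optional[int] = None


def effective_port(p: SyslogExportParams) -> int:
    """An unset port means the standard syslog port."""
    return p.destination_port if p.destination_port is not None else DEFAULT_SYSLOG_PORT


def effective_max_message_size(p: SyslogExportParams) -> int:
    """Unset -> 1024; above 65,536 the module uses the RFC maximum of 1024."""
    if p.max_message_size is None or p.max_message_size > SIZE_PARAM_CEILING:
        return RFC3164_MAX_BYTES
    return p.max_message_size


def check_syslog_export(p: SyslogExportParams) -> List[str]:
    """Return the problems that would stop or degrade syslog export."""
    problems: List[str] = []
    if p.echo_operational_log not in range(0, 5):
        problems.append(
            f"Echo Operational Log to Syslog must be 0 or 1-4, got {p.echo_operational_log}"
        )
    wants_syslog = p.syslog_event_export or p.echo_operational_log > 0
    if wants_syslog and not p.destination_host:
        problems.append(
            "Remote Syslog Destination Host is not set, so the syslog module is disabled"
        )
    if not 1 <= effective_port(p) <= 65535:
        problems.append(f"invalid Remote Syslog Destination Port {p.destination_port}")
    size = effective_max_message_size(p)
    if size > RFC3164_MAX_BYTES:
        problems.append(
            f"Syslog Maximum Message Size {size} exceeds RFC 3164's 1024 bytes; "
            "receivers may truncate or drop messages"
        )
    return problems


def message_within_limit(p: SyslogExportParams, message: bytes) -> bool:
    """True if a serialized syslog message fits the node's effective size limit."""
    return len(message) <= effective_max_message_size(p)


# Constructed sample settings for one node (no real hosts).
SAMPLE = SyslogExportParams(
    syslog_event_export=True,
    echo_operational_log=2,
    destination_host="siem.example.test",
    max_message_size=4096,
)

if __name__ == "__main__":
    for problem in check_syslog_export(SAMPLE) or ["ok"]:
        print(problem)
```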

Transferring via SCP


The Network Security console provides a way to transfer archived log files using Secure Copy Protocol (SCP), the Secure Shell (SSH) version of file transfer. Use SCP to move the logs to another host to prevent the software or appliance node from running low on free disk space. Use the following parameters to configure this process:

Setting Flag for SCP Usage
Setting Destination Host for SCP
Setting User Account for SCP
Setting Destination Directory for SCP
Setting Location of SCP Binary


Setting Flag for SCP Usage


Flag for SCP Usage serves as the on/off switch for SCP transfer. All other SCP parameters must be set properly for SCP transfer to function. If on, Symantec Network Security rotates the logs and exports them to another host for long-term storage. SCP transfer is used more commonly than File Event Writer, which rotates logs on the original node. SCP transfer does not impact performance. The default value is false.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click this parameter to display it.
4 In the lower right pane, enter a value of true.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Setting Destination Host for SCP


Destination Host for SCP indicates the remote host that log and database files are transferred to via SCP. The value can be either the host name or IP address of the remote host.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click this parameter to display it.
4 In the lower right pane, enter either the IP address or hostname of the node on which to place the logs.
Note: We recommend that you always use the same name for the software or appliance node when exporting archived logs, establishing an authorized public key, or exporting scheduled reports. For example, do not refer to the software or appliance node by its FQDN in one place, and its IP address in another.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Setting User Account for SCP


User Account for SCP indicates the user name that log and database files are transferred to via SCP.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click this parameter to display it.
4 In the lower right pane, enter the user name for moving logs to the remote host.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.


Setting Destination Directory for SCP


Destination Directory for SCP indicates the directory on the remote host that log or database files are transferred to via SCP.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Log and Database Parameters, click this parameter to display it.
4 In the lower right pane, enter a path to the destination directory on the remote host in which to place the logs. The user specified in the User Account for SCP parameter must have write permission to this directory.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Setting Location of SCP Binary


Location of SCP Binary indicates the path to the SCP binary on the Network Security software node. By default, the binary is in the /usr/local/bin/scp directory. Set the value for this parameter if the SCP binary is in an alternative location. Note: You do not need to set Location of SCP Binary for 7100 Series nodes, because the location of the SCP binary is predetermined on appliances. To configure this parameter 1 2 3 On the main menu bar, click Configuration > Node > Network Security Parameters. In Select Node, choose the node from the pull-down list, and click OK. In the left pane, under Log and Database Parameters, click this parameter to display it.


4 In the lower right pane, enter the path to the SCP binary on the Network Security software node if it differs from the default.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.

Note: For how to verify remote log archiving manually, see About the Knowledge Base on page 22.
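The three SCP parameters above (User Account for SCP, Destination Directory for SCP, Location of SCP Binary) are handed to an scp invocation on the node, so it is worth sanity-checking them before the next log rotation depends on them. The following is an added example written for this guide, not Symantec code: it verifies locally that the configured binary exists and is executable, that the user name is a plain account name, and that the destination is an absolute, shell-safe remote path. The function names, the account-name pattern and the sample values are my own assumptions; whether the remote user can actually write to the directory can only be confirmed on the remote host.

```python
"""Preflight checks for the SCP export parameters described in this guide.

Added example, not Symantec code. It only checks what can be checked on
the sending node; remote write permission must be verified on the remote host.
"""
import os
import re
import stat
import tempfile

# Assumption: POSIX-style account names (letters, digits, underscore, hyphen).
_USERNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")
# Assumption: a remote destination path should contain only these characters
# so it cannot be misread when passed to scp.
_SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9_./-]+$")


def check_scp_user(user):
    """Return a list of problems with the User Account for SCP value."""
    if not _USERNAME_RE.match(user):
        return ["user name %r is not a plain account name" % user]
    return []


def check_destination(directory):
    """Return a list of problems with the Destination Directory for SCP value."""
    problems = []
    if not directory.startswith("/"):
        problems.append("destination %r must be an absolute path on the remote host" % directory)
    if not _SAFE_PATH_RE.match(directory):
        problems.append("destination %r contains characters unsafe to pass to scp" % directory)
    return problems


def check_scp_binary(path):
    """Return a list of problems with the Location of SCP Binary value."""
    problems = []
    if not os.path.isabs(path):
        problems.append("SCP binary path must be absolute: %r" % path)
    if not os.path.isfile(path):
        problems.append("SCP binary not found: %r" % path)
        return problems
    if not os.stat(path).st_mode & stat.S_IXUSR:
        problems.append("SCP binary is not executable: %r" % path)
    return problems


def check_scp_export(user, directory, scp_path):
    """Run all three checks; an empty list means the values look usable."""
    return check_scp_user(user) + check_destination(directory) + check_scp_binary(scp_path)


def demo():
    """Constructed demonstration: a fake scp binary in a temp dir so it runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_scp = os.path.join(tmp, "scp")
        with open(fake_scp, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(fake_scp, 0o755)
        good = check_scp_export("logarchive", "/var/archive/sns", fake_scp)
        bad = check_scp_export("log archive", "archive", "/nonexistent/scp")
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good config problems:", good)
    print("bad config problems:", bad)
```

Run the checks on the node with the values you intend to enter in the console; the guide's own default, /usr/local/bin/scp, is what you would pass to check_scp_binary on a software node.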


Chapter 11

Advanced configuration
This chapter includes the following topics:

About advanced setup
Updating Symantec Network Security
Managing node clusters
Integrating third-party events
Establishing high availability failover
Backing up and restoring
Configuring advanced parameters

About advanced setup


This chapter describes specialized configuration tasks, including managing clusters, updating and upgrading Symantec Network Security, integrating third-party events, setting up high availability failover systems, and backing up and restoring. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.

Updating Symantec Network Security


Symantec Network Security provides product updates and enhancements in the form of Security Updates, Engine Updates, and Product Updates, using the new LiveUpdate functionality. Not to be confused with upgrading, LiveUpdate enables SuperUsers and Administrators to check for new updates, apply updates to peer nodes or node clusters, and schedule them to install automatically. This section includes the following topics:

About LiveUpdate
Scanning for available updates
Applying updates
Setting the LiveUpdate server
Adding or editing automatic updates
Backing up LiveUpdate configurations

About LiveUpdate
Symantec Network Security provides the new LiveUpdate functionality to keep your system updated to the latest software levels in a seamless and timely manner. The Network Security console displays all available updates at any given time, and provides the LiveUpdate interface for you to selectively apply them or schedule them to be automatically applied. Symantec Network Security provides three kinds of LiveUpdates:

Security Updates: Add detection capabilities to the product, such as event data, refinement rules, and encrypted signatures. Security Updates are cumulative. Each update includes the data from the updates before it. Some Security Updates are dependent upon Engine Updates as well.

Engine Updates: Add cumulative features and enhancements such as sensor functionality and data. Engine Updates are cumulative. Each update includes the data from the updates before it. Some Security Updates are dependent upon Engine Updates as well.

Software or appliance Product Updates: Add restoration and repair functionality (database, configuration, and database updates), patches, or minor releases. Software and appliance Product Updates are incremental. You can choose any Product Update or patch level, even if it is not the latest, and each level will automatically install all previous levels. For example, you can select Patch 3, even if Patch 4 is available. However, it is not possible to select Patches 2 and 4, and skip Patch 3. When you install Patch 3, Patches 1 and 2 are automatically included.

See also Updating policies automatically on page 129.


Scanning for available updates


Symantec Network Security provides a list of all available LiveUpdates in the Network Security console.

To view available updates
1 On the main menu bar, click Admin > LiveUpdate.
2 In the left pane, select the nodes to receive updates.
3 On the LiveUpdate tab, click Scan For Updates.

Note: SuperUsers and Administrators can view LiveUpdate using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Applying updates
The Network Security console provides a way to apply automatic updates to the system easily.

To apply updates
1 On the main menu bar, click Admin > LiveUpdate.
2 In the left pane, select the nodes to receive updates.
3 On the LiveUpdate tab, click Scan For Updates.
4 In Available Updates, do one of the following:
Click Select All to select the entire list.
Click Clear All to deselect the entire list.
Click each update to select it individually.
5 Click Apply Updates to activate the selection.

Note: SuperUsers and Administrators can apply updates using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Setting the LiveUpdate server


The Network Security console provides a way to establish a LiveUpdate server.

To set the LiveUpdate server
1 On the main menu bar, click Admin > LiveUpdate.
2 On the LiveUpdate tab, click Set LiveUpdate Server.
3 In LiveUpdate Server Configuration, provide the following information:
In Host, enter the hostname or IP address of the LiveUpdate server.
In Type, select HTTP or FTP from the pull-down list.
In Username, enter a username if you selected the FTP type.
In Password, enter a password if you selected the FTP type.
4 Click OK.

Note: SuperUsers and Administrators can establish a LiveUpdate server using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Note: When you add new nodes to an established cluster that uses an alternative LiveUpdate server, set the LiveUpdate server for each new node. New nodes do not automatically use the cluster's LiveUpdate server until you set an alternative LiveUpdate server on each of them.


Scheduling live updates


This section describes the following topics:

Adding or editing automatic updates
Deleting automatic update schedules
Reverting automatic update schedules

Adding or editing automatic updates


The Network Security console provides a way to schedule automatic updates.

To schedule or reschedule automatic updates
1 On the main menu bar, click Admin > LiveUpdate.
2 On the Schedule LiveUpdate tab, do one of the following:
Click Add to create a new schedule.
Click an existing schedule, and click Edit to change the schedule.
Click an existing schedule, and click Delete to remove the schedule.
3 In LiveUpdate Frequency, provide the following information:
In Check for updates every, select Week, Day, or Hour from the pull-down list.
In Day to run, select the day of the week from the pull-down list.
In Hour to run, select a time from the pull-down list, and click a radio button to select AM or PM.
4 In Auto Install Options, click the checkbox if you want engine updates to be automatically installed, and Security Updates that meet policy rules to be applied.
5 In Applies To Nodes, click Edit.
6 In Select Nodes, click each node to receive updates, and click OK.
7 In LiveUpdate Schedule, click OK.
8 In the Schedule LiveUpdate tab, do one of the following:
Click Save to preserve your choices.
Click Revert to undo your choices.

Note: SuperUsers and Administrators can schedule automatic updates using the Network Security console; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.


Deleting automatic update schedules


The Network Security console provides a way to delete automatic update schedules easily.

To delete an automatic update schedule
1 On the main menu bar, click Admin > LiveUpdate.
2 On the Schedule LiveUpdate tab, select an existing schedule.
3 Click Delete to remove the schedule.

Reverting automatic update schedules


The Network Security console provides a way to revert changes to automatic update schedules easily, if you have not already saved them.

To revert changes to an automatic update schedule
1 On the main menu bar, click Admin > LiveUpdate.
2 On the Schedule LiveUpdate tab, select an existing schedule.
3 On the Schedule LiveUpdate tab, click Revert to undo your changes.

Backing up LiveUpdate configurations


The Network Security console provides a way to customize Symantec Network Security to allow for internal LiveUpdate servers. See the LiveUpdate documentation for this information. We recommend that you back up the liveupdate.conf file if you customize it. Because the Network Security console Manage Backup procedures do not include this file, you can provide backup by copying this file manually and storing it in a safe location.
Note: If you uninstall Symantec Network Security, the procedure completely uninstalls LiveUpdate as well, and removes any configuration for the LiveUpdate client. If you customized the liveupdate.conf file to allow for internal LiveUpdate servers, you must restore it after reinstalling. So make sure to back up the customization.


Managing node clusters


Clusters are based on a hierarchy consisting of one central master node that receives information from and manages multiple slave nodes. The Network Security console provides a way to configure slave nodes by logging into the master node from the Network Security console, and to view events and incidents from them. This section describes how to set up a cluster hierarchy and manage it:

Creating a new cluster
Managing an established cluster
Setting a cluster-wide parameter
Backing up cluster-wide data

Creating a new cluster


In a cluster, one node acts as the master or primary node to which all other nodes in the cluster synchronize. By default, the first node added under the Enterprise location object acts as master node, and all subsequent nodes act as slave nodes. Superusers can change the status by setting a new node as the cluster master. SuperUsers can also assign a standby node to provide high availability for either a slave or master node, in case of an emergency failure. This section includes the following topics:

Building a cluster
Establishing a master node
Adding slave nodes to clusters
Deleting nodes from clusters

Building a cluster
The installation process automatically creates an object in the topology tree to represent the first software or appliance node. This defaults to master node status, and the installation program automatically assigns it a node number of 1. By default, all software and appliance nodes installed in the network after this master node default to slave node status. The master node synchronizes the databases on all slave nodes in a cluster to its topology, detection, and response rule configuration databases. This section describes the order in which to add nodes to build a node cluster.


To build a cluster
1 Install new nodes as slave nodes.
2 Establish one master node to serve as the sync node. Slave nodes will automatically run the database sync process. See Establishing a master node on page 310.
3 Add the new node into the topology map. See Adding nodes and objects on page 86.
Use the passphrase as established during installation of that node.
Use the node number.
4 Create a master high-availability configuration. See Establishing high availability failover on page 322.

Note: Upgrading node clusters requires special consideration. See the Symantec Network Security Installation Guide for more details.

Establishing a master node


This section describes how to establish a cluster master node using the Network Security console. To deploy a 7100 Series node as a slave, the master node must be either a Symantec Network Security 4.0 node or another 7100 Series node.

To set a cluster master
1 On the main menu bar, click Admin > Node > Set As Cluster Master.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Warning, click OK to confirm the setting, and restart the old master node, the new master node, and the Network Security console.

Caution: Use Set As Cluster Master only if the master node in a cluster fails. After the original master comes back online, we recommend that you wait for at least 5 minutes before making any changes to give the returned node time to be fully initialized back into the cluster. Then, if you want to return the node to master status, force a database synchronization. This triggers the node to regenerate communication passwords with each slave node.


Note: SuperUsers can establish a cluster master node; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Adding slave nodes to clusters


Symantec Network Security provides a way to add both Network Security software nodes and 7100 Series appliance nodes to a cluster, using the topology tree. Add a slave node to the topology tree after you physically install Symantec Network Security on the corresponding computer. Similarly, add a 7100 Series node to the topology tree after performing the initial configuration of the appliance itself. When you add slave nodes to the topology tree, use the same node numbers that you assigned during initial configuration of appliances, or installation of the Symantec Network Security software. See the following for additional related information:

See Adding or editing software nodes on page 89.
See Adding or editing 7100 Series nodes on page 95.
See Configuring availability for multiple nodes on page 324.

Caution: Verify that Network Time Protocol (NTP) is not running on any slave node within a cluster. If a slave node is running NTP, it cannot synchronize with the master node, which can cause the slave node to malfunction.

Note: SuperUsers can add both Network Security software nodes and 7100 Series appliance nodes to a cluster and assign them master and slave status. See User groups reference on page 353 for more about permissions.

Deleting nodes from clusters


Symantec Network Security provides a way to delete both Network Security software nodes and 7100 Series appliance nodes from a cluster, using the topology tree. See Deleting objects on page 83.


If you want to re-add a node to the topology database after deleting it, you must do one of the following:

For a software node: Reinstall it. See the Symantec Network Security Installation Guide for reinstalling a software node.
For an appliance node: Unconfigure and then rerun the initial configuration. See the Symantec Network Security 7100 Series Implementation Guide for unconfiguring an appliance node.

Note: SuperUsers can delete software and appliance nodes from the cluster. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot delete them. See User groups reference on page 353 for more about permissions.

Managing an established cluster


This section describes the following day-to-day tasks of managing an established cluster:

Licensing nodes in a cluster
Synchronizing clustered nodes
Changing node numbers
Changing passphrases
Restarting sensors in a cluster

Licensing nodes in a cluster


The Network Security console provides an efficient way to license nodes in a cluster. See Checking and applying licenses on page 49.

Synchronizing clustered nodes


Symantec Network Security automatically synchronizes the master node's databases across all nodes in the cluster. Master nodes accept changes from other master nodes, never from slave nodes. Slave nodes accept changes from any node with a newer database. The master node propagates information across clusters, including the global configuration, topology database, response rule database, usernames and passwords, user-defined signatures, and flow alert rules. Symantec Network Security does not synchronize incidents and events. Each node maintains this information separately.

Automatic synchronization
Synchronization occurs automatically at a random interval so that the nodes in a cluster do not expect updates at the same time. When you edit the master node or the network topology, your changes are automatically synchronized across all nodes in the cluster. Because automatic synchronization occurs randomly, rather than immediately, you may want to initiate an immediate synchronization using Force Database Sync. See Forcing nodes to synchronize on page 85.

Reapplying policy assignments after setting cluster master


This section describes setting protection policies to an interface and applying them to multiple interfaces. In a cluster, the master node stores the definitions of protection policies that you apply to slave nodes. If the master node fails or is demoted by setting a new cluster master, the link is broken between applied policies and their definitions. Slave nodes sometimes then appear to have viable policies applied that in reality are disabled. Prevent losing policies through failure by backing up the master node. Prevent losing policies when demoting by reapplying policy definitions to the new master node.
Note: SuperUsers can reapply policies to an interface; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.
See Backing up and restoring on page 332.
See Setting policies to interfaces on page 119.

Forcing synchronization
All software and appliance nodes synchronize with the master node. The Network Security console provides a way to trigger synchronization by restarting or rebooting slave nodes, or by forcing.

To force databases to synchronize at any time
1 On the main menu bar, click Admin > Force Database Sync.
2 Click OK.


Note: SuperUsers and Administrators can force a database synchronization; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Changing node numbers


Node numbers cannot be edited directly. If you need to change the node number after adding the node to the topology tree, you must first delete the object, then create a new object, and last, assign a new node number to it.

To change a node number
1 On the Devices tab, right-click the existing node.
2 Click Delete, and OK.
3 Click Topology > Save Changes.
4 Add a new object. See Adding nodes and objects on page 86.
5 Assign a new node number. See Node number on page 79.

Note: SuperUsers can change node numbers; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Note: The node with the lowest node number serves as the active node in a failover group. All nodes with higher node numbers remain on standby status.

Changing passphrases
Synchronization passphrases and EDP passwords cannot be edited directly. If you want to change a passphrase, you must first delete the node or object, create a new one, and assign a new passphrase to it.

To change a node passphrase
1 On the Devices tab, right-click the existing node or object.
2 Click Delete, and OK.
3 Click Topology > Save Changes.
4 Add a new node or object. See Adding nodes and objects on page 86.
5 Assign a new passphrase. See Synchronization passphrases on page 80.

Note: SuperUsers can change node passphrases; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Restarting sensors in a cluster


Sensors are no longer restarted automatically, but you can restart sensors from the Network Security console at any time. See Restarting or stopping sensors on page 170.
Note: SuperUsers can restart sensors in a cluster; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Setting a cluster-wide parameter


Symantec Network Security provides one cluster parameter called QSP Port Number to ensure communication between all nodes in a cluster.
Note: SuperUsers can set parameters; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Setting QSP Port Number


QSP Port Number determines the port that all nodes in a cluster use to communicate with each other. It is set at the cluster level. The default value is 2600. The value must be a valid unused TCP port number between 1025 and 65535 that is not used by any other TCP service in the cluster. Do not use port numbers 1333, 1080, 6665-6669, 7000, and 8080, because software and appliance nodes monitor and analyze traffic on these ports. The QSP port number must be the same for all nodes in a cluster.


To configure this parameter
1 On the main menu bar, click Configuration > QSP Port Configuration.
2 In QSP Port Configuration, type the desired QSP port number into the text box.
3 Click OK to save the changes to this node and close.
Note: If you change the QSP port number, restart all nodes in the cluster before logging in with the new number.

Backing up cluster-wide data


You can back up data from one node and, to a certain degree, exchange it between nodes in the cluster. See Backing up and restoring on page 332.
Note: SuperUsers can back up node configurations; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Integrating third-party events


Symantec Network Security can be configured to receive events from third-party devices including ManTrap 2.1 and later, and Symantec Decoy Server 3.1, as well as from other third-party security sensors. Symantec Network Security can be configured to aggregate and correlate those events with all other events that Symantec Network Security detects. Other third-party sensors require separate Smart Agent software. This section describes the following topics:

Integrating via Smart Agents
Integrating with Symantec Decoy Server

Integrating via Smart Agents


Symantec Network Security Smart Agent technology enables enterprise-wide multi-source event collection, helping you to expand the security umbrella and enhance the threat detection value of your existing security assets. Aggregation of third-party security events into a centralized location leverages the power of the Symantec Network Security analysis framework. Automated incident response enables the rapid identification of threats in real time to mitigate potential damage to mission critical enterprise assets. Symantec Network Security supports holistic security awareness through real-time third-party event correlation and analysis. Smart Agents enable Symantec Network Security to receive event data from external sensors and correlate that data with all other Network Security events. Symantec Network Security performs some internal Smart Agent configuration for integrating Symantec Decoy Server events. To integrate events from any other external sensor, you must install a separate Smart Agent for the external sensor as well. To integrate event data from third-party sensors, you must first purchase and install the corresponding Smart Agent. Detailed configuration and installation instructions are provided in the installation guide for the Smart Agent, including how to create an external sensor object. The Network Security console must be aware of the external sensor for you to be able to set response rules for events from it. See also About Smart Agents on page 108 for more about Smart Agents. To purchase Smart Agent software, see the following web site: http://www.symantec.com/techsupp/enterprise/select_product_manuals.html, and click Intrusion Detection > Symantec Decoy Server.


The following diagram illustrates Symantec Network Security integrating with third-party intrusion detection systems via Symantec Network Security Smart Agents to provide enterprise-wide correlation and analysis:

[Figure: third-party sensors feeding Symantec Network Security through Smart Agents. Labels preserved from the diagram: "Smart Agent", "Symantec Network Security Smart Agent", "Smart Agent".]

You can set response actions via third-party sensors using Smart Agents. All response actions work for Smart Agents with the exception of TCP Reset and Traffic Record. You can set export flows, TrackBack, email and SNMP notification responses on events received via Smart Agents. This section includes the following Smart Agent parameter:

Setting EDP Port Number

Setting EDP Port Number


Symantec Network Security communicates with Smart Agents over an EDP proxy (Event Dispatch Protocol). In order to enable a software or appliance node to receive event data from a Smart Agent, the Smart Agent must share an EDP password with the software or appliance nodes. You can set the EDP passphrase when you create the external sensor object in the topology tree, but you cannot edit the password directly after it is set. To change it, you must delete the object, create a new object, and provide the desired password. See About Smart Agents on page 108 to find out how to create an external sensor object. See Changing passphrases on page 314 to find out how to change EDP passwords. See the Symantec Network Security Installation Guide for further integration details.

EDP Port Number indicates the port through which Symantec Network Security and Smart Agents communicate. Symantec Network Security listens for Event Dispatch Protocol (EDP) events through this port. The default value is set to 1333. If you edit this parameter, use a valid, unused TCP port between 1025 and 65535. Avoid using the QSP port number, or TCP port numbers 1080, 6665-6669, 7000, because software and appliance nodes monitor and analyze traffic on these ports.

To configure this parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, under Smart Agent Parameters, click EDP Port Number.
4 In the lower right pane, enter the port number.
5 Click Apply.
6 In Apply Changes To, select the node to which to apply the parameter.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this node and close.
Note: Restart Symantec Network Security for changes to this parameter to take effect.
Caution: Do not use the QSP port for EDP communication.
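The port rules for QSP Port Number (under Setting a cluster-wide parameter) and EDP Port Number (above) are easy to get wrong when two nodes are configured by hand: a port in the monitored range is silently treated as traffic to analyze, and an EDP port equal to the QSP port breaks cluster communication. The following is an added example written against the rules this guide states, not Symantec code; the function names, the combined plan check and the local bind probe are my own assumptions. It encodes the two forbidden-port lists exactly as the guide gives them (the QSP list includes 1333 and 8080, the EDP list does not) and rejects an EDP port that collides with the QSP port.

```python
"""Validate QSP and EDP port choices against the rules in this chapter.

Added example (not Symantec code). Numeric rules come from the guide:
both ports must be TCP ports in 1025-65535 that no other TCP service in
the cluster uses, the listed monitored ports are off-limits, and the EDP
port must never equal the QSP port.
"""
import socket

# Ports the guide lists as monitored and analyzed by the nodes. The QSP
# list names 1333 (the EDP default) and 8080; the EDP list does not.
QSP_FORBIDDEN = {1333, 1080, 7000, 8080} | set(range(6665, 6670))
EDP_FORBIDDEN = {1080, 7000} | set(range(6665, 6670))

QSP_DEFAULT = 2600  # default QSP Port Number per the guide
EDP_DEFAULT = 1333  # default EDP Port Number per the guide


def _range_errors(name, port):
    """Shared check: an integer in the unprivileged TCP range 1025-65535."""
    if not isinstance(port, int) or isinstance(port, bool):
        return ["%s must be an integer, got %r" % (name, port)]
    if not 1025 <= port <= 65535:
        return ["%s %d is outside 1025-65535" % (name, port)]
    return []


def validate_qsp_port(port):
    """Return a list of rule violations for a QSP Port Number (empty means ok)."""
    errors = _range_errors("QSP port", port)
    if not errors and port in QSP_FORBIDDEN:
        errors.append("QSP port %d is monitored by the sensors; choose another" % port)
    return errors


def validate_edp_port(port, qsp_port=QSP_DEFAULT):
    """Return rule violations for an EDP Port Number given the cluster's QSP port."""
    errors = _range_errors("EDP port", port)
    if errors:
        return errors
    if port in EDP_FORBIDDEN:
        errors.append("EDP port %d is monitored by the sensors; choose another" % port)
    if port == qsp_port:
        errors.append("EDP port %d equals the QSP port; they must differ" % port)
    return errors


def port_is_free(port, host="127.0.0.1"):
    """Best-effort check that nothing on this host is already bound to the port.

    Assumption: run on the node itself; it cannot see other cluster members,
    so the guide's "unused in the cluster" rule still needs a check per node.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


def plan_cluster_ports(qsp_port, edp_port):
    """Validate a (QSP, EDP) pair together; returns (ok, list_of_errors)."""
    errors = validate_qsp_port(qsp_port) + validate_edp_port(edp_port, qsp_port)
    return (not errors, errors)


if __name__ == "__main__":
    for pair in [(QSP_DEFAULT, EDP_DEFAULT), (8080, 1333), (2600, 2600), (2600, 6667)]:
        ok, errs = plan_cluster_ports(*pair)
        print(pair, "ok" if ok else "; ".join(errs))
```

Run plan_cluster_ports with the pair you intend to set on the cluster and on each node; the defaults (2600, 1333) pass, while the last three pairs in the demo each fail for one of the guide's rules.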

Integrating with Symantec Decoy Server


Now you can launch and log into the Symantec Decoy Server console by simply right-clicking any external sensor object in the topology tree and selecting Start Decoy Console. Note that the Symantec Decoy Server console remains open, even if you close the Network Security console. This section includes the following:

Integrating with Symantec Decoy Server
Launching from a new location
Launching from a known location

Integrating with Symantec Decoy Server


Symantec Network Security can be configured to receive events from ManTrap 2.1 and later, and Symantec Decoy Server 3.1, as well as from other third-party security sensors. Symantec Network Security can be configured to aggregate and correlate those events with all other events that Symantec Network Security detects. Other third-party sensors require separate Smart Agent software. To configure Symantec Decoy Server for integration with Symantec Network Security, or to purchase Smart Agent software, see the following web site: http://www.symantec.com/techsupp/enterprise/select_product_manuals.html, and click Intrusion Detection > Symantec Decoy Server. To download instructions for configuring Symantec Decoy Server to send events to Symantec Network Security, see the following web site: http://www.symantec.com/techsupp/enterprise/products/mantrap/files.html

To integrate Symantec Decoy Server events into Symantec Network Security
1 Configure the alerting response policies for the Symantec Decoy Server cages. Based on these alerting response policies, Symantec Decoy Server sends events to Symantec Network Security, and these events appear in the Network Security console. For example, configure a cage to send all Root User Exec and File Opened for Writing events to the Network Security console.
2 In the Network Security console, create an external sensor node for each IP address that will send event data to Symantec Network Security; that is, a separate node for each cage and host. See Adding or editing Smart Agent objects on page 109.
3 Apply Symantec Network Security response rules to the Symantec Decoy Server events. See Setting response actions on page 147.


Note: SuperUsers can integrate Symantec Decoy Server events; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Launching from a new location


This section describes how to launch the Symantec Decoy Server console from a new location on the network.

To launch the Symantec Decoy Server console from a new location
1 On the Devices tab, right-click any external sensor object, and click Start Decoy Console. The first time, a Decoy Console Not Found message appears. Click OK.
2 In Select the Symantec Decoy Server Console Directory, navigate to the directory containing mtadmin.jar, and click Open. This file is typically located in the following directory: Program Files\Symantec\Mantrap.
3 In Start Decoy Console, click Yes to confirm the path to the jar file.
After launching the Symantec Decoy Server console from this new location, the location of the mtadmin.jar file is stored in memory.

Launching from a known location


This section describes how to launch the Symantec Decoy Server console from a known location on the network.

To launch the Symantec Decoy Server console from a known location
1 On the Devices tab, right-click any external sensor object, and click Start Decoy Console.
2 In Start Decoy Console, click Yes to confirm the path to the mtadmin.jar file.
Note: The Symantec Decoy Server console must be closed independently of the Network Security console. The Symantec Decoy Server console remains open, even if you close the Network Security console.

Note: SuperUsers and Administrators can add Smart Agents to launch Symantec Decoy Server; all users can launch it after configuration. See User groups reference on page 353 for more about permissions.


Establishing high availability failover


Symantec Network Security provides a number of ways to recover from network, communication, or process failures. The Availability Monitor keeps track of each node on the network and notifies you if the node fails or becomes unavailable. The Watchdog Process Restart parameter keeps track of processes on a single node. If a process fails, the failure recovery feature notes the failure and takes action to restart that process. Failover groups, configured with the watchdog parameters, ensure detection coverage even if a node should fail. This section describes these topics in greater detail:

Monitoring node availability
Configuring availability for single nodes
Configuring availability for multiple nodes
Configuring watchdog processes

Monitoring node availability


Symantec Network Security provides the Availability Monitor to keep track of each node on the network and notify you if the node fails or becomes unavailable. The Availability Monitor attempts to connect to each node at specified intervals. If a node fails to respond for a specified number of times, the Availability Monitor generates an event that indicates a drop in availability.

To edit the Availability Monitor configuration file
1 On the main menu bar, click Configuration > Node > Availability Monitor.
2 In Select Node, click the node from the pull-down list.
3 In Availability Monitor Configuration, add the following line for each host that you want to monitor:
<hostname or ip address> PING [poll interval] [number failed responses]

Use the following guidelines in the configuration file:


List only one host per line.
Delimit the variables with spaces or tabs.

For example, the following line configures the Availability Monitor to ping the host every 8 seconds, and to generate an availability-drop event if the host fails to respond 8 times in a row, slightly longer than a minute:
10.0.5.8 PING 8 8
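As an added example (not from this guide or the product), the following Python models the Availability Monitor line format and the consecutive-miss rule described above, and computes how long a dead host can go undetected for a given poll interval and failure count. The defaults it applies when the optional fields are omitted, and its treatment of blank and # lines, are assumptions.

```python
"""Model of the Availability Monitor configuration line format:
    <hostname or ip address> PING [poll interval] [number failed responses]
Added example; the parser and detector below are not Symantec code.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed defaults for the optional fields; the guide does not state them.
DEFAULT_POLL_SECONDS = 60
DEFAULT_FAILED_RESPONSES = 3


@dataclass(frozen=True)
class PingMonitor:
    host: str
    poll_seconds: int
    failed_responses: int

    @property
    def worst_case_detection_seconds(self) -> int:
        """Longest time a dead host stays undetected: every poll in the streak must fail."""
        return self.poll_seconds * self.failed_responses


def parse_availability_config(text: str) -> List[PingMonitor]:
    """Parse the configuration file: one host per line, space- or tab-delimited."""
    monitors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: blank and # lines are ignored
            continue
        fields = line.split()                  # split() accepts both spaces and tabs
        if len(fields) < 2 or len(fields) > 4 or fields[1].upper() != "PING":
            raise ValueError(f"line {lineno}: expected '<host> PING [poll] [failures]', got {raw!r}")
        poll = int(fields[2]) if len(fields) > 2 else DEFAULT_POLL_SECONDS
        failures = int(fields[3]) if len(fields) > 3 else DEFAULT_FAILED_RESPONSES
        if poll <= 0 or failures <= 0:
            raise ValueError(f"line {lineno}: poll interval and failure count must be positive")
        monitors.append(PingMonitor(fields[0], poll, failures))
    return monitors


def first_drop_event(monitor: PingMonitor, poll_results: List[bool]) -> Optional[int]:
    """Return the elapsed seconds at which the availability-drop event fires, or None.

    poll_results[i] is True when the host answered poll i; poll i is taken
    (i + 1) * poll_seconds after the last known-good state. A successful answer
    resets the streak, so only consecutive misses count, as the guide describes.
    """
    streak = 0
    for i, answered in enumerate(poll_results):
        streak = 0 if answered else streak + 1
        if streak == monitor.failed_responses:
            return (i + 1) * monitor.poll_seconds
    return None


# Constructed sample file; the first line is the guide's own example.
SAMPLE_CONFIG = """\
10.0.5.8 PING 8 8
sensor-2.example.internal\tPING\t30\t4
"""

if __name__ == "__main__":
    for m in parse_availability_config(SAMPLE_CONFIG):
        print(f"{m.host}: poll every {m.poll_seconds}s, alert after {m.failed_responses} "
              f"consecutive misses (worst case {m.worst_case_detection_seconds}s)")
```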

Note: SuperUsers can monitor availability; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Configuring availability for single nodes


Symantec Network Security provides a parameter to monitor the processes of a single node regularly, and automatically restart any processes that have failed. If a process on a single node fails, the failure recovery feature notes the failure and takes action to restart that process. This may include restarting or rebooting the system. You can enable this restart functionality on a single node outside of a failover group. Simply enable the Watchdog Process Restart Only parameter for the node, but do not add it to a failover group.

Setting Watchdog Process Restart Only


Watchdog Process Restart Only indicates whether to restart the product or execute a full system reboot when a failure occurs. The default value is false. If set to true, Symantec Network Security restarts the product on failure. If this value is false, Symantec Network Security reboots the system on failure.

Caution: Make sure that the system has enough RAM for this parameter.

To set the Watchdog Process Restart Only parameter
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane under Watchdog Process Configuration, click Watchdog Process Restart Only.
4 In the lower right corner of the Configuration Parameters pane, do one of the following:
    Click True to restart the product on failure.
    Click False to reboot the system on failure.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save and close.

Note: SuperUsers can set this parameter; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Configuring availability for multiple nodes


Symantec Network Security provides a set of watchdog parameters to ensure uninterrupted event detection by deploying multiple nodes in a high-availability configuration called failover. In the following example, the master node and a standby slave node form a failover group in a cluster of three:

[Figure: Symantec Network Security provides the ability to deploy redundant nodes to ensure high availability. The diagram shows a cluster of a master node and two slave nodes, with a standby node and the Network Security console.]


All nodes monitor the network, but only active nodes record data. If the active node fails, the standby node immediately starts recording security events. The standby node does not become master; the cluster operates without a master node until a node is set to cluster master. In a failover group of three, the third standby node continues to monitor without recording, in case the second active node fails. This fault-tolerant feature occurs automatically and transparently, and ensures that Symantec Network Security remains continuously available. Do not confuse high-availability failover with load balancing, in which the systems provide balance through database synchronization. This section includes the following:

Configuring a failover group
Removing nodes from a failover group
Viewing incidents during failover

Configuring a failover group


The minimum failover group size consists of two nodes: an active node and a standby node. The maximum failover group size consists of five nodes: one active node and four standby nodes.

To add a failover group
1 To deploy standby nodes as backup, add multiple Network Security nodes in the same location to form the failover group, considering the following:
    You can set up a failover group using both software and appliance nodes interchangeably.
    You can set up a failover group for either a master or a slave node. Failover functions independently of master or slave status.
    The active and standby nodes must both have the same physical and logical configurations.
    The active and standby nodes must monitor the same subnet.
    The nodes must be installed in the same location.
    Each node must have a dedicated physical connection for detection.
2 On the Devices tab, add or edit the active and standby objects in the topology tree, with the following considerations:
    In Add or Edit 7100 Series Node, or Add or Edit Software Node, under Failover Group Information, click Failover Group Member.
    Enter a Failover Group Number between 1 and 100. Each node within the failover group must have the same Failover Group Number. Valid numbers range from 1 to 100. Do not use a number over 100.
    Click OK, and save the changes to the topology tree.
3 Set the following configuration parameters for each active and standby node:
    Setting Enable Watchdog Process
    Setting Watchdog Process Stop Window
    Setting Watchdog Process Maximum Resets
    Setting Watchdog Process Restart Only
    Setting Watchdog Process Email
    Configuring link state
4 Enable Link On Active for link state for each active and standby node.
5 Repeat these steps for each node in the failover group.

Note: SuperUsers can create watchdog groups; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Removing nodes from a failover group


Symantec Network Security provides an efficient way to remove nodes from a failover group.

To remove a node from a failover group
1 On the Devices tab, edit the active or standby objects in the network topology tree.
2 In Edit Software Node or Edit 7100 Series Node, under Failover Group Information, deselect Failover Group Member.
3 Click OK to save the changes to the topology tree.
4 Reset the Enable Watchdog Process parameter for this node to false. See Setting Enable Watchdog Process on page 329.

Note: SuperUsers can remove nodes from a failover group; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.


Viewing incidents during failover


Symantec Network Security provides the ability to view incidents from standby nodes during a failover. Enabling this feature causes incidents to load from all nodes in the cluster, including any standby nodes, and thus avoids dropping incidents. When a failover occurs, the incident table remains unchanged. However, this does not extend to the reporting feature, because reports are generated from active nodes only. In addition to viewing incidents from standby nodes during failover, the following are characteristics of failover behavior:

Symantec Network Security maintains multiple nodes, each with its own unique ID number.
One node in each failover group is recognized as active, the others as standby.
Each node uses its own detection interface connections.
Each node stores duplicate data that the Network Security console handles according to the precedence order.
For exclusive actions, all nodes within the group communicate to determine the active node.
Both the primary node and the standby node detect and report on incidents and events. The standby node processes the same data, performs the same analysis, and evaluates the same response rules as the active software or appliance node, but does not execute duplicate responses.
If the active node fails for any reason, a standby node takes over recording data. If the original node comes back online, it resumes activity. There is no automatic recovery or failback. When the original node resumes activity, you must restart all nodes to reconnect.
If a node fails, the Network Security console automatically connects to the standby node in the same failover group. You can configure the Network Security console to display standby node information. The console automatically connects to and pulls incidents and events from the standby node. New events automatically show up without reconfiguration; whether events from incidents that began before the failover also appear depends on whether the masters were actually detecting traffic themselves, or acting as console servers only.
There is no failback where the Network Security console is concerned. If the original master comes back online, the Network Security console does not automatically switch back.
Response actions such as TrackBack that augment the incident may not be visible during a failover, because the response events are stored in the local event database of a given node.

To view incidents from both active and standby nodes
1 On the Incidents tab, click Filters.
2 In Incident Filter Options, click Include Backup Nodes. If the network contains multiple nodes specified in a watchdog group, the incidents from all standby nodes are added to the incident table. See Selecting incident filters on page 229.
3 Click Apply.

Note: SuperUsers can preserve failover incidents; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Configuring watchdog processes


Symantec Network Security provides a set of parameters that you can use to configure watchdog processes. Watchdog processes monitor each node closely, and if a failure occurs on any node, Symantec Network Security makes a number of attempts to reboot or restart the downed node. If the attempts to reboot or restart also fail, then Symantec Network Security shifts, or fails over, to the standby node. Watchdog processes are advanced configurations that employ advanced parameters. Make sure that sufficient RAM exists on the system. When deploying failover groups, keep in mind that the failover system is designed to work best for nodes that have a fast, reliable network interconnection between their administration interfaces. An example configuration would be two nodes in close proximity, connected through Ethernet.

Note: Do not confuse failover with fail-open, which is the state that permits (fail-open) or blocks (fail-closed) traffic from flowing through a sensor that is placed in-line with a firewall.

Note: SuperUsers can configure watchdog processes; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.


Set up and enable watchdog processes by configuring the following parameters:


Setting Enable Watchdog Process
Setting Watchdog Process Stop Window
Setting Watchdog Process Maximum Resets
Setting Watchdog Process Restart Only
Setting Watchdog Process Email

Setting Enable Watchdog Process


Enable Watchdog Process serves as the on/off switch for the watchdog process. You must set the other parameters to configure this process. The default is false.

To configure node parameters
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click the parameter that you want to configure.
4 In the lower right pane, click True to enable this parameter.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.

Caution: Make sure that the system has enough RAM for this parameter.

Setting Watchdog Process Stop Window


Watchdog Process Stop Window determines the time period during which Symantec Network Security decides if failures occur at too high a rate. If a node fails too many times during this time period, then it shuts down and fails over to the standby node. The default value is 10 minutes.


To configure node parameters
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click the parameter that you want to configure.
4 In the lower right corner of the Configuration Parameters pane, enter a fail rate. If the number of failures breaches this threshold, it resorts to standby.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.

Caution: Make sure that the system has enough RAM for this parameter. Before setting this parameter, please review the failover procedure thoroughly.

Setting Watchdog Process Maximum Resets


Watchdog Process Maximum Resets defines the maximum number of reboots or restarts that Symantec Network Security executes within the time period defined by Watchdog Process Stop Window before failing over to the standby node. The default value is 2.

To configure node parameters
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click the parameter that you want to configure.
4 In the lower right corner of the Configuration Parameters pane, enter a retry value. If the number of retries breaches this threshold, it resorts to standby.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.

Caution: Make sure that the system has enough RAM for this parameter. Before setting this parameter, please review the failover procedure thoroughly.

Setting Watchdog Process Restart Only


Watchdog Process Restart Only indicates whether to restart the product or execute a full system reboot when a failure occurs. The default value is false. If set to true, Symantec Network Security restarts the product on failure. If this value is not set, the default is to reboot the system on failure.

Note: SuperUsers and Administrators can also enable the restart functionality on a single node outside of a failover group. Simply enable the Watchdog Process Restart Only parameter for the node, but do not add it to a group.

To configure node parameters
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click the parameter that you want to configure.
4 In the lower right corner of the Configuration Parameters pane, do one of the following:
    Click True to enable restarting.
    Click False to enable rebooting.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.

Caution: Make sure that the system has enough RAM for this parameter. Before setting this parameter, please review the failover procedure thoroughly.

Setting Watchdog Process Email


Watchdog Process Email indicates the email address to which Symantec Network Security sends a notification that it has failed over. If this value is not set, no email is sent.

To configure node parameters
1 On the main menu bar, click Configuration > Node > Network Security Parameters.
2 In Select Node, choose the node from the pull-down list, and click OK.
3 In the left pane, click the parameter that you want to configure.
4 In the lower right corner of the Configuration Parameters pane, enter an email address to be notified that a node has failed over.
5 Click Apply.
6 In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.
Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7 Click OK to save the changes to this sensor and close.
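To make the interplay of the watchdog parameters described above concrete, here is an added Python model (not Symantec code) that walks a constructed sequence of process failures through the documented rules: Restart Only chooses restart versus reboot, Maximum Resets within the Stop Window bounds how many resets happen before failover, and Email decides whether a notification is produced. Treating the Stop Window as a sliding window ending at the latest failure, and the email address used, are assumptions.

```python
"""Decision model for the watchdog parameters: Enable Watchdog Process,
Watchdog Process Stop Window, Watchdog Process Maximum Resets,
Watchdog Process Restart Only and Watchdog Process Email.
Added example; parameter names and defaults come from the guide, the
timeline logic is a model and not the product's implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class WatchdogConfig:
    enable_watchdog_process: bool = False   # guide default: watchdog off
    stop_window_minutes: int = 10           # guide default
    maximum_resets: int = 2                 # guide default
    restart_only: bool = False              # guide default: reboot the system
    email: Optional[str] = None             # guide default: no notification


@dataclass
class WatchdogState:
    reset_times: List[float] = field(default_factory=list)   # seconds of each reset
    failed_over: bool = False
    notifications: List[str] = field(default_factory=list)


def handle_failure(cfg: WatchdogConfig, state: WatchdogState, t_seconds: float) -> str:
    """Decide what the watchdog does for a process failure observed at t_seconds.

    Returns "ignored" (watchdog disabled, or the node already failed over),
    "restart", "reboot", or "failover". Assumption: the stop window is a sliding
    window ending at the current failure, so resets older than it no longer count.
    """
    if not cfg.enable_watchdog_process or state.failed_over:
        return "ignored"
    window = cfg.stop_window_minutes * 60
    state.reset_times = [ts for ts in state.reset_times if t_seconds - ts <= window]
    if len(state.reset_times) < cfg.maximum_resets:
        # Still under the reset budget: recover the node in place.
        state.reset_times.append(t_seconds)
        return "restart" if cfg.restart_only else "reboot"
    # Budget exhausted inside the window: hand detection to the standby node.
    state.failed_over = True
    if cfg.email:   # no address configured means no email is sent
        state.notifications.append(f"to={cfg.email} subject=node failed over at t={t_seconds:.0f}s")
    return "failover"


def run_timeline(cfg: WatchdogConfig, failure_times: List[float]) -> Tuple[List[str], WatchdogState]:
    """Feed a constructed, ordered list of failure timestamps (seconds) through the model."""
    state = WatchdogState()
    actions = [handle_failure(cfg, state, t) for t in failure_times]
    return actions, state


if __name__ == "__main__":
    # Constructed scenarios: three failures inside one default window, then a
    # spread-out sequence that never exhausts the budget.
    cfg = WatchdogConfig(enable_watchdog_process=True, restart_only=True,
                         email="noc@example.com")   # placeholder address
    for times in ([0, 100, 500], [0, 100, 1000]):
        actions, state = run_timeline(cfg, times)
        print(times, "->", actions, state.notifications)
```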

Backing up and restoring


Symantec Network Security provides the functionality to back up all configuration data from the node and restore it at a later time to the same or an alternative node. You must perform the backup procedure while Symantec Network Security is running. The backup procedure produces a tar file of the copies of all backed up files and moves the tar file into a backup directory. For 7100 Series appliances, you have an additional alternative. You can mount a compact flash card on the appliance node, and back up the files to the compact flash. As a best practices policy, we recommend that you make periodic backups of the Symantec Network Security configuration on the master node. This section includes the following topics:

Backing up and restoring on the Network Security console
Backing up and restoring on compact flash

Backing up and restoring on the Network Security console


This section describes backing up and restoring procedures from the Network Security console.

Backing up Symantec Network Security configurations
Reapplying policy assignments after failure
Copying Symantec Network Security configurations
Deleting Symantec Network Security configurations
Refreshing the list of backup configurations
Restoring Symantec Network Security configurations
Restoring an existing configuration to a node

Backing up Symantec Network Security configurations


The Network Security console provides a way to back up a Symantec Network Security configuration. The backup procedure includes most configuration data such as topology, parameter, policy, and report configurations, but does not include collected data such as flow records, traffic record sessions, and generated reports.

To back up a configuration
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Actions, click Backup Current Configuration.
4 In Backup Name, enter a distinctive name and click OK.
5 When the progress bar closes, click Close to exit.


Note: Back up master nodes to preserve policy definitions. Demoting a master node can leave slave nodes with policies applied to their sensors that are not defined. Back up a master node before demoting it, restore just the policies, and reapply them.

Note: SuperUsers and Administrators can back up a configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

See About protection policies on page 115.

Reapplying policy assignments after failure


In a cluster, the master node stores the definitions of protection policies that you apply to slave nodes. If the master node fails or is demoted, the link is broken between applied policies and their definitions. Slave nodes sometimes then appear to have viable policies applied that in reality are disabled. Prevent losing policies through failure by backing up the master node. Prevent losing policies when demoting by reapplying policy definitions to the new master node. See Setting policies to interfaces on page 119.

Copying Symantec Network Security configurations


The Network Security console provides a way to copy a configuration of Symantec Network Security easily.

To copy a configuration
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Backups, click an existing backup configuration.
4 In Actions, click Secure Copy.
5 Provide the following information:
    In Filename, enter the name of the backup file.
    In Host Name, enter the name of the host to copy to.
    In Directory, enter the directory.
    In User Name, enter the user name.
6 Click OK to copy the configuration to the desired location and exit.


Note: SuperUsers and Administrators can copy a configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Deleting Symantec Network Security configurations


The Network Security console provides a way to delete an existing configuration of Symantec Network Security easily.

To delete a configuration
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Backups, click an existing backup configuration.
4 In Actions, click Delete.
5 Click Yes to confirm.

Note: SuperUsers and Administrators can delete an existing configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Refreshing the list of backup configurations


The Network Security console provides a way to update the view after each change to the backup table, using Refresh Table.

To refresh the table
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Backups, click Refresh Table.

Note: All users can refresh the list of backup configurations. See User groups reference on page 353 for more about permissions.

Restoring Symantec Network Security configurations


Symantec Network Security provides a way to restore a previous configuration to an entire cluster, so that all information that was synchronized throughout the cluster reverts back to the original values. SuperUsers can do this selectively, and restore the configuration on a single node, a subset of selected slave nodes, or to the entire cluster by first restoring the master node and then synchronizing. Best practices rules include:

Back up the master node on a regular basis. Protection policy definitions are stored only on the master node.
When reinstalling a node or unconfiguring an appliance, reapply all policies.
When restoring a slave node, force a database sync before reapplying policies on that node. This ensures that the slave node has the most recent policy definitions.

To restore a node to a previous configuration after a failure:

Reinstall the software or reconfigure the appliance.
Reapply all previous update packages.
Restore the configuration to the node.
If the restored node is a slave node, also restore the configuration to the master node.

To restore a cluster to a previous configuration:

Restore the old configuration to each individual slave node.
Restore the configuration to the master node.


You must perform the restoration procedure while Symantec Network Security is running. For the restoration procedure to succeed, you must make sure the following are true:

The hardware and operating system are the same.
The Symantec Network Security version is the same.
The root directory is the same.
The Symantec Network Security patch level is the same.
The Symantec Network Security Security Update and Engine Update levels are the same as or greater than those of the backup.
The restoration machine has the same number and type of interfaces.
The restoration machine has the same IP address as the original.

Note: SuperUsers and Administrators can restore a configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.


Restoring an existing configuration to a node


Symantec Network Security provides a way to restore an existing configuration using the Network Security console.

To restore an existing configuration
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Backups, click an existing backup configuration.
4 In Actions, click Restore Selected Backup > Yes. This will restart the node, and overwrite all configuration changes that were made since the backup.

Note: SuperUsers and Administrators can restore an existing configuration; StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Restoring an existing configuration to a cluster


If you want to restore a previous configuration to an entire cluster, you must restore each node individually. Restoring the master node does not propagate to the cluster. To re-add a node to the topology database after removing it, you must do one of the following:

For a software node: Reinstall it. See the Symantec Network Security Installation Guide for reinstalling a software node.
For an appliance node: Unconfigure the initial configuration. See the Symantec Network Security 7100 Series Implementation Guide for unconfiguring an appliance node.

Note: SuperUsers can delete software and appliance nodes from the cluster. Administrators, StandardUsers, and RestrictedUsers can view them, but cannot delete them. See User groups reference on page 353 for more about permissions.

Backing up and restoring on compact flash


This section describes the following topics:

Backing up on compact flash
Restoring from compact flash

Backing up on compact flash


On a 7100 Series node, SuperUsers can back up the node configuration onto a compact flash (CF) card. Symantec Network Security automatically writes the backup to the compact flash if the CF card is available as a mounted filesystem. To mount the CF card, you must reboot the appliance after inserting the card into the adaptor. For more information about using the compact flash, see the Symantec Network Security 7100 Series Implementation Guide.

To back up a configuration onto compact flash
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Actions, click Backup Current Configuration.
4 In Backup Name, type in a file name for the backup, and click OK. Network Security adds a timestamp to the filename to ensure uniqueness.
5 When the progress bar closes, click Refresh Table to view the backup.

Note: SuperUsers and Administrators can back up a configuration using a compact flash card (CF); StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Restoring from compact flash


SuperUsers can restore a previous configuration to a single slave node, a set of slave nodes, or to the entire cluster by first restoring the slave nodes, then restoring the master node. The restore process includes both per-node and cluster-wide configuration information. You must restore each node individually to get the per-node configuration. Cluster-wide configuration is synchronized from the master to the slave nodes. If the compact flash card is mounted, SuperUsers can choose from backup files on both the compact flash and the hard drive during the restore process.

To restore an old configuration using compact flash
1 On the main menu bar, click Admin > Node > Manage Backups.
2 In Select Node, choose a node from the pull-down list, and click OK.
3 In Backups, click a backup filename.
4 In Action, click Restore Selected Backup > Yes. This will restart the node, and overwrite all configuration changes that were made since the backup.

Note: SuperUsers and Administrators can restore a configuration using a compact flash card (CF); StandardUsers and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Saving initial configuration


You can save an appliance's configuration information onto the hard drive or onto a compact flash card for use during initial configuration.

Saving initial configuration to compact flash


If the compact flash card is available, Symantec Network Security automatically saves the configuration file to the CF card. Saving a node's configuration information to compact flash provides a way to control the configuration of one or more appliances you are adding to a cluster. During initial configuration, lab personnel can use the compact flash to configure the new node exactly as planned. This type of saved configuration only records the information required for the initial configuration of an appliance.

To save an initial configuration to compact flash
1 If a compact flash card is not already mounted on /mnt/cf, do the following:
    Insert the compact flash card into the CF adaptor.
    Reboot the appliance.
2 Do one of the following:
    On Devices, right-click the 7100 Series node object whose configuration you wish to save, then click Configuration > 7100 Series Configuration > Save Configuration File.
    On Devices, click Configuration > Node > 7100 Series Configuration > Save Configuration File and choose a node from the pull-down list in Select Node. Click OK.
3 In Appliance Network Configuration, type the node netmask for Netmask.
4 In Default Router, type a value for Default Router. This should be the IP address of the default router for this node.
Note: Values for the netmask and default router will be automatically updated after the slave appliance is connected to the network and initially configured. These values will appear on the Advanced Network Options tab when you edit the node.
5 In DNS Server 1 and DNS Server 2, optionally type the IP addresses for the DNS servers.
6 Click OK.
7 In Save Config File, enter the filename and click Save. Network Security adds a timestamp to the filename to ensure uniqueness.
Note: The enc suffix is applied to any file name you enter. It means the file is encrypted. This is an automatic process and does not require you to enter a key or password.

Saving initial configuration to the hard drive


If no compact flash card is available during the save operation, the configuration is saved to the hard drive on the node.

To save an initial configuration to the hard drive
1  On the Network Security console, do one of the following:
   - On the Devices tab, right-click the 7100 Series node object whose configuration you wish to save, then click Configuration > 7100 Series Configuration > Save Configuration File.
   - On the main menu bar, click Configuration > Node > 7100 Series Configuration > Save Configuration File and choose a node from the pull-down list in Select Node. Click OK.
2  In Appliance Network Configuration, type the node netmask for Netmask.
3  In Default Router, type a value for Default Router. This should be the IP address of the default router for this node.

   Note: Values for the netmask and default router will be automatically updated after the slave appliance is connected to the network and initially configured. These values will appear on the Advanced Network Options tab when you edit the node.
4  In DNS Server 1 and DNS Server 2, optionally type the IP addresses for the DNS servers.
5  Click OK.
6  In the Save Config File window, do one of the following:
   - In File Name, click after the given path, enter a file name for the backup beginning with an appropriate slash character, and click Save. For example, on Windows:
     \NodeA_backup1
   - Click Save. This saves the node configuration into the default file:
     <path>\appcfg.enc
   - Browse to a different folder, enter a file name in the File Name text box, then click Save.

Note: The enc suffix is applied to any file name you enter. It means the file is encrypted. This is an automatic process and does not require you to enter a key or password.

Viewing a configuration file


You can view existing configuration files on compact flash, if available, and on the node hard drive. You can select the file to view from files on both the compact flash and the hard drive.

To view a configuration file
1  On the Network Security console, do one of the following:
   - On the Devices tab, right-click the 7100 Series node object whose configuration you wish to view, then click Configuration > 7100 Series Configuration > View Configuration File.
   - On the main menu bar, click Configuration > Node > 7100 Series Configuration > View Configuration File and choose a node from the pull-down list in Select Node. Click OK.
2  In View Configuration File, click the file you wish to view and click Open.
3  In Configuration File, view the information and click OK.

Reverting to the original installation


You can cause the 7100 Series to revert to the original manufacturer's installation if you want to completely reconfigure it. All existing configuration is erased, and the appliance is ready for initial configuration after this process.

Warning: The Revert to Original Install process will completely remove Symantec Network Security on the appliance. The node will also be removed from the topology in the Network Security console.

To revert to the original installation
1  On the Network Security console, do one of the following:
   - On the Devices tab, right-click the 7100 Series node object that you wish to revert, then click Configuration > 7100 Series Configuration > Revert to Original Install.
   - On the main menu bar, click Configuration > Node > 7100 Series Configuration > Revert to Original Install and choose a node from the pull-down list in Select Node. Click OK.
2  In Revert to Original Install, read the message and do one of the following:
   - Click Yes to revert the node.
   - Click No to abort this process.

Generating SSH keys


The Network Security console provides a way to generate SSH keys. Use SSH keys when using SCP to securely transfer log files from a 7100 Series appliance to another machine, or target host, which must support SSH and SCP. To use SCP, you must first generate SSH keys for your account on the 7100 Series node and install the resulting public key on the target host.

To generate SSH keys
1  On the Network Security console, do one of the following:
   - On the Devices tab, right-click the 7100 Series node object on which you wish to generate SSH keys, then click Configuration > 7100 Series Configuration > Generate SSH Keys.
   - On the main menu bar, click Configuration > Node > 7100 Series Configuration > Generate SSH Keys and choose a node from the pull-down list in Select Node. Click OK.
2  If a Warning is displayed, read the message and do one of the following:
   - Click Yes to generate new SSH keys. This replaces any existing keys.
   - Click No to exit the process.
3  In Generating SSH Keys, wait while Symantec Network Security generates the SSH keys.
4  In Public Key, read the public key filename at the top, and the instructions for installing it on the target host. In the instructions, <user_home_dir> is the home directory of the user on the target host who can use the public key to decrypt the transferred log files. This user should not be root.
5  Follow the instructions to add the public key to the target host, and click Close.
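The target-host side of step 5, as an added Python example that is not part of the guide or of Symantec's software: it places the node's public key in a non-root user's authorized_keys under <user_home_dir> with the permissions sshd requires, and refuses to install for root. The user name, home directory and key line are constructed placeholders.

```python
"""Added example (not from the guide): install the 7100 Series node's public
key into a non-root user's authorized_keys on the SCP target host."""
import os
import re
import tempfile

# Loose shape check for one OpenSSH public key line: type, base64 blob, comment.
_PUBKEY_RE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/]+=* ?[^\n]*$")


def install_public_key(user_home_dir, user, pubkey_line):
    """Append pubkey_line to <user_home_dir>/.ssh/authorized_keys.

    Returns True if the key was added, False if it was already present.
    Refuses root, as the guide advises, and enforces the modes sshd expects
    before it will honour the key (0700 for .ssh, 0600 for authorized_keys)."""
    if user == "root":
        raise ValueError("the log transfer target user should not be root")
    pubkey_line = pubkey_line.strip()
    if not _PUBKEY_RE.match(pubkey_line):
        raise ValueError("not a public key line")
    ssh_dir = os.path.join(user_home_dir, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs honours umask; force the mode
    auth = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(auth):
        with open(auth) as f:
            existing = [line.strip() for line in f]
    added = pubkey_line not in existing   # idempotent: never duplicate a key
    if added:
        with open(auth, "a") as f:
            f.write(pubkey_line + "\n")
    os.chmod(auth, 0o600)
    return added


def demo_install():
    """Constructed run in a temporary home directory; returns what happened."""
    # Constructed placeholder, not a real key.
    key = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQCxCONSTRUCTEDPLACEHOLDERKEY== "
           "netsec-node")
    with tempfile.TemporaryDirectory() as home:
        first = install_public_key(home, "loguser", key)
        second = install_public_key(home, "loguser", key)   # second call is a no-op
        auth = os.path.join(home, ".ssh", "authorized_keys")
        with open(auth) as f:
            count = sum(1 for line in f if line.strip() == key)
        dir_mode = os.stat(os.path.join(home, ".ssh")).st_mode & 0o777
        file_mode = os.stat(auth).st_mode & 0o777
        try:
            install_public_key(home, "root", key)
            root_refused = False
        except ValueError:
            root_refused = True
    return {"first": first, "second": second, "count": count,
            "dir_mode": dir_mode, "file_mode": file_mode,
            "root_refused": root_refused}


if __name__ == "__main__":
    print(demo_install())
```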

Using SCP to transfer log files


After generating and installing the SSH keys, you can configure log and database parameters for automatic log rotation to the target host.

To configure automatic log rotation
1  On the Network Security console, do one of the following:
   - On the Devices tab, right-click the 7100 Series node object, then click Configuration > Network Security Parameters.
   - On the main menu bar, click Configuration > Node > Network Security Parameters and choose a node from the pull-down list in Select Node. Click OK.
2  In Symantec Network Security Configuration Parameters, under Log and Database Parameters, set values for each of the listed parameters.
3  In Size to Trigger Rotation, enter the rotation size.
4  In Flag for SCP Usage, click True.
5  In Destination Host for SCP, type the target host name or IP address.
6  In User Account for SCP, type the user name to transfer files to on the target host.
7  In Destination Directory for SCP, type the directory to transfer files to on the target host.
8  In Limit Size for Archive Directory, type the maximum disk space allowed for archived files.
9  In Limit Size for Traffic Record Directory, type the maximum disk space allowed for traffic record data.
10 Click Apply.

Configuring advanced parameters


The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.

A variety of configurable parameters enable you to customize your Symantec Network Security intrusion detection system. Most parameters apply to both Symantec Network Security and Symantec Network Security 7100 Series systems, and to clusters, single nodes, and/or to sensors. This section describes the following topics:
- About parameters for clusters, nodes, and sensors
- About basic setup and advanced tuning
- Configuring node parameters
- Configuring basic parameters
- Configuring advanced parameters

About parameters for clusters, nodes, and sensors


Configurable parameters provide the tools for customizing the intrusion detection system to your environment at all levels. The majority of parameters can be set in both Network Security software nodes and 7100 Series appliance nodes, with a few exceptions.
- Cluster parameter: Applies to all Network Security software nodes or 7100 Series nodes across an entire cluster. The QSP Port Number setting is applied cluster-wide because it controls communication between all nodes in a cluster. It is applied first to the master node in a cluster, and then propagated throughout the cluster.
- Node parameters: Apply to an individual Network Security software node or 7100 Series node, or a subset of nodes within a cluster. Some settings depend on the processing capacity of the node and the amount of traffic you expect it to monitor.
  - Software nodes: The Network Security software nodes include parameters that allow for variations from the default during installation, such as Setting Event Writer File, Setting Compression Command, and Setting Location of SCP Binary. These configurations are pre-determined for appliances.
  - Appliance nodes: The Setting Lock LCD Screen parameter applies exclusively to 7100 Series nodes.
- Sensor parameters: Apply to sensor processes only, and can be applied to a single sensor or a group of sensors.

About basic setup and advanced tuning


Configurable parameters provide the tools for customizing the intrusion detection system to your environment. Two sets of parameters exist: one for basic setup and customizing to your environment, and one for advanced tuning for specialized circumstances.
- Basic: Include the basic tools to customize Symantec Network Security to your environment.
- Advanced: In most circumstances, advanced parameters are set with optimum defaults. For advanced users with very specialized circumstances, advanced parameters provide a way to tune the sensitivity.

Note: SuperUsers and Administrators can view and edit the parameter configurations. StandardUsers and RestrictedUsers can view them. See User groups reference on page 353 for more about permissions.

Configuring node parameters


The Network Security console provides a way to manage single peer nodes by configuring node parameters.

To configure node parameters
1  On the main menu bar, click Configuration > Node > Network Security Parameters.
2  In Select Node, choose the node from the pull-down list, and click OK.
3  In the left pane, click the parameter that you want to configure.
4  In the lower right corner of the Configuration Parameters pane, click the radio button or enter the value of the parameter.
5  Click Apply.
6  In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.

   Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7  Click OK to save the changes to this sensor and close.

Note: We recommend that you periodically back up the configuration database. See Backing up Symantec Network Security configurations on page 333.

Note: SuperUsers can configure advanced cluster, node, and sensor parameters; Administrators, StandardUsers, and RestrictedUsers cannot. See User groups reference on page 353 for more about permissions.

Configuring basic parameters


The Network Security console provides a way to configure basic automatic tasks using the following parameters:
- Configuring FlowChaser
- Tuning incident parameters
- Controlling user access
- Setting a cluster-wide parameter
- Integrating via Smart Agents
- Setting email notification parameters
- Configuring watchdog processes
- Configuring automatic archiving
- Transferring via SCP
- Exporting to file
- Setting automatic logging levels
- Exporting to SESA
- Exporting to SQL
- Exporting to syslog

Configuring advanced parameters


Advanced parameters are set with a default appropriate for optimum performance and sensitivity under most circumstances. The advanced parameters described in this section provide ways for a skilled SuperUser to troubleshoot, or to fine-tune some features for special circumstances. In most situations, it is not necessary to adjust advanced parameters.

This section includes the following advanced parameters:
- Setting Event Message Hashes
- Setting Event Destination Hashes
- Setting Event Queue Length
- Setting Event Rate Throttle

Setting Event Message Hashes


Event Message Hashes balance the rate of incoming events and adjust the analyzing logic by setting the number of hash buckets to keep. The default value of 7 is set for optimum performance, and you do not need to change it under most circumstances. However, if you expect a node to monitor an excessively large volume and variety of different attacks, you might increase the value to provide a larger number of message hashes.

To configure node parameters
1  On the main menu bar, click Configuration > Node > Network Security Parameters.
2  In Select Node, choose the node from the pull-down list, and click OK.
3  In the left pane, click Event Message Hashes.
4  In the lower right pane, enter the value.
5  Click Apply.
6  In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.

   Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7  Click OK to save the changes to this sensor and close.

Caution: Take note of the following precautions:
- Before making such changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
- Make sure that the system has enough RAM to support this advanced parameter.
- Restart Symantec Network Security for changes to this parameter to take effect.

Setting Event Destination Hashes


Event Destination Hashes balance the rate of incoming events and adjust the analyzing logic by setting the number of destination buckets to keep. The default value is set to 4 for optimum performance, and you do not need to change it under most circumstances. However, if you expect a node to monitor an excessively large number of ports, you might increase the value to provide a larger number of destination hashes.

To configure node parameters
1  On the main menu bar, click Configuration > Node > Network Security Parameters.
2  In Select Node, choose the node from the pull-down list, and click OK.
3  In the left pane, click Event Destination Hashes.
4  In the lower right pane, enter the value.
5  Click Apply.
6  In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.

   Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7  Click OK to save the changes to this sensor and close.

Caution: Take note of the following precautions:
- Before making such changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
- Make sure that the system has enough RAM to support this advanced parameter.
- Restart Symantec Network Security for changes to this parameter to take effect.


Setting Event Queue Length


Event Queue Length prevents the system from becoming overloaded during a denial-of-service attack. This parameter indicates the length of the event queue by setting the maximum number of elements that can wait in line in a particular hash bucket. This controls the rate that event data enters the system. The default value is set to 10 for optimum performance, and you do not need to change it under most circumstances. If a network experiences a high rate of DoS or other flood attacks, an increased number of event queues can prevent event expiration. Because there is little or no difference between individual events related to a flood incident, no critical information is lost by expiring the events.

To configure node parameters
1  On the main menu bar, click Configuration > Node > Network Security Parameters.
2  In Select Node, choose the node from the pull-down list, and click OK.
3  In the left pane, click Event Queue Length.
4  In the lower right pane, enter the value.
5  Click Apply.
6  In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.

   Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7  Click OK to save the changes to this sensor and close.

Caution: Take note of the following precautions:
- Before making such changes, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
- Make sure that the system has enough RAM to support this advanced parameter.
- Restart Symantec Network Security for changes to this parameter to take effect.


Setting Event Rate Throttle


Event Rate Throttle protects against system failure during flood attacks by controlling the rate at which the system accepts events. The default value is set to 150 events per second for optimum performance, and you do not need to lower it under most circumstances. Increase the value to see more events, but make sure that the system has sufficient RAM. Set the value at a number greater than 0, or the default will be triggered.

To configure node parameters
1  On the main menu bar, click Configuration > Node > Network Security Parameters.
2  In Select Node, choose the node from the pull-down list, and click OK.
3  In the left pane, click Event Rate Throttle.
4  In the lower right pane, enter the value.
5  Click Apply.
6  In Apply Changes To, select the node or subset of nodes that you want to apply the parameter to.

   Caution: If you apply this change to other nodes in the same cluster, those nodes receive the entire parameter configuration, in addition to the change you just made to a specific parameter. The new configuration overwrites any differences in parameter settings between the selected nodes.
7  Click OK to save the changes to this sensor and close.

Caution: Take note of the following precautions:
- Before changing the value, we recommend that you consult our support team at http://www.symantec.com/techsupp/enterprise
- Make sure that the system has enough RAM to support this parameter.
- Restart Symantec Network Security for changes to this parameter to take effect.
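To show how the four advanced parameters above (Event Message Hashes, Event Destination Hashes, Event Queue Length, Event Rate Throttle) trade off against each other during a flood, here is an added, deliberately simplified Python model; it is not Symantec's implementation. The defaults are the ones the guide documents; the bucket hashing, the one-second throttle window and the sample event stream are assumptions made for this illustration.

```python
"""Added model (not Symantec's code): events are hashed into message x
destination buckets, each bucket keeps at most Event Queue Length events
(the oldest expire when the bucket overflows), and Event Rate Throttle caps
how many events are accepted per second."""
from collections import Counter, deque
from dataclasses import dataclass
import math
import zlib


@dataclass(frozen=True)
class Event:
    message: str     # event name, e.g. the signature that fired
    dest_port: int
    t: float         # arrival time in seconds


class EventIntake:
    # Defaults match the values the guide documents for each parameter.
    def __init__(self, message_hashes=7, destination_hashes=4,
                 queue_length=10, rate_throttle=150):
        self.message_hashes = max(1, message_hashes)
        self.destination_hashes = max(1, destination_hashes)
        self.queue_length = max(1, queue_length)
        # A throttle of 0 or less falls back to the default, as the guide says.
        self.rate_throttle = rate_throttle if rate_throttle > 0 else 150
        self.queues = {}            # (msg_bucket, dst_bucket) -> deque of Event
        self.accepted = self.throttled = self.expired = 0
        self._window = None         # current one-second window (assumption)
        self._window_count = 0

    def _bucket(self, ev):
        # crc32 gives a stable hash across runs (Python's str hash is salted).
        m = zlib.crc32(ev.message.encode()) % self.message_hashes
        d = ev.dest_port % self.destination_hashes
        return (m, d)

    def submit(self, ev):
        """Return True if the event was accepted into a bucket queue."""
        window = math.floor(ev.t)
        if window != self._window:
            self._window, self._window_count = window, 0
        if self._window_count >= self.rate_throttle:
            self.throttled += 1     # rate throttle: refuse, do not queue
            return False
        self._window_count += 1
        q = self.queues.setdefault(self._bucket(ev), deque())
        if len(q) >= self.queue_length:
            q.popleft()             # bucket full: the oldest event expires
            self.expired += 1
        q.append(ev)
        self.accepted += 1
        return True

    def surviving(self):
        """Queued events (neither expired nor throttled), counted per message."""
        return Counter(ev.message for q in self.queues.values() for ev in q)


def flood_scenario(queue_length=10, rate_throttle=150):
    """Constructed stream: 500 identical flood events and 5 distinct events,
    all arriving within one second. Returns the intake after processing."""
    intake = EventIntake(queue_length=queue_length, rate_throttle=rate_throttle)
    distinct = {10: ("HTTP_Overflow_Attempt", 80), 20: ("SSH_Brute_Force", 22),
                30: ("DNS_Zone_Transfer", 53), 40: ("SMTP_Relay_Probe", 25),
                50: ("SNMP_Default_Community", 161)}
    for i in range(500):
        t = i * 0.002
        if i in distinct:
            msg, port = distinct[i]
            intake.submit(Event(msg, port, t))   # a few real events mid-flood
        intake.submit(Event("TCP_SYN_Flood", 80, t))
    return intake


if __name__ == "__main__":
    for ql, rt in ((10, 150), (10, 0), (1, 1000), (50, 1000)):
        r = flood_scenario(ql, rt)
        print(f"queue_length={ql:>3} rate_throttle={rt:>4}: accepted={r.accepted}"
              f" throttled={r.throttled} expired={r.expired} kept={dict(r.surviving())}")
```

Running it shows the flood bucket never holds more than Event Queue Length events no matter how long the flood runs, while the throttle decides how many of the 505 arrivals are looked at at all; a distinct event that hashes into the flood's bucket is expired along with the flood, which is the collision the hash-count parameters exist to reduce.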

Part IV

Appendices
The following appendices provide additional reference information:

- User groups reference
- SQL reference

Appendix

User groups reference


This appendix includes the following topics:

- About user groups
- Permissions by user group
- Permissions by task

About user groups


Symantec Network Security provides efficient, role-based administration using four user groups with predefined sets of permissions and access: SuperUser, Administrator, StandardUser, and RestrictedUser. During installation of the master node, a user login account is created for a SuperUser with full permissions to perform all tasks. The SuperUser can then create additional accounts in any of the four groups at any time after installation.

The four groups and their respective permissions are predefined: SuperUsers can add new accounts, but cannot modify the permissions granted to each account. The SuperUser manages all accounts from the Network Security console by logging into the master node, and the user database is then synchronized across all slave nodes in a cluster.

The installation procedure prompts for a passphrase. At a later time, change this passphrase or add new passphrases by clicking Admin > Manage Users in the Network Security console. To avoid making conflicting changes on master nodes, it is best to log into a single master node only, and make all changes there.

See also Permissions by user group on page 354 and Permissions by task on page 355.

Permissions by user group


Symantec Network Security grants specific sets of permissions to each of the following four user groups:

- SuperUsers: A user authenticated with full administrative capabilities. This user is allowed to perform all administrative tasks that the Network Security console can execute.
- Administrators: A user authenticated with partial administrative capabilities. This user is allowed to perform most administrative tasks, with the exception of some advanced actions.
- StandardUsers: A user authenticated with full read-only capabilities. This user is allowed to view all information in the Network Security console.
- RestrictedUsers: A user authenticated with partial read-only capabilities. This user is allowed to view most information in the Network Security console, with the exception of some advanced information and network-sensitive data.

Note: If you are not a member of one of these predefined groups, you will not be allowed access to the Network Security console at all.

Summary of permissions
This table provides a summary of the general categories of tasks that each user group has permission to perform:

Table A-1 Summary of user group capabilities

Reboot and restarting nodes (see Rebooting and restarting on page 355)
  SuperUsers: Full permissions
  Administrators: No permissions
  StandardUsers: No permissions
  RestrictedUsers: No permissions

Configure at node or cluster level (see Configuring at node or cluster level on page 356)
  SuperUsers: Full permissions
  Administrators: No permissions
  StandardUsers: No permissions
  RestrictedUsers: No permissions

Restart sensors (see Rebooting and restarting on page 355)
  SuperUsers: Full permissions
  Administrators: Full permissions
  StandardUsers: No permissions
  RestrictedUsers: No permissions

Configure at interface level (see Configuring at interface level on page 357)
  SuperUsers: Full permissions
  Administrators: Full or partial permissions
  StandardUsers: Full or partial permissions
  RestrictedUsers: View only

View (see Viewing only on page 359)
  SuperUsers: Full permissions
  Administrators: Full permissions
  StandardUsers: Full or partial permissions
  RestrictedUsers: Full or partial permissions

See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.

Permissions by task
This section describes in more detail the tasks that each user group has permission to perform. To see the tasks listed by category as in Summary of user group capabilities, see the following:
- Rebooting and restarting
- Configuring at node or cluster level
- Configuring at interface level
- Viewing only

To see all tasks listed in alphabetical order, see the following:
- Master list of permissions by task

Rebooting and restarting


This table describes which tasks can be performed by each user group:

Table A-2 User group capabilities to reboot and restart

Login via the Network Security console
  SuperUsers: Allowed to log in to both master and slave nodes, with read-only permission on the slave node except for promoting
  Administrators: Allowed to log in to the master node only; not allowed to log in to slave nodes
  StandardUsers: Allowed to log in to the master node only; not allowed to log in to slave nodes
  RestrictedUsers: Allowed to log in to the master node only; not allowed to log in to slave nodes

Reboot software or appliance nodes
  SuperUsers: Allowed to reboot
  Administrators: Not allowed to reboot
  StandardUsers: Not allowed to reboot
  RestrictedUsers: Not allowed to reboot

Restart software or appliance nodes
  SuperUsers: Allowed to restart
  Administrators: Not allowed to restart
  StandardUsers: Not allowed to restart
  RestrictedUsers: Not allowed to restart

Restart sensors
  SuperUsers: Allowed to restart
  Administrators: Allowed to restart
  StandardUsers: Not allowed to restart
  RestrictedUsers: Not allowed to restart

See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.

Configuring at node or cluster level


This table describes which tasks can be performed by each user group at the node or cluster level.

Table A-3 User group capabilities to configure at the node or cluster level

Unconfigure appliances
  SuperUsers: Allowed to unconfigure
  Administrators: Not allowed to unconfigure
  StandardUsers: Not allowed to unconfigure
  RestrictedUsers: Not allowed to unconfigure

Licensing
  SuperUsers: Allowed full access
  Administrators: Not allowed
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

LiveUpdate
  SuperUsers: Allowed full access
  Administrators: Not allowed
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Manage Users
  SuperUsers: Allowed to manage user login accounts
  Administrators: Not allowed
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Change Current Passphrase
  SuperUsers: Allowed to change passphrases of all users
  Administrators: Not allowed to change passphrases of other users
  StandardUsers: Not allowed to change passphrases of other users
  RestrictedUsers: Not allowed to change passphrases of other users

Monitoring Groups
  SuperUsers: Allowed to add, assign, and rename monitoring groups
  Administrators: Not allowed to configure monitoring groups
  StandardUsers: Not allowed to configure monitoring groups
  RestrictedUsers: Not allowed to configure monitoring groups

Response Rules
  SuperUsers: Allowed to configure all response rules
  Administrators: Allowed to configure all except custom response actions
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Response Action, Custom
  SuperUsers: Allowed to add, edit, and delete custom response actions
  Administrators: Allowed to view only
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Set Cluster Master
  SuperUsers: Allowed to set cluster master
  Administrators: Not allowed to set cluster master
  StandardUsers: Not allowed to set cluster master
  RestrictedUsers: Not allowed to set cluster master

Edit objects on topology tree
  SuperUsers: Allowed to view, add, edit, and delete all objects in the topology tree
  Administrators: Allowed to view, add, edit, and delete most objects in the topology tree (such as routers, Smart Agents, and locations), but not software or appliance nodes
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.

Configuring at interface level


This table describes which tasks can be performed by each user group at the interface level:

Table A-4 User group capabilities to configure at the interface level

Edit interfaces on software and appliance nodes
  SuperUsers: Allowed to add, edit, delete interfaces, interface groups, and in-line pairs
  Administrators: Allowed to add, edit, delete interfaces, interface groups, and in-line pairs
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Generate SSH keys on appliances
  SuperUsers: Allowed to generate
  Administrators: Allowed to generate
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Save Configuration File on appliances
  SuperUsers: Allowed to save
  Administrators: Allowed to save
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Write to Compact Flash on appliances
  SuperUsers: Allowed to write to compact flash
  Administrators: Allowed to write to compact flash
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Availability Monitor
  SuperUsers: Allowed to edit availability monitor
  Administrators: Allowed to edit availability monitor
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Force Database Sync
  SuperUsers: Allowed to force database sync
  Administrators: Allowed to force database sync
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Protection Policies
  SuperUsers: Allowed to add, apply, clone, edit, delete
  Administrators: Allowed to add, apply, clone, edit, delete
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Flow Alert Rules
  SuperUsers: Allowed to add, edit, and delete flow alert rules
  Administrators: Allowed to add, edit, and delete flow alert rules
  StandardUsers: Allowed to view only
  RestrictedUsers: Not allowed

Manage Backups
  SuperUsers: Allowed to manage
  Administrators: Allowed to manage
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Analyst Note Template for incidents and events
  SuperUsers: Allowed to edit template
  Administrators: Allowed to edit template
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Manage Logs
  SuperUsers: Allowed to manage
  Administrators: Allowed to manage
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Manage Reports
  SuperUsers: Allowed to manage
  Administrators: Allowed to manage
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Port Mapping
  SuperUsers: Allowed to add, edit, and delete
  Administrators: Allowed to add, edit, and delete
  StandardUsers: Not allowed to add, edit, and delete
  RestrictedUsers: Not allowed to add, edit, and delete

Reports, Scheduled
  SuperUsers: Allowed to schedule
  Administrators: Allowed to schedule
  StandardUsers: Not allowed
  RestrictedUsers: Not allowed

Response Rules
  SuperUsers: Allowed to configure all response rules
  Administrators: Allowed to configure all except custom response actions
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Signatures, User-defined
  SuperUsers: Allowed to add, edit, and delete
  Administrators: Allowed to add, edit, and delete
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Signature Variables
  SuperUsers: Allowed to add, edit, and delete
  Administrators: Allowed to add, edit, and delete
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Reports, Online
  SuperUsers: Allowed to generate all reports
  Administrators: Allowed to generate all reports
  StandardUsers: Allowed to generate all reports
  RestrictedUsers: Allowed to generate reports except devices with flow statistics reports

Annotate incidents and events
  SuperUsers: Allowed to annotate
  Administrators: Allowed to annotate
  StandardUsers: Allowed to annotate
  RestrictedUsers: Allowed to annotate

Change Current Passphrase
  SuperUsers: Allowed to change passphrases of all users
  Administrators: Allowed to change own passphrase only
  StandardUsers: Allowed to change own passphrase only
  RestrictedUsers: Allowed to change own passphrase only

Events, Columns
  SuperUsers: Allowed to adjust
  Administrators: Allowed to adjust
  StandardUsers: Allowed to adjust
  RestrictedUsers: Allowed to adjust

Events, Filters
  SuperUsers: Allowed to adjust
  Administrators: Allowed to adjust
  StandardUsers: Allowed to adjust
  RestrictedUsers: Allowed to adjust

Incidents, Columns
  SuperUsers: Allowed to adjust
  Administrators: Allowed to adjust
  StandardUsers: Allowed to adjust
  RestrictedUsers: Allowed to adjust

Incidents, Filters
  SuperUsers: Allowed to adjust
  Administrators: Allowed to adjust
  StandardUsers: Allowed to adjust
  RestrictedUsers: Allowed to adjust

Mark Incidents
  SuperUsers: Allowed to mark
  Administrators: Allowed to mark
  StandardUsers: Allowed to mark
  RestrictedUsers: Allowed to mark

Monitoring Groups
  SuperUsers: Allowed to add, assign, and rename monitoring groups
  Administrators: Allowed to choose
  StandardUsers: Allowed to choose
  RestrictedUsers: Allowed to choose

Table Font Size
  SuperUsers: Allowed to adjust
  Administrators: Allowed to adjust
  StandardUsers: Allowed to adjust
  RestrictedUsers: Allowed to adjust

See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.

Viewing only
This table describes which tasks are view only for each user group.

Table A-5 User group capabilities for viewing only

Events, packet data
  SuperUsers: Allowed to view detailed packet data
  Administrators: Allowed to view detailed packet data
  StandardUsers: Allowed to view detailed packet data
  RestrictedUsers: Not allowed

Flow Alert Rules
  SuperUsers: Allowed to add, edit, and delete flow alert rules
  Administrators: Allowed to add, edit, and delete flow alert rules
  StandardUsers: Allowed to view
  RestrictedUsers: Not allowed

Traffic Playback
  SuperUsers: Allowed to view only
  Administrators: Allowed to view only
  StandardUsers: Allowed to view only
  RestrictedUsers: Not allowed

View Current Flows
  SuperUsers: Allowed to view only
  Administrators: Allowed to view only
  StandardUsers: Allowed to view only
  RestrictedUsers: Not allowed

View Exported Flows
  SuperUsers: Allowed to view only
  Administrators: Allowed to view only
  StandardUsers: Allowed to view only
  RestrictedUsers: Not allowed

Appliance Configuration File
  SuperUsers: Allowed to view
  Administrators: Allowed to view
  StandardUsers: Allowed to view
  RestrictedUsers: Allowed to view

Events, general data
  SuperUsers: Allowed to view
  Administrators: Allowed to view
  StandardUsers: Allowed to view
  RestrictedUsers: Allowed to view

Incidents
  SuperUsers: Allowed to view
  Administrators: Allowed to view
  StandardUsers: Allowed to view
  RestrictedUsers: Allowed to view

Parameters
  SuperUsers: Allowed to edit
  Administrators: Allowed to edit
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Port Mapping
  SuperUsers: Allowed to add, edit, and delete
  Administrators: Allowed to add, edit, and delete
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Response Rules
  SuperUsers: Allowed to configure all response rules
  Administrators: Allowed to configure all except custom response actions
  StandardUsers: Allowed to view only
  RestrictedUsers: Allowed to view only

Topology tree
  SuperUsers: Allowed to view
  Administrators: Allowed to view
  StandardUsers: Allowed to view
  RestrictedUsers: Allowed to view

See also Master list of permissions by task on page 360 for a list of all permissions in alphabetical order.

Master list of permissions by task

This table provides a list of all tasks that can be performed by each user group, in alphabetical order:

Table A-6 User account capabilities

Analyst Note Template
  SuperUser: Allowed to edit template
  Administrator: Allowed to edit template
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Annotate incidents and events
  SuperUser: Allowed to annotate
  Administrator: Allowed to annotate
  StandardUser: Allowed to annotate
  RestrictedUser: Allowed to annotate

Appliance-specific, Generate SSH keys
  SuperUser: Allowed to generate
  Administrator: Allowed to generate
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Appliance-specific, Unconfigure
  SuperUser: Allowed to unconfigure
  Administrator: Not allowed
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Appliance-specific, Save Configuration File
  SuperUser: Allowed to save
  Administrator: Allowed to save
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Appliance-specific, View Configuration File
  SuperUser: Allowed to view
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Appliance-specific, Write to Compact Flash
  SuperUser: Allowed to write to compact flash
  Administrator: Allowed to write to compact flash
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Availability Monitor
  SuperUser: Allowed to edit availability monitor
  Administrator: Allowed to edit availability monitor
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Change Current Passphrase
  SuperUser: Allowed to change passphrases of all users
  Administrator: Allowed to change own passphrase only
  StandardUser: Allowed to change own passphrase only
  RestrictedUser: Allowed to change own passphrase only

Events, Columns
  SuperUser: Allowed to adjust
  Administrator: Allowed to adjust
  StandardUser: Allowed to adjust
  RestrictedUser: Allowed to adjust

Events, Filters
  SuperUser: Allowed to adjust
  Administrator: Allowed to adjust
  StandardUser: Allowed to adjust
  RestrictedUser: Allowed to adjust

Events, general data
  SuperUser: Allowed to view
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Events, packet data
  SuperUser: Allowed to view detailed packet data
  Administrator: Allowed to view detailed packet data
  StandardUser: Allowed to view detailed packet data
  RestrictedUser: Not allowed

Flow Alert Rules
  SuperUser: Allowed to add, edit, and delete flow alert rules
  Administrator: Allowed to add, edit, and delete flow alert rules
  StandardUser: Allowed to view
  RestrictedUser: Not allowed

Force Database Sync
  SuperUser: Allowed to force database sync
  Administrator: Allowed to force database sync
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Incidents
  SuperUser: Allowed to view
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Incidents, Columns
  SuperUser: Allowed to adjust
  Administrator: Allowed to adjust
  StandardUser: Allowed to adjust
  RestrictedUser: Allowed to adjust

Incidents, Filters
  SuperUser: Allowed to adjust
  Administrator: Allowed to adjust
  StandardUser: Allowed to adjust
  RestrictedUser: Allowed to adjust

Licensing
  SuperUser: Allowed full access
  Administrator: Not allowed
  StandardUser: Not allowed
  RestrictedUser: Not allowed

LiveUpdate
  SuperUser: Allowed full access
  Administrator: Not allowed
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Manage Backups
  SuperUser: Allowed to manage
  Administrator: Allowed to manage
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Manage Logs
  SuperUser: Allowed to manage
  Administrator: Allowed to manage
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Manage Reports
  SuperUser: Allowed to manage
  Administrator: Allowed to manage
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Manage Users
  SuperUser: Allowed to manage user login accounts
  Administrator: Not allowed
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Mark Incidents
  SuperUser: Allowed to mark
  Administrator: Allowed to mark
  StandardUser: Allowed to mark
  RestrictedUser: Allowed to mark

Monitoring Groups
  SuperUser: Allowed to add, assign, and rename monitoring groups
  Administrator: Allowed to choose
  StandardUser: Allowed to choose
  RestrictedUser: Allowed to choose

Nodes, both software and appliance
  SuperUser: Allowed to add, edit, and delete all objects, including software and appliance nodes
  Administrator: Allowed to edit the topology tree, but not software and appliance nodes
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Nodes, logging in to both software and appliance via the Network Security console
  SuperUser: Allowed to login to both master and slave nodes, with read-only permission on the slave node except for promoting
  Administrator: Allowed to login to master nodes only
  StandardUser: Allowed to login to master nodes only
  RestrictedUser: Allowed to login to master nodes only

Node Interfaces, both software and appliance
  SuperUser: Allowed to add, edit, and delete interfaces, interface groups, and in-line pairs
  Administrator: Allowed to add, edit, and delete interfaces, interface groups, and in-line pairs
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Parameters
  SuperUser: Allowed to edit
  Administrator: Allowed to edit
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Port Mapping
  SuperUser: Allowed to add, edit, and delete
  Administrator: Allowed to add, edit, and delete
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Protection Policies
  SuperUser: Allowed to add, apply, clone, edit, delete
  Administrator: Allowed to add, apply, clone, edit, delete
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Reboot Symantec Network Security Nodes
  SuperUser: Allowed to reboot
  Administrator: Not allowed
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Reports, Online
  SuperUser: Allowed to generate all reports
  Administrator: Allowed to generate all reports
  StandardUser: Allowed to generate all reports
  RestrictedUser: Allowed to generate reports except devices with flow statistics reports

Reports, Scheduled
  SuperUser: Allowed to schedule
  Administrator: Allowed to schedule
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Response Rules
  SuperUser: Allowed to configure all response rules
  Administrator: Allowed to configure all except custom response actions
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Response Action, Custom
  SuperUser: Allowed to add, edit, and delete custom response actions
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Restart Symantec Network Security Application
  SuperUser: Allowed to restart
  Administrator: Not allowed
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Restart Sensors
  SuperUser: Allowed to restart
  Administrator: Allowed to restart
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Set as Cluster Master
  SuperUser: Allowed to set cluster master
  Administrator: Not allowed
  StandardUser: Not allowed
  RestrictedUser: Not allowed

Signatures, User-defined
  SuperUser: Allowed to add, edit, and delete
  Administrator: Allowed to add, edit, and delete
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Signature Variables
  SuperUser: Allowed to add, edit, and delete
  Administrator: Allowed to add, edit, and delete
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Table Font Size
  SuperUser: Allowed to adjust
  Administrator: Allowed to adjust
  StandardUser: Allowed to adjust
  RestrictedUser: Allowed to adjust

Topology tree, edit nodes
  SuperUser: Allowed to view, add, edit, and delete all objects in the topology tree
  Administrator: Allowed to view, add, edit, and delete most objects in the topology tree (such as routers, Smart Agents, and locations), but not software or appliance nodes
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Topology tree, view
  SuperUser: Allowed to view
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Allowed to view

Traffic Playback
  SuperUser: Allowed to view
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Not allowed

View Current Flows
  SuperUser: Allowed to view
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Not allowed

View Exported Flows
  SuperUser: Allowed to view
  Administrator: Allowed to view
  StandardUser: Allowed to view
  RestrictedUser: Not allowed


Appendix

SQL reference
This appendix includes the following topics:

About SQL export parameters
Using Oracle tables
Using MySQL tables

About SQL export parameters


Symantec Network Security can export event and incident data to two supported SQL-compliant databases: Oracle 9i and MySQL 4.0. SuperUsers can enable this functionality. The Symantec Network Security software does not include the JDBC drivers required to export to Oracle and MySQL, so you must obtain and install them separately. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality. Most procedures in this section apply to both the 7100 Series appliance and the Symantec Network Security 4.0 software. The 7100 Series appliance also provides additional functionality that is unique to an appliance. Each section describes this additional functionality in detail.

Setting up SQL export

To export to Oracle 9i or MySQL 4.0, you must establish export tables for the incident and event databases, add the appropriate drivers manually, and configure the SQL Export Parameters.

To set up SQL export

1 Establish export tables for the incident and event databases, referencing the following files provided by Symantec Network Security:

  For the Oracle database, use the following:
  /usr/SNS/dbs/oracle-sqltable.statements

  For the MySQL database, use the following:
  /usr/SNS/dbs/mysql-sqltable.statements

2 The Symantec Network Security software does not include the JDBC drivers required to export to Oracle and MySQL, so you must obtain and install them separately. Add a supported driver manually into the appropriate location and naming convention as follows:

  For the Oracle driver, use the following:
  <sns root dir>/java/jdbcdriver-oracle-9i.jar

  For the MySQL driver, use the following:
  <sns root dir>/java/jdbcdriver-mm.mysql.2.0.14.jar

3 Restart Symantec Network Security.

4 Configure the SQL Export parameters. See Exporting to SQL on page 288.

Using Oracle tables


This section describes the structure of the incident and event tables that Symantec Network Security uses to export data to an Oracle database. To configure software or appliance nodes to export tables to Oracle, see also Exporting to SQL on page 288.

Oracle incident table
Oracle event table

Oracle incident table


The following table describes the structure of the table that Symantec Network Security uses to export incident data to an Oracle database:

Table B-1 Oracle Incident Table

class (varchar(33)): Indicates the class of the best event.
clusterID (integer): Indicates the user-defined Network Security cluster ID where the incident originated.
crtTime (integer): Indicates the time when this incident was created. Notes: Standard UNIX time format.
custID (varchar(41)): Indicates the Customer ID of the best event.
devid (varchar(33)): Indicates the ID of the device (deviceID from topology table) where the best event was detected. Notes: Used internally.
devName (varchar(33)): Indicates the device name of the best event.
eventNum (integer): Indicates the eventNum of the best event. This is the event that best represents this incident (usually the one with the highest severity).
family (varchar(33)): Indicates the family of the best event.
flowcookie (varchar(1025)): Indicates the flowcookie of the best event.
hasNote (integer): Indicates whether there are annotations for this incident. Notes: 0 = no annotations; 1 = has annotations.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifaceid (varchar(33)): Indicates the ID of the interface (interfaceID from the topology table) where the best event was detected. Notes: Used internally.
ifName (varchar(65)): Indicates the actual name of the interface associated with the best event, corresponding to ifaceid.
incidentID (varchar(33)): Indicates the unique string identifying this incident.
incidRefs (varchar(2049)): Indicates references to other incidents that have been cross-node correlated, using the following format: incidentID@nodenum, incidentID@nodenum, ... Notes: For example: 3d20b47d091e45e8@2, 3d20b45191f6ec72@3.
lastEvtTime (integer): Indicates the last time when an event was added to this incident.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this incident was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum (integer): Indicates the Network Security Node number where the incident originated.
numEvts (integer): Indicates the number of logged events in this incident.
poolid (varchar(33)): Indicates the ID of the interface group where this event was detected. Notes: Used internally.
poolName (varchar(33)): Indicates the name of the interface group where this event was detected.
reliability (integer): Indicates the reliability of the best event. Notes: Valid values are 1-10.
severity (integer): Indicates the severity of the best event. Notes: Valid values are 1-10.
state (integer): Indicates the state of this incident. Notes: 1 = active (currently being monitored by the AF); 0 = closed (archived to the db).
time (integer): Indicates the time when the incident record was last updated. Notes: Standard UNIX time format (seconds since 1970 GMT).
type (varchar(129)): Indicates the type of the best event.
viewed (integer): Indicates the marked status of this incident. Notes: 0 = Not yet marked by a Network Security console user; 1 = Marked by a Network Security console user, and unchanged since; 2 = Marked by a Network Security console user, but has changed since.

Oracle event table


The following table describes the structure of the SQL table that is used when Symantec Network Security exports event data to an Oracle database:

Table B-2 Oracle Event Table

atkaction (integer): Indicates the attempted action.
atkproc (varchar(3000)): Indicates the process name of the attacker, or blank if not applicable.
atkuser (varchar(255)): Indicates the username of the attacker, or blank if not applicable.
class (varchar(33)): Indicates the event class. Notes: sniffer - for security events; generic - for operational events, etc.
clusterID (integer): Indicates the user-defined Network Security cluster ID where the incident originated.
contextBuffer (varchar(512)): Indicates additional information sent by the sensor. Not every event will have context information. Notes: Example: For HTTP events, this may be a URL. For FTP events, this may be a username. Base-64 encoded.
contextDesc (varchar(512)): Indicates the description of the data in contextBuffer.
crtTime (integer): Indicates the time when this event was realized in the Analysis Framework. Notes: Standard UNIX time format (seconds since 1970 GMT).
custID (varchar(41)): Indicates the Customer ID that this event is associated with.
dips (varchar(195)): Indicates a list of destination IPs for this event.
dst_etheraddr (varchar(33)): Indicates the destination ethernet address.
dvName (varchar(41)): Indicates the name of the network device where the event was detected.
endTime (integer): Indicates the end time for this event, according to the sensor. Notes: Standard UNIX time format.
eventCode (varchar(65)): Indicates the Symantec standard code representing the event.
eventNum (integer): Indicates the event number for this incident. The first event in an incident will have an eventNum of 1. The eventNum will be incremented by 1 for each subsequent event.
flowcookie (varchar(1025)): Indicates the flowcookie.
fmly (varchar(33)): Indicates the event family. Notes: For class=sniffer events, this is integrity or availability. For class=generic events, this is fnotice or notice.
guiTxt (varchar(65)): Deprecated.
hdrInfo (varchar(2727)): Indicates the TCP/IP header information OR full packet. Notes: Base-64 encoded.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifID (varchar(33)): Indicates the ID of the interface (interfaceID from topology table) where this event was detected. Notes: Used internally.
ifName (varchar(33)): Indicates the name of the interface where this event was detected. Notes: For example: hme0.
incidentID (varchar(33)): Indicates a unique string identifier that identifies the incident to which this event belongs.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this event was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum (integer): Indicates the Network Security node number where the incident originated.
outcome (integer): Indicates that the event was blocked if integer is 1.
pldEnd (integer): Identifies the ending index of the region in payload where the anomaly was detected.
pldStt (integer): Identifies the starting index of the region in payload where the anomaly was detected.
poolID (varchar(33)): Indicates the ID of the pool ("poolID" from ifpooldb) where this event was detected. Notes: Used internally.
poolName (varchar(41)): Indicates the name of the interface group where this event was detected.
prot (varchar(33)): Indicates that the protocol was either IP, TCP, UDP, or ICMP.
pyld (varchar(513)): Indicates the portion of the packet that triggered this event. Notes: Base-64 encoded.
reliability (integer): Indicates the reliability of this event. Notes: Valid values are 1-10.
severity (integer): Indicates the severity of this event. Notes: Valid values are 1-10.
sips (varchar(195)): Indicates a list of source IPs for this event.
src_etheraddr (varchar(33)): Indicates the source ethernet address.
sttTime (integer): Indicates the start time for this event, according to the sensor. Notes: Standard UNIX time format.
trgtname (varchar(3000)): Indicates the name of the attacker's target, or blank if not applicable.
trgtntype (integer): Indicates the type of the attacker's target.
type (varchar(129)): Identifies the type of this event. This is the violation/anomaly that caused the event to be triggered. Notes: Format is as follows: VENDOR/EVENT_TAG. Example: RCRS/COUNTER_ICMP_HIGH.
vlanId (integer): Indicates the VLAN ID.
vndr (varchar(33)): Indicates the vendor of the sensor that detected the event.


Using MySQL tables


This section describes the structure of the incident and event tables that Symantec Network Security uses to export data to a MySQL database. To configure software or appliance nodes to export tables to MySQL, see also Exporting to SQL on page 288.

Note: MySQL supports varchar, but the maximum size of that field is limited to 255. Therefore, varchar fields that are larger than 255 in the MySQL statements become text fields, but if smaller than 255, they remain varchar.

MySQL incident table
MySQL event table

MySQL incident table


The following table describes the structure of the table that Symantec Network Security uses to export incident data to a MySQL database:

Table B-3 MySQL Incident Table

class (varchar(33)): Indicates the class of the best event.
clusterID (integer): Indicates the Network Security cluster ID where the incident originated.
crtTime (integer): Indicates the time that this incident was created. Notes: Standard UNIX time format.
custID (varchar(41)): Indicates the Customer ID of the best event.
devid (varchar(33)): Indicates the ID of the device (deviceID from topology table) where the best event was detected. Notes: Used internally.
devName (varchar(41)): Indicates the device name of the best event.
eventNum (integer): Indicates the eventNum of the best event. This is the event that best represents this incident (usually the one with the highest severity).
family (varchar(33)): Indicates the family of the best event.
flowcookie (text): Indicates the flowcookie of the best event.
hasNote (integer): Indicates whether there are annotations for this incident. Notes: 0 = no annotations; 1 = has annotations.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifaceid (varchar(33)): Indicates the ID of the interface (interfaceID from topology table) where the best event was detected. Notes: Used internally.
ifName (varchar(65)): Indicates the actual name of the interface associated with the event, corresponding to ifaceid.
incidentID (varchar(33)): Indicates the unique string identifying this incident.
incidRefs (text): Indicates references to other incidents that were cross-node correlated, using the following format: incidentID@nodenum, incidentID@nodenum, ... Notes: For example: 3d20b47d091e45e8@2, 3d20b45191f6ec72@3.
lastEvtTime (integer): Indicates the last time when an event was added to this incident.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this incident was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum (integer): Indicates the Network Security node number where the incident originated.
numEvts (integer): Indicates the number of logged events in this incident.
poolid (varchar(33)): Indicates the ID of the interface group where this event was detected. Notes: Used internally.
poolName (varchar(41)): Indicates the name of the interface group where this event was detected.
reliability (integer): Indicates the reliability of the best event. Notes: Valid values are 1-10.
severity (integer): Indicates the severity of the best event. Notes: Valid values are 1-10.
state (integer): Indicates the state of this incident. Notes: 1 = active (currently being monitored by the AF); 0 = closed (archived to the db).
time (integer): Indicates the time that the incident record was last updated. Notes: Standard UNIX time format (seconds since 1970 GMT).
type (varchar(129)): Indicates the type of the best event.
viewed (integer): Indicates the marked status of this incident. Notes: 0 = Not yet marked by a Network Security console user; 1 = Marked by a Network Security console user, and unchanged since; 2 = Marked by a Network Security console user, but has changed since.

MySQL event table


The following table describes the structure of the table that Symantec Network Security uses to export event data to a MySQL database:

Table B-4 MySQL Event Table

atkaction (integer): Indicates the attempted action.
atkproc (text): Indicates the process name of the attacker, or blank if not applicable.
atkuser (varchar(255)): Indicates the username of the attacker, or blank if not applicable.
class (varchar(33)): Indicates the event class. Notes: sniffer - for security events; generic - for operational events, etc.
clusterID (integer): Indicates the user-defined Network Security cluster ID where the incident originated.
contextBuffer (text): Indicates additional information sent by the sensor. Not every event will have context information. Notes: Example: For HTTP events, this may be a URL. For FTP events, this may be a username. Base-64 encoded.
contextDesc (text): Indicates the description of the data in contextBuffer.
crtTime (integer): Indicates the time when this event was realized in the analysis framework. Notes: Standard UNIX time format (seconds since 1970 GMT).
custID (varchar(41)): Indicates the Customer ID that this event is associated with.
dips (varchar(195)): Indicates a list of destination IPs for this event.
dst_etheraddr (varchar(33)): Indicates the destination ethernet address.
dvName (varchar(41)): Indicates the name of the network device where the event was detected.
endTime (integer): Indicates the end time for this event, according to the sensor. Notes: Standard UNIX time format.
eventCode (varchar(65)): Indicates the Symantec standard code representing the event.
eventNum (integer): Indicates the event number for this incident. The first event in an incident will have an eventNum of 1. The eventNum will be incremented by 1 for each subsequent event.
flowcookie (text): Indicates the flowcookie.
fmly (varchar(33)): Indicates the event family. Notes: For class=sniffer events, this is integrity or availability. For class=generic events, this is fnotice or notice.
guiTxt (varchar(65)): Deprecated.
hdrInfo (text): Indicates the TCP/IP header information OR full packet. Notes: Base-64 encoded.
ident (varchar(33)): Indicates the unique identifier for each type of message.
ifID (varchar(33)): Indicates the ID of the interface (interfaceID from the topology table) where this event was detected. Notes: Used internally.
ifName (varchar(65)): Indicates the name of the interface where this event was detected. Notes: For example: hme0.
incidentID (varchar(33)): Indicates a unique string identifier that identifies the incident to which this event belongs.
mappedType (varchar(128)): Indicates the mapped type of the event/incident corresponding to type.
module (varchar(33)): Indicates the module name where this event was generated. Notes: Used internally.
nodeName (varchar(255)): Indicates the hostname of the software or appliance node, corresponding to nodeNum.
nodeNum (integer): Indicates the Network Security node number where the incident originated.
outcome (integer): Indicates that the event was blocked if integer is 1.
pldEnd (integer): Identifies the ending index of the region in payload where the anomaly was detected.
pldStt (integer): Identifies the starting index of the region in payload where the anomaly was detected.
poolID (varchar(33)): Indicates the ID of the interface group where this event was detected. Notes: Used internally.
poolName (varchar(41)): Indicates the name of the interface group where this event was detected.
prot (varchar(33)): Indicates the protocol, either IP, TCP, UDP, or ICMP.
pyld (text): Indicates the portion of the packet that triggered this event. Notes: Base-64 encoded.
reliability (integer): Indicates the reliability of this event. Notes: Valid values are 1-10.
severity (integer): Indicates the severity of this event. Notes: Valid values are 1-10.
sips (varchar(195)): Indicates a list of source IPs for this event.
src_etheraddr (varchar(33)): Indicates the source ethernet address.
sttTime (integer): Indicates the start time for this event, according to the sensor. Notes: Standard UNIX time format.
trgtname (text): Indicates the name of the attacker's target, or blank if not applicable.
trgtntype (integer): Indicates the type of the attacker's target.
type (varchar(129)): Identifies the type of this event. This is the violation/anomaly that caused the event to be triggered. Notes: Format is as follows: VENDOR/EVENT_TAG. Example: RCRS/COUNTER_ICMP_HIGH.
vlanId (integer): Indicates the VLAN ID.
vndr (varchar(33)): Indicates the vendor of the sensor that detected the event.
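Anything that reads the exported Oracle or MySQL tables has to undo the encodings described in Tables B-1 to B-4: the Base-64 contextBuffer, hdrInfo and pyld fields, the UNIX-epoch time columns, the incidentID@nodenum list in incidRefs, the VENDOR/EVENT_TAG type string and the state, viewed and outcome codes. The following Python is an added example and not Symantec code; it assumes rows have already been fetched into dicts keyed by the column names above, the sample rows are constructed, and treating pldEnd as an exclusive index is an assumption the guide does not settle.

```python
import base64
from datetime import datetime, timezone

# Code values documented for the incident tables (B-1 / B-3).
INCIDENT_STATE = {1: "active (currently being monitored by the AF)", 0: "closed (archived to the db)"}
VIEWED_STATUS = {0: "not yet marked by a console user",
                 1: "marked by a console user, unchanged since",
                 2: "marked by a console user, changed since"}

def epoch_to_iso(seconds):
    """crtTime, sttTime, endTime, lastEvtTime and time are seconds since 1970 GMT."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).isoformat()

def decode_b64(field):
    """contextBuffer, hdrInfo and pyld are exported Base-64 encoded; NULL or empty means no data."""
    if not field:
        return b""
    return base64.b64decode(field, validate=True)

def parse_incid_refs(incid_refs):
    """incidRefs lists cross-node correlated incidents as 'incidentID@nodenum, incidentID@nodenum, ...'."""
    refs = []
    for item in (incid_refs or "").split(","):
        item = item.strip()
        if not item:
            continue
        incident_id, sep, node = item.rpartition("@")
        if not sep or not incident_id or not node.isdigit():
            raise ValueError("malformed incidRefs entry: %r" % item)
        refs.append((incident_id, int(node)))
    return refs

def split_event_type(type_field):
    """type is formatted VENDOR/EVENT_TAG, for example RCRS/COUNTER_ICMP_HIGH."""
    vendor, sep, tag = type_field.partition("/")
    if not sep or not vendor or not tag:
        raise ValueError("unexpected type format: %r" % type_field)
    return vendor, tag

def anomaly_region(event_row):
    """Bytes of the decoded pyld between pldStt and pldEnd (the start and end index of the anomalous
    region). Treating pldEnd as exclusive is an assumption; indices are clamped so a bad row cannot raise."""
    payload = decode_b64(event_row.get("pyld"))
    start = max(0, min(int(event_row["pldStt"]), len(payload)))
    end = max(start, min(int(event_row["pldEnd"]), len(payload)))
    return payload[start:end]

def decode_event(row):
    """Convert one exported event row (dict keyed by column name) into analyst-readable fields."""
    vendor, tag = split_event_type(row["type"])
    return {
        "incidentID": row["incidentID"],
        "eventNum": int(row["eventNum"]),
        "vendor": vendor,
        "event_tag": tag,
        "class": row["class"],
        "blocked": int(row["outcome"]) == 1,  # outcome is 1 when the event was blocked
        "protocol": row["prot"],
        "sources": row["sips"],
        "destinations": row["dips"],
        "start": epoch_to_iso(row["sttTime"]),
        "end": epoch_to_iso(row["endTime"]),
        "context_desc": row.get("contextDesc") or "",
        "context": decode_b64(row.get("contextBuffer")),
        "anomaly_bytes": anomaly_region(row),
    }

def decode_incident(row):
    """Convert one exported incident row into analyst-readable fields."""
    return {
        "incidentID": row["incidentID"],
        "state": INCIDENT_STATE[int(row["state"])],
        "viewed": VIEWED_STATUS[int(row["viewed"])],
        "best_eventNum": int(row["eventNum"]),  # eventNum of the event that best represents the incident
        "numEvts": int(row["numEvts"]),
        "created": epoch_to_iso(row["crtTime"]),
        "last_event": epoch_to_iso(row["lastEvtTime"]),
        "correlated_with": parse_incid_refs(row.get("incidRefs")),
    }

# Constructed sample rows (not real export data); only the columns used above are filled in.
SAMPLE_INCIDENT = {
    "incidentID": "3d20b47d091e45e8", "state": 1, "viewed": 0, "eventNum": 1, "numEvts": 3,
    "crtTime": 1100000000, "lastEvtTime": 1100000120, "incidRefs": "3d20b45191f6ec72@3",
}
SAMPLE_EVENT = {
    "incidentID": "3d20b47d091e45e8", "eventNum": 1, "class": "sniffer", "prot": "TCP",
    "type": "ACME/HTTP_URI_EXAMPLE",  # constructed VENDOR/EVENT_TAG value
    "outcome": 1, "sips": "192.0.2.10", "dips": "198.51.100.20",
    "sttTime": 1100000000, "endTime": 1100000001,
    "contextDesc": "URL", "contextBuffer": base64.b64encode(b"/index.html").decode(),
    "pyld": base64.b64encode(b"GET /index.html HTTP/1.0").decode(), "pldStt": 4, "pldEnd": 15,
}

if __name__ == "__main__":
    print(decode_incident(SAMPLE_INCIDENT))
    print(decode_event(SAMPLE_EVENT))
```

The same functions apply to both the Oracle and the MySQL tables, since only the column types (varchar versus text) differ between them.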


Glossary

This appendix defines terms used in this guide to categorize attack elements and system elements.
1000Base-SX
  1000 Mbps (1 Gbps) baseband Ethernet over two multimode optical fibers using shortwave laser optics.

access control
  The mechanisms and policies that restrict access to computer resources. An access control list (ACL), for example, specifies what operations different users can perform on specific files and directories.

access sharing
  The act of permitting two or more users simultaneous access to file servers or devices.

action
  A predefined response to an event or alert by a system or application.

active
  A status that indicates that a program, job, policy, or scan is running. For example, when a scheduled scan executes, it is considered active.

Administrator
  An individual with an account that is configured to perform administrative tasks, such as view reports, receive alerts, and add or delete objects. This group and its respective set of permissions is predefined, and cannot be modified. See also user account.

alarm
  A sound or visual signal that is triggered by an error condition.

alert
  See notification. See also event.

alert threshold
  A rule that monitors suspicious activity based on access attempts and time intervals. You can customize or disable the default threshold according to your needs.

ALERT_NUMBER
  Represents the number of times that the response rule has been triggered for the given incident.

appliance
  A specialized server designed for ease of installation and maintenance. Hardware and software are bundled, and applications are pre-installed. The device is plugged into a network and can begin working almost immediately with little configuration.

archive
  A collection of computer files that have been packaged together for backup, to transport to some other location, for saving away from the computer so that more hard disk storage can be made available, or for some other purpose. An archive can include a simple list of files or files organized under a directory or catalog structure (depending on how a particular program supports archiving).

asymmetric encryption
  A type of encryption that is based on the concept of a key pair. Also called public key cryptography. Each half of the pair (one key) can encrypt information so that only the other half (the other key) can decrypt it. One part of the key pair, the private key, is known only by the designated owner; the other part, the public key, is published widely but is still associated with the owner.

asynchronous transmission
  A form of data transmission in which information is sent intermittently. The sending device transmits a start bit and stop bit to indicate the beginning and end of a piece of data. See also synchronous transmission.

attack signature
  The features of network traffic, either in the heading of a packet or in the pattern of a group of packets, that distinguish attacks from legitimate traffic.

attribute
  A property of an object, such as a file or display device.

authenticated, self-signed SSL
  A type of Secure Sockets Layer (SSL) that provides authentication and data encryption through a self-signed certificate.

authentication
  The process of determining the identity of a user attempting to access a network. Authentication occurs through challenge/response, time-based code sequences, or other techniques. Authentication typically involves the use of a password, certificate, PIN, or other information that can be used to validate identity over a computer network. See also PAP (Password Authentication Protocol).

authentication token
  A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords. See also iButton.

authorization
  The process of determining the type of activities or access that is permitted on a network. Usually used in the context of authentication: once you have authenticated a user, the user can be authorized to have access to a specific service.

back door
  An entry point to a program or a system that is hidden or disguised, often created by the software's author for maintenance. A certain sequence of control characters permits access to the system manager account. If the back door becomes known, unauthorized users (or malicious software) can gain entry and cause damage.

bandwidth
  The amount of data transmitted or received per unit time. In digital systems, bandwidth is proportional to the data speed in bits per second (bps). Thus, a modem that works at 57,600 bps has twice the bandwidth of a modem that works at 28,800 bps.

baseline risk
  The risk that exists before safeguards are considered.

benefit
  The effectiveness of a safeguard in terms of vulnerability measure. If the safeguard is applied by itself, it lowers the danger that the vulnerability poses by the amount specified.

bezel
  The front panel of a Symantec Network Security 7100 Series appliance.

blocking
  A configured mode for preventing malicious or unwanted network traffic from passing a certain point in the network.

Glossary

381

bps (bits per second): A measure of the speed at which a device such as a modem can transfer bits of data.

Bridge: An application that retrieves events from non-SESA, native Symantec products and places them in the SESA DataStore.

broadcast: To simultaneously send the same message to all users on a network.

BTO server: A build-to-order server is a PC or laptop running Red Hat Linux, configured as a DHCP server, TFTP server, and NFS server. It uses the Red Hat kickstart mechanism to load a Symantec Network Security 7100 Series appliance with initial software.

buffer overflow attack: An attack that works by exploiting a known bug in one of the applications running on a server. This then causes the application to overlay system areas, such as the system stack, thus allowing the attacker to gain administrative rights. In most cases, this gives the attacker complete control over the system. Also called stack overflow.

bypass unit: A device that provides the ability to transparently detour network traffic around a malfunctioning Ethernet network appliance.

cable: A group of wires that are enclosed in a protective tube. Usually this is an organized set of wires that correspond to specific pins on a 9- or 25-pin connector located at each end. A cable is used to connect peripheral devices to each other or to another computer. In remote computing, this can refer to a cable that is used to connect a computer to a modem, or a cable that connects two computers directly, which is sometimes called a null modem cable.

cache file: A file that is used to improve the performance of Microsoft Windows. The cache file is established on the remote computer and is used to hold Windows bitmap data. If the bitmap data is in the cache file when a Windows screen is redrawn, the data does not have to be resent, which results in better performance.

capability: The measure of a threat's technical expertise or knowledge of a system's connectivity.

CD start: A screen that is usually the first thing a customer will see after inserting the Symantec product CD.

certificate: A file that is used by cryptographic systems as proof of identity. It contains a user's name and public key.

Certificate Authority-signed SSL: A type of Secure Sockets Layer (SSL) that provides authentication and data encryption through a certificate that is digitally signed by a Certificate Authority.

CGI (Common Gateway Interface) exploit: A denial of service attack that is aimed at the Common Gateway Interface (CGI). CGI is a standard way for a Web server to pass a Web user's request to an application program and to receive data back to forward to the user. It is part of the Web's Hypertext Transfer Protocol (HTTP).

channel: A communication medium for transferring information. Also called a line or circuit. Depending on its type, a communications channel can carry information in analog or digital form. A communications channel can be a physical link, such as a cable that connects two stations in a network, or it can consist of some electromagnetic transmission.

checksum: A count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, it is assumed that the complete transmission was received. Also called hash.

Checksums: A checksum is a value that is generated to verify the integrity of data, and stored or transmitted with the data that it verifies. To verify the data, the receiver generates a second checksum and compares the two checksums. If the values match, this confirms that the data has not been altered or contaminated.

CLI (Command Line Interface): A utility that provides an alternate way to execute commands in UNIX and Windows NT environments.

cluster: A group of two or more nodes that are linked together to share attack data and/or to provide continued operation in the event that one server fails. A cluster can include up to 125 Network Security software nodes across multiple network segments within multiple network locations.

COM (communications) port: A location for sending and receiving serial data transmissions. Also called a serial port. These ports are referred to as COM1, COM2, COM3, and COM4.

communications protocol: A set of rules that are designed to let computers exchange data. A communications protocol defines issues such as transmission rate, interval type, and mode.

compact flash (CF): Digital memory technology providing non-volatile data storage on a compact flash card, readable and writable by a compact flash adaptor on a computer.

Network Security console: The graphical user interface (GUI) that is provided for centralized administration of software and appliance nodes and node clusters in Symantec Network Security.

content scanning or screening: The ability to review the actual information that an end user sees when using a specific Internet application, for example, the content of email messages.

content virus: A virus that is commonly protected against with a virus scanner. See also data-driven attack.

control: A safeguard that mitigates a vulnerability or exposure and reduces risk. Examples are strong user passwords, applying vendor patches, and removing unneeded services.

copy port: See interface, monitoring.

correlation: The intelligent association of disparate items into a related group.

CSP (Client Server Protocol): A protocol that packages and sends data from component to component using the various transports that ESM supports. CSP bundles the data and places it on the network in whatever way is appropriate for the transport mechanism.

current risk: The risk that remains after safeguards have been applied.

current vulnerability measure: The danger that is posed by a vulnerability after you have accounted for the safeguards that you use to secure it. If you use a valid safeguard, the current vulnerability measure is less than the default vulnerability measure.

daemon: A program that runs continuously and exists for the purpose of handling periodic service requests that a computer system expects to receive. The daemon forwards the requests to other programs (or processes) as appropriate. A typical example of a daemon can be seen on Web servers. Each server has a Hypertext Transfer Protocol Daemon (HTTPD) that continually waits for requests to come in from Web clients and their users.

data rate: The speed at which information is moved from one location to another. Data rates are commonly measured in kilobits (thousand bits), megabits (million bits), and megabytes (million bytes) per second. Modems, for example, are generally measured in kilobits per second (Kbps).

data transfer: The movement of information from one location to another. The speed of transfer is called the data rate or data transfer rate.

data transmission: The electronic transfer of information from a sending device to a receiving device.

data-driven attack: A form of intrusion in which the attack is encoded in seemingly innocuous data. It is subsequently executed by a user or other software to actually implement the attack.

decode: To convert encoded text to plain text through the use of a code.

decrypt: To convert either encoded or enciphered text into plain text.

dedicated device: A special-purpose device. Although it is capable of performing other duties, it is assigned to only one.

denial of service (DoS) attack: A type of attack in which a user or program takes up all of the system resources by launching a multitude of requests, leaving no resources and thereby denying service to other users. Typically, denial of service attacks are aimed at bandwidth control.

deployment: The installation of a network of security products, such as Symantec Network Security (nodes and Network Security console), Symantec Network Security 7100 Series appliances, and Symantec Network Security Smart Agents to form an enterprise security environment.

DES (Data Encryption Standard): A widely used method of data encryption using a private (secret) key that was judged so difficult to break by the U.S. government that it was restricted for exportation to other countries. There are 72,000,000,000,000,000 (72 quadrillion) or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and the receiver must know and use the same private key.

dial: To initiate a connection via LAN, modem, or direct connection, whether or not actual dialing is involved.

dialer: A program that uses your system, without your permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

dialog box: A secondary window containing command buttons and options available to users for carrying out a particular command or task.

digital certificate: A digital certificate is an electronic credit card that establishes a user's credentials when doing business or other transactions on the Web. It is issued by a Certificate Authority (CA). It contains the user's name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting and decrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.

digital signature: An electronic rather than a written signature that can be used by someone to authenticate the identity of the sender of a message or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged. Additional benefits to the use of a digital signature are that it is easily transportable, cannot be easily repudiated, cannot be imitated by someone else, and can be automatically time-stamped.

direct connection: A form of data communication in which one computer is directly connected to another, usually via a null modem cable.

disabled: A status that indicates that a program, job, policy, or scan is not available. For example, if scheduled scans are disabled, a scheduled scan does not execute when the date and time specified for the scan is reached.

DMZ (de-militarized zone): A network added between a protected network and an external network to provide an additional layer of security. Sometimes called a perimeter network.

DNS (Domain Name System): A hierarchical system of host naming that groups TCP/IP hosts into categories. For example, in the Internet naming scheme, names with .com extensions identify hosts in commercial businesses.

DNS spoofing: The act of breaching the trust relationship by assuming the Domain Name System (DNS) name of another system. This is usually accomplished by either corrupting the name service cache of a victim system or by compromising a Domain Name Server for a valid domain.

domain: A group of computers or devices that share a common directory database and are administered as a unit. On the Internet, domains organize network addresses into hierarchical subsets. For example, the .com domain identifies host systems that are used for commercial business.

download: To transfer data from one computer to another, usually over a modem or network. Usually refers to the act of transferring a file from the Internet, a bulletin board system (BBS), or an online service to one's own computer.

DSX (Dynamic Security Extension): A proprietary technology that is patented and works in the following way. The operating system has a system call (or vector) table that contains memory address pointers for each system call. These pointers point to a location in memory where the actual kernel code of the system calls resides. DSX stores the address pointers for the security-sensitive system calls and then redirects these pointers to the corresponding SECURED system call code, which is located elsewhere in memory.

email bomb: A code that, when executed, sends many messages to the same address(es) for the purpose of using up disk space or overloading an email or Web server.

email client: An application from which users can create, send, and read email messages.

email server: An application that controls the distribution and storage of email messages.

enabled: A status that indicates that a program, job, policy, or scan is available. For example, if scheduled scans are enabled, any scheduled scan will execute when the date and time specified for the scan is reached.

encryption: A method of scrambling or encoding data to prevent unauthorized users from reading or tampering with the data. Only those who have access to a password or key can decrypt and use the data. The data can include messages, files, folders, or disks.

end-to-end encryption: The process of using encryption at the point of origin in a network, followed by decryption at the destination.

ESP (Encapsulated Security Payload): A standard that provides confidentiality for IP datagrams or packets by encrypting the payload data to be protected. Datagrams and packets are the message units that the Internet Protocol deals with and that the Internet transports.

Ethernet: A local area network (LAN) protocol developed by Xerox Corporation in cooperation with DEC and Intel in 1976. Ethernet uses a bus or star topology and supports data transfer rates of 100 Mbps.

Ethernet interface: NIC interfaces on the Network Security or network devices capable of up to 100Mb/s, half or full-duplex, of Ethernet traffic.

event: A message that is generated by a product to indicate that something has happened.

event management: The centralized collection, classification, and normalization of events to enable alerting and reporting across multivendor managed security products.

event type: A predefined event category that is used for sorting reports and configuring events and alerts.

event, base: A significant occurrence in a system or application that Symantec Network Security detects. Base events are the detected activities at the most elemental level. For detailed descriptions of events, see About the Web sites on page 22.

exploit: 1. A method used to compromise the integrity, availability, or confidentiality of information or services. 2. A program that automates a method to compromise the integrity, availability, or confidentiality of information or services.

exposure: A vulnerability that is inherent in a legitimate service or system.

external threat: A threat that originates outside of an organization.

fail-open: The ability of a network appliance to allow network traffic to continue even when the appliance itself experiences a failure. This differs from failover in that other appliance functionality is not continued by another device when the failure occurs.

failover: An automated strategy to provide high availability and redundancy by deploying a standby node to take over if the master node fails or is shut down for servicing. See also watchdog process.

false negative: An unrecognized and/or unreported activity or state that requires response, such as a virus or intrusion that is not detected.

false positive: A reported activity or state that does not require response because it was reported incorrectly or does not pose a threat. Too many false positives can become intrusive in themselves.

fault tolerance: A design method that ensures continued systems operation in the event of individual failures by providing redundant system elements.

FDDI (Fiber Distributed Data Interface): A set of ANSI protocols used for sending digital data over fiber optic cable. FDDI networks are token-passing networks and support data rates of up to 100 Mb (100 million bits) per second. FDDI networks are typically used as backbones for wide area networks.

file transfer: The process of using communications to send a file from one computer to another. In communications, a protocol must be agreed upon by sending and receiving computers before a file transfer can occur.

filter: A program or section of code that is designed to examine each input or output request for certain qualifying criteria and then process or forward it accordingly. Also a method of querying a list to produce a subset of items with specified characteristics.

firewall: A program that protects the resources of one network from users from other networks. Often, an enterprise with an intranet that allows its workers access to the wider Internet will install a firewall to prevent outsiders from accessing its own private data resources.

firewall denial of service: A denial of service attack aimed directly at the firewall.

firewall hardware/software: A physical or virtual boundary to secure a network or network segment. A firewall can identify and permit or block network traffic based on multiple criteria including originating domain, network port number, and originating network IP address.

flooding program: A program that contains code that, when executed, will bombard the selected system with requests in an effort to slow down or shut down the system.

flowcookie: A message in string format that includes details about a particular event, such as IP addresses, attack details, ports, etc.

follow-up: The final phase of response to an incident. All other phases seek the most efficient path to this phase. Reporting is a key action in this phase.

FQDN (fully qualified domain name): A URL that consists of a host and domain name, including top-level domain. For example, www.symantec.com is a fully qualified domain name. www is the host, symantec is the second-level domain, and .com is the top-level domain.

FTP (File Transfer Protocol): The simplest way to exchange files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers email, FTP is an application protocol that uses the Internet's TCP/IP protocols.

gateway: A network point that acts as an entrance to another network. In a company network, a proxy server acts as a gateway between the internal network and the Internet. A gateway can also be any computer or service that passes packets from one network to another network during their trip across the Internet.

gating: See blocking.

gigabit Ethernet interface: NIC interfaces on the Network Security or network devices capable of up to 1000Mb/s, half or full-duplex, of Ethernet traffic.

granularity: The relative fineness or coarseness by which a mechanism can be adjusted.

greyware: Programs that do not contain viruses and that are not obviously malicious, but which can be annoying or even harmful to the user. For example, hack tools, accessware, spyware, adware, dialers, and joke programs.

group: A category of user accounts in Symantec Network Security that contains specific, predefined permissions and rights. See also user account.

group, monitoring: A subset of a cluster.

hack: A program in which a significant portion of the code was originally another program.

hack tool: A tool that is used by a hacker to gain unauthorized access to a computer. One type of hack tool is a keystroke logger, which is a program that tracks and records individual keystrokes and can send this information back to the hacker.

hacker: A term used by some to mean a clever programmer and by others, especially journalists or their editors, to mean someone who tries to break into computer systems.

hardware setup: A set of hardware parameters, such as modem type, port/device, and data rate, that is used as a singular named resource in launching a host or remote session.

heuristic: A technology that uses experience-based knowledge rather than virus definitions to identify new threats by examining files for suspicious behavior.

high availability: See watchdog process.

hijacking: The control of a connection taken by the attacker after the user authentication has been established.

host: 1. In a network environment, a computer that provides data and services to other computers. Services might include peripheral devices, such as printers, data storage, email, or World Wide Web access. 2. In a remote control environment, a computer to which remote users connect to access or exchange data.

host-based security: The technique of securing an individual system from attack. Host-based security is operating system-dependent and version-dependent.

HTML (Hypertext Markup Language): A standard set of commands used to structure documents and format text so that it can be used on the Web.

HTTP (Hypertext Transfer Protocol): The set of rules for exchanging files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. Similar to the TCP/IP suite of protocols (the basis for information exchange on the Internet), HTTP is an application protocol.

HTTPS (Hypertext Transfer Protocol Secure): A variation of HTTP that is enhanced by a security mechanism, which is usually Secure Sockets Layer (SSL).

hybrid gateway: An unusual configuration with routers that maintain the complete state of the TCP/IP connections or examine the traffic to try to detect and prevent attack (this may involve the bastion host). If very complicated, it is difficult to attack, and difficult to maintain and audit.

iButton: A dime-size hardware device that stores the private key portion of the Network Security signature certificate to safeguard the private key against being stolen or compromised. The iButton also confirms the identity of a Network Security node.

icon: A graphic representation of a container, document, network object, or other data that users can open or manipulate in an application.

inactive: A status that indicates that a program, job, policy, or scan is not currently running. For example, when a scheduled scan is waiting for the specified date and time to execute, it is inactive.

incident: A security occurrence that requires closure. Incidents are derived from an event or a group of events that are generated by a security point product. When a sensor detects a suspicious event, it correlates the event to an incident containing similar or related events. Multiple related events that indicate a possible attack are categorized as incidents. Incidents derive their names from the highest priority event type that is correlated to the incident.

incident type: A generic grouping that indicates key aspects of an incident based on attributes of related vulnerabilities. Denial of service (DoS) and root compromise are examples of such groupings.

initialize: To prepare for use. In communications, to set a modem and software parameters at the start of a session.

in-line: A method of connecting to the network that makes the device an integral part of the network traffic path or route.

insertion point: The place where typed text or a dragged or pasted selection appears.

insider attack: An attack originating from inside a protected network.

intelligence: The continual analysis of threats, vulnerabilities, and system and network environments to better provide information, as opposed to data, which aids in the protection of system and network environments.

interface group: A collection of multiple monitoring interfaces on a Symantec Network Security 7100 Series appliance sharing one sensor process which correlates all network traffic as if it were seen by a single interface.

interface pair: Two monitoring interfaces that are configured together using in-line mode. One of the pair connects to the inside network, and the other connects to the outside network.

interface, monitoring: A designated port (also called copy port or mirror port) that creates a copy of the traffic flow on a specific network device. The monitor interface sends this data to Symantec Network Security to examine out-of-band so there is no loss of network functionality.

internal threat: A threat that originates within an organization.

Internet: A web of different, intercommunicating networks funded by both commercial and government organizations. It connects networks in many countries. No one owns or runs the Internet. There are thousands of enterprise networks connected to the Internet, and there are millions of users, with thousands more joining every day.

intrusion detection: A security service that monitors and analyzes system events for the purpose of finding and providing real-time, or near real-time, warning of attempts to access system resources in an unauthorized manner.

intrusion management: The centralized management of intrusion-based security technologies to identify, manage, and mitigate network intrusions based on security policy.

IP (Internet Protocol): The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one address that uniquely identifies it to all other computers on the Internet.

IP address: A unique number that identifies a workstation on a TCP/IP network and specifies routing information. Each workstation on a network must be assigned a unique IP address, which consists of the network ID, plus a unique host ID assigned by the network administrator. This address is usually represented in dot-decimal notation, with the decimal values separated by a period (for example 123.45.6.24).

IP hijacking: An attack in which an active, established session is intercepted and taken over by the attacker. This attack may take place after authentication has occurred, which allows the attacker to assume the role of an already authorized user.

IP spoofing: An attack in which someone intercepts and co-opts an active, established session. IP spoofing is also an attack method by which IP packets are sent with a false source address, which may try to circumvent firewalls by adopting the IP address of a trusted source. This fools the firewall into thinking that the packets from the hacker are actually from a trusted source. IP spoofing can also be used simply to hide the true origin of an attack.

IPSec (Internet Protocol Security): A developing standard for security at the network or packet-processing layer of network communication. IPSec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both the authentication of the sender and encryption of data as well. IPSec is widely used with virtual private networks.

ISDN (Integrated Services Digital Network): A high-speed, digital, high-bandwidth telephone line that allows simultaneous voice and data transmission over the same line. ISDN is one of the always-on class of connections.

ISP (Internet service provider): An organization or company that provides dial-up or other access to the Internet, usually for money.

joke program: A program that changes or interrupts the normal behavior of a computer, for example, making the mouse click in reverse.

key: A variable value in cryptography that is applied (using an algorithm) to a string or block of unencrypted text to produce encrypted text. A key is also a series of numbers or symbols that are used to encode or decode encrypted data.

L2F (Layer Two Forwarding) Protocol: A protocol that supports the creation of secure virtual private dial-up networks over the Internet.

LAN (local area network): A group of computers and other devices in a relatively limited area (such as a single building) that are connected by a communications link that enables any device to interact with any other device on the network.

LDAP (Lightweight Directory Access Protocol): A software protocol that enables anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the Internet or on a corporate intranet. LDAP is a lightweight (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.

least privilege: The process of designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges can perform unauthorized activity resulting in a security breach.

license key: A unique identification number used to register a Symantec product.

local attack: An attack that takes place against a computer or a network to which the attacker already has either physical or legitimate remote access. This can include the computer that the attacker is actually using or a network to which that computer is connected.

log: A record of actions and events that take place on a computer.

logging: The process of storing information about events that occurred on a firewall or network.

logic bomb: The malicious code that is inserted into a program and designed to lie dormant until a specific event occurs, such as a specific date being reached or a user typing a specific command. At this time, the logic bomb triggers, usually to destroy or modify data without the knowledge or authorization of the computer user.

MAC (Media Access Control): On a network, a computer's unique hardware number. The MAC address is used by the Media Access Control sublayer of the Data Link Control (DLC) layer of telecommunication protocols. There is a different MAC sublayer for each physical device type. The data-link layer is the protocol layer in a program that handles the moving of data in and out across a physical link in a network.

malicious code: Programs such as viruses, worms, logic bombs, and Trojan horses that are surreptitiously inserted into programs to destroy data, run destructive or intrusive programs, or otherwise compromise the security or integrity of the victim's computer data.

malware: Programs and files that are created to do harm. Malware includes computer viruses, worms, and Trojan horses.

manipulation: The insertion of arbitrary streams of data without the user noticing.

menu bar: The horizontal area at the top of a window containing all of the commands appropriate to the selected console view tab.

MIB (Management Information Base): A database of objects that can be monitored by a network management system. Both SNMP and RMON use standardized MIB formats that allow any SNMP and RMON tools to monitor any device defined by an MIB.

middleware: An application that connects two otherwise separate applications.

MIME (Multipurpose Internet Mail Extensions): A protocol used for transmitting documents with different formats via the Internet.

mirror port: See interface, monitoring.

mode: A system state in which a single action or a series of actions are performed. A mode has an On condition and an Off condition. For example, in-line mode for interfaces in a Symantec Network Security 7100 Series appliance is On if a security administrator configures those interfaces for in-line mode, and does the proper cabling of the ports. Using in-line mode, the appliance is placed into the network path, and can block malicious traffic.

monitoring: The viewing of activity in a security environment, generally in real-time. Monitoring allows security administrators to view the content of applications that are being used.

monitoring interface: See interface, monitoring.

MSA: See Symantec Network Security Smart Agents.

multicast: To simultaneously send the same message to a select group of recipients on a network, as opposed to broadcasting to all recipients on a network. Sometimes used synonymously with narrowcast.

multiuser: Of, or pertaining to, the ability of multiple, concurrent users to log on and run applications from a single server.

name server: A computer running a program that converts domain names into appropriate IP addresses and vice versa.

near real-time
The timely action in response to an event, incident, or alert.

network
A group of computers and associated devices that are connected by communications facilities (both hardware and software) to share information and peripheral devices such as printers and modems.

network tap
See interface, monitoring.

network worm
A program or command file that uses a computer network as a means for adversely affecting a system's integrity, reliability, or availability. A network worm can attack from one system to another by establishing a network connection. It is usually a self-contained program that does not need to attach itself to a host file to infiltrate network after network.

NIC
See Ethernet interface and gigabit Ethernet interface.

NIDS (network-based intrusion detection system)
A type of intrusion detection system that works at the network level by monitoring packets on the network and gauging whether a hacker is attempting to send a large number of connection requests to a computer on the network, indicating an attempt either to break into a system or to cause a denial of service attack. Unlike other intrusion detection systems, a NIDS is able to monitor numerous computers at once.

NNTP (Network News Transfer Protocol)
The predominant protocol used by computers (servers and clients) for managing the notes posted on newsgroups. NNTP replaced the original Usenet protocol, UNIX-to-UNIX.

node, active
The primary node in a watchdog process or failover group, from which all activity predominates. See also node, standby.

node, master
A primary Symantec Network Security installation that ranks above all other Network Security nodes in a group or cluster. By default, the first Network Security installation is designated as a master node, and all other Network Security nodes within the cluster are designated as slave nodes. Changes to a master node are propagated to the slave nodes in a cluster.

node, network
See object.

node, Network Security
The main component of Symantec Network Security that includes comprehensive detection, analysis, and response functionality. Network Security nodes can be administered via the Network Security console, and can be deployed singly or grouped for cross-node correlation.

node, standby
The standby node or nodes in a watchdog process or failover group serve as a backup if your active master node fails or is shut down for servicing.

node, slave
A Symantec Network Security installation that ranks below a master Network Security node in a group or cluster. By default, the first Symantec Network Security installation is designated as a master node, and all other Network Security nodes within the cluster are designated as slave nodes. The slave nodes receive updates to their topology, response rule, and configuration databases from a master Network Security software node in the cluster.


node, standby
The secondary node or nodes in a watchdog process or failover group. Standby nodes monitor traffic flows on designated network devices, but do not log data unless the active node fails. Standby nodes wait until the active node is out of commission before becoming active.

notification
An automatic alert message that notifies a security administrator that an event or error has occurred, or a predefined response that is triggered by a system condition, such as an event or error condition. Typical responses include sound or visual signals, such as displaying a message box, sending email, or paging a security administrator. The security administrator may be able to configure the response.

object
A graphical representation of a device or entity on your network with a unique address. You can create objects to represent network or Network Security devices such as servers or routers, as well as entities such as network segments or interfaces. The Network Security console displays objects in the topology tree on the Devices tab.

ODBC (Open Database Connectivity)
A standard or open application programming interface (API) for accessing a database. By using ODBC statements in a program, you can access files in a number of different databases, including Access, dBase, DB2, Excel, and Text. In addition to the ODBC software, a separate module or driver is needed for each database to be accessed.

one-time password
In network security, a password that is issued only once as a result of a challenge-response authentication process. This cannot be stolen or reused for unauthorized access.

online
The state of being connected to the Internet. When a user is connected to the Internet, the user is said to be online.

OOBA (out-of-band authentication)
A one-size-fits-all authentication sequence for protocols that require transparency or have their own authentication. OOBA allows you to authenticate with proxies, such as HTTP, SQLnet, and h323, that have not supported authentication on the firewall in the past.

open source code
A program whose source code is available for public inspection and revision. Open source software is often distributed freely, in the hope that the computing community will contribute to the program, helping to identify and eliminate bugs. Two well-known examples of open source programs are the Apache Web server and the Linux operating system.

OS (operating system)
The interface between the hardware of the computer and applications (for example, a word-processing program). For personal computers, the most popular operating systems are MacOS, Windows, DOS, and Linux.

packet
A unit of data that is formed when a protocol breaks down messages that are sent along the Internet or other networks. Messages are broken down into standard-sized packets to avoid overloading lines of transmission with large chunks of data. Each of these packets is separately numbered and includes the Internet address of the destination. Upon arrival at the recipient computer, the protocol recombines the packets into the original message.


packet filter
A filter that keeps out certain data packets based on their source and destination addresses and service types. You can use packet filters to block connections from or to specific hosts, networks, or ports. Packet filters are simple and fast, but they make decisions based on a very limited amount of information.

packet filtering
A firewall technique that examines the headers of packets requesting connection to a computer behind the firewall and either grants or denies permission to connect based on information held within the packet header, according to a set of preestablished rules.

packet sniffing
The interception of packets of information (for example, a credit card number) that are traveling across a network.

PAD
See Protocol Anomaly Detection.

PAP (Password Authentication Protocol)
A procedure used to validate a connection request. After the link is established, the requester sends a password and an ID to the server. The server either validates the request and sends back an acknowledgement, terminates the connection, or offers the requester another chance.

parallel port
A port that transmits a synchronous, high-speed flow of data along parallel lines. Parallel ports are usually used for printers.

parameter
A value that is assigned to a variable. In communications, a parameter is a means of customizing program (software) and hardware operation.

passphrase
A unique string of characters that a user types as an identification code to restrict access to computers and sensitive files. The system compares the code against a stored list of authorized passwords and users. If the code is legitimate, the system allows access at the security level approved for the owner of the password.

password-based attack
An attack in which repetitive attempts are made to duplicate a valid logon or password sequence.

patch
A type of programming code that is used to repair an identified software bug or vulnerability, or that mitigates a vulnerability by resolving the underlying implementation error.

payload
The part of the packet, message, or code that carries the data. In information security, payload generally refers to the part of malicious code that performs the destructive operation.

permissions
A set of rights of a user determining the level of access to Symantec Network Security components and functions. Permissions are granted through assignment of predefined accounts to users. See user account.

PGP (Pretty Good Privacy)
A freeware (for non-commercial users) encryption program that uses the public key approach: messages are encrypted using the publicly available key, but only the intended recipient can decipher them, using the private key. PGP is perhaps the most widely used encryption program.


physical exposure
A rating used to calculate vulnerability that is based on whether a threat must have physical access to your system to exploit a vulnerability.

PIN (personal identification number)
In computer security, a number used during the authentication process that is known only to the user.

ping (Packet Internet Groper)
A program that security administrators and hackers or crackers use to determine whether a specific computer is currently online and accessible. Pinging works by sending a packet to the specified IP address and waiting for a reply; if a reply is received, the computer is deemed to be online and accessible.

platform attack
An attack that focuses on vulnerabilities in the operating system that is hosting the firewall.

policy
1. A document (hardcopy or electronic) that outlines specific requirements or rules that must be met. 2. The activities or states that are allowed, required, or forbidden within a specific environment. See response rule.

policy management
The creation, configuration, and monitoring of security assets and information to ensure that they are compliant with policies.

POP (Post Office Protocol)
A protocol that allows clients to retrieve email from a mail server.

POP3 (Post Office Protocol 3)
An email protocol used to retrieve email from a remote server over an Internet connection.

port
1. A hardware location for passing data into and out of a computing device. Personal computers have various types of ports, including internal ports for connecting disk drives, monitors, and keyboards, and external ports for connecting modems, printers, mouse devices, and other peripheral devices. 2. In TCP/IP and UDP networks, the name given to an endpoint of a logical connection. Port numbers identify types of ports. For example, both TCP and UDP use port 80 for transporting HTTP data.

port scan
An intrusion method in which hackers use software tools called port scanners to find services currently running on target systems. This is done by scanning the target for open ports, usually by sending a connection request to each port and waiting for a response. If a response is received, the port is known to be open.

PPP (Point-to-Point Protocol)
A protocol used for communication between two computers. This is most commonly seen with dial-up accounts to an ISP. However, Point-to-Point Protocol over Ethernet (PPPoE) has now become more popular with many DSL providers.

priority
A number between 1 and 5 (inclusive) that is assigned to an incident. The number is assigned based on signature attributes, system attributes, organization attributes, and vulnerability attributes.


private key
A part of asymmetric encryption that uses a private key in conjunction with a public key. The private key is kept secret, while the public key is sent to those with whom a user expects to communicate. The private key is then used to encrypt the data, and the corresponding public key is used to decrypt it. The risk in this system is that if either party loses the key or the key is stolen, the system is broken.

probe
An effort, such as a request, transaction, or program, that is used to gather information about a computer or the state of a network. For example, sending an empty message to see whether a destination actually exists. Ping is a common utility for sending such a probe. Some probes are inserted near key junctures in a network for the purpose of monitoring or collecting data about network activity.

protocol
A set of rules for encoding and decoding data so that messages can be exchanged between computers and so that each computer can fully understand the meaning of the messages. On the Internet, the exchange of information between different computers is made possible by the suite of protocols known as TCP/IP. Protocols can be stacked, meaning that one transmission can use two or more protocols. For example, an FTP session uses the FTP protocol to transfer files, the TCP protocol to manage connections, and the IP protocol to deliver data.

Protocol Anomaly Detection
One of an array of methodologies by which Symantec Network Security inspects network traffic, compares observed behavior during a network protocol exchange to the structured protocols, analyzes deviant behavior in context, and detects deviations from the norm.

proxy server
A server that acts on behalf of one or more other servers, usually for screening, firewall, or caching purposes, or a combination of these purposes. Also called a gateway. Typically, a proxy server is used within a company or enterprise to gather all Internet requests, forward them out to Internet servers, and then receive the responses and in turn forward them to the original requester within the company.

public key
A part of asymmetric encryption that operates in conjunction with the private key. The sender looks up the public key of the intended recipient and uses the public key to encrypt the message. The recipient then uses his or her private key, which is not made public, to decrypt the message.

public key cryptography
A cryptographic system in which two different keys are used for encryption and decryption. Also called asymmetric cryptography. The sender of the message looks up the public key of the intended recipient and uses the public key to encrypt the message. The recipient then uses his or her private key, which is not made public, to decrypt the message. This method of encryption is considered more secure than symmetric cryptography because one of the keys is kept strictly private.

QoS (quality of service)
The idea that transmission rates, error rates, and other characteristics on the Internet and in other networks can be measured, improved, and, to some extent, guaranteed in advance. QoS is of particular concern for the continuous transmission of high-bandwidth video and multimedia information.


RAM (Random Access Memory)
The memory in which information required by currently running programs is kept, including the program itself. Random access refers to the fact that it can be either read from or written to by any program. Many operating systems protect critical, occupied, or reserved RAM locations from tampering.

real-time
An immediate action in response to an event, incident, or alert.

record
To capture and store a set of data that consists of a series of actions and events.

redundancy
See watchdog process.

remote access
The use of programs that allow access over the Internet from another computer to gain information or to attack or alter your computer.

replication
The process of duplicating data from one database to another.

report
A set of data that is collected by Symantec Network Security that allows all types of data to be selectively examined, scheduled, exported, or printed.

reset
An action that clears any changes made since the last apply or reset action.

reset interface
An interface on a Symantec Network Security 7100 Series appliance through which TCP resets are sent to stop a malicious TCP/IP flow.

response action
A predefined reaction to an event or alert to a defined security threat, such as capturing the attacker's session, triggering tracking, or emailing an alert. Response actions can be configured for each type of incident that is handled by Symantec Network Security. The method of action for handling security risks that is selected from alternatives, given specific conditions to guide and determine present and future decisions.

response rule
A logical statement that lets you respond to an event based on predetermined criteria.

RestrictedUser
An individual with an account that is configured to perform a restricted set of tasks, such as viewing reports and receiving alerts. This group and its respective set of permissions is predefined, and cannot be modified.

rights
See permissions.

RIP (Routing Information Protocol)
The oldest routing protocol on the Internet and the most commonly used routing protocol on local area IP networks. Routers use RIP to periodically broadcast the networks that they know how to reach.

risk
The anticipated adverse impact that can result if a threat exploits a vulnerability in an asset.

rogue program
Any program intended to damage programs or data (such as malicious Trojan horses).

role
An administrative position that is defined by a set of permissions.

role-based administration
A method of administration in which access rights or permissions are granted to user roles in hierarchical responsibilities. The set of permissions defines the administrative or user positions.


ROM (read-only memory)
The memory that is stored on the hard drive of the computer. Its contents cannot be accessed or modified by the computer user, but can only be read.

router
A device that helps local area networks (LANs) and wide area networks (WANs) achieve interoperability and connectivity.

rule
A logical statement that lets you respond to an event based on predetermined criteria.

run
To execute a program or script.

S/MIME (Secure/Multipurpose Internet Mail Extensions)
An email security protocol that was designed to prevent the interception and forgery of email by using encryption and digital signatures. S/MIME builds security on top of the MIME protocol and is based on technology originally developed by RSA Data Security, Inc.

safeguard
The control or countermeasure employed to reduce the risk associated with a specific threat or group of threats. Examples of safeguards are patches, policies, deterrence measures, surveillance, physical security, upgrades, education, and training.

script
A type of program that consists of a set of instructions for an application. A script usually consists of instructions that are expressed using the application's rules and syntax, combined with simple control structures.

script kiddie
An unskilled cracker who uses code and software (or scripts) downloaded from the Internet to inflict damage on targeted sites. Often these destructive activities are carried out for no other purpose than to prove the script kiddie's hacking prowess.

secure browser
A Web browser that can use a secure protocol, such as SSL, to establish a secure connection to a Web server.

security
The policies, practices, and procedures that are applied to information systems to ensure that the data and information that is held within or communicated along those systems is not vulnerable to inappropriate or unauthorized use, access, or modification, and that the networks that are used to store, process, or transmit information are kept operational and secure against unauthorized access. As the Internet becomes a more fundamental part of doing business, computer and information security are assuming more importance in corporate planning and policy.

sensor process
The functionality of Network Security sensors to perform detection and analysis and to take responsive action against perceived attacks.

serial port
A location for sending and receiving serial data transmissions. Also known as a communications port or COM port. DOS references these ports by the names COM1, COM2, COM3, and COM4.

server
A computer or software that provides services to other computers (known as clients) that request specific services. Common examples are Web servers and mail servers.

SESA (Symantec Enterprise Security Architecture)
The centralized, scalable management architecture that is used by Symantec's security products.


session
In communications, the time during which two computers maintain a connection and, usually, are engaged in transferring information.

setting
A collection of parameters (key/value pairs, data blobs, and so on).

severity
A level that is assigned to an incident. See also incident.

shared POP3 mailbox
A mailbox that stores messages for an entire domain and that allows organizations with part-time Internet connections to exchange mail.

signature
1. A state or pattern of activity that indicates a violation of policy, a vulnerable state, or an activity that may relate to an intrusion. 2. Logic in a product that detects a violation of policy, a vulnerable state, or an activity that may relate to an intrusion. This can also be referred to as a signature definition, an expression, a rule, a trigger, or signature logic. 3. Information about a signature, including attributes and descriptive text. This is more precisely referred to as signature data.

SLIP (Serial Line Internet Protocol)
A TCP/IP protocol used for communication between two computers that have been previously configured for communication with each other.

Smart Agents
See Symantec Network Security Smart Agents.

SMF (Standard Message Format)
A message file format established by Novell and used by many email applications.

SMON
See interface, monitoring.

SMTP (Simple Mail Transfer Protocol)
The protocol that allows email messages to be exchanged between mail servers. Clients then retrieve email, typically via the POP or IMAP protocol.

SMTP alert
A Simple Mail Transfer Protocol notification of a major system event, such as shutdown, startup, crash, or virus definition update error.

snapshot
A file in which information about the system's configuration and properties is stored.

SNMP (Simple Network Management Protocol)
The protocol governing network management and the monitoring of network devices and their functions.

SNMP alert
A Simple Network Management Protocol notification of a major system event, such as shutdown, startup, crash, virus definitions update, or virus definitions update error.

social engineering
An attack based on tricking or deceiving users or security administrators into revealing passwords or other information that compromises a target system's security. Social engineering attacks are typically carried out by attackers who telephone users or operators and pretend to be authorized users.

SOCKS
A security package that allows a host behind a firewall to use finger, FTP, telnet, Gopher, and Mosaic to access resources outside the firewall while maintaining the security requirements.


software
The instructions for the computer to perform a particular task. A series of instructions that performs a particular task is called a program. Software instructs the hardware of the computer how to handle data in order to perform a specific task.

source-route attack
A form of spoofing in which the routing indicated in the source-routed packet does not come from a trusted source, and therefore the packet is being routed illicitly.

SPI (Security Parameter Index)
An Authentication Header (AH) SPI number between 1 and 65535 that you assign to each tunnel endpoint when using AH in a VPN policy.

spoofing
The act of establishing a connection with a forged sender address. This normally involves exploiting a trust relationship that exists between source and destination addresses or systems.

spyware
Stand-alone programs that can secretly monitor system activity, detect passwords and other confidential information, and relay the information back to another computer.

SSH (Secure Shell)
A program that allows a user to log on to another computer securely over a network by using encryption. SSH prevents third parties from intercepting or otherwise gaining access to information sent over the network.

SSL (Secure Sockets Layer)
A protocol that allows mutual authentication between a client and server and the establishment of an authenticated and encrypted connection, thus ensuring the secure transmission of information over the Internet.

StandardUser
An individual with an account that is configured to perform a specific set of tasks, such as viewing reports, receiving alerts, and adding or deleting objects. This group and its respective set of permissions is predefined, and cannot be modified.

state
The last known status, or current status, of an application or a process.

stateful
Of, or pertaining to, a computer or computer program that is designed to note and remember one or more preceding events in a given sequence of interactions with a user, another computer or program, a device, or other outside element. Stateful means that the computer or program keeps track of the state of interaction, usually by setting values in a storage field designated for that purpose. Stateless does not.

STOP (Stack Overflow Protection)
A simple and transparent protection approach that renders stack or buffer overflow attacks unsuccessful. Stack or buffer overflow attacks continue to be a favorite technique used by hackers to break into servers. STOP reallocates the location of the system stack (the area to which the attacker is trying to have the data overflow). This is like reshuffling the cards in a deck, making it very difficult for the attacker to predict the location for the overflow data.

streak
A segment of traffic that contains a sequence of packets that meet specific characteristics, such as the same source and destination IP addresses. To distinguish between DoS attacks, portscans, and sweeps, Symantec Network Security analyzes the characteristics and behavior of streaks. Many of the flood and scan parameters regulate what elements in a streak to monitor, how to analyze them, and when to trigger an event.

sub-cluster
See group.


SuperUser
An individual with an account that is configured to perform all tasks. During installation of the master node, an account is created for a SuperUser with full permissions. This group and its respective set of permissions is predefined, and cannot be modified.

Symantec Network Security Smart Agents
Formerly called MSAs, the Symantec Network Security Smart Agents are translation software that enables Symantec Network Security to receive event data from external sensors and correlate that data with all other events.

symmetric encryption
An encryption method involving a single secret key for both encryption and decryption. The sender of the encrypted message must give that key to the recipient before the recipient can decrypt it. Although this method of encryption is efficient, there is a danger that if the secret key is intercepted, the message can be read by an unintended audience.

SYN flood
A type of attack in which a system is bombarded with bogus TCP/IP SYN (synchronous idle) requests. When a session is initiated between the Transmission Control Program (TCP) client and server in a network, a very small buffer space exists to handle the handshaking, or exchange of messages, that sets up the session. The session-establishing packets include a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer so that other, legitimate connection requests cannot be accommodated. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate requests for a session to get established. In general, this problem depends on the operating system providing correct settings or allowing the network administrator to tune the size of the buffer and the time-out period.

synchronize
To copy files between two directories on host and remote computers to make the directories identical to one another.

synchronous transmission
A form of data transmission in which information is sent in blocks of bits separated by equal time intervals. The sending and receiving devices must first be set to interact with one another at precise intervals; then data is sent in a steady stream. See also asynchronous transmission.

syntax error
An error made by an author when creating a script, for example, not enclosing a string in quotes or specifying the wrong number of parameters.

syslog
A Unix operating system logging capability that can log to a remote server.

system
A set of related elements that work together to accomplish a task or provide a service. For example, a computer system includes both hardware and software.

TCP/IP (Transmission Control Protocol/Internet Protocol)
The suite of protocols that allows different computer platforms using different operating systems (such as Windows, MacOS, or UNIX) or different software applications to communicate. Although TCP and IP are two distinct protocols, the term TCP/IP includes Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), and many others.


Telnet
The main Internet protocol for creating an interactive control connection with a remote computer. Telnet is the most common way of allowing users a remote connection to a network, as with telecommuters or remote workers.

text field
The area in which a user can type text.

thin client
A low-cost computing device that works in a server-centric computing model. Thin clients typically do not require state-of-the-art, powerful processors and large amounts of RAM and ROM because they access applications from a central server or network. Thin clients can operate in a server-based computing environment.

threat
A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service.

threat assessment
The identification and quantification of human threats to an organization or its systems.

threat, blended
An attack that uses multiple methods to transmit and spread. The damage caused by blended threats can be rapid and widespread. Protection from blended threats requires multiple layers of defense and response mechanisms.

threshold
The number of events that satisfy certain criteria. SuperUsers and Administrators define threshold rules to determine how notifications are to be delivered.

time-out
A predetermined period of time during which a given task must be completed. If the time-out value is reached before or during the execution of a task, the task is cancelled.

Time to Live
A counter in the Internet Protocol (IP) header that specifies how many point-to-point transmissions, also called hops, an IP packet can travel before it expires. The TTL prevents IP packets from traveling indefinitely.

title bar
The area at the top of a window showing the name of the program, function, document, or application.

token
An authentication tool or a device used to send and receive challenges and responses during the user authentication process. Tokens can be small, handheld hardware devices similar to pocket calculators or credit cards. See also iButton.

token ring
A type of computer network in which all of the computers are arranged schematically in a circle. A token, which is a special bit pattern, travels around the circle. To send a message, a computer catches the token, attaches a message to it, and then lets it continue traveling around the network.

toolbar
The various rows below the menu bar containing buttons for a commonly used subset of the commands that are available in the menus.

tracking
The logging of inbound and outbound messages based on predefined criteria. Logging is usually done to allow for further analysis of the data at a future date or time.

Glossary

403

trackware
    Stand-alone or appended applications that trace a user's path on the Internet and send information to the target computer. For example, a user could download an application from a Web site or an email or instant messenger attachment. That attachment can then obtain confidential information regarding user behavior.

trapdoor
    A secret entry point into a computer program that illegitimate users can use to get around authentication and validation methods that are intended to prevent unauthorized entry.

trending
    The result of monitoring and analyzing data to show a tendency in some direction over time.

Trojan horse
    A rogue program that disguises itself as a legitimate file to lure users to download and run it. It takes the identity of a trusted application to collect confidential user information or avoid detection. A Trojan horse neither replicates nor copies itself, but causes damage and compromises the security of an infected computer.

tunnel
    A process that allows a company to securely use public networks as an alternative to using its own lines for wide-area communications.

tunneling router
    A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption.

two-factor authentication
    A type of authentication that is based on something a user knows (factor one) plus something the user has (factor two). In order to access a network, the user must have both factors (in the same way that a user must have an ATM card and a personal identification number [PIN] to retrieve money from a bank account). In order to be authenticated during the challenge/response process, the user must have this specific (private) information.

UDP (User Datagram Protocol)
    A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. UDP is used primarily for broadcasting messages over a network.

unstructured threat
    A threat that tends to be technically unskilled or unsophisticated.

upload
    To send a file from one computer to another via modem, network, or serial cable. With a modem-based communications link, the process generally involves the requesting computer instructing the remote computer to prepare to receive the file on its disk and wait for the transmission to begin. See also download.

UPS (uninterruptible power supply)
    A device that allows your computer and firewall equipment to run for a short time after a power failure. This allows you to power the device down in an orderly manner. A UPS also provides protection in the event of a power surge.

URL (Uniform Resource Locator)
    The standard addressing system for the World Wide Web. A URL consists of two parts: the first part indicates the protocol to use (for example http://), and the second part specifies the IP address or the domain name and the path where the desired information is located (for example www.securityfocus.com/glossary).

URL blocking
    The tracking and denying of user access to undesirable Web sites based on predefined site content.


user
    A person who is enabled to perform Symantec Network Security administrative tasks, such as view reports or receive notifications. See also SuperUser, Administrator, StandardUser, and RestrictedUser.

user account
    A file that contains information that identifies a user to the system. This information includes the user name and password, the groups in which the user account has membership, and the rights and permissions that the user has for using the system and accessing its resources.

user authentication
    A process that verifies a user's identity to ensure that the person requesting access to the private network is, in fact, the person to whom entry is authorized.

user identification
    The process by which a user is identified to the system as a valid user (as opposed to authentication, which is the process of establishing that the user is indeed that user and has a right to use the system).

user name
    A form of authentication that is in place to ensure that the user is authorized to use the services being requested. The user name also signifies the primary user or users of a particular computer.

user-level services
    Commands or utilities such as ssh and syslog which are available from the underlying operating system.

UUCP (UNIX-to-UNIX Copy)
    A set of UNIX programs for copying (sending) files between different UNIX systems and for sending commands to be executed on another system.

uuencode
    A data encoding standard developed to translate or convert a file or email attachment (an image, text file, or program) from its binary or bit-stream representation into the 7-bit ASCII set of text characters.

validation
    The process of checking a configuration for completeness, ensuring that all values are valid, and determining if all logical and physical references can be resolved.

vandal
    An executable file (usually an applet or an ActiveX control) associated with a Web page that is designed to be harmful, malicious, or at the very least inconvenient to the user. Because these applets or application programs can be embedded in any HTML file, they can also arrive as an email attachment or automatically as the result of being pushed to the user. Vandals can be viewed as viruses that can arrive over the Internet stuck to a Web page. Vandals are sometimes referred to as hostile applets.

virtual network perimeter
    A network that appears to be a single protected network behind firewalls, but which actually encompasses encrypted virtual links over untrusted networks.

virus
    A piece of programming code inserted into other programming to cause some unexpected and, for the victim, usually undesirable event. Viruses can be transmitted by downloading programming from other sites or present on a diskette. The source of the file you are downloading or of a diskette you have received is often unaware of the virus. The virus lies dormant until circumstances cause the computer to execute its code. Some viruses are playful in intent and effect, but some can be harmful, erasing data or causing your hard disk to require reformatting.


VPN (virtual private network)
    A network that has characteristics of a private network such as a LAN, but which is built on a public network such as the Internet. VPNs allow organizations to implement private networks between geographically separate offices and remote or mobile employees by means of encryption and tunneling protocols.

vulnerability
    A design, administrative, or implementation weakness or flaw in hardware, firmware, or software. If exploited, it could lead to an unacceptable impact in the form of unauthorized access to information or disruption of critical processing. A weakness or flaw that lets a human threat exploit or compromise a network or system.

WAP (Wireless Application Protocol)
    An open global standard for communications between a mobile handset and the Internet or other computer applications as defined by the WAP forum.

warning
    A message that informs the user that performing an action can or will result in data loss on the user's system.

watchdog process
    A strategy for supporting failover, high availability, and redundancy. The watchdog process deploys a group of Network Security nodes in a hierarchical group so that one is active and the remaining are standby. If the active node fails, a standby node takes its place so that the transition is seamless.

Web attack
    An attack from the outside that is aimed at Web server vulnerabilities.

Web denial of service
    A denial of service attack that specifically targets a Web server.

wildcard character
    A symbol that enables multiple matching values to be returned based on a shared feature.

worm
    A special type of virus. A worm does not attach itself to other programs like a traditional virus, but creates copies of itself, which create even more copies.

wrap
    A program's ability to continue displaying information on a new line or page when the end of a line or page is reached.

WWW (World Wide Web)
    An application on the Internet that allows for the exchange of documents formatted in Hypertext Markup Language (HTML), which facilitates text, graphics, and layout. The World Wide Web is also a system of Internet servers that support specially formatted documents.

X.509
    The most widely used standard for defining digital certificates. X.509 is actually an ITU Recommendation, which means that it has not yet been officially defined or approved.

zero-day detection
    The ability to detect newly emerging, previously unknown, variant, and/or polymorphic exploits as they occur, without requiring prior exposure or signatures.

zombie
    A computer that is used by hackers to attack the computers that they are targeting for denial of service. The legitimate user of the zombie may not be aware that the computer has been controlled by the hacker; however, if the computer is used to launch a damaging attack, the legitimate user may be investigated or held legally responsible.

sub-cluster
    See group.


Acronyms

This section defines acronyms used in this guide to categorize attack elements and system elements.

ACL     Access Control List
AF      Analysis Framework, a Symantec Network Security component
API     Application programming interface
ASN     Abstract Syntax Notation
BTO     Build-to-order
CF      Compact flash
CGI     Common Gateway Interface
CLI     Command Line Interface
CPU     Central Processing Unit
CSP     Client server protocol
CTR     Cisco Threat Response
CVE     Common Vulnerabilities and Exposures
DDOS    Distributed denial of service
DMZ     Demilitarized Zone
DNS     Domain Name System
DOS     Denial of Service
DSX     Dynamic Security Extension
EDP     Event Dispatch Protocol
EHS     External hostile structured threat
EHU     External hostile unstructured threat
ESP     Event Stream Provider, a Symantec Network Security component (Encapsulated Security Payload)
FDDI    Fiber Distributed Data Interface
FQDN    Fully qualified domain name
FTP     File Transfer Protocol
GMT     Greenwich Mean Time
GUI     Graphical user interface
HMAC    Hash Message Authentication Code
HTML    HyperText Markup Language
HTTP    HyperText Transfer Protocol
HTTPS   Hypertext Transfer Protocol Secure
ICMP    Internet Control Message Protocol
ICQ     "I-Seek-You," an online instant messaging program
IDS     Intrusion Detection System
IDWG    Intrusion Detection Working Group
IETF    Internet Engineering Task Force
IHS     Internal hostile structured threat
IHU     Internal hostile unstructured threat
IKE     Internet Key Exchange
IM      Instant Message
IMAP    Internet Message Access Protocol
INS     Internal nonhostile structured threat
INU     Internal nonhostile unstructured threat
IO-APIC IO-Advanced Programmable Interrupt Controller
IP      Internet Protocol
IPSec   Internet Protocol Security
IRC     Internet Relay Chat
ISDN    Integrated Services Digital Network
ISP     Internet service provider
JDBC    Java Database Connectivity
L2F     Layer Two Forwarding Protocol
LAN     Local area network
LDAP    Lightweight Directory Access Protocol
MAC     Media Access Control
MIB     Management Information Base
MIME    Multipurpose Internet Mail Extensions
N/A     Not Applicable
NACS    NetWare Asynchronous Communication Services
NAR     Network Address Retention
NASI    NetWare Asynchronous Services Interface
NAT     Network Address Translation
NCSA    National Computer Security Association
NIC     Network Interface Card
NIDS    Network-based intrusion detection system
NNTP    Network News Transfer Protocol
NOC     Network Operation Center
NTP     Network Time Protocol
ODBC    Open Database Connectivity
OS      Operating system
PAD     Protocol Anomaly Detection
PAP     Password Authentication Protocol
PGP     Pretty Good Privacy
PIN     Personal Identification Number
ping    Packet Internet Groper
POP3    Post Office Protocol
PPP     Point-to-Point Protocol
PRDP    Policy Response Dispatch Protocol
QoS     Quality of service
QSP     Query Service Provider
RAM     Random Access Memory
RIP     Routing Information Protocol
ROM     Read-only memory
S/MIME  Secure/Multipurpose Internet Mail Extensions
SCP     Secure Copy Protocol
SESA    Symantec Enterprise Security Architecture
SLIP    Serial Line Internet Protocol
SMF     Standard Message Format
SMON    See Monitored Interfaces
SMP     Simple Management Protocol
SMTP    Simple Mail Transfer Protocol
SNMP    Simple Network Management Protocol
SPI     Security Parameter Index
SQL     Structured Query Language
SSH     Secure Shell
SSL     Secure Sockets Layer
STOP    Stack Overflow Protection
STP     Shielded Twisted Pair
TCP/IP  Transmission Control Protocol/Internet Protocol
TTL     Time to Live Protocol
UDP     User Datagram Protocol
UPS     Uninterruptible power supply
URL     Uniform Resource Locator
UUCP    UNIX-to-UNIX Copy
VLAN    Virtual Large Area Network
WAP     Wireless Application Protocol
XML     eXtensible Markup Language

Index

Numerics
7100 Series. See appliances

A
access
    controlling users 59
    intent 203
    managing users 59
accounts
    about administration of 33
    user 353
    user login permissions 360
adding
    appliance nodes 95
    flow alert rules 163
    in-line pairs 103
    interface groups 101
    LiveUpdates 307
    location objects 87
    monitoring groups 67
    monitoring interfaces to software nodes 93
    nodes 82
    nodes and objects 86
    objects 82
    port mappings 197
    protection policies 124, 125
    report schedules 254
    response rules 139
    sample flow alert rule 164
    signature variables 207
    Smart Agent interfaces 111
    Smart Agents 109
    software nodes 89
    user login accounts 55
    user-defined signatures 201
adjusting
    view by columns 123
    view of incidents 215
    view of policies 121
administration console. See Network Security console
administration service
    node architecture 35
Administrators
    about 354
    pre-defined login account 224
advanced parameters
    configuring 343, 346
alert manager
    node architecture 35
alerting. See logging
alerts. See notifications
analysis
    about 30
    about correlation 30
    about cross-node correlation 31
    about event responses 35
    about refinement rules 30
    about Smart Agents 37
    about the architecture 35
    assigning priority level 143
annotating
    entire policies 131
    event instances 132
    event types in a policy 132
    events 131
    incidents 232
    policies 131
appliances
    about 37
    about blocking 38
    about compact flash 40
    about detection 38
    about in-line mode 38
    about interface groups 38
    about LCD panel 39
    about nodes and interfaces 88
    about passive mode 38
    about response 38
    about serial console 40
    about the 7100 Series 15
    adding nodes 95
    adding or editing in-line pairs 103
    adding or editing interface groups 101
    auto-negotiation 104
    blocking override 119
    clustering with software nodes 66
    configuring link state 104
    deleting nodes 311
    deployment checklist 43
    documentation 20
    enabling blocking rules 128
    fail-open 39
    management via consoles 39
    monitoring interfaces 99
    node status indicator 81
    parameters 344
    powering off 54
    queries from TrackBack 97
    shutting down from the serial console 51
    single-node deployment 62
applying
    flow data collection 247
    incident view during failover 327
    LiveUpdates 305
    parameters to nodes 344, 345
    parameters to sensors 344
    policies after failure 334
    policies to interfaces 119
    response rules to Decoy Server events 320
    sensor parameters to objects 169
    signature variables 209
    user-defined signatures 201
architecture
    about the core 25
    about the management and detection 32
    about the node 34
    FlowChaser 37
archive
    clearing automatically 280
archiving
    configuring automatic 278
    log files 279
    logs 276
assigning
    monitoring groups 67
attack responses. See responses
attacks
    categories 142
    flood-based 148
    fragmentation 260
    syn floods 156
    target IP address 226, 228
    traffic 279
Auto Update tab
    about 117
automated response
    architecture 137
availability
    for single nodes 323
    monitoring node 322

B
backing up
    cluster-wide data 316
    configurations 333
    LiveUpdate configurations 308
    on the Network Security console 333
    protection policies 133
    refreshing the configuration list 335
    response rules database 141
    Symantec Network Security 332
    using compact flash 338
    via compact flash 40
    watchdog process 324
Bad Service Saturation Alert Threshold
    setting sensor parameters 177
basic parameters
    configuring 346
basic setup
    advanced tuning 345
blocking
    about 38
    automatically 128, 131
    disabling 128
    enabling 128
    in LiveUpdate 128, 131
    overriding globally 119
bypass unit. See in-line

C
cancelling
    changes to topology tree 84
    LiveUpdate schedules 308
    policy applications 121
    reverting signature variables 209
category
    about Wizard fields 203
changing
    EDP 314
checklist
    appliance-specific deployment 43
    general deployment 42
cleartext
    preventing passwords in 156
cloning
    protection policies 125
Cluster ID
    setting node parameters 289
cluster parameters
    about 344
clusters
    about deployment 61
    about parameters 64
    adding slave nodes 311
    applying policies after setting masters 313
    backing up 316
    creating 309
    deploying 65
    licensing nodes 312
    managing 309
    monitoring groups 66
    restarting sensors 315
    software and appliance nodes 66
    subclusters 66
    synchronization with 313
    synchronizing nodes 312
    tracking data stream 154
    upgrading 310
columns
    adjusting the view of event types 123
    selecting 226, 227
    sorting incident data 216
communication
    via EDP proxy 318
    via QSP proxy 35
compact flash
    about 40
    backing up 338
    backing up and restoring 337
    restoring 338
    saving configurations 339
Compression Command
    setting node parameters 284
Compression On/Off Switch
    setting node parameters 283
confidence
    about Wizard fields 203
    assigning levels 218, 219, 222
    likelihood of attack 145
    mapping level 228
    response rules 145
    setting level 145
    viewing events 221
configuration
    auto-negotiation enabling or disabling 104
    via compact flash 40
console response action
    configuring 160
console. See Network Security console, serial console, Symantec Decoy Server console, LCD panel
conventions
    node description 79
    node naming 79
copy ports. See monitoring interfaces
copying
    configurations 334
    event details 234
    incident data and pasting 233
    logs 276
    top events 234
correlation
    about 30
    about cross-node analysis 31
Counter Number of Streak Packets
    setting sensor parameters 180
creating
    clusters 309
    monitoring groups 67
    policies 124
    protection policies 124
    response rules 154
cross-node correlation
    loading events from 220
custom response actions
    creating rules 154
    failure to execute 224
customer IDs
    devices 79

D
data
    events displayed 226, 228
    exporting to syslog 293
    incidents 214, 226
    tracking stream 154
databases
    architecture 35
    deleting user-defined signatures 205
    forcing synchronization 85, 313
    time delay while loading 45
DB Connection String
    setting node parameters 290
DB Password
    setting node parameters 292
DB User
    setting node parameters 291
deception device
    nodes 319
    setting EDP passphrases 110
Decoy Server
    integrating with 320
    launching from a new location 321
Decoy Server console
    launching from Network Security console 320
defining
    protection policies 124
    signature variables 207
    signatures 201
    view of incidents 69
deleting
    configurations 335
    flow alert rules 165
    LiveUpdate schedules 308
    log files 277
    monitoring groups 68
    nodes 83, 311
    objects 83
    passphrases 80
    report schedules 256
    response rules 141
    saved reports 258
    signature variables 208
    user login accounts 56
    user-defined protection policies 129
denial of service. See DoS
deployment
    about clusters 61
    about in-line mode 61
    about passive mode 61
    about single-node 61
    appliance-specific checklist 43
    clustering software and appliance nodes 66
    general checklist 42
    monitoring groups 66
    node clusters 65
    planning 61
    single appliance node 62
    single node 61, 62
    slave node 311
Destination Directory for SCP
    setting node parameters 300
Destination Host for SCP
    setting node parameters 298
destination IP 204
destination port
    about Wizard fields 204
details
    viewing event types 123
    viewing objects 76
detection
    about 167
    about 7100 Series appliances 38
    about architecture 26
    about denial of service 29
    about protocol anomaly detection 167
    about refinement rules 168
    about signature 168
    about traffic rate monitoring 29
    about user-defined signatures 28
    adding or editing port mappings 197
    adding or editing user-defined signatures 201
    adding user-defined signatures 201
    creating signature variables 207
    deleting port mappings 197
    deleting user-defined signatures 205
    deselecting signatures 205
    disabling signatures 205
    external EDP 29
    managing user-defined signatures 199
    port mapping 196
    protocol anomaly 27
    removing signatures 205
    signature 198
    Symantec signatures 28, 198
    upgrading signatures 203, 209
    user-defined signatures 199
devices
    event data display 226, 228
Devices tab
    about 74
direction
    about Wizard fields 204
documentation
    7100 Series 20
    software 21
DoS
    about detection architecture 29
    top Telnet event type 261
drill-down reports
    destination sources 264
    devices with flow statistics 266
    drill-down-only reports 266
    event destinations 267
    event details 266
    event lists 266
    event sources 267
    events per day 263
    events per hour 263
    events per month 263
    flows by destination address 267
    flows by destination port 267
    flows by protocol 267
    flows by source address 267
    flows by source port 267
    incident details 266
    incidents list 263
    incidents per day 262
    incidents per hour 262
    incidents per month 262
    source destinations 264
    top blocked event types 261
    top events 261, 262
    top level 260
    types 259

E
Echo Operational Log to Syslog
    setting node parameters 294
editing
    flow alert rules 164
    in-line pairs 103
    interface groups 101
    LiveUpdates 307
    location objects 87
    monitoring interfaces on appliance nodes 99
    monitoring interfaces on software nodes 93
    network segments 112
    node numbers 314
    node passphrases 314
    objects in topology tree 83
    port mappings 197
    protection policies 125
    report schedules 254
    response rules 140
    root password on serial consoles 58
    secadm password 59
    signature variables 207
    Smart Agent interfaces 111
    Smart Agents 109
    software nodes 89
    user passphrases 57
    user-defined signatures 201
EDP
    about Event Dispatch Protocol 29
    changing passwords 314
    communicating with Smart Agents 110, 318
    communication by proxy 318
    detection architecture 29
    Network Security node passphrase 318
    setting passphrases 110
    setting port numbers 318
EDP Port Number
    setting node parameters 318
ELS
    checking licenses 49
    licensing clusters 312
email
    configuring incidents 235
    format 267
    incident data 236
    initiation request failure 224
    notification failure 224
    notification messages 148
Enable BackOrifice Detection
    setting sensor parameters 173
Enable Flow Statistics Collection
    setting sensor parameters 171
Enable Full Packet Capture
    setting sensor parameters 171
Enable IPv4 Header Checksum Validation
    setting sensor parameters 172
Enable PLSC
    setting sensor parameters 184
Enable TCP Checksum Validation
    setting sensor parameters 172
Enable UDP Checksum Validation
    setting sensor parameters 173
Enable Watchdog Process
    setting node parameters 329
enabling
    Symantec Decoy Server 319
encoding
    about Wizard fields 204
Engine Updates
    about 303
Enterprise Licensing System
    checking licenses 49
    licensing clustered nodes 312
errors
    compiling signatures 206
    email initiation request failure 224
    email notification failure 224
    iButton 223
    SNMP alert failure 224
    SNMP initiation request failure 224
    truncated SNMP message 224
ESP
    about node architecture 36
ethernet
    deploying failover groups through 328
Event Correlation Destination IP Weight
    setting node parameters 241
Event Correlation Destination Port Weight
    setting node parameters 243
Event Correlation Name Weight
    setting node parameters 239
Event Correlation Source IP Weight
    setting node parameters 240
Event Correlation Source Port Weight
    setting node parameters 242
Event Delay Time
    setting sensor parameters 173
Event Destination Hashes
    setting node parameters 348
Event Dispatch Protocol. See EDP
Event Message Hashes
    setting node parameters 347
Event Queue Length
    setting node parameters 349
Event Rate Throttle
    setting node parameters 350
event source
    response rules 145
event target
    response rules 142
event types 142
    adjusting the view by columns 123
    searching response rules 140
    viewing details 123
Event Writer File
    setting node parameters 285
events
    about event dispatch protocol 29
    about event stream provider. See ESP
    annotating 232
    annotating an instance 132
    annotating policies 131
    availability monitor 322
    base 260
    copying details 234
    copying incidents top 234
    customizing annotation templates 232
    customizing responses 154
    data displayed 226, 228
    destination report 267
    detail reports 266
    email notifying 148
    enabling logging 126
    enabling SNMP notifications 152
    examining data 220
    filtering 229, 230
    filtering tables 229, 230
    integrating third-party 316
    interpreting severity and confidence levels 221
    list reports 266
    modifying the view 47
    modifying the view of types 47
    next action parameter 146
    none option 148
    operational 223
    protocol 267
    report types 260
    reporting
        per day 263
        per hour 263
        per month 263
    response parameter 147
    searching for types 121
    selecting columns 227
    SNMP notification 152
    sorting 216
    sorting by classful destination 264
    sorting by classful source 264
    sorting by protocol 264
    sorting by vendor 264
    source parameter 145, 146
    source reports 267
    target parameter 142
    top blocked types 261
    top destinations 261
    top report type 261
    top sources 262
    TrackBack function 154
    type parameters 142
    viewing descriptions 222
    viewing details 221
    viewing non-logged 126
    viewing top of incident 219
    viewing top-level 220
export flow action
    response rules 161
exporting
    about SQL 365
    data to syslog 293
    log data 285
    saved reports 257
    to file 285
    to SESA 286
    to SQL 288
    to syslog 293
external sensors
    queries from TrackBack 110

F
fail-open
    about 39, 62
failover
    configuring watchdog group 325
    configuring watchdog parameters 328
    viewing incidents during 327
failures
    applying policies after 334
    See also errors
    setting maximum logins 59
fault tolerance
    watchdog process 324
files
    exporting logs to 285
filters
    applying to incident tables 229, 230
    ignoring attacks 148
    incident filter options 328
    preserving incidents during fail-over 230
    showing incidents from selected nodes 230
    showing operational events 229
    viewing incidents from all nodes 328
Flag for SCP Usage
    setting node parameters 298
floods
    advanced flood parameters 178
flow alert rules
    deleting 165
    editing 164
    providing a mask 165
    using permits 166
    viewing 163
flow statistics
    viewing 269
FlowChaser
    about 37
    collecting flow status 247
    configuring 248
FlowChaser Maximum Flows Per Device
    setting node parameters 248
FlowChaser Router Flow Collection Port
    setting node parameters 249
FlowChaser Router Flow Collection Threads
    setting node parameters 248
FlowChaser Sensor Threads
    setting node parameters 250
flows
    adding alert rules 163
    alert rules 162
    configuring FlowChaser 248
    devices with statistics 266
    enabling data collection 247
    mask for alert rules 165
    querying 267
    replaying traffic 271
    reports by destination address 267
    reports by destination port 267
    reports by protocol 267
    reports by source address 267
    reports by source port 267
    sample alert rule 164
    status collection 247
    TrackBack 247
    traffic playback tool 271
    using permit types 166
    viewing current 268
    viewing exported 270
font size
    setting in incident tables 216
forcing
    database synchronization 85, 313
formats
    report 259
From Address
    setting node parameter 149
Full Event List tab
    about 117

G
generating
    SSH keys 342
groups
    about interface groups 38
    about monitoring groups 66
    about user accounts 54

H
Hardware Compatibility Reference
    viewing 22
high availability
    watchdog process 324
host name
    SMTP server for email alerts 150, 151
Hostname Used For Email Notifications
    setting node parameter 151

I
iButton
    certificate expiration 223
    See also software token
    signing rotated event log 282
    token failure 223
ICMP Minimum Flows
    setting sensor parameters 181, 182
ICMP Number of Streak Packets
    setting sensor parameters 182
ICMP Saturation Alert Threshold
    setting sensor parameters 176
importing
    signatures 205
Incident Idle Time
    setting node parameters 237
Incident Unique IP Limit
    setting node parameters 239
incidents
    annotating events 232
    configuring email 235
    copying and pasting 233
    copying top event 234
    cross-node correlated details 220
    customizing annotation templates 232
    data 214, 226
    details 266
    emailing 236
    examining data 217
    filtering 229, 230
    list 263
    marking as viewed 231
    modifying the view 47
    parameters 237
    printing 235
    reporting 260
    reporting per day 262
    reporting per hour 262
    reporting per month 262
    saving data 233
    selecting columns 227
    selecting data to display 226
    setting idle time 237
    setting table font size 216
    sorting events 216
    viewing 326
    viewing details 217
    viewing flow statistics 269
    viewing from monitoring groups 69
    viewing top event 219
    viewing top-level data 217
in-line
    about 16, 38, 62
    about blocking 116
    about bypass unit 17
    about deployment 61
    bypass unit 39
    creating in-line pairs 103
    creating interface groups 101
    enabling blocking on in-line pairs 128
    fail-open 39
    overriding blocking on in-line pairs 119
    permitting fail-open 328
    sensor processes 36
    setting policies to in-line pairs 119
in-line pairs
    adding or editing 103
    on appliance nodes 98
inserting
    response rules 139
intent
    about Wizard fields 203
interface groups
    about 38, 62
    adding or editing 101
    on appliance nodes 98
interfaces
    about 7100 Series appliance 98
    about Smart Agents 111
    adding nodes 88
    adding or editing Smart Agent 111
    auto-negotiation 104
    configuring link state 104
    for external sensors 111
    for nodes 88
    monitoring on software nodes 92
    name 80
IP Fragment Saturation Alert Threshold
    setting sensor parameters 177

J
JDBC Driver
    exporting to SQL databases 288
    setting node parameters 289

K
Knowledge Base
    viewing 22

L
LCD panel
    about 39, 52
    power off nodes 54
    rebooting nodes 53
    restarting nodes 53
    setting lock 60
    shutting down nodes 54
    stopping nodes 54
    unlocking 52
LCD screen. See LCD panel
licenses
    checking status 49
    checking via Network Security console 49
    licensing clustered nodes 312
Limit Size for Archive Directory
    setting node parameters 280
Limit Size for Traffic Record Directory
    setting node parameters 281
link state
    configuring negotiation 104
LiveUpdate
    about 303, 304
    adding or editing 307
    applying 305
    backing up configurations 308
    blocking automatically 128, 131
    deleting schedules 308
    reverting schedules 308
    scanning for available updates 305
    setting the server 306
loads events button 220
location
    adding 87
    editing 87
Location of SCP Binary
    setting node parameters 300
Lock LCD Screen
    setting node parameter 60
locking
    LCD panel 60
logging
    about 38
    enabling rules 126
    preventing cleartext passwords 156
    viewing non-logged events 126
login
    adding user accounts 55
    deleting user login accounts 56
    editing user accounts 56
    from Windows 45
    history report 265
    Network Security Administrator 224
    Network Security console 223, 224
    setting maximum failures 59
logs
    about 273
    about install 273
    about operational 274
    archiving 276, 279
    clearing directory 280
    compressing files 282
    copying 276
    deleting 277
    exporting data 285, 293
    managing 274
    managing operational 274
    refreshing the list 277
    rotating by size 280
    rotating with SCP 297
    secure copy protocol 297
    setting automatic logging levels 278
    viewing 274
    viewing live 275

M
managed network segments
    about 112
managers
    alert 35
    sensor 35
managing
    controlling user access 59
    from the LCD panel 52
    from the Network Security console 44
    from the serial console 50
    node clusters 309
    report schedules 256
    response rules 138
    topology tree 80
    user access 59
    user login accounts 54, 55
    user passphrases 57
    via user interfaces 44
managing flow statistics 247
ManTrap. See Symantec Decoy Server
mapping
    adding ports 197
    deleting ports 197
    event type to base event 260
    event type to incident 263
    gathering topology data 78
    network sample 62, 78
    ports 196
    topology 76
    your network 77
marking
    incidents as viewed 231
master nodes
    adding 89
    adding appliance 95
    adding or editing software 89
    editing 82, 89
    editing appliance 95
    establishing 310
    primary default 309
    set as cluster master 310
match type
    about Wizard fields 204
maximum
    nodes in failover group 325
Maximum Incidents
    setting node parameters 238
Maximum IPv4 Fragment Reassembly Table Elements
    setting sensor parameters 185
Maximum Login Failures
    setting node parameter 59
Maximum Time to Streak Analysis
    setting sensor parameters 183
modes
    about alerting 38
    about blocking 38
    about cluster 61
    about in-line 38, 61
    about passive 38, 61
    about single-node 61
monitoring
    flow statistics 247
    node availability 322
    traffic rate 29
monitoring groups
    assigning 67
    choosing view 69
    creating 67
    deleting 68
    deploying 66
    renaming 68
monitoring interfaces
    adding or editing on software nodes 93
    editing on appliance nodes 99
    on appliance nodes 98
    on software nodes 92
MSAs. See Smart Agents
MySQL
    event table 374
    exporting to 288
    incident table 372
    using tables 372

N
name
    about Wizard fields 203
names
    interface 80
Network Security
    accessing the Network Security console 44
    logging in 224
    logging in as Administrator 224
    login history 265
Network Security console
    about 32
    accessing 44
    backing up 333
    changing font size 47
    checking licenses and Security Updates 49
    choosing view 46, 47
    creating synchronization passphrases 80
    expanding or collapsing view 46
    launching from Windows 45
    logging in 223
    login 45
    node status indicator 47
    rebooting nodes 48
    restoring 333
    viewing 46
Network Security node
    about alert manager architecture 35
    deployment checklist 42
    QSP proxy architecture 35
    sensor manager architecture 35
Network Security nodes
    starting and stopping from the Network Security console 47
    stopping from the command line 48
networks
    about managed segments 112
    about monitoring interfaces on appliance nodes 100
    editing managed segments 112
    sample topology map 62, 78
    topology map 77
    viewing advanced options 91, 97
    viewing the monitoring interface networks tab 94
next action
    configuring 146
    response rules 146
node numbers
    changing 314
node parameters
    about 344
    configuring 345
    configuring basic 346
node status indicator
    appliance or software 81
nodes
    about appliances 37
    about cross-node correlation 31
    about parameters 64
    about software and appliances 88
    adding 82, 89
    adding 7100 Series appliance nodes 95
    adding interfaces 88
    adding slaves to cluster 311
    adding software nodes 89
    administration service architecture 35
    cluster deployment 65
    customer IDs 79
    database architecture 35
    deleting 83, 311
    description conventions 79
    incident details 220
    interface naming 80
    modifying the view 46
    monitoring groups 66
    monitoring interfaces on software nodes 93
    naming conventions 79
    passphrase 79
    rebooting from the LCD panel 53
    rebooting from the Network Security console 48
    rebooting from the serial console 51
    restarting from the LCD panel 53
    restarting from the serial console 50
    shutting down 54
    single node deployment 62
    single-node appliance deployment 62
    single-node availability 323
    status indicator 47, 81
    stopping from the LCD panel 54
    stopping from the serial console 51
    synchronization in cluster 313
    synchronizing clustered 312
    user name 79
    viewing 46
    viewing details 81
    viewing status 81
none option
    configuring 148
non-logged
    viewing events 126
Notes tab
    annotating policies 117
notifications
    about alert manager 35
    configuring email 148

O
objects
    adding 82
    adding or editing Smart Agent 109
    adding or editing Smart Agent interface 111
    customer IDs 79
    deleting 83
    description conventions 79
    editing 83
    editing network segments 112
    interface naming 80
    naming conventions 79
    types in topology tree 74
    user name and passphrase 79
    viewing 81
    viewing details 76
offsets
    about Wizard fields 205
Operational Logging Level
    setting logging level 278
    setting node parameters 278
operational logs
    about 274
    event notice 223
    sending copies to syslog 293
    setting parameter level 278
options
    configuring none 148
    viewing advanced network 91, 97
Oracle
    event table 368
    exporting to 288
    incident table 366
    using tables 366
Other Saturation Alert Threshold
    setting sensor parameters 177

P
Packet Counter Interval
    setting sensor parameters 179
PAD
    about 167
panel
    LCD 39
parameters
    about 64
    about cluster 64
    about clusters, nodes, and sensors 344
    about node 64
    about sensor 64
    advanced 346
    advanced sensor 184, 194
    advanced sensor TCP engine 185
    basic sensor 170
    configuring advanced 343
    configuring sensors 169
    configuring watchdog 328
    Event Correlation Name Weight 239
    event source 145, 146
    event target policy 142
    event type 142
    incident 237
    operational logging level 278
    response rules 141, 147
    setting Bad Service Saturation Alert Threshold 177
    setting Cluster ID 289
    setting Compression Command 284
    setting Compression On/Off Switch 283
    setting Counter Number of Streak Packets 180
    setting DB Connection String 290
    setting DB Password 292
    setting DB User 291
    setting Destination Directory for SCP 300
    setting Destination Host for SCP 298
    setting Echo Operational Log to Syslog 294
    setting EDP Port Number 318
    setting email notification 149
    setting Enable BackOrifice Detection 173
    setting Enable Flow Statistics Collection 171
    setting Enable Full Packet Capture 171
    setting Enable IPv4 Header Checksum Validation 172
    setting Enable PLSC 184
    setting Enable TCP Checksum Validation 172
    setting Enable UDP Checksum Validation 173
    setting Enable Watchdog Process 329
    setting Event Correlation Destination IP Weight 241
    setting Event Correlation Destination Port Weight 243
    setting Event Correlation Source IP Weight 240
    setting Event Correlation Source Port Weight 242
    setting Event Delay Time 173
    setting Event Destination Hashes 348
    setting Event Message Hashes 347
    setting Event Queue Length 349
    setting Event Rate Throttle 350
    setting Event Writer File 285
    setting Flag for SCP Usage 298
    setting FlowChaser Maximum Flows Per Device 248
    setting FlowChaser Router Flow Collection Port 249
    setting FlowChaser Router Flow Collection Threads 248
    setting FlowChaser Sensor Threads 250
    setting From Address 149
    setting Hostname Used For Email Notifications 151
    setting ICMP Minimum Flows 181, 182
    setting ICMP Number of Streak Packets 182
    setting ICMP Saturation Alert Threshold 176
    setting Incident Idle Time 237
    setting Incident Unique IP Limit 239
    setting IP Fragment Saturation Alert Threshold 177
    setting JDBC Driver 289
    setting Limit Size for Archive Directory 280
    setting limit size for archive directory 280
    setting Limit Size for Traffic Record Directory 281
    setting Location of SCP Binary 300
    setting Lock LCD Screen 60
    setting Maximum Incidents 238
    setting Maximum IPv4 Fragment Reassembly Table Elements 185
    setting Maximum Login Failures 59
    setting Maximum Time to Streak Analysis 183
    setting Operational Logging Level 278
    setting Other Saturation Alert Threshold 177
    setting Packet Counter Interval 179
    setting QSP Port Number 315
    setting Remote Syslog Destination Host 295
    setting Remote Syslog Destination Port 296
    setting Reset Port 174
    setting Saturation Counter Lapse Time 183
    setting SESA Bridge Export 287
    setting Signature Engine Max Backbuffer Size 185
    setting Size to Trigger Rotation 280
    setting Slow Scan Alert Threshold 176
    setting Slow Scan Max Entry (days) 183
    setting Slow Scan Maximum IP Addresses Limit 183
    setting SMTP Server 150
    setting SNMP Community String 153
    setting SNMP Manager 153
    setting Streak Interval 179
    setting Subject Line 150
    setting Syslog Event Export 293
    setting Syslog Maximum Message Size 296
    setting TCP 2MSL Timeout 188
    setting TCP Default Window Size 189
    setting TCP Flood Alert Threshold 175
    setting TCP Flow Max Queued Segments 187
    setting TCP Global max Queued Segments (Fast Ethernet) 187
    setting TCP Global max Queued Segments (Gigabit) 188
    setting TCP Keepalive Timeout 187
    setting TCP Listening Flows Target Ratio 192
    setting TCP Maximum Flow Table Elements (Fast Ethernet) 186
    setting TCP Maximum Flow Table Elements (Gigabit) 186
    setting TCP Minimum Flows 180
    setting TCP Number of Streak Packets 180
    setting TCP Opening Flows Target Ratio 192
    setting TCP Retransmitted Segment Alert Minimum Magnitude 190
    setting TCP Retransmitted Segment Alert Threshold 190
    setting TCP Retransmitted SYN Alert Magnitude 192
    setting TCP RST Quiet Period 189
    setting TCP SYN Flood End Threshold 191
    setting TCP SYN Flood Retransmission Timeout 191
    setting Traffic Mode 173
    setting TTL Allowed Variance for TCP over IPv4 193
    setting TTL Allowed Variance for UDP over IPv4 195
    setting TTL Change Timeout for TCP Over IPv4 193
    setting TTL Change Timeout for UDP Over IPv4 196
    setting UDP Connection Timeout 195
    setting UDP Flood Alert Threshold 175
    setting UDP Maximum Flow Table Elements (Fast Ethernet) 194
    setting UDP Maximum Flow Table Elements (Gigabit) 194
    setting UDP Minimum Flows 181
    setting UDP Number of Streak Packets 181
    setting UDP Saturation Alert Threshold 176
    setting User Account for SCP 299
    setting Watchdog Process Email 332
    setting Watchdog Process Maximum Resets 330
    setting Watchdog Process Restart Only 323, 331
    setting Watchdog Process Stop Window 329
passive
    about 38
    sensor processes 36
passive modes
    about deployment 61
passphrases
    changing node 314
    collecting 79
    deleting 80
    editing 57
    managing 57
    synchronizing 80
passwords
    editing 58
    editing on serial consoles 58
    editing secadm 59
    preventing cleartext logging 156
pasting
    incident data 233
patches
    accessing sites 22
payload offset
    about Wizard fields 205
PDF
    saving console reports 260
permissions
    by group 354
    by task 360
PLSC
    Propagate Link State Change parameter 184
policies
    about 31
    about protection 115
    adding 125
    adding new 124
    adjusting the view 121
    annotating 131
    applying to save 119
    Auto Update tab 117
    backing up 133
    cloning 125
    column view 123
    creating 124
    creating new 124
    defining new 124
    deleting user-defined 129
    editing 125
    enabling blocking 128
    enabling logging rules 126
    Full Event List tab 117
    modifying the view 47
    Notes tab 117
    overriding blocking rules 119
    Protection Policies tab 117
    removing application 120
    removing set to interfaces 120
    responding to events 116
    reverting applications 121
    saving changes 119
    Search Events tab 117
    searching event types 121
    selecting pre-defined 118
    setting to interfaces 119
    unapplying 120
    understanding the workarea 116
    updating 129
    using 117
    viewing event type details 123
portable document format. See PDF
ports
    adding or editing mappings 197
    deleting mappings 197
    flow reports by destination 267
    flow reports by source 267
    mapping 196
portscan
    top event type 261
powering off
    nodes from the serial console 51
primary
    default master node 309
printing
    incident data 235
    reports 260
priority
    configuring levels 143
    mapping level 228
processes
    about sensors 36
Product Updates
    about 303
    accessing 22
protection policies
    about 31, 115
    adding 125
    adjusting the view 121
    annotating 131
    applying to save 119
    Auto Update tab 117
    backing up 133
    cloning 125
    column view 123
    deleting user-defined 129
    editing 125
    enabling blocking 128
    enabling logging rules 126
    Full Event List tab 117
    Notes tab 117
    overriding blocking rules 119
    Protection Policies tab 117
    removing application 120
    removing set to interfaces 120
    responding to events 116
    reverting application 121
    saving changes 119
    Search Events tab 117
    selecting pre-defined 118
    setting to interfaces 119
    unapplying 120
    understanding the workarea 116
    updating 129
    using 117
    using Search Events 121
    viewing event type details 123
Protection Policies tab
    about 117
protocol
    about Wizard fields 204
protocol anomaly detection. See PAD
protocols
    about anomaly detection architecture 27
    adding mappings to supported 197
    deleting mappings to supported 197
    EDP 29
    EDP proxy 110, 318
    flow 266
    flow reports by 267
    list of events 264
    matching event transport 160
    moving logs with SCP 297
    rotating logs with SCP 279
    SCP 297

Q
QSP
    secure communication 35
    setting port number for cluster 315
query service proxy. See QSP
QSP Port Number
    setting cluster parameter 315
queries
    about 253
    event type list 140
    replaying traffic flow data 271
    traffic playback tool 271
    viewing current flows 268
    viewing exported flows 270

R
read-only
    RestrictedUser partial permissions 354
    StandardUser permissions 354
    user login permissions 360
read-only. See passphrases
read-write
    Administrator partial permissions 354
    SuperUser permissions 354
    user login permissions 360
read-write. See passphrases
rebooting
    nodes from the LCD panel 53
    nodes from the Network Security console 48
    nodes from the serial console 51
redundancy
    watchdog process 324
refinement
    about 30
    detection rules method 168
    Security Updates 304
regex
    about Wizard fields 205
Remote Syslog Destination Host
    setting node parameters 295
Remote Syslog Destination Port
    setting node parameters 296
renaming
    monitoring groups 68
reports
    about 253
    about top-level and drill-down 258
    adding or editing schedules 254
    by event characteristics 264
    deleting saved 258
    deleting schedules 256
    drill-down 266
    exporting saved 257
    format 259
    managing scheduled 256
    per event schedule 263
    per incident schedule 262
    per Network Security device 265
    printing 260
    querying flows 267
    refreshing list 255
    replaying traffic flow 271
    saving 260
    scheduling 254
    top events 261
    top level 260
    traffic playback 271
    type 259
    viewing current flows 268
    viewing exported flows 270
    viewing Flow Statistics 269
    viewing saved 257
Reset Port
    setting sensor parameters 174
resetting
    signature variables 208
response actions
    command variables 155
    enabling console 161
    response rules 146
    setting email notification parameters 149
    TCP reset 157
    using percent sign as argument 157
response rules 142
    about automated 31
    adding 139
    color coding 139
    configuring console response 160
    custom response 154
    database backup 141
    editing 140
    enabling SNMP notifications 152
    event source parameters 145, 146
    event target parameter 142
    event type parameters 142
    export flow action 161
    inserting 139
    managing 138
    next action parameter 146
    none option 148
    parameters 141
    response parameter 147
    saving configurations 141
    searching for event types 140
    setting confidence levels 145
    setting event sources 145
    setting event targets 142
    setting event types 142
    setting next actions 146
    setting response actions 146
    setting TrackBack response actions 154
    SNMP notification 152
    TCP reset 157
    TrackBack 154
    viewing 138
responses
    about 31
    about automated 137
    adding flow alert rules 163
    adding Smart Agent nodes 108
    assigning priority levels 143
    automated 137
    configuring confidence level 145
    configuring parameters 141
    configuring priority 143
    customizing arguments 156
    customizing responses 154
    deleting 141
    email notifications 148
    enabling automatic next action 146
    failure of custom 224
    flow alert rules 162
    mask for flow alert rules 165
    modifying response rules 140
    monitoring service availability 322
    none option 148
    sample flow alert rule 164
    setting parameters 147
    setting SNMP notifications 152
    setting TrackBack response actions 154
    SNMP notifications 152
    tracking data stream to source 154
    traffic record 159
    using permit types 166
    viewing rules 138
restarting
    Network Security sensors 49
    nodes from the LCD panel 53
    nodes from the Network Security console 47
    nodes from the serial console 50
    sensors in a cluster 315
restoring
    configurations 335
    existing configuration to cluster 337
    existing configuration to node 337
    on Network Security console 333
    Symantec Network Security 332
    using compact flash 338
    via compact flash 40
RestrictedUser
    pre-defined login account 224
RestrictedUsers
    about 354
reverting
    changes to topology tree 84
    LiveUpdate schedules 308
    policy applications 121
    signature variables 209
    to original install 341
roles
    about administration of 33
    creating user login accounts 55
    deleting user login accounts 56
    editing user login accounts 56
    establishing user accounts 353
    user login permissions 360
rotation
    clearing directories 280
    moving logs 297
    size-based logs 280
routers
    queries from TrackBack 107
rules
    about refinement 30
    adding flow alert 163
    blocking 119
    flow alert 162
    mask for flow alert 165
    refinement detection 168
    sample flow alert 164
    using permit types 166

S
Saturation Counter Lapse Time
    setting sensor parameters 183
Save Changes
    topology tree 83
saving
    changes to response rules 141
    changes to topology tree 83, 84
    configurations to hard drive 340
    incident data 233
    initial configuration 339
    initial configurations to compact flash 339
    reports 260
scans
    advanced scan parameters 178
scheduling
    deleting reports 256
    refreshing report list 255
    reports 254
SCP 297
    rotating logs 279
    transferring with 343
Search Events tab
    about 117
    creating a subset of event types 121
secadm password
    editing 59
secure copy protocol. See SCP
Security Updates
    about 303
security updates
    checking status 49
selecting
    protection policies 118
sensor manager
    node architecture 35
sensor parameters
    about 344
    advanced flood and scan parameters 178
    setting Enable PLSC 184
    setting Packet Counter Interval 179
    threshold 174
sensor processes
    definition 398
    setting enable PLSC parameter 184
    setting packet-counting interval 179
sensors
    about node architecture 36
    about parameters 64
    about sensor processes 36
    advanced parameters 184
    advanced TCP engine parameters 185
    advanced UDP engine parameters 194
    basic parameters 170
    configuring parameters 169
    restarting from Network Security console 49
    restarting in a cluster 315
    restarting or stopping 170
    setting Enable PLSC parameter 184
    setting Packet Counter Interval parameter 179
    tweaking sensitivity 170, 184, 185, 194
serial console
    about 40, 50
    editing root password 58
    editing secadm passwords 59
    powering off nodes 51
    rebooting nodes 51
    restarting nodes 50
    shutting down nodes 51
    stopping nodes 51
SESA
    exporting data to 286
    integrating with 286
    setting SESA Bridge Export 287
SESA Bridge Export
    setting node parameters 287
Set to Interfaces
    protection policies 119
    removing or undoing 120
    setting policies to interfaces 119
severity 143
    about Wizard fields 203
    mapping level 228
    viewing events 221
shutting down
    appliance nodes from the serial console 51
    appliances from the LCD panel 54
signature descriptions
    about Wizard fields 204
Signature Engine Max Backbuffer Size
    setting sensor parameters 185
signature variables
    applying 209
    deleting 208
    editing 207
    resetting 208
    reverting 209
    viewing 207
signatures
    about 28
    about detection 168
    about user-defined 28
    adding or editing user-defined 201
    adding user-defined 201
    creating global variables 207
    deleting 205
    deselecting 205
    detection by 198
    disabling 205
    importing 205
    managing 199
    removing 205
    resolving compile errors 206
    Symantec 28, 198
    upgrading 203, 209
    user-defined 199
    variables 206
    viewing 199
size to trigger
    editing log rotation size 280
Size to Trigger Rotation
    setting node parameters 280
slave nodes
    adding 89
    adding appliance 95
    adding or editing software 89
    creating topology tree 89
    editing 89
    editing appliance 95
    setting passphrase 90, 96
    synchronizing 309
Slow Scan Alert Threshold
    setting sensor parameters 176
Slow Scan Max Entry (days)
    setting sensor parameters 183
Slow Scan Maximum IP Addresses Limit
    setting sensor parameters 183
Smart Agents
    about 37, 108
    about interfaces 111
    adding external sensor nodes 108
    adding or editing 109
    communicating via EDP proxy 318
    communicating with Symantec Network Security 110, 318
    third-party integration 316
SMTP Server
    node parameter 150
sniffer. See sensor processes
SNMP
    alert failure 224
    configuring notification 152
    request failure 224
    truncated message 224
SNMP Community String
    setting node parameters 153
SNMP Manager
    setting node parameters 153
software
    about parameters 344
    about the node architecture 34
    accessing Knowledge Base 22
    adding nodes 89
    adding or editing nodes 89
    clustering with appliances 66
    deleting nodes 311
    documentation 21
    node status indicator 81
    queries from TrackBack 91
    viewing Hardware Compatibility Reference 22
sorting
    incident data 216
source destination
    reports 264
source IP
    about Wizard fields 204
source port
    about Wizard fields 204
SQL
    exporting parameters 365
    setting up export 365
SSH keys
    generating 342
StandardUser
    pre-defined login account 224
StandardUsers
    about 354
standby nodes
    about failover 65
    configuring high availability 324
    creating failover groups 325
    node numbers 314
    watchdog process 324
state
    configuring link negotiation 104
stateful signatures. See signatures
statistics
    devices with flow 266
stopping
    end time 218
    incident response 148
    nodes from the command line 48
    nodes from the LCD panel 54
    nodes from the Network Security console 47
    nodes from the serial console 51
Streak Interval
    setting sensor parameters 179
Subject Line
    node parameter 150
SuperUsers
    about 354
Symantec Decoy Server
    external sensors 319
    integrating with Symantec Network Security 108, 317
    launching via Network Security 319
Symantec Decoy Server console
    launching from Network Security console 320
Symantec Network Security
    about analysis 30
    about database architecture 35
    about detection 26
    about response 31
    about software features 17
    about the 7100 Series 15
    about the core architecture 25
    about the node architecture 34
    accessing patch site 22
    accessing the Network Security console 44
    adding nodes 89
    detection architecture 32
    management architecture 32
    software documentation 21
Symantec signatures. See signatures
synchronizing
    automatic 313
    forcing 85, 313
    nodes in a cluster 312
    passphrases 80
    slave nodes 309
synflood
    top event type 261
syslog
    exporting data to 293
    exporting to 293
Syslog Event Export
    setting node parameters 293
Syslog Maximum Message Size
    setting node parameters 296

T
tabs
    about Advanced Network Options tab 91, 97
    about Auto Update tab 117, 129
    about Devices tab 33, 74, 214
    about Full Event List tab 117
    about Incidents tab 33, 214
    about Networks tab 94, 100
    about Notes tab 117, 131
    about Policies tab 33
    about Protection Policies tab 117
    about Search Events tab 117, 121
TCP 2MSL Timeout
    setting sensor parameters 188
TCP Default Window Size
    setting sensor parameters 189
TCP Flood Alert Threshold
    setting sensor parameters 175
TCP Flow Max Queued Segments
    setting sensor parameters 187
TCP Global max Queued Segments (Fast Ethernet)
    setting sensor parameters 187
TCP Global max Queued Segments (Gigabit)
    setting sensor parameters 188
TCP Keepalive Timeout
    setting sensor parameters 187
TCP Listening Flows Target Ratio
    setting sensor parameters 192
TCP Maximum Flow Table Elements (Fast Ethernet)
    setting sensor parameters 186
TCP Maximum Flow Table Elements (Gigabit)
    setting sensor parameters 186
TCP Minimum Flows
    setting sensor parameters 180
TCP Number of Streak Packets
    setting sensor parameters 180
TCP Opening Flows Target Ratio
    setting sensor parameters 192
TCP reset 157
TCP Retransmitted Segment Alert Minimum Magnitude
    setting sensor parameters 190
TCP Retransmitted Segment Alert Threshold
    setting sensor parameters 190
TCP Retransmitted SYN Alert Magnitude
    setting sensor parameters 192
TCP RST Quiet Period
    setting sensor parameters 189
TCP SYN Flood End Threshold
    setting sensor parameters 191
TCP SYN Flood Retransmission Timeout
    setting sensor parameters 191
third-party integration
    events 316
    Smart Agents 37
    via Decoy Server 317, 319
    via Smart Agents 316
time
    setting incident idle 237
tool tips
    annotating policies 131
topology
    adding external sensor device nodes 109, 113
    adding external sensor interfaces 111
    adding locations 87
    adding nodes and objects 86
    adding router device interface nodes 108
    adding router nodes 106
    adding Symantec Decoy Server nodes 319
    backing up 85
    deleting nodes 83
    editing locations 87
    editing nodes 83
    establishing the database 80
    gathering information for map 78
    managing the tree 80
    mapping 76
    modifying the view 46
    numbering nodes 311
    populating the tree 80, 82
    saving changes 84
    saving changes to 83
    saving or reverting changes 84
    viewing 46
    viewing node details 81
    viewing node status 81
topology tree
    objects in 74
    saving changes 84
TrackBack
    about 18, 19
    configuring 154
    flow data collection 247
    limitation with Traffic Record 160
    querying appliance nodes 97
    querying external sensors 110
    querying routers 107
    querying software nodes 91
    setting response action 154
traffic
    about rate monitoring 29
    configuring record response 159
    playback tool 271
    record response 159
    replaying recorded 271
    viewing current flows 268
    viewing exported flows 270
Traffic Mode
    setting sensor parameters 173
Traffic Record
    limitation with TrackBack 160
transferring
    using SCP 343
transit types
    about Wizard fields 204
TTL Allowed Variance for TCP over IPv4
    setting sensor parameters 193
TTL Allowed Variance for UDP over IPv4
    setting sensor parameters 195
TTL Change Timeout for TCP Over IPv4
    setting sensor parameters 193
TTL Change Timeout for UDP Over IPv4
    setting sensor parameters 196

U
UDP Connection Timeout
    setting sensor parameters 195
UDP Flood Alert Threshold
    setting sensor parameters 175
UDP Maximum Flow Table Elements (Fast Ethernet)
    setting sensor parameters 194
UDP Maximum Flow Table Elements (Gigabit)
    setting sensor parameters 194
UDP Minimum Flows
    setting sensor parameters 181
UDP Number of Streak Packets
    setting sensor parameters 181
UDP Saturation Alert Threshold
    setting sensor parameters 176
undoing
    changes to topology tree 84
    LiveUpdate schedules 308
    policy applications 121
    reverting signature variables 209
unlocking
    LCD panel 52
updating
    protection policies 129
    scanning for LiveUpdates 305
    Symantec Network Security 303
upgrading
    node clusters 310
User Account for SCP
    setting node parameters 299
user accounts
    creating 55
    definition 353
    deleting 56
    editing 56
    establishing 54, 353
    logged actions 61
user-defined signatures
    about 28
    deleting user-defined signatures 205
user-defined signatures. See also signatures
users
    about administration of 33
    controlling access of 59
    editing passphrases 57
    locking LCD screen 60
    login accounts 353
    login history 265
    managing access 54, 59
    name 79
    Network Security console login 224
    permissions 360
    setting maximum login failures 59
    SuperUser login 223
    tracking activities 61

V
variables
    about default 206
    creating for signatures 207
    response command 155
    signatures 206
viewing
    adjusting policies 121
    changing font size 47
    color-coded response rules 139
    configuration files 341
    event descriptions 222
    event details 221
    expanding and collapsing the view 46
    flow alert rules 163
    incident details 217
    incidents and events 215
    live logs 275
    logs 274
    marking as viewed 231
    monitoring groups 69
    Network Security console 46
    object details 76
    objects 81
    response rules 138
    saved reports 257
    severity and confidence levels of events 221
    signature variables 207
    signatures 199
    top event of incident 219
    top-level events 220
    top-level incident data 217
    topology 46, 47
VLAN
    specifying rules 145

W
watchdog process
    adding failover groups 325
    high availability 324
    preserving incidents 326
    viewing incidents 327
Watchdog Process Email
    setting node parameters 332
Watchdog Process Maximum Resets
    setting node parameters 330
Watchdog Process Restart Only
    setting node parameters 323, 331
Watchdog Process Stop Window
    setting node parameters 329
watchdog processes
    configuring parameters 328
Windows
    launching Network Security console 45
writing
    about Wizard fields 203
    summary via the Wizard 200
