User Guide
Page 2
... 1999-2001 © 199-2001 Intalio, Inc. Dell is a registered trademark of Symantec Corporation. Trademarks Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are trademarks of Microsoft Corporation. Windows is a registered trademark, and 95, 98, NT and 2002 are U.S. Symantec Network Security software contains/includes the following Third Party Software from external sources: "bzip2...
Page 3
...you are implementing requires registration and/or a license key, the fastest and easiest way to register, and from Symantec Security Response experts, which is to provide Alerting Services and Virus Definition Updates for current information on the level of service...and Web support components that you are using. Alternatively, you wish to register your questions in a variety of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. Contacting Technical Support Customers with Platinum support agreements may...
Page 5
Contents
Chapter 1 Introduction
  About the Symantec Network Security foundation 9
  About the Symantec Network Security 7100 Series 9
  About other Symantec Network Security features 11
  Finding information 14
  About 7100 Series appliance documentation 14
  About software documentation 15
  About the Web sites 16
  About this guide 17
Chapter 2 Architecture
  About Symantec Network Security 19
  About the core architecture 19
  About detection 20
  About analysis 24...
Page 6
  ... 48
  Viewing objects in the topology tree 51
  Viewing auto-generated objects 51
  About location objects 51
  About Symantec Network Security objects 52
  About router objects 59
  About Smart Agents 60
  About managed network segments 62
  Launching Symantec Decoy Server 63
Chapter 5 Protection Policies
  About protection policies 65
  Viewing protection policies 66
  Understanding the protection...
Page 7
  ... About detection 85
  About sensor detection 86
  Viewing sensor parameters 87
  About port mapping 87
  Viewing port mappings 87
  About signature detection 87
  About Symantec signatures 88
  About user-defined signatures 88
  Viewing signatures 89
  About signature variables 89
  About refinement rules 89
Chapter 8 Incidents and Events
  About ...103
  Loading cross-node correlated events 104
  Saving, printing, or emailing incidents 104
Chapter 9 Reports and Queries
  About reports ...109
  Reporting via the Network Security console 109
  About report formats 110
  About top-level report types 110
Contents 7
Page 8
8 Contents
  Reports of top events 111
  Reports per incident schedule 112
  Reports per event schedule 113
  Reports by event characteristics 113
  Reports per Network Security device 115
  Drill-down-only reports 116
  About querying flows 117
  Viewing current flows 117
  Viewing exported flows 119
Chapter 10 Log Files
  About the log files 121
  About the install log 121
  About the operational log 122
  About log files ...122
  Viewing log files 122
  Viewing live log files 123
  Refreshing the list of log files 123
Page 9
... the Symantec Network Security foundation
■ Finding information
About the Symantec Network Security foundation
The Symantec™ Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that provides detection, analysis, storage, and response functionality.
Chapter 1 Introduction
This chapter includes the following topics:
■ About the Symantec Network Security 7100 Series
■ About other Symantec Network Security features
About the Symantec Network Security 7100 Series
Symantec™ Network Security...
Page 10
... need. A single sensor handles all in-line interfaces with the Symantec Network Security 4.0 software, the Symantec Network Security 7100 Series appliance offers:
■ In-line Operation: The 7100 Series appliance can be deployed in enterprise network environments.
■ Dedicated Response Ports: The Symantec Network Security 7100 Series provides special network interfaces for sending anonymous TCP resets to tailor their protection based...
Page 11
... rapid deployment, centralized management, and cohesive and streamlined security content, service, and support. See also "About other Symantec Network Security features Symantec Network Security is centrally managed via the Symantec™ Network Security Management Console, a powerful and scalable security management system that fits your network connected even if the appliance has a sudden hardware failure. Symantec Network Security reduces the total cost of the latest threats.
Page 12
...and environment. ■ Full packet capture, session playback and flow querying capabilities: Symantec Network Security can query existing or saved flows as well as they happen. Symantec Network Security implements session termination, traffic recording and playback, flow export and query, TrackBack,... offending packet is a benign event that can be filtered or flagged for incident response. 12 Introduction About the Symantec Network Security foundation of protocol anomaly detection, stateful signatures, event refinement, traffic rate monitoring, IDS evasion handling, flow policy ...
Page 13
... granular responses. All administrative changes are made from a centralized management console. Policies can be configured to monitor up to 8 Gigabit Ethernet ports. Introduction 13 About the Symantec Network Security foundation
■ Policy-Based Detection: Predefined policies speed deployment by allowing users to quickly configure immediate response to grant them roles to intrusions or denial-of...
Page 14
... Introduction Finding information scheduled reports generated on the Symantec Web sites. This section includes the following:
■ Symantec Network Security 7100 Series: Model 7120 Getting Started Card
■ Symantec Network Security 7100 Series: Models 7160 and 7161 Getting Started Card
Finding information
You can find detailed information about Symantec Network Security software and Symantec Network Security 7100 Series appliances in the documentation sets, on...
Page 15
... product, an abbreviated list of system requirements, and a basic checklist for getting started.
■ Symantec Network Security Installation Guide (printed and PDF): This guide explains how to install, upgrade, and migrate Symantec Network Security software on the 7160 and 7161.
■ Symantec Network Security 7100 Series Product Specifications and Safety Information (printed and PDF): This document provides instructions for all...
Page 16
... the following URL: You can view the entire documentation set on the Symantec Network Security Web site.
To view the Patch Site
1 Open the following URL: http://www.symantec.com/techsupp/enterprise/select_product_manuals.html
2 Click Intrusion Detection > Symantec Network Security 4.0.
About the Hardware Compatibility Reference
The Symantec Network Security Hardware Compatibility Reference provides a detailed list of FAQs and troubleshooting tips...
Page 17
... guide This guide contains the following chapters:
■ Chapter 1 Introduction: Describes the Symantec Network Security intrusion detection system and the Symantec Network Security 7100 Series appliance, documentation, and multiple sources of information.
■ Chapter 2 Architecture: Describes the system components, compatibility, and integration of Symantec Network Security and Symantec Network Security 7100 Series appliances.
■ Chapter 3 Getting started: Describes basic tasks to start...
Page 19
.... Most procedures in detail. The following topics:
■ About Symantec Network Security
■ About the core architecture
■ About management and detection architecture
About Symantec Network Security
This chapter describes the underlying architecture of both the 7100 Series appliance and the Symantec Network Security 4.0 software. The Symantec Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that is unique...
Page 20
...strengths and weaknesses. 20 Architecture About the core architecture
Figure 2-1 Core Architecture of Symantec Network Security (diagram labels: Refinement, Correlation, Policy Application, Automated Response, Network Traffic, Protocol Anomaly Detection, Stateful Signatures, User-defined Signatures, DoS Detection, External Sources, Scan Detection...)
the following topics:
■ About detection
■ About analysis
■ About response
Response About detection Symantec Network Security uses multiple methods of threat detection that improve upon or replace existing ones. Signature-based approaches can miss ...
Page 21
... Flow Alert Rules and adding user-defined signatures. Anomaly detection looks for abnormal, unexpected, or unacceptable traffic. Symantec Network Security has overcome the issue of overly generic alerts, which looks for expected or acceptable traffic, and alerts when...searching for honey-tokens, or detecting disallowed application versions. Symantec Network Security can increase the detection capabilities by authorities. Symantec Network Security provides in-depth models of the most frequently used network protocols, providing extensive detection capability that breaches the defined ...
Page 22
... or unknown. When this happens, it . Threats identified by PAD are further analyzed to leverage the power of Symantec Network Security, such as a complement to have specific threat identification instead of PAD with the detection performance. Signature detection involves...seen together. The combination provides robust detection without the weaknesses of threats and more complete coverage. Symantec Network Security's high performance is called a signature. Symantec Network Security provides an effective way to address this may be a literal string of characters found in earlier...
Page 23
...many stealth modes that slip through firewalls and other defenses. About DoS detection Symantec Network Security provides passive traffic monitoring on its traffic analysis. Symantec Network Security's aggregate analysis detects both aggregate traffic analysis and individual packet inspection. These ...such as firewalls, IDS sensors, and host-based IDS devices. Symantec Network Security also detects a variety of stealth scans. First, Symantec Network Security collects the data from the Network Security console. Architecture 23 About the core architecture define, manage, and ...