Administration Guide
Page 2
..., Inc. "Castor," ExoLab Group, Copyright © 1999-2001 Intalio, Inc. All rights reserved (http://www.exolab.org). Trademarks: Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton AntiVirus are registered trademarks of ... the agreement. Cisco and Catalyst are U.S. ... The technical documentation is being delivered to you AS...
...the level of support purchased and the specific product. ... that ensure the highest level of ... Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. Symantec technical support offerings include:
■ A range of support options that give you the ...
... Base. Customers with a current support agreement may contact Platinum Technical Support via phone or online at www-secure.symantec.com/platinum/.
Contacting Technical Support
Customers with Platinum support agreements may contact the Technical Support group via the Platinum Web...
... 1 Overview
Chapter 1 Introduction
    About the Symantec Network Security foundation 15
    About the Symantec Network Security 7100 Series 15
    About other Symantec Network Security features 17
    Finding information 20
    About 7100 Series appliance documentation 20
    About Network Security software documentation 21
    About the Web sites 22
    About this guide 23
Chapter 2 Architecture
    About Symantec Network Security 25
    About the core architecture 25
    About detection...
Chapter 3 ...
... 2
Chapter 4 ... Chapter 5 ...
    Managing user passphrases 57
    Controlling user access 59
    Planning the deployment 60
    Deploying single nodes 61
    Deploying a single Network Security software node 61
    Deploying a single 7100 Series appliance node 62
    Configuring single-node parameters 63
    Deploying node clusters 64
    Deploying software and appliance ...
    ... 83
    Backing up ... 83
    Adding nodes and objects 83
    About location objects 83
    About nodes and interfaces 85
    About Network Security software nodes 86
    About 7100 Series appliance nodes 92
    About router objects 101
    About Smart Agents 104
    About managed...
    ... parameters 172
    Table element parameters 173
    Segment parameters 175
    Configuring port mapping 177
    Configuring signature detection 179
    About Symantec signatures 179
    About user-defined signatures 180
    Managing signatures 180
    Managing signature variables 184
Using Symantec Network Security
Monitoring
    About incident and event data 189
    Viewing incident and event data 190
    Adjusting the view 191...
    ... report types 230
    Reports of top events 231
    Reports per incident schedule 232
    Reports per event schedule 233
    Reports by event characteristics 233
    Reports per Network Security device 235
    Drill-down-only reports 236
    Querying flows 237
    Viewing current flows 238
    Viewing Flow Statistics 239
    ... file 254
    Exporting to SESA 255
    Exporting to SQL 257
    Exporting to syslog 260
    Transferring via SCP 264
Advanced configuration
    About advanced setup 269
    Updating Symantec Network Security 269
    About LiveUpdate 270
    Scanning for available updates 271
    Applying updates 271
    Setting the LiveUpdate server 272
    Scheduling live updates 273
    Adding or editing automatic...
... Acronyms
    Backing up cluster-wide data 282
    Integrating third-party events 282
    Integrating via Smart Agents 283
    Integrating with Symantec Decoy Server 285
    Establishing high availability failover 287
    Monitoring node availability 287
    Configuring availability for single nodes 288
    Configuring ...
    ... and sensors 309
    About basic setup and advanced tuning 309
    Configuring node parameters 310
    Configuring basic parameters 310
    Configuring Network Security console parameters 311
    Configuring advanced parameters 311
Appendices
User groups reference
    About user groups 319
    About group permissions ...
...and software intrusion detection appliances, designed to detect and prevent attacks across multiple network segments at multi-gigabit speeds. The 7100 Series combines Symantec Network Security's powerful detection capabilities with ... basic deployment schemes. This part includes the following chapters:
■ ...
■ Architecture
■ Getting started
This section introduces you to the Symantec Network Security intrusion detection system and describes the architecture of an appliance. Symantec Network Security contains multiple tools and techniques that provide an unprecedented ability to detect, analyze...
... attacks, application exploits, scans and reconnaissance.
This section includes the following topics:
■ About the Symantec Network Security foundation
■ Finding information
About the Symantec Network Security foundation
The Symantec™ Network Security software and the Symantec Network Security 7100 Series appliance employ a common core architecture that proactively prevents and provides immunity against malicious attacks, including denial of ..., known, unknown (zero-day...
... can be applied per sensor for both ... in enterprise network environments.
■ Dedicated Response Ports: The Symantec Network Security 7100 Series provides special network interfaces ... for large networks that have asymmetrically routed traffic. The Symantec Network Security 7100 Series reduces the cost of a network security solution by ... the interface group, keeping track of network-based attacks. This ability to prevent attacks before...
... an organization, even on gigabit backbones. The optional Symantec Network Security In-line Bypass unit provides fail-open ...: when using in-line mode, the Symantec Network Security 7100 Series appliance is placed directly into the network path, and a fail-open bypass keeps that path up if the appliance loses power or otherwise stops forwarding, at the cost of passing traffic uninspected until the appliance is back in service. Symantec Network Security reduces the total cost of delivering security and product updates ... Symantec Network Security uses Smart Agents to provide enterprise-wide, multi-source...
...organization and environment.
■ Full packet capture, session playback and flow querying capabilities: ... Symantec Network Security ... can be filtered or flagged for incident response. Symantec Network Security implements session termination, traffic recording and playback, flow export and query, TrackBack, and ... custom responses to be configured based on the type and the location of the event within the network.
... protocol anomaly detection, stateful signatures, event refinement, traffic rate monitoring, IDS evasion handling, ...
...inspection capabilities. Independently configurable detection settings give complete, scalable control.
■ Role-based Administration: Symantec Network Security lets you define administrative users and assign them roles that grant varying levels of access rights.
... cluster consisting of up to 12 Fast Ethernet ports or 6 to 8 Gigabit Ethernet ports. In addition, Symantec Network Security provides cluster-wide ... The Network Security console provides complete cluster topology and policy management, node and sensor management, incident and event monitoring, and ...
... a remote computer using secure copy.
■ Symantec Network Security Smart Agents Technology: Symantec Network Security Smart Agents enable enterprise-wide, multi-source intrusion event collection, helping companies to expand the security umbrella and enhance the threat detection value of their existing security assets.
This section includes the following:
■ Symantec Network Security 7100 Series: Model 7120 Getting Started Card
■ Symantec Network Security 7100 Series: Models...
... specifications for removing the hard drive (on CD).
About Network Security software documentation
The documentation set for Symantec Network Security core software includes:
■ Symantec Network Security Getting Started (printed and PDF): This guide provides basic introductory information about Symantec Network Security core software.
... The bypass unit may be purchased separately from Symantec.
■ Symantec Network Security 716x Service Manual (printed and PDF).
... This card...
... The Patch Site provides downloadable patches ... as well as the continually updated Hardware Compatibility Reference, Knowledge Base, and patch Web sites.
About the Hardware Compatibility Reference
The Symantec Network Security Hardware Compatibility Reference provides a detailed list of ... FAQs and troubleshooting tips as they are developed.
To view the Hardware Compatibility Reference
1 Open the following URL...
... sections:
■ Part 1 Introduction: This section introduces you to the Symantec Network Security core intrusion detection system and the Symantec Network Security 7100 Series appliance, describes the architecture, and outlines a high-level setup and deployment scheme.
■ Chapter 1 Introduction: Describes the Symantec Network Security intrusion detection system and the Symantec Network Security 7100 Series appliance, documentation, and alternative sources of information.
■ ...
... incidents and their related events, and how to view incident data in the Network Security console.
■ Chapter 9 Reporting: Describes the types of reports that Symantec Network Security can generate, and how to generate them.
■ Chapter 10 Managing log files: Describes the Network Security log databases, and how to view, compress, save, export, and archive them...
...an appropriate response.
About the core architecture
Symantec Network Security's challenges are to detect malicious or ...
Chapter 2 Architecture
About Symantec Network Security
This chapter describes the underlying architecture of both the 7100 Series appliance and the Symantec Network Security 4.0 software. This chapter includes the following topics:
■ About Symantec Network Security
■ About the core architecture
■ About management and detection architecture
The following diagram describes ... The descriptions in this section apply to both the Symantec Network Security core software and the Symantec Network Security...