Symantec 10268947 - network security 7160 User manual

Symantec™ Network Security

User Guide

Symantec Network Security User Guide

The software described in this book is furnished under a license agreement and may be used only in

accordance with the terms of the agreement.

Documentation version 4.0

Any technical documentation that is made available by Symantec Corporation is the copyrighted work

of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec

Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the

information contained therein is at the risk of the user. Documentation may include technical or other

inaccuracies or typographical errors. Symantec reserves the right to make changes without prior

notice.

No part of this publication may be copied without the express written permission of Symantec

Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks

Symantec, the Symantec logo, LiveUpdate, Network Security, Symantec Decoy Server, and Norton

AntiVirus are U.S. registered trademarks of Symantec Corporation. Symantec AntiVirus, Symantec

Enterprise Security Architecture, and Symantec Security Response are trademarks of Symantec

Corporation.

Other brands and product names mentioned in this manual may be trademarks or registered

trademarks of their respective companies and are hereby acknowledged.

Windows is a registered trademark, and 95, 98, NT and 2002 are trademarks of Microsoft Corporation.

Pentium is a registered trademark of Intel Corporation. Sun is a registered trademark, and Java, Solaris,

Ultra, Enterprise, and SPARC are trademarks of Sun Microsystems. UNIX is a registered trademark of

UNIX System Laboratories, Inc. Cisco and Catalyst are registered trademarks of Cisco Systems, Inc.

Foundry is a registered trademark of Foundry Networks. Juniper is a registered trademark of Juniper

Networks, Inc. iButton is a trademark of Dallas Semiconductor Corp. Dell is a registered trademark of

Dell Computer Corporation. Check Point and OPSEC are trademarks and FireWall-1 is a registered

trademark of Check Point Software Technologies, Ltd. Tripwire is a registered trademark of Tripwire,

Inc.

Symantec Network Security software contains/includes the following Third Party Software from

external sources:

(http://sources.redhat.com/bzip2).

www.exolab.org).

Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

Technical support

As part of Symantec Security Response, the Symantec global Technical Support

group maintains support centers throughout the world. The Technical Support

group’s primary role is to respond to specific questions on product feature/

function, installation, and configuration, as well as to author content for our

Web-accessible Knowledge Base. The Technical Support group works

collaboratively with the other functional areas within Symantec to answer your

questions in a timely fashion. For example, the Technical Support group works

with Product Engineering as well as Symantec Security Response to provide

Alerting Services and Virus Definition Updates for virus outbreaks and security

alerts.

Symantec technical support offerings include:

■A range of support options that give you the flexibility to select the right

amount of service for any size organization

■Telephone and Web support components that provide rapid response and

up-to-the-minute information

■Upgrade insurance that delivers automatic software upgrade protection

■Content Updates for virus definitions and security signatures that ensure

the highest level of protection

■Global support from Symantec Security Response experts, which is

available 24 hours a day, 7 days a week worldwide in a variety of languages

■Advanced features, such as the Symantec Alerting Service and Technical

Account Manager role, offer enhanced response and proactive security

support

Please visit our Web site for current information on Support Programs. The

specific features available may vary based on the level of support purchased and

the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license

key, the fastest and easiest way to register your service is to access the

Symantec licensing and registration site at www.symantec.com/certificate.

Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html,

select the product that you wish to register, and from the Product Home Page,

select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical

Support group via phone or online at www.symantec.com/techsupp.

Customers with Platinum support agreements may contact Platinum Technical

Support via the Platinum Web site at www-secure.symantec.com/platinum/.

When contacting the Technical Support group, please have the following:

■Product release level

■Hardware information

■Available memory, disk space, NIC information

■Operating system

■Version and patch level

■Network topology

■Router, gateway, and IP address information

■Problem description

■Error messages/log files

■Troubleshooting performed prior to contacting Symantec

■Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select

the appropriate Global Site for your country, then choose Service and Support.

Customer Service is available to assist with the following types of issues:

■Questions regarding product licensing or serialization

■Product registration updates such as address or name changes

■General product information (features, language availability, local dealers)

■Latest information on product updates and upgrades

■Information on upgrade insurance and maintenance contracts

■Information on Symantec Value License Program

■Advice on Symantec's technical support options

■Nontechnical presales questions

■Missing or defective CD-ROMs or manuals

Contents

Chapter 1 Introduction

About the Symantec Network Security foundation ..........................................9

About the Symantec Network Security 7100 Series .................................9

About other Symantec Network Security features ................................ 11

Finding information ............................................................................................ 14

About 7100 Series appliance documentation ......................................... 14

About software documentation ................................................................. 15

About the Web sites .................................................................................... 16

About this guide ........................................................................................... 17

Chapter 2 Architecture

About Symantec Network Security .................................................................. 19

About the core architecture ............................................................................... 19

About detection ........................................................................................... 20

About analysis .............................................................................................. 24

About response ............................................................................................ 25

About management and detection architecture ............................................. 26

About the Network Security console ........................................................ 26

About the node architecture ...................................................................... 28

About the 7100 Series appliance node ..................................................... 31

Chapter 3 Getting Started

Getting started ..................................................................................................... 35

About the management interfaces ................................................................... 35

About the Network Security console ........................................................ 36

About management of 7100 Series appliances ....................................... 38

About user permissions .............................................................................. 39

About user passphrases .............................................................................. 39

About deployment ............................................................................................... 40

About deploying single nodes ........................................................................... 41

About deploying single Network Security software nodes ................... 41

About deploying single 7100 Series appliance nodes ............................ 42

About deploying node clusters .......................................................................... 43

Monitoring groups within a cluster .......................................................... 44

6Contents

Chapter 4 Topology Database

About the network topology ...............................................................................47

Viewing the topology tree ...........................................................................48

Viewing objects in the topology tree .................................................................51

Viewing auto-generated objects .................................................................51

About location objects .................................................................................51

About Symantec Network Security objects ..............................................52

About router objects ....................................................................................59

About Smart Agents .....................................................................................60

About managed network segments ...........................................................62

Launching Symantec Decoy Server ...........................................................63

Chapter 5 Protection Policies

About protection policies ....................................................................................65

Viewing protection policies ...............................................................................66

Understanding the protection policy view ...............................................67

Adjusting the view of event types ......................................................................68

Adjusting the view by searching ...............................................................68

Adjusting the view by columns ..................................................................69

Viewing logging and blocking rule details ...............................................70

Viewing event detailed descriptions .........................................................70

Viewing policy automatic update ..............................................................70

Annotating policies or events ....................................................................71

Chapter 6 Response Rules

About response rules ...........................................................................................73

About automated responses ...............................................................................74

Viewing response rules ...............................................................................75

Searching event types .................................................................................76

About response parameters ........................................................................76

About event targets ......................................................................................76

About event types .........................................................................................77

About severity levels ....................................................................................77

About confidence levels ..............................................................................78

About event sources .....................................................................................78

About response actions ...............................................................................78

About next actions .......................................................................................79

About response actions .......................................................................................79

About no response action ............................................................................80

About email notification .............................................................................80

About SNMP notification ............................................................................80

About TrackBack response action .............................................................80

7Contents

About custom response action .................................................................. 81

About TCP reset response action .............................................................. 81

About traffic record response action ....................................................... 81

About console response action .................................................................. 82

About export flow response action ........................................................... 82

About flow alert rules ......................................................................................... 83

Viewing flow alert rules ............................................................................. 83

Playing recorded traffic ..................................................................................... 83

Replaying recorded traffic flow data ........................................................ 84

Chapter 7 Detection Methods

About detection ................................................................................................... 85

About sensor detection ....................................................................................... 86

Viewing sensor parameters ....................................................................... 87

About port mapping ............................................................................................ 87

Viewing port mappings .............................................................................. 87

About signature detection ................................................................................. 87

About Symantec signatures ....................................................................... 88

About user-defined signatures .................................................................. 88

Viewing signatures ...................................................................................... 89

About signature variables .......................................................................... 89

About refinement rules ...................................................................................... 89

Chapter 8 Incidents and Events

About incidents and events ............................................................................... 91

About the Incidents tab .............................................................................. 94

Monitoring incidents .......................................................................................... 96

Viewing incident data ................................................................................. 96

Filtering the view of incidents ................................................................... 98

Monitoring events ............................................................................................... 99

Viewing event data ...................................................................................... 99

Filtering the view of events ..................................................................... 101

Viewing event notices ............................................................................... 102

Managing the incident/event data ................................................................. 103

Loading cross-node correlated events ................................................... 104

Saving, printing, or emailing incidents ................................................. 104

Chapter 9 Reports and Queries

About reports ..................................................................................................... 109

Reporting via the Network Security console ................................................ 109

About report formats ................................................................................ 110

About top-level report types ............................................................................ 110

8Contents

Reports of top events ................................................................................ 111

Reports per incident schedule ................................................................. 112

Reports per event schedule ...................................................................... 113

Reports by event characteristics ............................................................ 113

Reports per Network Security device ..................................................... 115

Drill-down-only reports ........................................................................... 116

About querying flows ....................................................................................... 117

Viewing current flows .............................................................................. 117

Viewing exported flows ............................................................................ 119

Chapter 10 Log Files

About the log files ............................................................................................. 121

About the install log .................................................................................. 121

About the operational log ........................................................................ 122

About log files .................................................................................................... 122

Viewing log files ........................................................................................ 122

Viewing live log files ................................................................................. 123

Refreshing the list of log files ................................................................. 123

Chapter 1

Introduction

This chapter includes the following topics:

■About the Symantec Network Security foundation

■Finding information

About the Symantec Network Security foundation

The Symantec™ Network Security software and the Symantec Network Security

7100 Series appliance employ a common core architecture that provides

detection, analysis, storage, and response functionality. Most procedures in this

section apply to both the 7100 Series appliance and the Symantec Network

Security 4.0 software. The 7100 Series appliance also provides additional

functionality that is unique to an appliance. This additional functionality is

described in detail in each section.

This section includes the following topics:

■About the Symantec Network Security 7100 Series

■About other Symantec Network Security features

About the Symantec Network Security 7100 Series

Symantec™ Network Security 7100 Series security appliances provide real-time

network intrusion prevention and detection to protect critical enterprise assets

from the threat of known, unknown (zero-day) and DoS attacks. The 7100 Series

appliances employ the new and innovative Network Threat Mitigation

Architecture that combines anomaly, signature, statistical and vulnerability

detection techniques into an Intrusion Mitigation Unified Network Engine

(IMUNE), that proactively prevents and provides immunity against malicious

attacks including denial of service attempts, intrusions and malicious code,

network infrastructure attacks, application exploits, scans and reconnaissance

10 Introduction

About the Symantec Network Security foundation

activities, backdoors, buffer overflow attempts and blended threats like MS

Blaster and SQL Slammer.

In addition to the features it shares with the Symantec Network Security 4.0

software, the Symantec Network Security 7100 Series appliance offers:

■In-line Operation: The 7100 Series appliance can be deployed in-line as a

transparent bridge to perform real-time monitoring and blocking of

network-based attacks. This ability to prevent attacks before they reach

their targets takes network security to the next level over passive event

identification and alerting. The 7100 Series appliance's One-Click Blocking

feature enables users to automatically enable blocking on all in-line

interfaces with the click of a single button, saving critical time in the event

of worm attacks.

■Policy-based Attack Prevention: Deployed in-line, the 7100 Series appliance

is able to perform session-based blocking against malicious traffic,

preventing attacks from reaching their targets. Predefined and customizable

protection policies enable users to tailor their protection based on their

security policies and business need. Policies can be tuned based on threat

category, severity, intent, reliability and profile of protected resources, and

common or individualized policies can be applied per sensor for both in-line

and passive monitoring.

■Interface Grouping: 7100 Series appliance users can configure up to four

monitoring interfaces as an interface group to perform detection of attacks

for large networks that have asymmetric routed traffic. A single sensor

handles all network traffic seen by the interface group, keeping track of

state even when traffic enters the network on one interface and departs on

another. This feature greatly increases the attack detection capacity of the

7100 Series and allows it to operate more effectively in enterprise network

environments.

■Dedicated Response Ports: The Symantec Network Security 7100 Series

provides special network interfaces for sending anonymous TCP resets to

attackers. With this configuration, network monitoring continues

uninterrupted even when sending resets.

■Reduced Total Cost of Solution: A single 7100 Series appliance can monitor

up to eight network segments or VLANs. The Symantec Network Security

7100 Series reduces the cost of a network security solution by enhancing the

security and reliability of the hardware, simplifying deployment and

management, and providing a single point of service and support.

■Flexible Licensing Options: Each model of the Symantec Network Security

7100 Series offers licensing at multiple bandwidth levels. Whether you

This manual suits for next models

Table of contents

Other Symantec Firewall manuals

Symantec

Symantec 10521146 - Network Security 7120 Instruction Manual

Symantec

Symantec 10521146 - Network Security 7120 User manual

Symantec

Symantec 10744983 - Mail Security 8320 Instruction Manual

Symantec

Symantec 10521148 - Network Security 7161 User manual

Symantec

Symantec 16-00-00091 - FNC XGRD FW VPN 200 Operator's manual

Symantec

Symantec ASG-S400-20 User manual

Symantec

Symantec 10547829 - Mail Security For Smtp 5.0 Smb User manual

Symantec

Symantec SSL Visibility SV3800 User manual

Popular Firewall manuals by other brands

Fortinet

Fortinet FSM-500F Configuration guide

Cisco

Cisco Meraki MX100 installation guide

Cisco

Cisco S190 quick start guide

Fortinet

Fortinet FortiGate Voice Series install guide

SecureLogix

SecureLogix ETM System installation guide

Huawei

Huawei USG6000 Series Upgrade guide

NETGEAR

NETGEAR ProSafe FVX538 Reference manual

Lanner

Lanner FW-8877 user manual

Nexcom

Nexcom DNA 1150 user manual

Cisco

Cisco 3110 Hardware installation guide

Fortinet

Fortinet FortiGate-60 series install guide

ADTRAN

ADTRAN NetVanta 2300 Specifications

Swisscom

Swisscom Internet Backup manual

SonicWALL

SonicWALL NSa 5700 quick start guide

DPtech

DPtech FW1000 SERIES Maintenance manual

FEITIAN

FEITIAN MultiPass FIDO product manual

Trend Micro

Trend Micro Deep Edge quick start guide

Smoothwall

Smoothwall S10 Appliance Getting started guide

Symantec 10268947 - Network Security 7160 User manual

Popular Firewall manuals by other brands