Alcatel-Lucent 6850-48 Network Guide

Configuring Network Security, page 47-4
OmniSwitch AOS Release 6 Network Configuration Guide, September 2009

Network Security Overview
Network Security detects anomalies in network traffic by monitoring the difference between the rates of ingress and egress packets on a port that match a specific traffic pattern. The Network Security software samples these packets at configured intervals, counts the packets matching certain patterns, and applies anomaly detection rules. If an anomaly is detected, it is reported through a syslog message and/or an SNMP trap, and/or the anomalous port is shut down.
The Network Security features include the following:
• Real-time network traffic monitoring
• Dynamic anomaly detection
• Dynamic anomalous port quarantining
Anomalies
A network traffic anomaly is a deviation of a user port's ingress and egress packet rates from the expected rates. Anomalies are monitored by observing the network's traffic for a configurable time period, during which Network Security counts the relevant packets on a port. Anomalies may occur in scenarios such as the following:
• When an unexpectedly high number of TCP SYN packets is sent from a user port in a short period.
• When more than one ARP response is received for every ARP request.
• When an unexpectedly high number of TCP RST packets appears in the network in a short period.
Such scenarios arise from malicious systems in the network, or when the network is attacked or misconfigured.
Network Security detects the following anomalies:
ARP Address Scan: Occurs when a host sends a burst of ARP requests for multiple IP addresses.
ARP Flood: Occurs when a host receives a burst of ARP request packets.
ARP Failure: Occurs when ARP queries do not elicit ARP responses.
ICMP Address Scan: Occurs when multiple hosts receive ICMP echo request packets at the same time.
ICMP Flood: Occurs when a host receives a burst of ICMP echo request packets.
ICMP Unreachable: Occurs when a host receives a flood of ICMP Unreachable packets.
TCP Port Scan: Occurs when a host receives a burst of TCP SYN packets for multiple TCP ports.
TCP Address Scan: Occurs when multiple hosts receive TCP SYN packets at the same time.
SYN Flood: Occurs when a host receives a burst of TCP SYN packets on the same TCP port.
SYN Failure: Occurs when a host receives fewer SYN-ACKs than the SYNs it sent out.
SYN-ACK Scan: Occurs when a host receives more SYN-ACKs than the SYNs it sent out.
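As an added illustration, not taken from the guide or from AOS itself, the following Python model shows the count-and-rule mechanism described above: packets on each user port are tallied over one monitoring interval, the SYN and ARP rules from the anomaly table are applied to the counts, and a detection produces the syslog, SNMP trap and optional port-shutdown actions. The event names, port numbers, sample traffic and thresholds are constructed assumptions, not OmniSwitch defaults.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class PortCounters:
    """Per-port tallies for one monitoring interval (from the attached host's view)."""
    packets: Counter = field(default_factory=Counter)  # event name -> count
    arp_targets: set = field(default_factory=set)      # distinct IPs the host ARP-queried

def count_interval(events):
    """Aggregate (port, event, peer_ip) records; events are named after what the host did."""
    counters = defaultdict(PortCounters)
    for port, event, peer in events:
        c = counters[port]
        c.packets[event] += 1
        if event == "arp_request_sent":
            c.arp_targets.add(peer)
    return counters

def detect_anomalies(counters, syn_failure_min=50, arp_scan_targets=20):
    """Apply the rules from the anomaly table; both thresholds are assumed values."""
    report = {}
    for port, c in counters.items():
        p, found = c.packets, []
        if p["syn_sent"] - p["synack_received"] >= syn_failure_min:
            found.append("SYN Failure")        # fewer SYN-ACKs than SYNs sent
        if p["synack_received"] > p["syn_sent"]:
            found.append("SYN-ACK Scan")       # more SYN-ACKs than SYNs sent
        if len(c.arp_targets) >= arp_scan_targets:
            found.append("ARP Address Scan")   # burst of ARP requests to many IPs
        if p["arp_request_sent"] and not p["arp_response_received"]:
            found.append("ARP Failure")        # queries elicit no responses
        report[port] = found
    return report

def respond(port, anomalies, shutdown_port=False):
    """Reporting actions for a port: syslog and SNMP trap, optionally quarantine."""
    if not anomalies:
        return []
    actions = [f"syslog: port {port}: {', '.join(anomalies)}", f"snmp-trap: port {port}"]
    return actions + ([f"shutdown: port {port}"] if shutdown_port else [])

# Constructed sample: 1/3 sends 60 SYNs and gets 2 SYN-ACKs; 1/5 ARP-queries 25 silent hosts; 1/7 is normal.
SAMPLE_INTERVAL = (
    [("1/3", "syn_sent", f"10.0.0.{i + 1}") for i in range(60)]
    + [("1/3", "synack_received", "10.0.0.1")] * 2
    + [("1/5", "arp_request_sent", f"10.0.1.{i + 1}") for i in range(25)]
    + [("1/7", "syn_sent", "10.0.0.9")] * 5
    + [("1/7", "synack_received", "10.0.0.9")] * 5
)
```

Running `detect_anomalies(count_interval(SAMPLE_INTERVAL))` flags port 1/3 for SYN Failure and port 1/5 for both ARP Address Scan and ARP Failure, while the ordinary client on 1/7 produces no report.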