Detecting potential attacks and spoofing attempts

Article:HOWTO81160  |  Created: 2012-10-24  |  Updated: 2013-10-07  |  Article URL http://www.symantec.com/docs/HOWTO81160
Article Type
How To



You can enable settings that let Symantec Endpoint Protection detect and log potential attacks on the client and block spoofing attempts. All of these options are disabled by default.

The settings that you can enable are as follows:

Enable port scan detection

When this setting is enabled, Symantec Endpoint Protection monitors all incoming packets that any security rule blocks. If a rule blocks several different packets on different ports in a short period of time, Symantec Endpoint Protection creates a Security log entry.

Port scan detection does not block any packets. You must create a security policy to block traffic when a port scan occurs.

Enable denial of service detection

Denial of service detection is a type of intrusion detection. When enabled, the client blocks traffic if it detects a pattern from known signatures, regardless of the port number or type of Internet protocol.

Enable anti-MAC spoofing

When enabled, Symantec Endpoint Protection allows incoming and outgoing Address Resolution Protocol (ARP) traffic if an ARP request was made to that specific host. All other unexpected ARP traffic is blocked and an entry is written to the Security log.

Note:

To configure these settings in mixed control, you must also enable these settings in the Client User Interface Mixed Control Settings dialog box.
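
The rule described under "Enable port scan detection" can be sketched as a sliding-window count of distinct ports among blocked inbound packets. This is an added example, not Symantec's code: the threshold of 4 ports, the 5-second window, the grouping by source address, and the sample events are all assumptions, since the article says only "several different packets on different ports in a short period of time".

```python
from collections import defaultdict, deque

# Assumed thresholds; the product's real values are not given in the article.
PORT_THRESHOLD = 4      # distinct destination ports
WINDOW_SECONDS = 5.0    # sliding window length

# Constructed sample of packets already blocked by a firewall rule:
# (timestamp in seconds, source IP, destination port)
BLOCKED = [
    (0.0, "192.0.2.10", 22),
    (0.4, "192.0.2.10", 23),
    (0.5, "198.51.100.7", 445),
    (0.9, "192.0.2.10", 80),
    (1.3, "192.0.2.10", 443),     # 4th distinct port inside the window
    (1.5, "192.0.2.10", 3389),    # same burst, already logged
    (2.0, "198.51.100.7", 445),   # repeated port, not a scan
    (30.0, "198.51.100.7", 139),
    (60.0, "198.51.100.7", 135),
    (90.0, "198.51.100.7", 80),   # several ports, but spread over time
]


def detect_port_scans(events, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return one log entry per burst in which a source has blocked packets on
    `threshold` distinct ports within `window` seconds. Detection only: like
    the setting it models, this function logs and blocks nothing."""
    recent = defaultdict(deque)   # source -> (timestamp, port) pairs in window
    alerting = set()              # sources already logged for the current burst
    log = []
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # expire packets older than window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            if src not in alerting:          # suppress duplicate entries
                alerting.add(src)
                log.append({"time": ts, "source": src, "ports": sorted(ports)})
        else:
            alerting.discard(src)            # re-arm once the burst has ended
    return log


if __name__ == "__main__":
    for entry in detect_port_scans(BLOCKED):
        print("Security log: possible port scan", entry)
```

Because the entry is only a log record, traffic from the scanning source keeps flowing until a separate policy blocks it, which is the caveat the article states for this setting.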

To detect potential attacks and spoofing attempts

  1. In the console, open a Firewall policy.

  2. In the Firewall Policy page, click Protection and Stealth.

  3. Under Protection Settings, check any of the options that you want to enable.

  4. Click OK.

  5. If you are prompted, assign the policy to a location.

See Creating a firewall policy.

See Changing the user control level.

See Editing a policy.


Legacy ID



v8148994_v81626096

