The Non-Local sensor is turned off by default. Consult with your technical representative to determine whether this sensor is beneficial for your network.
The Non-Local sensor looks for traffic that does not have either a private source or destination IP address. The sensor assumes that the enterprise uses private IP addresses internally--that the majority of traffic has a private source or destination IP address.
For example, suppose a system in the network has a fake external IP address and the system sends messages to another fake external IP address. The resulting traffic can stop legitimate network traffic by tying up the routers and interfaces closest to that system.
Depending on your enterprise network configuration, legitimate traffic may flow between non-private IP addresses. If this is the case, your technical representative may be able to help you configure the sensor to exclude IP address ranges and avoid false alerts.
Troubleshooting a Non-Local Alert
Determine whether the non-private IP addresses are used for legitimate traffic. If the traffic is not legitimate, use the router and interface information that CA Anomaly Detector provides to apply ACLs to mitigate the traffic while you locate the offending source device.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|