Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1, NETWORK AND SECURITY MANAGER 2010.3 User Manual
Network and Security
Manager
Configuring Intrusion Detection and Prevention
Devices Guide
Release
2010.3
Published: 2010-08-17
Revision 01
Copyright © 2010, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
This product includes the EnvoySNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997,
Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part
of them is in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation
and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright ©
1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through
release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s
HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD
software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D.
L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Network and Security Manager Configuring Intrusion Detection and Prevention Devices Guide
Release 2010.3
Copyright © 2010, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
18 August 2010—01
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through
the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
Copyright © 2010, Juniper Networks, Inc.ii
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.
BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS
CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO
BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED
HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS
REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or
Juniper Networks (Cayman) Limited (if the Customer’sprincipal office is locatedoutside the Americas) (such applicable entity being referred
to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable
license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for
which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by
Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades
and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper
equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer
a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the
following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by
Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units
for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access
Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space
and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines
(e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single
chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may
specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats,registeredendpoints, concurrent
users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of
separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput,
performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use
of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software.
Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the
Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not
extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s
enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the
Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase
the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees
not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized
copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the
Software,in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product
in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper
equipment sold in the secondhand market; (f) use any ‘locked’or key-restricted feature,function, service, application, operation,or capability
without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application,
operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the
iiiCopyright © 2010, Juniper Networks, Inc.
Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i)
use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that
the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking
of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly
provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper,
Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper.
As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence,
which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software
for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to
the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance
of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies
of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty
statementthat accompanies the Software(the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligationto support
the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services
agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA,
OR COSTSOR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,OR FOR ANY SPECIAL, INDIRECT,OR CONSEQUENTIALDAMAGES
ARISING OUT OF THIS AGREEMENT, THE SOFTWARE,OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.IN NO EVENT SHALL JUNIPER
BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE.
EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY
AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES
JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT
ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’
or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid
by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by
Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in
reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between
the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same
form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination
of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related
documentation in Customer’s possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from
the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction
shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All
payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in
connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing
Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to
be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with
all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any
liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under
this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any
applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such
restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the
Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without
an export license.
Copyright © 2010, Juniper Networks, Inc.iv
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use,
duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS
227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer
with the interface information needed to achieve interoperability between the Software and another independently created program, on
payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use
such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products
or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement,
and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party
software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent
portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such
portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper
will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three
years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA
94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL
at http://www.gnu.org/licenses/lgpl.html .
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws
principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes
arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal
courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer
with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written
(including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an
authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained
herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing
by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity
of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the
Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de
même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that
this Agreement and all related documentation is and will be in the English language)).
vCopyright © 2010, Juniper Networks, Inc.
Copyright © 2010, Juniper Networks, Inc.vi
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
List of Technical Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Part 1 Getting Started
Chapter 1 Intrusion Detection and Prevention Device and NSM Installation
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Intrusion Detection and Prevention Device Installation Overview . . . . . . . . . . . . . . 3
NSM Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Understanding Intrusion Detection and Prevention Device Configuration
and Integration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
NSM and Intrusion Detection and Prevention Device Management Overview . . . . 5
Intrusion Detectionand PreventionServices and Device ConfigurationsSupported
in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Adding Intrusion Detection and Prevention Devices in NSM Overview . . . . . . . . . . 8
Adding Intrusion Detection and Prevention Clusters in NSM Overview . . . . . . . . . . 8
Using Templates and Configuration Groups in NSM Overview . . . . . . . . . . . . . . . . 8
Part 2 Configuring Intrusion Detection and Prevention Devices
Chapter 3 Configuring Profiler Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Configuring Profiler Options (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Viewing Profiler Logs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Specifying General Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Specifying Tracked Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Specifying Context Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Specifying Alert Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Application Profiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Protocol Profiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Network Profiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
viiCopyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Violation Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Modifying Profiler Settings (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring Profiler Database Preferences (NSM Procedure) . . . . . . . . . . . . . . . . 26
Displaying Profiler Database Information (NSM Procedure) . . . . . . . . . . . . . . . . . 27
Querying the Profiler Database (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 28
Purging the Profiler Database (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Chapter 4 Configuring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Intrusion Detection and Prevention Devices and Security Policies Overview . . . . . 31
Configuring Predefined Security Policies (NSM Procedure) . . . . . . . . . . . . . . . . . . 33
Creating a New Security Policy (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 34
Modifying IDP Rulebase Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Specifying Rule Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Specifying IDP Rulebase Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Specifying Rule Session Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Specifying Rule IP Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Specifying Rule Notification Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Specifying Rule VLAN Matches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Specifying Rule Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Specifying Rule Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Specifying Rule Optional Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Specifying Rule Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Configuring Exempt Rulebase Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 45
Configuring Backdoor Rulebase Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 47
Configuring SYN Protector Rulebase Rules (NSM Procedure) . . . . . . . . . . . . . . . 49
Configuring Traffic Anomalies Rulebase Rules (NSM Procedure) . . . . . . . . . . . . . 51
Configuring Network Honeypot Rulebase Rules (NSM Procedure) . . . . . . . . . . . . 54
Configuring Application Rulebase Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . 57
Chapter 5 Working with Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Attack Objects in Intrusion Detection and Prevention Security Policies
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Loading J-Security-Center Updates (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 62
Viewing Predefined Attack Objects (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 63
Working with Attack Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Creating Dynamic Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Creating Static Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Creating Custom Attack Objects (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 67
Configuring General Properties for Attack Objects . . . . . . . . . . . . . . . . . . . . . 67
Creating a Signature Attack Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Verifying the Attack Object Database Version (NSM Procedure) . . . . . . . . . . . . . 75
Updating the IDP Detector Engine (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 6 Configuring SNMP and Syslog Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring an SNMP Agent (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring Syslog Collection (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Copyright © 2010, Juniper Networks, Inc.viii
Table of Contents
Chapter 7 Configuring Anti-Spoof Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Configuring Antispoof Settings in Intrusion Detection and Prevention Devices
(NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Example: Applying Antispoof to a Web Server and Database Server (NSM
Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Chapter 8 Configuring Intrusion Detection and Prevention Device Settings . . . . . . . . 87
Configuring Load-Time Parameters (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 87
Configuring Run-Time Parameters (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 88
Configuring Router Parameters (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring Protocol Handling (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 95
Chapter 9 Configuring Additional Intrusion Detection and Prevention Features . . . . . 111
Configuring Additional Intrusion Detection and Prevention Features
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Enabling Intrusion Detection and Prevention Processing of Encrypted and
Encapsulated Traffic (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Enabling SSL Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Enabling GRE Decapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Enabling GTP Decapsulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Part 3 Managing Intrusion Detection and Prevention Devices
Chapter 10 Managing Security Policies in Intrusion Detection and Prevention
Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM
Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Validating a Security Policy (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Troubleshooting Security Policy Validation Errors (NSM Procedure) . . . . . . . . . . 118
Pushing Security Policy Updates to an IDP Device (NSM Procedure) . . . . . . . . . . 119
Troubleshooting Configuration Push Errors (NSM Procedure) . . . . . . . . . . . . . . . 121
Disabling Rules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Exporting Security Policies (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Chapter 11 Managing Profiler Settings in Intrusion Detection and Prevention
Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Managing Profiler Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Updating Profiler Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Starting the Profiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Stopping the Profiler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
ixCopyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Part 4 Monitoring Intrusion Detection and Prevention Devices
Chapter 12 Working with NSM Logs and Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
NSM Logs and Reports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Viewing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
IDP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Using NSM Log Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Using NSM Audit Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Viewing Device Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Viewing NSM Predefined Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Creating NSM Custom Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Configuring Log Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Chapter 13 Working with Intrusion Detection and Prevention Reporter Reports . . . . . 139
Intrusion Detection and Prevention Reporter Overview . . . . . . . . . . . . . . . . . . . . 139
Part 5 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Copyright © 2010, Juniper Networks, Inc.x
About This Guide
•
Objectives on page xi
•
Audience on page xi
•
Conventions on page xi
•
List of Technical Publications on page xiii
•
Requesting Technical Support on page xiv
Objectives
Network and Security Manager (NSM) is a software application that centralizes control
and management of your Juniper Networks devices. With NSM, Juniper Networks delivers
integrated, policy-based security and network management for all security devices.
Intrusion Detection and Prevention (IDP) series uses eight detection methods to detect
malicious network traffic. It is able to drop attacks to prevent damage to your network
and can operate inline as a forwarding gateway, directly in the path of traffic coming and
going on your network.
This guide provides the various steps to configure and manage IDP devices using NSM.
This guide also helps in understanding of how to configure basic and advanced NSM
functionality, including adding new devices, deploying new device configurations, updating
device firmware, viewing log information, and monitoring the status of IDP devices.
Audience
This guide is intended for the system administrators who are responsible for configuring
IDP devices.
Conventions
This section provides all the documentation conventions that are followed in this guide.
Table 1 on page xiidefines notice icons used in this guide.
xiCopyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Table 1: Notice Icons
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Indicates a situation that might result in loss of data or hardware damage.Caution
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Table 2 on page xii defines text conventions used in this guide.
Table 2: Text Conventions
Bold typeface like this
fixed-width font
Keynames linked with a plus (+) sign
Italics
The angle bracket (>)
•
Represents commands and keywords
in text.
•
Represents keywords
•
Represents UI elements
Represents information as displayed on
the terminal screen.
keys simultaneously.
•
Emphasizes words
•
Identifies variables
Indicates navigation paths through the UI
by clicking menu options and links.
ExamplesDescriptionConvention
•
Issue the clock source command.
•
Specify the keyword exp-msg.
•
Click User Objects
user inputRepresents text that the user must type.Bold typeface like this
host1#
show ip ospf
Routing Process OSPF 2 with Router
ID 5.5.0.250
Router is an area Border Router
(ABR)
Ctrl + dIndicates that you must press two or more
•
The product supports two levels of
access, user and privileged.
•
clusterID, ipAddress.
Object Manager > User Objects > Local
Objects
Table 3 on page xiii defines syntax conventions used in this guide.
Copyright © 2010, Juniper Networks, Inc.xii
Table 3: Syntax Conventions
About This Guide
ExamplesDescriptionConvention
terminal lengthRepresent keywordsWords in plain text
mask, accessListNameRepresent variablesWords in italics
Words separated by the pipe ( | )
symbol
Words enclosed in brackets followed
by and asterisk ( [ ]*)
variable to the left or right of this symbol. The
keywordor variable can be optional or required.
can be entered more than once.
Represent required keywords or variables.Words enclosed in braces ( { } )
diagnostic | lineRepresent a choice to select one keyword or
[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )
[ level1 | level2 | 11 ]*Represent optional keywords or variables that
{ permit | deny } { in | out } { clusterId
| ipAddress }
List of Technical Publications
This section provides the list of the documentations required for any additional
information.
Table 4: Network and Security Manager and IDP Device Publications
Network and Security Manager
Installation Guide
Network and Security Manager
Administration Guide
Details the steps to install the NSM management system on a single server or on separate
servers. It also includes information on how to install and run the NSM user interface. This
guide is intended for IT administrators responsible for the installation and/or upgrade to
NSM.
Describes how to use and configure key management features in the NSM. It provides
conceptual information, suggested workflows, and examples where applicable. This guide
is best used in conjunction with the NSM Online Help, which provides step-by-step
instructions for performing management tasks in the NSM UI.
Network and Security Manager
Configuring Firewall/VPN Devices
Guide
Network and Security Manager
Online Help
IDP Installation Guide
This guide is intended for application administrators or those individuals responsible for
owning the server and security infrastructure and configuring the product for multi-user
systems. It is also intended for device configuration administrators, firewall and VPN
administrators, and network security operation center administrators.
Describes NSM featuresthat relate to device configurationand management. It also explains
how to configure basic and advanced NSM functionality, including deploying new device
configurations, managing Security Policies and VPNs, and general device administration.
Provides task-oriented procedures describing how to perform basic tasks in the NSM user
interface. It also includes a brief overview of the NSM system and a description of the GUI
elements.
Details the physical features of Juniper Networks Intrusion Detection and Prevention (IDP)
series. It also explains how to install, configure, update/reimage, and service the IDP system.
xiiiCopyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Table 4: Network and Security Manager and IDP Device Publications (continued)
IDP Concepts & Examples Guide
IDP Reporter User's Guide
IDP ACM Online Help
IDP Detector Engine Release
Notes
Details about the Juniper Networks Intrusion Detection and Prevention (IDP) series that
uses multiple methods to detect and prevent network attacks. IDP is designed to reduce
false positives to ensure that only actual malicious traffic is detected and stopped.
Details about the IDP Reporter that enables you to analyze your enterprise network
thoroughly so you can assess attacks, attackers, and resource utilization.
Details about how to complete the IDP QuickStart and ACM Wizard which is available
through the IDP Appliance Configuration Manager (ACM) as context-sensitive online help.
Details about IDP Detector Engine features and resolved issues in the recent releases. It
also helps you to decide to update the IDP Detector Engine version in your deployment.
Requesting Technical Support
Technicalproduct support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
•
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .
•
Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/ .
•
JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
•
Find CSC offerings: http://www.juniper.net/customers/support/
•
Search for known bugs: http://www2.juniper.net/kb/
•
Find product documentation: http://www.juniper.net/techpubs/
•
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
•
Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
•
Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
Copyright © 2010, Juniper Networks, Inc.xiv
•
Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
•
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number,use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
•
Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
•
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html .
About This Guide
xvCopyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Copyright © 2010, Juniper Networks, Inc.xvi
PART 1
Getting Started
•
Intrusion Detection and Prevention Device and NSM Installation Overview on page 3
•
Understanding Intrusion Detection and PreventionDevice Configuration and Integration
Overview on page 5
1Copyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Copyright © 2010, Juniper Networks, Inc.2
CHAPTER 1
Intrusion Detection and Prevention Device
and NSM Installation Overview
•
Intrusion Detection and Prevention Device Installation Overview on page 3
•
NSM Installation Overview on page 3
Intrusion Detection and Prevention Device Installation Overview
The Intrusion Detection and Prevention (IDP) series consists of hardware and software
components. You can install the IDP device and start configuring your system using the
following steps:
1. Decide on the physical location of the device.
2. Install the device into your equipment rack.
3. Connect power cables and power on.
4. Perform some initial configuration steps.
5. Install the device license key.
See the installation documentation for your IDP model to install, configure, update, and
service a Juniper Networks IDP device.
Related Topics NSM Installation Overview on page 3•
• NSM and Intrusion Detection and Prevention Device Management Overview on page 5
NSM Installation Overview
NSM is a software application that enables you to integrate and centralize management
of your Juniper Networks environment. Youneed to install two main software components
to run NSM: the NSM management system and the NSM user interface (UI).
See the Network Security Manager Installation Guide for the steps to install the NSM
management system on a single server or on separateservers. It also includes information
on how to install and run the NSM user interface. The Network Security Manager Installation
Guide is intended for IT administrators responsible for installing or upgrading to the NSM.
3Copyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Related Topics • Intrusion Detection and Prevention Device Installation Overview on page 3
• NSM and Intrusion Detection and Prevention Device Management Overview on page 5
Copyright © 2010, Juniper Networks, Inc.4
CHAPTER 2
Understanding Intrusion Detection and
Prevention Device Configuration and
Integration Overview
•
NSM and Intrusion Detection and Prevention Device Management Overview on page 5
•
Intrusion Detection and Prevention Services and Device Configurations Supported in
NSM on page 6
•
Adding Intrusion Detection and Prevention Devices in NSM Overview on page 8
•
Adding Intrusion Detection and Prevention Clusters in NSM Overview on page 8
•
Using Templates and Configuration Groups in NSM Overview on page 8
NSM and Intrusion Detection and Prevention Device Management Overview
NSM is the Juniper Networks network management tool that allows distributed
administration of network appliances. You can use the NSM application to centralize
status monitoring, logging, and reporting, and to administer IDP Series configurations.
IDP technology detects and stops attacks when deployed inline to your network. Unlike
intrusion detection service (IDS),, IDP uses multiple methods to detect attacks against
your network and to prevent attackers from gaining access and damaging your system.
IDP drops malicious packets or connections before the attacks enter your network. IDP
is designed to reduce false positives and ensure that only actual malicious traffic is
detectedand stopped. Youcan also deployIDP as a passive sniffer, similar to a traditional
IDS, but with greater accuracy and manageability.
NSM is the sole means for configuring and managing IDP on the ISG1000, ISG2000, and
standalone IDP Sensors running IDP 4.x. Standalone IDP sensors running IDP 3.x and
earlier are managed using the IDP management server and UI.
The ISG1000 and ISG2000 security modules have an optional component installed that
provides IDP functionality. If you have purchased an ISG1000 or ISG2000 device that
does not have IDP capability, you can upgrade the device to be an IDP-capable system
by replacing the memory chip in the CPU. You install up to three security modules and
instal the Advanced and IDP license keys for IDP.
5Copyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
With NSM, you can manage most of the parameters that you can configure through the
IDP admin console. The configuration screens rendered through NSM are similar to the
screens in the IDP admin console. NSM incorporates a broad configuration management
framework that allows co-management using other methods.
After you have completed installation, follow these steps to get started with managing
an IDP device with NSM:
1. Add the IDP device to NSM. When you first add the IDP device to NSM in first instance,
NSM pushes the policy named Recommended to the device.
2. Update the IDP detector engine and attack object database.
3. Update software version (if necessary).
4. Run the Profiler.
5. Examine the logs.
6. Create address objects for IDP rulebase rules.
7. Optionally, configure additional rulebases.
8. If adding this device changes your plan to distribute administrative responsibility,
create NSM users with the access privileges.
An administrator(a user of NSM or IDP) has a specific level of permission. You can create
multipleadministratorswith specific roles to control access to the devices in each domain.
Related Topics Intrusion Detection and Prevention Services and Device Configurations Supported in
•
NSM on page 6
• Adding Intrusion Detection and Prevention Devices in NSM Overview on page 8
Intrusion Detection and Prevention Services and Device Configurations Supported in
NSM
The Intrusion Detection and Prevention (IDP) device supports the following services in
NSM:
•
Inventory management service—NSM enables upgrading license and management of
the IDP hardware details. Adding or deleting licenses or upgrading or downgrading
software are not supported.
•
Status monitoring service—Allows the IDP device’s status to be obtained, including
name, domain, OS version, synchronization status, connection details, current alarms,
CPU, memory, and swap.
•
Logging service—Allows the IDP device’s logs to be obtained in a time-generated order.
Logging configuration details that are set on the IDP device will apply to NSM.
•
Packaging log files or debug files for remote analysis
•
Managing interface settings such as setting IP addresses, settings IDP device host and
network information, interoperability with NSM, Infranet Controllers, Secure Access
Copyright © 2010, Juniper Networks, Inc.6
Chapter 2: Understanding Intrusion Detection and Prevention Device Configuration and Integration Overview
devices, settings deployment mode, enabling layer 2 processing, and so on. For more
information see the ACM online Help.
The following device configurations are not supported:
•
Editing licensing information, although licenses can be viewed
•
Rebooting the IDP device
On standalone IDP sensors and ISG security module settings inspects the following
protocols using Table 5 on page 7 .
Table 5: Intrusion Detection and Prevention: Supported Protocols
SMTPOracleHTTPAIM
SNMP/TrapPOP3ICMPCHARGEN
SQL MonPortMapperIDENTDHCP
SSHRADIUSIKEDISCARD
SSLRexecIMAPDNS
SyslogrloginIRCECHO
TELNETSunRPCLDAPFINGER
TFTPRshLPRFTP
VNCRTSPMSNGNUTELLA
WHOISNBNAMEMSRPCGOPHER
Yahoo MessengerNFSMS-SQLGRE*
NNTOPGTPH.225**
RusersNTP
SMB
* GRE inspection are supported only for IP (protocol 0x0800) and PPP for CDMA A10
channel (protocol 0x8881). PPP is a Layer 2 protocol, which can carry any Layer 3
protocols. Within PPP, IDP inspects IP and Van Jacobson compressed TCP.
** Standalone IDP only.
Related Topics Adding Intrusion Detection and Prevention Clusters in NSM Overview on page 8•
• Using Templates and Configuration Groups in NSM Overview on page 8
• NSM and Intrusion Detection and Prevention Device Management Overview on page 5
7Copyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Adding Intrusion Detection and Prevention Devices in NSM Overview
Before NSM can manage IDP devices, you must first add the IDP devices to the
management system using the NSM UI. To add an IDP device, you create an object in
the UI that represents the physical device, and then create a connection between the UI
object and the device so that their information is linked. When you make a change to the
UI device object, you can push that information to the real device so the two remain
synchronized. You can add a single IDP device at a time or add multiple IDP devices all
at once.
For complete details on adding IDP devices, see the Network and Security Manager
Administration Guide.
Related Topics Adding Intrusion Detection and Prevention Clusters in NSM Overview on page 8•
• Using Templates and Configuration Groups in NSM Overview on page 8
Adding Intrusion Detection and Prevention Clusters in NSM Overview
In IDP, maximum of two clusters join together to ensure continued network uptime. The
device configurations are synchronized, meaning all cluster members share the same
configuration settings, enabling an IDP device to handle traffic for another if one device
fails.
Adding a cluster is a two-stage process:
•
Add the cluster device object.
•
Add the members of the cluster to the cluster device object.
For complete details on adding IDP clusters, see the Network and Security Manager
Administration Guide.
Related Topics Using Templates and Configuration Groups in NSM Overview on page 8•
• NSM and Intrusion Detection and Prevention Device Management Overview on page 5
Using Templates and Configuration Groups in NSM Overview
Use templates to define an IDP device configuration and then reuse that configuration
information across multiple IDP devices. In a template, you need to define only those
configuration parameters that you want to set; you do not need to specify a complete
device configuration.
Templates provide these benefits:
•
You can configure parameter values for an IDP device by referring to one or more
templates when configuring the device.
Copyright © 2010, Juniper Networks, Inc.8
Chapter 2: Understanding Intrusion Detection and Prevention Device Configuration and Integration Overview
•
When you change a parameter value in a template and save the template, the value
also changes for all the IDP device configurations that refer to that template, unless
specifically overridden in the device object.
For complete details on using device templates and configuration groups, see the Network
and Security Manager Administration Guide.
Related Topics • NSM and Intrusion Detection and Prevention Device Management Overview on page 5
• Intrusion Detection and Prevention Services and Device Configurations Supported in
NSM on page 6
9Copyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Copyright © 2010, Juniper Networks, Inc.10
PART 2
Configuring Intrusion Detection and
Prevention Devices
•
Configuring Profiler Settings on page 13
•
Configuring Security Policies on page 31
•
Working with Attack Objects on page 61
•
Configuring SNMP and Syslog Settings on page 79
•
Configuring Anti-Spoof Settings on page 83
•
Configuring Intrusion Detection and Prevention Device Settings on page 87
•
Configuring Additional Intrusion Detection and Prevention Features on page 111
11Copyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
Copyright © 2010, Juniper Networks, Inc.12
CHAPTER 3
Configuring Profiler Settings
Before configuring security, you must first enable and set up the Profiler. The Profiler is
a network analysis tool that helps you learn about your internal network, enabling you
to create effective security policies and minimize unnecessary log records. After you
configurethe Profiler, it automatically learns about your internal network and the elements
that comprise it, including hosts, peers (communication between two hosts), ports
(non-IP protocols, TCP/UDP ports, RPC programs), and Layer-7 data that uniquely
identifies hosts, applications, commands, users, and filenames.
The Profiler is supported in all IDP modes and HA configurations, and also queries and
correlates information from multiple devices. For details on analyzing your network, see
the Network and Security Manager Administration Guide. This chapter providesinformation
on setting up the Profiler and configuring antivirus settings, including antispam and Web
filtering.
•
Configuring Profiler Options (NSM Procedure) on page 13
•
Viewing Profiler Logs (NSM Procedure) on page 20
•
Modifying Profiler Settings (NSM Procedure) on page 25
•
Configuring Profiler Database Preferences (NSM Procedure) on page 26
•
Displaying Profiler Database Information (NSM Procedure) on page 27
•
Querying the Profiler Database (NSM Procedure) on page 28
•
Purging the Profiler Database (NSM Procedure) on page 28
Configuring Profiler Options (NSM Procedure)
Profiler option settings are valid for standalone IDP sensors only. For more information,
see the NSM online Help.
To configure the Profiler on a given IDP sensor, open the Device window and select Profiler
Settings.
You configure Profiler options to enable Profiler features, set network addresses and
applications subject to profiling, and set alerts.
Setting Up the Profiler
Using the Profiler involves the following steps:
13Copyright © 2010, Juniper Networks, Inc.
Configuring Intrusion Detection and Prevention Devices Guide
•
Collecting specific information about your internal network
•
Starting the Profiler to enable your device to begin collecting data
•
Customizing Profiler preferences
You configure your device to collect specific information and compile it into the Profiler
database.
Configuring the Profiler
You can configure the Profiler using the Profiler settings available on the device settings
in the Device Manager. Using the Device Manager, double-click to access a device
managed in NSM, and click Profiler Settings.
The Profile Configuration dialog box appears with the General tab selected. Once you
select the device for profiling, you can configure the options for the device to collect data
from your internal network.
The following topics describe the steps to configure Profiler options:
•
Specifying General Options on page 14
•
Specifying Tracked Hosts on page 16
•
Specifying Context Targets on page 17
•
Specifying Alert Options on page 18
Specifying General Options
In this tab, indicate whether you want to enable Application Profiling and Probe and
Attemptand whether Non-tracked IP Profiles will be included in the profiling. Also indicate
the size of the Profiler database and whether to enable OS fingerprinting.
You configure Profiler general options to enable Profiler features.
OS fingerprinting passively detects the operating system of an end-host by analyzing
TCP handshake packets. To ensure that this works, you need to verify that OS
fingerprinting is first enabled on the profiled device. After you have configured the Profiler
with the tracked hosts and contexts, you must update the device.
OS fingerprinting works only for packets that contain a full-fledged TCP connection, that
is the TCP connection should have a SYN, SYN/ACK, and a FIN connection. OS
fingerprinting only works for operating systems that are supported on the device. A list
of the supported operating systems is available on the device in a file called
fingerprints.set at the following location:
/usr/idp/device/cfg/fingerprints.set
Configuring Network Objects
The first part of configuring the Profiler is to inform the device which network objects you
want the device to profile. When you start the Profiler, the device begins collecting data
from the selected hosts.
Copyright © 2010, Juniper Networks, Inc.14
Loading...