How it Works
Juniper
Loading...
P
Q
R
S
Loading...
Loading...
SECURITY THREAT RESPONSE MANAGER 2008.2
Administration Manual
370 pgs2.82 Mb0

Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 Administration Manual

Security Threat Response Manager
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000
www.juniper.net
Part Number: 530-025612-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to chang e without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publicati on without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, i t may cause interference wi th radio and tele vision reception. This equip ment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipmen t does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipme nt and receive r. Consult t he dealer o r an experienced ra dio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warrant y and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
STRM Administration Guide
Release 2008.2 Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History June 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
2
CONTENTS
ABOUT THIS GUIDE
Audience 1 Conventions 1 Technical Documentation 1 Documentation Feedback 1 Requesting Support 2
1 OVERVIEW
About the Interface 3 Accessing the Administration Console 4 Using the Interface 4 Deploying Changes 5 Viewing STRM Audit Logs 5
Logged Actions 5 Viewing the Log File 8
2 MANAGING USERS
Managing Roles 11
Creating a Role 11 Editing a Role 14
Managing User Accounts 15
Creating a User Account 15 Editing a User Account 17 Disabling a User Account 17
Authenticating Users 18
3 SETTING UP STRM
Managing Your License Keys 21
Updating your License Key 22 Exporting Your License Key Information 23
Creating Your Network Hierarchy 24
Considerations 24 Defining Your Network Hierarchy 25
Scheduling Automatic Updates 28
Scheduling Automatic Updates 29 Updating Your Files On-Demand 30
Configuring STRM Settings 31 Configuring System Notifications 36 Configuring the Console Settings 39 Starting and Stopping STRM 41 Resetting SIM 41 Accessing the Embedded SNMP Agent 42 Configuring Access Settings 43
Configuring Firewall Access 43 Updating Your Host Set-up 45 Configuring Interface Roles 46 Changing Passwords 47 Updating System Time 48
4 MANAGING BACKUP AND RECOVERY
Managing Backup Archives 53
Viewing Back Up Archives 53 Importing an Archive 54 Deleting a Backup Archive 55
Backing Up Your Information 56
Scheduling Your Backup 56 Initiating a Backup 58
Restoring Your Configuration Information 59
5 USING THE DEPLOYMENT EDITOR
About the Deployment Editor 62
Accessing the Deployment Editor 63 Using the Editor 63 Creating Your Deployment 65 Before you Begin 65 Editing Deployment Editor Preferences 66
Building Your Flow View 66
Adding STRM Components 67 Connecting Components 69 Connecting Deployments 70 Renaming Components 73
Building Your Event View 73
Adding Components 75 Connecting Components 77 Forwarding Normalized Events 77 Renaming Components 80
Managing Your System View 80
Setting Up Managed Hosts 81 Using NAT with STRM 87 Configuring a Managed Host 91 Assigning a Component to a Host 91 Configuring Host Context 92
Configuring STRM Components 95
Configuring a Flow Collector 95 Configuring a Flow Processor 98 Configuring a Classification Engine 104 Configuring an Update Daemon 106 Configuring a Flow Writer 108 Configuring an Event Collector 109 Configuring an Event Processor 110 Configuring the Magistrate 112
6 MANAGING FLOW SOURCES
About Flow Sources 115
NetFlow 115 sFlow 116 J-Flow 117 Packeteer 117 Flowlog File 118
Managing Flow Sources 118
Adding a Flow Source 118 Editing a Flow Source 120 Enabling/Disabling a Flow Source 121 Deleting a Flow Source 122
Managing Flow Source Aliases 122
Adding a Flow Source Alias 122 Editing a Flow Source Alias 123 Deleting a Flow Source Alias 124
7 MANAGING SENTRIES
About Sentries 125 Viewing Sentries 126 Editing Sentry Details 127 Managing Packages 132
Creating a Sentry Package 132 Editing a Sentry Package 134
Managing Logic Units 135
Creating a Logic Unit 135 Editing a Logic Unit 138
8 MANAGING VIEWS
Using STRM Views 139
About Views 139 About Global Views 140 Defining Unique Objects 141
Managing Ports View 142
Default Ports Views 142 Adding a Ports Object 142 Editing a Ports Object 144
Managing Application Views 146
Default Application Views 146 Adding an Applications Object 147 Editing an Applications Object 149
Managing Remote Networks View 151
Default Remote Networks Views 151 Adding a Remote Networks Object 151 Editing a Remote Networks Object 153
Managing Remote Services Views 154
Default Remote Services Views 154 Adding a Remote Services Object 155 Editing a Remote Services Object 156
Managing Collector Views 158
Adding a Flow Collector Object 158 Editing a Flow Collector Object 159
Managing Custom Views 161
About Custom Views 161 Editing Custom Views 170
Editing the Equation 171 Enabling and Disabling Views 172 Using Best Practices 174
9 CONFIGURING RULES
Viewing Rules 176 Enabling/Disabling Rules 177 Creating a Rule 177
Event Rule Tests 194
Offense Rule Tests 203 Copying a Rule 208 Deleting a Rule 208 Grouping Rules 209
Viewing Groups 209
Creating a Group 209
Editing a Group 211
Copying an Item to Another Group(s) 211
Deleting an Item from a Group 213
Assigning an Item to a Group 213 Editing Building Blocks 213
10 DISCOVERING SERVERS
11 FORWARDING SYSLOG DATA
Adding a Syslog Destination 219 Editing a Syslog Destination 220 Delete a Syslog Destination 221
A JUNIPER NETWORKS MIB
B ENTERPRISE TEMPLATE DEFAULTS
Default Sentries 237 Default Custom Views 245
IP Tracking Group 245 Threats Group 246 Attacker Target Analysis Group 249 Target Analysis Group 250 Policy Violations Group 251 ASN Source Group 252 ASN Destination Group 252 IFIndexIn Group 252 IFIndexOut Group 252 QoS Group 252
Flow Shape Group 253 Default Rules 254 Default Building Blocks 266
C UNIVERSITY TEMPLATE DEFAULTS
Default Sentries 281 Default Custom Views 289
IP Tracking Group 289
Threats Group 290
Attacker Target Analysis Group 293
Target Analysis Group 294
Policy Violations Group 295
ASN Source Group 296
ASN Destination Group 296
IFIndexIn Group 296
IFIndexOut Group 296
QoS Group 296
Flow Shape Group 297 Default Rules 298 Default Building Blocks 310
D ISP TEMPLATE DEFAULTS
Default Sentries 325 Default Custom Views 328
IP Tracking Group 328
Threats Group 329
Attacker Target Analysis Group 332
Target Analysis Group 333
Policy Violations Group 334
ASN Source Group 335
ASN Destination Group 335
IFIndexIn Group 335 IFIndexIn Group 335 QoS Group 335
Flow Shape Group 336 Default Rules 337 Default Building Blocks 346
INDEX
ABOUT THIS GUIDE
The STRM Administration Guide provides you with information for managing STRM functionality requiring administrative access.
Audience This guide is intended for the system administrator responsible for setting up
STRM in your network. This guide assumes that you have STRM administrative access and a knowledge of your corporate network and networking technologies.
Conventions Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Icon Type Description
Information note Information that describes important features or
instructions.
Technical Documentation
Documentation Feedback
Caution Information that alerts you to potential loss of
data or potential damage to an application, system, device, or network.
Warning Information that alerts you to potential personal
injury.
You can access technical documentation, technical notes, and release notes directly from the Juniper networks Support Web site at
www.juniper.net/support/.
http://
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be
sure to include the following information with your comments:
Document name
Document part number
STRM Administration Guide
2 ABOUT THIS GUIDE
Page number
Software release version
Requesting Support
Open a support case using the Case Management link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States,
Canada, or Mexico) or 1-408-745-9500 (from elsewher e).
STRM Administration Guide
OVERVIEW
1
This chapter provides an overview of the STRM Administration Console and STRM administrative functionality including:
About the Interface
Accessing the Administration Console
Using the Interface
Deploying Changes
Viewing STRM Audit Logs
About the Interface Y ou must have administrative privileges to access the Administration Console. The
STRM Administration Console provides access to following administrative functionality:
Manage users. See Chapter 2 Managing Users.
Manage STRM. See Chapter 3 Setting Up STRM.
Backup and recover your data. See Chapter 4 Managing Backup and
Recovery.
Manage your deployment views. See Chapter 5 Using the Deployment Editor.
Managing flow sources. See Chapter 6 Managing Flow Sources.
Configure sentries. See Chapter 7 Managing Sentries.
Configure views. See Chapter 8 Managing Views.
Configure syslog forwarding. See Chapter 11 Forwarding Syslog Data.
All configuration updates using the Administration Console are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment.
STRM Administration Guide
4 OVERVIEW
Accessing the Administration Console
You can access the STRM Administration Console through the main STRM interface. To access the Administration Console, click Config in the main STRM interface. The Administration Console appears.
Using the Interface The Administration Console provides several tab and menu options that allow you
to configure STRM including:
System Configuration - Provides access to administrative functionality, such
as, user management, automatic updates, license key, network hierarchy, sentries, STRM settings, system notifications, backup and recovery and Console configuration.
Views Configuration - Provides access to STRM views.
SIM Configuration - Provides access to scanners, sensor device
management, syslog forwarding, and reset the SIM model.
Flow Configuration - Provides access to flow source configuration, such as
NetFlow.
The Administration Console also includes several menu options including:
Table 1-1 Administrative Console Menu Options
Menu Option Sub-Menu Description
File Close Closes the Administration Console. Configurations Deployment Editor Opens the deployment editor
interface.
Deploy configuration changes
Deploy All Deploys all configuration settings to
System STRM Start Starts the STRM application.
STRM Stop Stops the STRM application.
Deploys any configuration changes from the current session to your deployment.
your deployment.
STRM Administration Guide
Deploying Changes 5
Table 1-1 Administrative Console Menu Options (continued)
Menu Option Sub-Menu Description
STRM Restart Restarts the STRM application.
Help Help and Support Opens user documentation.
About STRM Administration Console
Displays version information.
The Administration Console provides several toolbar options including:
Table 1-2 Administration Console Toolbar Options
Icon Description
Opens the deployment editor interface.
Deploys all changes made through the Administration Console.
Deploying Changes Once you update your configuration settings using the Administration Console,
you must save those changes to the staging area. You must either manually deploy all changes using the Deploy menu option or, upon exit, a window appears prompting you to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.
Using the Administration Console menu, you can deploy changes as follows:
Deploy All - Deploys all configuration settings to your deployment.
Deploy configuration changes - Deploys any configuration changes from the
current session to your deployment.
Viewing STRM Audit Logs
Changes made by STRM users are recorded in the audit logs. You can view the audit logs to monitor changes to STRM and the users performing those changes.
All audit logs are stored in plain text and are archived and compressed once the audit log file reaches a size of 200 MB. The current log file is named Once the file reaches a size of 200 MB, the file is compressed and renamed as follows:
audit.1.gz, audit.2.gz, etc with the file number incrementing each
time a log file is archived. STRM stores up to 50 archived log files. This section provides information on using the audit logs including:
Logged Actions
Viewing the Log File
Logged Actions STRM logs the following categories of actions in the audit log file:
audit.log.
STRM Administration Guide
6 OVERVIEW
Table 1-3 Logged Actions
Category Action
User Authentication Log in to STRM User Authentication Log out of STRM Administrator Authentication Log in to the STRM Administration Consol e Administrator Authentication Log out of the STRM Administration Console Root Login Log in to STRM, as root
Log out of STRM, as root
Rules Adding a rule
Deleting a rule Editing a rule
Sentry Adding a sentry
Editing a sentry Deleting a sentry Editing a sentry package Editing sentry logic
User Accounts Adding an account
Editing an account Deleting an account
User Roles Adding a role
Editing a role Deleting a role
Sensor Devices Adding a sensor device
Editing a sensor device Deleting a sensor device Adding a sensor device group Editing a sensor device group Deleting a sensor device group
Sensor Device Extension Adding an sensor device extension
Editing the sensor device extension Deleting a sensor device extension Uploading a sensor device extension Uploading a sensor device extension
successfully Downloading a sensor device extension Reporting a sensor device extension Modifying a sensor devices association to a
device or device type.
STRM Administration Guide
Viewing STRM Audit Logs 7
Table 1-3 Logged Actions
Category Action
Protocol Configuration Adding a protocol configuration
Deleting a protocol configuration Editing a protocol configuration
Flow Sources Adding a flow source
Editing a flow source Deleting a flow source
Offense Manager Hiding an offense
Closing an offense Closing all offenses
TNC Recommendations Creating a recommendation
Editing a recommendation Deleting a recommendation
Syslog Forwarding Adding a syslog forwarding
Deleting a syslog forwarding Editing a syslog forwarding
Reports Adding a template
Deleting a template Editing a template Executing a template Deleting a report
Groups Adding a group
Deleting a group Editing a group
Backup and Recovery Editing the configuration
Initiating the backup Completing the backup Failing the backup Deleting the backup Synchronizing the backup Cancelling the backup Initiating the restore Uploading a backup Uploading an invalid backup Deleting the backup
STRM Administration Guide
8 OVERVIEW
Table 1-3 Logged Actions
Category Action
Scanner Adding a scanner
Scanner Schedule Adding a schedule
Asset Deleting all assets License Adding a license key.
Viewing the Log File To view the audit logs:
Step 1 Log in to STRM as root. Step 2 Go to the following directory:
/var/log/audit
Deleting a scanner Editing a scanner
Editing a schedule Deleting a schedule
Editing a license key.
Step 3 Open the desired audit log file.
Each entry in the log file displays using the following format:
Note: The maximum size of any audit message (not including date, time, and host name) is 1024 characters.
<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
Where:
<date_time> is the date and time of the activity in the format: Month Date
HH:MM:SS.
<host name> is the host name of the Console where this activity was logged. <user> is the name of the user that performed the action. <IP address> is the IP address of the user that performed the action. (thread ID) is the identifier of the Java thread that logged this activity. <category> is the high-level category of this activity. <sub-category> is the low-level category of this activity. <action> is the activity that occurred. <payload> is the complete record that has changed, if any. This may include a
user record or an event rule. For example:
Nov 6 12:22:31 localhost.localdomain admin@10.100.100.15 (Session) [Authentication] [User] [Login]
STRM Administration Guide
Viewing STRM Audit Logs 9
Nov 6 12:22:31 localhost.localdomain jsam@10.100.100.15 (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, email=sam@q1labs.com, userrole=Admin
Nov 13 10:14:44 localhost.localdomain admin@10.100.45.61 (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
STRM Administration Guide
MANAGING USERS
2
This chapter provides information on managing STRM users including:
Managing Roles
Managing User Accounts
Authenticating Users
You can add or remove user accounts for all users that you wish to access STRM. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM. You can also restrict or allow access to areas of the network.
Managing Roles You must create a role before you can create user accounts. By default, STRM
provides a default administrative role, which provides access to all areas of STRM. A user that has been assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any desired changes.
Using the Administration Console, you can:
Create a role. See Creating a Role.
Edit a role. See Editing a Role
Creating a Role To create a role:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage User Roles window appears.
Step 3 Click Create Role.
STRM Administration Guide
12 MANAGING USERS
Step 4 Enter values for the parameters. You must select at least one permission to
proceed.
Table 2-1 Create Roles Parameters
Parameter Description
Role Name Specify the name of the role. The name can be up to 15
characters in length and must only contain integers and letters.
Administrator Select the check box if you wish to grant this user
administrative access to the STRM interface. Within the administrator role, you can grant additional access to the following:
System Administrator - Select this check box if you wish
to allow users access to all areas of STRM except Views. Also users with this access are not able to edit other administrator accounts.
Administrator Manager - Select this check box if you
wish to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
Views Administrator - Select this check box if you wish
to allow users the ability to create, edit, or delete Views. For example, the Application View and the Ports View.
STRM Administration Guide
Managing Roles 13
Table 2-1 Create Roles Parameters (continued)
Parameter Description
Offense Management Select the check box if you wish to grant this user access to
Offense Manager functionality. Within the Offense Manager functionality, you can grant additional access to the following:
Assign Offenses to Users - Select the check box if you
wish to allow users to assign offenses to other users.
Customized Rule Creation - Select the check box if you
wish to allow users to create custom rules.
For more information on the Offense Manager, see the STRM Users Guide.
Event Viewer Select the check box if you wish this user to have access to
the Event Viewer. Within the Event Viewer, you can also grant users additional access to the following:
Event Search Restrictions Override - Select the check
box if you wish to allow users the ability to override event search restrictions.
Customized Rule Creation functionality - Select the
check box if you wish to allow users to create rules using the Event Viewer.
For more information on the Event Viewer, see the STRM Users Guide.
Asset Management Select the check box if you wish to grant this user access to
Asset Management functionality. Within the Asset Management functionality, you can grant additional access to the following:
Server Discovery - Select the check box if you wish to
allow users the ability to discover servers.
View VA Data - Select the check box if you wish to allow
users access to vulnerability assessment data.
Perform VA Scans - Select the check box if you wish to
allows users to perform vulnerability assessment scans.
STRM Administration Guide
14 MANAGING USERS
Table 2-1 Create Roles Parameters (continued)
Parameter Description
Network Surveillance Select the check box if you wish to grant this user access to
Network Surveillance functionality. Within the Network Surveillance functionality, you can grant additional access to the following:
View Flows - Select the check box if you wish to allow
users access to content captured using the View Flows function.
View Flow Content - Select the check box if you wish to
allow users access to data accessed through the View Flow box.
View Flows Restrictions Override - Select the check
box if you wish to allow users the ability to override sentry restrictions.
Sentry Modification - Select the check box if you wish to
allows users to modify existing sentries.
For more information, see the STRM Users Guide.
Reporting Select the check box if you wish to grant this user access to
Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following:
Distribute Reports via Email - Select the check box if
you wish to allow users to distribute reports throug h e-mail.
Maintain Templates - Select the check box if you wish to
allow users to maintain reporting templates.
For more information, see the STRM Users Guide.
Step 5 Click Save. Step 6 Click Return. Step 7 Close the Manage Roles window.
The STRM Administration Console appears.
Step 8 From the menu, select Configurations > Deploy configuration changes.
Editing a Role To edit a role:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you wish to edit, click the edit icon.
The Permissions for Role window appears.
Step 4 Update the permissions (see Table 2-1), as necessary.
STRM Administration Guide
Managing User Accounts 15
Step 5 Click Return. Step 6 Click Save. Step 7 Close the Manage User Roles window.
The STRM Administration Console appears.
Step 8 From the menu, select Configurations > Deploy configuration changes.
Managing User Accounts
Creating a User
Account
You can create a STRM user account, which allows a user access to selected network components using the STRM interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges.
You can create and edit user accounts to access STRM including:
Creating a User Account
Editing a User Account
Disabling a User Account
To create an account for a STRM user:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click Add.
The User Details window appears.
Step 4 Enter values for the following parameters:
Table 2-2 User Details Parameters
Parameter Description
Username Specify a username for the new user. The username must not
include spaces or special characters.
STRM Administration Guide
16 MANAGING USERS
Step 5 Click Next.
Table 2-2 User Details Parameters (continued)
Parameter Description
Password Specify a password for the user to gain access. The password
must be at least 5 characters in length. Confirm Password Re-enter the password for confirmation. Email Address Specify the user’s e-mail address. Role Using the drop-down list box, select the role you wish this user to
assume. For information on roles, see
Managing Roles. If you
select Admin, this process is complete.
The Selected Network Objects window appears.
Step 6 From the menu tree, select the network objects you wish this user to be able to
monitor. The selected network objects appear in the Selected Network Object panel.
Step 7 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately. b Click Cancel to cancel all updates and return to the Manage Users window.
Step 8 Close the Manage Users window.
The STRM Administration Console appears.
STRM Administration Guide
Managing User Accounts 17
Editing a User
Account
Step 1 In the Administration Console, click the System Configuration tab.
Step 2 Click the Users icon.
Step 3 In the Manage Users area, click the user account you wish to edit.
Step 4 Update values (see Table 2-2), as necessary. Step 5 Click Next.
Step 6 From the menu tree, select the network objects you wish this user to access.
Step 7 For all network objects you wish to remove access, select the object from the
Step 8 Choose one of the following options:
To edit a user account:
The System Configuration panel appears.
The Manage Users window appears.
The User Details window appears.
If you are editing a non-administrative user account, the Selected Network Objects window appears. If you are editing an administrative user account, go to Step 9.
The selected network objects appear in the Selected Network Object panel.
Selected Network Objects panel and click Remove.
a Click Deploy Now to deploy new user information immediately.
Step 9 Close the Manage Users window.
Disabling a User
Account
Step 1 In the Administration Console, click the System Configuration tab.
Step 2 Click the Users icon.
Step 3 In the Manage Users area, click the user account you wish to disable.
Step 4 In the Role drop-down list box, select Disabled. Step 5 Click Next. Step 6 Close the Manage Users window.
b Click Cancel to return to cancel all updates and return to the Manage Users
window.
The STRM Administration Console appears.
To disable a user account:
The System Configuration panel appears.
The Manage Users window appears.
The User Details window appears.
The STRM Administration Console appears. This user no longer has access to the STRM interface. If this user attempts to log in to STRM, the following message appears: This account has been disabled.
STRM Administration Guide
18 MANAGING USERS
Authenticating Users
You can configure authentication to validate STRM users and passwords. STRM supports the following user authentication types:
System Authentication - Users are authenticated lo cally by STRM. This is the
default authentication type.
RADIUS Authentication - Users are authenticated by a Remote Authentication
Dial-in User Service (RADIUS) server. When a user attempts to login, STRM encrypts the password only, and forwards the username and password to the RADIUS server for authentication.
TACACS Authentication - Users are authenticated by a Terminal Access
Controller Access Control System (TACACS) server. When a user attempts to login, STRM encrypts the username and password, and forwards this information to the TACACS server for authentication.
LDAP/ Active Directory - Users are authenticated by a Lightweight Directory
Access Protocol (LDAP) server using Kerberos.
If you wish to configure RADIUS, TACACS, or LDAP/Active Directory as the authentication type, you must :
Configure the authentication server before you con figu re authentication in
STRM.
Make sure the server has the appropriate user accounts and privilege levels to
communicate with STRM. See your server documentation for more information.
Make sure the time of the authentication server is synchronized with the time of
the STRM server. For more information on setting STRM time, see Chapter 3
Setting Up STRM.
Make sure all users have appropriate user accounts and roles in STRM to allow
authentication with the third party servers.
Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. if the user attempts to access the sy st em multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring system settings for authentication, see Chapter 3 Setting Up STRM - Configuring the Console
Settings. An administrative user can always access STRM through a third party
authentication module or by using the local STRM Admin password. To configure authentication:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Authentication icon.
The Authentication window appears.
STRM Administration Guide
Authenticating Users 19
Step 3
From the Authentication Module drop-down list box, select the authentication type you wish to configure.
Step 4 Configure the selected authentication type:
a If you selected System Authentication, go to Step 5 b If you selected RADIUS Authentication, enter values for the following
parameters:
Table 2-3 RADIUS Parameters
Parameter Description
RADIUS Server Specify the hostname or IP address of the RADIUS server. RADIUS Port Specify the port of the RADIUS server. Authentication
Type
Specify the type of authentication you wish to perf or m . Th e options are:
CHAP (Challenge Handshake Authentication Protocol) -
Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
MSCHAP (Microsoft Challenge Handshake Authentication
Protocol) - Authenticates remote Windows workstations.
ARAP (Apple Remote Access Protocol) - Establishes
authentication for AppleTalk network traffic.
ASCII
PAP (Password Authentication Protocol) - Sends clear text
between the user and the server.
Shared Secret Specify the shared secret that STRM uses to encrypt RADIUS
passwords for transmission to the RADIUS server.
c If you selected TACACS Authentication, enter values for the following
parameters:
Table 2-4 TACACS Parameters
Parameter Description
TACACS Server Specify the hostname or IP address of the TACACS server. TACACS Port Specify the port of the TACACS server.
STRM Administration Guide
20 MANAGING USERS
Table 2-4 TACACS Parameters (continued)
Parameter Description
Authentication Type
Specify the type of authentication you wish to perform. The
options are:
PAP (Password Authentication Protocol) - Sends clear text
between the user and the server.
CHAP (Challenge Handshake Authentication Protocol) -
Establishes a PPP connection between the user and the server.
MSCHAP (Microsoft Challenge Handshake Authentication
Protocol) - Authenticates remote Windows workstations.
MSCHAP2 - (Microsoft Challenge Handshake Authentication
Protocol version 2)- Authenticates remote Windows workstations using mutual authentication.
EAPMD5 (Extensible Authentication Protocol using MD5
Protocol) - Uses MD5 to establish a PPP connection.
Shared Secret Specify the shared secret that STRM uses to encrypt TACACS
passwords for transmission to the TACACS server.
d If you selected LDAP/ Active Directory, enter values for the following
parameters:
Table 2-5 LDAP/ Active Directory Parameters
Parameter Description
Server URL Specify the URL used to connect to the LDAP server. For
LDAP Context Specify the LDAP context you wish to use, for example,
LDAP Domain Specify the domain you wish to use, for example q1labs.inc
Step 5 Click Save.
example, ldap://<host>:<port>
DC=Q1LABS,DC=INC.
STRM Administration Guide
3
SETTING UP STRM
This chapter provides information on setting up STRM including:
Managing Your License Keys
Creating Your Network Hierarchy
Scheduling Automatic Updates
Configuring STRM Settings
Configuring System Notifications
Configuring the Console Settings
Starting and Stopping STRM
Resetting SIM
Accessing the Embedded SNMP Agent
Configuring Access Settings
Managing Your License Keys
For your STRM Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System Management window in the STRM Administration Console. This interface prov ides the status of the license key for each system (host) in your deployment including:
Valid - The license key is valid.
Expired - The license key has expired. To update your license key, see
Updating your License Key.
Override Console License - This host is using the Console license key. You
can use the Console key or apply a license key for this system. If you wish to use the Console license for any system in your deployment, click Default License in the Manage License window . The license for that system will default to the Console license key.
This section provides information on managing your license keys including:
Updating your License Key
Exporting Your License Key Information
STRM Administration Guide
22 SETTING UP STRM
Updating your
License Key
Step 1 In the Administration Console, click the System Configuration tab.
Step 2 Click the System Management icon.
For your STRM Console, a default license key provides you access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:
For a new or updated license key, please contact your local sales
representative.
For all other technical issues, please contact Juniper Networks Customer
Support.
If you log in to STRM and your Console license key has expired, you are automatically directed to the System Management window. You must update the license key before you can continue. However, if one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System Management window to update that license key.
To update your license key:
The System Configuration panel appears.
The System Management window appears providing a list of all hosts in your deployment.
Step 3 For the host that on which you wish to update the license key, click the value that
appears in the License column.
Note: If you update the license key for your Console, all systems in your deployment default to the Console license key at that time.
The Current License Details window appears.
Step 4 Click Browse beside the New License Key File and locate the license key.
STRM Administration Guide
Loading...
+ 340 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use