Juniper SECURITY THREAT RESPONSE MANAGER - APPLICATION CONFIGURATION GUIDE REV 1, STRM Configuration Manual

Security Threat Response Manager
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000
www.juniper.net
Part Number: 530-025610-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
STRM Application Configuration Guide
Release 2008.2
Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History June 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
ABOUT THIS GUIDE
Conventions
Technical Documentation
Documentation Feedback
Requesting Support
1 DEFINING APPLICATION MAPPINGS
About the STRM Applications View
Defining Application Mappings
Example of a Mapping File
2 DEFAULT APPLICATIONS
3 ICMP TYPE AND CODE IDS
Identifying Default ICMP Types
Identifying Default ICMP Codes
4 PROTOCOL IDS
5 PORT IDS
ABOUT THIS GUIDE
The STRM Application Configuration Guide provides you with information on how to investigate various types of security threats using the Offense Manager, Event Viewer, or the Flow Viewer.
Conventions
Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Icon Type / Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning: Information that alerts you to potential personal injury.
Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
STRM Default Application Configuration Guide
Requesting Support
Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
1 DEFINING APPLICATION MAPPINGS
By default, STRM can classify many applications. When creating new or customized application mappings, you must:
Step 1 Update the Application Views in the STRM Administration interface, which contain group and object information. For more information on updating the Application Views, see the STRM Administration Guide.
Step 2 Configure the application mapping parameters in the Flow Collector parameters. For more information, see the STRM Administration Guide.
Step 3 Update the mapping file, which contains user defined application mappings. This file maps user defined applications to STRM's Application Views.
Step 4 Deploy the changes to other systems through the Administration Console. For more information, see the STRM Administration Guide.
This chapter provides information on configuring and editing applications in STRM, including:
About the STRM Applications View
Defining Application Mappings
About the STRM Applications View
Once a flow is detected, STRM assigns an application ID to the flow based on the content of the flow, the protocol used for the flow, and the port. The particular application ID assigned to a flow depends on the values configured in the mapping file. This file also allows the application ID to be mapped to values defined in the Application View of your STRM interface, so that the classified data can be stored and displayed on the STRM graphs according to the defined application ID.
Figure 1-1 shows an example of the Chat Application View in the STRM interface, which shows the associated ID in the Values column.
Figure 1-1 Example of Application View
You can edit the user defined mapping file to ensure specific traffic is appropriately classified in the STRM interface. However, STRM also includes default application IDs, which you can view in the Applications View of the STRM interface. For example, in Figure 1-1, the Chat group includes the default AOL group, which is defined in the default mapping file to ensure all AOL traffic is assigned a value of 3001. For more information on the default values, see Chapter 2 Default Applications.
Note: For more information on enabling or disabling application detection, see the STRM Administration Guide.
Defining Application Mappings
To define application mappings:
Step 1 Using SSH, log in to STRM.
Step 2 Open the following file:
/store/configservices/staging/globalconfig/user_application_mapping.conf
Note: To edit the name of the user_application_mapping.conf file, you can edit the User Application Mapping parameter in the Flow Processor configuration window. For more information, see the STRM Administration Guide. If user_application_mapping.conf does not exist on your system, create it as an empty file in the above directory.
Step 3 Update the file, as necessary.
When updating the file, note the following:
Each line in the file indicates a new mapped application. You can specify multiple mappings (each on a separate line) for the same application.
You can specify a wildcard character * for any of the fields. The wildcard character must be used alone and not as part of a comma separated list. The wildcard character indicates that this field applies to all flows.
Since it is possible for a flow to be associated with multiple mappings, a flow is mapped to an application ID based on the order of the file. The first mapping that applies in the file is assigned to the flow.
When adding new application identification numbers, we recommend that you apply numbers ranging between 15,000 to 20,000. Contact Juniper Networks Customer Support for further information.
The format of the entry must resemble the following:
<New ID> <Old ID> <Source IP Address>:<Source Port> <Dest IP Address>:<Dest Port> <Name>
Where:
<New ID> specifies the application ID you wish to assign to the flow. A value of 1 indicates an unknown application. If the ID you wish to assign does not exist, you must create the ID using the Application View in the STRM interface. For more information, see the STRM Administration Guide.
<Old ID> specifies the default application ID of the flow, as assigned by STRM. A value of * indicates a wildcard. For more information on the default values, see Chapter 2 Default Applications.
<Source IP Address> specifies the source IP address of the flow. This field may contain either a comma separated list of addresses or CIDR values. A value of * indicates a wildcard, which means that this field applies to all flows.
<Source Port> specifies the associated source port. This field may contain a comma separated list of values or ranges specified in the format: <lower port number>-<upper port number>. A value of * indicates a wildcard, which means that this field applies to all flows.
<Dest IP Address> specifies the destination IP address of the flow. This field may contain either a comma separated list of addresses or CIDR values. A value of * indicates a wildcard, which means that this field applies to all flows.
<Dest Port> specifies the associated destination port. This field may contain a comma separated list of values or ranges specified in the format: <lower port number>-<upper port number>. A value of * indicates a wildcard, which means that this field applies to all flows.
<Name> specifies a name you wish to assign to this mapping. This field is optional.
For example, the following entry maps all flows that match the listed IP addresses and ports, and to which the Flow Collector has assigned the Old ID of 1010, to the new ID of 15000:
15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443
Step 4 Save and exit the file.
Step 5 Log in to STRM.
Step 6 Click Config to access the Administration Console.
Step 7 If necessary, edit your Application View.
Note: For information on creating or editing views, see the STRM Administration Guide.
Step 8 From the menu, select Configurations > Deploy configuration changes.
The Deploy configuration changes window appears:
Step 9 Click Close.
You have successfully deployed your changes.
Example of a Mapping File
15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443 AllowedWebTypeA
15000 1010 10.100.30/24:* 172.14.33.20:80 AllowedWebTypeA
15100 * *:33333 64.35.20/24,64.33/16,64.77.34.12:33333,33350-33400 GameX
15100 1,34803,34809 *:33333 *:33333,33350-33400 GameX
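As an added example (not from this guide and not STRM's own code), the Python below parses a user_application_mapping.conf file in the format described above and classifies a flow the way the rules state: the first matching line wins, * is a wildcard, IP fields take comma separated addresses or CIDR values, and port fields take lists and <lower>-<upper> ranges. The sample file is the one from this chapter, embedded as a constructed string; zero-padding abbreviated networks such as 64.33/16 to 64.33.0.0/16 is an assumption about that shorthand.

```python
import ipaddress

# Constructed sample: the four-line mapping file shown in this chapter.
MAPPING_CONF = """\
15000 1010 10.100.100/24,10.100.50.10:* 172.14.33.33:80,443 AllowedWebTypeA
15000 1010 10.100.30/24:* 172.14.33.20:80 AllowedWebTypeA
15100 * *:33333 64.35.20/24,64.33/16,64.77.34.12:33333,33350-33400 GameX
15100 1,34803,34809 *:33333 *:33333,33350-33400 GameX
"""

def _network(text):
    # Zero-pad abbreviated networks like "64.33/16" (assumed shorthand semantics).
    addr, _, prefix = text.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{prefix or 32}", strict=False)

def _ip_matches(field, ip):
    # "*" is the wildcard; otherwise a comma separated list of addresses/CIDRs.
    return field == "*" or any(ipaddress.ip_address(ip) in _network(t)
                               for t in field.split(","))

def _port_matches(field, port):
    # "*", or a comma separated list of single ports and <lower>-<upper> ranges.
    return field == "*" or any(int(lo) <= port <= int(hi or lo)
                               for lo, _, hi in (t.partition("-") for t in field.split(",")))

def parse_mappings(text):
    """Parse lines of: <New ID> <Old ID> <SrcIP>:<SrcPort> <DstIP>:<DstPort> [<Name>]."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:  # blank or malformed line: skip it
            continue
        name = parts[4] if len(parts) > 4 else ""
        src_ip, src_port = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        rules.append((int(parts[0]), parts[1], src_ip, src_port, dst_ip, dst_port, name))
    return rules

def classify(rules, old_id, src_ip, src_port, dst_ip, dst_port):
    """First matching rule wins: an early wildcard rule shadows later, narrower ones."""
    for new_id, old, sip, sport, dip, dport, name in rules:
        if ((old == "*" or str(old_id) in old.split(","))
                and _ip_matches(sip, src_ip) and _port_matches(sport, src_port)
                and _ip_matches(dip, dst_ip) and _port_matches(dport, dst_port)):
            return new_id, name
    return None
```

Running a handful of representative flows through classify before deploying is a cheap way to confirm that a new line is not shadowed by an earlier, broader one.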
2 DEFAULT APPLICATIONS
STRM includes default application IDs, which you can view in the Applications View of the STRM interface. This chapter provides the default application values as they appear in the Applications View. The default application values apply to all source and destination flows; however, the destination port is specific to the application.
For more information on the Application View, see the STRM Administration Guide.
Table 2-1 provides the default Application values for STRM:
Table 2-1 Default Applications
Application View Group / Sub-Component / Value / Description
Chat / AOL-ICQ / 3001 / AOL Instant Messenger (AIM) traffic.
Chat / CUSeeMe / 60016 / CUSeeMe traffic.
Chat / Google / 3006 / Google IM traffic.
Chat / ICQ / 3002 / ICQ traffic.
Chat / Jabber / 3004 / Jabber protocol traffic.
Chat / Lotus-IM / 60162 / Lotus IM traffic.
Chat / MSN / 3000 / MSN traffic.
Chat / Misc_IM / 3005 / Misc IM traffic.
Chat / Windows-POPUP / 60170 / Windows Messenger Service Pop-up.
Chat / Yahoo / 1033 / Yahoo traffic.
Chat / iChat / 3008 / iChat traffic.
Chat / IRC / 3003 / IRC traffic.
Chat / IRC / 3003 / IRC traffic.
Chat / IRC / 5668 / IRC traffic.
Chat / IRC / 5669 / IRC traffic.
Chat / IRC / 5782 / IRC traffic.
Chat / MSN / 5672 / MSN traffic.