The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has
been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These
specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
•Reorient or relocate the receiving antenna.
•Increase the separation between the equipment and receiver.
•Consult the dealer or an experienced radio/TV technician for help.
•Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Deploying STRM
Additional Hardware Requirements
Additional Software Requirements
Browser Support
Preparing Your Network Hierarchy
Identifying Network Settings
Identifying Security Monitoring Devices and Flow Data Sources
Identifying Network Assets
2 INSTALLING STRM
Setting Up Appliances
Installing STRM Using Red Hat Enterprise 4.6
Installing Japanese Support
Accessing STRM
A SETTING UP RED HAT ENTERPRISE
Before You Begin
Configuring Network Parameters
Configuring Firewall Configuration
Configuring Disk Partitions
Installing Red Hat Enterprise 4 Update 6
Customizing Red Hat Upgrades
INDEX
ABOUT THIS GUIDE
The STRM Installation Guide provides you with information on setting up STRM.
This guide assumes a working knowledge of networking and Linux systems.
Conventions
Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Type | Description
Information note | Information that describes important features or instructions.
Caution | Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning | Information that alerts you to potential personal injury.
Technical Documentation
You can access technical documentation, technical notes, and release notes
directly from the Juniper Networks Support Web site at
http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we
can improve the documentation. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be
sure to include the following information with your comments:
•Document name
•Document part number
•Page number
•Software release version
STRM Installation Guide
Requesting Support
•Open a support case using the Case Management link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States,
Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
1 PREPARING FOR YOUR INSTALLATION
This chapter provides information for planning your STRM deployment,
including:
•Deploying STRM
•Additional Hardware Requirements
•Additional Software Requirements
•Browser Support
•Preparing Your Network Hierarchy
•Identifying Network Settings
•Identifying Security Monitoring Devices and Flow Data Sources
•Identifying Network Assets
Your STRM deployment may consist of STRM installed on one or multiple
systems. You can use the STRM three-tier architecture to install any or all
components on a single server for small enterprises or distributed across multiple
servers for maximum performance and scalability in large enterprise
environments.
To ensure a successful STRM deployment, adhere to the recommendations in this
document.
Deploying STRM
You can deploy STRM using STRM appliances or STRM software installed on your
own hardware. This section provides information on deploying STRM including:
•STRM Components
A STRM appliance includes STRM software and a CentOS-4 operating system.
For further information on STRM appliances, see the Hardware Installation Guide.
STRM Components
STRM components that may exist in your deployment include:
Note: For more information on each STRM component, see the STRM
Administration Guide.
•Flow Collector - Passively collects traffic flows from your network through span
ports or network taps. The Flow Collector also supports the collection of
external flow-based data sources, such as NetFlow. You can install a Flow
Collector on your own hardware or use one of the QFlow appliances.
•Flow Processor - Normalizes flows sent from one or more Flow Collector(s) by
consolidating, aggregating, and removing duplicate flows. The Flow Collector
can also create superflows (aggregate flows) before the flows reach the
Classification Engine.
•Classification Engine - Analyzes flows to classify and identify all traffic in the
enterprise network into multiple objects.
•Console - Provides the interface for STRM. The Console provides real time
views, reports, alerts, and in-depth flow views of network traffic and security
threats. This Console is also used to manage distributed STRM deployments.
The Console is accessed from a standard web browser. When you access the
system, a prompt appears for a user name and password, which must be
configured during the installation process. You must also have Java installed.
For information on software requirements, see Additional Software
Requirements.
•Update Daemon - Stores the database and TopN data. Typically, the Update
Daemon is installed on the Console.
•Flow Writer - Stores the flow and asset profile data.
•Offense Resolution - Offense Resolution is a module that provides
enterprise-wide intrusion prevention for your network and includes Resolvers,
Resolutions and Resolver Agents.
•Event Collector - The Event Collector gathers events from local and remote
device sources. The Event Collector normalizes events and sends the
information to the Event Processor. Before being sent to the Event Processor,
the Event Collector bundles identical events to conserve system usage. During
this process, Magistrate risk factors map the events to the STRM Identification
System, and creates the bundles.
•Event Processor - Processes events collected from one or more Event
Collector(s). Once received, the Event Processor correlates the information
from STRM and distributes to the appropriate area, depending on the type of
event. The Event Processor also includes information gathered by STRM to
indicate any behavioral changes or policy violations for the event. Rules are
applied to the events that allow the Event Processor to process according to the
configured rules. Once complete, the Event Processor sends the events to the
Magistrate.
•Magistrate - Provides the core processing components. You can add one
Magistrate component for each deployment. The Magistrate provides views,
reports, alerts, and analysis of network traffic and security events. The
Magistrate processes the event against the defined custom rules to create an
offense. If no custom rules exist, the Magistrate uses the default rules to
process the event. An offense is an event that has been processed through
STRM using multiple inputs, individual events, and events combined with
analyzed behavior and vulnerabilities. Magistrate prioritizes the offenses and
assigns a magnitude value based on several factors, including number of
events, severity, relevance, and credibility.
Additional Hardware Requirements
Before installing your STRM systems, make sure you have access to the additional
hardware components:
•Monitor and keyboard or a serial console
•To make sure that your STRM data is preserved during a power failure, we
highly recommend that all STRM appliances or systems running STRM
software storing data (such as Consoles, Event Processors, or Flow
Processors) be equipped with an Uninterrupted Power Supply (UPS).
Additional Software Requirements
Before installing STRM, make sure you have Java Runtime Environment installed
on your system. You can download Java version 1.5.0_12 at the following web
site: http://java.com/.
Browser Support
You must have a browser installed on your client system to access the STRM
interface. STRM supports the following web browsers:
-Microsoft Internet Explorer 6.0/7.0
-Firefox 2.0
Preparing Your Network Hierarchy
STRM uses the network hierarchy to understand your network traffic and provide
you with the ability to view network activity for your entire deployment. STRM
supports any network hierarchy that can be defined by a range of IP addresses.
You can create your network based on many different variables, including
geographical or business units. For example, your network hierarchy may include
corporate IP address ranges (internal or external), physical departments or areas,
mail servers, and web servers.
Once you define the components you wish to add to your network hierarchy and
install STRM, you can then configure the network hierarchy using the STRM
interface. For each component you wish to add to your network hierarchy, use the
following table to indicate each component in your network map.
At a minimum, we recommend that you define objects in the network hierarchy for:
•Internal/external Demilitarized zone (DMZ)
•VPN
•All internal IP address space (for example, 0.0.0.0/8)
•Proxy servers
•Network Address Translation (NAT) IP address range
•Server Network subnets
•Voice over IP (VoIP) subnets
Table 1-1 Network Hierarchy
Description | Name | IP/CIDR Value | Weight
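An added example, not part of the Juniper guide: a pre-install check of a filled-in Table 1-1 worksheet that rejects malformed IP/CIDR values, lists nested ranges for review, and reports which object an address falls into, so unmapped address space is found before deployment. The rows, weights and the most-specific-range-wins matching are assumptions for illustration; the guide does not state how STRM resolves overlapping objects.

```python
import ipaddress

# Constructed worksheet rows in the column order of Table 1-1:
# (Description, Name, IP/CIDR Value, Weight). All values are illustrative.
WORKSHEET = [
    ("External DMZ",       "DMZ",      "192.0.2.0/24",    90),
    ("VPN clients",        "VPN",      "10.8.0.0/16",     60),
    ("All internal space", "Internal", "10.0.0.0/8",      50),
    ("Server subnets",     "Servers",  "10.1.0.0/16",     80),
    ("VoIP subnets",       "VoIP",     "10.1.20.0/24",    70),
    ("NAT range",          "NAT",      "198.51.100.5/28", 40),  # host bits set
]

def load(rows):
    """Parse rows into ([(name, network, weight)], [problem strings])."""
    objects, problems, names, nets = [], [], set(), {}
    for _desc, name, cidr, weight in rows:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid IP/CIDR value ({exc})")
            continue
        if name in names:
            problems.append(f"{name}: duplicate object name")
        if net in nets:
            problems.append(f"{name}: same range as {nets[net]}")
        names.add(name)
        nets.setdefault(net, name)
        objects.append((name, net, weight))
    return objects, problems

def nested(objects):
    """List (inner, outer) name pairs so intended nesting can be reviewed."""
    return [(a, b) for a, na, _ in objects for b, nb, _ in objects
            if a != b and na.version == nb.version and na != nb and na.subnet_of(nb)]

def classify(ip, objects):
    """Name of the most specific object containing ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name) for name, net, _ in objects
            if addr.version == net.version and addr in net]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    objs, probs = load(WORKSHEET)
    print("problems:", probs)
    print("nested:", nested(objs))
    for ip in ("10.1.20.7", "10.8.3.3", "172.16.4.4"):
        print(ip, "->", classify(ip, objs))
```

An address that classifies as None is traffic the hierarchy would not attribute to any defined object, which is the gap to close on the worksheet before installation.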
For more information, see the STRM Administration Guide - Setting Up STRM,
Creating Your Network Hierarchy.
Identifying Network Settings
Before you install STRM, you must have the following information for each system
you wish to install:
•Hostname
•IP address
•Network Mask address
•Subnet Mask
•Default Gateway
•Primary DNS Server
•Secondary DNS Server (Optional)
•Public IP address for networks using Network Address Translation (NAT)
•E-mail Server
•NTP Server (Console only) or Time server