Juniper Networks IDP250 User Manual

IDP Series Intrusion Detection and Prevention Appliances

IDP250 Installation Guide

Release

5.x

Published: 2012-08-16

Part Number: 530-029729-01, Revision 03

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This productincludes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

IDP Series Intrusion Detection and Prevention Appliances IDP250 Installation Guide

Revision History April 2011—03

The information in this document is current as of the date on the title page.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at

http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions

of that EULA.

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Part 1 Hardware and Software Overview

Chapter 1 Hardware Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

IDP250 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Hard Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Fans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

System Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

USB Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Serial Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Management Interface Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

High Availability Interface Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Traffic Interface Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Copper Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Fiber Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Traffic Interface Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Deployment Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Layer 2 Bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Internal Bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

External Bypass . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

NICs Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Peer Port Modulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 2 Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

On-Box Software Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Centralized Management with NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

J-Security Center Updates Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

IDP250 Installation Guide

Part 2 Performing the Installation

Chapter 3 Installation Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 4 Installing the Appliance to Your Equipment Rack and Connecting

Chapter 5 Performing the Initial Network Configuration and Licensing Tasks . . . . . . . 27

Chapter 6 Connecting the IDP Traffic Interfacesto Your Network and Verifying Traffic

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Basic Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Rack Mounting Kits and Required Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Mounting to Midmount Brackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Mounting to Rack Rails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Connecting Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Performing the Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Getting Started with the EasyConfig Wizard (Serial Console Port) . . . . . . . . . . . . 29

Getting Started with the QuickStart Wizard (Management Port) . . . . . . . . . . . . . 30

Getting Started with the ACM Wizard (Management Port) . . . . . . . . . . . . . . . . . . 31

Installing the Product License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Guidelines for Connecting IDP Series Interfaces to Your Network Devices . . . . . . 33

Choosing Cables for Traffic Interfaces (Copper Ports) . . . . . . . . . . . . . . . . . . . . . . 34

Connecting Devices That Support Auto-MDIX . . . . . . . . . . . . . . . . . . . . . . . . 35

Connecting Devices That Do Not Support Auto-MDIX . . . . . . . . . . . . . . . . . . 35

Connecting Devices to Support Internal Bypass . . . . . . . . . . . . . . . . . . . . . . . 35

Connecting and Disconnecting Fiber Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Verifying Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Part 3 Adding the IDP Appliance to NSM

Chapter 7 Adding the IDP Appliance to NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Reviewing Compatibility with NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Adding a Reachable IDP Series Device to NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Part 4 Upgrading Software and Installing Field Replaceable Units

Chapter 8 Upgrading Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Updating Software (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Upgrading Software (CLI Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Chapter 9 Installing Field Replaceable Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Replacing a Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Chapter 10 Reimaging the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Reimaging and Relicensing an Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Part 5 Technical Specifications and Compliance Statements

Chapter 11 Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

IDP250 Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table of Contents

Chapter 12 Compliance Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Standards Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Part 6 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

IDP250 Installation Guide

Preface

This preface includes the following topics:

•

Objectives on page vii

•

Audience on page vii

•

Documentation Conventions on page vii

•

Objectives

This guide explains how to install, configure, update, and service an IDP Series Intrusion Detection and Prevention appliance.

Audience

This guide is intended for experienced system and network specialists.

Documentation Conventions

Table 1: Notice Icons

This section provides all the documentation conventions that are followed in this guide.

Table 1 on page vii defines notice icons used in this guide.

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

IDP250 Installation Guide

Table 2 on page viii defines text conventions used in this guide.

Table 2: Text Conventions

ExamplesDescriptionConvention

Bold typeface like this

fixed-width font

Keynames linkedwith a plus (+)sign

Italics

The angle bracket (>)

Table 3 on page viii defines syntax conventions used in this guide.

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

•

Emphasizes words

•

Identifies variables

Indicates navigation paths through the UI by clicking menu options and links.

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold typeface like this

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

Object Manager > User Objects > Local Objects

Table 3: Syntax Conventions

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by and asterisk ( [ ]*)

variable to the left or right of this symbol. The keywordor variable canbe optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in |out } { clusterId | ipAddress }

Requesting Technical Support

Technical productsupport is available through the Juniper NetworksTechnical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

Describes how to configure and manage IDP devices using NSM. This guide also helps in understanding of how to configure basic and advanced NSM functionality, including adding new devices, deploying new device configurations, updating device firmware, viewing log information, and monitoring the status of IDP devices.

Describes how to use and configure key management features in the NSM. It provides conceptual information, suggested workflows, and examples where applicable. This guide is best used in conjunction with the NSM Online Help, which provides step-by-step instructions for performing management tasks in the NSM UI.

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall andVPN administrators,and network security operation center administrators.

Provides task-oriented procedures describing how to perform basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verifyservice entitlement by productserial number, use our SerialNumber Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

Preface

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see

http://www.juniper.net/support/requesting-support.html .

IDP250 Installation Guide

PART 1

Hardware and Software Overview

•

Hardware Overview on page 3

•

Software Overview on page 15

IDP250 Installation Guide

CHAPTER 1

Hardware Overview

This chapter includes the following topics:

•

IDP250 Overview on page 3

•

Power Supply on page 4

•

Hard Drive on page 4

•

Fans on page 4

•

System Status LEDs on page 4

•

USB Port on page 5

•

Serial Console Port on page 5

•

Management Interface Port on page 5

•

High Availability Interface Port on page 6

•

Traffic Interface Ports on page 7

IDP250 Overview

Documentation

The IDP250 appliance is optimal for medium central sites or large branch offices. Figure

1 on page 3 shows the location of appliance LEDs and ports.

Figure 1: IDP250 Front Panel

System Status LEDs on page 4•

• USB Port on page 5

• Serial Console Port on page 5

• Management Interface Port on page 5

IDP250 Installation Guide

Power Supply

• High Availability Interface Port on page 6

• Traffic Interface Ports on page 7

• IDP250 Technical Specifications on page 59

The appliance has one power supply. It is a field replaceable unit (FRU). You can order a replacement part through your Juniper Networks sales contact. The part number for the IDP250 power supply FRU is UNIV-PS-300W-AC.

You can also order a power cord. The part number for the power cord is CBL-JX-PWR-Country (varies by country).

Documentation

Hard Drive

Fans

System Status LEDs

Replacing a Power Supply on page 53•

The appliance has one 80 GB hard drive. It is not a field replaceable unit (FRU).

When the system is cool, appliance fans spin at a slower speed to reduce noise and save energy. As the system heats up, the fans run at a faster speed. In the event of fan failure, the appliance fault LED blinks and the remaining fan or fans run at full speed until the failed fan is replaced.

The fans for this model are not field replaceable units (FRUs).

Table 6 on page 4 describes system status LED states.

Table 6: System Status LED States

DescriptionStatusLED

System is powered on.Solid greenPower

System is powered off.Off

Hard disk is active.Flashing amberHard Drives

Hard drive has no activity.Off

USB Port

Serial Console Port

Chapter 1: Hardware Overview

Table 6: System Status LED States (continued)

DescriptionStatusLED

Power failure.Slowly blinking redFault

Fan failure.Quickly blinking red

Overheating.Solid red

Heat and power are normal.Off

The appliance has a USB port you can use to reimage the appliance, if necessary. The part number is IDP-FLASH (IDP75, IDP250, IDP800) or IDP-FLASH-8200 (IDP8200).

The console serial port provides access, using an RJ-45 connector, to the command-line interface (CLI).

Management Interface Port

The management interface port is a10/100/1000 Mbps Ethernetport. Inthe configuration and logs, the port is eth0. Use this port as a dedicated management port, connecting the device to a switch accessible by your management subnet.

The IP address you assign the management port is the IP address you use to connect to the Appliance Configuration Manager (ACM) when you initially configure the device. It is also the address the Networkand Security Manager (NSM) uses toconnect to the device.

Figure 2 on page 5 shows the management interface port LEDs.

Figure 2: Management Interface Port LEDs

NOTE: Although both the console serial port and the management port use

RJ-45 connectors, do not plug the network cable into the console serial port.

Table 7 on page 6 describes the management interface port LED states.

IDP250 Installation Guide

Table 7: Management Port LEDs

DescriptionStateLED

Link is present.Glows greenLINK

Activity.Blinks green

No link is present.Off

Connection is 1000 Mbps.OrangeTX/RX

Connection is 100 Mbps.Green

High Availability Interface Port

The high availability interface port is a 10/100/1000 Mbps Ethernet port. In the configuration and logs, the port is eth1. The high availability interface is a dedicated interface used to share state information among IDP appliances in a high availability cluster.

NOTE: IDP OS 5.1 supports high availability. IDP OS 5.0 does not support

high availability.

Figure 3 on page 6 shows the management interface port LEDs.

Figure 3: High Availability Interface Port LEDs

Off

If LINK indicates activity, TX/RX off indicates connection is 10 Mbps.

If LINK indicates no activity, TX/RX off indicates no activity as well.

Table 8 on page 7 describes the high availability interface port LED states.

Table 8: High Availability Port LEDs

DescriptionStateLED

Link is present.Glows greenLINK

Activity.Blinks green

No link is present.Off

Connection is 1000 Mbps.OrangeTX/RX

Connection is 100 Mbps.Green

Chapter 1: Hardware Overview

Traffic Interface Ports

You use the traffic interfaceports toconnect theappliance to your network. The interfaces receive and forward traffic. The type and capacity of interface ports vary by model.

The following topics describe features of traffic interface ports:

•

Copper Ports

Figure 4 on page 7 shows copper port LEDs.

Figure 4: Copper Port LEDs

Off

If LINK indicates activity, TX/RX off indicates connection is 10 Mbps.

If LINK indicates no activity, TX/RX off indicates no activity as well.

Copper Ports on page 7

Fiber Ports on page 8

Traffic Interface Features on page 9

NICs Off on page 12

Peer Port Modulation on page 13

Table 9 on page 8 describes copper port LED states.

IDP250 Installation Guide

Table 9: Copper Port LEDs

DescriptionStateLED

Link is present.Glows greenLINK ACT

Activity.Blinks green

No link present.Off

Connection is 100 Mbps.GreenLINK SPD

Connection is 1 Gbps.Yellow

Fiber Ports

Off

If LINK ACT is on, the connection is 10 Mbps. If LINK ACT is off, LINK SPD off indicates no link is present as well.

Interface is not in bypass mode.GreenBYP

Interface is in bypass mode.Yellow

Interface is turned off (NICs off state).Off

NOTE: For copper interface ports, if failure or shutdown triggers NICs off

state, LINK ACT and LINK SPD LEDs are turned off.

Figure 5 on page 8 shows fiber port LEDs.

Figure 5: Fiber Port LEDs

Table 10 on page 9 describes fiber port LED states.

Table 10: Fiber Port LEDs

Chapter 1: Hardware Overview

DescriptionStateLED

Link is present.Glows greenLINK ACT

Activity.Flashes green

No link present.Off

Connection is 100 Mbps.GreenLINK SPD

Connection is 1 Gbps.Yellow

Connection is 10 Gbps.Orange

Traffic Interface Features

Traffic interfaces are network interface cards (NICs). In the IDP Series configuration abstraction, a pair of traffic interfaces is called a virtual router. For example, virtual router vr1 comprises interfaceports eth2 and eth3. For each virtualrouter, you usethe Appliance ConfigurationManager (ACM) toconfigure the deploymentmode (snifferor transparent) and bypass options (internal, external, oroff). You also configure aglobal setting (affects traffic flow throughall interfaces) onhow to handle Layer 2 packets. The following topics describe these settings:

•

Deployment Mode on page 10

•

Layer 2 Bypass on page 10

•

Internal Bypass on page 10

•

External Bypass on page 12

For guidance on using ACM to configure virtual router settings, see the ACM online help.

Off

If LINK ACT is on, the connection is 10 Mbps. If LINK ACT is off, LINK SPD off indicates no link is present as well.

Interface is not in bypass mode.GreenBYP

Interface is in bypass mode.Yellow

Interface is turned off (NICs off state).Off

NOTE: For fiber interface ports, if failure or shutdown triggers NICs off state,

LINK ACT and LINK SPD LEDs remain lit.

IDP250 Installation Guide

Deployment Mode

You specify a deployment mode for each virtual router. You have two options:

•

Transparent—In an in-path, transparent mode deployment, traffic arrives in one interfaceand is forwarded through the other. The IDP Series appliance detects attacks and takes action according to your security policy rules. You connect the IDP Series traffic interfaces to firewalls or switches in the network path.

•

Sniffer—In an out-of-path, sniffer mode deployment, the IDP Series appliance can detect attacks but can take only limited action. You connect the IDP Series traffic interfaces to a mirrored port of a network hub or switch.

Layer 2 Bypass

You enable or disable Layer 2 bypass to determine how the IDP Series device handles Layer 2 packets.

When the IDP Series appliance is deployed in the path ofnetwork traffic, itcan take three types of actions on the packets it receives:

•

Drop it.

•

Pass it through.

•

Process it according to IDP OS rules to determine whether to drop it, forward it, rate limit, and so forth.

The IDP Series appliance processes Layer 2 traffic as follows:

•

Processes address resolution protocol (ARP) and Layer 2 packets related to internet protocol (IPv4) traffic.

•

Drops all other Layer 2 traffic, unless the Layer 2 bypass setting is enabled.

•

When Layer 2 bypass is enabled, the IDP Series device passes through Layer 2 packets related to bypass and high availability deployments (such as heartbeats or Bridge Protocol Data Unit (BPDU) packets), and non-IPv4 packets and packets related to switching and routing protocols, such as IPv6, internetwork packet exchange (IPX), Cisco Discovery Protocol (CDP), and interior gateway routing protocol (IGRP), and so forth.

The IDP Series appliance processes TCP/IP traffic according to implicit rules related to traffic anomaly detection and explicit rules specified in the security policy.

Internal Bypass

The Internal Bypass feature is intended for deployments where a network security policy privileges availability over security. In the event of failure or graceful shutdown, traffic bypasses the IDP processing engine and is passed through the IDP Series device uninspected.

The Internal Bypass feature operates through a timing mechanism. When enabled, the timer on traffic interfaces counts down to a bypass trigger point. When the IDP Series

Chapter 1: Hardware Overview

appliance is turned on and available, it sends a reset signal to the traffic interface timer so that it does not reach the bypass trigger point. If the IDP OS encounters failure, then it fails to send the reset signal, the timer counts down to the trigger point, and the traffic interfaces enter a bypass state. If the IDP Series appliance is shut down gracefully, the traffic interfaces immediately enter bypass.

With copper NICs, the bypass mechanism joins the interfaces mechanically to form a circuit that bypasses IDP processing. Packets traverse the IDP Series device as if the path from eth2 (receiving interface) to eth3 (transmiting interface) were a crossover cable. No packet inspection or processing occurs.

With fiber NICs, the bypass mechanism uses use optical relays instead of copper relays. During normal operations, the optical relays send light to thebuilt-in opticaltransceivers. When bypass is triggered, therelaysflip state, and the light signal isredirectedto optically connect the two external ports.

Figure 6 on page 11 compares the data path when Internal Bypass is enabled but not

activated with the data path when Internal Bypass is activated.

Figure 6: Internal Bypass

When the IDP OS resumes healthy operations, it sends a reset signal to the traffic interfaces, and the interfaces resume normal operation.

NOTE: All copper port traffic interfaces support internal bypass. Some, but

not all, fiber port traffic interfaces support internal bypass. Check with your sales contact for applicable part numbers.

NOTE: Bypass settingsare applicableonly for deploymentswhere the virtual

router is in the network path—transparent mode deployments.

IDP250 Installation Guide

NOTE: The bypass and PPM featuresare applied independently. The Internal

Bypass setting is related to the status of the IDP operating system. The peer

port modulation setting is related to the status of the link. It is possible to have a healthy operating system and a link with status down, or a failed operating system and a link with status up.

External Bypass

The External Bypass setting supports third-party external bypass units. Deployments with external bypass units depend on the functionality of the external bypass unit to check the status of the IDP Series appliance and make the determination whether to send packets through or around the IDP Series device. Most external bypass units test for availability by sending heartbeat packets through the device. If the packets reach the expected destination, the external bypass unit allows the traffic to continue through the IDP Series appliance. If the packets fail to reach the expected destination, the external bypass unit determines the IDP Series is unavailable, so it forwards traffic around the IDP Series device. The IDP Series supports external bypass solutions by allowing the heartbeat traffic to pass through the device regardless of the Layer 2 Bypass setting. In other words, if you disable Layer 2 Bypass and enable External Bypass, most Layer 2 traffic will be dropped but the heartbeat traffic used in the external bypass deployment will bepassed through. Figure 7 on page 12 comparesthe data path when ExternalBypass is enabled but not activated with the data path when External Bypass is activated.

NICs Off

Figure 7: External Bypass

The NICs Offsetting isintended to supportnetwork security policies that privilege security over availability—you want the network path to be unavailable if the IDP Series device

+ 54 hidden pages

Juniper Networks IDP250 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Table of Contents

Preface

Objectives

Audience

Documentation Conventions

Related Documentation

Requesting Technical Support

Self-Help Online Tools and Resources

Opening a Case with JTAC

IDP250 Overview

Power Supply

Hard Drive

Fans

System Status LEDs

USB Port

Serial Console Port

Management Interface Port

High Availability Interface Port

Traffic Interface Ports

Copper Ports

Fiber Ports

Traffic Interface Features

Deployment Mode

Layer 2 Bypass

Internal Bypass

External Bypass

NICs Off