Juniper Networks, Inc.

Customer Support

Toll Free: 800-638-8296, [email protected]

Copyright Notice

Copyright © 2005 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089-1206

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

•   Reorient or relocate the receiving antenna.
•   Increase the separation between the equipment and receiver.
•   Consult the dealer or an experienced radio/TV technician for help.
•   Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Enterprise Security Profiler

Use of the Enterprise Security Profiler may subject users in certain countries to obligations under applicable laws and regulations, including data protection laws. Juniper Networks makes no representation or warranty that your use of this feature will comply with all applicable laws and regulations and you are encouraged to seek advice of counsel to understand your obligations, if any, under applicable laws and regulations.

Summary of Contents for NetScreen-IDP 3.0

Page 1: ...QUICKSTART GUIDE NetScreen IDP 3 0 V N 3 0 P N 093 1509 000 Rev B...

Page 2: ...The following information is for FCC compliance of Class B devices The equipment described in this manual generates and may radiate radio frequency energy If it is not installed in accordance with Ne...

Page 3: ...GEMENT SERVER 11 CONNECT TO THE IDP APPLIANCE 14 CONFIGURE THE IDP SENSOR 17 CONNECT IDP TO YOUR NETWORK 20 CONNECT THE NS IDP BYP OPTIONAL 22 BSMI WARNING 25 INSTALL THE USER INTERFACE 26 ADD NETWORK...

Page 4: ...s please contact customer support IDP Sensor Package Contents Each NetScreen IDP Sensor package contains An IDP appliance A bezel An accessory box containing 1 North American power cable 2 Ethernet ca...

Page 5: ...p you connect the IDP Bypass Unit to your network and to the IDP appliance 7 Install the User Interface In this step you install the User Interface UI 8 Add Network Components In this step you add the...

Page 6: ...s take full advantage of IDP attack prevention capabilities and MultiMethod Detection mechanisms Choose bridge proxy ARP transparent or router mode Passive Sniffer To use IDP as a passive IDS system w...

Page 7: ...ust use a hub or the span port of a switch Cannot use NS IDP BYP for fail open protection IDP Firewall Hub or Switch Protected Network Eth2 IP 2 2 2 7 Management Network Hub or Switch straight through...

Page 8: ...ch Eth0 192 168 0 1 Forwarding Interface Default GW 192 168 0 2 Eth1 1 1 1 1 Forwarding Interface Protected Network Eth2 2 2 2 7 Management Interface Management Network Hub or Switch...

Page 9: ...ction Can forward non IP traffic transparent mode only IDP Firewall Hub or Switch Eth2 2 2 2 7 Management Interface Management Network Hub or Switch 2 2 2 1 Client1 IP 2 2 2 2 Client2 IP 2 2 2 3 Clien...

Page 10: ...ntries Cannot use NS IDP BYP for fail open protection IDP Firewall Hub or Switch Eth0 1 1 1 254 Forwarding Interface Eth1 1 1 1 5 Forwarding Interface Protected Network Eth2 2 2 2 7 Management Interfa...

Page 11: ...software This is installed by default on RedHat systems For Solaris systems you can download the gzip package for your processor and OS version from http www sunfreeware com Once you have downloaded...

Page 12: ...ement Server 3 Log in to the computer as root If you are already logged in as a user other than root become root by typing su At the password prompt enter the root password for the computer 4 Create a...

Page 13: ...ver processes start automatically Management Server IP Address During the Sensor configuration process you must establish the communication between the Management Server and the Sensor by providing th...

Page 14: ...rd and monitor to the IDP appliance and configure Ethernet access by choosing an Ethernet port IP address and default route After you have configured Ethernet access you connect the IDP appliance to y...

Page 15: ...meters 8 N 1 9600 For Windows use HyperTerminal For Linux use minicom For keyboard and monitor connections connect a keyboard and monitor to the IDP appliance 2 Log in to the IDP appliance as root wit...

Page 16: ...to a hub or switch use a straight through cable 6 Using the computer that is on your network open a Web browser Enter the IP address you chose in the configuration script Because the ACM uses a secure...

Page 17: ...rts Mozilla 1 0 1 and IE 6 0 Web browsers If the font size is too small or difficult to read in your Mozilla Web browser increase the font size to 150 Note During the configuration process you choose...

Page 18: ...on the IDP appliance to these subnets Without these static routes incoming traffic to those subnets can be lost Alternatively you can create a static route from the IDP appliance to an internal gatew...

Page 19: ...nect the serial console keyboard and monitor or other standalone computer from the IDP appliance If you changed the IP address of a standalone computer to access the ACM be sure to change it back to i...

Page 20: ...igurations below display the Ethernet ports and their intended connections your configuration may differ to external network to external network to protected network to protected network eth1 Forwardi...

Page 21: ...a Bypass Unit proceed to Connect the NS IDP BYP optional on page 22 If you are not using a Bypass Unit proceed to Install the User Interface on page 26 to protected network eth0 eth1 1 2 to external n...

Page 22: ...nd eth3 If you have a quad card installed you can also use port pairs eth4 and eth5 eth6 and eth7 or eth8 and eth9 2 Connect NET IN to the untrusted switch 3 Connect NET OUT to the trusted switch The...

Page 23: ...ou must use the specified port pairs Enabling NSRP Frames The Bypass Unit passes NSRP frames However because other software applications also use NSRP layer 2 frames you must enable the Sensor to pass...

Page 24: ...0 100 Base T standard The following table displays media type and distance for these connectors Status LEDs The status LED indicates the operation of the NS IDP BYP device Temperature Operating Normal...

Page 25: ...e Juniper Networks NetScreen IDP 3 0 25 BSMI Warning The Bureau of Standards Metrology and Inspection BSMI is an agency of the government of China Taiwan which requires the following label on technolo...

Page 26: ...ine If Autoplay is enabled the installation starts automatically If not run the install application install exe from your CD ROM drive 3 Follow the directions in the dialog boxes to install the UI Ins...

Page 27: ...Choose your Web browser from the list and then click OK or In the Enter file name field enter the name of the Web browser and then click OK Opening the User Interface When you open the User Interface...

Page 28: ...ct Sensor and then click OK to display the Sensor Editor Enter the information about the Sensor including a unique name Use the VIN and One Time Password from Configure the IDP Sensor on page 17 If yo...

Page 29: ...y Policy template appears Customize the template to your network You must specify the Sensor that you want the Security Policy installed on 4 Choose Policy Install from the menu bar to install the new...

Page 30: ...ab select any individual objects you want the Profiler to exclude from the groups you selected on the Internal Hosts tab On the Profiles tab select Context Objects to profile all contexts Leave the se...

Page 31: ...wnloads new or modified Attack Objects From the menu bar of the User Interface select Tools Update Attacks and follow the instructions in the Attack Update Client wizard to update your Attack Object d...

Page 32: ...WS 3 or Solaris 8 9 Can also install on the Sensor IDP 10 100 500 1000 Required install on a separate computer running Red Hat 7 2 or 8 RHEL AS ES WS 3 or Solaris 8 9 Interfaces IP Addresses Manageme...
