manualshive.com logo in svg

Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1, Administration Manual

The Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 is an essential manual for those looking to effectively manage and secure their network. This comprehensive admininstration manual can be downloaded for free from manualshive.com, providing users with all the necessary information to successfully navigate the platform.

Share
Download
background image

Table 124: Deep Inspection Alarm Log Entries

(continued)

Versions

Severity

Attack Description

Attack Name

sos5.1.0

info

This signature detects attempts to login to the MSN network
using an MSN Messenger client.

CHAT:MSN:LOGIN-ATTEMPT

sos5.1.0

high

This signature detects buffer overflow attempts against the
SQLXML-ASAPI Extension in Microsoft SQL Server 2000.
The SQLXML-ASAPI extension handles data queries over
HTTP (SQLXML HTTP); attackers may connect to the target
host and submit maliciously crafted data to create a buffer
overflow.

DB:MS-SQL:SQLXML-ISAPI-OF

sos5.1.0

info

This protocol anomaly is a DNS request/reply in which the
question/resource address class is not IN (Internet Address).
Although allowed by the RFC, this should happen only in
rare circumstances and may indicate an exploit attempt.

DNS:AUDIT:CLASS-NON-IN

sos5.1.0

info

This protocol anomaly is a DNS reply with a resource
specifying a CLASS ID reserved for queries only (QCLASS).
This may indicate an exploit attempt.

DNS:AUDIT:QCLASS-UNEXP

sos5.1.0

info

This protocol anomaly is a DNS reply with a resource
specifying a TYPE ID reserved for queries only (QTYPE). This
may indicate an exploit attempt.

DNS:AUDIT:REP-QTYPE-UNEXPECTED

sos5.1.0

info

This protocol anomaly is a DNS reply with a query/reply bit
(QR) that is unset (indicating a query). This may indicate an
exploit attempt.

DNS:AUDIT:REP-S2C-QUERY

sos5.1.0

info

This protocol anomaly is a DNS request with a query/reply
bit (QR) set (indicating a reply). This may indicate an exploit
attempt.

DNS:AUDIT:REQ-C2S-RESPONSE

sos5.1.0

info

This protocol anomaly is a client-to-server DNS message
with the recursion-available bit (RA) set. This may indicate
an exploit attempt.

DNS:AUDIT:REQ-INVALID-HDR-RA

sos5.1.0

info

This protocol anomaly is a DNS request with request type
set to "ANY".

DNS:AUDIT:TYPE-ANY

sos5.0.0,
sos5.1.0

high

This protocol anomaly is an empty DNS UDP message. This
may indicate an exploit attempt.

DNS:EXPLOIT:EMPTY-UDP-MSG

sos5.0.0,
sos5.1.0

high

This protocol anomaly is an rdataset parameter to the
dns_message_findtype() function in message.c that is not
NULL. In BIND 9 (up to 9.2.0), attackers may cause a
shutdown on an assertion failure. Note: Common queries in
routine operations (such as SMTP queries) may trigger this
anomaly.

DNS:EXPLOIT:EXPLOIT-BIND9-RT

sos5.0.0,
sos5.1.0

high

This protocol anomaly is a DNS message with a set of DNS
pointers that form a loop. This may indicate a
denial-of-service (DoS) attempt.

DNS:EXPLOIT:POINTER-LOOP

Copyright © 2010, Juniper Networks, Inc.

876

Network and Security Manager Administration Guide

Summary of Contents for NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1

Page 1: ...Juniper Networks Network and Security Manager Administration Guide Release 2010 4 Published 2010 11 17 Revision 1 Copyright 2010 Juniper Networks Inc...

Page 2: ...e GateD software copyright 1988 Regents of the University of California All rights reserved Portions of the GateD software copyright 1991 D L S Associates This product includes software developed by M...

Page 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Page 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Page 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Page 6: ...Copyright 2010 Juniper Networks Inc vi...

Page 7: ...Device Configuration 5 Device Management 5 Importing Devices 6 Device Modeling 6 Rapid Deployment 6 Policy Based Management 6 Error Prevention Recovery and Auditing 7 Device Configuration Validation...

Page 8: ...Administrators 33 Searching in the User Interface 33 Contains String C Search Mode 34 Starts With S Search Mode 34 Regular Expression R Search Mode 35 IP I Search Mode 36 Search for an Exact Match E...

Page 9: ...les 62 Using Role Based Administration Effectively 63 Enterprise Organizations 63 Geographical Divisions 64 NOC and SOC 64 Administrator Types 64 Service Providers 65 Internal Network 66 Managed Secur...

Page 10: ...ntrust Port Mode 105 Home Work Port Mode 105 Dual Untrust Port Mode 106 Combined Port Mode 106 Trust Untrust DMZ Port Mode 107 Trust Untrust DMZ Extended Mode 108 DMZ Dual Untrust Port Mode 109 Port M...

Page 11: ...147 Adding Vsys Devices 147 Placing the Root Device in a Global Domain or a Subdomain 147 Importing Vsys Devices 148 Modeling Vsys Devices 149 Adding L2V Root Systems 150 Adding an Extranet Device 151...

Page 12: ...deling and Activating Many Devices with Configlets 180 Activating Many Devices with Configlets 181 Adding Device Groups 181 Example Creating a Device Group 182 Setting Up NSM to Work With Infranet Con...

Page 13: ...213 Identifying Ordered List Entries That Do Not Match the Template or Configuration Group Order 216 Using the Template Operations Directive 217 Select OS Name Section 218 Select Devices Section 218...

Page 14: ...Configuration File 240 Automatic Import of Configuration Files 241 Chapter 6 Updating Devices 243 About Updating 243 How the Update Process Works 244 About Atomic Configuration ScreenOS Devices 245 Ab...

Page 15: ...Page Shared Object 279 Importing Antivirus Live Update Settings 280 Uploading Live Update Settings 280 280 Linking to a Live Update File Shared Object 280 Importing Endpoint Security Assessment Plug i...

Page 16: ...296 Scheduling Security Updates 296 Example Update Attack Objects and Push to Connected Devices 298 Scheduling the Update 298 Example Using Crontab to Schedule Attack Updates 299 Viewing Scheduled Sec...

Page 17: ...dress Object 328 Editing and Deleting Address Objects 329 Replacing Address Objects 329 Adding an Address Object Group 329 Adding a Multicast Group Address Object 330 Adding Static DNS Host Addresses...

Page 18: ...360 Configuring Compound Attack Members 360 Configuring the Direction Filter 362 Creating Custom DI Attack Groups 362 Creating Custom IDP Attack Groups 363 Creating Static Attack Groups 363 Creating D...

Page 19: ...ervice Objects 387 Viewing Predefined Services 387 Creating Custom Services 389 Service Object Groups 390 Example Creating a Custom Service and Group 391 Example Creating a Custom Sun RPC Service 392...

Page 20: ...jects 424 Using CRLs 424 Configuring CRLs 425 Configuring Extranet Policies 425 Configuring Binary Data Objects 426 Adding Binary Data Objects 426 Viewing Editing and Deleting Binary Data Objects 427...

Page 21: ...and Destination Addresses for Firewall Rules 450 Support for Any IPv6 as a Source Address 451 Configuring Services for Firewall Rules 452 Defining Actions for Firewall Rules 452 Selecting Devices for...

Page 22: ...Rules 481 Entering Comments for IDP Rules 481 Configuring multiple IDP policies for an MX Series Router 481 Configuring Application Policy Enforcement APE Rules 483 Adding the APE Rulebase Using the...

Page 23: ...tting an Alert 497 Logging Packets 497 Setting Severity 497 Specifying VLANs 498 Setting Target Devices 498 Entering Comments 498 Configuring SYN Protector Rules 498 The TCP Handshake 498 SYN Floods 4...

Page 24: ...e Options 507 Setting Notification 507 Setting Logging 507 Setting an Alert 508 Logging Packets 508 Setting Severity 508 Specifying VLANs 508 Setting Target Devices 508 Entering Comments 508 Installin...

Page 25: ...prerules and postrules 528 Managing prerules and postrules 529 Add prerules and postrules 529 Push prerules and postrules to Regional Server 529 Modify prerules and postrules 529 Delete prerules and p...

Page 26: ...Protecting Data in the VPN 556 Using IPSec 556 Using L2TP 558 Choosing a VPN Tunnel Type 558 About Policy Based VPNs 559 About Route Based VPNs 559 VPN Checklist 559 Define Members and Topology 559 D...

Page 27: ...ing Users 585 Editing the VPN Configuration 586 Editing VPN Overrides 586 VPN Manager Examples 586 Example Configuring an Autokey IKE Policy Based Site to Site VPN 586 Example Configuring an Autokey I...

Page 28: ...t Mode 631 Using Central Manager 631 Adding a Regional Server Object 631 Deleting a Regional Server Object 632 Logging into a Regional Server 632 Installing Global Policy to a Regional Server 632 Prer...

Page 29: ...figuration Conflicts with the Infranet Controller in the UAC Manager 653 Enabling 802 1X on Enforcement Point Ports in the UAC Manager 654 Disabling 802 1X on Enforcement Point Ports in the UAC Manage...

Page 30: ...ng Server Status 701 Viewing Additional Server Status Details 702 Viewing Process Status 703 Using Management System Utilities 705 Using Schema Information 706 Viewing Device Schema 707 Chapter 18 Ana...

Page 31: ...able Components 728 Stopping Worms and Trojans 729 Example SQL Worm 729 Example Blaster Worm 730 Accessing Data in the Profiler Database 730 About Security Explorer 731 Security Explorer Main Graph 73...

Page 32: ...rends Server 753 Managing Packet Data in Logs 753 Using the Log Viewer 756 Using Log Views 757 About Predefined Log Views 757 Creating Custom Views and Folders 759 Creating Per Session Views 760 Log V...

Page 33: ...it Log Table 789 Managing the Audit Log Table 790 Target View and Device View 792 Setting a Start Time for Audit Log Entries 792 Managing Log Volume 793 Automatic Device Log Cleanup 793 Archiving Logs...

Page 34: ...IDP Reports 812 Screen Reports 813 Administrative Reports 814 UAC Reports 814 Profiler Reports 815 AVT Reports 815 SSL VPN Reports 815 EX Series Switches Report 816 My Reports 816 Shared Reports 816...

Page 35: ...ttack Trends 829 Example Using DI Reports to Detect Application Attacks 829 Using the Watch List 829 Part 5 Appendixes Appendix A Glossary 833 Network and Security Manager NSM Term Definitions 833 App...

Page 36: ...Copyright 2010 Juniper Networks Inc xxxvi Network and Security Manager Administration Guide...

Page 37: ...gure 15 User in Domain global with a Predefined Role 71 Figure 16 User in Domain global with Custom Role r1 72 Figure 17 User in Subdomain d1 With a Predefined Role 72 Figure 18 User in Subdomain d1 W...

Page 38: ...IP Based Session Limit 209 Figure 53 View DoS Value for SYN ACK ACK Proxy Protection Setting 209 Figure 54 View Default SYN ACK ACK Proxy Protection Setting 209 Figure 55 Up and Down Arrows for Chang...

Page 39: ...for AutoKey IKE VPN 590 Figure 91 Add Chicago Protected Resource for AutoKey IKE RAS VPN 592 Figure 92 Add New Local User for AutoKey IKE RAS VPN 592 Figure 93 Configure Security for AutoKey IKE RAS...

Page 40: ...vestigator Results 785 Figure 114 Audit Log Viewer UI Overview 789 Chapter 20 Reporting 809 Figure 115 Generating A Quick Report 825 Figure 116 Logs by User Set Flag Report 826 Figure 117 Top FW VPN R...

Page 41: ...ts 21 Table 13 Validation Status for Devices 32 Table 14 Validation Icons 32 Chapter 3 Configuring Role Based Administration 61 Table 15 How to Authenticate Users 69 Table 16 Predefined NSM Administra...

Page 42: ...ce NAT Configuration Options 418 Table 42 Destination NAT Configuration Options 420 Chapter 9 Configuring Security Policies 435 Table 43 IDP Rule Actions 473 Table 44 Severity Levels Recommended Actio...

Page 43: ...ata 717 Table 86 Network Profiler Data 718 Table 87 Applciation Profiler Data 721 Table 88 Detailed Network Information Data 725 Table 89 Transitional Graphs 736 Chapter 19 Logging 739 Table 90 Event...

Page 44: ...ppendix A Glossary 833 Table 119 CIDR Translation 837 Appendix B Unmanaged ScreenOS Commands 859 Table 120 Unmanaged Commands for Firewall VPN Devices 859 Appendix C SurfControl Web Categories 861 Tab...

Page 45: ...s a technical overview of the management system architecture It also explains how to configure basic and advanced NSM functionality including adding new devices deploying new device configurations upd...

Page 46: ...rts you to the risk of personal injury from a laser Laser warning Table 2 on page xlvi defines text conventions used in this guide Table 2 Text Conventions Examples Description Convention Issue the cl...

Page 47: ...tional or required Words separated by the pipe symbol internal external Represent optional keywords or variables Words enclosed in brackets level 1 level 2 11 Represent optional keywords or variables...

Page 48: ...Devices Guide Provides procedures for basic tasks in the NSM user interface It also includes a brief overview of the NSM system and a description of the GUI elements Network and Security Manager Onlin...

Page 49: ...ww juniper net us en local pdf resource guides 7100059 en pdf Product warranties For product warranty information visit http www juniper net support warranty JTAC Hours of Operation The JTAC centers h...

Page 50: ...AC on the Web or by telephone Use the Case Management tool in the CSC at http www juniper net cm Call 1 888 314 JTAC 1 888 314 5822 toll free in the USA Canada and Mexico For international or direct d...

Page 51: ...he management system and describe how to prepare to integrate your existing network security structure using NSM role based administration tools Part 1 contains the following chapters Introduction to...

Page 52: ...Copyright 2010 Juniper Networks Inc 2 Network and Security Manager Administration Guide...

Page 53: ...works of all sizes and complexity You can add a single device or create device templates to help you deploy multiple devices You can create new policies or edit existing policies for security devices...

Page 54: ...he global domain and then create subdomains that automatically inherit these definitions from the global domain Role Based Administration Control access to management with NSM Define strategic roles f...

Page 55: ...guration The same group can be applied to different sections of the configuration and different sections of one group s configuration statements can be inherited in different places in the configurati...

Page 56: ...work design and deploy a new security policy with traffic shaping or create a new VPN tunnel that connects a branch office to your corporate network Rapid Deployment Rapid Deployment RD enables deploy...

Page 57: ...Configuration Validation NSM alerts you to configuration errors while you work in the UI Each field that has incorrect or incomplete data displays an error icon Move your cursor over the icon to see d...

Page 58: ...M provides the tools and features you need to manage your devices as a complete system as well as individual networks and devices To manage an individual device create a single device configuration de...

Page 59: ...nformation about your managed devices in the Device Monitor Configuration and connection status of your managed devices Individual device details such as memory usage and active sessions Device statis...

Page 60: ...system see the Network and Security Manager Installation Guide Architecture NSM is a three tier management system made up of a user interface UI management system and managed devices The devices proce...

Page 61: ...gement system is made up of two components GUI Server Device Server See Figure 2 on page 11 Figure 2 NSM System Architecture GUI Server The GUI Server manages the system resources and data that drive...

Page 62: ...tion data to the NSM UI for viewing or to the local data store for later retrieval guiSvrMasterController GUI Server License Manager is responsible for license storage retrieval and validation guiSvrL...

Page 63: ...Walker Device Server Database Server devSvrDBServer Device Server Profiler Manager devSvrProfilerMgr Managed Devices In addition to dedicated security devices such as firewalls and IDP sensors your ma...

Page 64: ...NetScreen 204 ScreenOS 4 0 5 0 5 0 FIPS 5 1 5 2 5 3 5 3 TMAV 5 4 5 4 FIPS Juniper Networks NetScreen 208 ScreenOS 4 0 5 0 5 0 FIPS 5 0 NSGP 5 0 GPRS 5 1 5 1 GPRS 5 1 shotglass 5 2 5 3 5 3 TMAV 5 4 5...

Page 65: ...r2 and later 6 1 6 2 6 3 Juniper Networks SSG 320M ScreenOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 350 ScreenOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 350M ScreenOS 5 1 SSG 5 4 5 4...

Page 66: ...service outage and a longer upgrade time SSG 5 SB replaces NetScreen 5GT SSG 5 SB is a 10 user variant of SSG 5 similar to the existing 10 user variant of NS 5GT Devices Running Junos OS Devices runn...

Page 67: ...se 9 3 9 4 9 5 9 6 10 0 10 1 10 2 10 3 Juniper Networks J6350 Services Router Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 10 3 Juniper Networks J6350 Services Router with IDP Junos OS Release 9 5...

Page 68: ...40e Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 10 3 Juniper Networks M120 Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 10 3 Juniper Networks M320 Junos OS Release 10 2 10 3 Juniper Networks MX...

Page 69: ...os OS Release 9 2 9 3 9 4 9 5 9 6 10 0 10 1 10 2 10 3 Juniper Networks EX3200 24P Junos OS Release 9 2 9 3 9 4 9 5 9 6 10 0 10 1 10 2 10 3 Juniper Networks EX3200 24T Junos OS Release 9 2 9 3 9 4 9 5...

Page 70: ...Versions of SA Software NSM Supports Security Device SA Release 6 3 6 4 6 5 7 0 Juniper Networks Secure Access 2000 SA Release 6 3 6 4 6 5 7 0 Juniper Networks Secure Access 2500 SA Release 6 3 6 4 6...

Page 71: ...is described by a unique Data Model DM that contains all the configuration data for that individual device The Abstract Data Model ADM contains configuration data for all objects in a specific domain...

Page 72: ...SRX Series Services Gateways M Series Multiservice Edge Routers and MX Series Ethernet Services Routers EX Series Ethernet Switches Secure Access products Infranet Controller products See Managed Dev...

Page 73: ...e following characters are not supported for NSM administrator names and passwords Period Number sign Dollar sign Asterisk Ampersand Circumflex NOTE Passwords in the NSM UI are case sensitive Managing...

Page 74: ...hows a sample UI screen Figure 3 Overview of the User Interface Navigation Tree The navigation tree provides three panels Investigate panel Provides NSM modules with tree structures for monitoring you...

Page 75: ...the Network and Security Manager Online Help Toolbar The toolbar contains buttons for common tasks The buttons displayed in the toolbar are determined by the selected module Status Bar The status bar...

Page 76: ...Report Manager contains summary graphs and charts that describe specific security events that occur on your network NSM generates reports to show the information contained in your log entries You can...

Page 77: ...more details see Analyzing Your Network on page 709 The Security Monitor applies to ScreenOS devices and IDP sensors It does not apply to J Series SRX Series Secure Access Infranet Controller M Serie...

Page 78: ...ges security policies that contain the firewall multicast and VPN rules that control traffic on your network for devices that support centralized policy management Using a graphical easy to use rule b...

Page 79: ...list of associated ICs and their port details You can use this feature to resolve configuration conflicts and enable or disable 802 1X ports on enforcement points Object Manager The Object Manager con...

Page 80: ...ce is a collection of routing tables interfaces contained in these routing tables and routing option configurations A routing instance object configured in Object Manager can be included in the RADIUS...

Page 81: ...epresent your management system components Servers Manage the individual server processes that make up your NSM system Server Monitor Monitors the status of your NSM servers Schema Information Allows...

Page 82: ...messages Each has its own icon and text color in the tool tips as shown in Table 14 on page 32 Table 14 Validation Icons Priority Meaning Message Type Icon Highest Indicates that a configuration or p...

Page 83: ...ed enabling other administrators to edit it However because the UI does not immediately refresh the object values you must manually refresh the UI to view the most recent versions When you attempt to...

Page 84: ...ey to end the search operation and close the window The following sections provide examples of each search mode Contains String C Search Mode Use to locate a pattern anywhere in a string For example t...

Page 85: ...bjects that detect denial of service attacks 1 In the main navigation tree select Object Manager Attack Objects DI Objects and then select the Predefined Attacks tab 2 Select the first entry in the co...

Page 86: ...ess Table tab 2 Select the first entry in the column IP Domain Name and then press the backslash key to display the search mode window 3 Enter I and then enter 5 5 5 The UI automatically highlights th...

Page 87: ...ing bbbb 1 In the main navigation tree select Object Manager Address Objects then select the Address Table tab 2 Select any entry in the Namecolumn and then press the backslash key to display the sear...

Page 88: ...lated information If you select Name you must enter the name of the object in the Name field You can then specify whether you want the search to be a Case Sensitive or Regular Expression type of searc...

Page 89: ...f devices appears in the Install On box 4 Click the Search button to execute the search The SearchResults appear at the bottom of the dialog box The applicable search category is listed to the left an...

Page 90: ...Copyright 2010 Juniper Networks Inc 40 Network and Security Manager Administration Guide...

Page 91: ...Devices Overview on page 41 Configuring IDP Capable Devices Overview on page 45 Simplifying Management on page 55 Creating an Information Banner on page 58 Configuring Devices Overview To manage Juni...

Page 92: ...vice and import your device configuration a In the NSM main navigation tree select Device Manager Devices b In the main display area click the Add icon and select Device Follow the instructions in the...

Page 93: ...heir permission level by creating and assigning roles See Configuring Role Based Administration on page 61 for details 3 Add your devices and model their device configurations in NSM Use templates to...

Page 94: ...that all device parameters are correct Check progress in Job Manager For details about pushing a configuration to a device see Updating Devices on page 243 7 Create VPN rules Create Protected Resourc...

Page 95: ...etScreen IDP 4 x The NSM system consists of the Device Server and the GUI Server the NSM User Interface is a client application used to access information stored in the NSM system Guidance for Intende...

Page 96: ...configuring and managing IDP on the ISG2000 and ISG1000 devices Although you can use the ScreenOS CLI or Web UI to configure the firewall VPN capabilities of the security device you must use the NSM U...

Page 97: ...xisting ISG2000 or ISG1000 device that is currently managed by NSM then upgrade the device firmware to ScreenOS 5 0 0 IDP1 NOTE After you have upgraded the firmware you must reimport the device config...

Page 98: ...ck wizard 2 Follow the directions in the Change Device Sigpack wizard to update the attack object database on the selected managed devices Adding Objects Optional Create address objects for the networ...

Page 99: ...000 device as a dedicated IDP system configure a single firewall rule that directs all traffic to the IDP rules By default the firewall denies all traffic NOTE When operating the security device in a...

Page 100: ...etect specific malicious or anomalous activity in your network traffic For an overview of creating rules in the IDP rulebase see Configuring a Security Policy for IDP on page 48 For details see Config...

Page 101: ...dow and select Add Backdoor Rulebase to open the selected rulebase tab Configure IDP Rules IDP detection and prevention capabilities work against attacks by dropping connections during the attack dete...

Page 102: ...the current and future connections to or from the same IP address You configure IDP actions in the Action column of an IDP rule For details see Defining Actions For IDP Rules on page 473 You configur...

Page 103: ...policy installation NSM installs the entire security policy including the firewall and IDP rules on the security devices you selected in the Install On column of each rule To install a policy a In th...

Page 104: ...recommend that you perform frequent updates to the attack object database and to the IDP detection engine described in Managing the Attack Object Database on page 289 Creating IDP Only Administrators...

Page 105: ...vice group Create reports using the log information from the entire device group Using Device Templates A template is a predefined device configuration that helps you reuse common information A domain...

Page 106: ...e individual policy in the Security Policies list To simplify policy management and maintenance you can merge two policies into a single policy For details on merging policies see Configuring Security...

Page 107: ...ides Function Some common functional abbreviations SV Server WS Workstation IIS Web Server MSX Mail Server SQL SQL Server SMS SMS Server APP Application Server Service Abbreviated name of the main ser...

Page 108: ...into the NSM UI until they accept the message to continue If this banner is used users are required to accept the message each time they log in You can add an information banner from Central Manager o...

Page 109: ...Setting Up an Information Banner The message is immediately available to NSM users connected to the server as shown in Figure 13 on page 59 Figure 13 Information Banner Login into Central Manager The...

Page 110: ...iately available to all NSM users server wide Deleting an Information Banner This procedure assumes that a Central Manager administrator is logged onto a Central Manager client or a super user is logg...

Page 111: ...egy and how to prepare your network for NSM NSM includes many features specifically designed for managing multiple Juniper Networks devices such as device groups and templates This chapter contains th...

Page 112: ...tant if you plan to use VPNs in your network Because you can create VPNs only between devices in the same domain be sure to add the devices you want to connect with a VPN to the same domain About Role...

Page 113: ...both your existing network structure and your desired permission structure Network Structure Use multiple domains to segregate large geographically distant networks into locally managed sections Perm...

Page 114: ...typically the same location for small organizations but might be physically separate for larger more complex organizations Whether combined or separate NOC and SOC administrators perform distinct role...

Page 115: ...ws reports for one or more domains A regional reporting administrator has a role with activities for viewing reports for their regional subdomain a corporate reporting administrator has a role with ac...

Page 116: ...he super administrator creates The internal network of the CNM A subdomain for each customer The customer subdomain contains the devices and objects that belong to the customer network Because the cus...

Page 117: ...assign new subdomains to the super administrator However to assign a subdomain to another administrator you must first create the administrator and specify their permissions within a selected subdoma...

Page 118: ...functionality we recommend that you consider the security of the super administrator password appropriately If you forget or lose the super administrator password please contact the Juniper Technical...

Page 119: ...ping assignments and domain names in NSM If you use Steel Belted RADIUS you can copy the NSM RADIUS dictionary to your RADIUS server This file netscreen dct is available in the NSM If you installed NS...

Page 120: ...ows an example Figure 14 Creating Custom Domain In Figure 14 on page 70 users belong to domain d1 and role r1 is defined in domain1 Therefore the domain name is global d1 and the role is global d1 glo...

Page 121: ...tically inherited into the subdomain and can be assigned to a subdomain user NOTE A role defined in a subdomain belongs only to that subdomain Assigning Roles If a user is defined in the local databas...

Page 122: ...ed in the NSM in global domain Figure 17 User in Subdomain d1 With a Predefined Role Figure 18 User in Subdomain d1 With a Custom Role r1 Create the custom role r1 in the subdomain d1 Copyright 2010 J...

Page 123: ...Roles r1 and r2 are the custom roles assigned to the user Figure 20 Assigning Multiple Roles to a User in Subdomain Both r1 and r2 are the custom roles assigned to the user 73 Copyright 2010 Juniper...

Page 124: ...s tab and choose a role for the new administrator When you assign a role to an NSM administrator the administrator can perform the predefined system activities specified in that role You can select a...

Page 125: ...then switch to a subdomain using the domain menu For details on creating a subdomain see Creating Subdomains on page 91 Creating Custom Roles For more complex and diverse permissions requirements cre...

Page 126: ...ect Create Delete Edit View Address Objects Pre rules and post rules are ordered lists of rules that are defined from the Central Manager at the global domain and subdomain levels as well as on region...

Page 127: ...Create Edit View Backdoor Rulebase Allows an administrator to view a list of IP addresses blocked because of repeated failed attempts to log in to the server View Blocked IP A CA object represents a...

Page 128: ...and managed devices Create Delete Edit View Database Versions Deep Inspection is a mechanism for filtering traffic that a security device permits You can enable Deep Inspection in firewall rules to e...

Page 129: ...nt that occurred on a security device View Hide and Unhide Purge Archive Retrieve Device Logs This activity enables an administrator to view device passwords in configuration summaries and Job Manager...

Page 130: ...u to configure and manage third party routers Create Delete Edit View Extranet Policy Objects Use Dial in objects to dial in and manage a device as a console You can create and edit lists of allowed n...

Page 131: ...ator can also view shared historical log reports and their definitions View Historical Log Reports An ICAP object defines a server or server group to act as an ICAP AV server Create Delete Edit View I...

Page 132: ...those logs from the management system Purge Job Status Logs A job is a task that NSM performs such as updating a device generating a device certificate request or importing a device View Cancel active...

Page 133: ...custom IKE phase 1 and phase 2 proposals Create Delete Edit View Phase1 Phase2 Proposal Allows an administrator to manage custom objects added to a Policy table Create Delete Edit View Policy Custom...

Page 134: ...c object similar to zone objects that maintains the mapping between the actual routing instance and the device in which it is created Create Delete Edit View Routing Instance Object A rulebase in a se...

Page 135: ...t from Shared Reports to My Reports Create Edit Delete Shared Historical Log Report A subdomain is a separate unique representation of other networks that exist within your larger network View Create...

Page 136: ...get command Troubleshoot Devices Allows an administrator to remove IP addresses from a list of IP addresses blocked because of repeated failed attempts to log in to the server N A Unblock IP Allows a...

Page 137: ...ions granted to some activities have changed across releases which can cause behaviors to change following migration Permissions Changes in Release 2008 1 In Release 2008 1 the Create Device Device Gr...

Page 138: ...4 x device only Set Admin Ports 4 x device only Set Admin SSH Enable Disable 4 x device only Edit Device Admin Failover Failover Device Modify BGP Peer Session BGP Refresh Route BGP Update Route on P...

Page 139: ...y configuration of EX Series switches in the device itself Firewall Rulebase Configuration for Junos devices that support central policy management Allows editing of the policy configuration of J Seri...

Page 140: ...e predefined system administrator role Forcing an Administrator to Log Out As of Release 2007 3 the system administrator can forcibly log out an administrator To log out an administrator forcibly 1 Fr...

Page 141: ...for the currently selected domain subdomains appear only when you view the global domain You can designate a default RADIUS authentication server for the global domain and for each subdomain The defau...

Page 142: ...on tree select the first subdomain MA_company1 NSM loads the subdomain 2 From the Menu bar click Tools Manage Administrators and Domains 3 In the Administrators tab click the Add icon to create the pr...

Page 143: ...urn to the Administrators tab which now displays the following administrators Figure 23 Manage Administrators and Domains Administrators Tab 7 Click OK to save your changes 8 Repeat step 1 through ste...

Page 144: ...P address Click OK to log in The NSM navigation tree and main display area appear Because the customer administrator account has permission only for viewing and reports the UI displays only the module...

Page 145: ...PART 2 Integrating Adding Devices on page 97 Configuring Devices on page 187 Updating Devices on page 243 Managing Devices on page 265 95 Copyright 2010 Juniper Networks Inc...

Page 146: ...Copyright 2010 Juniper Networks Inc 96 Network and Security Manager Administration Guide...

Page 147: ...ScreenOS releases 5 0r11 5 1r4 5 2r3 5 3r10 5 4r11 6 0r2 6 1r4 6 2 and 6 3 Before you can manage a device with NSM you must add the device to the management system NSM supports adding individual devic...

Page 148: ...lowing types of devices Physical devices Importing Devices on page 112 and Modeling Devices on page 130 later in this chapter provide details on how to add an existing or new device into NSM These dev...

Page 149: ...the device status After adding the device you must verify the device configuration Determine Device Status How you add your devices to the management system depends on the network status of the devic...

Page 150: ...of the device configuration running on the physical device This summary is known as a Get Running Config summary Managing the Device After adding a device you can manage its configuration objects and...

Page 151: ...If you modify a device that supports centralized policy management and import or reimport the device into NSM a new policy is automatically created using the following naming syntax device_1 Each new...

Page 152: ...e process Selecting the Domain Determine the domain in which you want to place the device A domain is a logical grouping of devices device security policies and device access privileges NSM includes a...

Page 153: ...adding a single security device use the Add Device wizard to create the device object in NSM To activate a modeled device or create a configlet use the Activate Device wizard You can import or model...

Page 154: ...e adding to NSM are running a supported version of the OS For example NSM no longer supports devices running 4 x or earlier versions of ScreenOS If you are not running a supported version you must upg...

Page 155: ...ough 4 to the Trust interface which is bound to the Trust security zone Home Work Port Mode Home Work mode binds interfaces to the Untrust security zone and to Home and Work security zones The Home an...

Page 156: ...primary interface See Figure 27 on page 106 for port interface and zone bindings Figure 27 Dual Untrust Port Mode Bindings This mode provides the following bindings Binds the Untrusted Ethernet port t...

Page 157: ...y interface to the Untrust security zone Binds the Ethernet ports 3 and 2 to the ethernet2 interface which is bound to the Home zone Binds Ethernet port 1 to the ethernet1 interface which is bound to...

Page 158: ...serial interface which you can bind as a backup interface to the Untrust security zone Trust Untrust DMZ Extended Mode Trust Untrust DMZ Extended mode binds interfaces to the Untrust Trust and DMZ se...

Page 159: ...ScreenOS 5 1 and later See Figure 31 on page 109 for port interface and zone bindings Figure 31 DMZ Dual Untrust Port Mode This mode provides the following bindings Binds the Ethernet ports 1 and 2 to...

Page 160: ...ome Work Mode Trust Untrust Mode Port Zone Interface Zone Interface Zone Interface Untrust ethernet3 Untrust ethernet3 Untrust Untrust Untrusted Trust ethernet1 Work ethernet1 Trust Trust 1 Trust ethe...

Page 161: ...Supported Add Device Workflows by Device Family Table 22 on page 111 summarizes the methods or workflows you can use to add devices from each supported device family Table 22 Supported Add Device Work...

Page 162: ...0 or later Junos 9 0 or later SA 6 2 or later or IC 2 2 or later When importing from a device the management system connects to the device and imports Data Model DM information that contains details o...

Page 163: ...e interface that has an IP address Devices that use a dynamically assigned IP address must also support NACN The device must be operating in the desired port mode You cannot change the operational mod...

Page 164: ...formation verify that the device type ScreenOS version and the device serial number are correct NSM autodetects the hostname configured on the device and uses it as the device name You can also change...

Page 165: ...s with it Refer to the IDP NetScreen Security Manager Migration Guide for more information You need to upgrade unmanaged Sensors to 4 0 or later before adding them to NSM See the IDP Installer s Guide...

Page 166: ...atus mouse over the device in Device Manager you can also check configuration status in Device Monitor The device status displays as Managed indicating that the device has connected and the management...

Page 167: ...evice name or can enter a new name in the text box provided 10 Click Next to add the device to NSM 11 After the device is added click Next to import the device configuration 12 Click Finish to complet...

Page 168: ...tected device information verify that the device type OS version and the device serial number are correct The wizard also detects the hostname configured on the device You can either use the hostname...

Page 169: ...be executed on the device to connect to NSM The commands enable management and set the management IP address to the Device Server IP address enable the Management Agent set the Unique External ID and...

Page 170: ...e the IDP Installer s Guide for more information To import an IDP 4 0 device with an unknown IP address follow these steps 1 From the domain menu select the domain in which to import the device 2 In D...

Page 171: ...mported configuration To check the device configuration status mouse over the device in Device Manager you can also check configuration status in Device Monitor The device status displays as Managed i...

Page 172: ...interface settings DNS settings and password 2 Select Authentication Auth Servers and enter the username and password of the NSM administrator in the applicable authentication server NOTE Onlypassword...

Page 173: ...rm the following tasks on the Specify Device Admin User Name Password and One Time Password screen a Make a note of the unique external ID The device administrator will need it to configure connectivi...

Page 174: ...in SSH transport layer interactions to set up an encrypted tunnel NSM authenticates itself to the device based on user name and password Confirm Connectivity and Import the Device Configuration into N...

Page 175: ...ps 1 Connect the device to the network and configure one of the interfaces so that the device can reach the NSM device server 2 Add a user for NSM that has full administrative rights For complete deta...

Page 176: ...rator user name and password for the SSH connection This name and password must match the name and password already configured on the device c Specify the First Connection One Time Password OTP that a...

Page 177: ...g the commit operation ensures that NSM connects to the backup Routing Engine following failover of the master Routing Engine The device software initiates the TCP connection to NSM and identifies its...

Page 178: ...ce check the status of that device in Device Monitor located in Realtime Monitor The imported device should display a configured status of Managed and a Connection status of Up indicating that the dev...

Page 179: ...tion summaries to help you manage device configurations and prevent accidental misconfiguration Use configuration summaries after you import a device to ensure that the management system imported the...

Page 180: ...To get the Running Config summary from the Device Manager launchpad click Device Config Options Get Running Config You see a list of devices to which you have access Select the device you just importe...

Page 181: ...odel Device and then click Next 5 In the Specify Name Color OS Name Version and Platform screen enter the following information Enter a name and select a color to represent the device in the UI In the...

Page 182: ...aces that is available for import You can create a configuration for the device object in NSM and then install that configuration on the device NOTE When modeling a NetScreen 500 5000 series or ISG se...

Page 183: ...out of band method 5 After NSM autodetects the device click Next to activate the device in NSM 6 Click Update Now to update the configuration on the device with the settings from the modelled device...

Page 184: ...update is complete the device status displays as Managed indicating that the device has connected and the management system has successfully pushed the device configuration Junos Devices To activate a...

Page 185: ...plays as Managed indicating that the device has connected and the management system has successfully pushed the device configuration Devices with Dynamic IP Addresses A dynamic IP address is an IP add...

Page 186: ...has not pushed the device configuration yet 10 Update the device configuration by right clicking the device and selecting Update Device The Job Information box displays the job type and status for th...

Page 187: ...ord The device administrator will need it to configure the connectivity between the device and NSM NOTE All passwords handled by NSM are case sensitive d Click Finish to complete the Add Device wizard...

Page 188: ...and password d In the Device List verify the connection status of the newly added device The status changes from Never connected to Up If the configuration status is platform mismatch you selected th...

Page 189: ...trust nsHSC Home Work nsHSC Trust Untrust ns204 ns208 ns25 ns50 ns5GT Combined ns5GT Dmz Dual Untrust ns5GT Dual Untrust ns5GT Extended ns5GT Home Work ns5GT Trust Untrust ns5GTadsl Extended ns5GTadsl...

Page 190: ...like any other security device in NSM NOTE If you delete the security device from the NSM system and then add the device again you must also re create the configlet and install it on the physical devi...

Page 191: ...tically selects the interface on the device that will connect to the NSM management system This interface is determined by the device platform and cannot be changed Select the Device Server connection...

Page 192: ...a private virtual circuit the service provider assigns a static IP address for the ADSL interface Routed PDUs enable the NetScreen 5GT ADSL device to exchange routing information with another router t...

Page 193: ...nt Getting Started Guide This guide provides step by step instructions for connecting a security device to the network preparing the device to use a configlet and installing and running the configlet...

Page 194: ...the WebUI cannot load the configlet To restore the factory defaults on the firewall device see the user s guide that came with your security device 5 Ensure that the Status LED on firewall device dis...

Page 195: ...your PPPoA account 6 Click Next to initiate the connection to NSM The security device connects to the NSM Device Server During this first connection the device and the NSM Device Server exchange authe...

Page 196: ...uring this combined operation both results Delta Config and Update Device are available to you by selecting View Device Delta Config if you have the appropriate administrator rights Otherwise you can...

Page 197: ...eges 1 In the main navigation tree select Device Manager Devices 2 From the Device Manager launchpad select Update Device to open the Update Device s dialog box listing all connected and managed devic...

Page 198: ...orting vsys devices is a two stage process Import the root device To import the root device use the Add Device wizard to add the root device to the appropriate domain For details see Importing Devices...

Page 199: ...eck the configuration status in Device Monitor The device status displays as Managed indicating that the vsys has connected and the management system has successfully imported the vsys configuration M...

Page 200: ...device status Check the configuration status by holding your mouse cursor over the device in Device Manager or by checking the configuration status in Device Monitor Ensure that the configuration stat...

Page 201: ...0 and later For details on configuring these vsys modes see Network and Security Manager Configuring ScreenOS and IDP Devices Guide Adding an Extranet Device An extranet device is a firewall or VPN de...

Page 202: ...at identifies the family of devices d Platform Select the device platform for all cluster members e Some ScreenOS devices only Mode Select the Port mode See Determining Port Mode ScreenOS Devices Only...

Page 203: ...with no configuration or security policy you should 1 Create the cluster 2 Add the existing device by importing The Add Device Wizard automatically imports the device configuration 3 Add the new devic...

Page 204: ...IP addresses NSM does not support importing Secure Access or Infranet Controller cluster members with static IP addresses NOTE Adding a cluster and adding a cluster member have no effect on the cluste...

Page 205: ...the rest of the configuration A stub is placed in the device configuration tree instead If you need to manage these files in NSM you must import them later as shared objects and then create links to t...

Page 206: ...stem J Series as the Junos OS Type a platform name and managed OS version You add cluster members one at a time in a similar manner to adding standalone devices You can add and import devices with dyn...

Page 207: ...ers into a cluster ensure that you add the secondary member before you add the primary member 4 On each cluster member device configure and activate the NSM agent and establish an SSH session with NSM...

Page 208: ...Use the configuration group mechanism to configure any member specific data See Configuring Devices on page 187 for details about configuring clusters and configuration groups Activating and Updating...

Page 209: ...Cluster Members on page 160 Importing the Cluster configuration on page 161 Adding the Cluster Add a new cluster to NSM as follows 1 Select Device Manager Devices and then click the Add icon and sele...

Page 210: ...ice administrator will need it to connect the device to NSM h Check the Keep Adding Cluster Members box to add another cluster member The Finish button changes to the Next button i Click Next and repe...

Page 211: ...s 2 Right click SA Cluster the cluster name and select Import Device from the list NSM starts a job to import the configuration A job window reports the progress of the job When the job finishes the c...

Page 212: ...2 In the New Cluster Member dialog box enter a name and color for the cluster member and select the Model Device radio button 3 Check the Keep Adding Other Cluster Members box and leave the Member ID...

Page 213: ...ce 6 Leave the Keep Adding Other Cluster Members box unchecked 7 Set the Member ID to 1 Figure 36 Adding the Second Member to a J Series Cluster 8 Click Finish If you expand the cluster icon in the De...

Page 214: ...figure and activate the connectivity with NSM a Log on to the J Series router b At the command line prompt identify the management system by device name device ID and HMAC For devices running the or 9...

Page 215: ...iguration 5 Repeat Step 4 for the second cluster member J 2 Updating the Cluster After you have modeled the cluster configuration you can push the new configuration to the physical cluster using the U...

Page 216: ...the following information For Name enter Paris Cluster For OS Name select ScreenOS IDP For Platform select ns5400 For OS Version select 5 1 d Click OK to save the new cluster object 2 Add cluster memb...

Page 217: ...fault Vrouter and then click Next to continue e Click Finish to add the new vsys cluster device 4 Add the second vsys cluster device a Click the Add icon and select Vsys Device The new vsys device dia...

Page 218: ...tings which you also configure as part of the rule Devices that match the rules for discovery also present an SSH key for your verification before the device is added to NSM Adding a Device Discovery...

Page 219: ...onfigure pane of the NSM navigation tree click Device Discovery Rules 2 Select the rule you want to run 3 Click the Run icon in the discovery rules toolbar The device discovery Progress dialog box app...

Page 220: ...atic IP addresses the device configuration is automatically imported during the Add Many Devices workflow When importing devices with dynamic IP addresses you must manually import the device configura...

Page 221: ...tored the program files for the UI client for example C Program Files Network and Security Manager utils For each CSV file each row defines a single device s values for each parameter For text files c...

Page 222: ...add four security devices that use static IP addresses create a text file with the following text Chicago green 10 100 31 78 netscreen netscreen ssh_v2 any Memphis orange 10 100 20 236 netscreen netsc...

Page 223: ...twlan Dmz Dual Untrust ns5Gtwlan Combined ns5Gtwlan Home Work ns5Gtwlan Dual Untrust ns5Gtwlan Trust Untrust ns5Gtwlan Dual Dmz ns5XT Combined ns5XT Dual Untrust ns5XT Trust Untrust ns5XT Home Work ns...

Page 224: ...name IC IC 4000 IC 4500 IC 6000 IC 6500 yes String Platform continued Set to none yes String Device subtype With OS name ScreenOS see Table 7 on page 13 for a list of OS versions that apply to each S...

Page 225: ...if desired 3 Save the file to a location on your local drive Example Using a Text File to Add Multiple Dynamic IP Devices To add four devices that use dynamic IP addresses create a text file with the...

Page 226: ...ction type is static String Device IP Address 8 24 28 32 Any valid netmask in CIDR format yes when connection type is static String Device Netmask yes when connection type is static String Device Gate...

Page 227: ...e 5 0 off advanced netscreen123 dhcp 2netscreen netscreen2 off Save the file as a csv file Validating the CSV File When you add the device NSM validates the configuration information in the csv file a...

Page 228: ...y the location of the CSV file 5 Click Next The Add Device wizard validates the CSV file and provides a Validation Report Select Cancel to quit the Add Many Devices process Select Add Valid Devices to...

Page 229: ...menu select the domain in which to import the device 2 In Device Manager select Devices 3 Click the Add icon and then select Many Devices The Add Device wizard appears 4 In the Add Device wizard Sele...

Page 230: ...cel to quit the Add Many Devices process Select Add Valid Devices to begin adding the devices for which you have provided valid device configurations The Add Device wizard adds the valid devices to th...

Page 231: ...Server directory usr netscreen GuiSvr var ManyDevicesOutput inputFile_YYYYMMDDHHMM NOTE For security you cannot edit a configlet file directly To make changes to the information in any configlet file...

Page 232: ...n group devices before configuring them You can add a device to more than one device group You can also add a device group to another device group NOTE You cannot apply a template to a device group Yo...

Page 233: ...vice update to it The following procedures prevent these conflicts between NSM and the Infranet Controller Avoiding Naming Conflicts of the Authorization Server Object on page 183 Avoiding NACN Passwo...

Page 234: ...ger Devices to list all the devices b Right click each Infranet Enforcer firewall device in turn and select Delete from the list 5 On NSM delete the infranet instances from the Object Manager a Select...

Page 235: ...to add and import the device e Repeat steps b through d for each Infranet Enforcer device Avoiding NACN Password Conflicts When you need to manage the Infranet Enforcers reimport the configuration eac...

Page 236: ...Copyright 2010 Juniper Networks Inc 186 Network and Security Manager Administration Guide...

Page 237: ...he managed device for your changes to take effect For details on updating devices see Updating Devices on page 243 Use security policies to configure the rules that control traffic on your network For...

Page 238: ...overview of each of these device families and lists of supported platforms and operating system versions Most devices can be configured using the following interfaces Native Web UI Native CLI NSM UI...

Page 239: ...onfiguring Security Policies on page 435 Configuration Features You can edit the device object configuration through the device editor or you can use templates or configuration files to simplify confi...

Page 240: ...g Device Templates on page 198 About Configuration Groups Configuration groups are similar to device templates in that you define configuration data to be used multiple times In configuration groups t...

Page 241: ...and Configuration Tabs The Device Info tab contains information maintained in NSM This information can neither be imported from the device nor is it ever pushed to the device by an Update Device dire...

Page 242: ...device families Figure 41 on page 192 shows an example Figure 41 ScreenOS and IDP Device Configuration Information Validation and Data Origination Icons The device editor might display some of the ic...

Page 243: ...guration group Changes to the configuration group are also shown in the device editor Configuration Group Values Lowest A value is set for a field in a template or configuration group definition This...

Page 244: ...our changes and continue making changes Click Cancel to discard all changes and close the device configuration To reset a device feature to its default value right click on the feature name in the dev...

Page 245: ...s Guide and IDP ACM Help for more information Configuring functions that require device administrator intervention such as Secure Command Shell SCS and Secure Shell SSH client operation Executing debu...

Page 246: ...nterfaces In this example the view is of the Network Settings screen Figure 43 Secure Access Device Object For details about configuring Secure Access devices see the Configuring Secure Access Devices...

Page 247: ...ly as shared objects and then link to those objects from the stubs in the device configuration See Managing Large Binary Data Files Secure Access and Infranet Controller Devices Only on page 275 for d...

Page 248: ...configuration information across multiple devices In a template you need define only those configuration parameters that you want to set you do not need to specify a complete device configuration Temp...

Page 249: ...enhances the usability of the template If template categories are not selected the default display is a full tree view You can also view the associated template categories in the Device Template tabl...

Page 250: ...er Device Templates 2 Click the Add icon in the Device Template Tree or the Device Template List and select ScreenOS IDP Template from the list The New Device Template dialog box displays the template...

Page 251: ...h as device platform or release version Applying the Template Apply the template as follows 1 Ensure that the device you want to apply the template to has been added or modeled in the management syste...

Page 252: ...en those values are also stored by NSM Where field keys match imported values override values inherited from the template so that the effective device object configuration matches the device The live...

Page 253: ...he effect of moving the mouse cursor over the field name of an overridden value a tool tip message appears showing the name of the template whose value has been overridden Figure 46 Template Override...

Page 254: ...sage appears If the template specifies a field that the device supports but the value is outside the permitted range for the device a validation message appears in the Device dialog box A template val...

Page 255: ...Zone configuration screen appears d Click the Add icon in the Zone configuration screen and select Pre Defined Security Zone trust untrust dmz global The Predefined Zone dialog box appears NOTE Becaus...

Page 256: ...g box appears b Select Screen Denial of Service Defense and review the values applied by the template as shown in Figure 48 on page 206 Figure 48 View Denial of Service Defense Values from DoS Templat...

Page 257: ...een 208 device a In the navigation tree select Device Manager Devices Double click the NetScreen 208 device icon to open the Device dialog box b Select Info Templates in the device navigation tree Cli...

Page 258: ...e untrust Predefined Zone dialog box appears b Select Screen Denial of Service Defense and review the values applied by the template as shown in Figure 51 on page 208 Although both the DoS and DoS2 te...

Page 259: ...d from the device configuration itself and not a template by moving the cursor over the field name The message From object appears as shown in Figure 54 on page 209 Figure 54 View Default SYN ACK ACK...

Page 260: ...elect Predefined Interface The Physical Interface dialog box appears 3 For Name enter ethernet1 NOTE When creating or editing predefined interfaces in a template you must use the exact name for each i...

Page 261: ...one NOTE The ordering of list entries is a detailed point and of low significance to most users Skip this section if ordering of list entries is not significant to you To specify a sequence in which...

Page 262: ...push the configuration to the device and then connect to the Web UI of the device and reorder the list entries such that the list entries that came from the template are reversed D1 D2 T2 T1 Now consi...

Page 263: ...e of parameters in the template matches a contiguous subsequence of parameters in the device then NSM applies the new template order for the subsequence to the device Entries added in a template are p...

Page 264: ...a matching subsequence the new sequence is transferred to the device After C A B Template Sequence 2 C 1 A B Device Sequence Example 3 The following example shows entries inserted into the list on the...

Page 265: ...atching Subsequence Change Now add an entry to the template The new entry is added to the device in the same sequence as it was added in the template That is the new entry follows entry C in the templ...

Page 266: ...as it was added in the template In this case however entry C has been deleted from the device so the inserted entry follows entry B After D C B A Template Sequence D B A 2 1 Device Sequence Identifyi...

Page 267: ...s green highlight because they represent a common subsequence though not the longest c has a single entry out of order mark because it is adjacent to neither of its neighbors in the template NOTE If m...

Page 268: ...Name Section Select a device family from the Select OS Name list to determine which set of templates and devices to show Select Devices Section In this section select one or more devices for template...

Page 269: ...an templates previously assigned to the device Values in these templates will override values applied by lower priority templates Remove templates Removes all selected templates from each selected dev...

Page 270: ...orts any errors Template Operations Box Recommended Workflow The Template Operations dialog box can be used in many ways This section describes one recommended workflow Step 1 Look at the Effect of Pl...

Page 271: ...es generated in Step 1 Resolve any conflicts missing assignments or other errors as desired Repeat steps 1 and 2 until you are satisfied with your planned changes Step 3 Apply Templates and Clear Over...

Page 272: ...1 From the Device Manager launch pad select Export Import and then select Export Device Template to File 2 In the Export Config to File dialog box select the template you want to export and then clic...

Page 273: ...up mechanism is separate from the grouping mechanisms used elsewhere in the Junos configuration such as Border Gateway Protocol BGP groups Configuration groups provide a generic mechanism that can be...

Page 274: ...ces to 1 Gbps by using a wildcard mechanism 1 Double click the device in the Device Manager and select the Configuration tab 2 In the configuration tree select Config Groups List 3 Click the Add icon...

Page 275: ...field set the speed to 1g and click OK The configuration group icon appears next to the two interface entries in the group and next to each element in the tree above the interface entries See Figure 6...

Page 276: ...the up and down arrows at the top of the main display area The order of lists is significant because configuration group wildcard matching is done starting from the first configuration group entry and...

Page 277: ...n click Add The Available Config Groups list includes all configuration groups created in the device object The configuration group and icon move to the Applied Config Groups list 4 Click OK to apply...

Page 278: ...ig Groups list select the configuration groups you want to exclude and then click Add The selected configuration group names move to the Excluded list 3 Click OK to exclude those groups from that part...

Page 279: ...ed lists in the device object appear in a specific order determined by Junos convention By default entries from templates appear first followed by regular configuration data followed by entries create...

Page 280: ...tch the Template or Configuration Group Order on page 216 for details and examples Using Configuration Groups with Templates If a field in a device object can inherit from both a template and a config...

Page 281: ...faces To create this configuration follow these steps 1 Create a template containing a configuration group that will apply an MTU value of 3K to all devices to which the configuration group is applied...

Page 282: ...e Add icon and select fe Physical Interfaces from the list c In the Set Slot Configuration dialog box set the slot range to 0 the PIC range to 0 the port range to 0 1 and click OK The new interfaces s...

Page 283: ...of the device and click Templates b Click the Edit icon to display the Edit Templates dialog box c Check the box next to the template you just created and click OK to apply the template to the device...

Page 284: ...rs use a special implementation of the configuration group mechanism to maintain differences between the members but within the same configuration file Although you cannot edit the configuration of a...

Page 285: ...e 230 for details Configuring Member Level Data in a Junos Cluster To provide configuration data for a specific cluster member such as the node name NSM implements a special form of the wildcard mecha...

Page 286: ...ting Engines differs from configuring a device with a single Routing Engine in that you can configure features for a specific Routing Engine Two special configuration groups are used for this purpose...

Page 287: ...Figure 64 Configuring Routing Engine Specific Parameters Viewing a Routing Engine Configuration The following example shows how to display the hostname assigned to a specific Routing Engine See Figure...

Page 288: ...ature allows you to use redundant routers on a LAN by configuring a single default route on the host All VRRP routers share the IP address corresponding to the configured default route One of the VRRP...

Page 289: ...00M2 SPM2 Vsys devices Activating VRRP on a Device Interface You can enable VRRP on an Ethernet Interface only if VRRP has already been activated on the device You can only enable VRRP on a regular in...

Page 290: ...d in the NSM database and a comment Click on an entry in the table to view the contents of a specific version The text file appears in the main part of the display You can edit the comment that appear...

Page 291: ...The default is 25 versions The Config File Manager can automatically import config files from managed Junos OS based devices when configuration changes are committed on these devices enabling NSM to h...

Page 292: ...Copyright 2010 Juniper Networks Inc 242 Network and Security Manager Administration Guide...

Page 293: ...tion to the management server This chapter contains the following sections About Updating on page 243 Knowing When to Update on page 248 Using Preview Tools on page 252 Performing an Update on page 25...

Page 294: ...essful update These tools include Audit Log Viewer This NSM module records changes made to a device configuration The audit log entry also identifies the administrator who performed the change shows w...

Page 295: ...a Configuration Summary reveals no differences between the new configuration and the old configuration on the device you have successfully updated the running configuration About Atomic Configuration...

Page 296: ...rformance of the management connection is enhanced Atomic updating also enables the device to temporarily lose connection to NSM during the update process If the management connection is down when the...

Page 297: ...econnect are unsuccessful for two hours the update timer expires and the device automatically resets The device unlocks the active configuration and restores the saved active configuration the device...

Page 298: ...NSM To synchronize the configuration data NSM imports the configuration after the update If an Update Device directive causes implicit configuration changes on one or more devices each device reports...

Page 299: ...tor displays the current status of the device Up status The device is connected to the Device Server and is running properly Before you can update a device it must be in the Up state Down status An ev...

Page 300: ...sical device configuration the configuration on the physical device is newer than the modeled configuration To synchronize the two configurations import the configuration from the physical device Mana...

Page 301: ...evice type and OS version IP address domain the Attack Db version if it is a Firewall IDP device and the connection and configuration states To manually verify the configuration status for devices For...

Page 302: ...ger to determine when you are receiving too many attacks of a certain type and order them by an IP address For example if you determine that the current device configuration and security policy cannot...

Page 303: ...ommands run a configuration summary 1 From the launchpad select Devices Config Options Summarize Config The launchpad displays the Summarize Config dialog box 2 Select the devices or device groups for...

Page 304: ...h the modeled configuration you might want to identify and verify the configuration you are installing on the device After updating Ensure that the device received the configuration as you expected an...

Page 305: ...255 Figure 66 Delta Configuration Summary Example Occasionally the delta configuration report might display discrepancies that do not actually exist between the running configuration and the modeled...

Page 306: ...evices vsys devices clusters virtual chassis or device groups using the same process Before updating Ensure that you have configured the device correctly created and assigned a policy to the device an...

Page 307: ...ing any out of band changes made enable the option Do not Update If Device Has Changed Configuring Update Options You can configure device update and retry options on a systemwide basis in the UI pref...

Page 308: ...e Manager and select Update Attacks When disabled the update options dialog box does not appear for single device updates initiated from the Device Manager Alternatively to disable from within the per...

Page 309: ...ns in the NSM UI including the Devices and Tools menus in the NSM toolbar to access the Update directive from the File menu select Devices Configuration Update Device Configuration The Job Manager mod...

Page 310: ...d on a single device For multiple device updates Job Manager tracks the progress of each job on each device in addition to the overall progress for all devices To view the Job status for an individual...

Page 311: ...Passwords By default only the super administrator has this assigned activity Device States During Update During an update the managed device changes device state You can view the current device state...

Page 312: ...plays the Job Status as Failed You can also check the Connection Status and Configuration Status columns for the device in the Realtime Monitor to determine whether the device is running After a devic...

Page 313: ...ation Generated 5 Delta Config CLI Commands Specifically the update could not set the command pppoe name untrust clear on disconnect The delta configuration summary correctly detected a difference bet...

Page 314: ...Copyright 2010 Juniper Networks Inc 264 Network and Security Manager Administration Guide...

Page 315: ...e added to NSM without the need to upgrade NSM This feature applies only to devices with XML based schemas This chapter contains the following sections Managing Device Software Versions on page 266 Ma...

Page 316: ...er from the menu bar The Software Manager lists all software image files in the repository To add the one you just downloaded click the Add icon navigate to the software image file you just downloaded...

Page 317: ...8 a NetScreen 50 and a NetScreen 5XP at the same time but the image files for each device type must exist on the Device Server and must be the same OS version When a new version of Junos is installed...

Page 318: ...e NSM If the software version of a device is upgraded outside NSM through the device CLI or Web UI NSM behaves differently depending on whether the upgraded software version is published and whether i...

Page 319: ...upgrade by NSM See Upgrading the Device Software Version on page 266 To reconcile the OS versions right click a device and select Adjust OS Version to display the Adjust OS Version Wizard Follow the...

Page 320: ...ice support The directive performs the following actions Performs an Adjust OS Version from the previously known ScreenOS version to the new version of ScreenOS running on the selected devices Optiona...

Page 321: ...ickly view all license keys installed on a device and the features and capacities available on the device To import or view license key information 1 In the main navigation tree right click the device...

Page 322: ...is upgraded through the Web UI or CLI new software packages are installed or a new license key is installed on the device then the inventory on the device is no longer synchronized with the NSM datab...

Page 323: ...le how many VPNs a license supports how many licensed units are already in use and how many more are needed The license details include the key name or ID of the license the date the license was creat...

Page 324: ...ry changes to Out of Sync in the Device List the Device Monitor and the device tooltip and the Reconcile button in the Device Inventory window becomes active 4 When you have finished viewing the diffe...

Page 325: ...d Infranet Controller devices are handled differently from the remainder of the configuration in NSM The size of some of these binary files could make configurations large enough to overload resources...

Page 326: ...ata file and linking that file into the Secure Access or Infranet Controller device configuration tree Subsequent sections provide details about each type of large binary data file To upload and link...

Page 327: ...evice to open the device editor and then select the Configuration tab b Navigate to the node in the configuration where you want to load the binary file For example to load an ESAP package expand Auth...

Page 328: ...ry data list by clicking the Add icon The Binary Data dialog box appears as in step 3 d Click OK to save the newly configured links Importing Custom Sign In Pages The customized sign in pages feature...

Page 329: ...tion 3 Expand Signing In 4 Expand Sign in Pages 5 Select Users Administrator Sign in Pages and then click the Add icon in the right pane 6 Enter a name for the access page 7 Select Custom Sign in Page...

Page 330: ...nfiguration To create a link from a Secure Access or Infranet Controller configuration tree to a shared object containing an AV patch live update file follow these steps 1 In the Device Manager double...

Page 331: ...umber 6 Select a shared binary object from the Path to Package list 7 Click OK once to save the link and again to save the configuration Importing Third Party Host Checker Policies For Windows clients...

Page 332: ...r policy follow these steps 1 In the Device Manager double click the Secure Access or Infranet Controller device to open the device editor and then select the Configuration tab 2 Expand Authentication...

Page 333: ...t the Java applets You can upload individual jar and cab files or zip cab or tar archive files to NSM shared objects Archive files can contain Java applets and files referenced by the applets Within t...

Page 334: ...les 4 Select the Global Role Options tab 5 In the Global Terminal Services Role Options tab select a shared binary data object from the Citrix Client CAB File list 6 Click OK to save the configuration...

Page 335: ...x appears 3 Select the device or devices to which you want to restore the backup version and click OK Backing up multiple SA or IC Devices To create backup versions of the data in multiple IC or SA de...

Page 336: ...p version and click Delete to delete the backed up version from the NSM database NOTE The backup and restore feature is available in the NSM UI on root clusters but not on cluster members However when...

Page 337: ...not reachable 1 Click Next The Specify the connections settings dialog box opens 2 Specify the First Connection One Time Password OTP that authenticates the device 3 Edit the Device Server Connection...

Page 338: ...2 User Name text box to enter user name search string By default this will be You can specify any regular expression string here 3 Sort on drop down list box to select the name of the field to sort o...

Page 339: ...ly paid subscription To register your product go to www juniper net support After you have registered your product you can retrieve the service subscription To obtain the subscription for a service 1...

Page 340: ...nload new attack objects from the server To update a managed device with new DI attack objects you must first obtain a DI subscription for your device For details see Activating Subscription Services...

Page 341: ...P zip Download the file to your local disk Do not change the filename 4 Put both files in a local directory on the NSM GUI Server or on an internal Web server that is reachable by the NSM GUI Server 5...

Page 342: ...loaded manually To load the attack object database update to your managed devices 1 From the Device Manager launchpad select SecurityUpdates UpdateDeviceAttack Database or from Devices in the menu ba...

Page 343: ...IDP rules for the device from the GUI Server to the device For a security policy that uses DI attack objects NSM pushes all updated signatures from the GUI Server to the device Verifying the Attack O...

Page 344: ...when you update the device configuration on a device you must also update the database on the managed device to match the version of the database on the GUI Server if the version on the GUI Server is...

Page 345: ...liances J Series devices SRX Series devices and MX Series devices Automatic updates to the IDP engine occur when you Upgrade security device firmware The upgraded firmware includes the most recent ver...

Page 346: ...ee Figure 74 on page 296 Figure 74 Attack Update Summary 3 Click Cancel to exit the Attack Update Manager Scheduling Security Updates For security devices running ScreenOS 5 0 0 IDP1 5 1 and later and...

Page 347: ...ng unexpected changes To handle unconnected devices during the update you must also specify additional post action options shown in Table 30 on page 297 Table 30 Scheduled Security Update SSU Command...

Page 348: ...tils guiSvrCli sh update attacks post action update devices skip Scheduling the Update You can perform a one time security update using guiSvrCli sh directly or you can use crontab or another scheduli...

Page 349: ...ing the update the guiSvrCli utility updates its the attack object database then performs the post actions After updating and executing actions the system generates an exit status code of 0 no errors...

Page 350: ...Admin Name Domain The administrator name for security update is guiSvrCli and the domain is Global entry appears as guiSvrCli Global Action The action appears as Scheduled Attack and Device Update To...

Page 351: ...ecurity device you want to contact SurfControl 2 In the Device Manager launchpad select Security Updates Update System Categories This option updates the NSM management system predefined categories fr...

Page 352: ...fied by the device and not by NSM Invoking the Launch Telnet menu item causes the Telnet window to appear even if the Telnet service is not enabled in the device The Launch Telnet menu is disabled if...

Page 353: ...ries it connects to the previously configured DNS server to perform a lookup of each entry in its table To direct one or more devices to refresh their DNS table entries 1 From the Device Manager launc...

Page 354: ...forms asset recovery Sets the device to FIPS mode Resets the device to its default settings Updates the OS Loads configuration files After you change the root administrator login and password only per...

Page 355: ...to send a device back to the factory and replace it with a new device you can set the device to the RMA state This state allows NSM to retain the device configuration without a serial number or connec...

Page 356: ...ftware Manager allows you to upgrade the firmware version in the physical device before RMA After upgrading NSM puts the device in the Update needed state NOTE The current OS version of the device is...

Page 357: ...subsystem within the wireless security device during the device update process NOTE When using an authentication server for wireless authentication if you enable 802 1X support on that server you must...

Page 358: ...When you create update or import a device the GUI Server edits the ADM to reflect the changes then translates that information to the DM Data Model Schema The structure of the ADM and DM is determined...

Page 359: ...arranged similarly to objects in the management console each item VPN policy device device group and so on is represented by an object In the DM each item is a property of a single device During the d...

Page 360: ...s interfaces routing tables users and VPN rules in the DM for each device The DM contains only the VPN information that relates to the specific device not the entire VPN During the device model update...

Page 361: ...objects and object attributes in the ADM domain When you import a device configuration using the management console the device sends CLI commands to the Device Server which translates the CLI commands...

Page 362: ...es the CLI commands into a DM with device configuration information The GUI Server translates the device configuration in the DM into objects and object attributes in the ADM The GUI Server then reads...

Page 363: ...vers For details on stopping starting and restarting processes on the management system refer to the Network and Security Manager Installation Guide Archiving Logs and Configuration Data To archive lo...

Page 364: ...up and restore procedures To restore log and configuration data 1 Stop Device Server and GUI Server processes 2 Use the mv command to transfer data from the var directories to a safe location This pre...

Page 365: ...nistrator role has all the permissions necessary to manage schemas Alternatively you can define a custom role for schema management Three activities are relevant to defining such a role View Schema De...

Page 366: ...the server Choose File to retrieve the schema from an intermediary file 4 Click Next to display information about the latest schema on the source Juniper Update Server or file along with current schem...

Page 367: ...of files affected by the change Compare the version numbers to tell whether the staged schema is more recent than the currently running schema Check the information about the schema to determine wheth...

Page 368: ...Copyright 2010 Juniper Networks Inc 318 Network and Security Manager Administration Guide...

Page 369: ...Configuring Voice Policies on page 535 Configuring Junos NAT Policies on page 539 Configuring VPNs on page 551 Central Manager on page 629 Topology Manager on page 635 Role based Port Templates on pa...

Page 370: ...Copyright 2010 Juniper Networks Inc 320 Network and Security Manager Administration Guide...

Page 371: ...on page 322 Configuring Address Objects on page 326 Configuring Application Objects on page 332 Configuring Schedule Objects on page 334 Configuring Access Profile Objects on page 335 Configuring Qual...

Page 372: ...evice configuration NSM automatically imports all objects defined in that configuration The Object Manager displays objects created in the current domain only When you work in the global domain all cu...

Page 373: ...affic AV Profiles define the server that contains your virus definitions and antivirus software Web Filtering Profiles define the URLs the Web categories and the action you want a security device to t...

Page 374: ...n VPN You cannot use a subdomain user object in a global domain VPN When creating a subdomain protected resource you can include a subdomain address object and a global domain service object but you c...

Page 375: ...h by unchecking unnecessary categories Right click on a shared object node for example Address Objects and select Search Unused Objects 2 Select the search categories and click Next The Unused Shared...

Page 376: ...to delete NSM displays a message that the selected objects will be deleted and a warning that the operation cannot be reversed NOTE When you select a group of duplicate objects such as an address grou...

Page 377: ...k As you add address objects they appear in the tree and table tabs Creating Address Objects You can create the following address objects Host Represents devices such as workstations or servers connec...

Page 378: ...address it displays the same address under the domain name This is an indication that a name is not configured for this address 6 Click OK to add the address object The new host address object immedia...

Page 379: ...permission to view global domain objects for the objects you are replacing then all objects for the selected category in the current domain and the global domain are displayed in the Replace With wiza...

Page 380: ...lobal and subdomain address objects appear in the Non members list NOTE You can drag address objects into and out of address groups from the main address tree 8 Click OK to add the group You can creat...

Page 381: ...dresses to share a single firewall policy For example each site might have a Web server each with a different IP address If you define an address object using the hostname webserver and then using tha...

Page 382: ...ication Table Tab Information Description Field The name of the application object Name The hierarchical category to which the application belongs Application Category The TCP UDP port ranges to be ma...

Page 383: ...ing parameters in the General tab Name This is a mandatory field Application Category This is a mandatory field Supported Platforms Use the Edit icon to select supported platforms You must select at l...

Page 384: ...to 6 00 PM December 5 Christmas Break Schedule 6 00 PM December 24 to 8 00 AM January 2 Use a recurring schedule to control access to a destination for a repeating time interval The schedule object d...

Page 385: ...ccess profiles configured in NSM Access profiles are listed in a table consisting of the following columns Name Name of the access profile Comment Description of the access profile You can create view...

Page 386: ...ed QoS parameters Each IP profile can have a maximum of 8 entries and each DSCP profile can have 64 entries In a QoS profile an existing entry can be overwritten with the same DSCP IP Precedence value...

Page 387: ...you add predefined attack object groups created by Juniper Networks and your own custom attack object groups to the Profile object After creating the DI Profile you add the Profile object in the Rule...

Page 388: ...of the Supported Platform links within an attack object dialog box Viewing Predefined DI Attack Object Groups To view predefined attack object groups in Object Manager select Attack Objects then sele...

Page 389: ...and you can add multiple profile members to the profile object Within each profile member Select the attack object groups you want to include in this profile member Configure the action you want the...

Page 390: ...e and Attack object and displays an alert in the Log Viewer Configure IP Action Enable this option to direct the device to take action against a brute force attack When enabled configure the following...

Page 391: ...at and includes the following information Name of the attack object Severity of the attack critical major minor warning or info Category displaying the type of application Keywords for the attack CVE...

Page 392: ...ts and Groups NSM lets you look at the details of predefined attack objects and groups Not all details are applicable to all attacks The Pattern field under the Details column in the General tab of th...

Page 393: ...on page 363 For information about creating a DI Profile object see Creating DI Profiles on page 338 To use a custom IDP attack object to protect your network you can add the attack object in an IDP r...

Page 394: ...ription and keywords which can make it easier for you to locate and maintain the attack object as you use it in your firewall rules Specifically the attack object wizard prompts you for the following...

Page 395: ...he extended attack information Configuring Extended Information In the Extended tab enter specific information about the attack Specifically the attack object wizard prompts you for the following Impa...

Page 396: ...the target platform and configure the attack version click the Add icon under Attack Versions to display the New Attack wizard On the Target Platform and Type page you must select the ScreenOS or IDP...

Page 397: ...re traffic is identified as an attack By combining and even specifying the order in which signatures or anomalies must match you can be very specific about the events that need to take place before th...

Page 398: ...the correct service select Any and DI attempts to match the signature in all services Because some attacks use multiple services to attack your network you might want to select the Any service binding...

Page 399: ...ly When a client makes a remote procedure call to an RPC server the server replies with a remote program each remote program uses a different program number To detect attacks that use RPC configure th...

Page 400: ...Control Message Protocol ICMP TCP 113 IDENT IDENT TCP 143 UDP 143 Internet Message Access Protocol IMAP Internet Relay Chat IRC Lightweight Directory Access Protocol LDAP Line Printer spooler lpr Mic...

Page 401: ...e time attributes for the custom attack object Time attributes control how the attack object identifies attacks that repeat for a certain number of times By configuring the scope and count of an attac...

Page 402: ...o After you finish entering the general attack properties for the attack type click Next to configure the attack detection properties Configuring Attack Detection Properties In the Attack Pattern scre...

Page 403: ...atches Example Matches This syntax 01 86 A5 00 00 the five specified bytes verbatim X01 86 A5 00 00 X hello world hello or world hello world helloworld world hello hellohello hello or world one or mor...

Page 404: ...ect and can improve performance Select first packet context to detect the attack in only the first packet of a stream When the flow direction for the attack object is set to any the security device ch...

Page 405: ...stead of Any improves performance reduces false positives and increases detection accuracy Client to Server Detects the attack only in client to server traffic Server to Client Detects the attack only...

Page 406: ...th existing TCP and UDP protocols IPv4 and IPv6 header matches cannot coexist in a single attack definition IPv6 enabled attacks are supported only on ISG1000 with SM and ISG2000 with SM devices Type...

Page 407: ...attack target Seq Number Specify an operand none and a decimal value for the sequence number of the packet This number identifies the location of the data in relation to the entire data sequence ACK...

Page 408: ...for the port number of the attack target Data Length Specify an operand none and a decimal value for the number of bytes in the data payload ICMP Headers For attacks that use ICMP and a packet context...

Page 409: ...For details see Configuring Time Binding on page 351 Configuring a Compound Attack Object A compound attack object combines multiple signatures and protocol anomalies into a single attack object forci...

Page 410: ...d protocol anomaly attack objects Additionally because the number of session transactions are not known for the service you cannot specify a scope in the Members tab To match a specific service select...

Page 411: ...ropriate for the Service you selected If you selected a service binding of any you are restricted to the IP based protocol anomaly attack objects Configuring an Attack Object Ordered Match Use the oAN...

Page 412: ...re active in the attack object By default the direction filter is automatically set to the direction of the most recently created or edited attack version Creating Custom DI Attack Groups You can crea...

Page 413: ...ttacks to which you know your network is vulnerable or to group custom attack objects For example you might want to create a group for a specific set of informational attack objects that keep you awar...

Page 414: ...icon and select one of the following Add Products Filter to add attack objects based on the application that is vulnerable to the attack Add Severity Filter to add attack objects based on the attack s...

Page 415: ...mic Group dialog box appears 2 Enter a name and description for the group Select a color for the group icon Figure 78 New Dynamic Group 3 In the Filters tab click the Add icon and add the filters that...

Page 416: ...r meet their dynamic group criteria The update also reviews updated attack objects to determine if they now meet any other dynamic group criteria and adds them to those groups if necessary For all del...

Page 417: ...e 370 Miscellaneous UTM Features on page 371 ScreenOS Threat Management Features on page 373 Creating UTM Profiles A UTM profile can define more than one UTM feature You can have more than one custom...

Page 418: ...es The allowed range is 20 20000 Set a time out period The allowed range is 1 1800 Set the decompression limit in the range of 1 4 Set the HTTP tricking time out in the range of 0 600 Set the scan mod...

Page 419: ...profile 5 Enter a comment or description 6 Select a color from the drop down list 7 Enable Use default SBL 8 Select an action Block Tag header Tag subject 9 Enter a tag string 10 Select OK Creating a...

Page 420: ...urf control Integrated set the following Default action Block or permit Timeout period In the range of 1 1800 Mouse over the field to see a tool tip with the allowed values Enter a deny message Set Fa...

Page 421: ...Select in the CustomUTMMimeListProfiles table The New Mime List Profile window opens 3 Enter a name for the profile 4 Enter a comment or description 5 Select a color from the drop down list 6 Enter th...

Page 422: ...eate and view URL patterns 1 Select Object Manager UTM Misc URL Patterns You can view all the URL patterns and create a new URL pattern 2 Select The New URL Pattern window opens 3 Enter a name for the...

Page 423: ...methods External AV scanning This method forwards traffic to a Trend Micro device for scanning This option is not supported by devices running ScreenOS 5 3 or higher The security device forwards all t...

Page 424: ...ust specify the protocols HTTP and SMTP that the external AV server scans for viruses The default protocol timeout is 180 seconds but you can edit this default to meet your networking requirements You...

Page 425: ...set the following settings for each enabled protocol Scan Mode All Intelligent or by File Extension If you select Scan by File Extension you must populate the Ext List Include field Scanning Timeout S...

Page 426: ...or all of them to server groups You can then assign this server object or server group to an AV profile then assign that profile to a security policy To specify a server you will need the following in...

Page 427: ...so specify the MIME list that will be used for comparison See Multipurpose Internet Mail Extension MIME Lists on page 371 for information on creating MIME lists SMTP tab SMTP Enable Selecting this che...

Page 428: ...s organized by content There are two types of categories Custom Lists and Predefined Categories Custom Lists You can group URLs and create custom lists specific to your needs You can include up to 20...

Page 429: ...ble to display multiple shared objects in each cell This allows for a better filtering mechanism for the information reduces data redundancy in the case where all rules need to have the same e mail ad...

Page 430: ...rules and will ask you for confirmation of the command Once you confirm that you want to delete the object NSM will remove all usages of the object you are deleting from the security policy rules tha...

Page 431: ...r example you can configure a security policy that enables a device to control GTP traffic differently based on source and destination zones and addresses action and so on You configure GTP objects in...

Page 432: ...S Tunneling Protocol GTP Because GSNs have a limited capacity for GTP tunnels you might want to configure the security device to limit the number of GTP tunnels created To limit GTP tunnels enable Lim...

Page 433: ...GPP and 2GPP networks enable Remove r6 IE Inspecting Tunnel Endpoint IDs You can configure the security device to perform Deep Inspection on the tunnel endpoint IDs TEID in G PDU data messages To perf...

Page 434: ...y two messages above the set rate limit To view GTP traffic log entries use the Log Viewer Configuring IMSI Prefix and APN Filtering You can use the IMSI Prefix and APN to restrict access to a specifi...

Page 435: ...cify one and that the HLR did not verify the user s subscription to the network Verified MS or Network provided APN subscription verified This Selection Mode indicates that the MS or the network provi...

Page 436: ...the following Set Subscribers Set the number of number of subscribers that the security device actively traces concurrently The default number of simultaneous active traces is three 3 Specify Log Byte...

Page 437: ...r existing protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined service objects for most standard services You can also create custom se...

Page 438: ...meout value you can view the following service settings For Non ICMP services the service object displays the protocol ID source port range and destination port range For ICMP services the General tab...

Page 439: ...it that service object Creating Custom Services You can create custom service objects to represent protocols that are not included in the predefined services or to meet the unique needs of your networ...

Page 440: ...ports Service Object Groups You can group services together as a service object group then use that group in security policies and VPNs to simplify administration Each service object can be referenced...

Page 441: ...Non ICMP Services Entries area click the Add icon and select TCP The New Service Entry dialog box appears Configure the following a For Source Port select Range b For Source Port Range enter 0 to 6553...

Page 442: ...ese two numbers The ALG maps the program numbers into dynamically negotiated TCP UDP ports and permits or denies the service based on a policy you configure To create the Sun RPC service 1 In the main...

Page 443: ...To permit them you create an ms exchange info store service object that contains these four UUIDs The ALG maps the program numbers into dynamically negotiated TCP UDP ports based on these four UUIDs...

Page 444: ...h a service group object that contains the replaced service object You cannot undo or roll back a Replace With operation NOTE Replacingserviceobjectsonlyappliestothoseobjectsinthedomain in which you a...

Page 445: ...M administrators and remote access services RAS users on your network The information stored in an authentication server determines the privileges of each administrator When the security device receiv...

Page 446: ...hentication period never times out Admin user If the length of idle time reaches the timeout threshold the security device terminates the administrator session To continue managing the device the admi...

Page 447: ...ional and is not required to configure a RADIUS authentication server However you might need to configure this setting when implementing a new RADIUS server with an existing network and established us...

Page 448: ...entication requests The default port number is 1645 RADIUS Secret The secret password shared between a security device and the RADIUS server The RADIUS server uses the shared secret to generate a key...

Page 449: ...provided You can separate the authentication and accounting functions by specifying different RADIUS Authentication and Accounting servers In ScreenOS devices running 6 2 and later you can enable or...

Page 450: ...etworks uses the standard RADIUS attribute for IP address assignments Juniper Networks provides two dictionary files one for Funk Software RADIUS servers and one for Cisco RADIUS servers For Funk Soft...

Page 451: ...its shared secret as A56htYY97kl You change the authentication timeout value from the default 10 minutes to 30 minutes and the RADIUS retry timeout from 3 seconds to 4 seconds You also assign its two...

Page 452: ...ut against value generated by the RSA ACE server algorithm If the values match the authentication is successful For a SecurID authentication server object you must configure the following Authenticati...

Page 453: ...olled by directory servers To create an LDAP authentication server object configure the following LDAP Server Port The port number on the LDAP server to which the security device sends authentication...

Page 454: ...or deny access to individuals or groups NSM supports two types of user objects Local Users Users with accounts that are managed by your security devices You can create local user groups that include m...

Page 455: ...t 1 In the navigation tree double click the Object Manager select User Objects then select LocalUsers In the main display area click the Add icon and select New Group to display the New Local User Gro...

Page 456: ...DN e mail address during phase 2 the device prompts the user for their U FQDN for authentication To add an external user group object 1 In the navigation tree select Object Manager User Objects Extern...

Page 457: ...the RADIUS server documentation If you are using a Microsoft IAS RADIUS server there is no dictionary file to load you must manually define the correct vendor specific attributes VSAs on the server 2...

Page 458: ...gs You can use more than one VLAN object in a rule VLAN objects have the following components Name What the object is called in the NSM UI Comment and Color Useful for organizing and explaining the ob...

Page 459: ...evice configuration or VPN for a device running ScreenOS 5 1 or earlier the device automatically uses the first IP range defined in the IP Pool object To modify or delete an IP range from an IP Pool o...

Page 460: ...in the group expressions must be external users that are stored on an external RADIUS server A RADIUS server enables a user to belong to more than one user group The operators have different meanings...

Page 461: ...hat match the description of group expression a AND group expression b the security device authenticates the user only if both group expressions reference that user AND If the security policy defines...

Page 462: ...you can use that object in the Authentication rule options In this example you configure a group expression to authenticate all users that belong to your Sales group and your Marketing group then add...

Page 463: ...imary DNS server DNS2 Enter the IP address of the secondary DNS server WINS1 Enter the IP address of the primary WINS server WINS2 Enter the IP address of the secondary WINS server Configuring Routing...

Page 464: ...t 4 Select a color to represent the routing instance object 5 Enter a comment or description about the routing instance object 6 In the New Routing Instance dialog box click the Add icon The New Routi...

Page 465: ...For SRX Series gateways NAT settings must be configured in the device For more information on DIP MIP and VIP objects see the following sections Configuring DIP Objects on page 415 Configuring MIP Obj...

Page 466: ...click the Add icon to specify the device specific VIP configuration Device Select the security device that includes the VIP Interface Select the interface on the device that uses the virtual IP addre...

Page 467: ...AT Object on page 419 Deleting a Source NAT Object on page 419 Adding a Source NAT Object To add a source NAT object 1 Select Object Manager Junos NAT Objects Source NAT The Source NAT dialog box appe...

Page 468: ...ress prefixes IP Address Ipaddr Address By default port translation is enabled Enter a port range Select the No Translation check box to disable port translation Specify whether port translation must...

Page 469: ...referenced this object then all referenced areas are displayed as links in this dialog box Click on a link to navigate to the area where this object is referenced You can proceed with or cancel the d...

Page 470: ...ect the IP address of the interface which accepts the ARP requests from the Proxy ARP drop down list If there are no values listed select to configure a new value The New Interface dialog box appears...

Page 471: ...addresses whose ARP requests this device must accept as follows Click Address and select to configure the start of the address range in the New dialog box Click To and configure the end of the address...

Page 472: ...for those devices Generate a local and CA certificate in one click using SCEP Use OCSP to automatically check for revoked certificates ScreenOS 5 0 or later devices only Use a certificate chain that i...

Page 473: ...back to the root Partial Use partial validation to validate the certificate path only part of the way to the root Revocation Check Check for revocation Select this option to enable revocation checking...

Page 474: ...icate CA IDENT Enter the name of the certificate authority to confirm certificate ownership Challenge Enter the challenge words sent to you by the CA that confirm the security device identity to the C...

Page 475: ...our rule in an Extranet Policy object To create an Extranet Policy object 1 In the Object Manager select Extranet Policies The New ExtranetPolicyObject window appears 2 Enter the name of the Extranet...

Page 476: ...Third party host checker policies Secure virtual workspace wallpaper images Hosted Java applets Custom Citrix client CAB files See Managing Large Binary Data Files Secure Access and Infranet Controlle...

Page 477: ...es consist of the following elements IP Address The address represents the computer network or range of addresses to be considered part of this protected resource The address can be an individual host...

Page 478: ...eway to the protected resource You can add multiple security gateways to provide redundant access for the protected resource Editing Protected Resources You can edit protected resources to accommodate...

Page 479: ...proposals from VPN Manager select IKE Phase1 Proposals or IKE Phase2 Proposals Creating Custom IKE Phase1 Proposals Create a custom proposals for a specific combination of authentication and encryptio...

Page 480: ...ault value is 28800 seconds 8 hours Click OK to add the custom IKE object to the management system Creating Custom IKE Phase 2 Proposals Create a custom proposals for a specific combination of authent...

Page 481: ...then select the desired algorithm NOTE We strongly recommend that you do not use null AH with ESP Click OK to add the custom IKE object to the management system Configuring Dial in Objects Netscreen...

Page 482: ...vice a gateway in the device and a service point in the gateway BSG Admission Controllers BSG Admission Controllers control Session Initiation Protocol SIP dialogs and transactions You can define the...

Page 483: ...ported in Junos OS Release 9 5 and later When updating devices running under earlier versions of Junos OS the admission controller setting is dropped 433 Copyright 2010 Juniper Networks Inc Chapter 8...

Page 484: ...Copyright 2010 Juniper Networks Inc 434 Network and Security Manager Administration Guide...

Page 485: ...ll as how that traffic is treated while inside A security policy can contain firewall rules in the Zone and Global rulebases multicast rules in the Multicast rulebase and IDP rules in the Application...

Page 486: ...signing a policy to a device see Assigning a Security Policy to a Device on page 509 Viewing Rulebase Columns for a Security Policy By default each rulebase displays a subset of available columns for...

Page 487: ...x Viewing and Editing Custom Policy Fields NSM allows you to create multiple fields under Rule Options You can customize this fields to save metadata and you can edit and filter the values in each of...

Page 488: ...rulebase when you need to control traffic between specific zones The zone specific rulebase can contain firewall rules and VPN rules and links Global Contains rules that are valid across all zones Cre...

Page 489: ...s by ensuring that the three way handshake is performed successfully for specified TCP traffic If you know that your network is vulnerable to a SYN flood use the SYN Protector rulebase to prevent it T...

Page 490: ...ks by permitting or denying specific network traffic flowing from one zone to another zone After you have added a device in NSM you can create rules in the firewall rulebases of your security policy Y...

Page 491: ...e on which the firewall rule is installed You can install the same rule on multiple devices To begin configuring firewall rules for your managed devices see Configuring Firewall Rules on page 448 VPN...

Page 492: ...t group address in an internal zone to a different address on the outgoing interface specify both the original multicast address and the translated multicast group address in a multicast rule When you...

Page 493: ...is directly in the path of traffic on your network and can detect and block attacks For example you can deploy the device with integrated Firewall VPN IDP capabilities between the Internet and an ente...

Page 494: ...hat rules are applied to network traffic by placing the rules in the desired sequential order disabling a rule negating source or destination addresses ScreenOS 5 x devices only and so on Validate a s...

Page 495: ...address objects DI profiles and Global MIPS no predefined objects exist before you can use one of these objects in a rule you must create the object in Object Manager Applying the Same Object to Multi...

Page 496: ...es a Policy Filter tool to filter policy rules based on one or more filter conditions specified for rule attributes One filter can contain several filter conditions for different attributes The filter...

Page 497: ...emplate contains rules that use the default actions associated with the attack object severity and protocol groups You should customize these templates to work on your network by selecting your own ad...

Page 498: ...s Security policies start with a minimum of rules and rulebases You can add additional rules to the rulebases as needed To add a rulebase 1 In the main navigation tree select Policies then double clic...

Page 499: ...on addresses using the Select Address Dialog box In this dialog box you can populate hosts networks group addresses and polymorphic objects based on the context of the IP version selected The policy f...

Page 500: ...are configuring the Source and Destination components of a rule right click in the Source or Destination column of a rule and select Add Address Next click the Add icon at the top of the New Source Ad...

Page 501: ...rvers to your Engineering Servers set the To Zone to Engineering and the From Zone to Marketing Set the source address as the address group object that represents your Marketing servers and the destin...

Page 502: ...ory To control FTP traffic from the Engineering Server in the trust zone to the corporate Web Server in the DMZ zone select the FTP HTTP IMCP ANY and TELNET service objects You can create your own ser...

Page 503: ...ofiles to detect and prevent attacks in permitted traffic For J Series and SRX Series devices you can also use the NSM GUI to enable or disable DI IDP and Application Services To use this feature 1 Se...

Page 504: ...for Firewall Rules on page 461 Configuring Antivirus for Firewall Rules on page 462 Configuring a DI Profile Enable IDP for Firewall Rules on page 463 Configuring the Session Close Notification Rule...

Page 505: ...ng Firewall VPN Devices For J Series devices you can configure a NAT for a policy rule as one of the following An interface A pool of a specific device interface A PoolSet defined under the source NAT...

Page 506: ...o pass through the ingress interface Priority You can set a priority for each firewall rule in your security policy Your security device passes permitted traffic according to the priority level specif...

Page 507: ...ches network traffic to the rule the device creates a traffic log entry that describes that event and NSM displays the traffic log entry in the Log Viewer You can enable logging when a session is init...

Page 508: ...ts the system to output logs to an e mail address in SMTP format You must specify the recipient e mail address es that receives the exported log records Running Scripts Selecting this option directs t...

Page 509: ...curity device correctly checks traffic ID The rule ID is a number that uniquely identifies a rule within the rulebase and security policy After you install a rule as part of a security policy on a sec...

Page 510: ...d to a firewall rule When a profile is bound to the firewall rule the security device matches the URL in the incoming HTTP request to the categories in the profile in the following sequence Black List...

Page 511: ...pecified RAS users to connect without authentication Authentication Use for RAS users that use HTTP FTP or Telnet services to connect to the protected network You can select an access profile as an au...

Page 512: ...et OR is located behind a NAT device that uses a single IP address for all NAT assignments only the first remote user from that source address must initiate and authenticate an HTTP FTP or Telnet conn...

Page 513: ...tect the attack itself NSM contains a database of predefined attack objects that detect known and unknown attacks against your network You can use these predefined attack objects and your own custom a...

Page 514: ...ther mode enables IDP for the firewall rule and configures the security device to forward all permitted traffic to the IDP rulebases for further processing Limiting Sessions per Policy from Source IPs...

Page 515: ...ult this option is disabled Before you can enable the Session Close Notification feature on NSM for a device you must first set the following options a From Device Advanced Packet flow Disable Skip TC...

Page 516: ...ination zone These zones must be available on the security devices on which you install the policy You can also select multiple zone exceptions for both source and destination zones A zone exception i...

Page 517: ...ast2 For Color select red For IP Address enter 232 1 1 2 For Netmask enter 16 NOTE NSM validation prevents you from setting a 32 bit netmask in multicast In the main navigation tree select Policies th...

Page 518: ...ination zones source destination address objects and the application layer protocols services supported by the destination address object You can also negate zones address objects or services Standalo...

Page 519: ...sections detail the Match columns of an IDP rule Configuring Source and Destination Zones for IDP Rules Does not apply to Standalone IDP Sensor rulebases You can select multiple zones for the source a...

Page 520: ...irewall Rule Options When it receives a packet the firewall verifies the role name of the user against the list of user roles and user role groups provided before forwarding the packet You can configu...

Page 521: ...ervices that use TCP UDP RPC and ICMP transport layer protocols Service objects represent the services running on your network NSM includes predefined service objects that are based on industry standa...

Page 522: ...ether or not the traffic matches the attack objects in the matching rule You can use a terminal rule for the following purposes To set different actions for different attacks for the same Source and D...

Page 523: ...against attacks that match rules in your security policy For each attack that matches a rule you can choose to either take action on the packet containing the attack permit or drop packet or take act...

Page 524: ...through Drop Packet IDP drops the connection without sending a RST packet to the sender preventing the traffic from reaching its destination Use this action to drop connections for traffic that is not...

Page 525: ...cks is a good option if you know the exact name of the attack you want to add to a rule To locate a specific word or string in the attack object name use the integrated search function in NSM Attack G...

Page 526: ...ects for several predefined operating systems to help you choose the attack objects that are the most dangerous to specific components on your network You can choose BSD Linux Solaris or Windows Addin...

Page 527: ...he rule Configuring IP Actions in IDP Rules This column only appears when you view the security policy in Expanded Mode To change the security policy view from Compact Mode to Expanded Mode from the m...

Page 528: ...l The security device blocks future traffic based on the source destination destination port and protocol of the attack traffic This is the default Source The security device blocks future traffic bas...

Page 529: ...important security events on your network NOTE J Series and SRX Series devices do not send packet data to NSM If your policy rules attempt to do so then NSM does not log the data Setting Logging In th...

Page 530: ...r a range of VLAN tag values Use VLAN objects to create individual VLAN tags or ranges of VLAN tags You can assign more than one VLAN object to a rule To assign a VLAN object to a rule or to set the V...

Page 531: ...ndalone IDP Sensors function in this mode by default and do not have to be specifically configured for it In this example you are deploying an ISG2000 device as a standalone IDP security system betwee...

Page 532: ...IDP policy NOTE If you select an IDP rule associated with multiple IDP policies from the IDP rule table in a Security Policy window the Policies panel displays the multiple IDP policies to which the r...

Page 533: ...lication objects You can specify the action you want the security device to perform against the current connection and future connections from the same source IP address see Choosing an IP Action Conf...

Page 534: ...e traffic flow row 4 Select Create Application Rules For Policies The New Application Rules dialog box is displayed NOTE If an APE rulebase is not already configured the rulebase is automatically conf...

Page 535: ...In the NSM system address objects are used to represent components on your network hosts networks servers and so on Typically a server or other device on your network is the destination IP for incomin...

Page 536: ...your network you can specify which services are supported by the destination IP to make your rule more efficient NOTE All services rely on a transport layer protocol to transmit data IDP includes ser...

Page 537: ...iption Action IDP takes no action against the connection If a rule that contains an action of None is matched the corresponding log record displays accept in the action column of the Log Viewer None I...

Page 538: ...in Expanded Mode To change the security policy view from Compact Mode to Expanded Mode from the menu bar select View Expanded Mode If the current network traffic matches a rule the security device ca...

Page 539: ...re are no logging options set Setting Timeout Options You can set the number of seconds that you want the IP action to remain in effect after a traffic match For permanent IP actions leave the timeout...

Page 540: ...packet capture enabled match the same attack the security device captures the maximum specified number of packets For example you configure Rule 1 to capture 10 packets before and after the attack and...

Page 541: ...rforming the specified action or creating a log record for the event NOTE If you delete the IDP rulebase the Exempt rulebase is also deleted You might want to use an exempt rule when an IDP rule uses...

Page 542: ...r network traffic originating or destined for any zone NOTE You can create custom zones for some security devices The list of zones from which you can select source and destination zones includes the...

Page 543: ...shed to the target devices To enter a comment right click the Comments column and select Edit Comments The Edit Comments dialog box appears You can enter up to 1024 characters in the Comments field Cr...

Page 544: ...can detect all backdoors both known and unknown If interactive traffic is detected IDP can perform IDP actions against the connection to prevent the attacker from further compromising your network Wh...

Page 545: ...OTE You can create custom zones for some security devices The list of zones from which you can select source and destination zones includes the predefined and custom zones that have been configured fo...

Page 546: ...spoofing Drop Connection IDP closes the interactive connection and sends a RST packet to both the client and the server If the IDP is in sniffer mode IDP sends a RST packet to both the client and ser...

Page 547: ...og record Logging Packets You can record the individual packets in the network traffic that matched a rule by capturing the packet data for the attack Viewing the packets used in an attack on your net...

Page 548: ...or rulebase to prevent it The TCP Handshake When a TCP connection is initiated a three way handshake takes place A client host sends a SYN packet to a specific port on the server to request a connecti...

Page 549: ...hold below which SYN Protector will be deactivated the default value is 1000 Upper SYN s per second threshold above which SYN Protector will be activated the default value is 20 Once the SYN Protector...

Page 550: ...ons are established promptly minimizing the use of server resources The timer IDP uses for the connection establishment is shorter than the timer the server uses for the connection queue IDP transfers...

Page 551: ...column of the Log Viewer for the matching log record Logging Packets You can record the individual packets in the network traffic that matched a rule by capturing the packet data for the attack Viewin...

Page 552: ...to connect to every port on a single machine port scanning or connect to multiple IP addresses on a network network scanning By determining which services are allowed and responding on your network at...

Page 553: ...an 50 IP addresses on your internal network within 120 seconds The same Source IP attempts to ping 50 IP addresses on your internal network within 120 seconds Session Limiting You can set a session li...

Page 554: ...monitor The values are measure in number of hits Port Count in a particular number of seconds Time Threshold Setting Response Options The IP Action column governs what action the IDP Sensor takes whe...

Page 555: ...column of the Log Viewer for the matching log record Logging Packets You can record the individual packets in the network traffic that matched a rule by capturing the packet data for the attack Viewin...

Page 556: ...tackers who are attempting to break into your network A counterfeit port can appear to offer notoriously vulnerable services to make the port attractive to attackers You create a counterfeit port in t...

Page 557: ...Configure your IP Action settings as appropriate for your network Setting Notification You can choose to log an attack and create log records with attack information that you can view real time in the...

Page 558: ...fter the attack NOTE Packet captures are restricted to 256 packets before and after the attack Setting Severity You can override the inherent attack severity on a per rule basis within the SYN Protect...

Page 559: ...you want to assign to the device Double click a device to open the device configuration In the Info tab under Policy for device select the policy you want to assign to the device You can use a single...

Page 560: ...l problems can leave your network vulnerable Rule Duplication Rule duplication occurs when an administrator configures the same rule in a rulebase more than once Rule duplication can also occur during...

Page 561: ...lso identify unsupported options in your security policy Because different security devices and system support different features and options policy validation checks the rules in the policy to ensure...

Page 562: ...olicy installation NSM installs the rules in the policy on the security devices you selected in the Install On column of each rule The install process occurs between the management system and your man...

Page 563: ...m the menu bar select Tools Preferences Device Update The system wide setting enabled or disabled becomes the default setting for all device updates but you can change the setting as needed for each i...

Page 564: ...pdate IDP Rulebase Only check box in the Update Device Options dialog box The IDP on ISG rulebases are as follows IDP Backdoor Exempt Managing Rules and Policies Managing rules and policies for multip...

Page 565: ...t disable an entire security policy or a rulebase You can however disable individual rules for details see Disabling a Rule on page 517 When you reimport a device that was previously managed by NSM yo...

Page 566: ...he field value you cut or copied is added in the field that received the paste operation If an element is pasted into a field that specifies any then any is deleted Cut copy and paste operations are n...

Page 567: ...alone IDP device into the Install On column for a zone based firewall rulebase Dragging and dropping objects is also not supported on any predefined IDP policy Deleting a Rule To delete a rule right c...

Page 568: ...reassign a policy to a reimported device For example if you reimport a previously managed security device you might want to first merge the imported policy with a more comprehensive policy then assig...

Page 569: ...and install on columns then collapses those rules into a single rule NSM does not collapse rules that contain different zones or rules that refer to unique VPNs By default NSM also updates the device...

Page 570: ...case of in device policy management In addition the inactive policies are not displayed on the UI when the device is in central policy manager mode All shared objects that are used in the inactive pol...

Page 571: ...ile Export Policy from the menu bar In the dialog box select Zone based Firewall Rules Select Show Expanded View Browse to an export directory and click Select Export Directory Click Export NSM create...

Page 572: ...ays the version history for the selected policy You can use this window to create a new version or work with existing versions When you set NSM up for automatic policy versioning a new version is crea...

Page 573: ...on This section explains how to edit comments for an existing policy version To edit comments for an existing version 1 In the NSM GUI right click on a policy 2 In the popup menu select View Versions...

Page 574: ...Select an earlier version in the window and click Next A Diff window appears comparing the old and current version 6 View the differences and click Next The Object Editor appears 7 Make any necessary...

Page 575: ...to decrement the final number default none Comments Contains You can enter partial text from the version comments in this field Create After Click the up arrow the increment the start date for the app...

Page 576: ...evices 2 Under the Device Tree tab right click on a listed device 3 In the popup menu select View Versions The Version History window appears 4 Select the older database version in the window and clic...

Page 577: ...omain hierarchy is used when applying pre post rules to subdomains Within any subdomain global domain pre rules take precedence over subdomain pre rules which take precedence over Security policy spec...

Page 578: ...dds a domain level pre post rule either from the regional server or from the Central Manager server pushing prerules and postrules to the regional server the regional server generates a server wide un...

Page 579: ...nd postrules to Regional Server This procedure assumes that a Central Manager administrator is logged onto a Central Manager client and a pre post rule has been added To push a pre post rule 1 In the...

Page 580: ...cts are objects that can be defined at the Central Manager or regional server level Polymorphic objects can be used as place holders for values that will be defined in a different context in a regiona...

Page 581: ...ect Categories Polymorphic objects are in the same category as concrete objects of the same nature The shared object type attribute includes a new value for polymorphic objects of a specific category...

Page 582: ...Address to open the Add Polymorphic Address dialog box 4 Enter the following information for the new polymorphic address then click OK Name Color optional IP version IPv4 or IPv6 Comment optional NSM...

Page 583: ...o show the polymorphic address objects pushed to this regional server 4 Double click the object you want to map to a real value 5 Click the Add icon in the toolbar to open the New Address Map Entry di...

Page 584: ...Copyright 2010 Juniper Networks Inc 534 Network and Security Manager Administration Guide...

Page 585: ...these shared objects into the transaction rule Juniper Networks M Series and MX Series routers running Junos 9 5 and later can be managed in two modes Central Policy management CPM and In Device manag...

Page 586: ...st source Enter a regular expression Contacts Enter a regular expression 7 Select the desired action for the rule under the Then header The actions are Accept Accept the traffic and send it to its des...

Page 587: ...from log reports Admission controller settings are dropped from the policies pushed to devices running Junos OS Releases earlier than 9 5 NOTE NSM 2009 1 and later releases support BSG transactions in...

Page 588: ...Copyright 2010 Juniper Networks Inc 538 Network and Security Manager Administration Guide...

Page 589: ...t to this NAT rulebase A rule set consists of a general set of matching conditions for traffic If the traffic matches these conditions then that traffic is selected for NAT A rule set can contain mult...

Page 590: ...Rule Set to the Source NAT Rulebase To add a rule set to the source NAT rulebase 1 Click at the upper left corner of the Source NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set di...

Page 591: ...ing a Rule to a Source NAT Rule Set To add a new rule to a rule set 1 From the Source NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Source NAT t...

Page 592: ...tions to perform Under the Name header Add Rule Enables you to add rules to the rule set from the New Rule dialog box Specify the values and click OK Add Source Enables you to view and modify the sour...

Page 593: ...t All requests from a specific internal IP address and port are mapped to the same reflexive transport address Target host port All requests from a specific internal IP address and port are mapped to...

Page 594: ...e set to the destination NAT rulebase 1 Click at the upper left corner of the Destination NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set dialog box appears Here you must specify...

Page 595: ...le to a Destination NAT Rule Set To add a new rule to a rule set 1 From the Destination NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Destinatio...

Page 596: ...e source that you set previously Under the Match header Src Address Edit Enables you to cut copy and paste the values that are within this field Add Src address Enables you to add additional sources E...

Page 597: ...is rulebase For more information on adding a static NAT rule sets to the rulebase see Adding a Rule Set to a Static NAT Rulebase on page 547 Adding a Rule Set to a Static NAT Rulebase To add a rule se...

Page 598: ...name gets created and is displayed in the Security Policy window The next step is to add rules to the rule set For more information see Adding a Rule to a Static NAT Rule Set on page 548 Adding a Rule...

Page 599: ...are satisfied with the values click OK Add Source Enables you to view and modify the source that you set previously Under the Zone RJ Interface header View Modify Source Enables you to view and modify...

Page 600: ...Copyright 2010 Juniper Networks Inc 550 Network and Security Manager Administration Guide...

Page 601: ...appear as a single wide area network WAN VPNs replace costly Point to Point Protocol PPP and Frame Relay connections that require dedicated lines and sometimes even satellites between your private net...

Page 602: ...single device Creating System Level VPNs with VPN Manager For AutoKey IKE and L2TP VPNs create the VPN at the system level using VPN Manager VPN Manager supports AutoKey IKE VPNs In policy based or ro...

Page 603: ...or policy based VPNs or to control traffic through the tunnel for route based VPNs You can also create AutoKey IKE L2TP and L2TP over AutoKey IKE VPNs at the device level Supported VPN Configurations...

Page 604: ...tunnel VPN tunnel termination points are the end points of the tunnel traffic enters and departs the VPN tunnel through these end points Each tunnel has two termination points a source and destination...

Page 605: ...l spokes if you do not include the hub the hub device routes traffic between spokes Use a hub and spoke topology when you want to route VPN traffic through a VPN member that does not contain protected...

Page 606: ...ata is encrypted at the source and remains encrypted until reaching its destination Intermediate systems that transmit the packet like routers and switches on the Internet do not need to decrypt the p...

Page 607: ...Key IKE VPN you can use the Internet Key Exchange IKE protocol to generate and distribute encryption keys and authentication algorithms to all VPN nodes IKE automatically generates new encryption keys...

Page 608: ...RADIUS servers However because PPP is not an IP protocol Internet routers and switches cannot route PPP packets To route PPP packets you use L2TP which encapsulates PPP packet inside an Internet rout...

Page 609: ...e Based VPNs Like a policy based VPN a route based VPN tunnels traffic between two security devices or between one security device and a remote user However a route based VPN automatically tunnels all...

Page 610: ...s Define Security Protocol Encryption and Authentication How do you want to protect the VPN traffic Autokey IKE L2TP L2TP over AutoKey IKE Manual Key you cannot use VPN Manager to create a Manual Key...

Page 611: ...and AH Authentication ESP AutoKey IKE Encryption IP traffic Remote access users L2TP RAS VPN Use to authenticate but not encrypt PPP or other non IP traffic between RAS users and protected resources A...

Page 612: ...ust configure all basic and required policy and route based components NOTE For step by step instructions on creating VPNs see the NSM Online Help topic VPNs Preparing Basic VPN Components To create a...

Page 613: ...that represent those network components to the protected resource object To protect a single network component that is accessible by multiple security devices add multiple devices to the protected res...

Page 614: ...IKE Uses IPSec ESP and AH for encryption and authentication AutoKey IKE users have a unique IKE ID that NSM uses to identify and authenticate the user during IKE Phase I negotiations To simplify RAS...

Page 615: ...DC in wildcard when using ASN1 DN to create IKE ID or a group of Wildcard ID NSM devices authenticate a RAS IKE user s ID if the values in the RAS IKE user s ASN1 DN identity fields match those in th...

Page 616: ...unnel interface borrows the IP address of the default interface of the security zone Tunnel Zones A tunnel zone is a logical construction that includes one or more numbered tunnel interfaces You must...

Page 617: ...t obtain and install a digital certificate on each VPN member A digital certificate is an electronic means for verifying identity through the word of a trusted third party known as a Certificate Autho...

Page 618: ...t CA You can also use SCEP to configure the device to automatically obtain a CA certificate at the same time it receives the local certificate Configuring CRL Objects A Certificate Revocation List CRL...

Page 619: ...not support routing based VPNs mixed mode VPNs or L2TP RAS users L2TP RAS VPN Use to connect L2TP RAS users and protected resources without encryption L2TP over AutoKey IKE RAS VPN Use to connect L2TP...

Page 620: ...gs For all protected resources you can configure policy based NAT Use policy based NAT to translate private source IP addresses to Internet routeable IP addresses Configuring NAT is optional if you do...

Page 621: ...MIP to use a mapped IP address for the interface Global MIP Select the global MIP object that represents the mapped IP address you want to use for the interface Global VIP Select the global VIP object...

Page 622: ...e settings object on a specific device in the VPN those settings override the settings defined in the VPN Adding RAS Users In the Remote User area you can add RAS users to the VPN When configuring an...

Page 623: ...table entry to a specific VPN tunnel in the NHTB table the device can use one tunnel interface for all VPN traffic through the device This option is enabled by default To create entries in the Next H...

Page 624: ...capabilities and the topology describes the logical connections between those nodes A node can be Hub A hub can connect to a branch or main Main A main can connect to a hub branch or another main Whe...

Page 625: ...already set as a Hub then you cannot set it as a Spoke or vice versa Assign NHRP redistribution rules You can make this setting from the VPN Manager VPNs AutoKey IKE VPN VPN Device Tunnel Summary Edit...

Page 626: ...automatically generates the termination point for the serial interface during VPN creation To override the default termination interface right click the VPN member select Edit and select a new termin...

Page 627: ...ts VPN performance you should only use NAT Traversal for remote users that must connect to the VPN over an external NAT device You do not need to enable NAT T for your internal security device nodes t...

Page 628: ...to authenticate Allowed Authentication Type Select Any or CHAP User Name and Password Enter the user name and password that the RAS user must provide for authentication NOTE All passwords handled by...

Page 629: ...uthenticationmethod to Preshared Key To use a user defined proposal select a single proposal from the list of predefined and custom IKE Phase 1 Proposals For details on custom IKE proposals If your VP...

Page 630: ...ully Qualified Domain Name when the gateway is a dynamic IP address such as a RAS user A U FQDN is an e mail address For example user1 mycompany com Configuring IKE To configure the IKE properties and...

Page 631: ...at the VPN monitoring status has changed the device triggers an SNMP trap the VPN Monitor in RealTime Monitor tracks these SNMP statistics for VPN traffic in the tunnel and displays the tunnel status...

Page 632: ...If your VPN includes extranet devices you should use multiple proposals to increase security and ensure compatibility Autogenerating VPN Rules When you have completed configuring the policy and route...

Page 633: ...ate NSM window using the same row and column format as in the Security Policies NOTE Policy rules do not appear for route based VPNs Changing Rule Position The position of the rules indicates the orde...

Page 634: ...oKey IKE VPN Settings For VPNs that use AutoKey IKE this displays the VPN name remote gateway and IPSec Mode for each tunnel in the VPN To override the general properties security binding proxyID and...

Page 635: ...rides the VPN link automatically updates to reflect those edits Editing VPNs To edit a VPN created with VPN Manager 1 In the navigation tree select VPNs A table listing all configured VPNs appears in...

Page 636: ...Manual Key VPN see Device Level VPN Examples on page 616 Example Configuring an Autokey IKE Policy Based Site to Site VPN An AutoKey IKE VPN connects protected resources using AutoKey IKE Use this VPN...

Page 637: ...t Network Configure the following then click OK For Name enter Tokyo Trust LAN For IP Address Netmask enter 10 1 1 0 24 For Color select magenta For Comment enter Tokyo Trust Zone b Add the Paris Trus...

Page 638: ...tected Resource Object for AutoKey IKE VPN 5 Create the VPN In the navigation tree double click VPN Manager then right click VPNs and select AutoKey IKE VPN The New AutoKey IKE VPN dialog box appears...

Page 639: ...lowing For Hub and Supernet leave the default of none Enable Mesh Main s In the Mains window select the Paris and Tokyo security devices c Click OK to return to the Topology dialog box then click OK t...

Page 640: ...d the VPN Manager autogenerated rules You create this link by inserting a VPN link in the zone rulebase this links points to the VPN rules that exist in the VPN Manager In Security Policies select an...

Page 641: ...1 1 1 24 in the Untrust zone 2 Create the address objects that you will use to create Protected Resources for details on creating or editing address objects a Add the Chicago Corporate Trusted LAN 10...

Page 642: ...s In the main display area click the Add icon and select Local Configure then click OK Figure 92 Add New Local User for AutoKey IKE RAS VPN 6 Create the VPN In the navigation tree double click VPN Man...

Page 643: ...Chicago Corporate to use ethernet3 as the termination point this is the Untrust interface then click OK to return to the main display area 9 Configure the remote users for the VPN a In the Remote User...

Page 644: ...of the policy but you can move the VPN link anywhere in the policy just as you would a firewall rule Example Configuring an Autokey IKE Route Based Site to Site VPN In this example an AutoKey IKE VPN...

Page 645: ...s Netmask enter 10 2 2 0 24 For Color select magenta For Comment enter Paris Trust Zone Create the VPN In the navigation tree double click VPN Manager Right click VPNs and select AutoKey IKE VPN The N...

Page 646: ...his VPN is route based no rules are autogenerated However you can view the device tunnel summary to see all autogenerated tunnels between each security device in the VPN Figure 94 View Tunnel Summary...

Page 647: ...Select Network Virtual Router to display the list of virtual routers on the device 8 Double click the trust vr route to open the vr for editing In the virtual router dialog box click Routing Table th...

Page 648: ...attributes VSAs on the server 2 Add the authentication server object In the main navigation tree select Object Manager Authentication Servers and click the Add icon Configure the following then click...

Page 649: ...Reseller group In the Object Manager select Address Objects then click the Add icon and select Network The New Network dialog box appears Configure the following then click OK For Name enter reseller...

Page 650: ...OK 2 Configure the termination points of the VPN Click the Termination Points link The Termination Points dialog box appears 3 Configure the Bozeman device to use ethernet3 as the termination point t...

Page 651: ...area Right click the autogenerated gateway and select Edit The Properties tab appears In the IKE IDs XAuth tab configure the XAuth area to authenticate only the Reseller external group For user select...

Page 652: ...t support RAS users L2TP VPNs support transport mode and can be policy based Creating AutoKey IKE VPNs Creating device level AutoKey IKE VPNs is a four stage process Configure Gateway Configure Routes...

Page 653: ...for that device Each security device member has a remote gateway that it sends and receives VPN traffic to and from To configure a gateway for a VPN member you need to define the local gateway the int...

Page 654: ...t are users select the User object or User Group object that represents the RAS user Dynamic IP Address For remote gateways that use a dynamic IP address select dynamic IP address Outgoing Interface T...

Page 655: ...ASN1 DN Abstract Syntax Notation version 1 is a data representation format that is non platform specific Distinguished Name is the name of the computer Use ASN1 DN to create a Group ID that enables m...

Page 656: ...authentication password is sent in the clear User Name and Password Enter the user name and password that the RAS user must provide for authentication NOTE All passwords handled by NSM are case sensit...

Page 657: ...urity and ensure compatibility Configuring Routes Route based only For a routing based VPN member you must configure Tunnel zone or tunnel interfaces on the member Static or dynamic routes from the me...

Page 658: ...de for L2TP over IPSec NSM does not encapsulate the IP packet meaning that the original IP header must remain in plaintext However the original IP packet can be authenticated and the payload can be en...

Page 659: ...ed tunnel zone on the security device to bind the VPN tunnel directly to the tunnel zone The tunnel zone must include one or more numbered tunnel interfaces when the security device routes VPN traffic...

Page 660: ...le VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitoring behavior as follows Considers incoming traffic in the VPN tunnel as ICMP echo repli...

Page 661: ...ic routes from the member to other VPN members VPN traffic flows through the tunnel zones or tunnel interfaces on the security device and uses static or dynamic routes to reach other VPN members You m...

Page 662: ...ace or tunnel zone to increase the number of available interfaces in the security device To use a tunnel interface and or tunnel zone in your VPN you must first create the tunnel interface or zone on...

Page 663: ...populate the next hop tunnel binding table NHTB table and the route table when multiple VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitorin...

Page 664: ...ion assigned by the user s ISP However when the L2TP RAS user sends VPN traffic through the tunnel the security device assigns a new IP address and WINS DNS information that enables the traffic to rea...

Page 665: ...4 2 Configure L2TP Settings see Configuring L2TP on page 614 3 Configure Peer Gateway see Configuring Gateways on page 603 4 Configure Routes Route based only see Configuring Routes Route based only o...

Page 666: ...e on the source VPN member that contains the termination interface for the VPN tunnel To Zone Select the zone on the destination VPN member that contains the termination interface for the VPN tunnel S...

Page 667: ...1 Add the Tokyo and Paris security devices 2 Configure the Tokyo device with the following interfaces Ethernet1 is the Trust IP 10 1 1 1 24 in the Trust zone Ethernet3 is the Untrust IP 1 1 1 1 24 in...

Page 668: ...as shown below For Name enter Tokyo_Paris For Gateway enter 2 2 2 2 For Local SP enter 3020 For Remote SPI enter 3030 For Outgoing Interface select ethernet3 For ESP AH select ESP CBC For Encryption A...

Page 669: ...tables 16 Configure a route from the untrust interface to the gateway and then click OK Figure 95 Configure Tokyo Route for RB Site to Site VPN MK 17 Configure route from the trust zone to the tunnel...

Page 670: ...Properties screen appears 3 Configure the following then click OK For Zone select untrust For IP Options select Unnumbered For Source Interface select ethernet3 4 Create the Paris VPN In the device na...

Page 671: ...ation based and source based routing tables ScreenOS 5 1 and later devices display destination based source based and source interface based routing tables 4 Configure a route from the untrust interfa...

Page 672: ...rity devices and the shared address objects Next you configure the VPN tunnel and add the necessary static routes on each device Finally you create VPN rules in a security policy to create the VPN tun...

Page 673: ...tication Algorithm select SHA 1 then select Generate Key by Password and enter the password PNas134a 4 Select the Binding tab Enable Tunnel Zone and select untrust tun 5 Click OK to save the new VPN 6...

Page 674: ...e settings objects 1 Configure an L2TP user object for Adam then click OK For Name enter Adam Select Enable then select L2TP Select Password then enter and confirm the password AJbioJ15 2 Configure an...

Page 675: ...lect Field Sales 4 Click OK to save your changes to the device 5 Configure a rule in the Zone Rulebase of a security policy Auto Connect Virtual Private Network Hub and spoke configurations are deploy...

Page 676: ...en select the devices to be included in the hub and spoke topology Click OK 3 Configure the topology In the general configuration area of the VPN Manager click the Topology link The New Topology dialo...

Page 677: ...ox appears Click Protocol NHRP Ensure that the Enable NHRP check box is selected Click OK 8 For the hub virtual router NHRP settings In the configuration area of this VPN click the Device Tunnel Summa...

Page 678: ...Copyright 2010 Juniper Networks Inc 628 Network and Security Manager Administration Guide...

Page 679: ...are used by Central Manager pre post rules are available in regional servers attack db and so on When you update pre post rules the Central Manager and regional server versions must match NOTE You can...

Page 680: ...any of the regional servers managed by Central Manager and begin managing the servers using all assigned permissions No extra log on off steps are required for administrators to navigate from one reg...

Page 681: ...object manager and the VPN manager NOTE You cannot switch a J Series or SRX Series device from central management mode to device management mode if the device has an assigned policy Using Central Mana...

Page 682: ...Central Manager administrators can log into regional servers directly from Central Manager The following procedure assumes that a Central Manager administrator is logged onto a Central Manager client...

Page 683: ...pdated only if they are actually being used by the pre post rules on the Central Manager server All new shared objects are replicated inserted into the global domain of the regional server Objects tha...

Page 684: ...added existing polymorphic object are kept and incoming global policy rules use existing polymorphic object Incoming polymorphic object with the same name are discarded Name conflict with a regional s...

Page 685: ...networkcan include J Series M Series MX Series and EX Series devices as well as ScreenOS and IDP devices IP phones desktops printers and servers The Topology Manager also provides details about connec...

Page 686: ...ws and not the different table views To add a device a Select the Manage Devices icon A dialog opens b Enter the SSH user name and password c Select OK Set Preferences Use this tool to set preferences...

Page 687: ...all switches and switch ports as well as on all LLDP or LLDP MED enabled devices such as IP Phones Ensure that the included subnets specified in Topology Manager preferences are sufficient for all swi...

Page 688: ...links among network devices in the topology both between network devices as well as between network and end point devices 9 Select Free Ports to view a list of EX Series switches and the available po...

Page 689: ...part of a Link Aggregation Group LAG are displayed as a single distinctive link between the interfaces Menu Options in the Topology Map View You can perform the following actions from the right click...

Page 690: ...only when the topology discovery is completed About the NSM Topology Table Views The NSM Topology Manager provides both graphical and tabular views of your network topology A tabular view of the topol...

Page 691: ...table lists all the free ports available on the devices discovered by the topology discovery engine If the administrative status of a device port is down it is considered a free port The managed statu...

Page 692: ...topology You can set a particular time of day or regular intervals The time of your initial discovery serves as the basis of calculation for future discoveries Preferred Subnets Tab This tab allows yo...

Page 693: ...u to open the configuration editor to view and edit a device s configuration Update device configuration You can use the Update menu to update the changed configuration on the device View device detai...

Page 694: ...Copyright 2010 Juniper Networks Inc 644 Network and Security Manager Administration Guide...

Page 695: ...ethernet switching port mode is set to access RSTP is enabled with the edge option and port security parameters MAC limit 1 dynamic ARP Inspection and DHCP snooping enabled are set Layer 2 Uplink Port...

Page 696: ...ion to resolve conflicts between the port template configuration and the actual configuration on the associated device See Detect and Resolve Configuration Conflicts on page 648for details Customize p...

Page 697: ...ave the changes and close the Manage Template Port Association screen To edit port template parameters 1 Select the port template from the list in the Manage Template Port Association screen 2 Click E...

Page 698: ...administrator you can create port templates using the Customize Port Template feature 2 To modify the default template name type a name in the Template Name field 3 To modify the default description t...

Page 699: ...duler Map Name field 4 To edit scheduler settings click Edit Scheduler The Edit Scheduler screen is displayed Specify the following Scheduler name Transmit Rate Select one Unconfigured if you do not w...

Page 700: ...Copyright 2010 Juniper Networks Inc 650 Network and Security Manager Administration Guide...

Page 701: ...of Infranet Controllers IC and Enforcement Points EP The Infranet Controller View on page 651 The Enforcement Point View on page 652 The Infranet Controller View The NSM main display area is horizont...

Page 702: ...n the selected IC Each EP can be associated with only one Location Group available in the IC 5 Enter the Infranet Controller port to which the EP should communicate The default port is 1812 6 Enter th...

Page 703: ...re removed from the IC Resolving Configuration Conflicts with the Infranet Controller in the UAC Manager Before you resolve configuration conflicts perform an Import Device to identify the actual conf...

Page 704: ...onfiguration Conflicts operation cannot identify these entries from the RADIUS client of the IC Enabling 802 1X on Enforcement Point Ports in the UAC Manager To enable 802 1X on ports on Enforcement P...

Page 705: ...Resolving Configuration Conflicts Between Devices and 802 1X Ports in the UAC Manager The Resolve Configuration Conflict option allows you to detect any inconsistency between the device configuration...

Page 706: ...Copyright 2010 Juniper Networks Inc 656 Network and Security Manager Administration Guide...

Page 707: ...PART 4 Monitoring Realtime Monitoring on page 659 Analyzing Your Network on page 709 Logging on page 739 Reporting on page 809 657 Copyright 2010 Juniper Networks Inc...

Page 708: ...Copyright 2010 Juniper Networks Inc 658 Network and Security Manager Administration Guide...

Page 709: ...time Monitor on page 697 Monitoring the Management System on page 698 About the Realtime Monitor The Realtime Monitor module in NSM enables you to monitor real time status and statistics about all the...

Page 710: ...sessions that have been implemented within the domain you are working in From the VPN Monitor you can determine if a VPN tunnel is up down or not monitored NSPR Monitor Displays status information ab...

Page 711: ...ously detected in NSM This could happen in the event that the automatic adjustment option was cleared during a change device firmware directive or an Update Device directive was issued to an IDP devic...

Page 712: ...device in NSM Up Device is currently connected to NSM Down Device is not currently connected to NSM but has connected in the past Never Connected Device has never connected to NSM The Device Server c...

Page 713: ...The inventory information in the NSM database is synchronized with the licenses on the device Out Of Sync The inventory information in the NSM database is not synchronized with the licenses on the de...

Page 714: ...formation appears in the Device Monitor in the Device Summary Interface Viewing Device Monitor Alarm Status Alarms refresh automatically through periodic polling To view the Alarm status and time 1 Fr...

Page 715: ...tus Table 51 Device Detail Status Items Description Item ScreenOS firmware version running on the device OS Version Current operation mode of the device Network Address Translation NAT Transparent or...

Page 716: ...ndow NOTE The information in the Device Statistics window appears slightly different for firewall VPN devices and IDP sensors Device Statistics Summary The Device Statistics Summary displays the follo...

Page 717: ...from Greenwich Mean Time this is not displayed in the Vsys view GMT Time Offset Hours Whether you have enabled the security device to adjust time for daylight savings DayLight Saving Additional Devic...

Page 718: ...ecurity device Enables you to view CPU Memory and Session Utilization trends Resource Statistics System View administrator and user activities active VPNs and authenticated users on a security device...

Page 719: ...al number of data connections Total Connections The relative percentage of connections Connection Rel The total numerical difference between the current connection value and the previous connection va...

Page 720: ...enabled for each security device You can view up to ten protocols A bar graph displays a percentage of the absolute number of bytes for the top 10 protocols by default Table 55 on page 670 describes...

Page 721: ...and data depicted graphically in the same way that you adjust the Policy Distribution graphs You can also adjust the data types in the Protocol Distribution graph by Bytes In Bytes Out Packets In Pac...

Page 722: ...rity Association SA information Traffic over the tunnel such as bytes in out packets in out utilization Table 56 on page 672 describes all the information that is available from the VPN Monitor Table...

Page 723: ...alue and the previous packets in value Delta Packets In The number of outgoing packets handled by the protocol through the security device Packets Out Total numerical difference between the current pa...

Page 724: ...IP address for the security device connected to the active VPN Peer Address Monitoring capability status for the VPN ON or OFF Monitor IPSec IP security protocol for the active VPN AH Authentication...

Page 725: ...ecific security device the following interfaces apply Trust and Untrust interfaces available on all security devices DMZ interface available on NetScreen 25 NetScreen 50 and NetScreen 500 devices the...

Page 726: ...ts processed through the security device over the selected interface Broadcast The number of packets generating a cyclic redundancy code error processed through the security device over the selected i...

Page 727: ...ual systems VLAN In The number of VLAN packets sent through the security device applies to virtual systems VLAN Out The number of connections that occurred for a given interface Connections The number...

Page 728: ...victim as both the destination and source IP address This creates an empty connection Flooding a system with such empty connections can overwhelm the system causing a Denial of Service Security device...

Page 729: ...for the remaining packets to arrive so it can reassemble them When a server or host is flooded with connections that cannot be completed the host s memory buffer eventually fills No further connectio...

Page 730: ...IP Stream When the protocol field indicates ICMP packets and the fragment flag is set to 1 or an offset is indicated ICMP Frag An ICMP packet with a length greater than 1024 Large ICMP Both the SYN a...

Page 731: ...ics Viewing System Statistics You can also view system related information for a security device Viewing Resource Statistics Click the Resource Statistics node to view the resources for a security dev...

Page 732: ...ns You can view a snapshot of ongoing active sessions on the security device You can view active sessions from the Active Statistics view When you click the Active Sessions tab a short view of the act...

Page 733: ...Bytes Out The total number of packets sent Total Packets The length in seconds of the connection session Duration The time that the session started Start Time Using the Session Filter You can control...

Page 734: ...w according to the Source IP Address and Port number or Port Range 3 Click in the Destination tab to specify the sessions that you want to view according to Destination IP Address and Port number or P...

Page 735: ...rity devices to be highly available you can view NSRP related statistics on the device by accessing the HA Statistics view Table 65 on page 685 describes all of the information that is available from...

Page 736: ...sensors in your network Viewing IDP Device Status Table 66 on page 686 lists and describes information about IDP sensors that you can view through the Device Monitor Table 66 Device Status Informatio...

Page 737: ...d by NSM Config Status Connection status of the sensor in NSM Up Sensor is currently connected to NSM Down Sensor is not currently connected to NSM but has connected in the past Never Connected Sensor...

Page 738: ...evice Detail Status Items Description Item IDP firmware version running on the sensor OS Version Current operation mode of the device Mode Percentage of the time the CPU was idle CPU Idle Percentage o...

Page 739: ...you can also access the Statistics view to access traffic and other system related information on the device To view statistics on a particular sensor right click the sensor in either the Device Moni...

Page 740: ...tunnel when configuring the tunnel for the device Viewing the VPN Status Summary The VPN Monitor lists a summary of all the VPN tunnels that have been implemented in your system It includes visual in...

Page 741: ...lter to control the information that is provided in the VPN Monitor You can view VPN information related to the type status or the specific security device or virtual system associated with the VPN tu...

Page 742: ...delete 4 Select the delete icon The selected filter is deleted Configuring a VPN Display Filter You can control the information that is provided in the VPN Monitor by configuring a VPN display filter...

Page 743: ...a summary of the top level information on the selected cluster From the NSRP Summary you can view the following details about a specific cluster Key details describing the cluster such as name number...

Page 744: ...Table 72 on page 694 describes the information available from the VSD RTO summary Table 72 VSD RTO Summary Description Item The name of the cluster associated with this VSD Cluster The name of this VS...

Page 745: ...n the master device Master Conflict The number of conflicts that occurred on the primary backup device Primary Backup Conflict The number of transmitted heartbeats on the devices Tx Heartbeat The numb...

Page 746: ...Name Status of the cluster OK Warning or Fail Status Domain in NSM in which the source IDP cluster is managed Domain Viewing IDP Cluster Summary Information Click IDP Cluster Monitor to view a summary...

Page 747: ...hat the master node goes down Backup Availability Number of active backup devices No of Backup Members Monitoring IDP Cluster Members Click any IDP cluster to view details of each member in the cluste...

Page 748: ...ovide you with context for events leading to the security device disconnection This will help you to determine the cause of the problem You notice several very suspicious log entries that indicate tha...

Page 749: ...Device Server Server Type Either Device Server or Device Server Cluster If you are installing the management system with HA enabled you need to configure the Device Server as part of an HA Cluster Af...

Page 750: ...ess of the GUI server IP Address IP address of the secondary server IP Address of secondary server You can configure the following parameters for the GUI Server Server Type Select GUI Server or GUI Se...

Page 751: ...Server or Device Server Viewing Server Status To view the status of any server in the management system select Server Manager in the navigation tree and then select Server Monitor Machine wide Info Fi...

Page 752: ...PU used CPU Usage State of the server s peer server only applicable if you have added a secondary server and configured it in an HA Cluster Peer Device Server State Whether the currently active server...

Page 753: ...f swap space Total Swap Amount in megabytes or gigabytes of used swap space Used Swap Percentage of used swap space Swap Usage Viewing Process Status From the Server Monitor you can also view the stat...

Page 754: ...page 704 lists and describes the information that appears in the Process Status Table 82 Process Status Description Name Name of the GUI Server or Device Server process Name Displays if the process is...

Page 755: ...lities Description Name Provides information on peak average logging rate total log database size and average log size This utility is located on the Device Server at usr netscreen DevSvr utils logcou...

Page 756: ...xdbAuditLogConverter sh In NSM enhancements to the audit log exporter tool allow you to Invoke detailed help messages from the audit log exporter tool with xdbAuditLogConverter help Use showdiff to v...

Page 757: ...es Viewing Device Schema To view current and running schema 1 In the User Interface click Administer 2 In the navigation tree select Server Manager Schema Information The main display area displays th...

Page 758: ...Copyright 2010 Juniper Networks Inc 708 Network and Security Manager Administration Guide...

Page 759: ...ime monitor of these watch lists and the top 10 attacks within the previous hour The interval at which these lists are updated ranges from 2 minutes default rate to 30 minutes The lists are updated au...

Page 760: ...orate network while working in a conference room Normal Event Wendy holds a meeting every Tuesday at 4 00 PM in conference room A Every meeting she connects her laptop to the network and accesses docu...

Page 761: ...nd recover from any damage For details see Stopping Worms and Trojans on page 729 Detect violations of your corporate security policy The Profiler can help you confirm suspected violations such as rog...

Page 762: ...ternal hosts Include Non tracked IP Profiles Maximum database size for the Profiler on each device By default the maximum database size is 3 GB db limit in MB Enables the Profiler to perform passive O...

Page 763: ...icating to www yahoo com and www cnn com as one entry in the Profiler DB You can select unlimited internal network objects You can also use the Exclude List tab to select the network objects that repr...

Page 764: ...xceeded alert to indicate when you have reached the maximum limit of the database size You can configure the maximum limit of the Profiler DB using the dbLimit parameter in the General tab of the Prof...

Page 765: ...dialog box select the appropriate devices then click OK or optionally right click on any device from the Device Manager and select IDP Profiler Stop Profiler NOTE After you stop the Profiler for a spe...

Page 766: ...along with the Source Destination IP and Source Destination MAC and Organizationally Unique Identifier OUI Use this view to quickly see which hosts are communicating with other hosts and what services...

Page 767: ...able recorded Context When you select a context the values that your devices recorded for a selected context Value Source MAC addresses of traffic profiled Src MAC Destination MAC addresses of traffic...

Page 768: ...ongs Role All services of traffic profiled Service Type of the traffic profiled Access indicates a successful connection during which the device recorded valid requests and responses from the server t...

Page 769: ...only those items that violate the criteria that you set Configuring Permitted Objects Permitted objects are shared objects specific to the Profiler They enable you to configure objects in the Profiler...

Page 770: ...he traffic you do not want on your network take the appropriate security measures for example remove the unauthorized network components incorporate the components services into your existing corporat...

Page 771: ...de the aggregate traffic volume information from the parent application group As you move up the root of the application hierarchy you can view the total network traffic volume The Application Profile...

Page 772: ...ny of the columns that appear in the Filter Criteria A dialog box lets you add entries that match the column you selected as a criterion to filter the Profiler view The Profiler view automatically upd...

Page 773: ...e First Seen timestamp as the last 2 days Use the Last Seen setting to define a last timestamp threshold If the device logged an event and the event timestamp is before the last timestamp the event ap...

Page 774: ...rting Sort on any column except the Application column The Application column does not support sorting because application values are similar for each application group When you perform a sort on any...

Page 775: ...umn Details about the selected host IP including IP Address MAC Address OUI Organizationally unique identifier a mapping of the first three bytes of the MAC address and the organization that owns the...

Page 776: ...Tools preferences menu to change these parameters To manually purge the Profiler DB of all records click Clear All DB This operation can take up to one minute During this time a message appears on al...

Page 777: ...s accurately depicting your normal traffic patterns Because all networks are different the learning phase can range from a few hours to a few weeks Setting a Baseline When you are satisfied that the P...

Page 778: ...e of their device Because these passwords can be guessed easily the vendor recommends that users change the default password immediately However for convenience some users leave the default configurat...

Page 779: ...rate security policy does not permit SQL servers on the internal network However during a regular Microsoft update SQL applications are installed on a network server without your knowledge Because you...

Page 780: ...of the Blaster worm From the Profiler 1 Restart the Profiler 2 Select the Network Profiler to quickly see the source destination and service of traffic on your network 3 In the Service data table sel...

Page 781: ...nables you to visualize and correlate network behavior based on data collected in the Profiler Log Viewer and Report Manager You can use the Security Explorer to perform the following tasks Get a dyna...

Page 782: ...that displays the following nodes Host Displayed as an IP address Network Displayed using CIDR notation ip class 8 16 24 Protocol These include TCP ICMP and so on Attack Specific attack object name Se...

Page 783: ...ver Profiles One host or network and the context for server related traffic Every context is connected to its host network related value for example on a host is an SSL server running version 3 1 The...

Page 784: ...ve selected Reports Viewer Use the Reports tab to generate and view one of the following reports in Security Explorer Top Alarms Top Traffic Alarms Top Traffic Logs Top IDP DI Attacks Top Screen Attac...

Page 785: ...n other activities you may want to use with Security Explorer you also may need proper administrative privileges to View Profiler View Device Logs View Historical Log Reports View Devices View Shared...

Page 786: ...phs Use the icons that appear in the main graph to quickly access additional information related to your point of reference Depending upon the type of icon that you select you can transition to anothe...

Page 787: ...ty Explorer with the latest data available Adding and Removing Panels You can also view additional data and graphs by adding and removing additional panels to Security Explorer Use the icon to add a S...

Page 788: ...Copyright 2010 Juniper Networks Inc 738 Network and Security Manager Administration Guide...

Page 789: ...tive event such as the administrator name timestamp of the change and job details You can configure each managed device to generate and export specific log records to multiple formats and locations su...

Page 790: ...for each event that matches that rule An event matches a predefined set of conditions configured on a managed device or the management system Some events generate log entries that appear in the Log V...

Page 791: ...res immediate action Alert Log entries triggered when system encounters critical conditions Critical Log entries triggered when system becomes unusable Emergency Log entries triggered when system enco...

Page 792: ...gs from ScreenOS and IDP devices are displayed as Device_critical_log and Device_warning_log If upgrading from an earlier release you may need to modify your action manager criteria to match the new c...

Page 793: ...re is not supported Log Investigator analysis can only be applied to those partially structured syslogs that provide the source address and destination address in related columns Log Viewer provides o...

Page 794: ...estination except Firewall Options Table 93 Destinations of Log Entry Severities Severities Description Destination All severities The PC you use to view log entries in NSM Console Emergency Alert Cri...

Page 795: ...was dropped or terminated at the device When negotiating an IKE key the VPN client communicates with the security device Log IKE Packets to Self Creates a log entry for an SNMP packet that was droppe...

Page 796: ...the managed device to report specific events to NSM Select the appropriate NSM Device Server then select the events that are logged on the device and reported to NSM The following sections detail each...

Page 797: ...larm threshold in a security policy rule The traffic alarm log entry which displays in the Log Viewer describes the security event that triggered the alarm Traffic alarms generate log entries that app...

Page 798: ...ng columns of information in the Log Viewer Source Address Destination Address Service Action Category Predefined or Custom Subcategory for details on Deep Inspection alarm subcategories see Deep Insp...

Page 799: ...page 951 Self Log Entries The device generates self log entries for any packet that terminates at the device Self log entries display information on traffic that was dropped by the device or that term...

Page 800: ...hat entered the device Attack statistics do not generate log entries the statistics are used by the Realtime Monitor module For details on how attack statistics are displayed in the Realtime Monitor s...

Page 801: ...ng options For details on Atomic Updating see About Atomic Updating ScreenOS Devices on page 246 Configuring SNMP Reporting Settings Use SNMP settings to configure the Simple Network Management Protoc...

Page 802: ...Defines the versions supported by the community SNMPv1 SNMPv2c or both SNMP versions as required by the SNMP management stations For backward compatibility with earlier ScreenOS releases that only su...

Page 803: ...ends dialog box Enter appropriate data into the following fields Table 97 WebTrends Settings for Log Entries Description Field Directs NSM to forward a log to the WebTrends server Enable WebTrends Mes...

Page 804: ...s stored permanently on the NSM server until or unless it is purged by the user To store the packet data on the IDP sensor double click an IDP sensor select Report Settings in the navigation tree and...

Page 805: ...Figure 103 View Packet Data in a Log Figure 104 on page 756 provides an example of packet data 755 Copyright 2010 Juniper Networks Inc Chapter 19 Logging...

Page 806: ...ity Using Log Views on page 757 The Log Viewer includes several predefined views for critical severity attacks configuration log entries scans and other important activity This section describes how t...

Page 807: ...Viewer Integration on page 776 This section describes how to use the Log Viewer integration to jump from a log entry directly to the responsible security policy or managed device configuration Identi...

Page 808: ...pe Category Admin 13 Admin SUBCATEGORY SYS10061 SYS10062 Cluster Subcategory AUT23523 AUT23524 Dynamic Policy Evaluation Category Events 14 Events Subcategory SYS24013 SYS24014 SYS24015 ERR24016 SYS24...

Page 809: ...te Exceeded UDP Port Scan UDP Port Scan In Progress Scans Creating Custom Views and Folders A custom view enables you to organize log entries in a format that is most helpful to you Because the custom...

Page 810: ...lect Save As In the New View dialog box enter a name for the custom view enter a name for the folder that you want to save the view in and click OK The new view is displayed in the navigation tree in...

Page 811: ...egory A category is either admin alarm config custom event implicit info predefined profiler screen self sensors traffic urlfiltering or user A subcategory is an attack type Default Category Subcatego...

Page 812: ...since the beginning of the current session No Elapsed Secs Specifies if this log has associated packet data No Has Packet Data A destination port that has undergone NAT and is associated with the pack...

Page 813: ...and later and Junos firewall devices The Policy ID column remains empty for older logs Log Viewer Detail Panes The Log Viewer contains additional panes that provide summary and detail information for...

Page 814: ...to top of log entry list Page up within log entry list Scroll up within log entry list Use the slider to move up or down within log entry list The farther you drag the slider from the center the faste...

Page 815: ...pecific log entry immediately Typically you use a log ID search when you have previously viewed the log entry and need to find it again quickly A value search that searches for a log entry based on th...

Page 816: ...use the Out and In buttons From left to right the time blocks are 14 days 7 days 3 days 1 day 12 hours 6 hours 3 hours 1 hour 30 minutes 1 minute Click the Out button to select the time block to the...

Page 817: ...configuration log entries from that device 3 Select Tailing Logs The view jumps to the bottom of the log entry list and remains there as new configuration log entries for the device arrive they appea...

Page 818: ...ons Edit Use this option to set multiple filters for cell content at the same time Select to display the Filter dialog box for that column then select the columns you want to filter on To display only...

Page 819: ...flag filter right click the Flag column header and select Filter Set Filter Select the flag types that you want to use as the filter criteria then click OK NSM applies the filter to all log entries an...

Page 820: ...n a specific end time select To and configure the end date and time When applied this filter displays log entries for events that were generated or received before or at the specified end time To filt...

Page 821: ...ilter on a minimum number of bytes only select From and enter a value When applied this filter displays log entries for events that received or transmitted more than or equal to the specified minimum...

Page 822: ...mn settings for the view The more columns you configure to appear in the Log Viewer the more information you can see at one time and the more you must scroll from side to side to view all columns sett...

Page 823: ...e columns to narrow your search To configure the column settings 1 In the navigation tree select the Log Viewer module 2 From the View menu select Choose Columns NSM displays the Column Settings dialo...

Page 824: ...splayed 2 From the Filter Summary dialog box select a column on which you want to filter log entries 3 Select the filter settings you wish to apply for the specified column then click OK 4 To select a...

Page 825: ...a Log Viewer column that was selected for filtering log entries 1 Select View Filter Summary The Filter Summary dialog box is displayed 2 To clear a single column Clear the column check box that you d...

Page 826: ...ase snapshots also enable you to view previous object versions For details on database snapshots see Automatic Policy Versioning on page 521 Other options for archiving and restoring logs and configur...

Page 827: ...network Use the information in Table 105 on page 777 to determine if the attack is relevant Table 105 Irrelevant Versus Relevant Attacks Relevant Attacks Irrelevant Attacks Attack attempts to exploit...

Page 828: ...formation in table and chart format Configuring Log Investigator Options on page 780 Configure the criteria the Log Investigator uses to create the matrix including the time period Left and Top Axes s...

Page 829: ...is setting which determines data set that is used for Top Axis setting Top Axis The controlled axis for log entry data the dependent axis The Log Investigator collects log entry data for the Left Axis...

Page 830: ...ur network activity Typically you use a longer interface time to initially locate problems After you have identified the issues you want to investigate set a shorter time interval to eliminate irrelev...

Page 831: ...log entry matrix By default the Left Axis is set to the data type Top Sources After the Left Axis data set has been determined the Log Investigator searches that data set for data that matches the Top...

Page 832: ...most popular source addresses are generating attacks against the most popular destinations Select the Left Axis the independent axis as Top Sources Select the Top Axis the dependant axis as Top Destin...

Page 833: ...ria for log entries and the Log Investigator filters out log entries that do not match the filter criteria Using the Filter Summary dialog box you can select and apply multiple filters to the Log Inve...

Page 834: ...level of a generated alarm User Flag Severity Alarm Filters Various Details Protocol Category Alert Roles User Application name Miscellaneous Filters NOTE For a complete list of log entry columns ava...

Page 835: ...are ready to begin investigating your log entry data Using Rows and Columns Each row or column in the Log Entry matrix represents events for a single data type When selecting a row or column you are...

Page 836: ...nternal trojan You probably need to get more details such as destination ports used and attack subcategories for the events before you can resolve the issue Table 107 on page 786 details the benefits...

Page 837: ...f attacks received by that port number Because services are mapped to specific port numbers you can use the port number to identify the service used in the attack The right pane displays a chart using...

Page 838: ...en investigating events that generate lower values To exclude a specific attack from the Log Investigator calculations right click the attack cell and select Exclude To help you keep track of excluded...

Page 839: ...hich a user is allowed to view audit logs The values are empty Audit log entries created prior to this NSM release that do not have targeted objects or devices These logs can be viewed by all NSM user...

Page 840: ...Log table The following sections describe these data management options Select Audit Log Table Use the Set Audited Activities option in the Edit menu to select read write or read only auditable activ...

Page 841: ...ield filter right click a column field and select Filter to display the filter menu options Time based column filter To create a time based filter right click a field in the Time Generated column and...

Page 842: ...ntry for that change in the Audit Log table then view the Target View to see details about that change Device View For a change made to the device itself such as adding the device autodetecting a devi...

Page 843: ...creen DevSvr var devSvr cfg file contains log cleanup parameters that you can use to manage log disk space storageManager alert If you configure this parameter the Device Server triggers a warning whe...

Page 844: ...do not need to stop the processes on the Device Server before archiving Log Archival Mechanism All managed device logs are stored in usr netscreen DevSvr var logs that contains logs and associated fil...

Page 845: ...s all the logs from the selected date Required Disk Space After you define the number of logs and the number of days you want archived NSM estimates the disk space required for storing the logs In cal...

Page 846: ...nd line utility located on the NSM Device Server NOTE You can also forward logs based on specific rules in a security policy See Configuring Firewall Rules on page 448 for more information Sending E m...

Page 847: ...xport qualified logs to the system log SNMP CSV XML or e mail configure the export settings for each format as detailed in the following sections For every log action criteria you can specify and edit...

Page 848: ...L you must select XML Enable from the Actions tab in the Device Log Action Criteria node Exporting to E mail For exporting to e mail configure the following e mail and SMTP settings SMTP Enable Enable...

Page 849: ...system to e mail qualified log records specify the From and To e mail addresses From Email Address The e mail address that the server uses to send e mail Some servers require a valid from e mail addr...

Page 850: ...t status code of 0 no errors or 1 errors The following sections detail common filters actions and required and optional format specific filters Using Filters The log2action utility generates data for...

Page 851: ...ype yes yes device family global subdomain name Domain path yes yes domain a b c d n a b c d Destination IP address yes yes dst ip 0 65535 0 65535 Destination port yes yes dst port yyyymmdd 0 MAX yyyy...

Page 852: ...mmon Filter with Multiple Entries To set a filter that displays all log entries for IDP and EX Series devices type devSvrCli sh log2action filter device family idp junos ex action csv file path tmp mo...

Page 853: ...n most Web browsers Using XML Required and Optional Format Specific Filters You can use the following required and optional format specific filters for exporting to XML Meaning Required Multiple CSV S...

Page 854: ...ort Dst Zone Dst Intf Dst Addr Dst Port NAT Dst Addr NAT Dst Port Protocol Policy Domain Policy Domain Version Policy Rulebase Rule Number Policy ID Action Severity Is Alert Details User App URI Elaps...

Page 855: ...urce port nat src ip nat src port destination zone destination interface destination ip destination port nat dst ip nat dst port protocol rule domain rule domain version policy rulebase rulenumber act...

Page 856: ...il Meaning Required Multiple E mail SMTP Specify the receiving e mail address for the SMTP log records Yes Yes recipient Specify the sender e mail address No No sender Exporting to syslog The syslog a...

Page 857: ...olicyname rulebase rule number policy id action severity is alert details user str application str uri str elapsed bytes in bytes out bytes total packet in packet out packet total repeatCount hasPacke...

Page 858: ...dling for the specified script When using this filter you must specify one of the following error handling filters skip Directs the system to skip any log for which the script had an error retry Direc...

Page 859: ...ing The Report Manager module in NSM is a powerful and easy to use tool that enables you to generate reports summarizing key log and alarm data originating from the managed devices in your network The...

Page 860: ...administrators and operations staff interested in tracking and analyzing specific types of information to work only within the group of reports that they need For details on each of the specific repo...

Page 861: ...811 DI IDP Reports on page 812 Screen Reports on page 813 Administrative Reports on page 814 UAC Reports on page 814 Profiler Reports on page 815 AVT Reports on page 815 SSL VPN Reports on page 815 EX...

Page 862: ...4 hours 20 IP addresses that have most frequently been prevented from attacking the network during the last 24 hours Top 20 Attackers Prevented All Attacks last 24 hours 20 IP addresses that have most...

Page 863: ...s listed in the Profiler over the last 7 days Profiler New Ports last 7 days New Protocols listed in the Profiler over the last 7 days Profiler New Protocols last 7 days The total number of log entrie...

Page 864: ...es generated by specific rules in your ScreenOS DI policies You can use the Top Rules report to identify those rules that are generating the most log events This enables you to better optimize your ru...

Page 865: ...tracking Table 116 AVT Reports Description Report Ten applications with highest volume in bytes in the past 24 hours Top 10 Applications by Volume Ten application categories with highest volume in byt...

Page 866: ...ibing each report refer to the Network and Security Manager Online Help My Reports Once you are comfortable using reports you can create your own custom reports to provide the exact information that y...

Page 867: ...ecting the corporate DMZ network A Top Attacks report comes predefined in IDP but the report displays attacks on the entire network and you are interested only in the DMZ To create a custom report bas...

Page 868: ...s folder For more information about editing and deleting a report folder refer to the Network and Security Manager Online Help Generating Reports Automatically You can generate scheduled log based rep...

Page 869: ...ectory that is run on completion of the report generation Creating and Editing Action Scripts NOTE Sample scripts enabling you to e mail and FTP the report results are available in usr netscreen GuiSv...

Page 870: ...mote user somewhere net Email server not required if sendmail is configured for mail transport my email_server everywhere net Subject my subject Reports are here Body text for emails with reports as a...

Page 871: ...Script In this example perform the following steps to generate a predefined report and FTP it to a server every Monday at 12 01 in the morning 1 Change to the utility directory by typing cd usr netscr...

Page 872: ...a available from the current day in a horizontal bar chart You can configure the duration number of data points and appearance of each report by using the Set Report Options selection in the View menu...

Page 873: ...on September 15 at 6 00 PM you could set the Starting At Time Period Duration report field in the options on a Top Screen Attacks report to that time then generate the report If you are not sure of th...

Page 874: ...port operation requires can have an adverse impact on your overall management performance To prevent extraordinarily lengthy report operations from impacting your overall system performance you can us...

Page 875: ...e in a later UI session Generating Quick Reports You can generate a Quick Report from data displayed in the Log Viewer or Log Investigator Use the Quick Report tab located at the bottom of the Log Vie...

Page 876: ...menu After completing their investigation they change the flag to either Closed or Assigned for further investigation During normal operations firewall administrators investigate over 200 log entries...

Page 877: ...or the top 100 rules that are generating log events Figure 117 on page 827 shows the Top FW VPN Rules report Figure 117 Top FW VPN Rules Report By identifying the new rules that you implemented in the...

Page 878: ...e undergone the most configuration changes committed during the past seven days Figure 118 on page 828 shows the Top Configuration Changes report Example Using SSL VPN Reports to Track Authentication...

Page 879: ...ers report for the last day The report indicates an IP address as the top attacker for all the DI attacks that you have been tracking You recognize the IP address as an external server that is running...

Page 880: ...ource Watch List from Tools Preferences For details about creating and configuring watch lists refer to the Network and Security Manager Online Help Copyright 2010 Juniper Networks Inc 830 Network and...

Page 881: ...ixes Glossary on page 833 Unmanaged ScreenOS Commands on page 859 SurfControl Web Categories on page 861 Common Criteria EAL2 Compliance on page 869 Log Entries on page 871 831 Copyright 2010 Juniper...

Page 882: ...Copyright 2010 Juniper Networks Inc 832 Network and Security Manager Administration Guide...

Page 883: ...you through activating a modeled device in the NSM User Interface Add Device Wizard The Add Device wizard guides you through importing or modeling a new device to the NSM User Interface Address Objec...

Page 884: ...the timeout process returns to normal Antivirus AV Scanning A mechanism for detecting and blocking viruses in File Transfer Protocol FTP Internet Message Access Protocol IMAP Simple Mail Transfer Prot...

Page 885: ...connectivity to the management system the device rolls back to the last installed configuration This minimizes downtime and ensures that NSM always maintains a stable connection to the managed device...

Page 886: ...d with the minimal software to support a single network service BGP Neighbor Also known as a BGP Peer BGP is a the Border Gateway Patrol dynamic routing protocol A BGP neighbor is another device on th...

Page 887: ...m the World Wide Web to provide quicker access to content for users and to increase server security Classless Routing Support for interdomain routing regardless of the size or class of the network Net...

Page 888: ...tween the configuration running on the physical device and the difference between the configuration in NSM are known as deltas Demilitarized Zone A DMZ is an area between two networks that are control...

Page 889: ...chemas for configuration inventory management logging and status monitoring DMI schemas can be updated without the need to upgrade NSM DNS The Domain Name System maps domain names to IP addresses Doma...

Page 890: ...P provides confidentiality to IP datagrams Ethernet Ethernet is a local area network LAN technology invented at the Xerox Corporation Palo Alto Research Center Ethernet is a best effort delivery syste...

Page 891: ...interface between two GSNs located in different PLMNs GPRS General Packet Radio Service A packet based technology that enables high speed wireless Internet and other data communications GPRS provides...

Page 892: ...pplication Layer Gateway ALG lets you to secure Voice over IP VoIP communication between terminal hosts such as IP phones and multimedia devices In such a telephony system gatekeeper devices manage ca...

Page 893: ...the Device Editor on a specific device and not through the central NSM Policy Manager If you select this method to manage policies on a J Series or SRX Series device the NSM Policy Manager Object Mana...

Page 894: ...networks See also DES CBC ESP AH IP Sweep An IP sweep is similar to a port scan attack Attackers perform IP sweeps by sending ICMP echo requests or pings to different destination addresses and wait f...

Page 895: ...ead of relying on rumored information from directly connected neighbors as in distance vector protocols each router in a link state system maintains a complete topology of the network and computes SPF...

Page 896: ...can deploy the GUI Server and Device Server on separate servers however the combination of the two servers is known as the management system Mapped IP Address A MIP is a direct one to one mapping of t...

Page 897: ...guring a BGP network you need to establish a connection between the current device and a counterpart adjacent device known as a neighbor or peer While this counterpart device may seem like unneeded in...

Page 898: ...routers do not track sessions except when doing NAT which tracks the session for NAT purposes PDP Packet Data Protocol PDP Context A user session on a GPRS network PDU Protocol Data Unit Peer See Nei...

Page 899: ...ces in hopes that one port will respond If a remote host scans 10 ports in 0 3 seconds the security device flags this as a port scan attack and drops the connection Preference A value associated with...

Page 900: ...at one program can use to request a service from a program located in another computer in a network Role Based Administration RBA Role based administration enables you to define strategic roles for yo...

Page 901: ...s are session table entries ARP cache entries certificates DHCP leases and IPSec Phase 2 security associations SAs S Scheduled Object A schedule object defines a time interval that a firewall rule is...

Page 902: ...m Service Object Service objects represent the IP traffic types for existing protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined servic...

Page 903: ...tively predictable and where network design is relatively simple Status Bar The status bar is the lower section of the NSM UI The status bar displays supplemental information Subdomain A subdomain is...

Page 904: ...cify a complete device configuration The software remembers static routes until you remove them However you can override static routes with dynamic routing information through judicious assignment of...

Page 905: ...r that supports VPN tunneling the remote user as well as the organization knows that it is a secure connection All remote dial in users are authenticated by an authenticating server at the Internet Se...

Page 906: ...ir location on a physical subnetwork but through the use of tags in the frame headers of their transmitted data VLANs are described in the IEEE 802 1Q standard Virtual Private Network VPN A VPN is an...

Page 907: ...ou can configure the security device to scan any incoming Microsoft NetBIOS Session Service packets modify them and record the event as a WinNuke attack Worm A worm is a self replicating attack progra...

Page 908: ...Copyright 2010 Juniper Networks Inc 858 Network and Security Manager Administration Guide...

Page 909: ...t this command the security device displays an error message common criteria These commands define environment variables Security devices use environment variables to make special configurations at st...

Page 910: ...trol MAC address for a security device interface set mac These commands display timer settings or configure a security device to automatically execute management or diagnosis at a specified time All t...

Page 911: ...r sexually violent text or graphics Bondage fetishes genital piercing Nudist sites that feature nudity Erotic or fetish photography which depicts nudity NOTE We do not include sites regarding sexual h...

Page 912: ...rugs or abuse of other legal substances Distributing alcohol illegal drugs or tobacco free or for a charge Displaying selling or detailing use of drug paraphernalia NOTE We do not include sites that d...

Page 913: ...e Beauty and cosmetics Modeling information and agencies Glamour and Intimate Apparel Government services such as taxation armed forces customs bureaus emergency services Local government sites Politi...

Page 914: ...the group Sets itself outside of society Hate General health such as fitness and wellbeing Medical information about ailments conditions and drugs Medical reference Medical procedures including electi...

Page 915: ...buying or selling a home Real estate agents Home improvement and inspection sites Real Estate Personal professional or educational reference Online dictionaries maps and language translation sites Cen...

Page 916: ...rist information Weather bureaus Car Rentals Travel Newsgroups Opinion or discussion forums Weblog blog sites Usenet News Forums Newsgroups Opinion or discussion forums Weblog blog sites Usenet News F...

Page 917: ...on or poisonous substances Displaying or detailing the use of guns weapons ammunition or poisonous substances Clubs which offer training on machine guns automatics and other assault weapons and or sni...

Page 918: ...Copyright 2010 Juniper Networks Inc 868 Network and Security Manager Administration Guide...

Page 919: ...stalled on dedicated systems These dedicated systems must not contain user processes that are not required to operate the NSM software Guidance for Personnel There must be one or more competent indivi...

Page 920: ...Copyright 2010 Juniper Networks Inc 870 Network and Security Manager Administration Guide...

Page 921: ...larm Log Entries The Screen category contains the subcategories shown in Table 122 on page 871 Table 122 Screen Alarm Log Entries ScreenOS Message ID Attack Attacks Alert 00017 Address Sweep Attack At...

Page 922: ...IP Spoof Attack Attacks Alert 00010 Land Attack Attacks Critical 00032 Malicious URL Protection Auth Alert 00003 Multiple Authentications Failed Attacks Emergency 00007 Ping of Death Attack Policies A...

Page 923: ...30 CPU Usage High DHCP Alert 00029 DHCP Critical 00029 DHCP DNS Critical 00021 DNS Host Interface Critical 00090 Interface Failover Device Critical 00022 Hardware ARP Critical 00031 IP Conflict Loggin...

Page 924: ...e High Availability Critical 00071 NSRP VSD Master High Availability Critical 00072 NSRP VSD Pbackup OSPF Critical 00206 OSPF Packet Flood RIP Critical 207 RIP Packet Flood OSPF Critical 200 Route add...

Page 925: ...ther user CHAT AUDIT YMSG FILE SEND sos5 1 0 info This protocol anomaly is a Yahoo Messenger e mail address that exceeds the user defined maximum A Yahoo Messenger server sends an e mail address as pa...

Page 926: ...EP QTYPE UNEXPECTED sos5 1 0 info This protocol anomaly is a DNS reply with a query reply bit QR that is unset indicating a query This may indicate an exploit attempt DNS AUDIT REP S2C QUERY sos5 1 0...

Page 927: ...protocol anomaly is a DNS name that exceeds 255 characters This may cause problems for some DNS servers DNS OVERFLOW NAME TOO LONG sos5 1 0 critical This protocol anomaly is a suspiciously large NXT...

Page 928: ...ignature detects attempts to exploit a vulnerability in a LinkSys Cable DSL router Attackers may submit an overly long sysPasswd parameter within a malicious HTTP request to crash a LinkSys Cable DSL...

Page 929: ...s users but relative to for users with accounts specifying the actual bin rather than ftp bin Attackers may establish an FTP account on the system and run the site exec command to gain access to the b...

Page 930: ...crash the service or execute arbitrary code FTP EXPLOIT WIN32 WFTPD BOF sos5 1 0 medium This signature detects an attempt by an attacker to exploit a directory traversal vulnerability in the SunFTP da...

Page 931: ...ay gain write access remotely create long pathnames and overflow the buffer to gain root access FTP OVERFLOW PATH LINUX X86 1 sos5 0 0 sos5 1 0 critical This signature detects attempts to exploit a re...

Page 932: ...ccounts using easily guessed passwords FTP PASSWORD COMMON PASSWD sos5 0 0 sos5 1 0 high This signature detects attempts to use the default rootkit password h0tb0x to access a FreeBSD rootkit account...

Page 933: ...he FTP daemon uses a vulnerable version of GNU ls attackers may send an oversized width parameter to GNU ls to cause the server CPU utilization to temporarily reach 100 and exhaust system memory This...

Page 934: ...NIX and Linux systems Wu ftpd versions 2 6 1 to 2 6 18 are vulnerable Attackers may send a maliciously crafted pathname in a CWD or LIST command to the FTP server to execute arbitrary commands as root...

Page 935: ...lear its logs Attackers may use spoofed IP address to send a log clear request without authenticating HTTP 3COM LOG CLEAN sos5 0 0 sos5 1 0 high This signature detects attempts to exploit a vulnerabil...

Page 936: ...ache HTTP daemon the daemon may require a manual restart HTTP APACHE PHP INVALID HDR sos5 1 0 low By submitting a malformed HTTP GET request to an Apache server using the default configuration supplie...

Page 937: ...ings in hex code ie 2e 2e 2f in a query to access the remote administration utility password and gain full remote administration abilities HTTP CGI ALTAVISTA TRAVERSAL sos5 1 0 sos5 1 0 high This sign...

Page 938: ...loit a vulnerability in IkonBoard a popular Web based discussion board Attackers may send a maliciously crafted cookie that contains illegal characters to IkonBoard to execute arbitrary code with Ikon...

Page 939: ...stem files HTTP CGI WEBSPIRS FILE DISCLSR sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in the YaBB pl CGI script Attackers may view arbitrary files HTTP CGI YABB...

Page 940: ...ver Attackers may pass a semicolon character to JRun to expose the script source code and other sensitive files HTTP COLDFUSION JRUN SC PARSE sos5 1 0 high This signature detects attempts to exploit a...

Page 941: ...us Web site appears as the destination IP address HTTP EXPLOIT IE ZONE SPOOF sos5 0 0 sos5 1 0 medium This signature detects illegal characters in a Host header field of an HTTP 1 1 request Attackers...

Page 942: ...WD REQ sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in the browse asp script supplied with Hosting Controller a tool that allows Microsoft Windows network admini...

Page 943: ...ects buffer overflow attempts against Microsoft ISAPI Indexing Service for IIS Index Server 2 0 and Indexing Service 2000 in IIS 6 0 beta and earlier versions are vulnerable Attackers may send a long...

Page 944: ...Microsoft IIS 5 0 Attackers may send malicious PROPFIND requests to the server to crash it HTTP IIS PROPFIND sos5 1 0 medium This signature detects the sadmind IIS worm attempting to infect Microsoft...

Page 945: ...e parameters on the same line as the request method This may indicate a poorly written Web application or HTTP tunneling HTTP INFO HTTPPOST GETSTYLE This signature detects attempts to bypass directory...

Page 946: ...his signature detects an attempt to gain unauthorized administrative access to an EmuLive Server4 daemon HTTP MISC EMULIVE ADMIN sos5 0 0 sos5 1 0 medium This signature detects denial of service DoS a...

Page 947: ...his signature detects denial of service DoS attempts that exploit the Web Publishing REVLOG command in Netscape Enterprise Server 3 x HTTP NETSCAPE ENTERPRISE DOS sos5 0 0 sos5 1 0 medium This signatu...

Page 948: ...ength header HTTP OVERFLOW CONTENT LENGTH sos5 1 0 medium DI has detected a suspiciously long Content Location header HTTP OVERFLOW CONTENT LOCATION sos5 1 0 medium DI has detected a suspiciously long...

Page 949: ...D ROOT OF sos5 0 0 sos5 1 0 medium This signature detects denial of service DoS attempts against Pi3Web Server Attackers may send a URL with more than 354 Slashes to crash the server HTTP OVERFLOW PI3...

Page 950: ...ttackers may bypass user authorization to gain administrative privileges HTTP PHP GALLERY EMBED AUTH sos5 1 0 high This signature detects attempts to exploit a vulnerability in Gallery a Web based pho...

Page 951: ...rative password of the board without user verification and access restricted files on the local system HTTP PHP PHORUM ADMIN PW CHG sos5 0 0 sos5 1 0 high This signature detects access to the vulnerab...

Page 952: ...m This signature detects attempts to exploit a vulnerability in PHP Nuke AttackersmayexecutearbitrarySQLcommands on a Web server HTTP PHP PHPNUKE CID SQL INJECT sos5 0 0 sos5 1 0 medium This signature...

Page 953: ...included with the VBulletin package Attackers may run the vbull c exploit to execute arbitrary commands with Web Server user permissions HTTP PHP VBULL CAL EXEC sos5 0 0 sos5 1 0 medium Any user on th...

Page 954: ...nerable Internet Explorer users may use these malicious URLs to evade web proxies and gain direct access to the internet HTTP PROXY DOUBLE AT AT sos5 0 0 sos5 1 0 medium This signature detects attempt...

Page 955: ...a SQL injection attack However it may be a false positive Some attempts at Cross Site Scripting attacks will also trigger this signature HTTP SQL INJECTION GENERIC sos5 0 0 sos5 1 0 medium This signat...

Page 956: ...e detects the download of a maliciously crafted WinAmp playlist file Using WinAmp to open this file may execute arbitrary code HTTP STC WINAMP CDDA OF2 sos5 1 0 medium This signature detects attempts...

Page 957: ...sion 1 0 and earlier are vulnerable Attackers may navigate to any directory on the server HTTP WASD DIR TRAV sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in Bea...

Page 958: ...e information such as usernames passwords credit card numbers social security numbers bank accounts etc HTTP XSS HTML SCRIPT IN URL PRM sos5 1 0 medium This signature detects cross site scripting atta...

Page 959: ...ly is an IMAP reference field that is too long This may indicate a buffer overflow attempt IMAP OVERFLOW REFERENCE sos5 0 0 sos5 1 0 high This protocol anomaly is an IMAP tag field that is too long Th...

Page 960: ...EPM WRONG RHS LEN sos5 1 0 high This protocol anomaly is an EPM message with a tower length that is inconsistent with message s LHS and RHS lengths MS RPC ERR EPM WRONG TOWER LEN sos5 1 0 medium This...

Page 961: ...This protocol anomaly is too many DCE RPC ISystemActivate requests Excessive requests can cause a denial of service DoS in the RPCSS module MS RPC MSRPC ISYSACTIVATE RACE sos5 1 0 medium This signatur...

Page 962: ...protocol anomaly is label for the second level encoding of a Netbios name that contains a pointer NETBIOS NBDS BAD_LABEL_FORMAT sos5 1 0 medium This protocol anomaly is an invalid first level encodin...

Page 963: ...TBIOS NBNS INVALID HDR Z sos5 1 0 high This protocol anomaly is a label for the second level encoding of a Netbios name that has a label length larger than 63 or the label is the first label and the l...

Page 964: ...protocol anomaly is a Gnutella message with a payload type that is not defined in the Gnutella RFC P2P AUDIT GNUTELLA MESSAGE sos5 1 0 info This protocol anomaly is a Gnutella message with a payload l...

Page 965: ...use of the Direct Connect Plus Plus DC file sharing client P2P DC DC PP ACTIVE sos5 1 0 info This signature detects version checks by eDonkey 2000 a peer to peer file sharing client The eDonkey clien...

Page 966: ...e vulnerable Attackers may send a maliciously crafted DELE or UIDL request to the POP3 daemon to crash the POP3 SMTP and IMAP services POP3 DOS MDAEMON POP DOS sos5 1 0 high This protocol anomaly is a...

Page 967: ...EXT DOT CMD sos5 1 0 medium This signature detects e mail attachments with the extension com received via POP3 This may indicate an incoming e mail virus COMs executable files contain one or more scr...

Page 968: ...ved using POP3 This may indicate an incoming e mail virus HTA files are HTML application files that can be executed by a web browser Generally HTA files are not sent via e mail As a general network se...

Page 969: ...s this may indicate an incoming e mail virus Attackers may create malicious scripts tricking users into executing the file and infecting the system POP3 EXT DOT MDB sos5 1 0 high This signature detect...

Page 970: ...ers may create malicious entries tricking users into executing the file and infecting the system POP3 EXT DOT REG sos5 1 0 high This signature detects e mail attachments with the extension scr sent vi...

Page 971: ...malicious scripts tricking the user into executing the file and infecting the system POP3 EXT DOT WSC sos5 1 0 high This signature detects e mail attachments with the extension wsf received via POP3 T...

Page 972: ...s POP3 OVERFLOW BOUNDARY_OVERFLOW sos5 0 0 sos5 1 0 high This protocol anomaly is a POP3 command that exceeds 4 bytes the standard length for a POP3 command This may indicate a nonstandard POP3 client...

Page 973: ...other attacks SCAN AMAP FTP ON HTTP sos5 1 0 low This signature detects the scanner tool AMAP made by The Hacker sChoice THC AttackersmayuseTHC AMAPduring their initial reconnaissance to determine se...

Page 974: ...s PACKETS for a HP UX PA RISC instruction sequence common in buffer overflow exploits You may want to apply this signature to all non TCP traffic to your HP UX servers SHELLCODE HP UX HP NOOP 2 PKT so...

Page 975: ...SMBFS implemented in the Linux kernel Kernels 2 4 and 2 6 are vulnerable Attackers may gain root access on the target host SMB EXPLOIT LINUX TRANS2 OF sos5 1 0 medium This protocol anomaly is an empty...

Page 976: ...NETBIOS names are 16 bytes and may encode to a maximum of 34 bytes SMB NETBIOS INV SNAME LEN sos5 1 0 medium This signature detects attempts to remotely access the Windows registry Attackers may use a...

Page 977: ...hich can lead to remote code execution SMTP EMAIL EUDORA SPOOF3 sos5 1 0 medium This signature detects attempts to spoof an e mail attachment Eudora Windows 6 2 0 7 and earlier versions are vulnerable...

Page 978: ...an e mail message with an empty charset value in the MIME header to cause a denial of service DoS SMTP EXCHANGE DOS sos5 1 0 high This protocol anomaly is a BDAT command that is not chunk size SMTP EX...

Page 979: ...ripts tricking users into executing the macros and infecting the system SMTP EXT DOT ADP sos5 1 0 medium This signature detects e mail attachments that have the extension bas and were sent via SMTP Be...

Page 980: ...nature detects GRP files sent over SMTP GRP files can contain Windows Program Group information and may be exploited by malicious users to deposit instructions or arbitrary code on a target s system U...

Page 981: ...infecting the system SMTP EXT DOT JSE sos5 1 0 medium This signature detects e mail attachments that have the extension lnk and were sent via SMTP Because LNKs Windows link files can point to any prog...

Page 982: ...TP EXT DOT PCD sos5 1 0 medium This signature detects e mail attachments with the extension pif sent via SMTP This may indicate an incoming e mail virus PIFs Program Information Files are standard Mic...

Page 983: ...cute arbitrary code SMTP EXT DOT WMF sos5 1 0 medium This signature detects e mail attachments with the extension wsc sent via SMTP This may indicate an incoming e mail virus WSCs Windows Script Compo...

Page 984: ...eds actual multipart data all data is processed but unfinished boundary delimiters exist SMTP INVALID UNFIN MULTIPART sos5 0 0 sos5 1 0 high This signature detects attempts to send shell commands via...

Page 985: ...of SQLsnake a MSSQL worm SQLsnake infects Microsoft SQL Servers that have SA administrative accounts without passwords The worm sends a password list and other system information via e mail to ixltd p...

Page 986: ...maliciously crafted SMTP messages to execute arbitrary code at the same privilege level as the target typically a user Note Systems that typically carry non English e mail messages should not include...

Page 987: ...thin specified mail to and or rcpt to e mail addresses to cause Sendmail to reroute data to another program attackers receive a 550 error message SMTP RESPONSE PIPE FAILED sos5 1 0 medium This signatu...

Page 988: ...nds spam from an infected host machine TROJAN PHATBOT FTP CONNECT sos5 0 0 sos5 1 0 high This signature detects the string nongmin_cn within an SMTP header from field sent from a remote system to loca...

Page 989: ...a upon reboot VIRUS POP3 FIX2001 sos5 1 0 high This signature detects e mail attachments named Link vbs sent via POP3 This may indicate the VBS Freelink e mail virus is attempting to enter the system...

Page 990: ...soft Outlook preview pane once triggered the CHM file runs myromeo exe in the background Myromeo exe obtains e mail addresses from the Microsoft Outlook database sends infected e mail messages to all...

Page 991: ...lated files Nimda then obtains e mail addresses and sends infected messages to all addresses found using its own SMTP server VIRUS POP3 NIMDA sos5 1 0 critical This signature detects e mail attachment...

Page 992: ...irus does not carry a payload and is apparent only through a video effect VIRUS POP3 SIMBIOSIS sos5 1 0 critical This signature detects e mail attachments named Suppl doc sent via POP3 This may indica...

Page 993: ...POP3 TOADIE sos5 1 0 high This signature detects e mail attachments named 666test vbs sent via POP3 This may indicate the e mail virus TripleSix is attempting to enter the system The executed file di...

Page 994: ...POP3 This may indicate the e mail virus Zelu is attempting to enter the system disguised as the utility ChipTec Y2K Freeware Version The executed file scans available directories corrupts writeable f...

Page 995: ...e mail virus Nail to enter the system When executed the virus assigns the Microsoft Word auto dot template to a template located on an attacker Web site enabling the attacker to upload new virus code...

Page 996: ...F SMTP sos5 0 0 sos5 1 0 high This signature detects the Berbew worm as it uploads keylogger information to a listening post Berew monitors user keystrokes for financial data and reports that informat...

Page 997: ...il attachments containing the W32 Sobig E worm sent via SMTP WORM EMAIL W32 SOBIG E sos5 1 0 high This signature detects the Mimail A worm attachment in SMTP traffic After infecting a Windows based ho...

Page 998: ...TTP WORM NIMDA MSADC ROOT sos5 1 0 medium This signature detects attempts to create EML files on the system a common sign of the NIMDA worm The worm browses remote directories and creates EML files th...

Page 999: ...ew targets for infection The source IP of this log is likely infected with a variant of Santy WORM SANTY GOOGLE SEARCH sos5 1 0 high This signature detects a machine infected with the Santy worm attem...

Page 1000: ...DIP DNS Notification 00004 DNS DNS Notification 00029 DNS REP System Notification 00023 Erase System Notification 00006 Hostname Interface Notification 00009 Interface MIP Notification 00021 MIP High...

Page 1001: ...tion 00026 SSH SSL Notification 00035 SSL Syslog and WebTrends Notification 00019 Syslog High Availability Notification 00050 Track IP WEB Filtering Notification 00013 URL User Notification 00014 User...

Page 1002: ...tion 00553 Configuration Size N A Device Connect N A Device Disconnect DHCP Information 00530 DHCP CLI DNS Information 00004 DHCP DNS System Information 00767 Generic VIP Notification 00533 VIP Svr Up...

Page 1003: ...ation 00533 VIP Server Status DHCP Information 00527 DHCP Server Status NOTE For security devices running ScreenOS 5 0 x or higher Network and Security Manager does not generate information logs for d...

Page 1004: ...warded prohibited state invalid rate limited or tunnel limited Interface vsys or vrouter name if applicable For log entries generated by GTP objects with Extended logging enabled you can view the foll...

Page 1005: ...PART 6 Index Index on page 957 955 Copyright 2010 Juniper Networks Inc...

Page 1006: ...Copyright 2010 Juniper Networks Inc 956 Network and Security Manager Administration Guide...

Page 1007: ...te 76 audit logs 77 auditable activities 76 authentication server 77 AV pattern 77 backdoor rulebase 77 blocked IP 77 CA 77 catalog objects 77 channel 77 CLI based reports 77 CLI based security update...

Page 1008: ...85 supplemental CLIs in devices and templates 85 SYNProtector rulebase 85 system status monitor view 85 system URL categories 85 template operations 86 traffic signature rulebase 86 troubleshoot devi...

Page 1009: ...ure service binding 348 custom signature stream 1K context 355 custom signature stream 256 context 354 custom signature stream 8K context 355 custom signature stream context 354 custom signature suppo...

Page 1010: ...Series 235 configuring Junos 235 configuring SRX Series 235 editing the configuration 234 IDP adding 153 Infranet Controller adding 153 Infranet Controller importing 154 J Series activating 158 J Seri...

Page 1011: ...ard using 709 Data Model defined 308 importing 311 updating 309 data model defined 839 data origination icons 192 data point count configuring 782 823 data types 781 Deep Inspection activating subscri...

Page 1012: ...132 adding multiple with CSV file 169 adding multiple with discovery rules 168 configuring 187 EX Series activating 134 136 EX Series importing 116 125 extranet adding 151 IDP sensors activating 135 I...

Page 1013: ...492 exempt rules configuring attacks 493 configuring from the Log Viewer 493 configuring match columns 492 configuring source and destination 492 entering comments 493 expanded VPN view 552 585 expor...

Page 1014: ...s 449 deleting 517 deny action 453 disabling 517 negating source or destination 450 permit action 453 reject action 453 reject action changed to deny 511 rule groups 517 using MIPs as source or destin...

Page 1015: ...ng notification 479 configuring services 471 configuring source and destination 470 IDP sensors activating with dynamic IP address 135 IKE proposals 428 IMSI prefix filter 385 information banner 58 in...

Page 1016: ...e 271 installing on device 271 obtaining 271 linking to a device from Log Viewer 776 list key parameters in templates 210 local attack object update 290 local user groups 404 local users 564 log actio...

Page 1017: ...s 776 filtering 760 768 find utility 768 flagging log events 767 generating a Quick Report 825 hiding and moving columns 772 integration with reports 824 linking to a device 776 log categories 768 log...

Page 1018: ...ewall rules 454 destination NAT 416 DIP global 415 in VPNs 563 Junos OS 417 MIP global 416 VIP global 416 NAT Traversal 577 navigation tree 24 negating source or destination in firewall rules 450 NetS...

Page 1019: ...ustom signature attacks attack pattern 352 custom signature attacks attack pattern syntax 352 custom signature attacks false positive setting 348 custom signature attacks first data packet context 354...

Page 1020: ...ules 459 prerules and postrules 526 preview tools 252 primary interface fail over 305 priority levels for traffic shaping 456 Profiler alerts 714 configuring 712 configuring permitted objects 719 cont...

Page 1021: ...VPN 811 Logs by User set Flag 814 826 naming 822 Profiler 815 Screen 813 SSL VPN 815 time based 823 Top Alarms 811 Top Attackers Screen 814 Top Attacks DI 812 Top Attacks Screen 813 Top Configuration...

Page 1022: ...ions 35 Secure Access clusters adding 153 importing 154 Secure Access devices adding clusters 153 configuring features of 196 importing clusters 154 importing with dynamic IP address 121 supported pla...

Page 1023: ...importing with dynamic IP address 125 importing with static IP address 116 modeling clusters 157 supported platforms 16 SSL VPN devices See Secure Access devices SSL UAC predefined log views 758 SSL V...

Page 1024: ...2 Top Rules report 814 Top Self Logs report 812 Top Targets Screen report 814 829 Top Traffic Alarms report 811 Top Traffic Log report 811 Traffic Anomalies Rulebase other scans 503 session limiting 5...

Page 1025: ...coming DIP 570 configuring NAT with MIP VIP and Outgoing DIP 571 configuring NAT with tunnel interface and zone 571 configuring overrides 583 configuring overrides device configuration 584 configuring...

Page 1026: ...s adding 165 vsys devices adding 147 importing 148 modeling 149 W warning icon 193 Web categories permission to update on device 80 updating on device 301 updating on system 301 Web filtering black li...

Reviews:

No comments

Related manuals for NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1

Xerox DocuPrint 115 System Manual preview
DocuPrint 115
Brand: Xerox Pages: 100
KAPERSKY ANTI-VIRUS BUSINESS OPTIMAL Manual preview
ANTI-VIRUS BUSINESS OPTIMAL
Brand: KAPERSKY Pages: 31
Red Hat NETWORK 3.6 - Reference Manual preview
NETWORK 3.6 -
Brand: Red Hat Pages: 198
Avermedia A16AR User Manual preview
A16AR
Brand: Avermedia Pages: 97
ArcSoft DV-6400 Quick Start Manual preview
DV-6400
Brand: ArcSoft Pages: 6
I.R.I.S. IRISPowerscan 9.5 User Manual preview
IRISPowerscan 9.5
Brand: I.R.I.S. Pages: 182
Access ATOMIZER Operator'S Manual preview
ATOMIZER
Brand: Access Pages: 16
GRASS VALLEY MEDIAEDGE-SVS4 Datasheet preview
MEDIAEDGE-SVS4
Brand: GRASS VALLEY Pages: 2
GRASS VALLEY EDIUS 6 Application Note preview
EDIUS 6
Brand: GRASS VALLEY Pages: 24
GRASS VALLEY AURORA INGEST - S AND UPGRADE INSTRUCTIONS V7.1 Upgrade Instructions preview
AURORA INGEST - S AND UPGRADE INSTRUCTIONS V7.1
Brand: GRASS VALLEY Pages: 66
National Instruments Order Analysis Toolset User Manual preview
Order Analysis Toolset
Brand: National Instruments Pages: 63
Xerox PAGIS PRO 2.0 User Manual preview
PAGIS PRO 2.0
Brand: Xerox Pages: 267
Waves Dynamics Processor MV2 User Manual preview
Dynamics Processor MV2
Brand: Waves Pages: 13
Blackberry CHALK PUSHCAST PLAYER User Manual preview
CHALK PUSHCAST PLAYER
Brand: Blackberry Pages: 27
LapLink Gold Corporate 5 User Manual preview
Gold Corporate 5
Brand: LapLink Pages: 166
Lenovo THINKPAD Z61P Setup Manual preview
THINKPAD Z61P
Brand: Lenovo Pages: 2
Lenovo ThinkStation C20 Specifications preview
ThinkStation C20
Brand: Lenovo Pages: 4
Lenovo ThinkPad Z61M Brochure preview
ThinkPad Z61M
Brand: Lenovo Pages: 4

Brands by name

Popular brands

Load more brands