Juniper NETWORK AND SECURITY MANAGER 2010.3 Скачать руководство пользователя страница 553 | Manualshive

Страница: 553 / 1016

background image

NOTE:

We highly recommend that you validate a policy before installing it. A security

policy that has internal problems can leave your network vulnerable.

Rule Duplication

Rule duplication occurs when an administrator configures the same rule in a rulebase
more than once. Rule duplication can also occur during the rule validation process for
devices running ScreenOS 5.0 and later. NSM treats each element of the rule as a separate
rule. For example, when a rule with two service objects (AOL and DNS) is sent to the
device, NSM sends it as two rules, one rule with AOL and another with DNS.

NOTE:

For ScreenOS 5.0 and later, NSM sends rules with multiple objects or elements.

For example, NSM can send a rule with two or more service objects as one rule.

You should delete all duplicate rules to maintain policy lookup efficiency.

A ScreenOS 5.0 and later device passes the policy validation process for HTTP; however,
Rule 2 is not needed. To correct this problem, you should delete Rule 2.

Rule Shadowing

Rule shadowing occurs when an administrator selects or configures a policy in such as
way that the next rules have no effect on traffic. Rule shadowing can introduce system
vulnerabilities and packet dropping. Policy validation identifies rule shadowing. You
should modify or delete all rules that overshadow others.

When a packet comes in, a security device compares it to the first rule in the policy. If a
match occurs, the device executes the action associated with the rule. If no match occurs,
the rule has no effect. Then, the device compares the packet to the next rule in the policy
(unless the prior rule was a “ terminal” rule.) So, each packet gets compared to every
rule in the policy until a match occurs or a terminal rule ends the match process.

For example, if Rule 1 is a terminal rule, and a packet matches Rule 1, then the device will
never compare the packet to the next rules. Or, if Rule 1 causes the packet to be dropped,
and Rule 2 adds a diffserv marking, the diffserv marking will never be added.

In Table 47 on page 503 Rule 1 shadows Rule 2. Rule 1 allows any service to a web server,
but Rule 2 denies the service HTTP. When the security device receives a packet requesting
HTTP service with the web server, Rule 1 allows the traffic. Rule 2 which denies HTTP is
never checked.

Table 47: Rule Shadowing Example

Action

Service

Destination

To Zone

Source

From Zone

Rule

Allow

Any

Web server

DMZ

Any

Untrust

1

Deny

HTTP

Web server

DMZ

Any

Untrust

2

503

Copyright © 2010, Juniper Networks, Inc.

Chapter 9: Configuring Security Policies

«
...
551
552
553
554
555
...
»

Содержание NETWORK AND SECURITY MANAGER 2010.3

Страница 1: ...Juniper Networks Network and Security Manager Administration Guide Release 2010 3 Published 2010 08 17 Revision 1 Copyright 2010 Juniper Networks Inc...

Страница 2: ...f the University of California All rights reserved Portions of the GateD software copyright 1991 D L S Associates This product includes software developed by Maker Communications Inc copyright 1996 19...

Страница 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Страница 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Страница 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Страница 6: ...Copyright 2010 Juniper Networks Inc vi...

Страница 7: ...Device Configuration 5 Device Management 6 Importing Devices 6 Device Modeling 6 Rapid Deployment 6 Policy Based Management 6 Error Prevention Recovery and Auditing 7 Device Configuration Validation...

Страница 8: ...n and Data Origination Icons 32 Working with Other NSM Administrators 33 Searching in the User Interface 33 Contains String C Search Mode 34 Starts With S Search Mode 34 Regular Expression R Search Mo...

Страница 9: ...ation Banner 60 Chapter 3 Configuring Role Based Administration 61 Role Based Administration 61 Domains 61 About Roles 62 Using Role Based Administration Effectively 63 Enterprise Organizations 63 Geo...

Страница 10: ...iple Devices 103 Specifying the OS and Version 104 Determining Port Mode ScreenOS Devices Only 104 Trust Untrust Port Mode 105 Home Work Port Mode 105 Dual Untrust Port Mode 106 Combined Port Mode 106...

Страница 11: ...lects Two Devices to Update with the Delta Option But Has no Admin Privileges 146 Adding Vsys Devices 146 Placing the Root Device in a Global Domain or a Subdomain 147 Importing Vsys Devices 147 Model...

Страница 12: ...id Deployment 177 Modeling and Activating Many Devices with Configlets 178 Activating Many Devices with Configlets 179 Adding Device Groups 179 Example Creating a Device Group 180 Setting Up NSM to Wo...

Страница 13: ...211 Identifying Ordered List Entries That Do Not Match the Template or Configuration Group Order 214 Using the Template Operations Directive 215 Select OS Name Section 216 Select Devices Section 216...

Страница 14: ...Configuration File 238 Automatic Import of Configuration Files 238 Chapter 6 Updating Devices 239 About Updating 239 How the Update Process Works 240 About Atomic Configuration ScreenOS Devices 241 Ab...

Страница 15: ...Page Shared Object 275 Importing Antivirus Live Update Settings 275 Uploading Live Update Settings 275 275 Linking to a Live Update File Shared Object 276 Importing Endpoint Security Assessment Plug i...

Страница 16: ...292 Scheduling Security Updates 292 Example Update Attack Objects and Push to Connected Devices 294 Scheduling the Update 294 Example Using Crontab to Schedule Attack Updates 295 Viewing Scheduled Sec...

Страница 17: ...dress Object 324 Editing and Deleting Address Objects 325 Replacing Address Objects 325 Adding an Address Object Group 325 Adding a Multicast Group Address Object 326 Adding Static DNS Host Addresses...

Страница 18: ...354 Configuring Compound Attack Members 355 Configuring the Direction Filter 357 Creating Custom DI Attack Groups 357 Creating Custom IDP Attack Groups 357 Creating Static Attack Groups 358 Creating D...

Страница 19: ...ervice Objects 382 Viewing Predefined Services 382 Creating Custom Services 384 Service Object Groups 385 Example Creating a Custom Service and Group 386 Example Creating a Custom Sun RPC Service 387...

Страница 20: ...418 Configuring CRLs 419 Configuring Extranet Policies 419 Configuring Binary Data Objects 420 Adding Binary Data Objects 420 Viewing Editing and Deleting Binary Data Objects 421 Configuring Protecte...

Страница 21: ...and Destination Addresses for Firewall Rules 444 Support for Any IPv6 as a Source Address 445 Configuring Services for Firewall Rules 446 Defining Actions for Firewall Rules 446 Selecting Devices for...

Страница 22: ...Rules 474 Entering Comments for IDP Rules 474 Configuring multiple IDP policies for an MX Series Router 475 Configuring Application Policy Enforcement APE Rules 476 Adding the APE Rulebase Using the...

Страница 23: ...tting an Alert 490 Logging Packets 490 Setting Severity 490 Specifying VLANs 490 Setting Target Devices 490 Entering Comments 491 Configuring SYN Protector Rules 491 The TCP Handshake 491 SYN Floods 4...

Страница 24: ...e Options 500 Setting Notification 500 Setting Logging 500 Setting an Alert 500 Logging Packets 500 Setting Severity 501 Specifying VLANs 501 Setting Target Devices 501 Entering Comments 501 Installin...

Страница 25: ...prerules and postrules 521 Managing prerules and postrules 521 Add prerules and postrules 521 Push prerules and postrules to Regional Server 521 Modify prerules and postrules 522 Delete prerules and p...

Страница 26: ...Protecting Data in the VPN 548 Using IPSec 548 Using L2TP 550 Choosing a VPN Tunnel Type 550 About Policy Based VPNs 550 About Route Based VPNs 551 VPN Checklist 551 Define Members and Topology 551 D...

Страница 27: ...ing Users 577 Editing the VPN Configuration 577 Editing VPN Overrides 577 VPN Manager Examples 577 Example Configuring an Autokey IKE Policy Based Site to Site VPN 578 Example Configuring an Autokey I...

Страница 28: ...t Mode 621 Using Central Manager 621 Adding a Regional Server Object 621 Deleting a Regional Server Object 622 Logging into a Regional Server 622 Installing Global Policy to a Regional Server 622 Prer...

Страница 29: ...figuration Conflicts with the Infranet Controller in the UAC Manager 643 Enabling 802 1X on Enforcement Point Ports in the UAC Manager 644 Disabling 802 1X on Enforcement Point Ports in the UAC Manage...

Страница 30: ...ng Server Status 690 Viewing Additional Server Status Details 692 Viewing Process Status 693 Using Management System Utilities 695 Using Schema Information 696 Viewing Device Schema 697 Chapter 18 Ana...

Страница 31: ...able Components 718 Stopping Worms and Trojans 719 Example SQL Worm 719 Example Blaster Worm 720 Accessing Data in the Profiler Database 720 About Security Explorer 721 Security Explorer Main Graph 72...

Страница 32: ...rends Server 743 Managing Packet Data in Logs 743 Using the Log Viewer 746 Using Log Views 747 About Predefined Log Views 747 Creating Custom Views and Folders 749 Creating Per Session Views 750 Log V...

Страница 33: ...it Log Table 779 Managing the Audit Log Table 780 Target View and Device View 782 Setting a Start Time for Audit Log Entries 782 Managing Log Volume 782 Automatic Device Log Cleanup 783 Archiving Logs...

Страница 34: ...IDP Reports 802 Screen Reports 803 Administrative Reports 804 UAC Reports 804 Profiler Reports 805 AVT Reports 805 SSL VPN Reports 805 EX Series Switches Report 806 My Reports 806 Shared Reports 806...

Страница 35: ...ttack Trends 818 Example Using DI Reports to Detect Application Attacks 819 Using the Watch List 819 Part 5 Appendixes Appendix A Glossary 823 Network and Security Manager NSM Term Definitions 823 App...

Страница 36: ...Copyright 2010 Juniper Networks Inc xxxvi Network and Security Manager Administration Guide...

Страница 37: ...gure 15 User in Domain global with a Predefined Role 71 Figure 16 User in Domain global with Custom Role r1 71 Figure 17 User in Subdomain d1 With a Predefined Role 72 Figure 18 User in Subdomain d1 W...

Страница 38: ...IP Based Session Limit 207 Figure 53 View DoS Value for SYN ACK ACK Proxy Protection Setting 207 Figure 54 View Default SYN ACK ACK Proxy Protection Setting 207 Figure 55 Up and Down Arrows for Chang...

Страница 39: ...for AutoKey IKE VPN 581 Figure 91 Add Chicago Protected Resource for AutoKey IKE RAS VPN 583 Figure 92 Add New Local User for AutoKey IKE RAS VPN 583 Figure 93 Configure Security for AutoKey IKE RAS...

Страница 40: ...vestigator Results 775 Figure 114 Audit Log Viewer UI Overview 779 Chapter 20 Reporting 799 Figure 115 Generating A Quick Report 815 Figure 116 Logs by User Set Flag Report 816 Figure 117 Top FW VPN R...

Страница 41: ...ts 21 Table 13 Validation Status for Devices 31 Table 14 Validation Icons 32 Chapter 3 Configuring Role Based Administration 61 Table 15 How to Authenticate Users 68 Table 16 Predefined NSM Administra...

Страница 42: ...ce NAT Configuration Options 412 Table 42 Destination NAT Configuration Options 415 Chapter 9 Configuring Security Policies 429 Table 43 IDP Rule Actions 467 Table 44 Severity Levels Recommended Actio...

Страница 43: ...ata 707 Table 86 Network Profiler Data 708 Table 87 Applciation Profiler Data 711 Table 88 Detailed Network Information Data 715 Table 89 Transitional Graphs 726 Chapter 19 Logging 729 Table 90 Event...

Страница 44: ...ppendix A Glossary 823 Table 119 CIDR Translation 827 Appendix B Unmanaged ScreenOS Commands 849 Table 120 Unmanaged Commands for Firewall VPN Devices 849 Appendix C SurfControl Web Categories 851 Tab...

Страница 45: ...s a technical overview of the management system architecture It also explains how to configure basic and advanced NSM functionality including adding new devices deploying new device configurations upd...

Страница 46: ...rts you to the risk of personal injury from a laser Laser warning Table 2 on page xlvi defines text conventions used in this guide Table 2 Text Conventions Examples Description Convention Issue the cl...

Страница 47: ...tional or required Words separated by the pipe symbol internal external Represent optional keywords or variables Words enclosed in brackets level 1 level 2 11 Represent optional keywords or variables...

Страница 48: ...Devices Guide Provides procedures for basic tasks in the NSM user interface It also includes a brief overview of the NSM system and a description of the GUI elements Network and Security Manager Onlin...

Страница 49: ...al pdf resource guides 7100059 en pdf Product warranties For product warranty information visit http www juniper net support warranty JTAC Hours of Operation The JTAC centers have resources available...

Страница 50: ...AC on the Web or by telephone Use the Case Management tool in the CSC at http www juniper net cm Call 1 888 314 JTAC 1 888 314 5822 toll free in the USA Canada and Mexico For international or direct d...

Страница 51: ...he management system and describe how to prepare to integrate your existing network security structure using NSM role based administration tools Part 1 contains the following chapters Introduction to...

Страница 52: ...Copyright 2010 Juniper Networks Inc 2 Network and Security Manager Administration Guide...

Страница 53: ...anaging all device parameters for devices NSM works with networks of all sizes and complexity You can add a single device or create device templates to help you deploy multiple devices You can create...

Страница 54: ...stinct systems or to control administrative access to individual systems With multiple domains you can create objects policies and templates in the global domain and then create subdomains that automa...

Страница 55: ...n groups In Junos devices configuration groups allow you to create a group containing configuration statements and to direct the inheritance of that group s statements in the rest of the configuration...

Страница 56: ...your devices with a single update You can implement a new routing protocol across your network design and deploy a new security policy with traffic shaping or create a new VPN tunnel that connects a b...

Страница 57: ...Configuration Validation NSM alerts you to configuration errors while you work in the UI Each field that has incorrect or incomplete data displays an error icon Move your cursor over the icon to see d...

Страница 58: ...M provides the tools and features you need to manage your devices as a complete system as well as individual networks and devices To manage an individual device create a single device configuration de...

Страница 59: ...devices in the Device Monitor Configuration and connection status of your managed devices Individual device details such as memory usage and active sessions Device statistics View the status of each i...

Страница 60: ...urity Manager Installation Guide Architecture NSM is a three tier management system made up of a user interface UI management system and managed devices The devices process your network traffic and ar...

Страница 61: ...gement system is made up of two components GUI Server Device Server See Figure 2 on page 11 Figure 2 NSM System Architecture GUI Server The GUI Server manages the system resources and data that drive...

Страница 62: ...tion data to the NSM UI for viewing or to the local data store for later retrieval guiSvrMasterController GUI Server License Manager is responsible for license storage retrieval and validation guiSvrL...

Страница 63: ...ogWalker Device Server Database Server devSvrDBServer Device Server Profiler Manager devSvrProfilerMgr Managed Devices In addition to dedicated security devices such as firewalls and IDP sensors your...

Страница 64: ...en 204 ScreenOS 5 0 5 0 FIPS 5 1 5 2 5 3 5 3 TMAV 5 4 5 4 FIPS Juniper Networks NetScreen 208 ScreenOS 5 0 5 0 FIPS 5 0 NSGP 5 0 GPRS 5 1 5 1 GPRS 5 1 shotglass 5 2 5 3 5 3 TMAV 5 4 5 4 FIPS Juniper N...

Страница 65: ...enOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 320M ScreenOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 350 ScreenOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 350M ScreenOS 5 1 SSG...

Страница 66: ...outage and a longer upgrade time SSG 5 SB replaces NetScreen 5GT SSG 5 SB is a 10 user variant of SSG 5 similar to the existing 10 user variant of NS 5GT Devices Running Junos OS Devices running Juno...

Страница 67: ...per Networks J4350 Services Router with IDP Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update Juniper Networks J6350 Services Router Junos OS Release 9 5 9 6 10 0 10 1 Juniper Networks...

Страница 68: ...0 2 via schema update Juniper Networks M10i Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update Juniper Networks M40e Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update Ju...

Страница 69: ...10 1 10 2 via schema update Juniper Networks EX2200 48P Junos OS Release 10 1 10 2 via schema update Juniper Networks EX2200 48T Junos OS Release 9 2 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update J...

Страница 70: ...Secure Access products and operating system versions supported by NSM 2010 3 Table 11 Secure Access Products NSM Supports Versions of SA Software NSM Supports Security Device SA Release 6 3 6 4 6 5 Ju...

Страница 71: ...configuration data for all objects in a specific domain When you use the UI to interface with your managed devices the ADM and DMs work together When you update a device configuration the GUI Server t...

Страница 72: ...Devices on page 13 for lists of specific models of these products that support management through NSM Unlike schemas for ScreenOS and IDP devices schemas for these devices can be updated asynchronousl...

Страница 73: ...n Attempts The NSM UI blocks hosts that fail to login after 10 attempts by default Use the Tools Preferences System Properties option to change the number of attempts Use the Tools Manage Blocked Host...

Страница 74: ...cies VPNs and other objects Administer panel Provides NSM modules with tree structures for managing the NSM servers ongoing jobs and other actions For details about each module see NSM Modules on page...

Страница 75: ...re Modules on page 27 Administer Modules on page 31 Investigate Modules The Investigate panel includes the following top level modules Log Viewer on page 25 Report Manager on page 26 Log Investigator...

Страница 76: ...X Series devices NSM does not support report management for SRX Series devices M Series devices and MX Series devices Log Investigator The Log Investigator contains tools for analyzing your log entrie...

Страница 77: ...page 29 Device Manager The Device Manager contains the device objects that represent your managed devices You can create or modify ScreenOS security devices and IDP sensors The devices you use to ena...

Страница 78: ...tiple devices Delete policies If the device configurations that you import from your security devices contain policies the Policy Manager displays those imported policies For details on editing those...

Страница 79: ...owing objects in NSM Access Profiles An access profile consists of a set of attributes that defines access to a device You can create access profile objects and share them across security policies tha...

Страница 80: ...eated Regional Servers Represent NSM servers managed by a Central Manager Zone objects Represent zones in a Central Manager or Regional Server Schedule objects Represent specific dates and times You c...

Страница 81: ...ctives that NSM sends to your managed devices You can view summaries or details for active jobs and completed jobs For more details on Job Manager see Tracking Device Updates on page 254 Action Manage...

Страница 82: ...4 on page 32 Table 14 Validation Icons Priority Meaning Message Type Icon Highest Indicates that a configuration or parameter is not configured correctly in the NSM UI Updating a device with this mode...

Страница 83: ...ed enabling other administrators to edit it However because the UI does not immediately refresh the object values you must manually refresh the UI to view the most recent versions When you attempt to...

Страница 84: ...ey to end the search operation and close the window The following sections provide examples of each search mode Contains String C Search Mode Use to locate a pattern anywhere in a string For example t...

Страница 85: ...bjects that detect denial of service attacks 1 In the main navigation tree select Object Manager Attack Objects DI Objects and then select the Predefined Attacks tab 2 Select the first entry in the co...

Страница 86: ...ess Table tab 2 Select the first entry in the column IP Domain Name and then press the backslash key to display the search mode window 3 Enter I and then enter 5 5 5 The UI automatically highlights th...

Страница 87: ...ing bbbb 1 In the main navigation tree select Object Manager Address Objects then select the Address Table tab 2 Select any entry in the Namecolumn and then press the backslash key to display the sear...

Страница 88: ...lated information If you select Name you must enter the name of the object in the Name field You can then specify whether you want the search to be a Case Sensitive or Regular Expression type of searc...

Страница 89: ...button to execute the search The Search Results appear at the bottom of the dialog box The applicable search category is listed to the left and the matching search objects are listed to the right 5 U...

Страница 90: ...Copyright 2010 Juniper Networks Inc 40 Network and Security Manager Administration Guide...

Страница 91: ...e 45 Simplifying Management on page 54 Creating an Information Banner on page 57 Configuring Devices Overview To manage Juniper Networks devices that already exist on your network you can import their...

Страница 92: ...imports the existing device configuration it automatically creates all objects and policies in the configuration NOTE NSM does not import IDP rulebases in a security policy when importing the device c...

Страница 93: ...nfigurations for similar devices For ScreenOS 5 x and later devices you can use Rapid Deployment RD to deploy multiple devices in nontechnical locations Use RD to stage and configure devices quickly a...

Страница 94: ...ion to a device see Updating Devices on page 239 7 Create VPN rules Create Protected Resources Create user objects and User Groups for RAS VPNs Use VPN Manager to select VPN members and then automatic...

Страница 95: ...etScreen IDP 4 x The NSM system consists of the Device Server and the GUI Server the NSM User Interface is a client application used to access information stored in the NSM system Guidance for Intende...

Страница 96: ...configuring and managing IDP on the ISG2000 and ISG1000 devices Although you can use the ScreenOS CLI or Web UI to configure the firewall VPN capabilities of the security device you must use the NSM U...

Страница 97: ...xisting ISG2000 or ISG1000 device that is currently managed by NSM then upgrade the device firmware to ScreenOS 5 0 0 IDP1 NOTE After you have upgraded the firmware you must reimport the device config...

Страница 98: ...tack object database on the selected managed devices Adding Objects Optional Create address objects for the network components you want to protect with IDP These components can be routers servers work...

Страница 99: ...have configured basic security device settings such as assigning interfaces to zones setting the administrative password and configuring default routes For details about configuring these settings see...

Страница 100: ...a rule in the IDP rulebase the security module attempts to match the traffic against the Exempt rulebase before performing the specified action or creating a log record for the event Add the Exempt r...

Страница 101: ...n the left side of the Security Policy window click the Add icon to open a default rule For rules in the IDP rulebase you define the type of network traffic to monitor the attacks to detect the action...

Страница 102: ...viewing the security policy in Expanded Mode To change the view mode of a policy from the menu bar select View Show Expanded Mode View Show Compact Mode or View Show Custom Mode Configure Notificatio...

Страница 103: ...ve enabled IDP on the device and installed a security policy that uses the IDP detection and prevention functionality IDP logs begin to appear in the NSM Log Viewer assuming you enabled IDP logging fo...

Страница 104: ...ally has all IDP related permissions A custom role for IDP administrators might include the following permissions Attack Update Create View Edit Delete Policies Create View Edit Delete Backdoor and ID...

Страница 105: ...generic NetScreen 5GT device template that you can use each time you add a device of that type Or you can apply multiple templates to the same device You can map a maximum of 63 templates to the same...

Страница 106: ...y understood by your users and administrators and that still has room to grow For example you might use the naming convention city name with a naming theme of Greek mythology figures some sample devic...

Страница 107: ...example Wendy Parker working in Texas on a Windows 2000 Pro laptop would see her machine name as tx_wparker_m_2kpro Creating an Information Banner Central Manager administrators and regional server s...

Страница 108: ...ant to add the banner server wide and click the Edit icon as shown in Figure 11 on page 58 Figure 11 Selecting the GUI Server in Central Manager 3 Enter the customized text in the Log In Warning Messa...

Страница 109: ...available to NSM users connected to the server as shown in Figure 13 on page 59 Figure 13 Information Banner Login into Central Manager The NSM user must click Yes to access the GUI server 59 Copyrig...

Страница 110: ...iately available to all NSM users server wide Deleting an Information Banner This procedure assumes that a Central Manager administrator is logged onto a Central Manager client or a super user is logg...

Страница 111: ...egy and how to prepare your network for NSM NSM includes many features specifically designed for managing multiple Juniper Networks devices such as device groups and templates This chapter contains th...

Страница 112: ...tant if you plan to use VPNs in your network Because you can create VPNs only between devices in the same domain be sure to add the devices you want to connect with a VPN to the same domain About Role...

Страница 113: ...se multiple domains to segregate large geographically distant networks into locally managed sections Permission Structure Use multiple domains to segregate critical devices and systems from less impor...

Страница 114: ...ed with security policies Administrator Types Many organizations have different types of administrators for different roles within the company Each organization has a unique vision for the granularity...

Страница 115: ...ive Management A management administrator creates administrators and manages their permissions The super administrator creates a management administrator to delegate administrator management For examp...

Страница 116: ...more customer subdomains enabling the customer administrator to handle multiple customer networks without access to the CNM internal network Additionally the super administrator can create a role str...

Страница 117: ...dministrator permissions in only one subdomain create the administrator in that subdomain Configuring General Settings To create an NSM administrator account click the Add icon in the Administrator ta...

Страница 118: ...ooks at the local database to find the user and then if no match is found to the RADIUS server You can also define the role assignment for each user directly from the RADIUS server NOTE You must confi...

Страница 119: ...S vendor specific attribute VSA is available to allow vendors to support their own extended attributes If you use a RADIUS server other than Steel Belted RADIUS you must enter the following NSM attrib...

Страница 120: ...dministrator Read Only System Administrator System Administrator Predefined roles do not belong to any domain The format for predefined roles is DomainName1 predefined role name DomainName1 is the dom...

Страница 121: ...must configure the role mapping list for each user on the RADIUS server Figure 15 on page 71 through Figure 21 on page 73 show examples of assigning predefined and custom roles through RADIUS All exam...

Страница 122: ...d1 With a Custom Role r1 Create the custom role r1 in the subdomain d1 Figure 19 Assigning Multiple Roles to a User in Global Domain Roles r1 and r2 are the custom roles assigned to the user Copyrigh...

Страница 123: ...1 Assigning Roles Defined in Domain global The user role r1 is defined in global domain but the user has access to only a subdomain d1 and therefore gets a the global role r1 Figure22 AssigningRolesDe...

Страница 124: ...or or to create administrators when your organization s existing permission structure maps closely to the permissions defined in the default role All roles default and custom are created from activiti...

Страница 125: ...ss profiles across security policies that are assigned to J Series Services Routers and SRX Series Services Gateways managed by NSM View Create Edit Delete Access Profile Objects An admin role defines...

Страница 126: ...s on your network The information stored in an authentication server determines the privileges of each administrator Create Delete Edit View Authentication Server Updates the pattern file on the devic...

Страница 127: ...vice troubleshooting commands debug exec and get Edit View Custom Troubleshoot Commands Known targets and sources of attacks or suspected targets and sources of attacks can be added to source or desti...

Страница 128: ...sical device and the modeled device configuration in NSM View Device Delta Config The device firmware is the software image used on the managed device Update Device Firmware A device log comment is a...

Страница 129: ...mation such as networking settings interface settings or DNS settings View Create Edit Delete Devices Device Groups and Templates Deep Inspection DI attack objects contain attack patterns and protocol...

Страница 130: ...Edit View Group Expressions GPRS Tunneling Protocol GTP objects applied to a security policy rule enable a security device to manage GTP traffic If a GTP packet matches the rule the device attempts t...

Страница 131: ...ative Log Reports This activity allows an administrator to manage IP pools An IP pool object contains IP ranges a range of IP addresses within the same subnet You use IP Pool objects to assign IP addr...

Страница 132: ...tics you must enable NSRP Monitor in the NSRP properties for each cluster device View NSRP Monitor Allows an administrator to manage permitted objects You configure permitted objects in Profiler consi...

Страница 133: ...defines the DNS and WINS servers that are assigned to L2TP RAS users after they have connected to the L2TP tunnel You can use remote settings objects in an L2TP VPN and when configuring a local user o...

Страница 134: ...objects represent the IP traffic types for existing protocol standards Create Delete Edit View Service Objects A shared historical log report is a user defined historical log report that is available...

Страница 135: ...ined by SurfControl Update System UrlCategory Allows an administrator to perform template operations N A Template Operations Allows an administrator to manage threats to the network through the creati...

Страница 136: ...ables a system administrator to configure the resource limits for a vsys device by creating or editing a vsys profile and assigning it to the vsys device Create Delete Edit View VSYS Profile Objects A...

Страница 137: ...run the Import Admin directive A new role Export Import Device Config to File has been created to allow permission to run the Export Device Config To File and Import Device Config From File directive...

Страница 138: ...istrator the activity or role is not visible in the list of available activities or roles Within a domain you can view only the custom roles that you have created or that have been assigned to you You...

Страница 139: ...tion includes the following columns Home Domain The name of the domain in which the administrator was created Admin Name The name of the administrator who is logged in Status Whether a user has been a...

Страница 140: ...log out from his own session Server resources such as the GUI Server connection to a client and a port are freed In a central or a regional server setup forced logout applies only to a server The admi...

Страница 141: ...the co location facility and provide read only permission for customers to view log entries and generate reports No VPNs are used To configure this domain structure use the following process Create th...

Страница 142: ...ries and generate reports for devices in their subdomain 1 Using the domain menu at the top of the navigation tree select the first subdomain MA_company1 NSM loads the subdomain 2 From the Menu bar cl...

Страница 143: ...enables all functionality for the domain However the domain menu at the top of the navigation tree displays only the current domain restricting the domain administrator to that domain Repeat for each...

Страница 144: ...Copyright 2010 Juniper Networks Inc 94 Network and Security Manager Administration Guide...

Страница 145: ...PART 2 Integrating Adding Devices on page 97 Configuring Devices on page 185 Updating Devices on page 239 Managing Devices on page 261 95 Copyright 2010 Juniper Networks Inc...

Страница 146: ...Copyright 2010 Juniper Networks Inc 96 Network and Security Manager Administration Guide...

Страница 147: ...eenOS releases 5 0r11 5 1r4 5 2r3 5 3r10 5 4r11 6 0r2 6 1r4 6 2 and 6 3 Before you can manage a device with NSM you must add the device to the management system NSM supports adding individual devices...

Страница 148: ...lowing types of devices Physical devices Importing Devices on page 112 and Modeling Devices on page 130 later in this chapter provide details on how to add an existing or new device into NSM These dev...

Страница 149: ...ice you must verify the device configuration Determine Device Status How you add your devices to the management system depends on the network status of the device You can import deployed devices or yo...

Страница 150: ...ice This summary is known as a Get Running Config summary Managing the Device After adding a device you can manage its configuration objects and security policies in the UI You can also view traffic l...

Страница 151: ...e device into NSM a new policy is automatically created using the following naming syntax device_1 Each new policy increments the name Devices are not assigned to the new policy If you reimport a devi...

Страница 152: ...es NSM includes a global domain by default You can also create additional domains called subdomains that exist within the global domain Before you add the device you must select the domain that contai...

Страница 153: ...use the Activate Device wizard You can import or model device configurations from a device running ScreenOS 5 0 x or later except 6 0r1 IDP 4 0 or later Junos 9 0 or later SA 6 2 or later or IC 2 2 o...

Страница 154: ...SM no longer supports devices running 4 x or earlier versions of ScreenOS If you are not running a supported version you must upgrade your devices before adding them into the management system Contact...

Страница 155: ...ch is bound to the Trust security zone Home Work Port Mode Home Work mode binds interfaces to the Untrust security zone and to Home and Work security zones The Home and Work zones enable you to segreg...

Страница 156: ...primary interface See Figure 27 on page 106 for port interface and zone bindings Figure 27 Dual Untrust Port Mode Bindings This mode provides the following bindings Binds the Untrusted Ethernet port t...

Страница 157: ...y interface to the Untrust security zone Binds the Ethernet ports 3 and 2 to the ethernet2 interface which is bound to the Home zone Binds Ethernet port 1 to the ethernet1 interface which is bound to...

Страница 158: ...serial interface which you can bind as a backup interface to the Untrust security zone Trust Untrust DMZ Extended Mode Trust Untrust DMZ Extended mode binds interfaces to the Untrust Trust and DMZ se...

Страница 159: ...ScreenOS 5 1 and later See Figure 31 on page 109 for port interface and zone bindings Figure 31 DMZ Dual Untrust Port Mode This mode provides the following bindings Binds the Ethernet ports 1 and 2 to...

Страница 160: ...ome Work Mode Trust Untrust Mode Port Zone Interface Zone Interface Zone Interface Untrust ethernet3 Untrust ethernet3 Untrust Untrust Untrusted Trust ethernet1 Work ethernet1 Trust Trust 1 Trust ethe...

Страница 161: ...Supported Add Device Workflows by Device Family Table 22 on page 111 summarizes the methods or workflows you can use to add devices from each supported device family Table 22 Supported Add Device Work...

Страница 162: ...0 or later SA 6 2 or later or IC 2 2 or later When importing from a device the management system connects to the device and imports Data Model DM information that contains details of the device config...

Страница 163: ...NACN The device must be operating in the desired port mode You cannot change the operational mode after importing the device into NSM Port modes apply only to some ScreenOS devices Adding and Importi...

Страница 164: ...ected device name within the device from its config editor page in NSM and select Update device If you modified the device host name through the Junos OS CLI SNMP or J Web interface you can modify the...

Страница 165: ...n the Add Device wizard 4 Select Device Is Reachable default 5 Click Next The Specify Connection Settings dialog box opens 6 Enter the following connection information Enter the IP Address of the Sens...

Страница 166: ...ted Device Configurations on page 127 for details Junos Devices You can add any device running Junos OS an EX Series virtual chassis or an SRX virtual chassis to NSM using the static IP address method...

Страница 167: ...nager to view the imported configuration To check the device configuration status mouse over the device in Device Manager or check the configuration status in Device Monitor The device status displays...

Страница 168: ...ith Dynamic IP Addresses A dynamic IP address is an IP address that changes To add a device that uses a dynamic IP address the device must support NACN ScreenOS Devices To import a ScreenOS device wit...

Страница 169: ...connection to the physicaldevice pastethecommands andexecutethemtoenableNSMmanagement of the device 11 To check the device configuration status mouse over the device in Device Manager or check in Dev...

Страница 170: ...n on the Specify Name Color OS Name Version and Platform screen Enter a name and select a color to represent the device in the UI From the OS Name list select ScreenOS IDP From the Platform Name list...

Страница 171: ...s to verify the imported configuration using the Device Monitor or the Device Manager See Verifying Imported Device Configurations on page 127 for details Adding and Importing an Infranet Controller o...

Страница 172: ...and create a new NSM agent administrator realm for the NSM agent on the device Use role mapping to associate the NSM agent role and realm Do not apply any role or realm restrictions for the NSM agent...

Страница 173: ...he device Make a note of this password The device administrator will need it to configure the connectivity with NSM NOTE All passwords handled by NSM are case sensitive d Click Finish to complete the...

Страница 174: ...ged OS version when adding the device into NSM Delete the device from NSM and add it again using the correct managed OS version 2 Import the device configuration a Right click the device in the Device...

Страница 175: ...latform screen Enter a name and select a color to represent the device in the UI From the OS Name list select Junos The Junos OS Type list appears Select the Junos OS type for the device you want to a...

Страница 176: ...ible and has the connection status Never connected 8 Give the unique external ID and the one time password to the device manager Configure and Activate Connectivity on a Junos Device The device admini...

Страница 177: ...List verify the connection status of the newly added device The status changes from Never connected to Up If the configuration status is device platform mismatch you selected the wrong device platfor...

Страница 178: ...g a NetScreen 500 5000 series or ISG series security device you must manually configure the network module slot before the imported physical interfaces appear in the NSM UI For details on defining the...

Страница 179: ...ou the differences between the configuration you see in the NSM UI and the configuration on the physical device To get a delta configuration summary from the Device Manager launchpad click Summarize D...

Страница 180: ...evices Using CSV Files on page 168 Requirements To model a device you must know the device type and OS name and version that is running on the device To activate a device You must have the device conn...

Страница 181: ...es select the appropriate port mode from the Device subtype list after you select the device type NSM automatically sets the license mode to Extended 8 Enable transparent mode if desired ScreenOS devi...

Страница 182: ...address 1 Check the device configuration state by holding your mouse cursor over the device in Device Manager or by checking the configuration status in Device Monitor The device configuration state s...

Страница 183: ...device configurationstatus shoulddisplay Modeled indicating that the management system is waiting for the device to be activated 2 Right click the device and select Activate Device to display the Act...

Страница 184: ...words handled by NSM are case sensitive 5 Click Next The Verify Device Authenticity dialog box opens The device wizard displays the RSA Key FingerPrint information To prevent man in the middle attacks...

Страница 185: ...ent and set the management IP address to the Device Server IP address enable the Management Agent set the Unique External ID and set the device OTP Copy and paste these commands into a text file and t...

Страница 186: ...ive rights 2 Activate the device in NSM a In Device Manager right click the device and then select Activate Device from the list b In the Activate Device dialog box select Device is deployed but not r...

Страница 187: ...g services netconf device id external id from nsm nsm device server ip port 7804 For example set system services outbound ssh client nsm wei secret 123456789 services netconf device id abcdef 10 150 4...

Страница 188: ...e When the job status displays successful completion click Close Using Rapid Deployment ScreenOS Only Rapid Deployment RD enables deployment of multiple security devices in a large network environment...

Страница 189: ...has successfully connected to the management system the NSM administrator installs the modeled device configuration on the physical device The onsite administrator works locally at the physical devic...

Страница 190: ...age 143 Updating the Device Configuration on page 145 Creating the Configlet After you have created a device configuration for the undeployed device you are ready to activate the device and create the...

Страница 191: ...rcuit Logical Link Control LLC carries several protocols to be carried on the same ATM virtual circuit This option is the default for the ADSL1 interface on the NetScreen 5GTADSL security device RFC14...

Страница 192: ...e configlet 11 Click Finish to close the Activate Device wizard 12 Send the configlet to the onsite administrator using email CD or another out of band method The onsite administrator must complete th...

Страница 193: ...ernet cable to connect to the device 3 Change the IP address of the standalone computer to 192 168 1 2 and the default gateway to 192 168 1 1 To change an IP address see your computer s operating syst...

Страница 194: ...IP via PPPoE Enter the username and password for your PPPoE account If your firewall device uses a static IP address select Using ISP supplied Settings Static IP and enter the IP address Netmask and...

Страница 195: ...fig on a device before you update the device You can cancel the Update Device directive as well as save the SummarizeConfig output The UpdateDevice has the following two phases Summarize Delta Config...

Страница 196: ...d devices 3 Select two devices you want to update 4 Deselect Run Summarize Delta Config if selected and then click Apply Changes NSM displays the updated device job results for both devices Example Us...

Страница 197: ...devices in the global domain and one or more subdomains add the root device to the global domain To add vsys devices in a single subdomain add the root device to that subdomain An example is shown in...

Страница 198: ...matically imports the selected vsys configurations and the new vsys devices appear in the Device Manager list 7 To check the device configuration status mouse over the vsys in Device Manager or check...

Страница 199: ...ice The name can contain letters and numbers and can be no longer than 20 characters In the Domain field select the domain in which to model the device The wizard automatically completes the device ty...

Страница 200: ...oot system When modeling an L2V root ensure that the ScreenOS version is set to 5 0L2V and the operating mode is set to Transparent By default the root system is modeled as a neutral vsys enabling you...

Страница 201: ...tion settings enabling a device to handle traffic for another if one device fails Adding a cluster is a two stage process 1 Add the cluster device object 2 Add the members of the cluster to the cluste...

Страница 202: ...ter members have been added to the cluster device object before configuring the cluster By default the cluster propagates settings made in one device member to the other device member However the foll...

Страница 203: ...franet Controller cluster nodes can be recognized by NSM Nodes from this cluster that subsequently contact NSM will be represented by fully functional member icons in the Cluster Manager Cluster membe...

Страница 204: ...h NSM 5 Import the cluster In the Device Manager open the cluster icon right click on one cluster member and select Import Device from the list You do this only once and for the entire cluster because...

Страница 205: ...o import the configuration only once because both members share the same configuration file Similarly to update the configuration on the cluster you need to push the configuration to only the primary...

Страница 206: ...SRX Series as the Junos OS Type Provide the platform and managed OS version The Junos OS type platform and OS version must match those on the physical devices 3 In NSM add each cluster member Right c...

Страница 207: ...one Junos device except that you must specify a member ID and you also have the option of adding a second modeled cluster member within the same workflow You can add the second cluster members later i...

Страница 208: ...of three major steps Adding the Cluster on page 158 Adding the Cluster Members on page 159 Importing the Cluster configuration on page 160 Adding the Cluster Add a new cluster to NSM as follows 1 Sel...

Страница 209: ...need it to connect the device to NSM h Check the Keep Adding Cluster Members box to add another cluster member The Finish button changes to the Next button i Click Next and repeat the process for the...

Страница 210: ...ce from the list NSM starts a job to import the configuration A job window reports the progress of the job When the job finishes the configuration status for each cluster member changes from Import Ne...

Страница 211: ...mber ID as 0 Figure 35 Adding the First Member to a J Series Cluster 4 Click Next to finish adding the first member A plus sign appears next to the cluster icon in the Device Manager indicating that t...

Страница 212: ...M administrator 2 In NSM activate each cluster member as follows a Expand J Cluster in the Device Manager to show the icons for each of the cluster members b Right click the cluster member icon J 1 in...

Страница 213: ...and later versions of the operating system use the following command syntax set system services outbound ssh client name secret secret string services netconf device id external id from nsm nsm device...

Страница 214: ...anaged Adding a Vsys Cluster and Vsys Cluster Members A vsys cluster is a vsys device that has a cluster as its root device Adding a vsys cluster is a three stage process 1 Add a vsys device that uses...

Страница 215: ...A and OfficeB as shown in Figure 38 on page 165 As you add each cluster member NSM automatically creates both the cluster member and the vsys cluster member Figure 38 Configuring Cluster Members for P...

Страница 216: ...main Click Next to continue d Configure the vrouter for the vsys as the Default Vrouter and then click Next to continue e Click Finish to add the new vsys cluster device In the security device tree th...

Страница 217: ...evices when they are added into NSM For example when a device at IP address 10 204 32 155 is added to NSM its name will be USA_10 204 32 155 Check the Use Host Name if Available checkbox if you want t...

Страница 218: ...ices at a time to a single domain you cannot add multiple devices to different domains at one time Additionally for some types of ScreenOS devices you can create configlets to activate rapidly your ne...

Страница 219: ...separate CSV file for the following devices Devices with static IP addresses In this CSV file you define the device parameters required to add and import the device configurations from all supported...

Страница 220: ...e bulkadd_ipreachable sample csv or bulkadd_ipreachable DMIDMI sample csv from the C Program Files Network and Security Manager utils directory 2 Using one row for each device you want to add enter th...

Страница 221: ...t ns5GTadsl Extended ns5XP ns5GTadslwlan Extended ns5GTadslwlan Home Work ns5Gtadslwlan Trust Untrust ns5Gtwlan Extended ns5Gtwlan Dmz Dual Untrust ns5Gtwlan Combined ns5Gtwlan Home Work ns5Gtwlan Dua...

Страница 222: ...name IC IC 4000 IC 4500 IC 6000 IC 6500 yes String Platform continued Set to none yes String Device subtype With OS name ScreenOS see Table 7 on page 13 for a list of OS versions that apply to each S...

Страница 223: ...if desired 3 Save the file to a location on your local drive Example Using a Text File to Add Multiple Dynamic IP Devices To add four devices that use dynamic IP addresses create a text file with the...

Страница 224: ...ction type is static String Device IP Address 8 24 28 32 Any valid netmask in CIDR format yes when connection type is static String Device Netmask yes when connection type is static String Device Gate...

Страница 225: ...2 off Save the file as a csv file Validating the CSV File When you add the device NSM validates the configuration information in the csv file and creates a Validation Report The report lists any incor...

Страница 226: ...dd Many Devices process Select Add Valid Devices to begin adding the devices for which you have provided valid device configurations The Add Device wizard adds the valid devices and automatically impo...

Страница 227: ...ce wizard Select Model Device Specify the location of the CSV file 5 Click Next The Add Device wizard validates the CSV file and provides a Validation Report Select Cancel to quit the Add Many Devices...

Страница 228: ...UI 5 Send the cfg file to the onsite administrator for the corresponding device After the onsite administrator installs the configlet on the physical security device the device automatically contacts...

Страница 229: ...in any configlet file run the Activate Many Device wizard to regenerate the configlet 5 Send the cfg file to the onsite administrator for the corresponding device After the onsite administrator insta...

Страница 230: ...late to a device group You must apply templates to individual devices in a device group If you need to apply the same set of templates to multiple devices you can create a single template that include...

Страница 231: ...Authorization Server Object on page 181 Avoiding NACN Password Conflicts on page 183 Avoiding Naming Conflicts of the Authorization Server Object To avoid naming conflicts with the authorization serv...

Страница 232: ...devices b Right click each Infranet Enforcer firewall device in turn and select Delete from the list 5 On NSM delete the infranet instances from the Object Manager a Select Object Manager Authenticati...

Страница 233: ...to add and import the device e Repeat steps b through d for each Infranet Enforcer device Avoiding NACN Password Conflicts When you need to manage the Infranet Enforcers reimport the configuration eac...

Страница 234: ...Copyright 2010 Juniper Networks Inc 184 Network and Security Manager Administration Guide...

Страница 235: ...he managed device for your changes to take effect For details on updating devices see Updating Devices on page 239 Use security policies to configure the rules that control traffic on your network For...

Страница 236: ...overview of each of these device families and lists of supported platforms and operating system versions Most devices can be configured using the following interfaces Native Web UI Native CLI NSM UI...

Страница 237: ...29 Configuration Features You can edit the device object configuration through the device editor or you can use templates or configuration files to simplify configuration NOTE These features edit only...

Страница 238: ...ration Groups Configuration groups are similar to device templates in that you define configuration data to be used multiple times In configuration groups the configuration data is used within the sam...

Страница 239: ...and Configuration Tabs The Device Info tab contains information maintained in NSM This information can neither be imported from the device nor is it ever pushed to the device by an Update Device dire...

Страница 240: ...device families Figure 41 on page 190 shows an example Figure 41 ScreenOS and IDP Device Configuration Information Validation and Data Origination Icons The device editor might display some of the ic...

Страница 241: ...guration group Changes to the configuration group are also shown in the device editor Configuration Group Values Lowest A value is set for a field in a template or configuration group definition This...

Страница 242: ...our changes and continue making changes Click Cancel to discard all changes and close the device configuration To reset a device feature to its default value right click on the feature name in the dev...

Страница 243: ...s Guide and IDP ACM Help for more information Configuring functions that require device administrator intervention such as Secure Command Shell SCS and Secure Shell SSH client operation Executing debu...

Страница 244: ...nterfaces In this example the view is of the Network Settings screen Figure 43 Secure Access Device Object For details about configuring Secure Access devices see the Configuring Secure Access Devices...

Страница 245: ...ly as shared objects and then link to those objects from the stubs in the device configuration See Managing Large Binary Data Files Secure Access and Infranet Controller Devices Only on page 271 for d...

Страница 246: ...configuration information across multiple devices In a template you need define only those configuration parameters that you want to set you do not need to specify a complete device configuration Temp...

Страница 247: ...hich enhances the usability of the template If template categories are not selected the default display is a full tree view You can also view the associated template categories in the Device Template...

Страница 248: ...er Device Templates 2 Click the Add icon in the Device Template Tree or the Device Template List and select ScreenOS IDP Template from the list The New Device Template dialog box displays the template...

Страница 249: ...h as device platform or release version Applying the Template Apply the template as follows 1 Ensure that the device you want to apply the template to has been added or modeled in the management syste...

Страница 250: ...d values override values inherited from the template so that the effective device object configuration matches the device The live relationship with the template is preserved however so that reverting...

Страница 251: ...dden value a tool tip message appears showing the name of the template whose value has been overridden Figure 46 Template Override Icon For values inherited from the template the message From template...

Страница 252: ...sage appears If the template specifies a field that the device supports but the value is outside the permitted range for the device a validation message appears in the Device dialog box A template val...

Страница 253: ...configuration screen appears d Click the Add icon in the Zone configuration screen and select Pre Defined Security Zone trust untrust dmz global The Predefined Zone dialog box appears NOTE Because the...

Страница 254: ...g box appears b Select Screen Denial of Service Defense and review the values applied by the template as shown in Figure 48 on page 204 Figure 48 View Denial of Service Defense Values from DoS Templat...

Страница 255: ...een 208 device a In the navigation tree select Device Manager Devices Double click the NetScreen 208 device icon to open the Device dialog box b Select Info Templates in the device navigation tree Cli...

Страница 256: ...e untrust Predefined Zone dialog box appears b Select Screen Denial of Service Defense and review the values applied by the template as shown in Figure 51 on page 206 Although both the DoS and DoS2 te...

Страница 257: ...ot a template by moving the cursor over the field name The message From object appears as shown in Figure 54 on page 207 Figure 54 View Default SYN ACK ACK Proxy Protection Setting Template Limitation...

Страница 258: ...When creating or editing predefined interfaces in a template you must use the exact name for each interface When adding an entity in a template ensure that the menu option you select is appropriate fo...

Страница 259: ...is not significant to you To specify a sequence in which the list or table entry order matters select the entry in the template and then use the up and down arrows at the top of the dialog box The up...

Страница 260: ...e are reversed D1 D2 T2 T1 Now consider what happens when you reimport the configuration from the device To preserve the relationship between the template and the device object the T1 and T2 entries m...

Страница 261: ...applies the new template order for the subsequence to the device Entries added in a template are placed in the same sequence in the device that is an entry follows the entry in the device that precede...

Страница 262: ...e 3 The following example shows entries inserted into the list on the device such that there is no matching subsequence The user then reorders the entries in the template C B A Template Sequence C 2 B...

Страница 263: ...nd The same rule still applies After D C B A Template Sequence 2 1 D C B A Device Sequence Example 2 In the following example the device has reordered the entries that it inherited from the template T...

Страница 264: ...reen highlights in the first data column indicate that entries in the regular configuration are not in the order specified in the template NSM finds the longest common subsequence between the template...

Страница 265: ...er of its neighbors in the template NOTE If multiple subsequences tie for the longest common subsequence then NSM picks either one but not both NSM recomputes the longest common subsequence each time...

Страница 266: ...mine which set of templates and devices to show Select Devices Section In this section select one or more devices for template operations Select Template Section Select one or more templates to apply...

Страница 267: ...an templates previously assigned to the device Values in these templates will override values applied by lower priority templates Remove templates Removes all selected templates from each selected dev...

Страница 268: ...orts any errors Template Operations Box Recommended Workflow The Template Operations dialog box can be used in many ways This section describes one recommended workflow Step 1 Look at the Effect of Pl...

Страница 269: ...nerated in Step 1 Resolve any conflicts missing assignments or other errors as desired Repeat steps 1 and 2 until you are satisfied with your planned changes Step 3 Apply Templates and Clear Overrides...

Страница 270: ...1 From the Device Manager launch pad select Export Import and then select Export Device Template to File 2 In the Export Config to File dialog box select the template you want to export and then clic...

Страница 271: ...up mechanism is separate from the grouping mechanisms used elsewhere in the Junos configuration such as Border Gateway Protocol BGP groups Configuration groups provide a generic mechanism that can be...

Страница 272: ...evice Manager and select the Configuration tab 2 In the configuration tree select Config Groups List 3 Click the Add icon and select Regular The New dialog box appears It looks like the device configu...

Страница 273: ...223 Mouse over the icons to see a summary of what has been set and where the information came from Figure 60 Adding a Configuration Group 6 Click OK to save the configuration group The new configurati...

Страница 274: ...Consider a configuration group containing the following list of interface definitions specified in the order shown For each list item the first entry is the interface name and the second an assigned...

Страница 275: ...roup in the list has the highest priority This convention is the reverse of the ordering for templates where the last template in the list has the highest priority Figure 62 Configuration Group Applie...

Страница 276: ...ups After you apply the configuration group tooltip icons identify where configuration groups have affected the configuration You can mouse over these items to display information about them When you...

Страница 277: ...d Consider two configuration groups J and K Configuration group J contains the following list items in the stated order c a b Configuration group K contains the following list items in the stated orde...

Страница 278: ...roup data For simplicity we recommend that you use either templates or configuration groups for each part of the configuration but not both Avoid applying a configuration group in a device object to p...

Страница 279: ...n and select Junos Template c From the Junos Product Series list select Junos J Series to create a new template for J Series devices d Click Next and then Finish to create a new template for J Series...

Страница 280: ...to 0 the port range to 0 1 and click OK The new interfaces show in the Interface List for the template d Set the MTU for fe 0 0 0 to 6K i Click on the fe 0 0 0 interface in the Interface List and cli...

Страница 281: ...to the device 7 Check the device object configuration a Select the Configuration tab b Expand Interfaces if necessary and click Interface List c fe 0 0 0 has an MTU of 5120 because the regular config...

Страница 282: ...ber you can view its configuration In the Info tab of the open cluster select Members Icons representing the members of the cluster appear in the main display area Select the cluster member you want t...

Страница 283: ...ase of management we recommend placing all your member specific configuration data in one configuration group for each member You can apply multiple configuration groups to each member NOTE Imported c...

Страница 284: ...Features configured in these special Routing Engine configuration groups appear only in the Routing Engine configuration to which they were applied They do not appear in the global configuration regar...

Страница 285: ...ct Device Manager Devices 2 In the Device Tree double click the Junos router with redundant Routing Engines 3 In the Info tab of the device editor select Routing Engine Configuration 4 Double click on...

Страница 286: ...thers are backups If the master fails one of the backup routers becomes the new master providing a virtual default router and ensuring that traffic on the LAN is continuously routed The NSM implementa...

Страница 287: ...terface follows the naming conventions of the NSRP VSI interface and is defined as interface group id You must select a group id between 1 and 7 To enable VRRP from the Physical Interface screen of th...

Страница 288: ...he confirmation prompts NSM launches a job that updates the device with the selected configuration file Importing or Viewing the Current Version of the Configuration File Select Config File Management...

Страница 289: ...tion to the management server This chapter contains the following sections About Updating on page 239 Knowing When to Update on page 244 Using Preview Tools on page 248 Performing an Update on page 25...

Страница 290: ...essful update These tools include Audit Log Viewer This NSM module records changes made to a device configuration The audit log entry also identifies the administrator who performed the change shows w...

Страница 291: ...o differences between the new configuration and the old configuration on the device you have successfully updated the running configuration About Atomic Configuration ScreenOS Devices NSM uses atomic...

Страница 292: ...n is enhanced Atomic updating also enables the device to temporarily lose connection to NSM during the update process If the management connection is down when the device has finished executing the co...

Страница 293: ...to reconnect are unsuccessful for two hours the update timer expires and the device automatically resets The device unlocks the active configuration and restores the saved active configuration the dev...

Страница 294: ...NSM To synchronize the configuration data NSM imports the configuration after the update If an Update Device directive causes implicit configuration changes on one or more devices each device reports...

Страница 295: ...tor displays the current status of the device Up status The device is connected to the Device Server and is running properly Before you can update a device it must be in the Up state Down status An ev...

Страница 296: ...sical device configuration the configuration on the physical device is newer than the modeled configuration To synchronize the two configurations import the configuration from the physical device Mana...

Страница 297: ...evice type and OS version IP address domain the Attack Db version if it is a Firewall IDP device and the connection and configuration states To manually verify the configuration status for devices For...

Страница 298: ...ger to determine when you are receiving too many attacks of a certain type and order them by an IP address For example if you determine that the current device configuration and security policy cannot...

Страница 299: ...ommands run a configuration summary 1 From the launchpad select Devices Config Options Summarize Config The launchpad displays the Summarize Config dialog box 2 Select the devices or device groups for...

Страница 300: ...h the modeled configuration you might want to identify and verify the configuration you are installing on the device After updating Ensure that the device received the configuration as you expected an...

Страница 301: ...251 Figure 66 Delta Configuration Summary Example Occasionally the delta configuration report might display discrepancies that do not actually exist between the running configuration and the modeled...

Страница 302: ...evices vsys devices clusters virtual chassis or device groups using the same process Before updating Ensure that you have configured the device correctly created and assigned a policy to the device an...

Страница 303: ...ing any out of band changes made enable the option Do not Update If Device Has Changed Configuring Update Options You can configure device update and retry options on a systemwide basis in the UI pref...

Страница 304: ...e Manager and select Update Attacks When disabled the update options dialog box does not appear for single device updates initiated from the Device Manager Alternatively to disable from within the per...

Страница 305: ...ns in the NSM UI including the Devices and Tools menus in the NSM toolbar to access the Update directive from the File menu select Devices Configuration Update Device Configuration The Job Manager mod...

Страница 306: ...d on a single device For multiple device updates Job Manager tracks the progress of each job on each device in addition to the overall progress for all devices To view the Job status for an individual...

Страница 307: ...Passwords By default only the super administrator has this assigned activity Device States During Update During an update the managed device changes device state You can view the current device state...

Страница 308: ...plays the Job Status as Failed You can also check the Connection Status and Configuration Status columns for the device in the Realtime Monitor to determine whether the device is running After a devic...

Страница 309: ...ation Generated 5 Delta Config CLI Commands Specifically the update could not set the command pppoe name untrust clear on disconnect The delta configuration summary correctly detected a difference bet...

Страница 310: ...Copyright 2010 Juniper Networks Inc 260 Network and Security Manager Administration Guide...

Страница 311: ...e added to NSM without the need to upgrade NSM This feature applies only to devices with XML based schemas This chapter contains the following sections Managing Device Software Versions on page 262 Ma...

Страница 312: ...er from the menu bar The Software Manager lists all software image files in the repository To add the one you just downloaded click the Add icon navigate to the software image file you just downloaded...

Страница 313: ...8 a NetScreen 50 and a NetScreen 5XP at the same time but the image files for each device type must exist on the Device Server and must be the same OS version When a new version of Junos is installed...

Страница 314: ...e NSM If the software version of a device is upgraded outside NSM through the device CLI or Web UI NSM behaves differently depending on whether the upgraded software version is published and whether i...

Страница 315: ...upgrade by NSM See Upgrading the Device Software Version on page 262 To reconcile the OS versions right click a device and select Adjust OS Version to display the Adjust OS Version Wizard Follow the...

Страница 316: ...ice support The directive performs the following actions Performs an Adjust OS Version from the previously known ScreenOS version to the new version of ScreenOS running on the selected devices Optiona...

Страница 317: ...ickly view all license keys installed on a device and the features and capacities available on the device To import or view license key information 1 In the main navigation tree right click the device...

Страница 318: ...is upgraded through the Web UI or CLI new software packages are installed or a new license key is installed on the device then the inventory on the device is no longer synchronized with the NSM datab...

Страница 319: ...le how many VPNs a license supports how many licensed units are already in use and how many more are needed The license details include the key name or ID of the license the date the license was creat...

Страница 320: ...ry changes to Out of Sync in the Device List the Device Monitor and the device tooltip and the Reconcile button in the Device Inventory window becomes active 4 When you have finished viewing the diffe...

Страница 321: ...d Infranet Controller devices are handled differently from the remainder of the configuration in NSM The size of some of these binary files could make configurations large enough to overload resources...

Страница 322: ...ata file and linking that file into the Secure Access or Infranet Controller device configuration tree Subsequent sections provide details about each type of large binary data file To upload and link...

Страница 323: ...evice to open the device editor and then select the Configuration tab b Navigate to the node in the configuration where you want to load the binary file For example to load an ESAP package expand Auth...

Страница 324: ...ry data list by clicking the Add icon The Binary Data dialog box appears as in step 3 d Click OK to save the newly configured links Importing Custom Sign In Pages The customized sign in pages feature...

Страница 325: ...gn in Pages and then click the Add icon in the right pane 6 Enter a name for the access page 7 Select Custom Sign in Pages 8 Select a shared binary data object from the Custom Pages Zip File list 9 Cl...

Страница 326: ...In the Device Manager double click the Secure Access or Infranet Controller device to open the device editor and then select the Configuration tab 2 Expand Authentication 3 Select Endpoint Security 4...

Страница 327: ...the link and again to save the configuration Importing Third Party Host Checker Policies For Windows clients you can create global Host Checker policies that take a third party J E D I DLL that you up...

Страница 328: ...ow these steps 1 In the Device Manager double click the Secure Access or Infranet Controller device to open the device editor and then select the Configuration tab 2 Expand Authentication 3 Select End...

Страница 329: ...files to NSM shared objects Archive files can contain Java applets and files referenced by the applets Within the zip cab or tar file the Java applet must reside at the top level of the archive To ens...

Страница 330: ...ole Options tab select a shared binary data object from the Citrix Client CAB File list 6 Click OK to save the configuration Backing up and Restoring SA and IC Devices NSM allows you to create multipl...

Страница 331: ...ces to which you want to restore the backup version and click OK Backing up multiple SA or IC Devices To create backup versions of the data in multiple IC or SA devices 1 Select Devices Configuration...

Страница 332: ...e the backed up version from the NSM database NOTE The backup and restore feature is available in the NSM UI on root clusters but not on cluster members However when the backup restore operation is pe...

Страница 333: ...IP is not reachable 1 Click Next The Specify the connections settings dialog box opens 2 Specify the First Connection One Time Password OTP that authenticates the device 3 Edit the Device Server Conne...

Страница 334: ...2 User Name text box to enter user name search string By default this will be You can specify any regular expression string here 3 Sort on drop down list box to select the name of the field to sort o...

Страница 335: ...ly paid subscription To register your product go to www juniper net support After you have registered your product you can retrieve the service subscription To obtain the subscription for a service 1...

Страница 336: ...nload new attack objects from the server To update a managed device with new DI attack objects you must first obtain a DI subscription for your device For details see Activating Subscription Services...

Страница 337: ...P zip Download the file to your local disk Do not change the filename 4 Put both files in a local directory on the NSM GUI Server or on an internal Web server that is reachable by the NSM GUI Server 5...

Страница 338: ...oaded manually To load the attack object database update to your managed devices 1 From the Device Manager launchpad select Security Updates Update Device Attack Database or from Devices in the menu b...

Страница 339: ...IDP rules for the device from the GUI Server to the device For a security policy that uses DI attack objects NSM pushes all updated signatures from the GUI Server to the device Verifying the Attack O...

Страница 340: ...en you update the device configuration on a device you must also update the database on the managed device to match the version of the database on the GUI Server if the version on the GUI Server is mo...

Страница 341: ...eries devices Automatic updates to the IDP engine occur when you Upgrade security device firmware The upgraded firmware includes the most recent version of the IDP engine as well as a new version of S...

Страница 342: ...mary 3 Click Cancel to exit the Attack Update Manager Scheduling Security Updates For security devices running ScreenOS 5 0 0 IDP1 5 1 and later and IDP 4 0 and later J Series devices SRX Series devic...

Страница 343: ...ng unexpected changes To handle unconnected devices during the update you must also specify additional post action options shown in Table 30 on page 293 Table 30 Scheduled Security Update SSU Command...

Страница 344: ...tils guiSvrCli sh update attacks post action update devices skip Scheduling the Update You can perform a one time security update using guiSvrCli sh directly or you can use crontab or another scheduli...

Страница 345: ...ing the update the guiSvrCli utility updates its the attack object database then performs the post actions After updating and executing actions the system generates an exit status code of 0 no errors...

Страница 346: ...Admin Name Domain The administrator name for security update is guiSvrCli and the domain is Global entry appears as guiSvrCli Global Action The action appears as Scheduled Attack and Device Update To...

Страница 347: ...ecurity device you want to contact SurfControl 2 In the Device Manager launchpad select Security Updates Update System Categories This option updates the NSM management system predefined categories fr...

Страница 348: ...fied by the device and not by NSM Invoking the Launch Telnet menu item causes the Telnet window to appear even if the Telnet service is not enabled in the device The Launch Telnet menu is disabled if...

Страница 349: ...ries it connects to the previously configured DNS server to perform a lookup of each entry in its table To direct one or more devices to refresh their DNS table entries 1 From the Device Manager launc...

Страница 350: ...forms asset recovery Sets the device to FIPS mode Resets the device to its default settings Updates the OS Loads configuration files After you change the root administrator login and password only per...

Страница 351: ...to send a device back to the factory and replace it with a new device you can set the device to the RMA state This state allows NSM to retain the device configuration without a serial number or connec...

Страница 352: ...ws you to upgrade the firmware version in the physical device before RMA After upgrading NSM puts the device in the Update needed state NOTE The current OS version of the device is also stored in the...

Страница 353: ...wireless security device during the device update process NOTE When using an authentication server for wireless authentication if you enable 802 1X support on that server you must also reactive the W...

Страница 354: ...When you create update or import a device the GUI Server edits the ADM to reflect the changes then translates that information to the DM Data Model Schema The structure of the ADM and DM is determined...

Страница 355: ...arranged similarly to objects in the management console each item VPN policy device device group and so on is represented by an object In the DM each item is a property of a single device During the d...

Страница 356: ...s interfaces routing tables users and VPN rules in the DM for each device The DM contains only the VPN information that relates to the specific device not the entire VPN During the device model update...

Страница 357: ...objects and object attributes in the ADM domain When you import a device configuration using the management console the device sends CLI commands to the Device Server which translates the CLI commands...

Страница 358: ...es the CLI commands into a DM with device configuration information The GUI Server translates the device configuration in the DM into objects and object attributes in the ADM The GUI Server then reads...

Страница 359: ...vers For details on stopping starting and restarting processes on the management system refer to the Network and Security Manager Installation Guide Archiving Logs and Configuration Data To archive lo...

Страница 360: ...up and restore procedures To restore log and configuration data 1 Stop Device Server and GUI Server processes 2 Use the mv command to transfer data from the var directories to a safe location This pre...

Страница 361: ...nistrator role has all the permissions necessary to manage schemas Alternatively you can define a custom role for schema management Three activities are relevant to defining such a role View Schema De...

Страница 362: ...the server Choose File to retrieve the schema from an intermediary file 4 Click Next to display information about the latest schema on the source Juniper Update Server or file along with current schem...

Страница 363: ...affected by the change Compare the version numbers to tell whether the staged schema is more recent than the currently running schema Check the information about the schema to determine whether you w...

Страница 364: ...Copyright 2010 Juniper Networks Inc 314 Network and Security Manager Administration Guide...

Страница 365: ...Configuring Voice Policies on page 527 Configuring Junos NAT Policies on page 531 Configuring VPNs on page 543 Central Manager on page 619 Topology Manager on page 625 Role based Port Templates on pa...

Страница 366: ...Copyright 2010 Juniper Networks Inc 316 Network and Security Manager Administration Guide...

Страница 367: ...on page 318 Configuring Address Objects on page 322 Configuring Application Objects on page 328 Configuring Schedule Objects on page 330 Configuring Access Profile Objects on page 330 Configuring Qual...

Страница 368: ...evice configuration NSM automatically imports all objects defined in that configuration The Object Manager displays objects created in the current domain only When you work in the global domain all cu...

Страница 369: ...affic AV Profiles define the server that contains your virus definitions and antivirus software Web Filtering Profiles define the URLs the Web categories and the action you want a security device to t...

Страница 370: ...n VPN You cannot use a subdomain user object in a global domain VPN When creating a subdomain protected resource you can include a subdomain address object and a global domain service object but you c...

Страница 371: ...h by unchecking unnecessary categories Right click on a shared object node for example Address Objects and select Search Unused Objects 2 Select the search categories and click Next The Unused Shared...

Страница 372: ...to delete NSM displays a message that the selected objects will be deleted and a warning that the operation cannot be reversed NOTE When you select a group of duplicate objects such as an address grou...

Страница 373: ...k As you add address objects they appear in the tree and table tabs Creating Address Objects You can create the following address objects Host Represents devices such as workstations or servers connec...

Страница 374: ...address it displays the same address under the domain name This is an indication that a name is not configured for this address 6 Click OK to add the address object The new host address object immedi...

Страница 375: ...permission to view global domain objects for the objects you are replacing then all objects for the selected category in the current domain and the global domain are displayed in the Replace With wiza...

Страница 376: ...address objects into and out of address groups from the main address tree 8 Click OK to add the group You can create address object groups with existing users or create empty address object groups an...

Страница 377: ...firewall policy the device will resolve the address object s hostname to the correct IP for that device as defined by its static host entry 1 In the navigation tree select Object Manager Address Objec...

Страница 378: ...e either a TCP or UDP field while optionally you can configure both Port Range The type of application predefined or custom type Port Binding is required for a custom type application while it is not...

Страница 379: ...pplication Type Select a predefined or custom application type from the drop down list This is a mandatory field TCP Port Binding Specify comma separated ports A range of ports is not allowed You must...

Страница 380: ...day Sunday Combine a one time and recurrent schedule to define a repeated time interval Creating Schedule Objects To add a schedule object 1 In the NSM GUI navigation tree Schedule Objects The schedul...

Страница 381: ...Configuring Quality of Service Profiles On SSG Series Secure Services Gateways running ScreenOS 6 3 and later you can define Quality of Service QoS profiles as objects under the Object Manager These p...

Страница 382: ...0 Guaranteed bandwidth in kbps 0 1000000 in Kbit per sec The default setting is 0 5 Click OK After creating a QoS profile you can add it to a policy You cannot however delete a QoS profile after it h...

Страница 383: ...can use in a DI Profile to match traffic against known and unknown attacks NOTE NSM displays a superset of all predefined DI attack objects Based on the platform and ScreenOS firmware version security...

Страница 384: ...e edit or delete predefined DI attack objects or groups but you can update the attack object database with new attack objects created by Juniper Networks Updates can include New descriptions or severi...

Страница 385: ...ecurity device drops a matching packet before it can reach its destination but does not close the connection Use this action to drop packets for attacks in traffic that is prone to spoofing such as UD...

Страница 386: ...get definition for the period of time specified in the timeout setting and sends a Reset RST for TCP traffic to the source and destination addresses IP Close The security device logs the event but doe...

Страница 387: ...ack Groups The Predefined Attack Group tab displays the following predefined attack groups All a list of all attack objects organized in the categories described below Recommended a list of all attack...

Страница 388: ...efined attack objects and groups on a regular basis with newly discovered attack patterns You can update the attack object database on your security devices by downloading the new attacks and groups t...

Страница 389: ...attack object information fields Attack Version information After you have selected the target platforms you must supply information about the attack version including the protocol and context used t...

Страница 390: ...n can help you remember important information about the attack Severity Select the severity that matches the lethality of this attack on your network Severity categories in order of increasing lethali...

Страница 391: ...mation you are ready to enter the external references Configuring External References In the External References tab enter the external references such as links to the security community s official de...

Страница 392: ...objects A signature attack object uses a stateful attack signature a pattern that always exists within a specific section of the attack to detect known attacks Stateful signature attack objects also i...

Страница 393: ...and count that determine when a traffic abnormality is identified as an attack The following sections detail the attack version general properties Configuring False Positives Select a false positive s...

Страница 394: ...6 43 ROUTING 44 FRAGMENT 46 RSVP 47 GRE 50 ESP 51 AH 58 ICMPV6 59 NONE 60 DSTOPTS 92 MTP 98 ENCAP 103 PIM 108 COMP 255 RAW ICMP TCP and UDP Attacks that do not use a specific service might use a speci...

Страница 395: ...cted to general attack contexts packet first packet stream stream 256 or line context To detect these attacks configure the service binding to match the attack service See Table 35 on page 345 Table 3...

Страница 396: ...Remote Authentication Dial In User Service RADIUS Rexec rexec TCP 513 rlogin rlogin rsh rsh rtsp rtsp Server Message Block SMB TCP 25 UDP 25 Simple Mail Transfer Protocol SMTP TCP 161 UDP 161 Simple N...

Страница 397: ...Protocol Anomaly Segment Out of Window is harmless and is occasionally seen on networks Thousands of these anomalies between given peers however is suspicious If you bind the attack object to multipl...

Страница 398: ...y the PCRE library package which is open source software written by Philip Hazel and copyright by the University of Cambridge England Table 37 on page 348 lists some example syntax matches Table 37 At...

Страница 399: ...ervice but are unsure of the specific service context select Other then select one of the following general contexts NOTE If you select a line stream stream 256 or a service context you cannot specify...

Страница 400: ...detects the attack only in client to server traffic Server to Client detects the attack only in server to client traffic Any detects the attack in either direction Configuring Attack Flows Select the...

Страница 401: ...bled attacks are supported only on ISG1000 with SM and ISG2000 with SM devices Type of Service Specify an operand none and a decimal value for the service type Common service types are 0000 Default 00...

Страница 402: ...r Specify an operand none and a decimal value for the ACK number of the packet This number identifies the next sequence number the ACK flag must be set to activate this field Header Length Specify an...

Страница 403: ...pe Specify an operand none and a decimal value for the primary code that identifies the function of the request reply ICMP Code Specify an operand none and a decimal value for the secondary code that...

Страница 404: ...device identifies traffic as an attack NSM 2006 1 and later releases also support Boolean expressions for standalone IDP signatures NOTE Compound attack objects are supported by IDP capable security...

Страница 405: ...all signatures and anomalies within the compound attack object before the device considers the traffic as an attack To be explicit about the events in an attack you can also specify the order in which...

Страница 406: ...all members but the attack pattern or protocol anomalies can appear in the attack in random order To configure an ordered match enable Ordered Match and use the arrow keys to reorder members Or use th...

Страница 407: ...do not change To add or delete an attack object from the group you must manually edit the group members A custom attack object group can contain custom attack objects and other custom attack object g...

Страница 408: ...ed static groups BSD Linux Solaris and Windows The BSD group contains the predefined dynamic group BSD Services Critical to which attack objects can be added during an attack database update To create...

Страница 409: ...d on their last modification date Add Recommended Filter to include only attacks designated to be the most serious threats to the dynamic group In the future Juniper Networks will designate only attac...

Страница 410: ...a Add a Products filter to add attack objects that detect attacks against all Microsoft Windows operating systems b Add a Severity filter to add attack objects that have a severity level of critical...

Страница 411: ...group criteria The update also reviews updated attack objects to determine if they now meet any other dynamic group criteria and adds them to those groups if necessary For all deleted attack objects...

Страница 412: ...ellaneous UTM Features on page 366 ScreenOS Threat Management Features on page 368 Creating UTM Profiles A UTM profile can define more than one UTM feature You can have more than one custom feature pr...

Страница 413: ...content size Mouse over the field to see a tool tip with the allowed values The allowed range is 20 20000 Set a time out period The allowed range is 1 1800 Set the decompression limit in the range of...

Страница 414: ...e and edit custom profiles 3 Select in the Custom UTM AS Profiles table The New Anti Spam Profile window opens 4 Enter a name for the profile 5 Enter a comment or description 6 Select a color from the...

Страница 415: ...indow opens 3 Enter a name for the profile 4 Enter a comment or description 5 Select a color from the drop down list 6 Select the engine type If you select Surf control Integrated set the following De...

Страница 416: ...ermitted or denied by creating profiles The maximum number of characters allowed in a MIME name are 29 in a MIME entry 40 and a MIME list 1023 The maximum of user defined MIME lists is system dependen...

Страница 417: ...Enter a name for the profile 4 Enter a comment or description 5 Select a color from the drop down list 6 Enter the extension types for the profile 7 Select OK Command Lists A command list defines var...

Страница 418: ...rvers Configuring Antivirus Objects on page 368 Configuring External AV Profiles on page 369 Configuring Internal AV Profiles on page 370 Configuring ICAP AV Servers and Profiles on page 371 Configuri...

Страница 419: ...ecify the IP address and port number of the external antivirus server that contains your virus definitions Protocols and Timeouts You must specify the protocols HTTP and SMTP that the external AV serv...

Страница 420: ...llowing settings for each enabled protocol Scan Mode All Intelligent or by File Extension If you select Scan by File Extension you must populate the Ext List Include field Scanning Timeout Scans that...

Страница 421: ...sign some or all of them to server groups You can then assign this server object or server group to an AV profile then assign that profile to a security policy To specify a server you will need the fo...

Страница 422: ...the MIME list that will be used for comparison See Multipurpose Internet Mail Extension MIME Lists on page 366 for information on creating MIME lists SMTP tab SMTP Enable Selecting this check box in...

Страница 423: ...es Custom Lists and Predefined Categories Custom Lists You can group URLs and create custom lists specific to your needs You can include up to 20 URLs in each list When you create a list you can add e...

Страница 424: ...r filtering mechanism for the information reduces data redundancy in the case where all rules need to have the same e mail address associated with them and provides multiple properties for user s need...

Страница 425: ...ity policy rules and will ask you for confirmation of the command Once you confirm that you want to delete the object NSM will remove all usages of the object you are deleting from the security policy...

Страница 426: ...you can configure a security policy that enables a device to control GTP traffic differently based on source and destination zones and addresses action and so on You configure GTP objects in the Objec...

Страница 427: ...ng the GPRS Tunneling Protocol GTP Because GSNs have a limited capacity for GTP tunnels you might want to configure the security device to limit the number of GTP tunnels created To limit GTP tunnels...

Страница 428: ...PP networks enable Remove r6 IE Inspecting Tunnel Endpoint IDs You can configure the security device to perform Deep Inspection on the tunnel endpoint IDs TEID in G PDU data messages To perform Deep I...

Страница 429: ...y for every two messages above the set rate limit To view GTP traffic log entries use the Log Viewer Configuring IMSI Prefix and APN Filtering You can use the IMSI Prefix and APN to restrict access to...

Страница 430: ...nd that the HLR did not verify the user s subscription to the network Verified MS or Network provided APN subscription verified This Selection Mode indicates that the MS or the network provided the AP...

Страница 431: ...configure the following Set Subscribers Set the number of number of subscribers that the security device actively traces concurrently The default number of simultaneous active traces is three 3 Specif...

Страница 432: ...protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined service objects for most standard services You can also create custom service obje...

Страница 433: ...service timeout value you can view the following service settings For Non ICMP services the service object displays the protocol ID source port range and destination port range For ICMP services the G...

Страница 434: ...at service object Creating Custom Services You can create custom service objects to represent protocols that are not included in the predefined services or to meet the unique needs of your network NOT...

Страница 435: ...different ports Service Object Groups You can group services together as a service object group then use that group in security policies and VPNs to simplify administration Each service object can be...

Страница 436: ...ervices Entries area click the Add icon and select TCP The New Service Entry dialog box appears Configure the following a For Source Port select Range b For Source Port Range enter 0 to 65535 c For De...

Страница 437: ...ontains these two numbers The ALG maps the program numbers into dynamically negotiated TCP UDP ports and permits or denies the service based on a policy you configure To create the Sun RPC service 1 I...

Страница 438: ...them you create an ms exchange info store service object that contains these four UUIDs The ALG maps the program numbers into dynamically negotiated TCP UDP ports based on these four UUIDs and permit...

Страница 439: ...t with a service group object that contains the replaced service object You cannot undo or roll back a Replace With operation NOTE Replacing service objects only applies to those objects in the domain...

Страница 440: ...rators and remote access services RAS users on your network The information stored in an authentication server determines the privileges of each administrator When the security device receives a conne...

Страница 441: ...at the authentication period never times out Admin user If the length of idle time reaches the timeout threshold the security device terminates the administrator session To continue managing the devic...

Страница 442: ...is not required to configure a RADIUS authentication server However you might need to configure this setting when implementing a new RADIUS server with an existing network and established usernames To...

Страница 443: ...sends authentication requests The default port number is 1645 RADIUS Secret The secret password shared between a security device and the RADIUS server The RADIUS server uses the shared secret to gener...

Страница 444: ...You can separate the authentication and accounting functions by specifying different RADIUS Authentication and Accounting servers In ScreenOS devices running 6 2 and later you can enable or disable th...

Страница 445: ...ictionary files one for Funk Software RADIUS servers and one for Cisco RADIUS servers For Funk Software RADIUS server dictionary file go to http www juniper net customers csc research netscreen_kb dow...

Страница 446: ...that it can support queries for the following vendor specific attributes VSAs user groups administrator privileges remote L2TP and XAuth settings 1 In the main navigation tree select Object Manager A...

Страница 447: ...between the security device and the SecurID ACE server SDI or DES Client Retries The number of times that the SecurID client the security device tries to establish communication with the SecurID ACE...

Страница 448: ...inguished Name dn The path used by the LDAP server before using the common name identifier to search for a specific entry For example c us o juniper where c stands for country and o for organization S...

Страница 449: ...represent the user account on your security devices To add a local user object 1 In the navigation tree double click the Object Manager select User Objects then select Local Users In the main display...

Страница 450: ...rnal user is included in a security policy under Authentication rule options the security device uses the external server to authenticate that user To configure an external user 1 In the navigation tr...

Страница 451: ...TP tunnel that users in the group use to connect to the device 5 Click OK to save the new group Using Radius with User Groups In this example you configure an external RADIUS auth server named radius1...

Страница 452: ...ckup Server enter IP 10 20 1 110 for Secondary Backup Server enter IP 10 20 1 120 c For timeout enter 30 d Select For Firewall Auth Users e For Server Type select RADIUS then configure the RADIUS serv...

Страница 453: ...For a single VLAN tag specify the tag For a range of VLAN tags specify the lowest and highest values in the range Configuring IP Pools An IP pool object contains IP ranges a range of IP addresses wit...

Страница 454: ...you configure an IP pool with the ranges 1 1 1 1 1 1 1 10 and 2 2 2 2 2 2 2 20 1 In the navigation tree select Object Manager IP Pools 2 In the main display area click the Add icon The New IP Pool di...

Страница 455: ...y policy defines authentication for a AND a member of group b the security device authenticates the user only if those two conditions are met AND If the security policy defines authentication for any...

Страница 456: ...Select the operator you want to use in the expression OR AND NOT and then configure the operands For NOT expressions use Operand 1 to select the user object group or expression that cannot be present...

Страница 457: ...device see Network and Security Manager Configuring ScreenOS and IDP Devices Guide Security devices incorporate DNS domain name server and WINS support to permit the use of domain names as well as IP...

Страница 458: ...routing instance object in the Object Manager You can also perform a Find Usages operation and view the version history of a routing instance object For more information on configuring routing instanc...

Страница 459: ...y NAT Objects A global NAT object contains references to device specific NAT configurations enabling multiple devices to share a single object Use the Device Manager to configure NAT for each device t...

Страница 460: ...name color IP version IPv4 or IPv6 and comment for the object then click the Add icon to specify the device specific MIP Device Select the security device that includes the MIP Interface Select the in...

Страница 461: ...user defined address pool and is used during source address translation You can use this object while configuring a rule so that when the rule is matched the source IP address of the packet is transl...

Страница 462: ...he pool Descriptive name for the pool Name General Select the routing instance name The values are listed only if you have added them previously To add a new routing instance to a device select Object...

Страница 463: ...The JunosSource NAT dialog box appears 4 Select the device to edit 5 Select the Edit icon The Junos Source NAT dialog box appears 6 Edit the values of the source NAT object 7 Click OK Deleting a Sour...

Страница 464: ...e parameters for the new destination NAT object The New Junos Destination NAT dialog box appears Here you must select the device that performs the translation and define the address pool 3 Select a de...

Страница 465: ...x enter the name of the interface To navigate to this dialog box see steps 1 to 4 of Adding a Destination NAT Object on page 414 2 Specify the hosts range of IP addresses whose ARP requests this devic...

Страница 466: ...for those devices Generate a local and CA certificate in one click using SCEP Use OCSP to automatically check for revoked certificates ScreenOS 5 0 or later devices only Use a certificate chain that i...

Страница 467: ...back to the root Partial Use partial validation to validate the certificate path only part of the way to the root Revocation Check Check for revocation Select this option to enable revocation checking...

Страница 468: ...icate CA IDENT Enter the name of the certificate authority to confirm certificate ownership Challenge Enter the challenge words sent to you by the CA that confirm the security device identity to the C...

Страница 469: ...our rule in an Extranet Policy object To create an Extranet Policy object 1 In the Object Manager select Extranet Policies The New ExtranetPolicyObject window appears 2 Enter the name of the Extranet...

Страница 470: ...Third party host checker policies Secure virtual workspace wallpaper images Hosted Java applets Custom Citrix client CAB files See Managing Large Binary Data Files Secure Access and Infranet Controlle...

Страница 471: ...es consist of the following elements IP Address The address represents the computer network or range of addresses to be considered part of this protected resource The address can be an individual host...

Страница 472: ...eway to the protected resource You can add multiple security gateways to provide redundant access for the protected resource Editing Protected Resources You can edit protected resources to accommodate...

Страница 473: ...proposals from VPN Manager select IKE Phase1 Proposals or IKE Phase2 Proposals Creating Custom IKE Phase1 Proposals Create a custom proposals for a specific combination of authentication and encryptio...

Страница 474: ...ault value is 28800 seconds 8 hours Click OK to add the custom IKE object to the management system Creating Custom IKE Phase 2 Proposals Create a custom proposals for a specific combination of authent...

Страница 475: ...n only then select the desired algorithm NOTE We strongly recommend that you do not use null AH with ESP Click OK to add the custom IKE object to the management system Configuring Dial in Objects Nets...

Страница 476: ...vice a gateway in the device and a service point in the gateway BSG Admission Controllers BSG Admission Controllers control Session Initiation Protocol SIP dialogs and transactions You can define the...

Страница 477: ...ported in Junos OS Release 9 5 and later When updating devices running under earlier versions of Junos OS the admission controller setting is dropped 427 Copyright 2010 Juniper Networks Inc Chapter 8...

Страница 478: ...Copyright 2010 Juniper Networks Inc 428 Network and Security Manager Administration Guide...

Страница 479: ...ll as how that traffic is treated while inside A security policy can contain firewall rules in the Zone and Global rulebases multicast rules in the Multicast rulebase and IDP rules in the Application...

Страница 480: ...signing a policy to a device see Assigning a Security Policy to a Device on page 501 Viewing Rulebase Columns for a Security Policy By default each rulebase displays a subset of available columns for...

Страница 481: ...x Viewing and Editing Custom Policy Fields NSM allows you to create multiple fields under Rule Options You can customize this fields to save metadata and you can edit and filter the values in each of...

Страница 482: ...rulebase when you need to control traffic between specific zones The zone specific rulebase can contain firewall rules and VPN rules and links Global Contains rules that are valid across all zones Cre...

Страница 483: ...s by ensuring that the three way handshake is performed successfully for specified TCP traffic If you know that your network is vulnerable to a SYN flood use the SYN Protector rulebase to prevent it T...

Страница 484: ...rk traffic flowing from one zone to another zone After you have added a device in NSM you can create rules in the firewall rulebases of your security policy You can build multiple firewall rules in bo...

Страница 485: ...You can install the same rule on multiple devices To begin configuring firewall rules for your managed devices see Configuring Firewall Rules on page 442 VPN Links and Rules The rules for your rule ba...

Страница 486: ...t group address in an internal zone to a different address on the outgoing interface specify both the original multicast address and the translated multicast group address in a multicast rule When you...

Страница 487: ...n detect and block attacks For example you can deploy the device with integrated Firewall VPN IDP capabilities between the Internet and an enterprise LAN WAN or special zones such as DMZ This is the d...

Страница 488: ...y and so on Validate a security policy before installing it on your managed devices Merge multiple security policies into a single policy for easier management For example after importing or re import...

Страница 489: ...You can apply the same object column value to a selection of policy rules Rule groups must be in an expanded state to apply the same object to the rules of a rule group Columns that disallow duplicate...

Страница 490: ...l filter conditions for different attributes The filter only applies to the current selected rulebase The filter results are displayed in the same rulebase Rules that do not match filter conditions ar...

Страница 491: ...ssociated with the attack object severity and protocol groups You should customize these templates to work on your network by selecting your own address objects as the Destination IP and choosing IDP...

Страница 492: ...s Security policies start with a minimum of rules and rulebases You can add additional rules to the rulebases as needed To add a rulebase 1 In the main navigation tree select Policies then double clic...

Страница 493: ...on addresses using the Select Address Dialog box In this dialog box you can populate hosts networks group addresses and polymorphic objects based on the context of the IP version selected The policy f...

Страница 494: ...ts of a rule right click in the Source or Destination column of a rule and select Add Address Next click the Add icon at the top of the New Source Addresses or New Destination Addresses dialog box and...

Страница 495: ...ress group object that represents your Marketing servers and the destination address to the address group object that represents your Engineering servers The more specific you are in defining the sour...

Страница 496: ...TP HTTP IMCP ANY and TELNET service objects You can create your own service objects to use in rules using the Object Editor such as service objects for protocols that use nonstandard ports If you use...

Страница 497: ...o enable or disable DI IDP and Application Services To use this feature 1 Select a zone based firewall policy and right click on the Rule Options column 2 When the DI Enable IDP Appl Srvcs dialog box...

Страница 498: ...on page 456 Configuring a DI Profile Enable IDP for Firewall Rules on page 457 Configuring the Session Close Notification Rule on page 458 To quickly configure all rule options right click the Rule O...

Страница 499: ...Series devices you can configure a NAT for a policy rule as one of the following An interface A pool of a specific device interface A PoolSet defined under the source NAT setting for a device collect...

Страница 500: ...r security device passes permitted traffic according to the priority level specified in the matching rule The higher the priority level of the rule the faster the matching traffic for that rule passes...

Страница 501: ...NSM to provide additional notification when a rule is matched such as an alert in the log entry An alert is a notification icon that appears in a log entry in the Log Viewer When you enable alerts in...

Страница 502: ...s script must be located in the usr netscreen DevSvr var scripts global directory In the event that the script fails you can also configure the system to retry or skip running the script again You can...

Страница 503: ...security device you can view that rule by logging in locally to the device with the WebUI or CLI where the rule appears as an individual policy The individual policy on the device has the same ID as t...

Страница 504: ...HTTP request to the categories in the profile in the following sequence Black List White List Custom URL Lists Predefined Web categories If no custom profile is bound to the firewall rule the securit...

Страница 505: ...ile as an authentication option from the Access Profile drop down list box Web Authentication Use for RAS users using HTTP to connect to the protected network Infranet Authentication Use this option t...

Страница 506: ...destination address To authentication RAS users with Web Authentication you must include HTTP service object in the Service column of the rule To make a connection to the destination address in the ru...

Страница 507: ...ected in permitted traffic You can configure one DI Profile for each rule When the device detects a match between the permitted network traffic and an attack object within the selected DI Profile the...

Страница 508: ...When the sessions reach the threshold limit the system drops all subsequent sessions If you enable the alarm without drop packet option the packet is not dropped but an alarm message is raised If you...

Страница 509: ...Options Session Close Notification A Session Close Notification window opens 2 Check the option Notify both ends if TCP session isn t normally terminated 3 Click OK configure the Session Close Notifi...

Страница 510: ...optionally the multicast group address on the outgoing interface Specify the access list that identifies the permitted multicast groups Select any to accept traffic for all multicast groups Configurin...

Страница 511: ...s Rules Antivirus settings are stored in a profile To assign an antivirus profile to a policy do the following 1 Double click the Rule Options cell in a rule 2 In the Configure Options dialog click th...

Страница 512: ...ll matches are executed You can specify that a rule is terminal if IDP encounters a match for the source destination and service specified in a terminal rule it does not examine any subsequent rules f...

Страница 513: ...you can select source and destination zones includes the predefined and custom zones that have been configured for all devices managed by NSM Therefore you should only select zones that are applicable...

Страница 514: ...ies Select a device policy and add an IDP rulebase Right click on the User Role column You can then Select Filter or Edit user roles If you select user roles the Select User Roles dialog box opens Sel...

Страница 515: ...n you select an attack object in the Attack column the service associated with that attack object becomes the default service for the rule To see the exact service view the attack object details Selec...

Страница 516: ...ntly leave your network open to attacks by creating an inappropriate terminal rule Remember that traffic matching the source destination and service of a terminal rule is not compared to subsequent ru...

Страница 517: ...tion IDP causes the firewall to drop the session upon detection of an attack However it cannot prevent the attack packet from reaching its destination because in the inline tap mode the IDP only recei...

Страница 518: ...inline tap mode the session is dropped but the attack packet would have been let through If using TCP in the inline mode the IDP drops the connection In the inline tap mode the IDP drops the connecti...

Страница 519: ...can Add all attack objects select All Attacks Consider carefully before selecting this option using all attack objects in a rule can severely impact performance on the security device Add one or more...

Страница 520: ...ommended Action Cause Severity Logging Alert Drop Packet Attacks attempt to evade an IDS crash a machine or gain system level privileges Critical Logging Alert Drop Packet Drop Connection Attacks atte...

Страница 521: ...an action to detect and prevent current malicious connections from reaching your address objects Then right click in the IP Action column of the rule and select Configure The Configure IP Action dial...

Страница 522: ...k information that you can view real time in the Log Viewer For more critical attacks you can also set an alert flag to appear in the log record To log an attack for a rule right click the Notificatio...

Страница 523: ...oose to apply rules to traffic on certain VLANs only Normally for a rule to take effect it must match the packet source destination service and attack objects If the VLAN cell is populated with a valu...

Страница 524: ...1024 characters in the Comments field You can deploy an ISG2000 or ISG1000 gateway as a standalone IDP security system protecting critical segments of your private network For example you might alread...

Страница 525: ...ow 3 Click Add in the Policies panel 4 Enter a name for the policy and comments if desired in the pop up menu and click OK The new IDP policy is added to the Policies panel To add rules to the IDP pol...

Страница 526: ...you want IDP to monitor for applications such as source destination zones source destination address objects and the application layer protocols services supported by the destination address object Y...

Страница 527: ...APE rule the APE rulebase is automatically created NOTE If you do not have appropriate access control permission and you attempt to create APE rules the wizard returns an error message stating that y...

Страница 528: ...can create custom zones for some security devices The list of zones from which you can select source and destination zones includes the predefined and custom zones that have been configured for all de...

Страница 529: ...role right click the User Role column of a rule and select Select User Role 2 From the Select User Roles dialog box select a device from the Device drop down menu 3 Use the Add or Remove button to add...

Страница 530: ...perform actions against the connection Remember that the device can drop traffic only when IDP is enabled in inline mode when IDP is enabled in inline tap sniffer mode it cannot perform drop or close...

Страница 531: ...olicy in Expanded Mode To change the security policy view from Compact Mode to Expanded Mode from the menu bar select View Expanded Mode If the current network traffic matches a rule the security devi...

Страница 532: ...e no logging options set Setting Timeout Options You can set the number of seconds that you want the IP action to remain in effect after a traffic match For permanent IP actions leave the timeout at 0...

Страница 533: ...with packet capture enabled match the same attack the security device captures the maximum specified number of packets For example you configure Rule 1 to capture 10 packets before and after the attac...

Страница 534: ...NOTE If you delete the IDP rulebase the Exempt rulebase is also deleted You might want to use an exempt rule when an IDP rule uses an attack object group that contains one or more attack objects that...

Страница 535: ...ve been configured for all devices managed by NSM Therefore you should only select zones that are applicable for the device on which you will install the security policy Configuring Source and Destina...

Страница 536: ...ight want to use this method to quickly eliminate rules that generate false positive log records To create an exempt rule from the Log Viewer 1 View the IDP DI logs in the Log Viewer 2 Right click a l...

Страница 537: ...tor To detect incoming interactive traffic set the Source to any and the Destination to the IP address of network device you want to protect To detect outgoing interactive traffic set the Source to th...

Страница 538: ...ddress Objects In NSM address objects are used to represent components on your network hosts networks servers and so on Typically a server or other device on your network is the destination IP for inc...

Страница 539: ...to the client Close Server Setting Notification You can choose to log an attack and create log records with attack information that you can view real time in the Log Viewer For more critical attacks y...

Страница 540: ...the packets after the attack If multiple rules with packet capture enabled match the same attack IDP captures the maximum specified number of packets For example you configure Rule 1 to capture 10 pac...

Страница 541: ...that attackers can use to disable the system a SYN flood Most systems allocate a large but finite number of resources to a connection table that is used to manage potential connections While the conne...

Страница 542: ...window or click the policy name and then select the Edit icon 2 Click the Add icon in the upper right corner of the Security Policy window and select Add SYN Protector Rulebase to open the SYN Protec...

Страница 543: ...ction timer expires IDP resets the connection to free resources on the server Setting Notification You can choose to log an attack and create log records with attack information that you can view real...

Страница 544: ...th rules match the same attack IDP attempts to capture 10 packets before and after the attack NOTE Packet captures are restricted to 256 packets before and after the attack Setting Severity You can ov...

Страница 545: ...Detecting TCP and UDP Port Scans To detect TCP and UDP port scans set a port count number of ports scanned and the time threshold the time period that ports are counted in seconds Example Traffic Anom...

Страница 546: ...t the source IP to your Internal Network and the configure the session count as 200 session sec To block traffic that exceeds the session limit set an IP action of IDP Block and chose Source Protocol...

Страница 547: ...pted to log all attacks and let the policy run indefinitely Don t do this Some attack objects are informational only and others can generate false positives and redundant logs If you become overloaded...

Страница 548: ...fter the attack NOTE Packet captures are restricted to 256 packets before and after the attack Setting Severity You can override the inherent attack severity on a per rule basis within the SYN Protect...

Страница 549: ...to add the Network Honeypot rulebase to a security policy 1 In the main navigation tree select Policies Open a security policy by double clicking the policy name in the Security Policies window or cl...

Страница 550: ...you can view real time in the Log Viewer For more critical attacks however you might want to be notified immediately by e mail have IDP run a script in response to the attack or set an alarm flag to...

Страница 551: ...Entering Comments You can enter notations about the rule in the Comments column Anything you enter in the Comments column is not pushed to the target devices To enter a comment right click the Comment...

Страница 552: ...vice Validating Security Policies You should validate a security policy to identify potential problems before you install it NSM contains a Policy Validation tool to help you locate common problems su...

Страница 553: ...stem vulnerabilities and packet dropping Policy validation identifies rule shadowing You should modify or delete all rules that overshadow others When a packet comes in a security device compares it t...

Страница 554: ...policy to the devices you want to use that policy Assigning a policy to a device links the device to that policy enabling NSM to install the policy on that device Selected the correct devices for the...

Страница 555: ...400000 The setting is measured in milliseconds 1000 s of a second So 2400000 milliseconds is equal to 40 minutes Updating Existing Security Policies To install a new or modified policy on a managed de...

Страница 556: ...ical device without resetting the policy NSM must reset the policy when the security policy you are installing already exists on the physical device but an object within the policy has changed in NSM...

Страница 557: ...device in one policy The Policies navigation tree lists security policies alphabetically You can create or import an unlimited number of security policies Each security policy contains a default firew...

Страница 558: ...e rule unique this is especially useful for rules that contain detailed rule options such as attack protection NOTE When you cut and paste a rule your preferred ID is retained However when you copy an...

Страница 559: ...Policy pane to easily select and add shared objects including address service Global MIP Global VIP attack device VLAN and custom field objects to your security policies Select the object and drag it...

Страница 560: ...ules you want to include in the group then right click and select create rule group Enter a name and description for the rule group then click OK Combining rules into a rule group can help you better...

Страница 561: ...y and a target policy The source policy contains the rules that you want to merge into another policy in the UI this is the From Policy The target policy receives the rules from the source policy in t...

Страница 562: ...12 Figure 84 Security Policy A Rules Before Policy Merge Policy B contains the rules as shown in Figure 85 on page 512 Figure 85 Security Policy B Rules Before Policy Merge To merge Policy A from poli...

Страница 563: ...pand rule groups Show expanded view Print filter condition Link all shared object details Run in background Click the Browse button to select a default export directory for all future exports Click Ex...

Страница 564: ...s how to use the GUI to make NSM default to automatic policy versioning To set the NSM default to policy versioning 1 In the NSM GUI select Tools Preferences 2 Under Object Versioning check Policy NOT...

Страница 565: ...M GUI right click on a policy 2 In the popup menu select View Versions The Version History window appears 3 In the window select the version and click Filter Search The Version Filter Definition dialo...

Страница 566: ...are two versions 1 In the NSM GUI right click on a policy 2 In the popup menu select View Versions The Version History window appears 3 Select two versions in the window 4 Click Compare to view the di...

Страница 567: ...g Database Version Filters enter appropriate values in the fields listed below Click OK to set the filter You can search for existing filter settings by viewing the current settings in the Filter Sear...

Страница 568: ...etwork and Security Manager on page 3 and the Network and Security Manager Configuring ScreenOS and IDP Devices Guide 5 When you are finished reviewing data about the different versions click Close on...

Страница 569: ...are two sets of rules of any rulebase type that can be created for any domain Configuration of pre post rules are located in the main navigational tree under Policy Manager called Central Manager Pol...

Страница 570: ...rules the device uses Subdomain postrules Global domain postrules Central Manager postrules ScreenOS Devices ScreenOS devices require rules to have unique IDs Rules pushed to devices are the merged r...

Страница 571: ...main navigation tree select Policy Manager Central Manager Policies 2 Select either Central Manager Pre Rules or Central Manager Post Rules 3 Click the Add icon in the toolbar and select Add Rule 4 S...

Страница 572: ...Policy Manager Central Manager Policies 2 Select either Central Manager Pre Rules or Central Manager Post Rules 3 Right click the rule you want to modify and select Delete Associated shared objects if...

Страница 573: ...es Change name color and other attributes Yes Yes if not referenced by central rules Yes Delete Validation of Polymorphic Object When an administrator first creates a polymorphic object the customizat...

Страница 574: ...a Polymorphic Object This procedure assumes that a Central Manager administrator is logged onto a Central Manager client To create a polymorphic object 1 In the main navigation tree select Object Mana...

Страница 575: ...to the selected regional servers 3 In the main navigation tree of the regional server select Object Manager Address Object to show the polymorphic address objects pushed to this regional server 4 Doub...

Страница 576: ...Copyright 2010 Juniper Networks Inc 526 Network and Security Manager Administration Guide...

Страница 577: ...these shared objects into the transaction rule Juniper Networks M Series and MX Series routers running Junos 9 5 and later can be managed in two modes Central Policy management CPM and In Device manag...

Страница 578: ...est source Enter a regular expression Contacts Enter a regular expression 7 Select the desired action for the rule under the Then header The actions are Accept Accept the traffic and send it to its de...

Страница 579: ...from log reports Admission controller settings are dropped from the policies pushed to devices running Junos OS Releases earlier than 9 5 NOTE NSM 2009 1 and later releases support BSG transactions in...

Страница 580: ...Copyright 2010 Juniper Networks Inc 530 Network and Security Manager Administration Guide...

Страница 581: ...t to this NAT rulebase A rule set consists of a general set of matching conditions for traffic If the traffic matches these conditions then that traffic is selected for NAT A rule set can contain mult...

Страница 582: ...Rule Set to the Source NAT Rulebase To add a rule set to the source NAT rulebase 1 Click at the upper left corner of the Source NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set di...

Страница 583: ...ing a Rule to a Source NAT Rule Set To add a new rule to a rule set 1 From the Source NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Source NAT t...

Страница 584: ...tions to perform Under the Name header Add Rule Enables you to add rules to the rule set from the New Rule dialog box Specify the values and click OK Add Source Enables you to view and modify the sour...

Страница 585: ...t All requests from a specific internal IP address and port are mapped to the same reflexive transport address Target host port All requests from a specific internal IP address and port are mapped to...

Страница 586: ...set to the destination NAT rulebase 1 Click at the upper left corner of the Destination NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set dialog box appears Here you must specify a...

Страница 587: ...le to a Destination NAT Rule Set To add a new rule to a rule set 1 From the Destination NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Destinatio...

Страница 588: ...e source that you set previously Under the Match header Src Address Edit Enables you to cut copy and paste the values that are within this field Add Src address Enables you to add additional sources E...

Страница 589: ...is rulebase For more information on adding a static NAT rule sets to the rulebase see Adding a Rule Set to a Static NAT Rulebase on page 539 Adding a Rule Set to a Static NAT Rulebase To add a rule se...

Страница 590: ...name gets created and is displayed in the Security Policy window The next step is to add rules to the rule set For more information see Adding a Rule to a Static NAT Rule Set on page 540 Adding a Rule...

Страница 591: ...are satisfied with the values click OK Add Source Enables you to view and modify the source that you set previously Under the Zone RJ Interface header View Modify Source Enables you to view and modify...

Страница 592: ...Copyright 2010 Juniper Networks Inc 542 Network and Security Manager Administration Guide...

Страница 593: ...appear as a single wide area network WAN VPNs replace costly Point to Point Protocol PPP and Frame Relay connections that require dedicated lines and sometimes even satellites between your private net...

Страница 594: ...single device Creating System Level VPNs with VPN Manager For AutoKey IKE and L2TP VPNs create the VPN at the system level using VPN Manager VPN Manager supports AutoKey IKE VPNs In policy based or ro...

Страница 595: ...or policy based VPNs or to control traffic through the tunnel for route based VPNs You can also create AutoKey IKE L2TP and L2TP over AutoKey IKE VPNs at the device level Supported VPN Configurations...

Страница 596: ...termination points are the end points of the tunnel traffic enters and departs the VPN tunnel through these end points Each tunnel has two termination points a source and destination which are the sou...

Страница 597: ...through a VPN member that does not contain protected resources Dual Hubs and Spokes In VPNs running ScreenOS 6 3 and later you can use Next Hop Resolution Protocol NHRP combined with IPSEC to establis...

Страница 598: ...ore IPSec services to establish the tunnel and protect your data Typically VPNs use encryption and authentication services to enable basic security between devices however for critical data paths usin...

Страница 599: ...ire before it can be broken By also exchanging authentication algorithms IKE can confirm that the communication in the VPN tunnel is secure Because all security parameters are dynamically assigned VPN...

Страница 600: ...ets for encryption authentication or other data protection services you must further encapsulate the L2TP packet using AutoKey IKE Choosing a VPN Tunnel Type You can configure three types of VPN tunne...

Страница 601: ...Because the tunnel is an always on connection between two network points the security device views the tunnel as a static network resource through which to route traffic To create the termination poi...

Страница 602: ...te a Manual Key VPN You must also decide if you want to use certificates to authenticate communication between the VPN members Define Method VPN Manager or Device Level How do want to create the tunne...

Страница 603: ...etween RAS users and protected resources An L2TP RAS VPN supports Policy based VPNs AH Authentication PPP or other non IP traffic Remote access users L2TP over Autokey IKE RAS VPN Use to authenticate...

Страница 604: ...ting VPNs see the NSM Online Help topic VPNs Preparing Basic VPN Components To create any type of VPN ensure that all security devices you want to use in the VPN are managed by NSM and configured corr...

Страница 605: ...igure each device to be a part of the VPN To manage different services for the same network component create multiple protected resource objects that use the same address object and security device bu...

Страница 606: ...oKey IKE groups that use a shared Group IKE ID NOTE We strongly recommend that you do not use null AH with ESP L2TP Uses Password Authentication Protocol PAP and Challenge Handshake Authentication Pro...

Страница 607: ...y one value per identity field for example ou eng or ou sw but not ou eng ou sw The ordering of the identity fields in the two ASN1 DN strings are inconsequential In this IKE ID matching part we need...

Страница 608: ...VPN you can link A single VPN tunnel to multiple tunnel interfaces Multiple VPN tunnels to a single tunnel interface For details on tunnel interfaces and tunnel zones see the Network and Security Mana...

Страница 609: ...ember receiving it The CA also issues certificates often with a set time limit If you do not renew the certificate before the time limit is reached the CA considers the certificate inactive A VPN memb...

Страница 610: ...guring CRL Objects A Certificate Revocation List CRL identifies invalid certificates You can obtain a CRL file crl from the CA that issued the local certification and CA certificate for the device the...

Страница 611: ...E RAS VPN Use to connect L2TP RAS users and protected resources An L2TP over AutoKey IKE RAS VPN supports policy based VPNs and L2TP RAS users but does not support routing based or mixed mode VPNs 2 E...

Страница 612: ...do not use NAT on your network you do not need to configure NAT for the VPN The following sections detail how to configure NAT and L2TP Configuring NAT Below the Protected Resources window select NAT...

Страница 613: ...se for the interface Global VIP Select the global VIP object that represents the virtual IP address you want to use for the interface Global DIP Outgoing You can enable the security device to use a Dy...

Страница 614: ...S users to the VPN When configuring an AutoKey IKE VPN this area does not appear Click the Users link to display the user selection dialog box then click the Edit icon to select the predefined RAS use...

Страница 615: ...ies in the Next Hop Tunnel Binding NHTB table enable Generate NHTB entries for 5 x devices When this option is selected VPN Manager autogenerates NHTB entries for each VPN tunnel NOTE If you are using...

Страница 616: ...or another main When configuring a VPN that uses multiple mains you can select to mesh all mains all mains can communicate with each other or disable all main meshing Branch A branch can connect to a...

Страница 617: ...mmary Edit Router Dynamic Routing Protocol NHRP Redistribution Rules Add the NHRP option to the OSPF BGP and RIP redistribution rules You can make these settings from VPN Manager VPNs AutoKey IKE VPN...

Страница 618: ...the device Configuring Gateways To configure the gateways for VPN click the Gateway Parameters link Configuring Gateway Properties In the Properties tab specify the following gateway values Selecting...

Страница 619: ...e the traffic To use NAT T enable NAT Traversal and specify UDP Checksum A 2 byte value calculated from the UDP header footer and other UDP message fields that verifies packet integrity You must enabl...

Страница 620: ...negotiations You can use a preshared key or certificates for authentication Preshared Key Certificate For Phase 1 select a Preshared Key Information or PKI Information Preshared Key Use if your VPN in...

Страница 621: ...IKE ID to authenticate the VPN member VPN Manager automatically creates the default IKE ID for you based on the policy or route based members and RAS users so you do not need to configure this option...

Страница 622: ...cket in the payload of another IP packet and attaches a new IP header This new IP packet can be authenticated encrypted or both Use transport mode for L2TP over AutoKey IKE VPNs NSM does not encapsula...

Страница 623: ...sed VPN at the Phase2 configuration level devices running ScreenOS 6 1 and later allow you to on both ASIC and non ASIC platforms ScreenOS 6 1 and later support the DSCP value configuration for tunnel...

Страница 624: ...VPN After you have inserted the VPN link into a security policy you can install that policy on your devices using the Updated directive Create static or dynamic routes for route based VPNs To autogen...

Страница 625: ...mixed mode VPNs this displays the tunnel interfaces and virtual routers configured on the VPN member To override the general properties and dynamic routing protocols for each tunnel interface right c...

Страница 626: ...ed device However the security policy does not display the VPN You can manually add a VPN link to your security policy a VPN link creates a link between the security policy and VPN the link points to...

Страница 627: ...Remote User Make your changes then click OK to save your changes Editing the VPN Configuration To add or delete a member edit any VPN parameter or reconfigure the VPN topology select the VPN and clic...

Страница 628: ...Trust zone Ethernet3 is the Untrust IP 2 2 2 2 24 in the Untrust zone 2 Create the address objects that you will use to create Protected Resources for details on creating or editing address objects I...

Страница 629: ...e Paris Protected Resource Object for AutoKey IKE VPN 5 Create the VPN In the navigation tree double click VPN Manager then right click VPNs and select AutoKey IKE VPN The New AutoKey IKE VPN dialog b...

Страница 630: ...Hub and Supernet leave the default of none Enable Mesh Main s In the Mains window select the Paris and Tokyo security devices c Click OK to return to the Topology dialog box then click OK to return to...

Страница 631: ...y policy and the VPN Manager autogenerated rules You create this link by inserting a VPN link in the zone rulebase this links points to the VPN rules that exist in the VPN Manager In Security Policies...

Страница 632: ...the Untrust zone 2 Create the address objects that you will use to create Protected Resources for details on creating or editing address objects a Add the Chicago Corporate Trusted LAN 10 1 1 0 24 as...

Страница 633: ...User Objects In the main display area click the Add icon and select Local Configure then click OK Figure 92 Add New Local User for AutoKey IKE RAS VPN 6 Create the VPN In the navigation tree double cl...

Страница 634: ...porate to use ethernet3 as the termination point this is the Untrust interface then click OK to return to the main display area 9 Configure the remote users for the VPN a In the Remote Users section c...

Страница 635: ...at the top of the policy but you can move the VPN link anywhere in the policy just as you would a firewall rule Example Configuring an Autokey IKE Route Based Site to Site VPN In this example an AutoK...

Страница 636: ...dress Netmask enter 10 2 2 0 24 For Color select magenta For Comment enter Paris Trust Zone Create the VPN In the navigation tree double click VPN Manager Right click VPNs and select AutoKeyIKEVPN The...

Страница 637: ...it icon to add the pre g2 3des sha proposal 11 Click Save to save your configuration changes to the VPN Because this VPN is route based no rules are autogenerated However you can view the device tunne...

Страница 638: ...face 5 Click OK to save your changes to the virtual router then click OK to save your changes to the Tokyo device 6 Configure the route on the Paris security device 7 In Device Manager double click th...

Страница 639: ...oading the dictionary file onto a RADIUS server refer to the RADIUS server documentation If you are using a Microsoft IAS RADIUS server there is no dictionary file to load Instead define the correct v...

Страница 640: ...r Comment enter Reseller VPN XAuth RADIUS For color enter green Add jhansen as a member 5 Add a Network address object to represent the network used by Reseller group In the Object Manager select Addr...

Страница 641: ...ler Remote Access VPN appears in the main display area 1 Configure the policy based members In the main display area select the Protected Resources link In the Protected Resources list select the rsl...

Страница 642: ...teway The autogenerated gateway for the Bozeman appears in the main display area Right click the autogenerated gateway and select Edit The Properties tab appears In the IKE IDs XAuth tab configure the...

Страница 643: ...VPNs do not support RAS users L2TP VPNs support transport mode and can be policy based Creating AutoKey IKE VPNs Creating device level AutoKey IKE VPNs is a four stage process Configure Gateway Confi...

Страница 644: ...vice Each security device member has a remote gateway that it sends and receives VPN traffic to and from To configure a gateway for a VPN member you need to define the local gateway the interface on t...

Страница 645: ...ateways that are users select the User object or User Group object that represents the RAS user Dynamic IP Address For remote gateways that use a dynamic IP address select dynamic IP address Outgoing...

Страница 646: ...stract Syntax Notation version 1 is a data representation format that is non platform specific Distinguished Name is the name of the computer Use ASN1 DN to create a Group ID that enables multiple RAS...

Страница 647: ...l CHAP for authentication password is sent in the clear User Name and Password Enter the user name and password that the RAS user must provide for authentication NOTE All passwords handled by NSM are...

Страница 648: ...and ensure compatibility Configuring Routes Route based only For a routing based VPN member you must configure Tunnel zone or tunnel interfaces on the member Static or dynamic routes from the member t...

Страница 649: ...ransport mode for L2TP over IPSec NSM does not encapsulate the IP packet meaning that the original IP header must remain in plaintext However the original IP packet can be authenticated and the payloa...

Страница 650: ...one on the security device to bind the VPN tunnel directly to the tunnel zone The tunnel zone must include one or more numbered tunnel interfaces when the security device routes VPN traffic to the tun...

Страница 651: ...when multiple VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitoring behavior as follows Considers incoming traffic in the VPN tunnel as ICMP...

Страница 652: ...rom the member to other VPN members VPN traffic flows through the tunnel zones or tunnel interfaces on the security device and uses static or dynamic routes to reach other VPN members You must create...

Страница 653: ...nnel interface or tunnel zone to increase the number of available interfaces in the security device To use a tunnel interface and or tunnel zone in your VPN you must first create the tunnel interface...

Страница 654: ...e next hop tunnel binding table NHTB table and the route table when multiple VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitoring behavior...

Страница 655: ...NS information assigned by the user s ISP However when the L2TP RAS user sends VPN traffic through the tunnel the security device assigns a new IP address and WINS DNS information that enables the tra...

Страница 656: ...g L2TP on page 605 3 Configure Peer Gateway see Configuring Gateways on page 594 4 Configure Routes Route based only see Configuring Routes Route based only on page 598 5 Add VPN to Device see Configu...

Страница 657: ...member that contains the termination interface for the VPN tunnel To Zone Select the zone on the destination VPN member that contains the termination interface for the VPN tunnel Service column Select...

Страница 658: ...and Paris security devices 2 Configure the Tokyo device with the following interfaces Ethernet1 is the Trust IP 10 1 1 1 24 in the Trust zone Ethernet3 is the Untrust IP 1 1 1 1 24 in the Untrust zone...

Страница 659: ...erties tab as shown below For Name enter Tokyo_Paris For Gateway enter 2 2 2 2 For Local SP enter 3020 For Remote SPI enter 3030 For Outgoing Interface select ethernet3 For ESP AH select ESP CBC For E...

Страница 660: ...gure a route from the untrust interface to the gateway and then click OK Figure 95 Configure Tokyo Route for RB Site to Site VPN MK 17 Configure route from the trust zone to the tunnel interface and t...

Страница 661: ...he General Properties screen appears 3 Configure the following then click OK For Zone select untrust For IP Options select Unnumbered For Source Interface select ethernet3 4 Create the Paris VPN In th...

Страница 662: ...tables ScreenOS 5 1 and later devices display destination based source based and source interface based routing tables 4 Configure a route from the untrust interface to the gateway then click OK 5 Con...

Страница 663: ...routes on each device Finally you create VPN rules in a security policy to create the VPN tunnel between the two sites Create VPN Components 1 Security Devices 2 Address Objects Create the Tokyo VPN...

Страница 664: ...n navigation tree select Policies Click the Add icon to display the new Security Policy dialog box 2 Configure the following then click OK For Security Policy Name enter Corporate Policy Based VPN Opt...

Страница 665: ...r Betty then click OK For Name enter Betty Select Enable then select L2TP Select Password then enter and confirm the password BviPsoJ1 3 Configure an L2TP user object for Carol then click OK For Name...

Страница 666: ...ises Each branch site spoke is connected to a central site hub The communication between spoke sites must go through the hub which does not scale as the number of spoke sites increases Using the auto...

Страница 667: ...ins pane select each device you want to be a main Main devices can communicate with every other device in the topology Click OK and then click the Save button to save the VPN configuration 4 Configure...

Страница 668: ...d then click Edit Virtual Router The Virtual Router dialog box appears Click Dynamic Routing Protocol NHRP Parameters Verify that the ACVPN Profile setting has been populated Click OK 9 For the spoke...

Страница 669: ...are used by Central Manager pre post rules are available in regional servers attack db and so on When you update pre post rules the Central Manager and regional server versions must match NOTE You can...

Страница 670: ...any of the regional servers managed by Central Manager and begin managing the servers using all assigned permissions No extra log on off steps are required for administrators to navigate from one reg...

Страница 671: ...r and the VPN manager NOTE You cannot switch a J Series or SRX Series device from central management mode to device management mode if the device has an assigned policy Using Central Manager This sect...

Страница 672: ...r administrators can log into regional servers directly from Central Manager The following procedure assumes that a Central Manager administrator is logged onto a Central Manager client and a regional...

Страница 673: ...pdated only if they are actually being used by the pre post rules on the Central Manager server All new shared objects are replicated inserted into the global domain of the regional server Objects tha...

Страница 674: ...added existing polymorphic object are kept and incoming global policy rules use existing polymorphic object Incoming polymorphic object with the same name are discarded Name conflict with a regional s...

Страница 675: ...networkcan include J Series M Series MX Series and EX Series devices as well as ScreenOS and IDP devices IP phones desktops printers and servers The Topology Manager also provides details about connec...

Страница 676: ...ws and not the different table views To add a device a Select the Manage Devices icon A dialog opens b Enter the SSH user name and password c Select OK Set Preferences Use this tool to set preferences...

Страница 677: ...all switches and switch ports as well as on all LLDP or LLDP MED enabled devices such as IP Phones Ensure that the included subnets specified in Topology Manager preferences are sufficient for all swi...

Страница 678: ...tween network and end point devices 9 Select Free Ports to view a list of EX Series switches and the available ports on these switches About the NSM Topology Map Views The NSM Topology Manager provide...

Страница 679: ...the right click menu in the topology map view Locate Devices Use this tool to locate a specific device within a particular topology view To find a device within a topology cloud 1 Expand a topology cl...

Страница 680: ...views of your network topology A tabular view of the topology lists all the network elements and devices connected to them A tabular view does not display information related to the links and the typ...

Страница 681: ...s device is indicated in the DeviceStatus column You can save the information in the table as comma separated values in a file You can right click on a free port listed in the topology tabular view an...

Страница 682: ...owed and denied subnets You must specify included subnets because topology discovery happens only for those included subnets that you configure Discovery does not take place if there are neither inclu...

Страница 683: ...e the changed configuration on the device View device details in the topology map You can view details of a managed device in the topology view View link details between devices in the topology map Yo...

Страница 684: ...Copyright 2010 Juniper Networks Inc 634 Network and Security Manager Administration Guide...

Страница 685: ...ethernet switching port mode is set to access RSTP is enabled with the edge option and port security parameters MAC limit 1 dynamic ARP Inspection and DHCP snooping enabled are set Layer 2 Uplink Port...

Страница 686: ...ion to resolve conflicts between the port template configuration and the actual configuration on the associated device See Detect and Resolve Configuration Conflicts on page 638for details Customize p...

Страница 687: ...save the changes and close the Manage Template Port Association screen To edit port template parameters 1 Select the port template from the list in the ManageTemplatePortAssociation screen 2 Click Edi...

Страница 688: ...administrator you can create port templates using the Customize Port Template feature 2 To modify the default template name type a name in the Template Name field 3 To modify the default description...

Страница 689: ...duler Map Name field 4 To edit scheduler settings click Edit Scheduler The Edit Scheduler screen is displayed Specify the following Scheduler name Transmit Rate Select one Unconfigured if you do not w...

Страница 690: ...Copyright 2010 Juniper Networks Inc 640 Network and Security Manager Administration Guide...

Страница 691: ...of Infranet Controllers IC and Enforcement Points EP The Infranet Controller View on page 641 The Enforcement Point View on page 642 The Infranet Controller View The NSM main display area is horizont...

Страница 692: ...n the selected IC Each EP can be associated with only one Location Group available in the IC 5 Enter the Infranet Controller port to which the EP should communicate The default port is 1812 6 Enter th...

Страница 693: ...ation Conflicts with the Infranet Controller in the UAC Manager Before you resolve configuration conflicts perform an Import Device to identify the actual conflicts in the configuration To ensure that...

Страница 694: ...tify these entries from the RADIUS client of the IC Enabling 802 1X on Enforcement Point Ports in the UAC Manager To enable 802 1X on ports on Enforcement Points EP 1 Select an EP on whose ports you w...

Страница 695: ...Resolving Configuration Conflicts Between Devices and 802 1X Ports in the UAC Manager The Resolve Configuration Conflict option allows you to detect any inconsistency between the device configuration...

Страница 696: ...Copyright 2010 Juniper Networks Inc 646 Network and Security Manager Administration Guide...

Страница 697: ...PART 4 Monitoring Realtime Monitoring on page 649 Analyzing Your Network on page 699 Logging on page 729 Reporting on page 799 647 Copyright 2010 Juniper Networks Inc...

Страница 698: ...Copyright 2010 Juniper Networks Inc 648 Network and Security Manager Administration Guide...

Страница 699: ...time Monitor on page 687 Monitoring the Management System on page 687 About the Realtime Monitor The Realtime Monitor module in NSM enables you to monitor real time status and statistics about all the...

Страница 700: ...sessions that have been implemented within the domain you are working in From the VPN Monitor you can determine if a VPN tunnel is up down or not monitored NSPR Monitor Displays status information ab...

Страница 701: ...ously detected in NSM This could happen in the event that the automatic adjustment option was cleared during a change device firmware directive or an Update Device directive was issued to an IDP devic...

Страница 702: ...device in NSM Up Device is currently connected to NSM Down Device is not currently connected to NSM but has connected in the past Never Connected Device has never connected to NSM The Device Server c...

Страница 703: ...The inventory information in the NSM database is synchronized with the licenses on the device Out Of Sync The inventory information in the NSM database is not synchronized with the licenses on the de...

Страница 704: ...formation appears in the Device Monitor in the Device Summary Interface Viewing Device Monitor Alarm Status Alarms refresh automatically through periodic polling To view the Alarm status and time 1 Fr...

Страница 705: ...tus Table 51 Device Detail Status Items Description Item ScreenOS firmware version running on the device OS Version Current operation mode of the device Network Address Translation NAT Transparent or...

Страница 706: ...ndow NOTE The information in the Device Statistics window appears slightly different for firewall VPN devices and IDP sensors Device Statistics Summary The Device Statistics Summary displays the follo...

Страница 707: ...from Greenwich Mean Time this is not displayed in the Vsys view GMT Time Offset Hours Whether you have enabled the security device to adjust time for daylight savings DayLight Saving Additional Devic...

Страница 708: ...ecurity device Enables you to view CPU Memory and Session Utilization trends Resource Statistics System View administrator and user activities active VPNs and authenticated users on a security device...

Страница 709: ...al number of data connections Total Connections The relative percentage of connections Connection Rel The total numerical difference between the current connection value and the previous connection va...

Страница 710: ...enabled for each security device You can view up to ten protocols A bar graph displays a percentage of the absolute number of bytes for the top 10 protocols by default Table 55 on page 660 describes...

Страница 711: ...and data depicted graphically in the same way that you adjust the Policy Distribution graphs You can also adjust the data types in the Protocol Distribution graph by Bytes In Bytes Out Packets In Pac...

Страница 712: ...fic over the tunnel such as bytes in out packets in out utilization Table 56 on page 662 describes all the information that is available from the VPN Monitor Table 56 VPN Monitor Table Description Ite...

Страница 713: ...outgoing packets handled by the protocol through the security device Packets Out Total numerical difference between the current packets out value and the previous packets out value Delta Packets Out...

Страница 714: ...ctive VPN Peer Address Monitoring capability status for the VPN ON or OFF Monitor IPSec IP security protocol for the active VPN AH Authentication Header or ESP Encapsulating Security Payload IPSec SPI...

Страница 715: ...curity devices DMZ interface available on NetScreen 25 NetScreen 50 and NetScreen 500 devices the NetScreen 5XP device has no DMZ interface HA interface and management interface available on NetScreen...

Страница 716: ...hrough the security device over the selected interface CRC Errors The number of Frame Checksum FCS errors Alignment Errors The number of frames that are not of the correct length ShortFrame The number...

Страница 717: ...ections that occurred for a given interface Connections The number of incoming packets dropped by a given interface Packets Dropped The number of incoming packets denied on the virtual interface by th...

Страница 718: ...lock any attempt of this nature and records such attempts as a Land attack Land Attack ICMP pings can overload a system with so many echo requests that the system expends all its resources responding...

Страница 719: ...ag TCP packet that does not have any bits set in the flags TCP no Flag The security device drops packets where the protocol field is set to 101 or greater These protocol types are reserved and undefin...

Страница 720: ...ckets that have both the SYN and FIN bits set in the flags field SYN n FIN TCP packet with a FIN set but no ACK set in the flags field FIN no ACK When you enable Malicious URL Detection the security d...

Страница 721: ...are fragmented No of Fragment Blocks The number of currently active sessions Active Sessions The number of allocated sessions Allocated Sessions The maximum sessions allowed Max Sessions Allowed The...

Страница 722: ...ts and protocol type about the active sessions on the security device by default You can also view extended information about the session such as session ID ICMP type if applicable total incoming byte...

Страница 723: ...fetch specific sessions on a security device that match specific criteria that you set The session filter defines the overall data set that you can view from the Active Sessions view After you config...

Страница 724: ...t number or Port Range 4 Click in the Translated tab to specify the sessions that you want to view according to Translated IP Address and Port number or Port Range 5 Click in the Protocol tab to speci...

Страница 725: ...5 describes all of the information that is available from the HA Statistics view Table 65 HA Statistics View Description Item The group ID that is associated with the VSD or RTO VSD Group ID The numbe...

Страница 726: ...d The sensor exists in NSM but a connection to the sensor has not yet been established RMA Equivalent to bringing the sensor into the Modeled state RMA results from an administrator selection in the U...

Страница 727: ...last time the sensor connected to the NSM Device Server Latest Connect The last time the sensor disconnected from the NSM Device Server Latest Disconnect Viewing IDP Device Detail and Statistics If a...

Страница 728: ...centage of used memory Mem Usage Total amount in megabytes of swap space Total Swap Amount in megabytes of used swap space Used Swap Percentage of used swap space Swap Usage Viewing IDP Process Status...

Страница 729: ...The Device Statistics Summary displays the following details Details describing the sensor for example firmware version and mode Packet and flow information Table69onpage679detailsadditionalinformati...

Страница 730: ...rity devices used in the VPN For example a root security device named NS5000 with an IP address of 1 1 1 1 appears as NS5000 1 1 1 1 For a Vsys 1 NS5000 1 1 1 1 1 appears FromHostname IP Vsys Domain i...

Страница 731: ...nclude all selected devices TIP In the Selected Devices Vsys area by default all devices or virtual systems are included in the filter To improve system performance you can remove devices or virtual s...

Страница 732: ...Active VPN Details Refer to Viewing Active VPN Information on page 663 for more information on the Active VPN Details table Viewing Device Specific VPN Information To view security device specific in...

Страница 733: ...ous ARPs No of Gratuitous arps The total number of Critical events that occurred Critical Events The total number of Major events that occurred Major Events The total number of Minor events that occur...

Страница 734: ...is available from the VSD counters view Table 73 VSD Counter Details Description Item The devices that are associated with the VSD or RTO Device The number of units associated with the VSD or RTO Numb...

Страница 735: ...ction of the RTO In or Out Direction The number of heartbeats not received from the RTOs peers Lost Heartbeat The number of times that the RTO was placed to Active Counter to Active The number of time...

Страница 736: ...ter on a given Ethernet segment retrieved from all nodes Cluster ID Whether the Cluster is in Hot standby or Load Sharing mode HA Mode Total number of IDP sensors that are associated with the cluster...

Страница 737: ...to temporarily indicate as DOWN The Device Monitor still indicates that the security device is DOWN You next try to ping the security device If you are successful in reaching the device you can send a...

Страница 738: ...ss The port open on the Device Server for security devices running ScreenOS 5 0 and later Read Only Device Server Manager Port The port open on the IDP Device Server for security devices IDP Device Se...

Страница 739: ...tics every 300 seconds by default If you wish to change this behavior you can edit the interval using the Device Polling tab High Availability HA To configure a secondary Device Server you need to spe...

Страница 740: ...have installed a primary and secondary GUI Server in a high availability configuration you can use the Server Monitor to monitor which GUI Server is currently active The Server Monitor provides two c...

Страница 741: ...ed on CPU or memory utilization OK Warning Critical Down Note By default the Status field for each server appears Green OK if the usage on either the CPU memory or disk is less than 90 It appears Yell...

Страница 742: ...itional Server Status Details If you are interested in monitoring additional details about your server s status you can view the Server Detail Status window by double clicking any of the servers that...

Страница 743: ...ew the status of all running server processes on the GUI Server or Device Server This view is useful for troubleshooting If you are having problems with the server you can quickly identify if a specif...

Страница 744: ...page 694 lists and describes the information that appears in the Process Status Table 82 Process Status Description Name Name of the GUI Server or Device Server process Name Displays if the process is...

Страница 745: ...lities Description Name Provides information on peak average logging rate total log database size and average log size This utility is located on the Device Server at usr netscreen DevSvr utils logcou...

Страница 746: ...xdbAuditLogConverter sh In NSM enhancements to the audit log exporter tool allow you to Invoke detailed help messages from the audit log exporter tool with xdbAuditLogConverter help Use showdiff to v...

Страница 747: ...es Viewing Device Schema To view current and running schema 1 In the User Interface click Administer 2 In the navigation tree select Server Manager Schema Information The main display area displays th...

Страница 748: ...Copyright 2010 Juniper Networks Inc 698 Network and Security Manager Administration Guide...

Страница 749: ...ime monitor of these watch lists and the top 10 attacks within the previous hour The interval at which these lists are updated ranges from 2 minutes default rate to 30 minutes The lists are updated au...

Страница 750: ...orate network while working in a conference room Normal Event Wendy holds a meeting every Tuesday at 4 00 PM in conference room A Every meeting she connects her laptop to the network and accesses docu...

Страница 751: ...ate and recover from any damage For details see Stopping Worms and Trojans on page 719 Detect violations of your corporate security policy The Profiler can help you confirm suspected violations such a...

Страница 752: ...ternal hosts Include Non tracked IP Profiles Maximum database size for the Profiler on each device By default the maximum database size is 3 GB db limit in MB Enables the Profiler to perform passive O...

Страница 753: ...icating to www yahoo com and www cnn com as one entry in the Profiler DB You can select unlimited internal network objects You can also use the Exclude List tab to select the network objects that repr...

Страница 754: ...e database size You can configure the maximum limit of the Profiler DB using the dbLimit parameter in the General tab of the Profiler Settings dialog box The default limit is the value that has been s...

Страница 755: ...click on any device from the Device Manager and select IDP Profiler Stop Profiler NOTE After you stop the Profiler for a specific device the Enable Protocol Profiler setting in the device is automati...

Страница 756: ...with the Source Destination IP and Source Destination MAC and Organizationally Unique Identifier OUI Use this view to quickly see which hosts are communicating with other hosts and what services are...

Страница 757: ...able recorded Context When you select a context the values that your devices recorded for a selected context Value Source MAC addresses of traffic profiled Src MAC Destination MAC addresses of traffic...

Страница 758: ...ongs Role All services of traffic profiled Service Type of the traffic profiled Access indicates a successful connection during which the device recorded valid requests and responses from the server t...

Страница 759: ...only those items that violate the criteria that you set Configuring Permitted Objects Permitted objects are shared objects specific to the Profiler They enable you to configure objects in the Profiler...

Страница 760: ...he traffic you do not want on your network take the appropriate security measures for example remove the unauthorized network components incorporate the components services into your existing corporat...

Страница 761: ...de the aggregate traffic volume information from the parent application group As you move up the root of the application hierarchy you can view the total network traffic volume The Application Profile...

Страница 762: ...ny of the columns that appear in the Filter Criteria A dialog box lets you add entries that match the column you selected as a criterion to filter the Profiler view The Profiler view automatically upd...

Страница 763: ...e First Seen timestamp as the last 2 days Use the Last Seen setting to define a last timestamp threshold If the device logged an event and the event timestamp is before the last timestamp the event ap...

Страница 764: ...Sort on any column except the Application column The Application column does not support sorting because application values are similar for each application group When you perform a sort on any other...

Страница 765: ...umn Details about the selected host IP including IP Address MAC Address OUI Organizationally unique identifier a mapping of the first three bytes of the MAC address and the organization that owns the...

Страница 766: ...menu to change these parameters To manually purge the Profiler DB of all records click Clear All DB This operation can take up to one minute During this time a message appears on all other connected...

Страница 767: ...e from a few hours to a few weeks Setting a Baseline When you are satisfied that the Profiler has detected each host protocol and port that you want to profile you have successfully created a network...

Страница 768: ...users change the default password immediately However for convenience some users leave the default configuration password unknowingly opening a security hole in the network The Profiler captures user...

Страница 769: ...rate security policy does not permit SQL servers on the internal network However during a regular Microsoft update SQL applications are installed on a network server without your knowledge Because you...

Страница 770: ...of the Blaster worm From the Profiler 1 Restart the Profiler 2 Select the Network Profiler to quickly see the source destination and service of traffic on your network 3 In the Service data table sel...

Страница 771: ...nables you to visualize and correlate network behavior based on data collected in the Profiler Log Viewer and Report Manager You can use the Security Explorer to perform the following tasks Get a dyna...

Страница 772: ...that displays the following nodes Host Displayed as an IP address Network Displayed using CIDR notation ip class 8 16 24 Protocol These include TCP ICMP and so on Attack Specific attack object name Se...

Страница 773: ...ver Profiles One host or network and the context for server related traffic Every context is connected to its host network related value for example on a host is an SSL server running version 3 1 The...

Страница 774: ...ve selected Reports Viewer Use the Reports tab to generate and view one of the following reports in Security Explorer Top Alarms Top Traffic Alarms Top Traffic Logs Top IDP DI Attacks Top Screen Attac...

Страница 775: ...n other activities you may want to use with Security Explorer you also may need proper administrative privileges to View Profiler View Device Logs View Historical Log Reports View Devices View Shared...

Страница 776: ...l information related to your point of reference Depending upon the type of icon that you select you can transition to another graph Table 89 on page 726 describes the graphs that you can transition t...

Страница 777: ...an also view additional data and graphs by adding and removing additional panels to Security Explorer Use the icon to add a Security Explorer panel The new panel appears as a new tab in the main graph...

Страница 778: ...Copyright 2010 Juniper Networks Inc 728 Network and Security Manager Administration Guide...

Страница 779: ...tive event such as the administrator name timestamp of the change and job details You can configure each managed device to generate and export specific log records to multiple formats and locations su...

Страница 780: ...for each event that matches that rule An event matches a predefined set of conditions configured on a managed device or the management system Some events generate log entries that appear in the Log V...

Страница 781: ...res immediate action Alert Log entries triggered when system encounters critical conditions Critical Log entries triggered when system becomes unusable Emergency Log entries triggered when system enco...

Страница 782: ...ng logs from ScreenOS andIDPdevicesaredisplayedasDevice_critical_logandDevice_warning_log Ifupgrading from an earlier release you may need to modify your action manager criteria to match the new conve...

Страница 783: ...re is not supported Log Investigator analysis can only be applied to those partially structured syslogs that provide the source address and destination address in related columns Log Viewer provides o...

Страница 784: ...estination except Firewall Options Table 93 Destinations of Log Entry Severities Severities Description Destination All severities The PC you use to view log entries in NSM Console Emergency Alert Cri...

Страница 785: ...was dropped or terminated at the device When negotiating an IKE key the VPN client communicates with the security device Log IKE Packets to Self Creates a log entry for an SNMP packet that was droppe...

Страница 786: ...ged device to report specific events to NSM Select the appropriate NSM Device Server then select the events that are logged on the device and reported to NSM The following sections detail each event N...

Страница 787: ...ribes the security event that triggered the alarm Traffic alarms generate log entries that appear in the Alarm category To receive traffic alarm log entries you must Enable the device to generate traf...

Страница 788: ...Inspection Alarm Log Entries on page 864 Severity Configuration Log Entries The device generates configuration log entries for events that change the configuration on the device Specifically any comm...

Страница 789: ...ou must Enable the device to generate self log entries for NSM in Report Settings NSM Enable the device to send specific self log entries to NSM in Report Settings General Firewall Options For details...

Страница 790: ...e 667 Ethernet Statistics The device forwards statistics for Ethernet activity on the device Ethernet statistics do not generate log entries the statistics are used by the Realtime Monitor module For...

Страница 791: ...s Use SNMP settings to configure the Simple Network Management Protocol SNMP agent for the managed device The SNMP agent provides a view of statistical data about the network and the devices on it and...

Страница 792: ...SNMPv1 SNMPv2c or both SNMP versions as required by the SNMP management stations For backward compatibility with earlier ScreenOS releases that only support SNMPv1 security devices support SNMPv1 by d...

Страница 793: ...ends dialog box Enter appropriate data into the following fields Table 97 WebTrends Settings for Log Entries Description Field Directs NSM to forward a log to the WebTrends server Enable WebTrends Mes...

Страница 794: ...s stored permanently on the NSM server until or unless it is purged by the user To store the packet data on the IDP sensor double click an IDP sensor select Report Settings in the navigation tree and...

Страница 795: ...Figure 103 View Packet Data in a Log Figure 104 on page 746 provides an example of packet data 745 Copyright 2010 Juniper Networks Inc Chapter 19 Logging...

Страница 796: ...ity Using Log Views on page 747 The Log Viewer includes several predefined views for critical severity attacks configuration log entries scans and other important activity This section describes how t...

Страница 797: ...Viewer Integration on page 766 This section describes how to use the Log Viewer integration to jump from a log entry directly to the responsible security policy or managed device configuration Identi...

Страница 798: ...pe Category Admin 13 Admin SUBCATEGORY SYS10061 SYS10062 Cluster Subcategory AUT23523 AUT23524 Dynamic Policy Evaluation Category Events 14 Events Subcategory SYS24013 SYS24014 SYS24015 ERR24016 SYS24...

Страница 799: ...te Exceeded UDP Port Scan UDP Port Scan In Progress Scans Creating Custom Views and Folders A custom view enables you to organize log entries in a format that is most helpful to you Because the custom...

Страница 800: ...lect Save As In the New View dialog box enter a name for the custom view enter a name for the folder that you want to save the view in and click OK The new view is displayed in the navigation tree in...

Страница 801: ...egory A category is either admin alarm config custom event implicit info predefined profiler screen self sensors traffic urlfiltering or user A subcategory is an attack type Default Category Subcatego...

Страница 802: ...since the beginning of the current session No Elapsed Secs Specifies if this log has associated packet data No Has Packet Data A destination port that has undergone NAT and is associated with the pack...

Страница 803: ...3 and later and Junos firewall devices The Policy ID column remains empty for older logs Log Viewer Detail Panes The Log Viewer contains additional panes that provide summary and detail information fo...

Страница 804: ...to top of log entry list Page up within log entry list Scroll up within log entry list Use the slider to move up or down within log entry list The farther you drag the slider from the center the faste...

Страница 805: ...pecific log entry immediately Typically you use a log ID search when you have previously viewed the log entry and need to find it again quickly A value search that searches for a log entry based on th...

Страница 806: ...use the Out and In buttons From left to right the time blocks are 14 days 7 days 3 days 1 day 12 hours 6 hours 3 hours 1 hour 30 minutes 1 minute Click the Out button to select the time block to the...

Страница 807: ...guration log entries from that device 3 Select Tailing Logs The view jumps to the bottom of the log entry list and remains there as new configuration log entries for the device arrive they appear at t...

Страница 808: ...ons Edit Use this option to set multiple filters for cell content at the same time Select to display the Filter dialog box for that column then select the columns you want to filter on To display only...

Страница 809: ...Filter Set Filter Select the flag types that you want to use as the filter criteria then click OK NSM applies the filter to all log entries and displays only the log entries that match the specified f...

Страница 810: ...hen applied this filter displays log entries for events that were generated or received before or at the specified end time To filter on a time period select From and To then enter the start and end d...

Страница 811: ...ytes only select From and enter a value When applied this filter displays log entries for events that received or transmitted more than or equal to the specified minimum number of bytes To filter on a...

Страница 812: ...e view The more columns you configure to appear in the Log Viewer the more information you can see at one time and the more you must scroll from side to side to view all columns setting fewer columns...

Страница 813: ...e columns to narrow your search To configure the column settings 1 In the navigation tree select the Log Viewer module 2 From the View menu select Choose Columns NSM displays the Column Settings dialo...

Страница 814: ...splayed 2 From the Filter Summary dialog box select a column on which you want to filter log entries 3 Select the filter settings you wish to apply for the specified column then click OK 4 To select a...

Страница 815: ...a Log Viewer column that was selected for filtering log entries 1 Select View Filter Summary The Filter Summary dialog box is displayed 2 To clear a single column Clear the column check box that you d...

Страница 816: ...ase snapshots also enable you to view previous object versions For details on database snapshots see Automatic Policy Versioning on page 514 Other options for archiving and restoring logs and configur...

Страница 817: ...network Use the information in Table 105 on page 767 to determine if the attack is relevant Table 105 Irrelevant Versus Relevant Attacks Relevant Attacks Irrelevant Attacks Attack attempts to exploit...

Страница 818: ...formation in table and chart format Configuring Log Investigator Options on page 770 Configure the criteria the Log Investigator uses to create the matrix including the time period Left and Top Axes s...

Страница 819: ...is setting which determines data set that is used for Top Axis setting Top Axis The controlled axis for log entry data the dependent axis The Log Investigator collects log entry data for the Left Axis...

Страница 820: ...nterface time to initially locate problems After you have identified the issues you want to investigate set a shorter time interval to eliminate irrelevant log entry data After you have determined the...

Страница 821: ...to the data type Top Sources After the Left Axis data set has been determined the Log Investigator searches that data set for data that matches the Top Axis setting By default the Top Axis is set to...

Страница 822: ...most popular source addresses are generating attacks against the most popular destinations Select the Left Axis the independent axis as Top Sources Select the Top Axis the dependant axis as Top Destin...

Страница 823: ...ria for log entries and the Log Investigator filters out log entries that do not match the filter criteria Using the Filter Summary dialog box you can select and apply multiple filters to the Log Inve...

Страница 824: ...level of a generated alarm User Flag Severity Alarm Filters Various Details Protocol Category Alert Roles User Application name Miscellaneous Filters NOTE For a complete list of log entry columns ava...

Страница 825: ...are ready to begin investigating your log entry data Using Rows and Columns Each row or column in the Log Entry matrix represents events for a single data type When selecting a row or column you are...

Страница 826: ...nternal trojan You probably need to get more details such as destination ports used and attack subcategories for the events before you can resolve the issue Table 107 on page 776 details the benefits...

Страница 827: ...f attacks received by that port number Because services are mapped to specific port numbers you can use the port number to identify the service used in the attack The right pane displays a chart using...

Страница 828: ...en investigating events that generate lower values To exclude a specific attack from the Log Investigator calculations right click the attack cell and select Exclude To help you keep track of excluded...

Страница 829: ...hich a user is allowed to view audit logs The values are empty Audit log entries created prior to this NSM release that do not have targeted objects or devices These logs can be viewed by all NSM user...

Страница 830: ...Log table The following sections describe these data management options Select Audit Log Table Use the Set Audited Activities option in the Edit menu to select read write or read only auditable activ...

Страница 831: ...ield filter right click a column field and select Filter to display the filter menu options Time based column filter To create a time based filter right click a field in the Time Generated column and...

Страница 832: ...hange Device View For a change made to the device itself such as adding the device autodetecting a device or rebooting a device select the audit log entry for that change in the Audit Log table then v...

Страница 833: ...of free disk space on the Device Server NOTE Use the Server Manager node in the NSM UI to configure e mail notification Refer to Configuring Servers on page 688 for more information storageManager mi...

Страница 834: ...ion indicating the day contained in the directory Do not attempt to archive the current day s files You can automate archival using cron To archive logs 1 Use scp to copy all directories in usr netscr...

Страница 835: ...The location of the archive is user configurable from the Disk and Log Management dialog box The options are Local and Remote Local To archive logs locally specify the directory location for file sto...

Страница 836: ...ault e mail address in the EMail section for the From e mail address 3 Click the Add icon to open the New Add Edit EMail Address dialog box 4 Enter the default To e mail address for all log actions in...

Страница 837: ...ou want to send qualified logs NSM uses the specified server when exporting qualified log entries to the system log To actually export logs to a system log server you must select Syslog Enable using t...

Страница 838: ...xporting qualified log entries to e mail These settings define the e mail and SMTP settings for the management system NOTE After editing your e mail settings you must restart the Device Server for you...

Страница 839: ...qualified log records to a script you must configure the following Script Enable Script To Run Select the script you want to run from the Script To Run list For a script to appear in the list the scr...

Страница 840: ...sing Filters The log2action utility generates data for a maximum of 100 000 logs NOTE If you want to generate more than 100 000 logs use the matches to return option to specify the number of logs that...

Страница 841: ...n path yes yes domain a b c d n a b c d Destination IP address yes yes dst ip 0 65535 0 65535 Destination port yes yes dst port yyyymmdd 0 MAX yyyymmdd 0 MAX From Log ID To Log ID no yes log id 1 4294...

Страница 842: ...mmon Filter with Multiple Entries To set a filter that displays all log entries for IDP and EX Series devices type devSvrCli sh log2action filter device family idp junos ex action csv file path tmp mo...

Страница 843: ...ic Filters You can use the following required and optional format specific filters for exporting to XML Meaning Required Multiple CSV Specifies where the system should direct the output For example my...

Страница 844: ...ain Version Policy Rulebase Rule Number Policy ID Action Severity Is Alert Details User App URI Elapsed Secs Bytes In Bytes Out Bytes Total Packets In Packets Out Packets Total Repeat Count Has Packet...

Страница 845: ...estination port nat dst ip nat dst port protocol rule domain rule domain version policy rulebase rulenumber action severity isalert details user str application str uri str elapsed secs bytes in bytes...

Страница 846: ...fy the receiving e mail address for the SMTP log records Yes Yes recipient Specify the sender e mail address No No sender Exporting to syslog The syslog action directs the system to output logs to a s...

Страница 847: ...tion name device family policy id Exporting to a Script The script action directs the system to execute a script use STDIN to pass log records formatted as XML to the script and report output status Y...

Страница 848: ...ts the system to try the action again for the same log When using this filter you must also specify retry interval Specifies the number of seconds until the action is tried again num retries Specifies...

Страница 849: ...ing The Report Manager module in NSM is a powerful and easy to use tool that enables you to generate reports summarizing key log and alarm data originating from the managed devices in your network The...

Страница 850: ...administrators and operations staff interested in tracking and analyzing specific types of information to work only within the group of reports that they need For details on each of the specific repo...

Страница 851: ...801 DI IDP Reports on page 802 Screen Reports on page 803 Administrative Reports on page 804 UAC Reports on page 804 Profiler Reports on page 805 AVT Reports on page 805 SSL VPN Reports on page 805 EX...

Страница 852: ...20 IP addresses that have most frequently been prevented from attacking the network during the last 24 hours Top 20 Attackers Prevented All Attacks last 24 hours 20 IP addresses that have most frequen...

Страница 853: ...s listed in the Profiler over the last 7 days Profiler New Ports last 7 days New Protocols listed in the Profiler over the last 7 days Profiler New Protocols last 7 days The total number of log entrie...

Страница 854: ...es generated by specific rules in your ScreenOS DI policies You can use the Top Rules report to identify those rules that are generating the most log events This enables you to better optimize your ru...

Страница 855: ...tracking Table 116 AVT Reports Description Report Ten applications with highest volume in bytes in the past 24 hours Top 10 Applications by Volume Ten application categories with highest volume in byt...

Страница 856: ...ibing each report refer to the Network and Security Manager Online Help My Reports Once you are comfortable using reports you can create your own custom reports to provide the exact information that y...

Страница 857: ...ecting the corporate DMZ network A Top Attacks report comes predefined in IDP but the report displays attacks on the entire network and you are interested only in the DMZ To create a custom report bas...

Страница 858: ...nd Security Manager Online Help Generating Reports Automatically You can generate scheduled log based reports automatically by using the guiSvrCli sh command line utility located on the NSM GUI Server...

Страница 859: ...iSvr lib scripts for your convenience To use these scripts we recommend that you first copy them to usr netscreen GuiSvr var scripts and then change the permissions on the scripts so that they are bot...

Страница 860: ...sendmail t Directory prefix for report directory my prefix usr netscreen GuiSvr var Report extension type my type html Mail output file Capture sent email in this file dev stdout for screen my mail_o...

Страница 861: ...system and shell for example export NSMPASSWD password c Specify a guiSvrCli command string usr netscreen GuiSvr utils guiSvrCli sh generate reports report global system Top Screen Attacks script ftp...

Страница 862: ...options in each report Report title Report type Columns for the report Time period Data point count Chart type You can also access the Set Report Options dialog by right clicking the chart on each rep...

Страница 863: ...t of log information available Configuring the Data Point Count Typically the top 50 occurrences of each data type are displayed in each report You can configure a report to display more or fewer data...

Страница 864: ...ences option in the Tools menu and select Reports In the New Preference Settings dialog box click in the Enable Warnings check box and use the up and down arrows to specify 1 000 000 as the number of...

Страница 865: ...reports in NSM Example Using Administrative Reports to Track Incidents In this example firewall administrators use the Log Viewer to monitor and investigate log events They are specifically interested...

Страница 866: ...ou are a security administrator responsible for implementing new rules to your firewall rulebase After you have updated the new security policy on the managed security devices in your network you want...

Страница 867: ...nd optimize the rulebases implemented in your security policies Example Using EX Switch Reports to Track Configuration Changes In this example you are a switch administrator responsible for configurin...

Страница 868: ...in the network operations center responsible for tracking potential network attacks You daily generate and track an Attacks By Severity report Over time you notice that the number of critical attacks...

Страница 869: ...ng and configuring these reports refer to the Network and Security Manager Online Help Using the Watch List NSM lets you create and configure both a destination and a source watch list The Destination...

Страница 870: ...Copyright 2010 Juniper Networks Inc 820 Network and Security Manager Administration Guide...

Страница 871: ...ixes Glossary on page 823 Unmanaged ScreenOS Commands on page 849 SurfControl Web Categories on page 851 Common Criteria EAL2 Compliance on page 859 Log Entries on page 861 821 Copyright 2010 Juniper...

Страница 872: ...Copyright 2010 Juniper Networks Inc 822 Network and Security Manager Administration Guide...

Страница 873: ...you through activating a modeled device in the NSM User Interface Add Device Wizard The Add Device wizard guides you through importing or modeling a new device to the NSM User Interface Address Objec...

Страница 874: ...the timeout process returns to normal Antivirus AV Scanning A mechanism for detecting and blocking viruses in File Transfer Protocol FTP Internet Message Access Protocol IMAP Simple Mail Transfer Prot...

Страница 875: ...connectivity to the management system the device rolls back to the last installed configuration This minimizes downtime and ensures that NSM always maintains a stable connection to the managed device...

Страница 876: ...d with the minimal software to support a single network service BGP Neighbor Also known as a BGP Peer BGP is a the Border Gateway Patrol dynamic routing protocol A BGP neighbor is another device on th...

Страница 877: ...m the World Wide Web to provide quicker access to content for users and to increase server security Classless Routing Support for interdomain routing regardless of the size or class of the network Net...

Страница 878: ...tween the configuration running on the physical device and the difference between the configuration in NSM are known as deltas Demilitarized Zone A DMZ is an area between two networks that are control...

Страница 879: ...chemas for configuration inventory management logging and status monitoring DMI schemas can be updated without the need to upgrade NSM DNS The Domain Name System maps domain names to IP addresses Doma...

Страница 880: ...P provides confidentiality to IP datagrams Ethernet Ethernet is a local area network LAN technology invented at the Xerox Corporation Palo Alto Research Center Ethernet is a best effort delivery syste...

Страница 881: ...interface between two GSNs located in different PLMNs GPRS General Packet Radio Service A packet based technology that enables high speed wireless Internet and other data communications GPRS provides...

Страница 882: ...pplication Layer Gateway ALG lets you to secure Voice over IP VoIP communication between terminal hosts such as IP phones and multimedia devices In such a telephony system gatekeeper devices manage ca...

Страница 883: ...the Device Editor on a specific device and not through the central NSM Policy Manager If you select this method to manage policies on a J Series or SRX Series device the NSM Policy Manager Object Mana...

Страница 884: ...networks See also DES CBC ESP AH IP Sweep An IP sweep is similar to a port scan attack Attackers perform IP sweeps by sending ICMP echo requests or pings to different destination addresses and wait f...

Страница 885: ...ead of relying on rumored information from directly connected neighbors as in distance vector protocols each router in a link state system maintains a complete topology of the network and computes SPF...

Страница 886: ...can deploy the GUI Server and Device Server on separate servers however the combination of the two servers is known as the management system Mapped IP Address A MIP is a direct one to one mapping of t...

Страница 887: ...guring a BGP network you need to establish a connection between the current device and a counterpart adjacent device known as a neighbor or peer While this counterpart device may seem like unneeded in...

Страница 888: ...routers do not track sessions except when doing NAT which tracks the session for NAT purposes PDP Packet Data Protocol PDP Context A user session on a GPRS network PDU Protocol Data Unit Peer See Nei...

Страница 889: ...ces in hopes that one port will respond If a remote host scans 10 ports in 0 3 seconds the security device flags this as a port scan attack and drops the connection Preference A value associated with...

Страница 890: ...at one program can use to request a service from a program located in another computer in a network Role Based Administration RBA Role based administration enables you to define strategic roles for yo...

Страница 891: ...s are session table entries ARP cache entries certificates DHCP leases and IPSec Phase 2 security associations SAs S Scheduled Object A schedule object defines a time interval that a firewall rule is...

Страница 892: ...m Service Object Service objects represent the IP traffic types for existing protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined servic...

Страница 893: ...tively predictable and where network design is relatively simple Status Bar The status bar is the lower section of the NSM UI The status bar displays supplemental information Subdomain A subdomain is...

Страница 894: ...cify a complete device configuration The software remembers static routes until you remove them However you can override static routes with dynamic routing information through judicious assignment of...

Страница 895: ...r that supports VPN tunneling the remote user as well as the organization knows that it is a secure connection All remote dial in users are authenticated by an authenticating server at the Internet Se...

Страница 896: ...ir location on a physical subnetwork but through the use of tags in the frame headers of their transmitted data VLANs are described in the IEEE 802 1Q standard Virtual Private Network VPN A VPN is an...

Страница 897: ...ou can configure the security device to scan any incoming Microsoft NetBIOS Session Service packets modify them and record the event as a WinNuke attack Worm A worm is a self replicating attack progra...

Страница 898: ...Copyright 2010 Juniper Networks Inc 848 Network and Security Manager Administration Guide...

Страница 899: ...t this command the security device displays an error message common criteria These commands define environment variables Security devices use environment variables to make special configurations at st...

Страница 900: ...trol MAC address for a security device interface set mac These commands display timer settings or configure a security device to automatically execute management or diagnosis at a specified time All t...

Страница 901: ...r sexually violent text or graphics Bondage fetishes genital piercing Nudist sites that feature nudity Erotic or fetish photography which depicts nudity NOTE We do not include sites regarding sexual h...

Страница 902: ...rugs or abuse of other legal substances Distributing alcohol illegal drugs or tobacco free or for a charge Displaying selling or detailing use of drug paraphernalia NOTE We do not include sites that d...

Страница 903: ...e Beauty and cosmetics Modeling information and agencies Glamour and Intimate Apparel Government services such as taxation armed forces customs bureaus emergency services Local government sites Politi...

Страница 904: ...the group Sets itself outside of society Hate General health such as fitness and wellbeing Medical information about ailments conditions and drugs Medical reference Medical procedures including electi...

Страница 905: ...buying or selling a home Real estate agents Home improvement and inspection sites Real Estate Personal professional or educational reference Online dictionaries maps and language translation sites Cen...

Страница 906: ...rist information Weather bureaus Car Rentals Travel Newsgroups Opinion or discussion forums Weblog blog sites Usenet News Forums Newsgroups Opinion or discussion forums Weblog blog sites Usenet News F...

Страница 907: ...on or poisonous substances Displaying or detailing the use of guns weapons ammunition or poisonous substances Clubs which offer training on machine guns automatics and other assault weapons and or sni...

Страница 908: ...Copyright 2010 Juniper Networks Inc 858 Network and Security Manager Administration Guide...

Страница 909: ...stalled on dedicated systems These dedicated systems must not contain user processes that are not required to operate the NSM software Guidance for Personnel There must be one or more competent indivi...

Страница 910: ...Copyright 2010 Juniper Networks Inc 860 Network and Security Manager Administration Guide...

Страница 911: ...larm Log Entries The Screen category contains the subcategories shown in Table 122 on page 861 Table 122 Screen Alarm Log Entries ScreenOS Message ID Attack Attacks Alert 00017 Address Sweep Attack At...

Страница 912: ...IP Spoof Attack Attacks Alert 00010 Land Attack Attacks Critical 00032 Malicious URL Protection Auth Alert 00003 Multiple Authentications Failed Attacks Emergency 00007 Ping of Death Attack Policies A...

Страница 913: ...30 CPU Usage High DHCP Alert 00029 DHCP Critical 00029 DHCP DNS Critical 00021 DNS Host Interface Critical 00090 Interface Failover Device Critical 00022 Hardware ARP Critical 00031 IP Conflict Loggin...

Страница 914: ...e High Availability Critical 00071 NSRP VSD Master High Availability Critical 00072 NSRP VSD Pbackup OSPF Critical 00206 OSPF Packet Flood RIP Critical 207 RIP Packet Flood OSPF Critical 200 Route add...

Страница 915: ...ther user CHAT AUDIT YMSG FILE SEND sos5 1 0 info This protocol anomaly is a Yahoo Messenger e mail address that exceeds the user defined maximum A Yahoo Messenger server sends an e mail address as pa...

Страница 916: ...EP QTYPE UNEXPECTED sos5 1 0 info This protocol anomaly is a DNS reply with a query reply bit QR that is unset indicating a query This may indicate an exploit attempt DNS AUDIT REP S2C QUERY sos5 1 0...

Страница 917: ...protocol anomaly is a DNS name that exceeds 255 characters This may cause problems for some DNS servers DNS OVERFLOW NAME TOO LONG sos5 1 0 critical This protocol anomaly is a suspiciously large NXT...

Страница 918: ...ignature detects attempts to exploit a vulnerability in a LinkSys Cable DSL router Attackers may submit an overly long sysPasswd parameter within a malicious HTTP request to crash a LinkSys Cable DSL...

Страница 919: ...s users but relative to for users with accounts specifying the actual bin rather than ftp bin Attackers may establish an FTP account on the system and run the site exec command to gain access to the b...

Страница 920: ...crash the service or execute arbitrary code FTP EXPLOIT WIN32 WFTPD BOF sos5 1 0 medium This signature detects an attempt by an attacker to exploit a directory traversal vulnerability in the SunFTP da...

Страница 921: ...ay gain write access remotely create long pathnames and overflow the buffer to gain root access FTP OVERFLOW PATH LINUX X86 1 sos5 0 0 sos5 1 0 critical This signature detects attempts to exploit a re...

Страница 922: ...ccounts using easily guessed passwords FTP PASSWORD COMMON PASSWD sos5 0 0 sos5 1 0 high This signature detects attempts to use the default rootkit password h0tb0x to access a FreeBSD rootkit account...

Страница 923: ...he FTP daemon uses a vulnerable version of GNU ls attackers may send an oversized width parameter to GNU ls to cause the server CPU utilization to temporarily reach 100 and exhaust system memory This...

Страница 924: ...NIX and Linux systems Wu ftpd versions 2 6 1 to 2 6 18 are vulnerable Attackers may send a maliciously crafted pathname in a CWD or LIST command to the FTP server to execute arbitrary commands as root...

Страница 925: ...lear its logs Attackers may use spoofed IP address to send a log clear request without authenticating HTTP 3COM LOG CLEAN sos5 0 0 sos5 1 0 high This signature detects attempts to exploit a vulnerabil...

Страница 926: ...ache HTTP daemon the daemon may require a manual restart HTTP APACHE PHP INVALID HDR sos5 1 0 low By submitting a malformed HTTP GET request to an Apache server using the default configuration supplie...

Страница 927: ...ings in hex code ie 2e 2e 2f in a query to access the remote administration utility password and gain full remote administration abilities HTTP CGI ALTAVISTA TRAVERSAL sos5 1 0 sos5 1 0 high This sign...

Страница 928: ...loit a vulnerability in IkonBoard a popular Web based discussion board Attackers may send a maliciously crafted cookie that contains illegal characters to IkonBoard to execute arbitrary code with Ikon...

Страница 929: ...stem files HTTP CGI WEBSPIRS FILE DISCLSR sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in the YaBB pl CGI script Attackers may view arbitrary files HTTP CGI YABB...

Страница 930: ...ver Attackers may pass a semicolon character to JRun to expose the script source code and other sensitive files HTTP COLDFUSION JRUN SC PARSE sos5 1 0 high This signature detects attempts to exploit a...

Страница 931: ...us Web site appears as the destination IP address HTTP EXPLOIT IE ZONE SPOOF sos5 0 0 sos5 1 0 medium This signature detects illegal characters in a Host header field of an HTTP 1 1 request Attackers...

Страница 932: ...WD REQ sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in the browse asp script supplied with Hosting Controller a tool that allows Microsoft Windows network admini...

Страница 933: ...ects buffer overflow attempts against Microsoft ISAPI Indexing Service for IIS Index Server 2 0 and Indexing Service 2000 in IIS 6 0 beta and earlier versions are vulnerable Attackers may send a long...

Страница 934: ...Microsoft IIS 5 0 Attackers may send malicious PROPFIND requests to the server to crash it HTTP IIS PROPFIND sos5 1 0 medium This signature detects the sadmind IIS worm attempting to infect Microsoft...

Страница 935: ...e parameters on the same line as the request method This may indicate a poorly written Web application or HTTP tunneling HTTP INFO HTTPPOST GETSTYLE This signature detects attempts to bypass directory...

Страница 936: ...his signature detects an attempt to gain unauthorized administrative access to an EmuLive Server4 daemon HTTP MISC EMULIVE ADMIN sos5 0 0 sos5 1 0 medium This signature detects denial of service DoS a...

Страница 937: ...his signature detects denial of service DoS attempts that exploit the Web Publishing REVLOG command in Netscape Enterprise Server 3 x HTTP NETSCAPE ENTERPRISE DOS sos5 0 0 sos5 1 0 medium This signatu...

Страница 938: ...ength header HTTP OVERFLOW CONTENT LENGTH sos5 1 0 medium DI has detected a suspiciously long Content Location header HTTP OVERFLOW CONTENT LOCATION sos5 1 0 medium DI has detected a suspiciously long...

Страница 939: ...D ROOT OF sos5 0 0 sos5 1 0 medium This signature detects denial of service DoS attempts against Pi3Web Server Attackers may send a URL with more than 354 Slashes to crash the server HTTP OVERFLOW PI3...

Страница 940: ...ttackers may bypass user authorization to gain administrative privileges HTTP PHP GALLERY EMBED AUTH sos5 1 0 high This signature detects attempts to exploit a vulnerability in Gallery a Web based pho...

Страница 941: ...rative password of the board without user verification and access restricted files on the local system HTTP PHP PHORUM ADMIN PW CHG sos5 0 0 sos5 1 0 high This signature detects access to the vulnerab...

Страница 942: ...m This signature detects attempts to exploit a vulnerability in PHP Nuke AttackersmayexecutearbitrarySQLcommands on a Web server HTTP PHP PHPNUKE CID SQL INJECT sos5 0 0 sos5 1 0 medium This signature...

Страница 943: ...included with the VBulletin package Attackers may run the vbull c exploit to execute arbitrary commands with Web Server user permissions HTTP PHP VBULL CAL EXEC sos5 0 0 sos5 1 0 medium Any user on th...

Страница 944: ...nerable Internet Explorer users may use these malicious URLs to evade web proxies and gain direct access to the internet HTTP PROXY DOUBLE AT AT sos5 0 0 sos5 1 0 medium This signature detects attempt...

Страница 945: ...a SQL injection attack However it may be a false positive Some attempts at Cross Site Scripting attacks will also trigger this signature HTTP SQL INJECTION GENERIC sos5 0 0 sos5 1 0 medium This signat...

Страница 946: ...e detects the download of a maliciously crafted WinAmp playlist file Using WinAmp to open this file may execute arbitrary code HTTP STC WINAMP CDDA OF2 sos5 1 0 medium This signature detects attempts...

Страница 947: ...sion 1 0 and earlier are vulnerable Attackers may navigate to any directory on the server HTTP WASD DIR TRAV sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in Bea...

Страница 948: ...e information such as usernames passwords credit card numbers social security numbers bank accounts etc HTTP XSS HTML SCRIPT IN URL PRM sos5 1 0 medium This signature detects cross site scripting atta...

Страница 949: ...ly is an IMAP reference field that is too long This may indicate a buffer overflow attempt IMAP OVERFLOW REFERENCE sos5 0 0 sos5 1 0 high This protocol anomaly is an IMAP tag field that is too long Th...

Страница 950: ...EPM WRONG RHS LEN sos5 1 0 high This protocol anomaly is an EPM message with a tower length that is inconsistent with message s LHS and RHS lengths MS RPC ERR EPM WRONG TOWER LEN sos5 1 0 medium This...

Страница 951: ...This protocol anomaly is too many DCE RPC ISystemActivate requests Excessive requests can cause a denial of service DoS in the RPCSS module MS RPC MSRPC ISYSACTIVATE RACE sos5 1 0 medium This signatur...

Страница 952: ...protocol anomaly is label for the second level encoding of a Netbios name that contains a pointer NETBIOS NBDS BAD_LABEL_FORMAT sos5 1 0 medium This protocol anomaly is an invalid first level encodin...

Страница 953: ...TBIOS NBNS INVALID HDR Z sos5 1 0 high This protocol anomaly is a label for the second level encoding of a Netbios name that has a label length larger than 63 or the label is the first label and the l...

Страница 954: ...protocol anomaly is a Gnutella message with a payload type that is not defined in the Gnutella RFC P2P AUDIT GNUTELLA MESSAGE sos5 1 0 info This protocol anomaly is a Gnutella message with a payload l...

Страница 955: ...use of the Direct Connect Plus Plus DC file sharing client P2P DC DC PP ACTIVE sos5 1 0 info This signature detects version checks by eDonkey 2000 a peer to peer file sharing client The eDonkey clien...

Страница 956: ...e vulnerable Attackers may send a maliciously crafted DELE or UIDL request to the POP3 daemon to crash the POP3 SMTP and IMAP services POP3 DOS MDAEMON POP DOS sos5 1 0 high This protocol anomaly is a...

Страница 957: ...EXT DOT CMD sos5 1 0 medium This signature detects e mail attachments with the extension com received via POP3 This may indicate an incoming e mail virus COMs executable files contain one or more scr...

Страница 958: ...ved using POP3 This may indicate an incoming e mail virus HTA files are HTML application files that can be executed by a web browser Generally HTA files are not sent via e mail As a general network se...

Страница 959: ...s this may indicate an incoming e mail virus Attackers may create malicious scripts tricking users into executing the file and infecting the system POP3 EXT DOT MDB sos5 1 0 high This signature detect...

Страница 960: ...ers may create malicious entries tricking users into executing the file and infecting the system POP3 EXT DOT REG sos5 1 0 high This signature detects e mail attachments with the extension scr sent vi...

Страница 961: ...malicious scripts tricking the user into executing the file and infecting the system POP3 EXT DOT WSC sos5 1 0 high This signature detects e mail attachments with the extension wsf received via POP3 T...

Страница 962: ...s POP3 OVERFLOW BOUNDARY_OVERFLOW sos5 0 0 sos5 1 0 high This protocol anomaly is a POP3 command that exceeds 4 bytes the standard length for a POP3 command This may indicate a nonstandard POP3 client...

Страница 963: ...other attacks SCAN AMAP FTP ON HTTP sos5 1 0 low This signature detects the scanner tool AMAP made by The Hacker sChoice THC AttackersmayuseTHC AMAPduring their initial reconnaissance to determine se...

Страница 964: ...s PACKETS for a HP UX PA RISC instruction sequence common in buffer overflow exploits You may want to apply this signature to all non TCP traffic to your HP UX servers SHELLCODE HP UX HP NOOP 2 PKT so...

Страница 965: ...SMBFS implemented in the Linux kernel Kernels 2 4 and 2 6 are vulnerable Attackers may gain root access on the target host SMB EXPLOIT LINUX TRANS2 OF sos5 1 0 medium This protocol anomaly is an empty...

Страница 966: ...NETBIOS names are 16 bytes and may encode to a maximum of 34 bytes SMB NETBIOS INV SNAME LEN sos5 1 0 medium This signature detects attempts to remotely access the Windows registry Attackers may use a...

Страница 967: ...hich can lead to remote code execution SMTP EMAIL EUDORA SPOOF3 sos5 1 0 medium This signature detects attempts to spoof an e mail attachment Eudora Windows 6 2 0 7 and earlier versions are vulnerable...

Страница 968: ...an e mail message with an empty charset value in the MIME header to cause a denial of service DoS SMTP EXCHANGE DOS sos5 1 0 high This protocol anomaly is a BDAT command that is not chunk size SMTP EX...

Страница 969: ...ripts tricking users into executing the macros and infecting the system SMTP EXT DOT ADP sos5 1 0 medium This signature detects e mail attachments that have the extension bas and were sent via SMTP Be...

Страница 970: ...nature detects GRP files sent over SMTP GRP files can contain Windows Program Group information and may be exploited by malicious users to deposit instructions or arbitrary code on a target s system U...

Страница 971: ...infecting the system SMTP EXT DOT JSE sos5 1 0 medium This signature detects e mail attachments that have the extension lnk and were sent via SMTP Because LNKs Windows link files can point to any prog...

Страница 972: ...TP EXT DOT PCD sos5 1 0 medium This signature detects e mail attachments with the extension pif sent via SMTP This may indicate an incoming e mail virus PIFs Program Information Files are standard Mic...

Страница 973: ...cute arbitrary code SMTP EXT DOT WMF sos5 1 0 medium This signature detects e mail attachments with the extension wsc sent via SMTP This may indicate an incoming e mail virus WSCs Windows Script Compo...

Страница 974: ...eds actual multipart data all data is processed but unfinished boundary delimiters exist SMTP INVALID UNFIN MULTIPART sos5 0 0 sos5 1 0 high This signature detects attempts to send shell commands via...

Страница 975: ...of SQLsnake a MSSQL worm SQLsnake infects Microsoft SQL Servers that have SA administrative accounts without passwords The worm sends a password list and other system information via e mail to ixltd p...

Страница 976: ...maliciously crafted SMTP messages to execute arbitrary code at the same privilege level as the target typically a user Note Systems that typically carry non English e mail messages should not include...

Страница 977: ...thin specified mail to and or rcpt to e mail addresses to cause Sendmail to reroute data to another program attackers receive a 550 error message SMTP RESPONSE PIPE FAILED sos5 1 0 medium This signatu...

Страница 978: ...nds spam from an infected host machine TROJAN PHATBOT FTP CONNECT sos5 0 0 sos5 1 0 high This signature detects the string nongmin_cn within an SMTP header from field sent from a remote system to loca...

Страница 979: ...a upon reboot VIRUS POP3 FIX2001 sos5 1 0 high This signature detects e mail attachments named Link vbs sent via POP3 This may indicate the VBS Freelink e mail virus is attempting to enter the system...

Страница 980: ...soft Outlook preview pane once triggered the CHM file runs myromeo exe in the background Myromeo exe obtains e mail addresses from the Microsoft Outlook database sends infected e mail messages to all...

Страница 981: ...lated files Nimda then obtains e mail addresses and sends infected messages to all addresses found using its own SMTP server VIRUS POP3 NIMDA sos5 1 0 critical This signature detects e mail attachment...

Страница 982: ...irus does not carry a payload and is apparent only through a video effect VIRUS POP3 SIMBIOSIS sos5 1 0 critical This signature detects e mail attachments named Suppl doc sent via POP3 This may indica...

Страница 983: ...POP3 TOADIE sos5 1 0 high This signature detects e mail attachments named 666test vbs sent via POP3 This may indicate the e mail virus TripleSix is attempting to enter the system The executed file di...

Страница 984: ...POP3 This may indicate the e mail virus Zelu is attempting to enter the system disguised as the utility ChipTec Y2K Freeware Version The executed file scans available directories corrupts writeable f...

Страница 985: ...e mail virus Nail to enter the system When executed the virus assigns the Microsoft Word auto dot template to a template located on an attacker Web site enabling the attacker to upload new virus code...

Страница 986: ...F SMTP sos5 0 0 sos5 1 0 high This signature detects the Berbew worm as it uploads keylogger information to a listening post Berew monitors user keystrokes for financial data and reports that informat...

Страница 987: ...il attachments containing the W32 Sobig E worm sent via SMTP WORM EMAIL W32 SOBIG E sos5 1 0 high This signature detects the Mimail A worm attachment in SMTP traffic After infecting a Windows based ho...

Страница 988: ...TTP WORM NIMDA MSADC ROOT sos5 1 0 medium This signature detects attempts to create EML files on the system a common sign of the NIMDA worm The worm browses remote directories and creates EML files th...

Страница 989: ...ew targets for infection The source IP of this log is likely infected with a variant of Santy WORM SANTY GOOGLE SEARCH sos5 1 0 high This signature detects a machine infected with the Santy worm attem...

Страница 990: ...DIP DNS Notification 00004 DNS DNS Notification 00029 DNS REP System Notification 00023 Erase System Notification 00006 Hostname Interface Notification 00009 Interface MIP Notification 00021 MIP High...

Страница 991: ...tion 00026 SSH SSL Notification 00035 SSL Syslog and WebTrends Notification 00019 Syslog High Availability Notification 00050 Track IP WEB Filtering Notification 00013 URL User Notification 00014 User...

Страница 992: ...tion 00553 Configuration Size N A Device Connect N A Device Disconnect DHCP Information 00530 DHCP CLI DNS Information 00004 DHCP DNS System Information 00767 Generic VIP Notification 00533 VIP Svr Up...

Страница 993: ...ation 00533 VIP Server Status DHCP Information 00527 DHCP Server Status NOTE For security devices running ScreenOS 5 0 x or higher Network and Security Manager does not generate information logs for d...

Страница 994: ...warded prohibited state invalid rate limited or tunnel limited Interface vsys or vrouter name if applicable For log entries generated by GTP objects with Extended logging enabled you can view the foll...

Страница 995: ...PART 6 Index Index on page 947 945 Copyright 2010 Juniper Networks Inc...

Страница 996: ...Copyright 2010 Juniper Networks Inc 946 Network and Security Manager Administration Guide...

Страница 997: ...te 76 audit logs 76 auditable activities 76 authentication server 76 AV pattern 76 backdoor rulebase 76 blocked IP 76 CA 76 catalog objects 76 channel 77 CLI based reports 77 CLI based security update...

Страница 998: ...84 supplemental CLIs in devices and templates 85 SYNProtector rulebase 85 system status monitor view 85 system URL categories 85 template operations 85 traffic signature rulebase 85 troubleshoot devi...

Страница 999: ...ntext 349 custom signature service binding 343 custom signature stream 256 context 350 custom signature stream context 350 custom signature supported services 345 custom signature TCP header matches 3...

Страница 1000: ...ing Junos 233 configuring SRX Series 233 editing the configuration 232 IDP adding 152 Infranet Controller adding 152 Infranet Controller importing 154 J Series activating 157 J Series adding 155 J Ser...

Страница 1001: ...ng 699 Data Model defined 304 importing 307 updating 305 data model defined 829 data origination icons 190 data point count configuring 772 813 data types 771 Deep Inspection activating subscription o...

Страница 1002: ...132 adding multiple with CSV file 168 adding multiple with discovery rules 166 configuring 185 EX Series activating 134 136 EX Series importing 116 124 extranet adding 150 IDP sensors activating 135 I...

Страница 1003: ...484 exempt rules configuring attacks 485 configuring from the Log Viewer 486 configuring match columns 485 configuring source and destination 485 entering comments 486 expanded VPN view 544 576 expor...

Страница 1004: ...ng 510 deny action 447 disabling 510 negating source or destination 444 permit action 446 reject action 447 reject action changed to deny 504 rule groups 510 using MIPs as source or destination 444 VP...

Страница 1005: ...ctivating with dynamic IP address 135 IKE proposals 422 IMSI prefix filter 380 information banner 57 information logs report 802 Infranet Controller clusters adding 152 importing 154 Infranet Controll...

Страница 1006: ...ice from Log Viewer 766 list key parameters in templates 208 local attack object update 286 local user groups 399 local users 556 log actions about 787 csv 787 e mail 788 SNMP 787 syslog 787 xml 788 l...

Страница 1007: ...7 generating a Quick Report 815 hiding and moving columns 762 integration with reports 814 linking to a device 766 log categories 758 log entry event details 753 log ID 758 log sub categories 758 pred...

Страница 1008: ...bal 410 NAT Traversal 569 navigation tree 24 negating source or destination in firewall rules 444 NetScreen Redundancy Protocol See NSRP network honeypot rules configuring services 499 NetworkProfiler...

Страница 1009: ...tack pattern syntax 348 custom signature attacks false positive setting 343 custom signature attacks first packet context 349 custom signature attacks IP header matches 351 custom signature attacks IP...

Страница 1010: ...t profiles 703 customizing preferences 705 data viewer 708 709 filtering and sorting 712 MAC view area 715 operations on devices without IDP rules 705 setting up 701 settings 702 starting 705 stopping...

Страница 1011: ...Logs 801 Top Information Logs 802 Top Rules 804 Top Self Logs 802 Top Targets Screen 804 Top Traffic Alarms 801 Top Traffic Log 801 Unified Access Control UAC 804 using to optimize rulebases 816 using...

Страница 1012: ...5 using 721 usingt 724 views 721 Security Monitor about 27 using 699 security policies 429 about 28 430 assigning to a device 501 changing rule order 508 cut copy paste 508 device policy pointers 511...

Страница 1013: ...tatic NAT policy 539 statistics Ethernet 740 flow 740 policy 740 status bar 25 storing log files 784 stream 256 context for custom attack object 350 stream context for custom attack object 350 sub cat...

Страница 1014: ...ce viewing 658 traffic log report 801 traffic shaping about 449 DSCP class selector 450 mode 450 troubleshooting sending commands to device 674 Trust Untrust port mode 105 Trust Untrust DMZ port mode...

Страница 1015: ...configuring topology 566 configuring topology full mesh 568 configuring topology hub and spoke 566 configuring topology main and branch 567 configuring topology site to site 568 configuring XAuth 569...

Страница 1016: ...all rules 454 create custom category 373 custom Web categories 454 permissions to update Web categories 79 predefined Web categories 374 454 SurfControl CPA Integrated in rules 454 SurfControl SCFP We...

Отзывы:

Нет отзывов

Похожие инструкции для NETWORK AND SECURITY MANAGER 2010.3

Бренд: Canon Страницы: 2

CLX 6210FX - Color Laser - All-in-One

Бренд: Samsung Страницы: 65

4116 - SCX B/W Laser

Бренд: Samsung Страницы: 16

Бренд: Halcro Страницы: 12

ADMINISTRATION KIT 6.0

Бренд: KAPERSKY Страницы: 115

Бренд: NAPCO Страницы: 1

Бренд: R&S Страницы: 262

DATA SYNCHRONIZER - UPDATE 1

Бренд: Novell Страницы: 9

AMIGOPOD 0.99.35

Бренд: AMIGOPOD Страницы: 23

Бренд: AMIGOPOD Страницы: 47

Бренд: FarmerGPS Страницы: 60

D:Scribe Standalone

Бренд: Sonifex Страницы: 32

AURORA INGEST 7

Бренд: GRASS VALLEY Страницы: 4

Бренд: GRASS VALLEY Страницы: 42

Бренд: GRASS VALLEY Страницы: 60

507B1-90A211-1301 - NavisWorks Manage 2010

Бренд: Autodesk Страницы: 472

Бренд: UMAX Technologies Страницы: 127

WISMO Quik Q2501

Бренд: Wavecom Страницы: 79

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды