
Attack object: SMTP:OVERFLOW:SENDMAIL-MIME-OF
Versions: sos5.1.0
Severity: critical
Description: This signature detects buffer overflow attempts against
Sendmail. Sendmail versions 8.8.0 and 8.8.1 are vulnerable.
Attackers may embed a maliciously crafted MIME header in
an e-mail to overflow a buffer in Sendmail and execute
arbitrary commands as root.

Attack object: SMTP:OVERFLOW:SQRLMAIL-HDR-INJ
Versions: sos5.1.0
Severity: medium
Description: This signature detects SMTP messages with Base-64
encoded headers. SquirrelMail 1.4.3a and earlier versions do
not correctly sanitize SMTP headers. Attackers may send
maliciously crafted SMTP messages to execute arbitrary
code at the same privilege level as the target (typically user).
Note: Systems that typically carry non-English e-mail
messages should not include this attack object in their
security policy.

Attack object: SMTP:OVERFLOW:TOO-MANY-RCPT
Versions: sos5.0.0, sos5.1.0
Severity: medium
Description: This protocol anomaly is triggered by too many 'RCPT TO:'
recipients in a single SMTP connection. This may indicate a very
popular e-mail message or a DoS/buffer overflow attempt.

Attack object: SMTP:REQERR:REQ-SYNTAX-ERROR
Versions: sos5.1.0
Severity: medium
Description: This protocol anomaly is triggered by an SMTP command line
or header line that cannot be parsed because the ':' is missing.
This may indicate a nonstandard e-mail client or server, or a
backdoor/exploit attempt.

Attack object: SMTP:RESPONSE:PIPE-FAILED
Versions: sos5.1.0
Severity: high
Description: This signature detects SMTP server responses that are
generated when an unsuccessful attempt is made to send
shell commands via an SMTP e-mail message by exploiting
the pipe (|) passthrough vulnerability in Sendmail. If the '|'
operator was used within the specified "mail to" and/or "rcpt
to" e-mail addresses to cause Sendmail to reroute data to
another program, attackers receive a '550' error message.

Attack object: SMTP:SAGTUBE-DOS
Versions: sos5.1.0
Severity: medium
Description: This signature detects character strings within an e-mail
message that are designed to exploit a vulnerability in
SpamAssassin. SpamAssassin Project SpamAssassin 2.63
and earlier are vulnerable. SpamAssassin uses a weighting
system to determine when an e-mail message is spam.
Attackers may send a maliciously crafted e-mail with a
spoofed address to cause SpamAssassin to consider all
further e-mail from the spoofed address as spam, regardless
of the target's whitelist settings. After the malicious e-mail
has been received by the target, SpamAssassin blocks all
e-mails from the spoofed address.

Attack object: SMTP:SENDMAIL:ADDR-PRESCAN-ATK
Versions: sos5.0.0, sos5.1.0
Severity: high
Description: This signature detects attempts to exploit a vulnerability in
Sendmail SMTP server versions prior to 8.12.9. Because the
prescan() procedure that processes e-mail addresses in
SMTP headers does not perform some char and int
conversions correctly, attackers may send a maliciously
crafted request to corrupt the Address Prescan Memory on
a Sendmail SMTP server and execute arbitrary code.

Attack object: SMTP:SENDMAIL:SENDMAIL-FF-OF
Versions: sos5.0.0, sos5.1.0
Severity: high
Description: This signature detects attempts to exploit a vulnerability in
Sendmail versions 8.12.8 and earlier. Under certain
conditions, the Sendmail address parser does not perform
sufficient bounds checking when converting char to int.
Attackers may use this exploit to gain control of the server.

937

Copyright © 2010, Juniper Networks, Inc.

Appendix E: Log Entries


Страница 144: ...P address Click OK to log in The NSM navigation tree and main display area appear Because the customer administrator account has permission only for viewing and reports the UI displays only the module...

Страница 145: ...PART 2 Integrating Adding Devices on page 97 Configuring Devices on page 187 Updating Devices on page 243 Managing Devices on page 265 95 Copyright 2010 Juniper Networks Inc...

Страница 146: ...Copyright 2010 Juniper Networks Inc 96 Network and Security Manager Administration Guide...

Страница 147: ...ScreenOS releases 5 0r11 5 1r4 5 2r3 5 3r10 5 4r11 6 0r2 6 1r4 6 2 and 6 3 Before you can manage a device with NSM you must add the device to the management system NSM supports adding individual devic...

Страница 148: ...lowing types of devices Physical devices Importing Devices on page 112 and Modeling Devices on page 130 later in this chapter provide details on how to add an existing or new device into NSM These dev...

Страница 149: ...the device status After adding the device you must verify the device configuration Determine Device Status How you add your devices to the management system depends on the network status of the devic...

Страница 150: ...of the device configuration running on the physical device This summary is known as a Get Running Config summary Managing the Device After adding a device you can manage its configuration objects and...

Страница 151: ...If you modify a device that supports centralized policy management and import or reimport the device into NSM a new policy is automatically created using the following naming syntax device_1 Each new...

Страница 152: ...e process Selecting the Domain Determine the domain in which you want to place the device A domain is a logical grouping of devices device security policies and device access privileges NSM includes a...

Страница 153: ...adding a single security device use the Add Device wizard to create the device object in NSM To activate a modeled device or create a configlet use the Activate Device wizard You can import or model...

Страница 154: ...e adding to NSM are running a supported version of the OS For example NSM no longer supports devices running 4 x or earlier versions of ScreenOS If you are not running a supported version you must upg...

Страница 155: ...ough 4 to the Trust interface which is bound to the Trust security zone Home Work Port Mode Home Work mode binds interfaces to the Untrust security zone and to Home and Work security zones The Home an...

Страница 156: ...primary interface See Figure 27 on page 106 for port interface and zone bindings Figure 27 Dual Untrust Port Mode Bindings This mode provides the following bindings Binds the Untrusted Ethernet port t...

Страница 157: ...y interface to the Untrust security zone Binds the Ethernet ports 3 and 2 to the ethernet2 interface which is bound to the Home zone Binds Ethernet port 1 to the ethernet1 interface which is bound to...

Страница 158: ...serial interface which you can bind as a backup interface to the Untrust security zone Trust Untrust DMZ Extended Mode Trust Untrust DMZ Extended mode binds interfaces to the Untrust Trust and DMZ se...

Страница 159: ...ScreenOS 5 1 and later See Figure 31 on page 109 for port interface and zone bindings Figure 31 DMZ Dual Untrust Port Mode This mode provides the following bindings Binds the Ethernet ports 1 and 2 to...

Страница 160: ...ome Work Mode Trust Untrust Mode Port Zone Interface Zone Interface Zone Interface Untrust ethernet3 Untrust ethernet3 Untrust Untrust Untrusted Trust ethernet1 Work ethernet1 Trust Trust 1 Trust ethe...

Страница 161: ...Supported Add Device Workflows by Device Family Table 22 on page 111 summarizes the methods or workflows you can use to add devices from each supported device family Table 22 Supported Add Device Work...

Страница 162: ...0 or later Junos 9 0 or later SA 6 2 or later or IC 2 2 or later When importing from a device the management system connects to the device and imports Data Model DM information that contains details o...

Страница 163: ...e interface that has an IP address Devices that use a dynamically assigned IP address must also support NACN The device must be operating in the desired port mode You cannot change the operational mod...

Страница 164: ...formation verify that the device type ScreenOS version and the device serial number are correct NSM autodetects the hostname configured on the device and uses it as the device name You can also change...

Страница 165: ...s with it Refer to the IDP NetScreen Security Manager Migration Guide for more information You need to upgrade unmanaged Sensors to 4 0 or later before adding them to NSM See the IDP Installer s Guide...

Страница 166: ...atus mouse over the device in Device Manager you can also check configuration status in Device Monitor The device status displays as Managed indicating that the device has connected and the management...

Страница 167: ...evice name or can enter a new name in the text box provided 10 Click Next to add the device to NSM 11 After the device is added click Next to import the device configuration 12 Click Finish to complet...

Страница 168: ...tected device information verify that the device type OS version and the device serial number are correct The wizard also detects the hostname configured on the device You can either use the hostname...

Страница 169: ...be executed on the device to connect to NSM The commands enable management and set the management IP address to the Device Server IP address enable the Management Agent set the Unique External ID and...

Страница 170: ...e the IDP Installer s Guide for more information To import an IDP 4 0 device with an unknown IP address follow these steps 1 From the domain menu select the domain in which to import the device 2 In D...

Страница 171: ...mported configuration To check the device configuration status mouse over the device in Device Manager you can also check configuration status in Device Monitor The device status displays as Managed i...

Страница 172: ...interface settings DNS settings and password 2 Select Authentication Auth Servers and enter the username and password of the NSM administrator in the applicable authentication server NOTE Onlypassword...

Страница 173: ...rm the following tasks on the Specify Device Admin User Name Password and One Time Password screen a Make a note of the unique external ID The device administrator will need it to configure connectivi...

Страница 174: ...in SSH transport layer interactions to set up an encrypted tunnel NSM authenticates itself to the device based on user name and password Confirm Connectivity and Import the Device Configuration into N...

Страница 175: ...ps 1 Connect the device to the network and configure one of the interfaces so that the device can reach the NSM device server 2 Add a user for NSM that has full administrative rights For complete deta...

Страница 176: ...rator user name and password for the SSH connection This name and password must match the name and password already configured on the device c Specify the First Connection One Time Password OTP that a...

Страница 177: ...g the commit operation ensures that NSM connects to the backup Routing Engine following failover of the master Routing Engine The device software initiates the TCP connection to NSM and identifies its...

Страница 178: ...ce check the status of that device in Device Monitor located in Realtime Monitor The imported device should display a configured status of Managed and a Connection status of Up indicating that the dev...

Страница 179: ...tion summaries to help you manage device configurations and prevent accidental misconfiguration Use configuration summaries after you import a device to ensure that the management system imported the...

Страница 180: ...To get the Running Config summary from the Device Manager launchpad click Device Config Options Get Running Config You see a list of devices to which you have access Select the device you just importe...

Страница 181: ...odel Device and then click Next 5 In the Specify Name Color OS Name Version and Platform screen enter the following information Enter a name and select a color to represent the device in the UI In the...

Страница 182: ...aces that is available for import You can create a configuration for the device object in NSM and then install that configuration on the device NOTE When modeling a NetScreen 500 5000 series or ISG se...

Страница 183: ...out of band method 5 After NSM autodetects the device click Next to activate the device in NSM 6 Click Update Now to update the configuration on the device with the settings from the modelled device...

Страница 184: ...update is complete the device status displays as Managed indicating that the device has connected and the management system has successfully pushed the device configuration Junos Devices To activate a...

Страница 185: ...plays as Managed indicating that the device has connected and the management system has successfully pushed the device configuration Devices with Dynamic IP Addresses A dynamic IP address is an IP add...

Страница 186: ...has not pushed the device configuration yet 10 Update the device configuration by right clicking the device and selecting Update Device The Job Information box displays the job type and status for th...

Страница 187: ...ord The device administrator will need it to configure the connectivity between the device and NSM NOTE All passwords handled by NSM are case sensitive d Click Finish to complete the Add Device wizard...

Страница 188: ...and password d In the Device List verify the connection status of the newly added device The status changes from Never connected to Up If the configuration status is platform mismatch you selected th...

Страница 189: ...trust nsHSC Home Work nsHSC Trust Untrust ns204 ns208 ns25 ns50 ns5GT Combined ns5GT Dmz Dual Untrust ns5GT Dual Untrust ns5GT Extended ns5GT Home Work ns5GT Trust Untrust ns5GTadsl Extended ns5GTadsl...

Страница 190: ...like any other security device in NSM NOTE If you delete the security device from the NSM system and then add the device again you must also re create the configlet and install it on the physical devi...

Страница 191: ...tically selects the interface on the device that will connect to the NSM management system This interface is determined by the device platform and cannot be changed Select the Device Server connection...

Страница 192: ...a private virtual circuit the service provider assigns a static IP address for the ADSL interface Routed PDUs enable the NetScreen 5GT ADSL device to exchange routing information with another router t...

Страница 193: ...nt Getting Started Guide This guide provides step by step instructions for connecting a security device to the network preparing the device to use a configlet and installing and running the configlet...

Страница 194: ...the WebUI cannot load the configlet To restore the factory defaults on the firewall device see the user s guide that came with your security device 5 Ensure that the Status LED on firewall device dis...

Страница 195: ...your PPPoA account 6 Click Next to initiate the connection to NSM The security device connects to the NSM Device Server During this first connection the device and the NSM Device Server exchange authe...

Страница 196: ...uring this combined operation both results Delta Config and Update Device are available to you by selecting View Device Delta Config if you have the appropriate administrator rights Otherwise you can...

Страница 197: ...eges 1 In the main navigation tree select Device Manager Devices 2 From the Device Manager launchpad select Update Device to open the Update Device s dialog box listing all connected and managed devic...

Страница 198: ...orting vsys devices is a two stage process Import the root device To import the root device use the Add Device wizard to add the root device to the appropriate domain For details see Importing Devices...

Страница 199: ...eck the configuration status in Device Monitor The device status displays as Managed indicating that the vsys has connected and the management system has successfully imported the vsys configuration M...

Страница 200: ...device status Check the configuration status by holding your mouse cursor over the device in Device Manager or by checking the configuration status in Device Monitor Ensure that the configuration stat...

Страница 201: ...0 and later For details on configuring these vsys modes see Network and Security Manager Configuring ScreenOS and IDP Devices Guide Adding an Extranet Device An extranet device is a firewall or VPN de...

Страница 202: ...at identifies the family of devices d Platform Select the device platform for all cluster members e Some ScreenOS devices only Mode Select the Port mode See Determining Port Mode ScreenOS Devices Only...

Страница 203: ...with no configuration or security policy you should 1 Create the cluster 2 Add the existing device by importing The Add Device Wizard automatically imports the device configuration 3 Add the new devic...

Страница 204: ...IP addresses NSM does not support importing Secure Access or Infranet Controller cluster members with static IP addresses NOTE Adding a cluster and adding a cluster member have no effect on the cluste...

Страница 205: ...the rest of the configuration A stub is placed in the device configuration tree instead If you need to manage these files in NSM you must import them later as shared objects and then create links to t...

Страница 206: ...stem J Series as the Junos OS Type a platform name and managed OS version You add cluster members one at a time in a similar manner to adding standalone devices You can add and import devices with dyn...

Страница 207: ...ers into a cluster ensure that you add the secondary member before you add the primary member 4 On each cluster member device configure and activate the NSM agent and establish an SSH session with NSM...

Страница 208: ...Use the configuration group mechanism to configure any member specific data See Configuring Devices on page 187 for details about configuring clusters and configuration groups Activating and Updating...

Страница 209: ...Cluster Members on page 160 Importing the Cluster configuration on page 161 Adding the Cluster Add a new cluster to NSM as follows 1 Select Device Manager Devices and then click the Add icon and sele...

Страница 210: ...ice administrator will need it to connect the device to NSM h Check the Keep Adding Cluster Members box to add another cluster member The Finish button changes to the Next button i Click Next and repe...

Страница 211: ...s 2 Right click SA Cluster the cluster name and select Import Device from the list NSM starts a job to import the configuration A job window reports the progress of the job When the job finishes the c...

Страница 212: ...2 In the New Cluster Member dialog box enter a name and color for the cluster member and select the Model Device radio button 3 Check the Keep Adding Other Cluster Members box and leave the Member ID...

Страница 213: ...ce 6 Leave the Keep Adding Other Cluster Members box unchecked 7 Set the Member ID to 1 Figure 36 Adding the Second Member to a J Series Cluster 8 Click Finish If you expand the cluster icon in the De...

Страница 214: ...figure and activate the connectivity with NSM a Log on to the J Series router b At the command line prompt identify the management system by device name device ID and HMAC For devices running the or 9...

Страница 215: ...iguration 5 Repeat Step 4 for the second cluster member J 2 Updating the Cluster After you have modeled the cluster configuration you can push the new configuration to the physical cluster using the U...

Страница 216: ...the following information For Name enter Paris Cluster For OS Name select ScreenOS IDP For Platform select ns5400 For OS Version select 5 1 d Click OK to save the new cluster object 2 Add cluster memb...

Страница 217: ...fault Vrouter and then click Next to continue e Click Finish to add the new vsys cluster device 4 Add the second vsys cluster device a Click the Add icon and select Vsys Device The new vsys device dia...

Страница 218: ...tings which you also configure as part of the rule Devices that match the rules for discovery also present an SSH key for your verification before the device is added to NSM Adding a Device Discovery...
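The SSH key that a discovered device presents is only worth anything if it is compared against a fingerprint recorded out of band (from the console or the asset inventory), rather than accepted because the address matched a discovery rule. The following is an added example, not code from the NSM guide or from Juniper: it computes the OpenSSH-style SHA256 fingerprint of a public key line (unpadded base64 of SHA-256 over the decoded key blob, the value `ssh-keygen -lf` prints) and compares it in constant time with the recorded value. The ed25519 keys it builds are constructed sample data, not real device keys, and the helper that assembles them exists only so the example runs offline.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(payload: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(payload)) + payload


def ed25519_pubkey_line(raw_key: bytes) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob>' line from 32 raw key bytes.

    Only used here to construct sample keys; a real device presents its own key."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def sha256_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint of a public key line, e.g. 'SHA256:abc...'.

    This is the unpadded base64 of SHA-256 over the decoded key blob, which is what a
    key-verification prompt shows and what should be written down at install time."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64>' in the public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob must begin with the declared key type; reject a line whose label lies.
    (declared_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + declared_len] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match the declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(presented_line: str, recorded_fingerprint: str) -> bool:
    """Compare the fingerprint of the key a discovered device presents with the one recorded
    out of band. A malformed key is a mismatch, never an exception the caller might ignore."""
    try:
        presented = sha256_fingerprint(presented_line)
    except ValueError:
        return False
    # Constant-time comparison so timing does not reveal how many leading characters matched.
    return hmac.compare_digest(presented, recorded_fingerprint)


# Constructed sample data: not real device keys.
GENUINE_KEY = ed25519_pubkey_line(bytes(range(32)))
RECORDED_FINGERPRINT = sha256_fingerprint(GENUINE_KEY)   # what the operator recorded at install time
# A key differing in one byte, as a different box answering on the same IP would present.
IMPOSTOR_KEY = ed25519_pubkey_line(bytes(range(31)) + b"\xff")


if __name__ == "__main__":
    print("recorded:", RECORDED_FINGERPRINT)
    print("genuine accepted:", host_key_matches(GENUINE_KEY, RECORDED_FINGERPRINT))
    print("impostor accepted:", host_key_matches(IMPOSTOR_KEY, RECORDED_FINGERPRINT))
```

The point of the type check inside `sha256_fingerprint` is that the fingerprint covers the whole blob, so a key relabelled as another type produces a different fingerprint than the one on file and is rejected rather than silently compared.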

Page 219: ...onfigure pane of the NSM navigation tree, click Device Discovery Rules. 2. Select the rule you want to run. 3. Click the Run icon in the discovery rules toolbar. The device discovery Progress dialog box app...

Page 220: ...atic IP addresses, the device configuration is automatically imported during the Add Many Devices workflow. When importing devices with dynamic IP addresses, you must manually import the device configura...

Page 221: ...tored the program files for the UI client, for example C:\Program Files\Network and Security Manager\utils. For each CSV file, each row defines a single device's values for each parameter. For text files, c...

Page 222: ...add four security devices that use static IP addresses, create a text file with the following text: Chicago green 10.100.31.78 netscreen netscreen ssh_v2 any; Memphis orange 10.100.20.236 netscreen netsc...

Page 223: ...twlan Dmz Dual Untrust; ns5Gtwlan Combined; ns5Gtwlan Home Work; ns5Gtwlan Dual Untrust; ns5Gtwlan Trust Untrust; ns5Gtwlan Dual Dmz; ns5XT Combined; ns5XT Dual Untrust; ns5XT Trust Untrust; ns5XT Home Work; ns...

Page 224: ...name: IC, IC 4000, IC 4500, IC 6000, IC 6500 | required: yes | type: String | Platform (continued). Set to none | required: yes | type: String | Device subtype. With OS name ScreenOS, see Table 7 on page 13 for a list of OS versions that apply to each S...

Page 225: ...if desired. 3. Save the file to a location on your local drive. Example: Using a Text File to Add Multiple Dynamic IP Devices. To add four devices that use dynamic IP addresses, create a text file with the...

Page 226: ...ction type is static | type: String | Device IP Address. Any valid netmask in CIDR format, for example 8, 24, 28, or 32 | required: yes, when connection type is static | type: String | Device Netmask. required: yes, when connection type is static | type: String | Device Gate...

Page 227: ...e 5.0 off advanced netscreen123 dhcp 2netscreen netscreen2 off. Save the file as a .csv file. Validating the CSV File: When you add the device, NSM validates the configuration information in the .csv file a...
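The bulk-add file carries device administrator credentials in clear text, so it deserves a check before it is handed to the wizard, and a check that goes further than the wizard's own validation. The following is an added example, not code from the NSM guide or a Juniper tool. It assumes the whitespace-separated text-file layout inferred from the guide's sample row (name, color, IP address, admin user, admin password, connection type, and a final column whose meaning is an assumption here), and that only the SSH connection types are accepted; both are assumptions, since the page shows the format only in part. Beyond syntax it flags rows that still carry the ScreenOS factory default credentials (netscreen/netscreen) and duplicate names or addresses. The input rows are constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumed column layout of the text file, inferred from the guide's sample row
# "Chicago green 10.100.31.78 netscreen netscreen ssh_v2 any"; the last column's meaning is an assumption.
COLUMNS = ("name", "color", "ip", "admin_user", "admin_password", "connection", "platform")
CONNECTION_TYPES = {"ssh_v1", "ssh_v2"}        # assumption: only the SSH variants are accepted
# ScreenOS ships with admin user "netscreen" / password "netscreen"; a row still using it is a finding.
FACTORY_DEFAULT_CREDENTIALS = ("netscreen", "netscreen")

# Constructed sample input: the guide's style of row, plus deliberately broken ones.
SAMPLE_TEXT = """\
Chicago green 10.100.31.78 netscreen netscreen ssh_v2 any
Memphis orange 10.100.20.236 nsmadmin Vk9pLq2z ssh_v2 any
Denver blue 10.100.20.999 nsmadmin Vk9pLq2z ssh_v2 any
Boston red 10.100.31.78 nsmadmin Vk9pLq2z telnet any
"""


def parse_rows(text):
    """Split the file into dict rows; blank lines and '#' comments are skipped.

    A row with the wrong number of fields is kept with an 'error' key so the report stays complete."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            rows.append({"lineno": lineno, "error": f"expected {len(COLUMNS)} fields, got {len(fields)}"})
            continue
        row = dict(zip(COLUMNS, fields))
        row["lineno"] = lineno
        rows.append(row)
    return rows


def validate_row(row):
    """Return the list of problems found in one row (an empty list means the row is acceptable)."""
    if "error" in row:
        return [row["error"]]
    problems = []
    try:
        ipaddress.IPv4Address(row["ip"])
    except ValueError:
        problems.append(f"invalid IPv4 address {row['ip']!r}")
    if row["connection"] not in CONNECTION_TYPES:
        problems.append(f"unsupported connection type {row['connection']!r}")
    if (row["admin_user"], row["admin_password"]) == FACTORY_DEFAULT_CREDENTIALS:
        problems.append("factory default administrator credentials")
    return problems


def validate_file(text):
    """Validate every row plus cross-row uniqueness of name and IP; returns {line number: [problems]}."""
    rows = parse_rows(text)
    report = {row["lineno"]: validate_row(row) for row in rows}
    for key in ("name", "ip"):
        counts = Counter(row[key] for row in rows if key in row)
        for row in rows:
            if key in row and counts[row[key]] > 1:
                report[row["lineno"]].append(f"duplicate {key} {row[key]!r}")
    return report


def valid_rows(text):
    """Line numbers of rows that can go to the Add Many Devices wizard without further work."""
    return sorted(lineno for lineno, problems in validate_file(text).items() if not problems)


if __name__ == "__main__":
    for lineno, problems in sorted(validate_file(SAMPLE_TEXT).items()):
        print(lineno, "OK" if not problems else "; ".join(problems))
```

Because the file contains administrator passwords, treat it as a secret: restrict its permissions while it exists and delete it once the import job has completed, rather than leaving it in a shared utils directory.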

Page 228: ...y the location of the CSV file. 5. Click Next. The Add Device wizard validates the CSV file and provides a Validation Report. Select Cancel to quit the Add Many Devices process. Select Add Valid Devices to...

Page 229: ...menu, select the domain in which to import the device. 2. In Device Manager, select Devices. 3. Click the Add icon and then select Many Devices. The Add Device wizard appears. 4. In the Add Device wizard, Sele...

Page 230: ...cel to quit the Add Many Devices process. Select Add Valid Devices to begin adding the devices for which you have provided valid device configurations. The Add Device wizard adds the valid devices to th...

Page 231: ...Server directory /usr/netscreen/GuiSvr/var/ManyDevicesOutput/inputFile_YYYYMMDDHHMM. NOTE: For security, you cannot edit a configlet file directly. To make changes to the information in any configlet file...

Page 232: ...n group devices before configuring them. You can add a device to more than one device group. You can also add a device group to another device group. NOTE: You cannot apply a template to a device group. Yo...

Page 233: ...vice update to it. The following procedures prevent these conflicts between NSM and the Infranet Controller: Avoiding Naming Conflicts of the Authorization Server Object on page 183; Avoiding NACN Passwo...

Page 234: ...ger > Devices to list all the devices. b. Right-click each Infranet Enforcer firewall device in turn and select Delete from the list. 5. On NSM, delete the infranet instances from the Object Manager: a. Select...

Page 235: ...to add and import the device. e. Repeat steps b through d for each Infranet Enforcer device. Avoiding NACN Password Conflicts: When you need to manage the Infranet Enforcers, reimport the configuration eac...


Page 237: ...he managed device for your changes to take effect. For details on updating devices, see Updating Devices on page 243. Use security policies to configure the rules that control traffic on your network. For...

Page 238: ...overview of each of these device families and lists of supported platforms and operating system versions. Most devices can be configured using the following interfaces: Native Web UI, Native CLI, NSM UI...

Page 239: ...onfiguring Security Policies on page 435. Configuration Features: You can edit the device object configuration through the device editor, or you can use templates or configuration files to simplify confi...

Page 240: ...g Device Templates on page 198. About Configuration Groups: Configuration groups are similar to device templates in that you define configuration data to be used multiple times. In configuration groups, t...

Page 241: ...and Configuration Tabs: The Device Info tab contains information maintained in NSM. This information can neither be imported from the device nor is it ever pushed to the device by an Update Device dire...

Page 242: ...device families. Figure 41 on page 192 shows an example. Figure 41: ScreenOS and IDP Device Configuration Information. Validation and Data Origination Icons: The device editor might display some of the ic...

Page 243: ...guration group. Changes to the configuration group are also shown in the device editor. Configuration Group Values (Lowest): A value is set for a field in a template or configuration group definition. This...

Page 244: ...our changes and continue making changes. Click Cancel to discard all changes and close the device configuration. To reset a device feature to its default value, right-click on the feature name in the dev...

Page 245: ...s Guide and IDP ACM Help for more information. Configuring functions that require device administrator intervention, such as Secure Command Shell (SCS) and Secure Shell (SSH) client operation. Executing debu...

Page 246: ...nterfaces. In this example, the view is of the Network Settings screen. Figure 43: Secure Access Device Object. For details about configuring Secure Access devices, see the Configuring Secure Access Devices...

Page 247: ...ly as shared objects and then link to those objects from the stubs in the device configuration. See Managing Large Binary Data Files (Secure Access and Infranet Controller Devices Only) on page 275 for d...

Page 248: ...configuration information across multiple devices. In a template, you need define only those configuration parameters that you want to set; you do not need to specify a complete device configuration. Temp...

Page 249: ...enhances the usability of the template. If template categories are not selected, the default display is a full tree view. You can also view the associated template categories in the Device Template tabl...

Page 250: ...er > Device Templates. 2. Click the Add icon in the Device Template Tree or the Device Template List and select ScreenOS/IDP Template from the list. The New Device Template dialog box displays the template...

Page 251: ...h as device platform or release version. Applying the Template: Apply the template as follows: 1. Ensure that the device you want to apply the template to has been added or modeled in the management syste...

Page 252: ...en those values are also stored by NSM. Where field keys match, imported values override values inherited from the template, so that the effective device object configuration matches the device. The live...

Page 253: ...he effect of moving the mouse cursor over the field name of an overridden value: a tool tip message appears showing the name of the template whose value has been overridden. Figure 46: Template Override...

Page 254: ...sage appears. If the template specifies a field that the device supports but the value is outside the permitted range for the device, a validation message appears in the Device dialog box. A template val...

Page 255: ...Zone configuration screen appears. d. Click the Add icon in the Zone configuration screen and select Pre-Defined Security Zone (trust, untrust, dmz, global). The Predefined Zone dialog box appears. NOTE: Becaus...

Page 256: ...g box appears. b. Select Screen > Denial of Service Defense and review the values applied by the template, as shown in Figure 48 on page 206. Figure 48: View Denial of Service Defense Values from DoS Templat...

Page 257: ...een 208 device. a. In the navigation tree, select Device Manager > Devices. Double-click the NetScreen-208 device icon to open the Device dialog box. b. Select Info > Templates in the device navigation tree. Cli...

Page 258: ...e untrust Predefined Zone dialog box appears. b. Select Screen > Denial of Service Defense and review the values applied by the template, as shown in Figure 51 on page 208. Although both the DoS and DoS2 te...

Page 259: ...d from the device configuration itself and not a template, by moving the cursor over the field name. The message "From object" appears, as shown in Figure 54 on page 209. Figure 54: View Default SYN-ACK-ACK...

Page 260: ...elect Predefined Interface. The Physical Interface dialog box appears. 3. For Name, enter ethernet1. NOTE: When creating or editing predefined interfaces in a template, you must use the exact name for each i...

Page 261: ...one. NOTE: The ordering of list entries is a detailed point and of low significance to most users. Skip this section if ordering of list entries is not significant to you. To specify a sequence in which...

Page 262: ...push the configuration to the device, and then connect to the Web UI of the device and reorder the list entries such that the list entries that came from the template are reversed: D1 D2 T2 T1. Now consi...

Page 263: ...e of parameters in the template matches a contiguous subsequence of parameters in the device, then NSM applies the new template order for the subsequence to the device. Entries added in a template are p...

Page 264: ...a matching subsequence, the new sequence is transferred to the device. After: C A B (Template Sequence); 2 C 1 A B (Device Sequence). Example 3: The following example shows entries inserted into the list on the...

Page 265: ...atching Subsequence Change. Now add an entry to the template. The new entry is added to the device in the same sequence as it was added in the template. That is, the new entry follows entry C in the templ...

Page 266: ...as it was added in the template. In this case, however, entry C has been deleted from the device, so the inserted entry follows entry B. After: D C B A (Template Sequence); D B A 2 1 (Device Sequence). Identifyi...

Page 267: ...s green highlight because they represent a common subsequence, though not the longest. c has a single out-of-order mark because it is adjacent to neither of its neighbors in the template. NOTE: If m...

Page 268: ...Name Section: Select a device family from the Select OS Name list to determine which set of templates and devices to show. Select Devices Section: In this section, select one or more devices for template...

Page 269: ...an templates previously assigned to the device. Values in these templates will override values applied by lower-priority templates. Remove templates: Removes all selected templates from each selected dev...

Page 270: ...orts any errors. Template Operations Box Recommended Workflow: The Template Operations dialog box can be used in many ways. This section describes one recommended workflow. Step 1: Look at the Effect of Pl...

Page 271: ...es generated in Step 1. Resolve any conflicts, missing assignments, or other errors as desired. Repeat steps 1 and 2 until you are satisfied with your planned changes. Step 3: Apply Templates and Clear Over...

Page 272: ...1. From the Device Manager launch pad, select Export/Import and then select Export Device Template to File. 2. In the Export Config to File dialog box, select the template you want to export and then clic...

Page 273: ...up mechanism is separate from the grouping mechanisms used elsewhere in the Junos configuration, such as Border Gateway Protocol (BGP) groups. Configuration groups provide a generic mechanism that can be...

Page 274: ...ces to 1 Gbps by using a wildcard mechanism. 1. Double-click the device in the Device Manager and select the Configuration tab. 2. In the configuration tree, select Config Groups > List. 3. Click the Add icon...

Page 275: ...field, set the speed to 1g and click OK. The configuration group icon appears next to the two interface entries in the group and next to each element in the tree above the interface entries. See Figure 6...

Page 276: ...the up and down arrows at the top of the main display area. The order of lists is significant because configuration group wildcard matching is done starting from the first configuration group entry and...
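Because matching runs from the first configuration group entry, a catch-all wildcard placed before a more specific entry silently wins, and the specific entry never applies. The following is an added example, not code from the NSM guide or from Junos: it resolves an interface name against an ordered list of group entries the way the passage describes (first match wins) and reports literal entries that an earlier wildcard already shadows. The entries and speed values are constructed; using Python's fnmatch glob syntax to stand in for Junos wildcard syntax (which writes wildcard entries between angle brackets, such as `<ge-*>`) is an approximation and an assumption of this example.

```python
from fnmatch import fnmatchcase

# Constructed configuration group entries, in list order. Angle brackets mark a wildcard entry,
# as in Junos; fnmatch glob syntax approximates Junos wildcard syntax here (an assumption).
ENTRIES_WILDCARD_FIRST = [
    ("<ge-*>", {"speed": "1g"}),
    ("<ge-0/0/1>", {"speed": "100m"}),   # intended exception, but listed after the catch-all
]
ENTRIES_SPECIFIC_FIRST = [
    ("<ge-0/0/1>", {"speed": "100m"}),   # exception first, so it is reached
    ("<ge-*>", {"speed": "1g"}),
]


def pattern_of(entry_name):
    """Strip the angle brackets that mark a wildcard entry; a literal name is returned unchanged."""
    if entry_name.startswith("<") and entry_name.endswith(">"):
        return entry_name[1:-1]
    return entry_name


def resolve(interface, entries):
    """Return the values of the first entry, in list order, whose pattern matches the interface,
    or None when no entry matches."""
    for name, values in entries:
        if fnmatchcase(interface, pattern_of(name)):
            return values
    return None


def shadowed(entries):
    """Names of literal entries that can never be selected because an earlier entry matches them.

    Only literal (non-wildcard) names are checked: a literal is shadowed exactly when some earlier
    pattern matches it. Containment between two wildcards is not decided here."""
    result = []
    for i, (name, _) in enumerate(entries):
        pat = pattern_of(name)
        if any(ch in pat for ch in "*?["):
            continue
        for earlier, _ in entries[:i]:
            if fnmatchcase(pat, pattern_of(earlier)):
                result.append(name)
                break
    return result


if __name__ == "__main__":
    for label, entries in (("wildcard first", ENTRIES_WILDCARD_FIRST),
                           ("specific first", ENTRIES_SPECIFIC_FIRST)):
        print(label, "ge-0/0/1 ->", resolve("ge-0/0/1", entries), "shadowed:", shadowed(entries))
```

The `shadowed` check is the one to run after reordering entries with the up and down arrows: if it returns anything, the list order will not produce the configuration the entries read as.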

Page 277: ...n click Add. The Available Config Groups list includes all configuration groups created in the device object. The configuration group and icon move to the Applied Config Groups list. 4. Click OK to apply...

Page 278: ...ig Groups list, select the configuration groups you want to exclude and then click Add. The selected configuration group names move to the Excluded list. 3. Click OK to exclude those groups from that part...

Page 279: ...ed lists in the device object appear in a specific order determined by Junos convention. By default, entries from templates appear first, followed by regular configuration data, followed by entries create...

Page 280: ...tch the Template or Configuration Group Order on page 216 for details and examples. Using Configuration Groups with Templates: If a field in a device object can inherit from both a template and a config...

Page 281: ...faces. To create this configuration, follow these steps: 1. Create a template containing a configuration group that will apply an MTU value of 3K to all devices to which the configuration group is applied...

Page 282: ...e Add icon and select fe Physical Interfaces from the list. c. In the Set Slot Configuration dialog box, set the slot range to 0, the PIC range to 0, the port range to 0-1, and click OK. The new interfaces s...

Page 283: ...of the device and click Templates. b. Click the Edit icon to display the Edit Templates dialog box. c. Check the box next to the template you just created and click OK to apply the template to the device...

Page 284: ...rs use a special implementation of the configuration group mechanism to maintain differences between the members but within the same configuration file. Although you cannot edit the configuration of a...

Page 285: ...e 230 for details. Configuring Member-Level Data in a Junos Cluster: To provide configuration data for a specific cluster member, such as the node name, NSM implements a special form of the wildcard mecha...

Page 286: ...ting Engines differs from configuring a device with a single Routing Engine in that you can configure features for a specific Routing Engine. Two special configuration groups are used for this purpose...

Page 287: ...Figure 64: Configuring Routing Engine-Specific Parameters. Viewing a Routing Engine Configuration: The following example shows how to display the hostname assigned to a specific Routing Engine. See Figure...

Page 288: ...ature allows you to use redundant routers on a LAN by configuring a single default route on the host. All VRRP routers share the IP address corresponding to the configured default route. One of the VRRP...
Page 289: ...00M2 SPM2 Vsys devices. Activating VRRP on a Device Interface: You can enable VRRP on an Ethernet interface only if VRRP has already been activated on the device. You can only enable VRRP on a regular in...
Страница 289: ...00M2 SPM2 Vsys devices Activating VRRP on a Device Interface You can enable VRRP on an Ethernet Interface only if VRRP has already been activated on the device You can only enable VRRP on a regular in...

Страница 290: ...d in the NSM database and a comment Click on an entry in the table to view the contents of a specific version The text file appears in the main part of the display You can edit the comment that appear...

Страница 291: ...The default is 25 versions The Config File Manager can automatically import config files from managed Junos OS based devices when configuration changes are committed on these devices enabling NSM to h...

Страница 292: ...Copyright 2010 Juniper Networks Inc 242 Network and Security Manager Administration Guide...

Страница 293: ...tion to the management server This chapter contains the following sections About Updating on page 243 Knowing When to Update on page 248 Using Preview Tools on page 252 Performing an Update on page 25...

Страница 294: ...essful update These tools include Audit Log Viewer This NSM module records changes made to a device configuration The audit log entry also identifies the administrator who performed the change shows w...

Страница 295: ...a Configuration Summary reveals no differences between the new configuration and the old configuration on the device you have successfully updated the running configuration About Atomic Configuration...

Страница 296: ...rformance of the management connection is enhanced Atomic updating also enables the device to temporarily lose connection to NSM during the update process If the management connection is down when the...

Страница 297: ...econnect are unsuccessful for two hours the update timer expires and the device automatically resets The device unlocks the active configuration and restores the saved active configuration the device...

Страница 298: ...NSM To synchronize the configuration data NSM imports the configuration after the update If an Update Device directive causes implicit configuration changes on one or more devices each device reports...

Страница 299: ...tor displays the current status of the device Up status The device is connected to the Device Server and is running properly Before you can update a device it must be in the Up state Down status An ev...

Страница 300: ...sical device configuration the configuration on the physical device is newer than the modeled configuration To synchronize the two configurations import the configuration from the physical device Mana...

Страница 301: ...evice type and OS version IP address domain the Attack Db version if it is a Firewall IDP device and the connection and configuration states To manually verify the configuration status for devices For...

Страница 302: ...ger to determine when you are receiving too many attacks of a certain type and order them by an IP address For example if you determine that the current device configuration and security policy cannot...

Страница 303: ...ommands run a configuration summary 1 From the launchpad select Devices Config Options Summarize Config The launchpad displays the Summarize Config dialog box 2 Select the devices or device groups for...

Страница 304: ...h the modeled configuration you might want to identify and verify the configuration you are installing on the device After updating Ensure that the device received the configuration as you expected an...

Страница 305: ...255 Figure 66 Delta Configuration Summary Example Occasionally the delta configuration report might display discrepancies that do not actually exist between the running configuration and the modeled...

Страница 306: ...evices vsys devices clusters virtual chassis or device groups using the same process Before updating Ensure that you have configured the device correctly created and assigned a policy to the device an...

Страница 307: ...ing any out of band changes made enable the option Do not Update If Device Has Changed Configuring Update Options You can configure device update and retry options on a systemwide basis in the UI pref...

Страница 308: ...e Manager and select Update Attacks When disabled the update options dialog box does not appear for single device updates initiated from the Device Manager Alternatively to disable from within the per...

Страница 309: ...ns in the NSM UI including the Devices and Tools menus in the NSM toolbar to access the Update directive from the File menu select Devices Configuration Update Device Configuration The Job Manager mod...

Страница 310: ...d on a single device For multiple device updates Job Manager tracks the progress of each job on each device in addition to the overall progress for all devices To view the Job status for an individual...

Страница 311: ...Passwords By default only the super administrator has this assigned activity Device States During Update During an update the managed device changes device state You can view the current device state...

Страница 312: ...plays the Job Status as Failed You can also check the Connection Status and Configuration Status columns for the device in the Realtime Monitor to determine whether the device is running After a devic...

Страница 313: ...ation Generated 5 Delta Config CLI Commands Specifically the update could not set the command pppoe name untrust clear on disconnect The delta configuration summary correctly detected a difference bet...

Page 315: ...e added to NSM without the need to upgrade NSM This feature applies only to devices with XML based schemas This chapter contains the following sections Managing Device Software Versions on page 266 Ma...

Page 316: ...er from the menu bar The Software Manager lists all software image files in the repository To add the one you just downloaded click the Add icon navigate to the software image file you just downloaded...

Page 317: ...8 a NetScreen 50 and a NetScreen 5XP at the same time but the image files for each device type must exist on the Device Server and must be the same OS version When a new version of Junos is installed...

Page 318: ...e NSM If the software version of a device is upgraded outside NSM through the device CLI or Web UI NSM behaves differently depending on whether the upgraded software version is published and whether i...

Page 319: ...upgrade by NSM See Upgrading the Device Software Version on page 266 To reconcile the OS versions right click a device and select Adjust OS Version to display the Adjust OS Version Wizard Follow the...

Page 320: ...ice support The directive performs the following actions Performs an Adjust OS Version from the previously known ScreenOS version to the new version of ScreenOS running on the selected devices Optiona...

Page 321: ...ickly view all license keys installed on a device and the features and capacities available on the device To import or view license key information 1 In the main navigation tree right click the device...

Page 322: ...is upgraded through the Web UI or CLI new software packages are installed or a new license key is installed on the device then the inventory on the device is no longer synchronized with the NSM datab...

Page 323: ...le how many VPNs a license supports how many licensed units are already in use and how many more are needed The license details include the key name or ID of the license the date the license was creat...

Page 324: ...ry changes to Out of Sync in the Device List the Device Monitor and the device tooltip and the Reconcile button in the Device Inventory window becomes active 4 When you have finished viewing the diffe...

Page 325: ...d Infranet Controller devices are handled differently from the remainder of the configuration in NSM The size of some of these binary files could make configurations large enough to overload resources...

Page 326: ...ata file and linking that file into the Secure Access or Infranet Controller device configuration tree Subsequent sections provide details about each type of large binary data file To upload and link...

Page 327: ...evice to open the device editor and then select the Configuration tab b Navigate to the node in the configuration where you want to load the binary file For example to load an ESAP package expand Auth...

Page 328: ...ry data list by clicking the Add icon The Binary Data dialog box appears as in step 3 d Click OK to save the newly configured links Importing Custom Sign In Pages The customized sign in pages feature...

Page 329: ...tion 3 Expand Signing In 4 Expand Sign in Pages 5 Select Users Administrator Sign in Pages and then click the Add icon in the right pane 6 Enter a name for the access page 7 Select Custom Sign in Page...

Page 330: ...nfiguration To create a link from a Secure Access or Infranet Controller configuration tree to a shared object containing an AV patch live update file follow these steps 1 In the Device Manager double...

Page 331: ...umber 6 Select a shared binary object from the Path to Package list 7 Click OK once to save the link and again to save the configuration Importing Third Party Host Checker Policies For Windows clients...

Page 332: ...r policy follow these steps 1 In the Device Manager double click the Secure Access or Infranet Controller device to open the device editor and then select the Configuration tab 2 Expand Authentication...

Page 333: ...t the Java applets You can upload individual jar and cab files or zip cab or tar archive files to NSM shared objects Archive files can contain Java applets and files referenced by the applets Within t...

Page 334: ...les 4 Select the Global Role Options tab 5 In the Global Terminal Services Role Options tab select a shared binary data object from the Citrix Client CAB File list 6 Click OK to save the configuration...

Page 335: ...x appears 3 Select the device or devices to which you want to restore the backup version and click OK Backing up multiple SA or IC Devices To create backup versions of the data in multiple IC or SA de...

Page 336: ...p version and click Delete to delete the backed up version from the NSM database NOTE The backup and restore feature is available in the NSM UI on root clusters but not on cluster members However when...

Page 337: ...not reachable 1 Click Next The Specify the connections settings dialog box opens 2 Specify the First Connection One Time Password OTP that authenticates the device 3 Edit the Device Server Connection...

Page 338: ...2 User Name text box to enter user name search string By default this will be You can specify any regular expression string here 3 Sort on drop down list box to select the name of the field to sort o...

Page 339: ...ly paid subscription To register your product go to www juniper net support After you have registered your product you can retrieve the service subscription To obtain the subscription for a service 1...

Page 340: ...nload new attack objects from the server To update a managed device with new DI attack objects you must first obtain a DI subscription for your device For details see Activating Subscription Services...

Page 341: ...P zip Download the file to your local disk Do not change the filename 4 Put both files in a local directory on the NSM GUI Server or on an internal Web server that is reachable by the NSM GUI Server 5...

Page 342: ...loaded manually To load the attack object database update to your managed devices 1 From the Device Manager launchpad select SecurityUpdates UpdateDeviceAttack Database or from Devices in the menu ba...

Page 343: ...IDP rules for the device from the GUI Server to the device For a security policy that uses DI attack objects NSM pushes all updated signatures from the GUI Server to the device Verifying the Attack O...

Page 344: ...when you update the device configuration on a device you must also update the database on the managed device to match the version of the database on the GUI Server if the version on the GUI Server is...

Page 345: ...liances J Series devices SRX Series devices and MX Series devices Automatic updates to the IDP engine occur when you Upgrade security device firmware The upgraded firmware includes the most recent ver...

Page 346: ...ee Figure 74 on page 296 Figure 74 Attack Update Summary 3 Click Cancel to exit the Attack Update Manager Scheduling Security Updates For security devices running ScreenOS 5 0 0 IDP1 5 1 and later and...

Page 347: ...ng unexpected changes To handle unconnected devices during the update you must also specify additional post action options shown in Table 30 on page 297 Table 30 Scheduled Security Update SSU Command...

Page 348: ...tils guiSvrCli sh update attacks post action update devices skip Scheduling the Update You can perform a one time security update using guiSvrCli sh directly or you can use crontab or another scheduli...

Page 349: ...ing the update the guiSvrCli utility updates the attack object database then performs the post actions After updating and executing actions the system generates an exit status code of 0 no errors...

Page 350: ...Admin Name Domain The administrator name for security update is guiSvrCli and the domain is Global entry appears as guiSvrCli Global Action The action appears as Scheduled Attack and Device Update To...

Page 351: ...ecurity device you want to contact SurfControl 2 In the Device Manager launchpad select Security Updates Update System Categories This option updates the NSM management system predefined categories fr...

Page 352: ...fied by the device and not by NSM Invoking the Launch Telnet menu item causes the Telnet window to appear even if the Telnet service is not enabled in the device The Launch Telnet menu is disabled if...

Page 353: ...ries it connects to the previously configured DNS server to perform a lookup of each entry in its table To direct one or more devices to refresh their DNS table entries 1 From the Device Manager launc...

Page 354: ...forms asset recovery Sets the device to FIPS mode Resets the device to its default settings Updates the OS Loads configuration files After you change the root administrator login and password only per...

Page 355: ...to send a device back to the factory and replace it with a new device you can set the device to the RMA state This state allows NSM to retain the device configuration without a serial number or connec...

Page 356: ...ftware Manager allows you to upgrade the firmware version in the physical device before RMA After upgrading NSM puts the device in the Update needed state NOTE The current OS version of the device is...

Page 357: ...subsystem within the wireless security device during the device update process NOTE When using an authentication server for wireless authentication if you enable 802 1X support on that server you must...

Page 358: ...When you create update or import a device the GUI Server edits the ADM to reflect the changes then translates that information to the DM Data Model Schema The structure of the ADM and DM is determined...

Page 359: ...arranged similarly to objects in the management console each item VPN policy device device group and so on is represented by an object In the DM each item is a property of a single device During the d...

Page 360: ...s interfaces routing tables users and VPN rules in the DM for each device The DM contains only the VPN information that relates to the specific device not the entire VPN During the device model update...

Page 361: ...objects and object attributes in the ADM domain When you import a device configuration using the management console the device sends CLI commands to the Device Server which translates the CLI commands...

Page 362: ...es the CLI commands into a DM with device configuration information The GUI Server translates the device configuration in the DM into objects and object attributes in the ADM The GUI Server then reads...

Page 363: ...vers For details on stopping starting and restarting processes on the management system refer to the Network and Security Manager Installation Guide Archiving Logs and Configuration Data To archive lo...

Page 364: ...up and restore procedures To restore log and configuration data 1 Stop Device Server and GUI Server processes 2 Use the mv command to transfer data from the var directories to a safe location This pre...

Page 365: ...nistrator role has all the permissions necessary to manage schemas Alternatively you can define a custom role for schema management Three activities are relevant to defining such a role View Schema De...

Page 366: ...the server Choose File to retrieve the schema from an intermediary file 4 Click Next to display information about the latest schema on the source Juniper Update Server or file along with current schem...

Page 367: ...of files affected by the change Compare the version numbers to tell whether the staged schema is more recent than the currently running schema Check the information about the schema to determine wheth...

Page 369: ...Configuring Voice Policies on page 535 Configuring Junos NAT Policies on page 539 Configuring VPNs on page 551 Central Manager on page 629 Topology Manager on page 635 Role based Port Templates on pa...

Page 371: ...on page 322 Configuring Address Objects on page 326 Configuring Application Objects on page 332 Configuring Schedule Objects on page 334 Configuring Access Profile Objects on page 335 Configuring Qual...

Page 372: ...evice configuration NSM automatically imports all objects defined in that configuration The Object Manager displays objects created in the current domain only When you work in the global domain all cu...

Page 373: ...affic AV Profiles define the server that contains your virus definitions and antivirus software Web Filtering Profiles define the URLs the Web categories and the action you want a security device to t...

Page 374: ...n VPN You cannot use a subdomain user object in a global domain VPN When creating a subdomain protected resource you can include a subdomain address object and a global domain service object but you c...

Page 375: ...h by unchecking unnecessary categories Right click on a shared object node for example Address Objects and select Search Unused Objects 2 Select the search categories and click Next The Unused Shared...

Page 376: ...to delete NSM displays a message that the selected objects will be deleted and a warning that the operation cannot be reversed NOTE When you select a group of duplicate objects such as an address grou...

Page 377: ...k As you add address objects they appear in the tree and table tabs Creating Address Objects You can create the following address objects Host Represents devices such as workstations or servers connec...

Page 378: ...address it displays the same address under the domain name This is an indication that a name is not configured for this address 6 Click OK to add the address object The new host address object immedia...

Page 379: ...permission to view global domain objects for the objects you are replacing then all objects for the selected category in the current domain and the global domain are displayed in the Replace With wiza...

Page 380: ...lobal and subdomain address objects appear in the Non members list NOTE You can drag address objects into and out of address groups from the main address tree 8 Click OK to add the group You can creat...

Page 381: ...dresses to share a single firewall policy For example each site might have a Web server each with a different IP address If you define an address object using the hostname webserver and then using tha...

Page 382: ...ication Table Tab Information Description Field The name of the application object Name The hierarchical category to which the application belongs Application Category The TCP UDP port ranges to be ma...

Page 383: ...ing parameters in the General tab Name This is a mandatory field Application Category This is a mandatory field Supported Platforms Use the Edit icon to select supported platforms You must select at l...

Page 384: ...to 6 00 PM December 5 Christmas Break Schedule 6 00 PM December 24 to 8 00 AM January 2 Use a recurring schedule to control access to a destination for a repeating time interval The schedule object d...

Page 385: ...ccess profiles configured in NSM Access profiles are listed in a table consisting of the following columns Name Name of the access profile Comment Description of the access profile You can create view...

Page 386: ...ed QoS parameters Each IP profile can have a maximum of 8 entries and each DSCP profile can have 64 entries In a QoS profile an existing entry can be overwritten with the same DSCP IP Precedence value...

Page 387: ...you add predefined attack object groups created by Juniper Networks and your own custom attack object groups to the Profile object After creating the DI Profile you add the Profile object in the Rule...

Page 388: ...of the Supported Platform links within an attack object dialog box Viewing Predefined DI Attack Object Groups To view predefined attack object groups in Object Manager select Attack Objects then sele...

Page 389: ...and you can add multiple profile members to the profile object Within each profile member Select the attack object groups you want to include in this profile member Configure the action you want the...

Page 390: ...e and Attack object and displays an alert in the Log Viewer Configure IP Action Enable this option to direct the device to take action against a brute force attack When enabled configure the following...

Page 391: ...at and includes the following information Name of the attack object Severity of the attack critical major minor warning or info Category displaying the type of application Keywords for the attack CVE...

Page 392: ...ts and Groups NSM lets you look at the details of predefined attack objects and groups Not all details are applicable to all attacks The Pattern field under the Details column in the General tab of th...

Page 393: ...on page 363 For information about creating a DI Profile object see Creating DI Profiles on page 338 To use a custom IDP attack object to protect your network you can add the attack object in an IDP r...

Page 394: ...ription and keywords which can make it easier for you to locate and maintain the attack object as you use it in your firewall rules Specifically the attack object wizard prompts you for the following...

Page 395: ...he extended attack information Configuring Extended Information In the Extended tab enter specific information about the attack Specifically the attack object wizard prompts you for the following Impa...

Page 396: ...the target platform and configure the attack version click the Add icon under Attack Versions to display the New Attack wizard On the Target Platform and Type page you must select the ScreenOS or IDP...

Page 397: ...re traffic is identified as an attack By combining and even specifying the order in which signatures or anomalies must match you can be very specific about the events that need to take place before th...

Page 398: ...the correct service select Any and DI attempts to match the signature in all services Because some attacks use multiple services to attack your network you might want to select the Any service binding...

Page 399: ...ly When a client makes a remote procedure call to an RPC server the server replies with a remote program each remote program uses a different program number To detect attacks that use RPC configure th...

Page 400: ...Control Message Protocol ICMP TCP 113 IDENT IDENT TCP 143 UDP 143 Internet Message Access Protocol IMAP Internet Relay Chat IRC Lightweight Directory Access Protocol LDAP Line Printer spooler lpr Mic...

Page 401: ...e time attributes for the custom attack object Time attributes control how the attack object identifies attacks that repeat for a certain number of times By configuring the scope and count of an attac...

Page 402: ...o After you finish entering the general attack properties for the attack type click Next to configure the attack detection properties Configuring Attack Detection Properties In the Attack Pattern scre...

Page 403: ...atches Example Matches This syntax 01 86 A5 00 00 the five specified bytes verbatim X01 86 A5 00 00 X hello world hello or world hello world helloworld world hello hellohello hello or world one or mor...

Page 404: ...ect and can improve performance Select first packet context to detect the attack in only the first packet of a stream When the flow direction for the attack object is set to any the security device ch...

Page 405: ...stead of Any improves performance reduces false positives and increases detection accuracy Client to Server Detects the attack only in client to server traffic Server to Client Detects the attack only...

Page 406: ...th existing TCP and UDP protocols IPv4 and IPv6 header matches cannot coexist in a single attack definition IPv6 enabled attacks are supported only on ISG1000 with SM and ISG2000 with SM devices Type...

Page 407: ...attack target Seq Number Specify an operand none and a decimal value for the sequence number of the packet This number identifies the location of the data in relation to the entire data sequence ACK...

Page 408: ...for the port number of the attack target Data Length Specify an operand none and a decimal value for the number of bytes in the data payload ICMP Headers For attacks that use ICMP and a packet context...

Page 409: ...For details see Configuring Time Binding on page 351 Configuring a Compound Attack Object A compound attack object combines multiple signatures and protocol anomalies into a single attack object forci...

Page 410: ...d protocol anomaly attack objects Additionally because the number of session transactions are not known for the service you cannot specify a scope in the Members tab To match a specific service select...

Page 411: ...ropriate for the Service you selected If you selected a service binding of any you are restricted to the IP based protocol anomaly attack objects Configuring an Attack Object Ordered Match Use the oAN...

Page 412: ...re active in the attack object By default the direction filter is automatically set to the direction of the most recently created or edited attack version Creating Custom DI Attack Groups You can crea...

Page 413: ...ttacks to which you know your network is vulnerable or to group custom attack objects For example you might want to create a group for a specific set of informational attack objects that keep you awar...

Page 414: ...icon and select one of the following Add Products Filter to add attack objects based on the application that is vulnerable to the attack Add Severity Filter to add attack objects based on the attack s...

Page 415: ...mic Group dialog box appears 2 Enter a name and description for the group Select a color for the group icon Figure 78 New Dynamic Group 3 In the Filters tab click the Add icon and add the filters that...

Page 416: ...r meet their dynamic group criteria The update also reviews updated attack objects to determine if they now meet any other dynamic group criteria and adds them to those groups if necessary For all del...

Page 417: ...e 370 Miscellaneous UTM Features on page 371 ScreenOS Threat Management Features on page 373 Creating UTM Profiles A UTM profile can define more than one UTM feature You can have more than one custom...

Page 418: ...es The allowed range is 20 20000 Set a time out period The allowed range is 1 1800 Set the decompression limit in the range of 1 4 Set the HTTP trickling time out in the range of 0 600 Set the scan mod...

Page 419: ...profile 5 Enter a comment or description 6 Select a color from the drop down list 7 Enable Use default SBL 8 Select an action Block Tag header Tag subject 9 Enter a tag string 10 Select OK Creating a...

Page 420: ...SurfControl Integrated set the following Default action Block or permit Timeout period In the range of 1 1800 Mouse over the field to see a tool tip with the allowed values Enter a deny message Set Fa...

Page 421: ...Select in the CustomUTMMimeListProfiles table The New Mime List Profile window opens 3 Enter a name for the profile 4 Enter a comment or description 5 Select a color from the drop down list 6 Enter th...

Page 422: ...eate and view URL patterns 1 Select Object Manager UTM Misc URL Patterns You can view all the URL patterns and create a new URL pattern 2 Select The New URL Pattern window opens 3 Enter a name for the...

Page 423: ...methods External AV scanning This method forwards traffic to a Trend Micro device for scanning This option is not supported by devices running ScreenOS 5 3 or higher The security device forwards all t...

Page 424: ...ust specify the protocols HTTP and SMTP that the external AV server scans for viruses The default protocol timeout is 180 seconds but you can edit this default to meet your networking requirements You...

Page 425: ...set the following settings for each enabled protocol Scan Mode All Intelligent or by File Extension If you select Scan by File Extension you must populate the Ext List Include field Scanning Timeout S...

Page 426: ...or all of them to server groups You can then assign this server object or server group to an AV profile then assign that profile to a security policy To specify a server you will need the following in...

Page 427: ...so specify the MIME list that will be used for comparison See Multipurpose Internet Mail Extension MIME Lists on page 371 for information on creating MIME lists SMTP tab SMTP Enable Selecting this che...

Page 428: ...s organized by content There are two types of categories Custom Lists and Predefined Categories Custom Lists You can group URLs and create custom lists specific to your needs You can include up to 20...

Page 429: ...ble to display multiple shared objects in each cell This allows for a better filtering mechanism for the information reduces data redundancy in the case where all rules need to have the same e mail ad...

Page 430: ...rules and will ask you for confirmation of the command Once you confirm that you want to delete the object NSM will remove all usages of the object you are deleting from the security policy rules tha...

Page 431: ...r example you can configure a security policy that enables a device to control GTP traffic differently based on source and destination zones and addresses action and so on You configure GTP objects in...

Page 432: ...S Tunneling Protocol GTP Because GSNs have a limited capacity for GTP tunnels you might want to configure the security device to limit the number of GTP tunnels created To limit GTP tunnels enable Lim...

Page 433: ...GPP and 2GPP networks enable Remove r6 IE Inspecting Tunnel Endpoint IDs You can configure the security device to perform Deep Inspection on the tunnel endpoint IDs TEID in G PDU data messages To perf...

Page 434: ...y two messages above the set rate limit To view GTP traffic log entries use the Log Viewer Configuring IMSI Prefix and APN Filtering You can use the IMSI Prefix and APN to restrict access to a specifi...

Page 435: ...cify one and that the HLR did not verify the user s subscription to the network Verified MS or Network provided APN subscription verified This Selection Mode indicates that the MS or the network provi...

Page 436: ...the following Set Subscribers Set the number of subscribers that the security device actively traces concurrently The default number of simultaneous active traces is three 3 Specify Log Byte...

Страница 437: ...r existing protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined service objects for most standard services You can also create custom se...

Страница 438: ...meout value you can view the following service settings For Non ICMP services the service object displays the protocol ID source port range and destination port range For ICMP services the General tab...

Страница 439: ...it that service object Creating Custom Services You can create custom service objects to represent protocols that are not included in the predefined services or to meet the unique needs of your networ...

Страница 440: ...ports Service Object Groups You can group services together as a service object group then use that group in security policies and VPNs to simplify administration Each service object can be referenced...

Страница 441: ...Non ICMP Services Entries area click the Add icon and select TCP The New Service Entry dialog box appears Configure the following a For Source Port select Range b For Source Port Range enter 0 to 6553...

Страница 442: ...ese two numbers The ALG maps the program numbers into dynamically negotiated TCP UDP ports and permits or denies the service based on a policy you configure To create the Sun RPC service 1 In the main...

Страница 443: ...To permit them you create an ms exchange info store service object that contains these four UUIDs The ALG maps the program numbers into dynamically negotiated TCP UDP ports based on these four UUIDs...

Страница 444: ...h a service group object that contains the replaced service object You cannot undo or roll back a Replace With operation NOTE Replacingserviceobjectsonlyappliestothoseobjectsinthedomain in which you a...

Страница 445: ...M administrators and remote access services RAS users on your network The information stored in an authentication server determines the privileges of each administrator When the security device receiv...

Страница 446: ...hentication period never times out Admin user If the length of idle time reaches the timeout threshold the security device terminates the administrator session To continue managing the device the admi...

Страница 447: ...ional and is not required to configure a RADIUS authentication server However you might need to configure this setting when implementing a new RADIUS server with an existing network and established us...

Страница 448: ...entication requests The default port number is 1645 RADIUS Secret The secret password shared between a security device and the RADIUS server The RADIUS server uses the shared secret to generate a key...

Страница 449: ...provided You can separate the authentication and accounting functions by specifying different RADIUS Authentication and Accounting servers In ScreenOS devices running 6 2 and later you can enable or...

Страница 450: ...etworks uses the standard RADIUS attribute for IP address assignments Juniper Networks provides two dictionary files one for Funk Software RADIUS servers and one for Cisco RADIUS servers For Funk Soft...

Страница 451: ...its shared secret as A56htYY97kl You change the authentication timeout value from the default 10 minutes to 30 minutes and the RADIUS retry timeout from 3 seconds to 4 seconds You also assign its two...

Page 452: ...ut against the value generated by the RSA ACE server algorithm If the values match the authentication is successful For a SecurID authentication server object you must configure the following Authenticati...

Page 453: ...olled by directory servers To create an LDAP authentication server object configure the following LDAP Server Port The port number on the LDAP server to which the security device sends authentication...

Page 454: ...or deny access to individuals or groups NSM supports two types of user objects Local Users Users with accounts that are managed by your security devices You can create local user groups that include m...

Page 455: ...t 1 In the navigation tree double click the Object Manager select User Objects then select LocalUsers In the main display area click the Add icon and select New Group to display the New Local User Gro...

Page 456: ...DN e mail address during phase 2 the device prompts the user for their U FQDN for authentication To add an external user group object 1 In the navigation tree select Object Manager User Objects Extern...

Page 457: ...the RADIUS server documentation If you are using a Microsoft IAS RADIUS server there is no dictionary file to load you must manually define the correct vendor specific attributes VSAs on the server 2...

Page 458: ...gs You can use more than one VLAN object in a rule VLAN objects have the following components Name What the object is called in the NSM UI Comment and Color Useful for organizing and explaining the ob...

Page 459: ...evice configuration or VPN for a device running ScreenOS 5 1 or earlier the device automatically uses the first IP range defined in the IP Pool object To modify or delete an IP range from an IP Pool o...

Page 460: ...in the group expressions must be external users that are stored on an external RADIUS server A RADIUS server enables a user to belong to more than one user group The operators have different meanings...

Page 461: ...hat match the description of group expression a AND group expression b the security device authenticates the user only if both group expressions reference that user AND If the security policy defines...

Page 462: ...you can use that object in the Authentication rule options In this example you configure a group expression to authenticate all users that belong to your Sales group and your Marketing group then add...
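
The group expression semantics on pages 460 to 462 (a RADIUS user may belong to several groups; AND requires both sub-expressions to reference the user, OR either, NOT neither) are easy to get wrong once expressions nest, so here is an added worked example, not NSM's code. NSM builds group expressions from objects in the GUI; the text syntax, the precedence (NOT above AND above OR), the USER_GROUPS table and the group names are assumptions made for the demo.

```python
import re

# Constructed RADIUS group memberships: a RADIUS user may belong to more
# than one group, which is what makes the operators useful.
USER_GROUPS = {
    "alice": {"sales", "marketing"},
    "bob": {"sales"},
    "carol": {"marketing", "contractors"},
}


def tokenize(expr: str):
    """Split on whitespace and parentheses; AND, OR and NOT are keywords,
    anything else is a user group name."""
    return re.findall(r"\(|\)|[^\s()]+", expr)


class Parser:
    """Recursive descent over the grammar
         or_expr  -> and_expr (OR and_expr)*
         and_expr -> unary (AND unary)*
         unary    -> NOT unary | ( or_expr ) | GROUP
    so 'a OR b AND NOT c' parses as a OR (b AND (NOT c))."""

    def __init__(self, tokens):
        self.tokens = tokens
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok == "NOT":
            return ("NOT", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"expected a group name, got {tok!r}")
        return ("GROUP", tok)


def evaluate(node, groups):
    kind = node[0]
    if kind == "GROUP":
        return node[1] in groups
    if kind == "NOT":
        return not evaluate(node[1], groups)
    if kind == "AND":
        return evaluate(node[1], groups) and evaluate(node[2], groups)
    return evaluate(node[1], groups) or evaluate(node[2], groups)   # OR


def authorize(expr: str, groups) -> bool:
    """True when the user's group set satisfies the group expression."""
    return evaluate(Parser(tokenize(expr)).parse(), frozenset(groups))


def authenticate_user(expr: str, username: str, directory=USER_GROUPS) -> bool:
    """Look the user up (as the RADIUS server would) and apply the rule's expression;
    an unknown user never satisfies any expression, including one built only from NOT."""
    return username in directory and authorize(expr, directory[username])


if __name__ == "__main__":
    rule = "(sales OR marketing) AND NOT contractors"
    for user in ("alice", "bob", "carol", "mallory"):
        print(user, authenticate_user(rule, user))
```

The unknown-user branch in authenticate_user is deliberate: a rule of "NOT contractors" evaluated against an empty group set would otherwise admit every user the RADIUS server has never heard of.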

Page 463: ...imary DNS server DNS2 Enter the IP address of the secondary DNS server WINS1 Enter the IP address of the primary WINS server WINS2 Enter the IP address of the secondary WINS server Configuring Routing...

Page 464: ...t 4 Select a color to represent the routing instance object 5 Enter a comment or description about the routing instance object 6 In the New Routing Instance dialog box click the Add icon The New Routi...

Page 465: ...For SRX Series gateways NAT settings must be configured in the device For more information on DIP MIP and VIP objects see the following sections Configuring DIP Objects on page 415 Configuring MIP Obj...

Page 466: ...click the Add icon to specify the device specific VIP configuration Device Select the security device that includes the VIP Interface Select the interface on the device that uses the virtual IP addre...

Page 467: ...AT Object on page 419 Deleting a Source NAT Object on page 419 Adding a Source NAT Object To add a source NAT object 1 Select Object Manager Junos NAT Objects Source NAT The Source NAT dialog box appe...

Page 468: ...ress prefixes IP Address Ipaddr Address By default port translation is enabled Enter a port range Select the No Translation check box to disable port translation Specify whether port translation must...

Page 469: ...referenced this object then all referenced areas are displayed as links in this dialog box Click on a link to navigate to the area where this object is referenced You can proceed with or cancel the d...

Page 470: ...ect the IP address of the interface which accepts the ARP requests from the Proxy ARP drop down list If there are no values listed select to configure a new value The New Interface dialog box appears...

Page 471: ...addresses whose ARP requests this device must accept as follows Click Address and select to configure the start of the address range in the New dialog box Click To and configure the end of the address...

Page 472: ...for those devices Generate a local and CA certificate in one click using SCEP Use OCSP to automatically check for revoked certificates ScreenOS 5 0 or later devices only Use a certificate chain that i...

Page 473: ...back to the root Partial Use partial validation to validate the certificate path only part of the way to the root Revocation Check Check for revocation Select this option to enable revocation checking...

Page 474: ...icate CA IDENT Enter the name of the certificate authority to confirm certificate ownership Challenge Enter the challenge words sent to you by the CA that confirm the security device identity to the C...

Page 475: ...our rule in an Extranet Policy object To create an Extranet Policy object 1 In the Object Manager select Extranet Policies The New ExtranetPolicyObject window appears 2 Enter the name of the Extranet...

Page 476: ...Third party host checker policies Secure virtual workspace wallpaper images Hosted Java applets Custom Citrix client CAB files See Managing Large Binary Data Files Secure Access and Infranet Controlle...

Page 477: ...es consist of the following elements IP Address The address represents the computer network or range of addresses to be considered part of this protected resource The address can be an individual host...

Page 478: ...eway to the protected resource You can add multiple security gateways to provide redundant access for the protected resource Editing Protected Resources You can edit protected resources to accommodate...

Page 479: ...proposals from VPN Manager select IKE Phase1 Proposals or IKE Phase2 Proposals Creating Custom IKE Phase1 Proposals Create custom proposals for a specific combination of authentication and encryptio...

Page 480: ...ault value is 28800 seconds 8 hours Click OK to add the custom IKE object to the management system Creating Custom IKE Phase 2 Proposals Create custom proposals for a specific combination of authent...

Page 481: ...then select the desired algorithm NOTE We strongly recommend that you do not use null AH with ESP Click OK to add the custom IKE object to the management system Configuring Dial in Objects Netscreen...

Page 482: ...vice a gateway in the device and a service point in the gateway BSG Admission Controllers BSG Admission Controllers control Session Initiation Protocol SIP dialogs and transactions You can define the...

Page 483: ...ported in Junos OS Release 9 5 and later When updating devices running under earlier versions of Junos OS the admission controller setting is dropped 433 Copyright 2010 Juniper Networks Inc Chapter 8...

Page 484: ...Copyright 2010 Juniper Networks Inc 434 Network and Security Manager Administration Guide...

Page 485: ...ll as how that traffic is treated while inside A security policy can contain firewall rules in the Zone and Global rulebases multicast rules in the Multicast rulebase and IDP rules in the Application...

Page 486: ...signing a policy to a device see Assigning a Security Policy to a Device on page 509 Viewing Rulebase Columns for a Security Policy By default each rulebase displays a subset of available columns for...

Page 487: ...x Viewing and Editing Custom Policy Fields NSM allows you to create multiple fields under Rule Options You can customize these fields to save metadata and you can edit and filter the values in each of...

Page 488: ...rulebase when you need to control traffic between specific zones The zone specific rulebase can contain firewall rules and VPN rules and links Global Contains rules that are valid across all zones Cre...

Page 489: ...s by ensuring that the three way handshake is performed successfully for specified TCP traffic If you know that your network is vulnerable to a SYN flood use the SYN Protector rulebase to prevent it T...

Page 490: ...ks by permitting or denying specific network traffic flowing from one zone to another zone After you have added a device in NSM you can create rules in the firewall rulebases of your security policy Y...

Page 491: ...e on which the firewall rule is installed You can install the same rule on multiple devices To begin configuring firewall rules for your managed devices see Configuring Firewall Rules on page 448 VPN...

Page 492: ...t group address in an internal zone to a different address on the outgoing interface specify both the original multicast address and the translated multicast group address in a multicast rule When you...

Page 493: ...is directly in the path of traffic on your network and can detect and block attacks For example you can deploy the device with integrated Firewall VPN IDP capabilities between the Internet and an ente...

Page 494: ...hat rules are applied to network traffic by placing the rules in the desired sequential order disabling a rule negating source or destination addresses ScreenOS 5 x devices only and so on Validate a s...

Page 495: ...address objects DI profiles and Global MIPS no predefined objects exist before you can use one of these objects in a rule you must create the object in Object Manager Applying the Same Object to Multi...

Page 496: ...es a Policy Filter tool to filter policy rules based on one or more filter conditions specified for rule attributes One filter can contain several filter conditions for different attributes The filter...

Page 497: ...emplate contains rules that use the default actions associated with the attack object severity and protocol groups You should customize these templates to work on your network by selecting your own ad...

Page 498: ...s Security policies start with a minimum of rules and rulebases You can add additional rules to the rulebases as needed To add a rulebase 1 In the main navigation tree select Policies then double clic...

Page 499: ...on addresses using the Select Address Dialog box In this dialog box you can populate hosts networks group addresses and polymorphic objects based on the context of the IP version selected The policy f...

Page 500: ...are configuring the Source and Destination components of a rule right click in the Source or Destination column of a rule and select Add Address Next click the Add icon at the top of the New Source Ad...

Page 501: ...rvers to your Engineering Servers set the To Zone to Engineering and the From Zone to Marketing Set the source address as the address group object that represents your Marketing servers and the destin...

Page 502: ...ory To control FTP traffic from the Engineering Server in the trust zone to the corporate Web Server in the DMZ zone select the FTP HTTP ICMP ANY and TELNET service objects You can create your own ser...

Page 503: ...ofiles to detect and prevent attacks in permitted traffic For J Series and SRX Series devices you can also use the NSM GUI to enable or disable DI IDP and Application Services To use this feature 1 Se...

Page 504: ...for Firewall Rules on page 461 Configuring Antivirus for Firewall Rules on page 462 Configuring a DI Profile Enable IDP for Firewall Rules on page 463 Configuring the Session Close Notification Rule...

Page 505: ...ng Firewall VPN Devices For J Series devices you can configure a NAT for a policy rule as one of the following An interface A pool of a specific device interface A PoolSet defined under the source NAT...

Page 506: ...o pass through the ingress interface Priority You can set a priority for each firewall rule in your security policy Your security device passes permitted traffic according to the priority level specif...

Page 507: ...ches network traffic to the rule the device creates a traffic log entry that describes that event and NSM displays the traffic log entry in the Log Viewer You can enable logging when a session is init...

Page 508: ...ts the system to output logs to an e mail address in SMTP format You must specify the recipient e mail address es that receives the exported log records Running Scripts Selecting this option directs t...

Page 509: ...curity device correctly checks traffic ID The rule ID is a number that uniquely identifies a rule within the rulebase and security policy After you install a rule as part of a security policy on a sec...

Page 510: ...d to a firewall rule When a profile is bound to the firewall rule the security device matches the URL in the incoming HTTP request to the categories in the profile in the following sequence Black List...

Page 511: ...pecified RAS users to connect without authentication Authentication Use for RAS users that use HTTP FTP or Telnet services to connect to the protected network You can select an access profile as an au...

Page 512: ...et OR is located behind a NAT device that uses a single IP address for all NAT assignments only the first remote user from that source address must initiate and authenticate an HTTP FTP or Telnet conn...

Page 513: ...tect the attack itself NSM contains a database of predefined attack objects that detect known and unknown attacks against your network You can use these predefined attack objects and your own custom a...

Page 514: ...ther mode enables IDP for the firewall rule and configures the security device to forward all permitted traffic to the IDP rulebases for further processing Limiting Sessions per Policy from Source IPs...

Page 515: ...ult this option is disabled Before you can enable the Session Close Notification feature on NSM for a device you must first set the following options a From Device Advanced Packet flow Disable Skip TC...

Page 516: ...ination zone These zones must be available on the security devices on which you install the policy You can also select multiple zone exceptions for both source and destination zones A zone exception i...

Page 517: ...ast2 For Color select red For IP Address enter 232 1 1 2 For Netmask enter 16 NOTE NSM validation prevents you from setting a 32 bit netmask in multicast In the main navigation tree select Policies th...

Page 518: ...ination zones source destination address objects and the application layer protocols services supported by the destination address object You can also negate zones address objects or services Standalo...

Page 519: ...sections detail the Match columns of an IDP rule Configuring Source and Destination Zones for IDP Rules Does not apply to Standalone IDP Sensor rulebases You can select multiple zones for the source a...

Page 520: ...irewall Rule Options When it receives a packet the firewall verifies the role name of the user against the list of user roles and user role groups provided before forwarding the packet You can configu...

Page 521: ...ervices that use TCP UDP RPC and ICMP transport layer protocols Service objects represent the services running on your network NSM includes predefined service objects that are based on industry standa...

Page 522: ...ether or not the traffic matches the attack objects in the matching rule You can use a terminal rule for the following purposes To set different actions for different attacks for the same Source and D...
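
The terminal rule behaviour on page 522 has a pitfall worth seeing in code: once a flow fits a terminal rule's Match columns, IDP stops walking the rulebase whether or not that rule's attack objects matched, so a terminal rule with a narrow attack set silently hides every rule beneath it for that traffic. The Python below is an added example, not NSM's own matching code; rule names, attack object names and addresses are constructed, and zones are left out of the Match columns for brevity.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpRule:
    name: str
    src: str = "any"                          # address object: 'any' or a CIDR prefix
    dst: str = "any"
    service: str = "any"
    attacks: frozenset = frozenset({"any"})   # attack object names, or {'any'}
    action: str = "none"
    terminal: bool = False


def addr_matches(pattern: str, ip: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def rule_matches_flow(rule: IdpRule, src: str, dst: str, service: str) -> bool:
    """The Match columns: source, destination and service."""
    return (addr_matches(rule.src, src) and addr_matches(rule.dst, dst)
            and rule.service in ("any", service))


def evaluate_rulebase(rules, src, dst, service, detected):
    """Walk the rulebase in order and collect (rule, action) for every rule
    whose Match columns fit the flow and whose attack objects include one of
    the attacks detected in it. A terminal rule whose Match columns fit ends
    the walk whether or not its attack objects matched, so rules below it are
    never consulted for that flow."""
    detected = frozenset(detected)
    applied = []
    for rule in rules:
        if not rule_matches_flow(rule, src, dst, service):
            continue
        if "any" in rule.attacks or rule.attacks & detected:
            applied.append((rule.name, rule.action))
        if rule.terminal:
            break
    return applied


# Constructed rulebase: a terminal rule that drops SQL injection from the
# internal range, followed by a catch-all logging rule for HTTP.
RULES = [
    IdpRule("r1-web-sqli", src="10.0.0.0/8", service="HTTP",
            attacks=frozenset({"HTTP:SQL:INJ"}), action="drop_connection", terminal=True),
    IdpRule("r2-web-any", service="HTTP", action="log"),
]

if __name__ == "__main__":
    # Internal client, XSS detected: r1 fits the flow but not the attack, and
    # because r1 is terminal r2 never runs, so the XSS is not even logged.
    print(evaluate_rulebase(RULES, "10.1.1.1", "192.0.2.10", "HTTP", {"HTTP:XSS"}))
    # External client, same attack: r1 does not fit the flow, r2 logs it.
    print(evaluate_rulebase(RULES, "198.51.100.7", "192.0.2.10", "HTTP", {"HTTP:XSS"}))
```

The usual remedy is either to make the narrow rule non-terminal, or to give a terminal rule an attack set broad enough that nothing below it is needed for the flows it matches.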

Page 523: ...against attacks that match rules in your security policy For each attack that matches a rule you can choose to either take action on the packet containing the attack permit or drop packet or take act...

Page 524: ...through Drop Packet IDP drops the connection without sending a RST packet to the sender preventing the traffic from reaching its destination Use this action to drop connections for traffic that is not...

Page 525: ...cks is a good option if you know the exact name of the attack you want to add to a rule To locate a specific word or string in the attack object name use the integrated search function in NSM Attack G...

Page 526: ...ects for several predefined operating systems to help you choose the attack objects that are the most dangerous to specific components on your network You can choose BSD Linux Solaris or Windows Addin...

Page 527: ...he rule Configuring IP Actions in IDP Rules This column only appears when you view the security policy in Expanded Mode To change the security policy view from Compact Mode to Expanded Mode from the m...

Page 528: ...l The security device blocks future traffic based on the source destination destination port and protocol of the attack traffic This is the default Source The security device blocks future traffic bas...

Page 529: ...important security events on your network NOTE J Series and SRX Series devices do not send packet data to NSM If your policy rules attempt to do so then NSM does not log the data Setting Logging In th...

Page 530: ...r a range of VLAN tag values Use VLAN objects to create individual VLAN tags or ranges of VLAN tags You can assign more than one VLAN object to a rule To assign a VLAN object to a rule or to set the V...

Page 531: ...ndalone IDP Sensors function in this mode by default and do not have to be specifically configured for it In this example you are deploying an ISG2000 device as a standalone IDP security system betwee...

Page 532: ...IDP policy NOTE If you select an IDP rule associated with multiple IDP policies from the IDP rule table in a Security Policy window the Policies panel displays the multiple IDP policies to which the r...

Page 533: ...lication objects You can specify the action you want the security device to perform against the current connection and future connections from the same source IP address see Choosing an IP Action Conf...

Page 534: ...e traffic flow row 4 Select Create Application Rules For Policies The New Application Rules dialog box is displayed NOTE If an APE rulebase is not already configured the rulebase is automatically conf...

Page 535: ...In the NSM system address objects are used to represent components on your network hosts networks servers and so on Typically a server or other device on your network is the destination IP for incomin...

Page 536: ...your network you can specify which services are supported by the destination IP to make your rule more efficient NOTE All services rely on a transport layer protocol to transmit data IDP includes ser...

Page 537: ...iption Action IDP takes no action against the connection If a rule that contains an action of None is matched the corresponding log record displays accept in the action column of the Log Viewer None I...

Page 538: ...in Expanded Mode To change the security policy view from Compact Mode to Expanded Mode from the menu bar select View Expanded Mode If the current network traffic matches a rule the security device ca...

Page 539: ...re are no logging options set Setting Timeout Options You can set the number of seconds that you want the IP action to remain in effect after a traffic match For permanent IP actions leave the timeout...

Page 540: ...packet capture enabled match the same attack the security device captures the maximum specified number of packets For example you configure Rule 1 to capture 10 packets before and after the attack and...

Page 541: ...rforming the specified action or creating a log record for the event NOTE If you delete the IDP rulebase the Exempt rulebase is also deleted You might want to use an exempt rule when an IDP rule uses...

Page 542: ...r network traffic originating or destined for any zone NOTE You can create custom zones for some security devices The list of zones from which you can select source and destination zones includes the...

Page 543: ...shed to the target devices To enter a comment right click the Comments column and select Edit Comments The Edit Comments dialog box appears You can enter up to 1024 characters in the Comments field Cr...

Page 544: ...can detect all backdoors both known and unknown If interactive traffic is detected IDP can perform IDP actions against the connection to prevent the attacker from further compromising your network Wh...

Page 545: ...OTE You can create custom zones for some security devices The list of zones from which you can select source and destination zones includes the predefined and custom zones that have been configured fo...

Page 546: ...spoofing Drop Connection IDP closes the interactive connection and sends a RST packet to both the client and the server If the IDP is in sniffer mode IDP sends a RST packet to both the client and ser...

Page 547: ...og record Logging Packets You can record the individual packets in the network traffic that matched a rule by capturing the packet data for the attack Viewing the packets used in an attack on your net...

Page 548: ...or rulebase to prevent it The TCP Handshake When a TCP connection is initiated a three way handshake takes place A client host sends a SYN packet to a specific port on the server to request a connecti...

Page 549: ...hold below which SYN Protector will be deactivated the default value is 1000 Upper SYN s per second threshold above which SYN Protector will be activated the default value is 20 Once the SYN Protector...

Page 550: ...ons are established promptly minimizing the use of server resources The timer IDP uses for the connection establishment is shorter than the timer the server uses for the connection queue IDP transfers...

Page 551: ...column of the Log Viewer for the matching log record Logging Packets You can record the individual packets in the network traffic that matched a rule by capturing the packet data for the attack Viewin...

Page 552: ...to connect to every port on a single machine port scanning or connect to multiple IP addresses on a network network scanning By determining which services are allowed and responding on your network at...

Page 553: ...an 50 IP addresses on your internal network within 120 seconds The same Source IP attempts to ping 50 IP addresses on your internal network within 120 seconds Session Limiting You can set a session li...

Page 554: ...monitor The values are measured in number of hits Port Count in a particular number of seconds Time Threshold Setting Response Options The IP Action column governs what action the IDP Sensor takes whe...
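
The Traffic Anomalies rulebase on pages 552 to 554 is a hit-count-within-a-time-window detector (more than 50 addresses from one source within 120 seconds for a network scan, a Port Count within a Time Threshold for a port scan), and its IP Action column reuses the scope and timeout semantics from pages 528 and 539 (block by source, or by source, destination, destination port and protocol, for a number of seconds). The following Python is an added example that puts those pieces together; it is not NSM's or the IDP sensor's code. The 50 address and 120 second values come from the page; the port count of 20, the 300 second block timeout and the sample flow records are constructed assumptions.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Sliding-window detector for two anomalies: a network scan (one source
    reaching more than ip_count distinct hosts within time_threshold seconds)
    and a port scan (one source reaching more than port_count distinct ports
    on one host in that window). A detection installs an IP action that drops
    later matching traffic for block_timeout seconds; scope 'source' keys it
    on the source address alone, scope 'tuple' on source, destination,
    destination port and protocol."""

    def __init__(self, ip_count=50, port_count=20, time_threshold=120.0,
                 block_timeout=300.0, scope="source"):
        self.ip_count = ip_count
        self.port_count = port_count
        self.window = float(time_threshold)
        self.block_timeout = float(block_timeout)
        self.scope = scope
        self._hosts_by_src = defaultdict(deque)        # src -> deque[(ts, dst)]
        self._ports_by_pair = defaultdict(deque)       # (src, dst) -> deque[(ts, dport)]
        self._ip_actions = {}                          # key -> expiry timestamp
        self.dropped = 0

    def _key(self, src, dst, dport, proto):
        return (src,) if self.scope == "source" else (src, dst, dport, proto)

    def is_blocked(self, ts, src, dst, dport, proto="tcp"):
        key = self._key(src, dst, dport, proto)
        expiry = self._ip_actions.get(key)
        if expiry is None:
            return False
        if ts >= expiry:                 # timeout elapsed: the IP action is removed
            del self._ip_actions[key]
            return False
        return True

    def _trim(self, dq, ts):
        while dq and dq[0][0] < ts - self.window:
            dq.popleft()

    def _fire(self, kind, ts, src, dst, dport, proto, count):
        key = self._key(src, dst, dport, proto)
        self._ip_actions[key] = ts + self.block_timeout
        return {"kind": kind, "ts": ts, "src": src, "count": count,
                "ip_action": key, "expires": ts + self.block_timeout}

    def observe(self, ts, src, dst, dport, proto="tcp"):
        """Feed one flow record; returns the list of alerts it triggered."""
        if self.is_blocked(ts, src, dst, dport, proto):
            self.dropped += 1
            return []
        alerts = []
        hosts = self._hosts_by_src[src]
        hosts.append((ts, dst))
        self._trim(hosts, ts)
        distinct_hosts = len({d for _, d in hosts})
        if distinct_hosts > self.ip_count:
            alerts.append(self._fire("network_scan", ts, src, dst, dport, proto, distinct_hosts))
        ports = self._ports_by_pair[(src, dst)]
        ports.append((ts, dport))
        self._trim(ports, ts)
        distinct_ports = len({p for _, p in ports})
        if distinct_ports > self.port_count:
            alerts.append(self._fire("port_scan", ts, src, dst, dport, proto, distinct_ports))
        return alerts


def replay(detector, flows):
    """Run (ts, src, dst, dport, proto) records through the detector."""
    alerts = []
    for ts, src, dst, dport, proto in flows:
        alerts.extend(detector.observe(ts, src, dst, dport, proto))
    return alerts


# Constructed sample traffic: a sweep of 60 hosts on tcp/445 at one flow per
# second, then a 25-port probe of a single host from a second source.
SWEEP = [(float(i), "203.0.113.5", f"10.0.0.{i + 1}", 445, "tcp") for i in range(60)]
PROBE = [(1000.0 + p, "203.0.113.7", "10.0.0.9", p, "tcp") for p in range(1, 26)]

if __name__ == "__main__":
    det = ScanDetector()
    for alert in replay(det, SWEEP + PROBE):
        print(alert)
    print("flows dropped by IP actions:", det.dropped)
```

Two things the replay makes visible: a scanner that spaces probes more than window/ip_count apart never crosses the threshold, so the counts are a tuning decision and not a guarantee; and the tuple-scoped IP action (the page's default) only blocks the one destination that tripped the rule, so during a sweep it fires once per new host while a source-scoped action stops the scanner after the first detection.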

Page 555: ...column of the Log Viewer for the matching log record Logging Packets You can record the individual packets in the network traffic that matched a rule by capturing the packet data for the attack Viewin...

Page 556: ...tackers who are attempting to break into your network A counterfeit port can appear to offer notoriously vulnerable services to make the port attractive to attackers You create a counterfeit port in t...

Page 557: ...Configure your IP Action settings as appropriate for your network Setting Notification You can choose to log an attack and create log records with attack information that you can view real time in the...

Page 558: ...fter the attack NOTE Packet captures are restricted to 256 packets before and after the attack Setting Severity You can override the inherent attack severity on a per rule basis within the SYN Protect...

Page 559: ...you want to assign to the device Double click a device to open the device configuration In the Info tab under Policy for device select the policy you want to assign to the device You can use a single...

Page 560: ...l problems can leave your network vulnerable Rule Duplication Rule duplication occurs when an administrator configures the same rule in a rulebase more than once Rule duplication can also occur during...

Page 561: ...lso identify unsupported options in your security policy Because different security devices and systems support different features and options policy validation checks the rules in the policy to ensure...
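
Policy validation on pages 560 and 561 flags rule duplication (the same rule configured more than once) among the problems that can leave a network exposed. The Python below is an added example of such a validator, not NSM's own checker; it goes one step beyond the page by also reporting rules that an earlier, broader rule shadows, since a duplicated or shadowed deny is the case that actually opens a hole. The rules, zones, address prefixes and service names are constructed, and addresses are assumed to be IPv4 CIDR prefixes or the literal any.

```python
import ipaddress
from dataclasses import dataclass

MATCH_FIELDS = ("from_zone", "to_zone", "src", "dst", "service")


@dataclass(frozen=True)
class FwRule:
    name: str
    from_zone: str
    to_zone: str
    src: str        # 'any' or a CIDR prefix
    dst: str
    service: str    # 'any' or a service object name
    action: str     # 'permit' or 'deny'


def covers_addr(outer: str, inner: str) -> bool:
    """True when every address matched by inner is also matched by outer."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def covers_field(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def covers(earlier: FwRule, later: FwRule) -> bool:
    """True when every flow the later rule could match is already matched by
    the earlier one, so the later rule is never reached."""
    return (covers_field(earlier.from_zone, later.from_zone)
            and covers_field(earlier.to_zone, later.to_zone)
            and covers_addr(earlier.src, later.src)
            and covers_addr(earlier.dst, later.dst)
            and covers_field(earlier.service, later.service))


def validate(rules):
    """Return (problem, earlier_rule, later_rule) findings in rule order:
    'duplicate' for an identical rule, 'shadowed' for an unreachable rule with
    the same action, 'shadowed_conflict' for an unreachable rule whose action
    differs (the dangerous case)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_match = all(getattr(earlier, f) == getattr(later, f) for f in MATCH_FIELDS)
            if same_match and earlier.action == later.action:
                findings.append(("duplicate", earlier.name, later.name))
                break
            if covers(earlier, later):
                kind = "shadowed_conflict" if earlier.action != later.action else "shadowed"
                findings.append((kind, earlier.name, later.name))
                break
    return findings


# Constructed zone rulebase with a duplicate and a deny that can never fire.
RULES = [
    FwRule("allow-web", "Trust", "DMZ", "10.1.0.0/16", "10.2.0.10/32", "HTTP", "permit"),
    FwRule("allow-web-dup", "Trust", "DMZ", "10.1.0.0/16", "10.2.0.10/32", "HTTP", "permit"),
    FwRule("deny-eng-web", "Trust", "DMZ", "10.1.5.0/24", "10.2.0.10/32", "HTTP", "deny"),
    FwRule("allow-ssh", "Trust", "DMZ", "any", "10.2.0.0/24", "SSH", "permit"),
    FwRule("deny-all", "any", "any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for finding in validate(RULES):
        print(finding)
```

Moving deny-eng-web above allow-web clears the conflict; the duplicate is simply removed. Rule order matters because the first matching rule wins, which is also why the page's note about rules collapsing on merge deserves a re-run of validation afterwards.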

Page 562: ...olicy installation NSM installs the rules in the policy on the security devices you selected in the Install On column of each rule The install process occurs between the management system and your man...

Page 563: ...m the menu bar select Tools Preferences Device Update The system wide setting enabled or disabled becomes the default setting for all device updates but you can change the setting as needed for each i...

Page 564: ...pdate IDP Rulebase Only check box in the Update Device Options dialog box The IDP on ISG rulebases are as follows IDP Backdoor Exempt Managing Rules and Policies Managing rules and policies for multip...

Page 565: ...t disable an entire security policy or a rulebase You can however disable individual rules for details see Disabling a Rule on page 517 When you reimport a device that was previously managed by NSM yo...

Page 566: ...he field value you cut or copied is added in the field that received the paste operation If an element is pasted into a field that specifies any then any is deleted Cut copy and paste operations are n...

Page 567: ...alone IDP device into the Install On column for a zone based firewall rulebase Dragging and dropping objects is also not supported on any predefined IDP policy Deleting a Rule To delete a rule right c...

Page 568: ...reassign a policy to a reimported device For example if you reimport a previously managed security device you might want to first merge the imported policy with a more comprehensive policy then assig...

Page 569: ...and install on columns then collapses those rules into a single rule NSM does not collapse rules that contain different zones or rules that refer to unique VPNs By default NSM also updates the device...

Page 570: ...case of in device policy management In addition the inactive policies are not displayed on the UI when the device is in central policy manager mode All shared objects that are used in the inactive pol...

Page 571: ...ile Export Policy from the menu bar In the dialog box select Zone based Firewall Rules Select Show Expanded View Browse to an export directory and click Select Export Directory Click Export NSM create...

Page 572: ...ays the version history for the selected policy You can use this window to create a new version or work with existing versions When you set NSM up for automatic policy versioning a new version is crea...

Page 573: ...on This section explains how to edit comments for an existing policy version To edit comments for an existing version 1 In the NSM GUI right click on a policy 2 In the popup menu select View Versions...

Page 574: ...Select an earlier version in the window and click Next A Diff window appears comparing the old and current version 6 View the differences and click Next The Object Editor appears 7 Make any necessary...

Page 575: ...to decrement the final number default none Comments Contains You can enter partial text from the version comments in this field Create After Click the up arrow to increment the start date for the app...

Page 576: ...evices 2 Under the Device Tree tab right click on a listed device 3 In the popup menu select View Versions The Version History window appears 4 Select the older database version in the window and clic...

Page 577: ...omain hierarchy is used when applying pre post rules to subdomains Within any subdomain global domain pre rules take precedence over subdomain pre rules which take precedence over Security policy spec...

Page 578: ...dds a domain level pre post rule either from the regional server or from the Central Manager server pushing prerules and postrules to the regional server the regional server generates a server wide un...

Page 579: ...nd postrules to Regional Server This procedure assumes that a Central Manager administrator is logged onto a Central Manager client and a pre post rule has been added To push a pre post rule 1 In the...

Page 580: ...cts are objects that can be defined at the Central Manager or regional server level Polymorphic objects can be used as place holders for values that will be defined in a different context in a regiona...

Page 581: ...ect Categories Polymorphic objects are in the same category as concrete objects of the same nature The shared object type attribute includes a new value for polymorphic objects of a specific category...

Страница 582: ...Address to open the Add Polymorphic Address dialog box 4 Enter the following information for the new polymorphic address then click OK Name Color optional IP version IPv4 or IPv6 Comment optional NSM...

Страница 583: ...o show the polymorphic address objects pushed to this regional server 4 Double click the object you want to map to a real value 5 Click the Add icon in the toolbar to open the New Address Map Entry di...

Page 584: ...Copyright 2010 Juniper Networks Inc 534 Network and Security Manager Administration Guide...

Page 585: ...these shared objects into the transaction rule Juniper Networks M Series and MX Series routers running Junos 9 5 and later can be managed in two modes Central Policy management CPM and In Device manag...

Page 586: ...st source Enter a regular expression Contacts Enter a regular expression 7 Select the desired action for the rule under the Then header The actions are Accept Accept the traffic and send it to its des...

Page 587: ...from log reports Admission controller settings are dropped from the policies pushed to devices running Junos OS Releases earlier than 9 5 NOTE NSM 2009 1 and later releases support BSG transactions in...

Page 589: ...t to this NAT rulebase A rule set consists of a general set of matching conditions for traffic If the traffic matches these conditions then that traffic is selected for NAT A rule set can contain mult...

Page 590: ...Rule Set to the Source NAT Rulebase To add a rule set to the source NAT rulebase 1 Click at the upper left corner of the Source NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set di...

Page 591: ...ing a Rule to a Source NAT Rule Set To add a new rule to a rule set 1 From the Source NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Source NAT t...

Page 592: ...tions to perform Under the Name header Add Rule Enables you to add rules to the rule set from the New Rule dialog box Specify the values and click OK Add Source Enables you to view and modify the sour...

Page 593: ...t All requests from a specific internal IP address and port are mapped to the same reflexive transport address Target host port All requests from a specific internal IP address and port are mapped to...

Page 594: ...e set to the destination NAT rulebase 1 Click at the upper left corner of the Destination NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set dialog box appears Here you must specify...

Page 595: ...le to a Destination NAT Rule Set To add a new rule to a rule set 1 From the Destination NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Destinatio...

Page 596: ...e source that you set previously Under the Match header Src Address Edit Enables you to cut copy and paste the values that are within this field Add Src address Enables you to add additional sources E...

Page 597: ...is rulebase For more information on adding static NAT rule sets to the rulebase see Adding a Rule Set to a Static NAT Rulebase on page 547 Adding a Rule Set to a Static NAT Rulebase To add a rule se...

Page 598: ...name gets created and is displayed in the Security Policy window The next step is to add rules to the rule set For more information see Adding a Rule to a Static NAT Rule Set on page 548 Adding a Rule...

Page 599: ...are satisfied with the values click OK Add Source Enables you to view and modify the source that you set previously Under the Zone RJ Interface header View Modify Source Enables you to view and modify...

Page 601: ...appear as a single wide area network WAN VPNs replace costly Point to Point Protocol PPP and Frame Relay connections that require dedicated lines and sometimes even satellites between your private net...

Page 602: ...single device Creating System Level VPNs with VPN Manager For AutoKey IKE and L2TP VPNs create the VPN at the system level using VPN Manager VPN Manager supports AutoKey IKE VPNs In policy based or ro...

Page 603: ...or policy based VPNs or to control traffic through the tunnel for route based VPNs You can also create AutoKey IKE L2TP and L2TP over AutoKey IKE VPNs at the device level Supported VPN Configurations...

Page 604: ...tunnel VPN tunnel termination points are the end points of the tunnel traffic enters and departs the VPN tunnel through these end points Each tunnel has two termination points a source and destination...

Page 605: ...l spokes if you do not include the hub the hub device routes traffic between spokes Use a hub and spoke topology when you want to route VPN traffic through a VPN member that does not contain protected...

Page 606: ...ata is encrypted at the source and remains encrypted until reaching its destination Intermediate systems that transmit the packet like routers and switches on the Internet do not need to decrypt the p...

Page 607: ...Key IKE VPN you can use the Internet Key Exchange IKE protocol to generate and distribute encryption keys and authentication algorithms to all VPN nodes IKE automatically generates new encryption keys...

Page 608: ...RADIUS servers However because PPP is not an IP protocol Internet routers and switches cannot route PPP packets To route PPP packets you use L2TP which encapsulates PPP packets inside an Internet rout...

Page 609: ...e Based VPNs Like a policy based VPN a route based VPN tunnels traffic between two security devices or between one security device and a remote user However a route based VPN automatically tunnels all...

Page 610: ...s Define Security Protocol Encryption and Authentication How do you want to protect the VPN traffic Autokey IKE L2TP L2TP over AutoKey IKE Manual Key you cannot use VPN Manager to create a Manual Key...

Page 611: ...and AH Authentication ESP AutoKey IKE Encryption IP traffic Remote access users L2TP RAS VPN Use to authenticate but not encrypt PPP or other non IP traffic between RAS users and protected resources A...

Page 612: ...ust configure all basic and required policy and route based components NOTE For step by step instructions on creating VPNs see the NSM Online Help topic VPNs Preparing Basic VPN Components To create a...

Page 613: ...that represent those network components to the protected resource object To protect a single network component that is accessible by multiple security devices add multiple devices to the protected res...

Page 614: ...IKE Uses IPSec ESP and AH for encryption and authentication AutoKey IKE users have a unique IKE ID that NSM uses to identify and authenticate the user during IKE Phase I negotiations To simplify RAS...

Page 615: ...DC in wildcard when using ASN1 DN to create IKE ID or a group of Wildcard ID NSM devices authenticate a RAS IKE user s ID if the values in the RAS IKE user s ASN1 DN identity fields match those in th...

Page 616: ...unnel interface borrows the IP address of the default interface of the security zone Tunnel Zones A tunnel zone is a logical construction that includes one or more numbered tunnel interfaces You must...

Page 617: ...t obtain and install a digital certificate on each VPN member A digital certificate is an electronic means for verifying identity through the word of a trusted third party known as a Certificate Autho...

Page 618: ...t CA You can also use SCEP to configure the device to automatically obtain a CA certificate at the same time it receives the local certificate Configuring CRL Objects A Certificate Revocation List CRL...

Page 619: ...not support routing based VPNs mixed mode VPNs or L2TP RAS users L2TP RAS VPN Use to connect L2TP RAS users and protected resources without encryption L2TP over AutoKey IKE RAS VPN Use to connect L2TP...

Page 620: ...gs For all protected resources you can configure policy based NAT Use policy based NAT to translate private source IP addresses to Internet routeable IP addresses Configuring NAT is optional if you do...

Page 621: ...MIP to use a mapped IP address for the interface Global MIP Select the global MIP object that represents the mapped IP address you want to use for the interface Global VIP Select the global VIP object...

Page 622: ...e settings object on a specific device in the VPN those settings override the settings defined in the VPN Adding RAS Users In the Remote User area you can add RAS users to the VPN When configuring an...

Page 623: ...table entry to a specific VPN tunnel in the NHTB table the device can use one tunnel interface for all VPN traffic through the device This option is enabled by default To create entries in the Next H...

Page 624: ...capabilities and the topology describes the logical connections between those nodes A node can be Hub A hub can connect to a branch or main Main A main can connect to a hub branch or another main Whe...

Page 625: ...already set as a Hub then you cannot set it as a Spoke or vice versa Assign NHRP redistribution rules You can make this setting from the VPN Manager VPNs AutoKey IKE VPN VPN Device Tunnel Summary Edit...

Page 626: ...automatically generates the termination point for the serial interface during VPN creation To override the default termination interface right click the VPN member select Edit and select a new termin...

Page 627: ...ts VPN performance you should only use NAT Traversal for remote users that must connect to the VPN over an external NAT device You do not need to enable NAT T for your internal security device nodes t...

Page 628: ...to authenticate Allowed Authentication Type Select Any or CHAP User Name and Password Enter the user name and password that the RAS user must provide for authentication NOTE All passwords handled by...

Page 629: ...uthentication method to Preshared Key To use a user defined proposal select a single proposal from the list of predefined and custom IKE Phase 1 Proposals For details on custom IKE proposals If your VP...

Page 630: ...ully Qualified Domain Name when the gateway is a dynamic IP address such as a RAS user A U FQDN is an e mail address For example user1 mycompany com Configuring IKE To configure the IKE properties and...

Page 631: ...at the VPN monitoring status has changed the device triggers an SNMP trap the VPN Monitor in RealTime Monitor tracks these SNMP statistics for VPN traffic in the tunnel and displays the tunnel status...

Page 632: ...If your VPN includes extranet devices you should use multiple proposals to increase security and ensure compatibility Autogenerating VPN Rules When you have completed configuring the policy and route...

Page 633: ...ate NSM window using the same row and column format as in the Security Policies NOTE Policy rules do not appear for route based VPNs Changing Rule Position The position of the rules indicates the orde...

Page 634: ...oKey IKE VPN Settings For VPNs that use AutoKey IKE this displays the VPN name remote gateway and IPSec Mode for each tunnel in the VPN To override the general properties security binding proxyID and...

Page 635: ...rides the VPN link automatically updates to reflect those edits Editing VPNs To edit a VPN created with VPN Manager 1 In the navigation tree select VPNs A table listing all configured VPNs appears in...

Page 636: ...Manual Key VPN see Device Level VPN Examples on page 616 Example Configuring an Autokey IKE Policy Based Site to Site VPN An AutoKey IKE VPN connects protected resources using AutoKey IKE Use this VPN...

Page 637: ...t Network Configure the following then click OK For Name enter Tokyo Trust LAN For IP Address Netmask enter 10 1 1 0 24 For Color select magenta For Comment enter Tokyo Trust Zone b Add the Paris Trus...

Page 638: ...tected Resource Object for AutoKey IKE VPN 5 Create the VPN In the navigation tree double click VPN Manager then right click VPNs and select AutoKey IKE VPN The New AutoKey IKE VPN dialog box appears...

Page 639: ...lowing For Hub and Supernet leave the default of none Enable Mesh Main s In the Mains window select the Paris and Tokyo security devices c Click OK to return to the Topology dialog box then click OK t...

Page 640: ...d the VPN Manager autogenerated rules You create this link by inserting a VPN link in the zone rulebase this link points to the VPN rules that exist in the VPN Manager In Security Policies select an...

Page 641: ...1 1 1 24 in the Untrust zone 2 Create the address objects that you will use to create Protected Resources for details on creating or editing address objects a Add the Chicago Corporate Trusted LAN 10...

Page 642: ...s In the main display area click the Add icon and select Local Configure then click OK Figure 92 Add New Local User for AutoKey IKE RAS VPN 6 Create the VPN In the navigation tree double click VPN Man...

Page 643: ...Chicago Corporate to use ethernet3 as the termination point this is the Untrust interface then click OK to return to the main display area 9 Configure the remote users for the VPN a In the Remote User...

Page 644: ...of the policy but you can move the VPN link anywhere in the policy just as you would a firewall rule Example Configuring an Autokey IKE Route Based Site to Site VPN In this example an AutoKey IKE VPN...

Page 645: ...s Netmask enter 10 2 2 0 24 For Color select magenta For Comment enter Paris Trust Zone Create the VPN In the navigation tree double click VPN Manager Right click VPNs and select AutoKey IKE VPN The N...

Page 646: ...his VPN is route based no rules are autogenerated However you can view the device tunnel summary to see all autogenerated tunnels between each security device in the VPN Figure 94 View Tunnel Summary...

Page 647: ...Select Network Virtual Router to display the list of virtual routers on the device 8 Double click the trust vr route to open the vr for editing In the virtual router dialog box click Routing Table th...

Page 648: ...attributes VSAs on the server 2 Add the authentication server object In the main navigation tree select Object Manager Authentication Servers and click the Add icon Configure the following then click...

Page 649: ...Reseller group In the Object Manager select Address Objects then click the Add icon and select Network The New Network dialog box appears Configure the following then click OK For Name enter reseller...

Page 650: ...OK 2 Configure the termination points of the VPN Click the Termination Points link The Termination Points dialog box appears 3 Configure the Bozeman device to use ethernet3 as the termination point t...

Page 651: ...area Right click the autogenerated gateway and select Edit The Properties tab appears In the IKE IDs XAuth tab configure the XAuth area to authenticate only the Reseller external group For user select...

Page 652: ...t support RAS users L2TP VPNs support transport mode and can be policy based Creating AutoKey IKE VPNs Creating device level AutoKey IKE VPNs is a four stage process Configure Gateway Configure Routes...

Page 653: ...for that device Each security device member has a remote gateway that it sends and receives VPN traffic to and from To configure a gateway for a VPN member you need to define the local gateway the int...

Page 654: ...t are users select the User object or User Group object that represents the RAS user Dynamic IP Address For remote gateways that use a dynamic IP address select dynamic IP address Outgoing Interface T...

Page 655: ...ASN1 DN Abstract Syntax Notation version 1 is a data representation format that is non platform specific Distinguished Name is the name of the computer Use ASN1 DN to create a Group ID that enables m...

Page 656: ...authentication password is sent in the clear User Name and Password Enter the user name and password that the RAS user must provide for authentication NOTE All passwords handled by NSM are case sensit...

Page 657: ...urity and ensure compatibility Configuring Routes Route based only For a routing based VPN member you must configure Tunnel zone or tunnel interfaces on the member Static or dynamic routes from the me...

Page 658: ...de for L2TP over IPSec NSM does not encapsulate the IP packet meaning that the original IP header must remain in plaintext However the original IP packet can be authenticated and the payload can be en...

Page 659: ...ed tunnel zone on the security device to bind the VPN tunnel directly to the tunnel zone The tunnel zone must include one or more numbered tunnel interfaces when the security device routes VPN traffic...

Page 660: ...le VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitoring behavior as follows Considers incoming traffic in the VPN tunnel as ICMP echo repli...

Page 661: ...ic routes from the member to other VPN members VPN traffic flows through the tunnel zones or tunnel interfaces on the security device and uses static or dynamic routes to reach other VPN members You m...

Page 662: ...ace or tunnel zone to increase the number of available interfaces in the security device To use a tunnel interface and or tunnel zone in your VPN you must first create the tunnel interface or zone on...

Page 663: ...populate the next hop tunnel binding table NHTB table and the route table when multiple VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitorin...

Page 664: ...ion assigned by the user s ISP However when the L2TP RAS user sends VPN traffic through the tunnel the security device assigns a new IP address and WINS DNS information that enables the traffic to rea...

Page 665: ...4 2 Configure L2TP Settings see Configuring L2TP on page 614 3 Configure Peer Gateway see Configuring Gateways on page 603 4 Configure Routes Route based only see Configuring Routes Route based only o...

Page 666: ...e on the source VPN member that contains the termination interface for the VPN tunnel To Zone Select the zone on the destination VPN member that contains the termination interface for the VPN tunnel S...

Page 667: ...1 Add the Tokyo and Paris security devices 2 Configure the Tokyo device with the following interfaces Ethernet1 is the Trust IP 10 1 1 1 24 in the Trust zone Ethernet3 is the Untrust IP 1 1 1 1 24 in...

Page 668: ...as shown below For Name enter Tokyo_Paris For Gateway enter 2 2 2 2 For Local SPI enter 3020 For Remote SPI enter 3030 For Outgoing Interface select ethernet3 For ESP AH select ESP CBC For Encryption A...

Page 669: ...tables 16 Configure a route from the untrust interface to the gateway and then click OK Figure 95 Configure Tokyo Route for RB Site to Site VPN MK 17 Configure route from the trust zone to the tunnel...

Page 670: ...Properties screen appears 3 Configure the following then click OK For Zone select untrust For IP Options select Unnumbered For Source Interface select ethernet3 4 Create the Paris VPN In the device na...

Page 671: ...ation based and source based routing tables ScreenOS 5 1 and later devices display destination based source based and source interface based routing tables 4 Configure a route from the untrust interfa...

Page 672: ...rity devices and the shared address objects Next you configure the VPN tunnel and add the necessary static routes on each device Finally you create VPN rules in a security policy to create the VPN tun...

Page 673: ...tication Algorithm select SHA 1 then select Generate Key by Password and enter the password PNas134a 4 Select the Binding tab Enable Tunnel Zone and select untrust tun 5 Click OK to save the new VPN 6...

Page 674: ...e settings objects 1 Configure an L2TP user object for Adam then click OK For Name enter Adam Select Enable then select L2TP Select Password then enter and confirm the password AJbioJ15 2 Configure an...

Page 675: ...lect Field Sales 4 Click OK to save your changes to the device 5 Configure a rule in the Zone Rulebase of a security policy Auto Connect Virtual Private Network Hub and spoke configurations are deploy...

Page 676: ...en select the devices to be included in the hub and spoke topology Click OK 3 Configure the topology In the general configuration area of the VPN Manager click the Topology link The New Topology dialo...

Page 677: ...ox appears Click Protocol NHRP Ensure that the Enable NHRP check box is selected Click OK 8 For the hub virtual router NHRP settings In the configuration area of this VPN click the Device Tunnel Summa...

Page 679: ...are used by Central Manager pre post rules are available in regional servers attack db and so on When you update pre post rules the Central Manager and regional server versions must match NOTE You can...

Page 680: ...any of the regional servers managed by Central Manager and begin managing the servers using all assigned permissions No extra log on off steps are required for administrators to navigate from one reg...

Page 681: ...object manager and the VPN manager NOTE You cannot switch a J Series or SRX Series device from central management mode to device management mode if the device has an assigned policy Using Central Mana...

Page 682: ...Central Manager administrators can log into regional servers directly from Central Manager The following procedure assumes that a Central Manager administrator is logged onto a Central Manager client...

Page 683: ...pdated only if they are actually being used by the pre post rules on the Central Manager server All new shared objects are replicated inserted into the global domain of the regional server Objects tha...

Page 684: ...added existing polymorphic object are kept and incoming global policy rules use existing polymorphic object Incoming polymorphic object with the same name are discarded Name conflict with a regional s...

Page 685: ...network can include J Series M Series MX Series and EX Series devices as well as ScreenOS and IDP devices IP phones desktops printers and servers The Topology Manager also provides details about connec...

Page 686: ...ws and not the different table views To add a device a Select the Manage Devices icon A dialog opens b Enter the SSH user name and password c Select OK Set Preferences Use this tool to set preferences...

Page 687: ...all switches and switch ports as well as on all LLDP or LLDP MED enabled devices such as IP Phones Ensure that the included subnets specified in Topology Manager preferences are sufficient for all swi...

Page 688: ...links among network devices in the topology both between network devices as well as between network and end point devices 9 Select Free Ports to view a list of EX Series switches and the available po...

Page 689: ...part of a Link Aggregation Group LAG are displayed as a single distinctive link between the interfaces Menu Options in the Topology Map View You can perform the following actions from the right click...

Page 690: ...only when the topology discovery is completed About the NSM Topology Table Views The NSM Topology Manager provides both graphical and tabular views of your network topology A tabular view of the topol...

Page 691: ...table lists all the free ports available on the devices discovered by the topology discovery engine If the administrative status of a device port is down it is considered a free port The managed statu...

Page 692: ...topology You can set a particular time of day or regular intervals The time of your initial discovery serves as the basis of calculation for future discoveries Preferred Subnets Tab This tab allows yo...

Page 693: ...u to open the configuration editor to view and edit a device s configuration Update device configuration You can use the Update menu to update the changed configuration on the device View device detai...

Page 695: ...ethernet switching port mode is set to access RSTP is enabled with the edge option and port security parameters MAC limit 1 dynamic ARP Inspection and DHCP snooping enabled are set Layer 2 Uplink Port...

Page 696: ...ion to resolve conflicts between the port template configuration and the actual configuration on the associated device See Detect and Resolve Configuration Conflicts on page 648 for details Customize p...

Page 697: ...ave the changes and close the Manage Template Port Association screen To edit port template parameters 1 Select the port template from the list in the Manage Template Port Association screen 2 Click E...

Page 698: ...administrator you can create port templates using the Customize Port Template feature 2 To modify the default template name type a name in the Template Name field 3 To modify the default description t...

Page 699: ...duler Map Name field 4 To edit scheduler settings click Edit Scheduler The Edit Scheduler screen is displayed Specify the following Scheduler name Transmit Rate Select one Unconfigured if you do not w...

Page 701: ...of Infranet Controllers IC and Enforcement Points EP The Infranet Controller View on page 651 The Enforcement Point View on page 652 The Infranet Controller View The NSM main display area is horizont...

Page 702: ...n the selected IC Each EP can be associated with only one Location Group available in the IC 5 Enter the Infranet Controller port to which the EP should communicate The default port is 1812 6 Enter th...

Page 703: ...re removed from the IC Resolving Configuration Conflicts with the Infranet Controller in the UAC Manager Before you resolve configuration conflicts perform an Import Device to identify the actual conf...

Page 704: ...onfiguration Conflicts operation cannot identify these entries from the RADIUS client of the IC Enabling 802 1X on Enforcement Point Ports in the UAC Manager To enable 802 1X on ports on Enforcement P...

Page 705: ...Resolving Configuration Conflicts Between Devices and 802 1X Ports in the UAC Manager The Resolve Configuration Conflict option allows you to detect any inconsistency between the device configuration...

Page 707: ...PART 4 Monitoring Realtime Monitoring on page 659 Analyzing Your Network on page 709 Logging on page 739 Reporting on page 809 657 Copyright 2010 Juniper Networks Inc...

Page 709: ...time Monitor on page 697 Monitoring the Management System on page 698 About the Realtime Monitor The Realtime Monitor module in NSM enables you to monitor real time status and statistics about all the...

Page 710: ...sessions that have been implemented within the domain you are working in From the VPN Monitor you can determine if a VPN tunnel is up down or not monitored NSPR Monitor Displays status information ab...

Page 711: ...ously detected in NSM This could happen in the event that the automatic adjustment option was cleared during a change device firmware directive or an Update Device directive was issued to an IDP devic...

Page 712: ...device in NSM Up Device is currently connected to NSM Down Device is not currently connected to NSM but has connected in the past Never Connected Device has never connected to NSM The Device Server c...

Page 713: ...The inventory information in the NSM database is synchronized with the licenses on the device Out Of Sync The inventory information in the NSM database is not synchronized with the licenses on the de...

Page 714: ...formation appears in the Device Monitor in the Device Summary Interface Viewing Device Monitor Alarm Status Alarms refresh automatically through periodic polling To view the Alarm status and time 1 Fr...

Page 715: ...tus Table 51 Device Detail Status Items Description Item ScreenOS firmware version running on the device OS Version Current operation mode of the device Network Address Translation NAT Transparent or...

Page 716: ...ndow NOTE The information in the Device Statistics window appears slightly different for firewall VPN devices and IDP sensors Device Statistics Summary The Device Statistics Summary displays the follo...

Page 717: ...from Greenwich Mean Time this is not displayed in the Vsys view GMT Time Offset Hours Whether you have enabled the security device to adjust time for daylight savings DayLight Saving Additional Devic...

Page 718: ...ecurity device Enables you to view CPU Memory and Session Utilization trends Resource Statistics System View administrator and user activities active VPNs and authenticated users on a security device...

Page 719: ...al number of data connections Total Connections The relative percentage of connections Connection Rel The total numerical difference between the current connection value and the previous connection va...

Page 720: ...enabled for each security device You can view up to ten protocols A bar graph displays a percentage of the absolute number of bytes for the top 10 protocols by default Table 55 on page 670 describes...

Page 721: ...and data depicted graphically in the same way that you adjust the Policy Distribution graphs You can also adjust the data types in the Protocol Distribution graph by Bytes In Bytes Out Packets In Pac...

Page 722: ...rity Association SA information Traffic over the tunnel such as bytes in out packets in out utilization Table 56 on page 672 describes all the information that is available from the VPN Monitor Table...

Page 723: ...alue and the previous packets in value Delta Packets In The number of outgoing packets handled by the protocol through the security device Packets Out Total numerical difference between the current pa...

Page 724: ...IP address for the security device connected to the active VPN Peer Address Monitoring capability status for the VPN ON or OFF Monitor IPSec IP security protocol for the active VPN AH Authentication...

Page 725: ...ecific security device the following interfaces apply Trust and Untrust interfaces available on all security devices DMZ interface available on NetScreen 25 NetScreen 50 and NetScreen 500 devices the...

Page 726: ...ts processed through the security device over the selected interface Broadcast The number of packets generating a cyclic redundancy code error processed through the security device over the selected i...

Page 727: ...ual systems VLAN In The number of VLAN packets sent through the security device applies to virtual systems VLAN Out The number of connections that occurred for a given interface Connections The number...

Page 728: ...victim as both the destination and source IP address This creates an empty connection Flooding a system with such empty connections can overwhelm the system causing a Denial of Service Security device...

Page 729: ...for the remaining packets to arrive so it can reassemble them When a server or host is flooded with connections that cannot be completed the host s memory buffer eventually fills No further connectio...

Page 730: ...IP Stream When the protocol field indicates ICMP packets and the fragment flag is set to 1 or an offset is indicated ICMP Frag An ICMP packet with a length greater than 1024 Large ICMP Both the SYN a...

Страница 731: ...ics Viewing System Statistics You can also view system related information for a security device Viewing Resource Statistics Click the Resource Statistics node to view the resources for a security dev...

Страница 732: ...ns You can view a snapshot of ongoing active sessions on the security device You can view active sessions from the Active Statistics view When you click the Active Sessions tab a short view of the act...

Страница 733: ...Bytes Out The total number of packets sent Total Packets The length in seconds of the connection session Duration The time that the session started Start Time Using the Session Filter You can control...

Страница 734: ...w according to the Source IP Address and Port number or Port Range 3 Click in the Destination tab to specify the sessions that you want to view according to Destination IP Address and Port number or P...

Страница 735: ...rity devices to be highly available you can view NSRP related statistics on the device by accessing the HA Statistics view Table 65 on page 685 describes all of the information that is available from...

Страница 736: ...sensors in your network Viewing IDP Device Status Table 66 on page 686 lists and describes information about IDP sensors that you can view through the Device Monitor Table 66 Device Status Informatio...

Страница 737: ...d by NSM Config Status Connection status of the sensor in NSM Up Sensor is currently connected to NSM Down Sensor is not currently connected to NSM but has connected in the past Never Connected Sensor...

Страница 738: ...evice Detail Status Items Description Item IDP firmware version running on the sensor OS Version Current operation mode of the device Mode Percentage of the time the CPU was idle CPU Idle Percentage o...

Страница 739: ...you can also access the Statistics view to access traffic and other system related information on the device To view statistics on a particular sensor right click the sensor in either the Device Moni...

Страница 740: ...tunnel when configuring the tunnel for the device Viewing the VPN Status Summary The VPN Monitor lists a summary of all the VPN tunnels that have been implemented in your system It includes visual in...

Страница 741: ...lter to control the information that is provided in the VPN Monitor You can view VPN information related to the type status or the specific security device or virtual system associated with the VPN tu...

Страница 742: ...delete 4 Select the delete icon The selected filter is deleted Configuring a VPN Display Filter You can control the information that is provided in the VPN Monitor by configuring a VPN display filter...

Страница 743: ...a summary of the top level information on the selected cluster From the NSRP Summary you can view the following details about a specific cluster Key details describing the cluster such as name number...

Страница 744: ...Table 72 on page 694 describes the information available from the VSD RTO summary Table 72 VSD RTO Summary Description Item The name of the cluster associated with this VSD Cluster The name of this VS...

Страница 745: ...n the master device Master Conflict The number of conflicts that occurred on the primary backup device Primary Backup Conflict The number of transmitted heartbeats on the devices Tx Heartbeat The numb...

Страница 746: ...Name Status of the cluster OK Warning or Fail Status Domain in NSM in which the source IDP cluster is managed Domain Viewing IDP Cluster Summary Information Click IDP Cluster Monitor to view a summary...

Страница 747: ...hat the master node goes down Backup Availability Number of active backup devices No of Backup Members Monitoring IDP Cluster Members Click any IDP cluster to view details of each member in the cluste...

Страница 748: ...ovide you with context for events leading to the security device disconnection This will help you to determine the cause of the problem You notice several very suspicious log entries that indicate tha...

Страница 749: ...Device Server Server Type Either Device Server or Device Server Cluster If you are installing the management system with HA enabled you need to configure the Device Server as part of an HA Cluster Af...

Страница 750: ...ess of the GUI server IP Address IP address of the secondary server IP Address of secondary server You can configure the following parameters for the GUI Server Server Type Select GUI Server or GUI Se...

Страница 751: ...Server or Device Server Viewing Server Status To view the status of any server in the management system select Server Manager in the navigation tree and then select Server Monitor Machine wide Info Fi...

Страница 752: ...PU used CPU Usage State of the server s peer server only applicable if you have added a secondary server and configured it in an HA Cluster Peer Device Server State Whether the currently active server...

Страница 753: ...f swap space Total Swap Amount in megabytes or gigabytes of used swap space Used Swap Percentage of used swap space Swap Usage Viewing Process Status From the Server Monitor you can also view the stat...

Страница 754: ...page 704 lists and describes the information that appears in the Process Status Table 82 Process Status Description Name Name of the GUI Server or Device Server process Name Displays if the process is...

Страница 755: ...lities Description Name Provides information on peak average logging rate total log database size and average log size This utility is located on the Device Server at usr netscreen DevSvr utils logcou...

Страница 756: ...xdbAuditLogConverter sh In NSM enhancements to the audit log exporter tool allow you to Invoke detailed help messages from the audit log exporter tool with xdbAuditLogConverter help Use showdiff to v...

Страница 757: ...es Viewing Device Schema To view current and running schema 1 In the User Interface click Administer 2 In the navigation tree select Server Manager Schema Information The main display area displays th...

Страница 758: ...Copyright 2010 Juniper Networks Inc 708 Network and Security Manager Administration Guide...

Страница 759: ...ime monitor of these watch lists and the top 10 attacks within the previous hour The interval at which these lists are updated ranges from 2 minutes default rate to 30 minutes The lists are updated au...

Страница 760: ...orate network while working in a conference room Normal Event Wendy holds a meeting every Tuesday at 4 00 PM in conference room A Every meeting she connects her laptop to the network and accesses docu...

Страница 761: ...nd recover from any damage For details see Stopping Worms and Trojans on page 729 Detect violations of your corporate security policy The Profiler can help you confirm suspected violations such as rog...

Страница 762: ...ternal hosts Include Non tracked IP Profiles Maximum database size for the Profiler on each device By default the maximum database size is 3 GB db limit in MB Enables the Profiler to perform passive O...

Страница 763: ...icating to www yahoo com and www cnn com as one entry in the Profiler DB You can select unlimited internal network objects You can also use the Exclude List tab to select the network objects that repr...

Страница 764: ...xceeded alert to indicate when you have reached the maximum limit of the database size You can configure the maximum limit of the Profiler DB using the dbLimit parameter in the General tab of the Prof...

Страница 765: ...dialog box select the appropriate devices then click OK or optionally right click on any device from the Device Manager and select IDP Profiler Stop Profiler NOTE After you stop the Profiler for a spe...

Страница 766: ...along with the Source Destination IP and Source Destination MAC and Organizationally Unique Identifier OUI Use this view to quickly see which hosts are communicating with other hosts and what services...

Страница 767: ...able recorded Context When you select a context the values that your devices recorded for a selected context Value Source MAC addresses of traffic profiled Src MAC Destination MAC addresses of traffic...

Страница 768: ...ongs Role All services of traffic profiled Service Type of the traffic profiled Access indicates a successful connection during which the device recorded valid requests and responses from the server t...

Страница 769: ...only those items that violate the criteria that you set Configuring Permitted Objects Permitted objects are shared objects specific to the Profiler They enable you to configure objects in the Profiler...

Страница 770: ...he traffic you do not want on your network take the appropriate security measures for example remove the unauthorized network components incorporate the components services into your existing corporat...

Страница 771: ...de the aggregate traffic volume information from the parent application group As you move up the root of the application hierarchy you can view the total network traffic volume The Application Profile...

Страница 772: ...ny of the columns that appear in the Filter Criteria A dialog box lets you add entries that match the column you selected as a criterion to filter the Profiler view The Profiler view automatically upd...

Страница 773: ...e First Seen timestamp as the last 2 days Use the Last Seen setting to define a last timestamp threshold If the device logged an event and the event timestamp is before the last timestamp the event ap...

Страница 774: ...rting Sort on any column except the Application column The Application column does not support sorting because application values are similar for each application group When you perform a sort on any...

Страница 775: ...umn Details about the selected host IP including IP Address MAC Address OUI Organizationally unique identifier a mapping of the first three bytes of the MAC address and the organization that owns the...

Страница 776: ...Tools preferences menu to change these parameters To manually purge the Profiler DB of all records click Clear All DB This operation can take up to one minute During this time a message appears on al...

Страница 777: ...s accurately depicting your normal traffic patterns Because all networks are different the learning phase can range from a few hours to a few weeks Setting a Baseline When you are satisfied that the P...

Страница 778: ...e of their device Because these passwords can be guessed easily the vendor recommends that users change the default password immediately However for convenience some users leave the default configurat...

Страница 779: ...rate security policy does not permit SQL servers on the internal network However during a regular Microsoft update SQL applications are installed on a network server without your knowledge Because you...

Страница 780: ...of the Blaster worm From the Profiler 1 Restart the Profiler 2 Select the Network Profiler to quickly see the source destination and service of traffic on your network 3 In the Service data table sel...

Страница 781: ...nables you to visualize and correlate network behavior based on data collected in the Profiler Log Viewer and Report Manager You can use the Security Explorer to perform the following tasks Get a dyna...

Страница 782: ...that displays the following nodes Host Displayed as an IP address Network Displayed using CIDR notation ip class 8 16 24 Protocol These include TCP ICMP and so on Attack Specific attack object name Se...

Страница 783: ...ver Profiles One host or network and the context for server related traffic Every context is connected to its host network related value for example on a host is an SSL server running version 3 1 The...

Страница 784: ...ve selected Reports Viewer Use the Reports tab to generate and view one of the following reports in Security Explorer Top Alarms Top Traffic Alarms Top Traffic Logs Top IDP DI Attacks Top Screen Attac...

Страница 785: ...n other activities you may want to use with Security Explorer you also may need proper administrative privileges to View Profiler View Device Logs View Historical Log Reports View Devices View Shared...

Страница 786: ...phs Use the icons that appear in the main graph to quickly access additional information related to your point of reference Depending upon the type of icon that you select you can transition to anothe...

Страница 787: ...ty Explorer with the latest data available Adding and Removing Panels You can also view additional data and graphs by adding and removing additional panels to Security Explorer Use the icon to add a S...

Page 789: ...tive event such as the administrator name timestamp of the change and job details You can configure each managed device to generate and export specific log records to multiple formats and locations su...

Page 790: ...for each event that matches that rule An event matches a predefined set of conditions configured on a managed device or the management system Some events generate log entries that appear in the Log V...

Page 791: ...res immediate action Alert Log entries triggered when system encounters critical conditions Critical Log entries triggered when system becomes unusable Emergency Log entries triggered when system enco...

Page 792: ...gs from ScreenOS and IDP devices are displayed as Device_critical_log and Device_warning_log If upgrading from an earlier release you may need to modify your action manager criteria to match the new c...

Page 793: ...re is not supported Log Investigator analysis can only be applied to those partially structured syslogs that provide the source address and destination address in related columns Log Viewer provides o...

Page 794: ...estination except Firewall Options Table 93 Destinations of Log Entry Severities Severities Description Destination All severities The PC you use to view log entries in NSM Console Emergency Alert Cri...

Page 795: ...was dropped or terminated at the device When negotiating an IKE key the VPN client communicates with the security device Log IKE Packets to Self Creates a log entry for an SNMP packet that was droppe...

Page 796: ...the managed device to report specific events to NSM Select the appropriate NSM Device Server then select the events that are logged on the device and reported to NSM The following sections detail each...

Page 797: ...larm threshold in a security policy rule The traffic alarm log entry which displays in the Log Viewer describes the security event that triggered the alarm Traffic alarms generate log entries that app...

Page 798: ...ng columns of information in the Log Viewer Source Address Destination Address Service Action Category Predefined or Custom Subcategory for details on Deep Inspection alarm subcategories see Deep Insp...

Page 799: ...page 951 Self Log Entries The device generates self log entries for any packet that terminates at the device Self log entries display information on traffic that was dropped by the device or that term...

Page 800: ...hat entered the device Attack statistics do not generate log entries the statistics are used by the Realtime Monitor module For details on how attack statistics are displayed in the Realtime Monitor s...

Page 801: ...ng options For details on Atomic Updating see About Atomic Updating ScreenOS Devices on page 246 Configuring SNMP Reporting Settings Use SNMP settings to configure the Simple Network Management Protoc...

Page 802: ...Defines the versions supported by the community SNMPv1 SNMPv2c or both SNMP versions as required by the SNMP management stations For backward compatibility with earlier ScreenOS releases that only su...

Page 803: ...ends dialog box Enter appropriate data into the following fields Table 97 WebTrends Settings for Log Entries Description Field Directs NSM to forward a log to the WebTrends server Enable WebTrends Mes...

Page 804: ...s stored permanently on the NSM server until or unless it is purged by the user To store the packet data on the IDP sensor double click an IDP sensor select Report Settings in the navigation tree and...

Page 805: ...Figure 103 View Packet Data in a Log Figure 104 on page 756 provides an example of packet data...

Page 806: ...ity Using Log Views on page 757 The Log Viewer includes several predefined views for critical severity attacks configuration log entries scans and other important activity This section describes how t...

Page 807: ...Viewer Integration on page 776 This section describes how to use the Log Viewer integration to jump from a log entry directly to the responsible security policy or managed device configuration Identi...

Page 808: ...pe Category Admin 13 Admin SUBCATEGORY SYS10061 SYS10062 Cluster Subcategory AUT23523 AUT23524 Dynamic Policy Evaluation Category Events 14 Events Subcategory SYS24013 SYS24014 SYS24015 ERR24016 SYS24...

Page 809: ...te Exceeded UDP Port Scan UDP Port Scan In Progress Scans Creating Custom Views and Folders A custom view enables you to organize log entries in a format that is most helpful to you Because the custom...

Page 810: ...lect Save As In the New View dialog box enter a name for the custom view enter a name for the folder that you want to save the view in and click OK The new view is displayed in the navigation tree in...

Page 811: ...egory A category is either admin alarm config custom event implicit info predefined profiler screen self sensors traffic urlfiltering or user A subcategory is an attack type Default Category Subcatego...

Page 812: ...since the beginning of the current session No Elapsed Secs Specifies if this log has associated packet data No Has Packet Data A destination port that has undergone NAT and is associated with the pack...

Page 813: ...and later and Junos firewall devices The Policy ID column remains empty for older logs Log Viewer Detail Panes The Log Viewer contains additional panes that provide summary and detail information for...

Page 814: ...to top of log entry list Page up within log entry list Scroll up within log entry list Use the slider to move up or down within log entry list The farther you drag the slider from the center the faste...

Page 815: ...pecific log entry immediately Typically you use a log ID search when you have previously viewed the log entry and need to find it again quickly A value search that searches for a log entry based on th...

Page 816: ...use the Out and In buttons From left to right the time blocks are 14 days 7 days 3 days 1 day 12 hours 6 hours 3 hours 1 hour 30 minutes 1 minute Click the Out button to select the time block to the...

Page 817: ...configuration log entries from that device 3 Select Tailing Logs The view jumps to the bottom of the log entry list and remains there as new configuration log entries for the device arrive they appea...

Page 818: ...ons Edit Use this option to set multiple filters for cell content at the same time Select to display the Filter dialog box for that column then select the columns you want to filter on To display only...

Page 819: ...flag filter right click the Flag column header and select Filter Set Filter Select the flag types that you want to use as the filter criteria then click OK NSM applies the filter to all log entries an...

Page 820: ...n a specific end time select To and configure the end date and time When applied this filter displays log entries for events that were generated or received before or at the specified end time To filt...

Page 821: ...ilter on a minimum number of bytes only select From and enter a value When applied this filter displays log entries for events that received or transmitted more than or equal to the specified minimum...

Page 822: ...mn settings for the view The more columns you configure to appear in the Log Viewer the more information you can see at one time and the more you must scroll from side to side to view all columns sett...

Page 823: ...e columns to narrow your search To configure the column settings 1 In the navigation tree select the Log Viewer module 2 From the View menu select Choose Columns NSM displays the Column Settings dialo...

Page 824: ...splayed 2 From the Filter Summary dialog box select a column on which you want to filter log entries 3 Select the filter settings you wish to apply for the specified column then click OK 4 To select a...

Page 825: ...a Log Viewer column that was selected for filtering log entries 1 Select View Filter Summary The Filter Summary dialog box is displayed 2 To clear a single column Clear the column check box that you d...

Page 826: ...ase snapshots also enable you to view previous object versions For details on database snapshots see Automatic Policy Versioning on page 521 Other options for archiving and restoring logs and configur...

Page 827: ...network Use the information in Table 105 on page 777 to determine if the attack is relevant Table 105 Irrelevant Versus Relevant Attacks Relevant Attacks Irrelevant Attacks Attack attempts to exploit...

Page 828: ...formation in table and chart format Configuring Log Investigator Options on page 780 Configure the criteria the Log Investigator uses to create the matrix including the time period Left and Top Axes s...

Page 829: ...is setting which determines data set that is used for Top Axis setting Top Axis The controlled axis for log entry data the dependent axis The Log Investigator collects log entry data for the Left Axis...

Page 830: ...ur network activity Typically you use a longer interface time to initially locate problems After you have identified the issues you want to investigate set a shorter time interval to eliminate irrelev...

Page 831: ...log entry matrix By default the Left Axis is set to the data type Top Sources After the Left Axis data set has been determined the Log Investigator searches that data set for data that matches the Top...

Page 832: ...most popular source addresses are generating attacks against the most popular destinations Select the Left Axis the independent axis as Top Sources Select the Top Axis the dependent axis as Top Destin...

Page 833: ...ria for log entries and the Log Investigator filters out log entries that do not match the filter criteria Using the Filter Summary dialog box you can select and apply multiple filters to the Log Inve...

Page 834: ...level of a generated alarm User Flag Severity Alarm Filters Various Details Protocol Category Alert Roles User Application name Miscellaneous Filters NOTE For a complete list of log entry columns ava...

Page 835: ...are ready to begin investigating your log entry data Using Rows and Columns Each row or column in the Log Entry matrix represents events for a single data type When selecting a row or column you are...

Page 836: ...nternal trojan You probably need to get more details such as destination ports used and attack subcategories for the events before you can resolve the issue Table 107 on page 786 details the benefits...

Page 837: ...f attacks received by that port number Because services are mapped to specific port numbers you can use the port number to identify the service used in the attack The right pane displays a chart using...

Page 838: ...en investigating events that generate lower values To exclude a specific attack from the Log Investigator calculations right click the attack cell and select Exclude To help you keep track of excluded...

Page 839: ...hich a user is allowed to view audit logs The values are empty Audit log entries created prior to this NSM release that do not have targeted objects or devices These logs can be viewed by all NSM user...

Page 840: ...Log table The following sections describe these data management options Select Audit Log Table Use the Set Audited Activities option in the Edit menu to select read write or read only auditable activ...

Page 841: ...ield filter right click a column field and select Filter to display the filter menu options Time based column filter To create a time based filter right click a field in the Time Generated column and...

Page 842: ...ntry for that change in the Audit Log table then view the Target View to see details about that change Device View For a change made to the device itself such as adding the device autodetecting a devi...

Page 843: ...creen DevSvr var devSvr cfg file contains log cleanup parameters that you can use to manage log disk space storageManager alert If you configure this parameter the Device Server triggers a warning whe...

Page 844: ...do not need to stop the processes on the Device Server before archiving Log Archival Mechanism All managed device logs are stored in usr netscreen DevSvr var logs that contains logs and associated fil...

Page 845: ...s all the logs from the selected date Required Disk Space After you define the number of logs and the number of days you want archived NSM estimates the disk space required for storing the logs In cal...

Page 846: ...nd line utility located on the NSM Device Server NOTE You can also forward logs based on specific rules in a security policy See Configuring Firewall Rules on page 448 for more information Sending E m...

Page 847: ...xport qualified logs to the system log SNMP CSV XML or e mail configure the export settings for each format as detailed in the following sections For every log action criteria you can specify and edit...

Page 848: ...L you must select XML Enable from the Actions tab in the Device Log Action Criteria node Exporting to E mail For exporting to e mail configure the following e mail and SMTP settings SMTP Enable Enable...

Page 849: ...system to e mail qualified log records specify the From and To e mail addresses From Email Address The e mail address that the server uses to send e mail Some servers require a valid from e mail addr...

Page 850: ...t status code of 0 no errors or 1 errors The following sections detail common filters actions and required and optional format specific filters Using Filters The log2action utility generates data for...

Page 851: ...ype yes yes device family global subdomain name Domain path yes yes domain a b c d n a b c d Destination IP address yes yes dst ip 0 65535 0 65535 Destination port yes yes dst port yyyymmdd 0 MAX yyyy...

Page 852: ...mmon Filter with Multiple Entries To set a filter that displays all log entries for IDP and EX Series devices type devSvrCli sh log2action filter device family idp junos ex action csv file path tmp mo...

Page 853: ...n most Web browsers Using XML Required and Optional Format Specific Filters You can use the following required and optional format specific filters for exporting to XML Meaning Required Multiple CSV S...

Page 854: ...ort Dst Zone Dst Intf Dst Addr Dst Port NAT Dst Addr NAT Dst Port Protocol Policy Domain Policy Domain Version Policy Rulebase Rule Number Policy ID Action Severity Is Alert Details User App URI Elaps...

Page 855: ...urce port nat src ip nat src port destination zone destination interface destination ip destination port nat dst ip nat dst port protocol rule domain rule domain version policy rulebase rulenumber act...

Page 856: ...il Meaning Required Multiple E mail SMTP Specify the receiving e mail address for the SMTP log records Yes Yes recipient Specify the sender e mail address No No sender Exporting to syslog The syslog a...

Page 857: ...olicyname rulebase rule number policy id action severity is alert details user str application str uri str elapsed bytes in bytes out bytes total packet in packet out packet total repeatCount hasPacke...

Page 858: ...dling for the specified script When using this filter you must specify one of the following error handling filters skip Directs the system to skip any log for which the script had an error retry Direc...

Page 859: ...ing The Report Manager module in NSM is a powerful and easy to use tool that enables you to generate reports summarizing key log and alarm data originating from the managed devices in your network The...

Page 860: ...administrators and operations staff interested in tracking and analyzing specific types of information to work only within the group of reports that they need For details on each of the specific repo...

Page 861: ...811 DI IDP Reports on page 812 Screen Reports on page 813 Administrative Reports on page 814 UAC Reports on page 814 Profiler Reports on page 815 AVT Reports on page 815 SSL VPN Reports on page 815 EX...

Page 862: ...4 hours 20 IP addresses that have most frequently been prevented from attacking the network during the last 24 hours Top 20 Attackers Prevented All Attacks last 24 hours 20 IP addresses that have most...

Page 863: ...s listed in the Profiler over the last 7 days Profiler New Ports last 7 days New Protocols listed in the Profiler over the last 7 days Profiler New Protocols last 7 days The total number of log entrie...

Page 864: ...es generated by specific rules in your ScreenOS DI policies You can use the Top Rules report to identify those rules that are generating the most log events This enables you to better optimize your ru...

Page 865: ...tracking Table 116 AVT Reports Description Report Ten applications with highest volume in bytes in the past 24 hours Top 10 Applications by Volume Ten application categories with highest volume in byt...

Page 866: ...ibing each report refer to the Network and Security Manager Online Help My Reports Once you are comfortable using reports you can create your own custom reports to provide the exact information that y...

Page 867: ...ecting the corporate DMZ network A Top Attacks report comes predefined in IDP but the report displays attacks on the entire network and you are interested only in the DMZ To create a custom report bas...

Page 868: ...s folder For more information about editing and deleting a report folder refer to the Network and Security Manager Online Help Generating Reports Automatically You can generate scheduled log based rep...

Page 869: ...ectory that is run on completion of the report generation Creating and Editing Action Scripts NOTE Sample scripts enabling you to e mail and FTP the report results are available in usr netscreen GuiSv...

Page 870: ...mote user somewhere net Email server not required if sendmail is configured for mail transport my email_server everywhere net Subject my subject Reports are here Body text for emails with reports as a...

Page 871: ...Script In this example perform the following steps to generate a predefined report and FTP it to a server every Monday at 12 01 in the morning 1 Change to the utility directory by typing cd usr netscr...

Page 872: ...a available from the current day in a horizontal bar chart You can configure the duration number of data points and appearance of each report by using the Set Report Options selection in the View menu...

Page 873: ...on September 15 at 6 00 PM you could set the Starting At Time Period Duration report field in the options on a Top Screen Attacks report to that time then generate the report If you are not sure of th...

Page 874: ...port operation requires can have an adverse impact on your overall management performance To prevent extraordinarily lengthy report operations from impacting your overall system performance you can us...

Page 875: ...e in a later UI session Generating Quick Reports You can generate a Quick Report from data displayed in the Log Viewer or Log Investigator Use the Quick Report tab located at the bottom of the Log Vie...

Page 876: ...menu After completing their investigation they change the flag to either Closed or Assigned for further investigation During normal operations firewall administrators investigate over 200 log entries...

Страница 877: ...or the top 100 rules that are generating log events Figure 117 on page 827 shows the Top FW VPN Rules report Figure 117 Top FW VPN Rules Report By identifying the new rules that you implemented in the...

Страница 878: ...e undergone the most configuration changes committed during the past seven days Figure 118 on page 828 shows the Top Configuration Changes report Example Using SSL VPN Reports to Track Authentication...

Страница 879: ...ers report for the last day The report indicates an IP address as the top attacker for all the DI attacks that you have been tracking You recognize the IP address as an external server that is running...

Страница 880: ...ource Watch List from Tools Preferences For details about creating and configuring watch lists refer to the Network and Security Manager Online Help Copyright 2010 Juniper Networks Inc 830 Network and...

Страница 881: ...ixes Glossary on page 833 Unmanaged ScreenOS Commands on page 859 SurfControl Web Categories on page 861 Common Criteria EAL2 Compliance on page 869 Log Entries on page 871 831 Copyright 2010 Juniper...

Страница 882: ...Copyright 2010 Juniper Networks Inc 832 Network and Security Manager Administration Guide...

Page 883: ...you through activating a modeled device in the NSM User Interface Add Device Wizard The Add Device wizard guides you through importing or modeling a new device to the NSM User Interface Address Objec...

Page 884: ...the timeout process returns to normal Antivirus AV Scanning A mechanism for detecting and blocking viruses in File Transfer Protocol FTP Internet Message Access Protocol IMAP Simple Mail Transfer Prot...

Page 885: ...connectivity to the management system the device rolls back to the last installed configuration This minimizes downtime and ensures that NSM always maintains a stable connection to the managed device...

Page 886: ...d with the minimal software to support a single network service BGP Neighbor Also known as a BGP Peer BGP is the Border Gateway Protocol dynamic routing protocol A BGP neighbor is another device on th...

Page 887: ...m the World Wide Web to provide quicker access to content for users and to increase server security Classless Routing Support for interdomain routing regardless of the size or class of the network Net...

Page 888: ...tween the configuration running on the physical device and the difference between the configuration in NSM are known as deltas Demilitarized Zone A DMZ is an area between two networks that are control...

Page 889: ...chemas for configuration inventory management logging and status monitoring DMI schemas can be updated without the need to upgrade NSM DNS The Domain Name System maps domain names to IP addresses Doma...

Page 890: ...P provides confidentiality to IP datagrams Ethernet Ethernet is a local area network LAN technology invented at the Xerox Corporation Palo Alto Research Center Ethernet is a best effort delivery syste...

Page 891: ...interface between two GSNs located in different PLMNs GPRS General Packet Radio Service A packet based technology that enables high speed wireless Internet and other data communications GPRS provides...

Page 892: ...pplication Layer Gateway ALG lets you secure Voice over IP VoIP communication between terminal hosts such as IP phones and multimedia devices In such a telephony system gatekeeper devices manage ca...

Page 893: ...the Device Editor on a specific device and not through the central NSM Policy Manager If you select this method to manage policies on a J Series or SRX Series device the NSM Policy Manager Object Mana...

Page 894: ...networks See also DES CBC ESP AH IP Sweep An IP sweep is similar to a port scan attack Attackers perform IP sweeps by sending ICMP echo requests or pings to different destination addresses and wait f...

Page 895: ...ead of relying on rumored information from directly connected neighbors as in distance vector protocols each router in a link state system maintains a complete topology of the network and computes SPF...

Page 896: ...can deploy the GUI Server and Device Server on separate servers however the combination of the two servers is known as the management system Mapped IP Address A MIP is a direct one to one mapping of t...

Page 897: ...guring a BGP network you need to establish a connection between the current device and a counterpart adjacent device known as a neighbor or peer While this counterpart device may seem like unneeded in...

Page 898: ...routers do not track sessions except when doing NAT which tracks the session for NAT purposes PDP Packet Data Protocol PDP Context A user session on a GPRS network PDU Protocol Data Unit Peer See Nei...

Page 899: ...ces in hopes that one port will respond If a remote host scans 10 ports in 0.3 seconds the security device flags this as a port scan attack and drops the connection Preference A value associated with...

Page 900: ...at one program can use to request a service from a program located in another computer in a network Role Based Administration RBA Role based administration enables you to define strategic roles for yo...

Page 901: ...s are session table entries ARP cache entries certificates DHCP leases and IPSec Phase 2 security associations SAs S Scheduled Object A schedule object defines a time interval that a firewall rule is...

Page 902: ...m Service Object Service objects represent the IP traffic types for existing protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined servic...

Page 903: ...tively predictable and where network design is relatively simple Status Bar The status bar is the lower section of the NSM UI The status bar displays supplemental information Subdomain A subdomain is...

Page 904: ...cify a complete device configuration The software remembers static routes until you remove them However you can override static routes with dynamic routing information through judicious assignment of...

Page 905: ...r that supports VPN tunneling the remote user as well as the organization knows that it is a secure connection All remote dial in users are authenticated by an authenticating server at the Internet Se...

Page 906: ...ir location on a physical subnetwork but through the use of tags in the frame headers of their transmitted data VLANs are described in the IEEE 802.1Q standard Virtual Private Network VPN A VPN is an...

Page 907: ...ou can configure the security device to scan any incoming Microsoft NetBIOS Session Service packets modify them and record the event as a WinNuke attack Worm A worm is a self replicating attack progra...

Page 909: ...t this command the security device displays an error message common criteria These commands define environment variables Security devices use environment variables to make special configurations at st...

Page 910: ...trol MAC address for a security device interface set mac These commands display timer settings or configure a security device to automatically execute management or diagnosis at a specified time All t...

Page 911: ...r sexually violent text or graphics Bondage fetishes genital piercing Nudist sites that feature nudity Erotic or fetish photography which depicts nudity NOTE We do not include sites regarding sexual h...

Page 912: ...rugs or abuse of other legal substances Distributing alcohol illegal drugs or tobacco free or for a charge Displaying selling or detailing use of drug paraphernalia NOTE We do not include sites that d...

Page 913: ...e Beauty and cosmetics Modeling information and agencies Glamour and Intimate Apparel Government services such as taxation armed forces customs bureaus emergency services Local government sites Politi...

Page 914: ...the group Sets itself outside of society Hate General health such as fitness and wellbeing Medical information about ailments conditions and drugs Medical reference Medical procedures including electi...

Page 915: ...buying or selling a home Real estate agents Home improvement and inspection sites Real Estate Personal professional or educational reference Online dictionaries maps and language translation sites Cen...

Page 916: ...rist information Weather bureaus Car Rentals Travel Newsgroups Opinion or discussion forums Weblog blog sites Usenet News Forums Newsgroups Opinion or discussion forums Weblog blog sites Usenet News F...

Page 917: ...on or poisonous substances Displaying or detailing the use of guns weapons ammunition or poisonous substances Clubs which offer training on machine guns automatics and other assault weapons and or sni...

Page 919: ...stalled on dedicated systems These dedicated systems must not contain user processes that are not required to operate the NSM software Guidance for Personnel There must be one or more competent indivi...

Page 921: ...larm Log Entries The Screen category contains the subcategories shown in Table 122 on page 871 Table 122 Screen Alarm Log Entries ScreenOS Message ID Attack Attacks Alert 00017 Address Sweep Attack At...

Page 922: ...IP Spoof Attack Attacks Alert 00010 Land Attack Attacks Critical 00032 Malicious URL Protection Auth Alert 00003 Multiple Authentications Failed Attacks Emergency 00007 Ping of Death Attack Policies A...

Page 923: ...30 CPU Usage High DHCP Alert 00029 DHCP Critical 00029 DHCP DNS Critical 00021 DNS Host Interface Critical 00090 Interface Failover Device Critical 00022 Hardware ARP Critical 00031 IP Conflict Loggin...

Page 924: ...e High Availability Critical 00071 NSRP VSD Master High Availability Critical 00072 NSRP VSD Pbackup OSPF Critical 00206 OSPF Packet Flood RIP Critical 207 RIP Packet Flood OSPF Critical 200 Route add...

Page 925: ...ther user CHAT AUDIT YMSG FILE SEND sos5.1.0 info This protocol anomaly is a Yahoo Messenger e-mail address that exceeds the user defined maximum A Yahoo Messenger server sends an e-mail address as pa...

Page 926: ...EP QTYPE UNEXPECTED sos5.1.0 info This protocol anomaly is a DNS reply with a query reply bit QR that is unset indicating a query This may indicate an exploit attempt DNS AUDIT REP S2C QUERY sos5.1.0...

Page 927: ...protocol anomaly is a DNS name that exceeds 255 characters This may cause problems for some DNS servers DNS OVERFLOW NAME TOO LONG sos5.1.0 critical This protocol anomaly is a suspiciously large NXT...

Page 928: ...ignature detects attempts to exploit a vulnerability in a LinkSys Cable DSL router Attackers may submit an overly long sysPasswd parameter within a malicious HTTP request to crash a LinkSys Cable DSL...

Page 929: ...s users but relative to for users with accounts specifying the actual bin rather than ftp bin Attackers may establish an FTP account on the system and run the site exec command to gain access to the b...

Page 930: ...crash the service or execute arbitrary code FTP EXPLOIT WIN32 WFTPD BOF sos5.1.0 medium This signature detects an attempt by an attacker to exploit a directory traversal vulnerability in the SunFTP da...

Page 931: ...ay gain write access remotely create long pathnames and overflow the buffer to gain root access FTP OVERFLOW PATH LINUX X86 1 sos5.0.0 sos5.1.0 critical This signature detects attempts to exploit a re...

Page 932: ...ccounts using easily guessed passwords FTP PASSWORD COMMON PASSWD sos5.0.0 sos5.1.0 high This signature detects attempts to use the default rootkit password h0tb0x to access a FreeBSD rootkit account...

Page 933: ...he FTP daemon uses a vulnerable version of GNU ls attackers may send an oversized width parameter to GNU ls to cause the server CPU utilization to temporarily reach 100% and exhaust system memory This...

Page 934: ...NIX and Linux systems Wu ftpd versions 2.6.1 to 2.6.18 are vulnerable Attackers may send a maliciously crafted pathname in a CWD or LIST command to the FTP server to execute arbitrary commands as root...

Page 935: ...lear its logs Attackers may use a spoofed IP address to send a log clear request without authenticating HTTP 3COM LOG CLEAN sos5.0.0 sos5.1.0 high This signature detects attempts to exploit a vulnerabil...

Page 936: ...ache HTTP daemon the daemon may require a manual restart HTTP APACHE PHP INVALID HDR sos5.1.0 low By submitting a malformed HTTP GET request to an Apache server using the default configuration supplie...

Page 937: ...ings in hex code ie 2e 2e 2f in a query to access the remote administration utility password and gain full remote administration abilities HTTP CGI ALTAVISTA TRAVERSAL sos5.1.0 sos5.1.0 high This sign...

Page 938: ...loit a vulnerability in IkonBoard a popular Web based discussion board Attackers may send a maliciously crafted cookie that contains illegal characters to IkonBoard to execute arbitrary code with Ikon...

Page 939: ...stem files HTTP CGI WEBSPIRS FILE DISCLSR sos5.0.0 sos5.1.0 medium This signature detects attempts to exploit a vulnerability in the YaBB pl CGI script Attackers may view arbitrary files HTTP CGI YABB...

Page 940: ...ver Attackers may pass a semicolon character to JRun to expose the script source code and other sensitive files HTTP COLDFUSION JRUN SC PARSE sos5.1.0 high This signature detects attempts to exploit a...

Page 941: ...us Web site appears as the destination IP address HTTP EXPLOIT IE ZONE SPOOF sos5.0.0 sos5.1.0 medium This signature detects illegal characters in a Host header field of an HTTP 1.1 request Attackers...

Page 942: ...WD REQ sos5.0.0 sos5.1.0 medium This signature detects attempts to exploit a vulnerability in the browse asp script supplied with Hosting Controller a tool that allows Microsoft Windows network admini...

Page 943: ...ects buffer overflow attempts against Microsoft ISAPI Indexing Service for IIS Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier versions are vulnerable Attackers may send a long...

Page 944: ...Microsoft IIS 5.0 Attackers may send malicious PROPFIND requests to the server to crash it HTTP IIS PROPFIND sos5.1.0 medium This signature detects the sadmind IIS worm attempting to infect Microsoft...

Page 945: ...e parameters on the same line as the request method This may indicate a poorly written Web application or HTTP tunneling HTTP INFO HTTPPOST GETSTYLE This signature detects attempts to bypass directory...

Page 946: ...his signature detects an attempt to gain unauthorized administrative access to an EmuLive Server4 daemon HTTP MISC EMULIVE ADMIN sos5.0.0 sos5.1.0 medium This signature detects denial of service DoS a...

Page 947: ...his signature detects denial of service DoS attempts that exploit the Web Publishing REVLOG command in Netscape Enterprise Server 3.x HTTP NETSCAPE ENTERPRISE DOS sos5.0.0 sos5.1.0 medium This signatu...

Page 948: ...ength header HTTP OVERFLOW CONTENT LENGTH sos5.1.0 medium DI has detected a suspiciously long Content Location header HTTP OVERFLOW CONTENT LOCATION sos5.1.0 medium DI has detected a suspiciously long...

Page 949: ...D ROOT OF sos5.0.0 sos5.1.0 medium This signature detects denial of service DoS attempts against Pi3Web Server Attackers may send a URL with more than 354 slashes to crash the server HTTP OVERFLOW PI3...

Page 950: ...ttackers may bypass user authorization to gain administrative privileges HTTP PHP GALLERY EMBED AUTH sos5.1.0 high This signature detects attempts to exploit a vulnerability in Gallery a Web based pho...

Page 951: ...rative password of the board without user verification and access restricted files on the local system HTTP PHP PHORUM ADMIN PW CHG sos5.0.0 sos5.1.0 high This signature detects access to the vulnerab...

Page 952: ...m This signature detects attempts to exploit a vulnerability in PHP Nuke Attackers may execute arbitrary SQL commands on a Web server HTTP PHP PHPNUKE CID SQL INJECT sos5.0.0 sos5.1.0 medium This signature...

Page 953: ...included with the VBulletin package Attackers may run the vbull c exploit to execute arbitrary commands with Web Server user permissions HTTP PHP VBULL CAL EXEC sos5.0.0 sos5.1.0 medium Any user on th...

Page 954: ...nerable Internet Explorer users may use these malicious URLs to evade web proxies and gain direct access to the internet HTTP PROXY DOUBLE AT AT sos5.0.0 sos5.1.0 medium This signature detects attempt...

Page 955: ...a SQL injection attack However it may be a false positive Some attempts at Cross Site Scripting attacks will also trigger this signature HTTP SQL INJECTION GENERIC sos5.0.0 sos5.1.0 medium This signat...

Page 956: ...e detects the download of a maliciously crafted WinAmp playlist file Using WinAmp to open this file may execute arbitrary code HTTP STC WINAMP CDDA OF2 sos5.1.0 medium This signature detects attempts...

Page 957: ...sion 1.0 and earlier are vulnerable Attackers may navigate to any directory on the server HTTP WASD DIR TRAV sos5.0.0 sos5.1.0 medium This signature detects attempts to exploit a vulnerability in Bea...

Page 958: ...e information such as usernames passwords credit card numbers social security numbers bank accounts etc HTTP XSS HTML SCRIPT IN URL PRM sos5.1.0 medium This signature detects cross site scripting atta...

Page 959: ...ly is an IMAP reference field that is too long This may indicate a buffer overflow attempt IMAP OVERFLOW REFERENCE sos5.0.0 sos5.1.0 high This protocol anomaly is an IMAP tag field that is too long Th...

Page 960: ...EPM WRONG RHS LEN sos5.1.0 high This protocol anomaly is an EPM message with a tower length that is inconsistent with the message's LHS and RHS lengths MS RPC ERR EPM WRONG TOWER LEN sos5.1.0 medium This...

Page 961: ...This protocol anomaly is too many DCE RPC ISystemActivate requests Excessive requests can cause a denial of service DoS in the RPCSS module MS RPC MSRPC ISYSACTIVATE RACE sos5.1.0 medium This signatur...

Page 962: ...protocol anomaly is a label for the second level encoding of a Netbios name that contains a pointer NETBIOS NBDS BAD_LABEL_FORMAT sos5.1.0 medium This protocol anomaly is an invalid first level encodin...

Page 963: ...TBIOS NBNS INVALID HDR Z sos5.1.0 high This protocol anomaly is a label for the second level encoding of a Netbios name that has a label length larger than 63 or the label is the first label and the l...

Page 964: ...protocol anomaly is a Gnutella message with a payload type that is not defined in the Gnutella RFC P2P AUDIT GNUTELLA MESSAGE sos5.1.0 info This protocol anomaly is a Gnutella message with a payload l...

Page 965: ...use of the Direct Connect Plus Plus DC file sharing client P2P DC DC PP ACTIVE sos5.1.0 info This signature detects version checks by eDonkey 2000 a peer to peer file sharing client The eDonkey clien...

Page 966: ...e vulnerable Attackers may send a maliciously crafted DELE or UIDL request to the POP3 daemon to crash the POP3 SMTP and IMAP services POP3 DOS MDAEMON POP DOS sos5.1.0 high This protocol anomaly is a...

Page 967: ...EXT DOT CMD sos5.1.0 medium This signature detects e-mail attachments with the extension com received via POP3 This may indicate an incoming e-mail virus COMs executable files contain one or more scr...

Page 968: ...ved using POP3 This may indicate an incoming e-mail virus HTA files are HTML application files that can be executed by a web browser Generally HTA files are not sent via e-mail As a general network se...

Page 969: ...s this may indicate an incoming e-mail virus Attackers may create malicious scripts tricking users into executing the file and infecting the system POP3 EXT DOT MDB sos5.1.0 high This signature detect...

Page 970: ...ers may create malicious entries tricking users into executing the file and infecting the system POP3 EXT DOT REG sos5.1.0 high This signature detects e-mail attachments with the extension scr sent vi...

Page 971: ...malicious scripts tricking the user into executing the file and infecting the system POP3 EXT DOT WSC sos5.1.0 high This signature detects e-mail attachments with the extension wsf received via POP3 T...

Page 972: ...s POP3 OVERFLOW BOUNDARY_OVERFLOW sos5.0.0 sos5.1.0 high This protocol anomaly is a POP3 command that exceeds 4 bytes the standard length for a POP3 command This may indicate a nonstandard POP3 client...

Page 973: ...other attacks SCAN AMAP FTP ON HTTP sos5.1.0 low This signature detects the scanner tool AMAP made by The Hacker's Choice THC Attackers may use THC AMAP during their initial reconnaissance to determine se...

Page 974: ...s PACKETS for a HP UX PA RISC instruction sequence common in buffer overflow exploits You may want to apply this signature to all non TCP traffic to your HP UX servers SHELLCODE HP UX HP NOOP 2 PKT so...

Page 975: ...SMBFS implemented in the Linux kernel Kernels 2.4 and 2.6 are vulnerable Attackers may gain root access on the target host SMB EXPLOIT LINUX TRANS2 OF sos5.1.0 medium This protocol anomaly is an empty...

Page 976: ...NETBIOS names are 16 bytes and may encode to a maximum of 34 bytes SMB NETBIOS INV SNAME LEN sos5.1.0 medium This signature detects attempts to remotely access the Windows registry Attackers may use a...

Page 977: ...hich can lead to remote code execution SMTP EMAIL EUDORA SPOOF3 sos5.1.0 medium This signature detects attempts to spoof an e-mail attachment Eudora Windows 6.2.0.7 and earlier versions are vulnerable...

Page 978: ...an e-mail message with an empty charset value in the MIME header to cause a denial of service DoS SMTP EXCHANGE DOS sos5.1.0 high This protocol anomaly is a BDAT command that is not chunk size SMTP EX...

Page 979: ...ripts tricking users into executing the macros and infecting the system SMTP EXT DOT ADP sos5.1.0 medium This signature detects e-mail attachments that have the extension bas and were sent via SMTP Be...

Page 980: ...nature detects GRP files sent over SMTP GRP files can contain Windows Program Group information and may be exploited by malicious users to deposit instructions or arbitrary code on a target's system U...

Page 981: ...infecting the system SMTP EXT DOT JSE sos5.1.0 medium This signature detects e-mail attachments that have the extension lnk and were sent via SMTP Because LNKs Windows link files can point to any prog...

Page 982: ...TP EXT DOT PCD sos5.1.0 medium This signature detects e-mail attachments with the extension pif sent via SMTP This may indicate an incoming e-mail virus PIFs Program Information Files are standard Mic...

Page 983: ...cute arbitrary code SMTP EXT DOT WMF sos5.1.0 medium This signature detects e-mail attachments with the extension wsc sent via SMTP This may indicate an incoming e-mail virus WSCs Windows Script Compo...

Page 984: ...eds actual multipart data all data is processed but unfinished boundary delimiters exist SMTP INVALID UNFIN MULTIPART sos5.0.0 sos5.1.0 high This signature detects attempts to send shell commands via...

Page 985: ...of SQLsnake a MSSQL worm SQLsnake infects Microsoft SQL Servers that have SA administrative accounts without passwords The worm sends a password list and other system information via e-mail to ixltd p...

Page 986: ...maliciously crafted SMTP messages to execute arbitrary code at the same privilege level as the target typically a user Note Systems that typically carry non-English e-mail messages should not include...

Page 987: ...thin specified mail to and or rcpt to e-mail addresses to cause Sendmail to reroute data to another program attackers receive a 550 error message SMTP RESPONSE PIPE FAILED sos5.1.0 medium This signatu...

Page 988: ...nds spam from an infected host machine TROJAN PHATBOT FTP CONNECT sos5.0.0 sos5.1.0 high This signature detects the string nongmin_cn within an SMTP header from field sent from a remote system to loca...

Page 989: ...a upon reboot VIRUS POP3 FIX2001 sos5.1.0 high This signature detects e-mail attachments named Link vbs sent via POP3 This may indicate the VBS Freelink e-mail virus is attempting to enter the system...

Page 990: ...soft Outlook preview pane once triggered the CHM file runs myromeo exe in the background Myromeo exe obtains e-mail addresses from the Microsoft Outlook database sends infected e-mail messages to all...

Page 991: ...lated files Nimda then obtains e-mail addresses and sends infected messages to all addresses found using its own SMTP server VIRUS POP3 NIMDA sos5.1.0 critical This signature detects e-mail attachment...

Page 992: ...irus does not carry a payload and is apparent only through a video effect VIRUS POP3 SIMBIOSIS sos5.1.0 critical This signature detects e-mail attachments named Suppl doc sent via POP3 This may indica...

Page 993: ...POP3 TOADIE sos5.1.0 high This signature detects e-mail attachments named 666test vbs sent via POP3 This may indicate the e-mail virus TripleSix is attempting to enter the system The executed file di...

Page 994: ...POP3 This may indicate the e-mail virus Zelu is attempting to enter the system disguised as the utility ChipTec Y2K Freeware Version The executed file scans available directories corrupts writeable f...

Page 995: ...e-mail virus Nail to enter the system When executed the virus assigns the Microsoft Word auto dot template to a template located on an attacker Web site enabling the attacker to upload new virus code...

Page 996: ...F SMTP sos5.0.0 sos5.1.0 high This signature detects the Berbew worm as it uploads keylogger information to a listening post Berbew monitors user keystrokes for financial data and reports that informat...

Page 997: ...il attachments containing the W32 Sobig E worm sent via SMTP WORM EMAIL W32 SOBIG E sos5.1.0 high This signature detects the Mimail A worm attachment in SMTP traffic After infecting a Windows based ho...

Page 998: ...TTP WORM NIMDA MSADC ROOT sos5.1.0 medium This signature detects attempts to create EML files on the system a common sign of the NIMDA worm The worm browses remote directories and creates EML files th...

Page 999: ...ew targets for infection The source IP of this log is likely infected with a variant of Santy WORM SANTY GOOGLE SEARCH sos5.1.0 high This signature detects a machine infected with the Santy worm attem...

Page 1000: ...DIP DNS Notification 00004 DNS DNS Notification 00029 DNS REP System Notification 00023 Erase System Notification 00006 Hostname Interface Notification 00009 Interface MIP Notification 00021 MIP High...

Page 1001: ...tion 00026 SSH SSL Notification 00035 SSL Syslog and WebTrends Notification 00019 Syslog High Availability Notification 00050 Track IP WEB Filtering Notification 00013 URL User Notification 00014 User...

Page 1002: ...tion 00553 Configuration Size N A Device Connect N A Device Disconnect DHCP Information 00530 DHCP CLI DNS Information 00004 DHCP DNS System Information 00767 Generic VIP Notification 00533 VIP Svr Up...

Page 1003: ...ation 00533 VIP Server Status DHCP Information 00527 DHCP Server Status NOTE For security devices running ScreenOS 5.0.x or higher Network and Security Manager does not generate information logs for d...

Page 1004: ...warded prohibited state invalid rate limited or tunnel limited Interface vsys or vrouter name if applicable For log entries generated by GTP objects with Extended logging enabled you can view the foll...

Page 1005: ...PART 6 Index Index on page 957 955 Copyright 2010 Juniper Networks Inc...

Page 1007: ...te 76 audit logs 77 auditable activities 76 authentication server 77 AV pattern 77 backdoor rulebase 77 blocked IP 77 CA 77 catalog objects 77 channel 77 CLI based reports 77 CLI based security update...

Page 1008: ...85 supplemental CLIs in devices and templates 85 SYNProtector rulebase 85 system status monitor view 85 system URL categories 85 template operations 86 traffic signature rulebase 86 troubleshoot devi...

Page 1009: ...ure service binding 348 custom signature stream 1K context 355 custom signature stream 256 context 354 custom signature stream 8K context 355 custom signature stream context 354 custom signature suppo...

Page 1010: ...Series 235 configuring Junos 235 configuring SRX Series 235 editing the configuration 234 IDP adding 153 Infranet Controller adding 153 Infranet Controller importing 154 J Series activating 158 J Seri...

Page 1011: ...ard using 709 Data Model defined 308 importing 311 updating 309 data model defined 839 data origination icons 192 data point count configuring 782 823 data types 781 Deep Inspection activating subscri...

Page 1012: ...132 adding multiple with CSV file 169 adding multiple with discovery rules 168 configuring 187 EX Series activating 134 136 EX Series importing 116 125 extranet adding 151 IDP sensors activating 135 I...

Page 1013: ...492 exempt rules configuring attacks 493 configuring from the Log Viewer 493 configuring match columns 492 configuring source and destination 492 entering comments 493 expanded VPN view 552 585 expor...

Page 1014: ...s 449 deleting 517 deny action 453 disabling 517 negating source or destination 450 permit action 453 reject action 453 reject action changed to deny 511 rule groups 517 using MIPs as source or destin...

Page 1015: ...ng notification 479 configuring services 471 configuring source and destination 470 IDP sensors activating with dynamic IP address 135 IKE proposals 428 IMSI prefix filter 385 information banner 58 in...

Page 1016: ...e 271 installing on device 271 obtaining 271 linking to a device from Log Viewer 776 list key parameters in templates 210 local attack object update 290 local user groups 404 local users 564 log actio...

Page 1017: ...s 776 filtering 760 768 find utility 768 flagging log events 767 generating a Quick Report 825 hiding and moving columns 772 integration with reports 824 linking to a device 776 log categories 768 log...

Page 1018: ...ewall rules 454 destination NAT 416 DIP global 415 in VPNs 563 Junos OS 417 MIP global 416 VIP global 416 NAT Traversal 577 navigation tree 24 negating source or destination in firewall rules 450 NetS...

Page 1019: ...ustom signature attacks attack pattern 352 custom signature attacks attack pattern syntax 352 custom signature attacks false positive setting 348 custom signature attacks first data packet context 354...

Page 1020: ...ules 459 prerules and postrules 526 preview tools 252 primary interface fail over 305 priority levels for traffic shaping 456 Profiler alerts 714 configuring 712 configuring permitted objects 719 cont...

Page 1021: ...VPN 811 Logs by User set Flag 814 826 naming 822 Profiler 815 Screen 813 SSL VPN 815 time based 823 Top Alarms 811 Top Attackers Screen 814 Top Attacks DI 812 Top Attacks Screen 813 Top Configuration...

Page 1022: ...ions 35 Secure Access clusters adding 153 importing 154 Secure Access devices adding clusters 153 configuring features of 196 importing clusters 154 importing with dynamic IP address 121 supported pla...

Page 1023: ...importing with dynamic IP address 125 importing with static IP address 116 modeling clusters 157 supported platforms 16 SSL VPN devices See Secure Access devices SSL UAC predefined log views 758 SSL V...

Страница 1024: ...2 Top Rules report 814 Top Self Logs report 812 Top Targets Screen report 814 829 Top Traffic Alarms report 811 Top Traffic Log report 811 Traffic Anomalies Rulebase other scans 503 session limiting 5...

Страница 1025: ...coming DIP 570 configuring NAT with MIP VIP and Outgoing DIP 571 configuring NAT with tunnel interface and zone 571 configuring overrides 583 configuring overrides device configuration 584 configuring...

Страница 1026: ...s adding 165 vsys devices adding 147 importing 148 modeling 149 W warning icon 193 Web categories permission to update on device 80 updating on device 301 updating on system 301 Web filtering black li...
