Hardware Component Overview; Jsa3800 Appliance Components Overview; Chapter 2 Hardware Component Overview - Juniper 3800 Hardware Manual

CHAPTER 2

Hardware Component Overview

JSA3800 Appliance Components Overview

Copyright © 2015, Juniper Networks, Inc.
Juniper Secure Analytics (JSA) includes the following deployment components:
Flow Processor—Collects data from devices, and various live and recorded feeds, such
as network taps, span/mirror ports, NetFlow, and JSA flow logs. When the data is
collected, the Flow Processor groups related individual packets into a flow. JSA defines
these flows as a communication session between two pairs of unique IP addresses
and ports that use the same protocol. A flow starts when the Flow Processor detects
the first packet with a unique source IP address, destination IP address, source port,
destination port, and other specific protocol options that determine the start of a
communication. Each additional packet is evaluated. Counts of bytes and packets are
added to the statistical counters in the flow record. At the end of an interval, a status
record of the flow is sent to an Event Collector, and statistical counters for the flow
are reset. A flow ends when no activity for the flow is detected within the configured
period of time.
Flow reporting generates records of all active or expired flows during a specified period
of time. If the protocol does not support port-based connections, JSA combines all
packets between the two hosts into a single flow record. However, a Flow Processor
does not record flows until a connection is made to another JSA component and data
is retrieved.
Event Collector—Collects security events from various types of security devices, known
as log sources, in your network. The Event Collector gathers events from local and
remote log sources. The Event Collector then normalizes the events and sends the
information to the Event Processor. The Event Collector also bundles all virtually
identical events to conserve system usage.
Event Processor—Processes event and flow data from the Event
Collector. The events are bundled to conserve network usage. When the events are
received, the Event Processor correlates the information from JSA and distributes it
to the appropriate area, depending on the type of event. The Event Processor also
includes information gathered by JSA to indicate any behavioral changes or policy
violations for that event. The configured rules are then applied to the events, and
the Event Processor processes them accordingly. When complete, the Event Processor
sends the events to the Magistrate.
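
The flow handling described under Flow Processor above can be sketched as follows; this is an added Python example, not Juniper code and not part of the manual. The 60-second interval, the 90-second idle period, the set of port-based protocols, the merging of both directions of a session into one flow, and all names are assumptions made for illustration.

```python
PORT_PROTOCOLS = {"tcp", "udp"}  # assumption: protocols that carry ports

def flow_key(proto, src, sport, dst, dport):
    """One key per session in both directions; portless protocols use port 0."""
    if proto not in PORT_PROTOCOLS:
        sport = dport = 0
    return (proto, *sorted(((src, sport), (dst, dport))))

class FlowAggregator:
    def __init__(self, interval=60, idle_timeout=90, start=0):  # seconds, assumed
        self.interval, self.idle_timeout = interval, idle_timeout
        self.flows, self.next_report = {}, start + interval

    def observe(self, ts, proto, src, sport, dst, dport, length):
        """Count one packet; return status records for each interval that ended."""
        records = []
        while ts >= self.next_report:
            records += self.report(self.next_report)
            self.next_report += self.interval
        key = flow_key(proto, src, sport, dst, dport)
        flow = self.flows.setdefault(key, {"packets": 0, "bytes": 0})
        flow["packets"] += 1
        flow["bytes"] += length
        flow["last_seen"] = ts
        return records

    def report(self, now):
        """Emit (time, key, packets, bytes, expired) per flow, then reset or drop it."""
        records = []
        for key, flow in list(self.flows.items()):
            expired = now - flow["last_seen"] >= self.idle_timeout
            records.append((now, key, flow["packets"], flow["bytes"], expired))
            if expired:
                del self.flows[key]  # no activity within the configured period
            else:
                flow["packets"] = flow["bytes"] = 0  # counters restart each interval
        return records

# Constructed sample packets: (ts, proto, src, sport, dst, dport, length)
SAMPLE = [(0, "tcp", "10.0.0.1", 40000, "10.0.0.2", 443, 100),
          (5, "tcp", "10.0.0.2", 443, "10.0.0.1", 40000, 1500),
          (10, "icmp", "10.0.0.1", 0, "10.0.0.3", 0, 64),
          (70, "tcp", "10.0.0.1", 40000, "10.0.0.2", 443, 200),
          (130, "tcp", "10.0.0.1", 40000, "10.0.0.2", 443, 50)]

def run(packets):
    agg = FlowAggregator()
    return [rec for p in packets for rec in agg.observe(*p)]
```

Running `run(SAMPLE)` yields two status records at the 60-second mark and two at the 120-second mark, the last of which marks the idle ICMP flow as expired.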