Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual

Configuring intrusion detection and prevention devices guide
Network and Security Manager
Configuring Intrusion Detection and Prevention Devices Guide
Release 2010.3
Published: 2010-08-17
Revision 01
Copyright © 2010, Juniper Networks, Inc.


Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1

  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Network Profiler ..........23
  • Page 8 Configuring an SNMP Agent (NSM Procedure) ......79 Configuring Syslog Collection (NSM Procedure) ......80
  • Page 9 Stopping the Profiler ..........123
  • Page 10 Index ............143
  • Page 11: About This Guide

    Objectives Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices. Intrusion Detection and Prevention (IDP) series uses eight detection methods to detect malicious network traffic.
  • Page 12 The angle bracket (>) indicates navigation paths through the UI by clicking menu options and links, for example Object Manager > User Objects > Local Objects. Table 3 on page xiii defines syntax conventions used in this guide.
  • Page 13: List Of Technical Publications

    It also includes a brief overview of the NSM system and a description of the GUI elements. IDP Installation Guide Details the physical features of Juniper Networks Intrusion Detection and Prevention (IDP) series. It also explains how to install, configure, update/reimage, and service the IDP system.
  • Page 14: Requesting Technical Support

    Table 4: Network and Security Manager and IDP Device Publications (continued) IDP Concepts & Examples Guide Details about the Juniper Networks Intrusion Detection and Prevention (IDP) series that uses multiple methods to detect and prevent network attacks. IDP is designed to reduce false positives to ensure that only actual malicious traffic is detected and stopped.
  • Page 15: Opening A Case With Jtac

    About This Guide Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/ Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/ To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/ Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone.
  • Page 17: Getting Started

    PART 1 Getting Started Intrusion Detection and Prevention Device and NSM Installation Overview on page 3 Understanding Intrusion Detection and Prevention Device Configuration and Integration Overview on page 5
  • Page 19: Intrusion Detection And Prevention Device Installation Overview

    NSM Installation Overview NSM is a software application that enables you to integrate and centralize management of your Juniper Networks environment. You need to install two main software components to run NSM: the NSM management system and the NSM user interface (UI).
  • Page 20 Related Topics Intrusion Detection and Prevention Device Installation Overview on page 3 NSM and Intrusion Detection and Prevention Device Management Overview on page 5
  • Page 21: And Integration Overview

    Using Templates and Configuration Groups in NSM Overview on page 8 NSM and Intrusion Detection and Prevention Device Management Overview NSM is the Juniper Networks network management tool that allows distributed administration of network appliances. You can use the NSM application to centralize status monitoring, logging, and reporting, and to administer IDP Series configurations.
  • Page 22: Intrusion Detection And Prevention Services And Device Configurations Supported

    Logging configuration details that are set on the IDP device will apply to NSM. Packaging log files or debug files for remote analysis. Managing interface settings such as setting IP addresses, setting IDP device host and network information, and interoperability with NSM, Infranet Controllers, Secure Access
  • Page 23 Adding Intrusion Detection and Prevention Clusters in NSM Overview on page 8 Using Templates and Configuration Groups in NSM Overview on page 8 NSM and Intrusion Detection and Prevention Device Management Overview on page 5
  • Page 24: Adding Intrusion Detection And Prevention Devices In Nsm Overview

    Templates provide these benefits: You can configure parameter values for an IDP device by referring to one or more templates when configuring the device.
  • Page 25 For complete details on using device templates and configuration groups, see the Network and Security Manager Administration Guide. Related Topics NSM and Intrusion Detection and Prevention Device Management Overview on page 5 Intrusion Detection and Prevention Services and Device Configurations Supported in NSM on page 6
  • Page 27: Configuring Intrusion Detection And Prevention Devices

    Configuring SNMP and Syslog Settings on page 79 Configuring Anti-Spoof Settings on page 83 Configuring Intrusion Detection and Prevention Device Settings on page 87 Configuring Additional Intrusion Detection and Prevention Features on page 111
  • Page 29: Configuring Profiler Settings

    To configure the Profiler on a given IDP sensor, open the Device window and select Profiler Settings. You configure Profiler options to enable Profiler features, set network addresses and applications subject to profiling, and set alerts. Setting Up the Profiler Using the Profiler involves the following steps:
  • Page 30: Specifying General Options

    The first part of configuring the Profiler is to inform the device which network objects you want the device to profile. When you start the Profiler, the device begins collecting data from the selected hosts.
  • Page 31 NOTE: If you change Profiler settings, you must push a configuration update to the device before the new settings take effect. From the Device Manager, right-click the device, select Update Device, select the Restart IDP Profiler After Device Update checkbox, and click OK.
  • Page 32: Specifying Tracked Hosts

    Color—Select any color from the drop-down list. Comment—Enter any additional comments. IP/IP Address—Enter the IP address when you select IP. Domain/Domain name—Enter the domain name when you select domain name. Resolve—Resolve the domain name with the IP and vice versa.
  • Page 33: Specifying Context Targets

    FTP contexts in the Contexts to Profile tab. After the Profiler is started, the device begins collecting information about FTP logins, usernames, and commands, enabling you to quickly identify the users using FTP on your network and the actions they perform over that protocol.
  • Page 34: Specifying Alert Options

    You can configure the maximum limit of the Profiler database using the dbLimit parameter in the General tab of the Profiler Configuration dialog box. The default is 500 MB; the minimum-maximum range is 0 to 500 MB. After
  • Page 36: Viewing Profiler Logs (Nsm Procedure)

    Source IP address of the traffic profiled. Dst IP Destination IP address of the traffic profiled. User The user associated with the traffic profiled. Role The role group to which the user that is associated with the traffic profiled belongs.
  • Page 37 TIP: You can jump from the Application Profiler tab to the APE rulebase editor by right-clicking an application in the left pane and selecting a policy editor option. For information about using NSM features to sort, filter, and drill down on records, see the NSM online help.
  • Page 38: Protocol Profiler

    Timestamp for the first time the device logged the event (within the specified time interval). Last Time Timestamp for the last time the device logged the event (within the specified time interval). Domain NSM domain.
  • Page 39: Network Profiler

    Probe indicates a request that does not expect a reply. For non-TCP sessions, the device recorded an ICMP error; for TCP sessions, the device recorded a SYN packet from the client followed by a RST from the server. Src MAC Source MAC addresses of traffic profiled.
  • Page 40: Violation Viewer

    Click the Violation Viewer tab. Click on the + icon that appears on the top of the right-hand window to display the New Permitted Object dialog box. Type a name for the permitted object.
  • Page 41: Modifying Profiler Settings (Nsm Procedure)

    Specifies the maximum size of the purged profiler database. The default value is 750 MB. Profiler query timeout (in seconds) Specifies the timeout entry for a profiler query. The default value is 120 seconds.
  • Page 42: Configuring Profiler Database Preferences (Nsm Procedure)

    Table 12 on page 25. You can use the Profiler Settings dialog box to modify Profiler database settings and default settings for application volume tracking reports. Data discovered by Profiler is stored in a database located on the NSM GUI server.
  • Page 43: Displaying Profiler Database Information (Nsm Procedure)

    Data discovered by Profiler is stored in a database located on the NSM GUI server. Use the steps in this procedure to display information about the Profiler database. Action To display Profiler database information: In the NSM Navigation tree select Investigate > Security Monitor > Profiler.
  • Page 44: Querying The Profiler Database (Nsm Procedure)

    To manually purge the database: In the NSM Navigation tree, select Investigate > Security Monitor > Profiler. Click the Clear All DB icon in the upper right corner. Related Topics Configuring Profiler Options (NSM Procedure) on page 13
  • Page 45 Chapter 3: Configuring Profiler Settings Configuring Profiler Database Preferences (NSM Procedure) on page 26 Displaying Profiler Database Information (NSM Procedure) on page 27 Querying the Profiler Database (NSM Procedure) on page 28
  • Page 47: Configuring Security Policies

    A rulebase is an ordered set of rules that use a particular detection method to identify and prevent attacks. Table 14 on page 32 describes the IDP security policy rulebases. A security policy can contain only one instance of any rulebase type.
  • Page 48 IDP Rulebase Protects your network from attacks by using attack objects to detect known and unknown attacks. Juniper Networks provides predefined attack objects that you can use in IDP rules. You can also configure your own custom attack objects. Exempt Rulebase You configure rules in this rulebase to exclude known false positives or to exclude a specific source, destination, or source/destination pair from matching an IDP rule.
  • Page 49: Configuring Predefined Security Policies (Nsm Procedure)

    Troubleshooting Security Policy Validation Errors (NSM Procedure) on page 118 Configuring Predefined Security Policies (NSM Procedure) The highly respected Juniper Networks Security Center team (J-Security Center) provides the default IDP security policy—named Recommended. We advise that you use this policy to protect your network from the likeliest and most dangerous attacks.
  • Page 50: Creating A New Security Policy (Nsm Procedure)

    Text to further identify the policy. In the security policy list, you can sort on comments. On the second page, complete the settings and then click Next. Table 18 on page 35 describes page two settings.
  • Page 51 Rules include IPv6, VPN, and also VPN link. For more information, see the IDP Concepts & Examples guide. Related Topics Intrusion Detection and Prevention Devices and Security Policies Overview on page 31
  • Page 52: Modifying Idp Rulebase Rules (Nsm Procedure)

    Notification You can choose none, or enable logging and select the logging options that are appropriate for your network. VLAN Tag Specifies the VLAN tags you want to match in applying the rule.
  • Page 53: Specifying Rule Match Conditions

    Any–Matches any source of traffic. To guard against incoming attacks, you typically specify Any. Negate–Matches any except those specified. To use address negation: Add the address object. Right-click the address object and select Negate.
  • Page 54: Specifying Idp Rulebase Attack Objects

    User role-based rules are evaluated before IP source rules. If a user role matches, and if the other match criteria are met, the rule is applied and IP address-based rules are not consulted. NOTE: Matching based on user role depends on integration with Juniper Networks Infranet Controllers.
  • Page 55: Specifying Rule Session Action

    Chapter 4: Configuring Security Policies To add attack objects recommended by Juniper Networks Security Center (J-Security Center), expand Recommended Attacks, browse groups, and select groups or individual attack objects. To add other predefined attack objects, expand All Attacks, browse groups, and select groups or individual attack objects.
  • Page 56 IDP closes the connection to the server but not to the client. Table 24 on page 40 describes the logic applied to the value Recommended, a setting coded in predefined attack objects provided by Juniper Networks Security Center. Table 24: IDP Rulebase Actions: Recommended Actions by Severity...
  • Page 57: Specifying Rule Ip Action

    IP Close IDP closes the matching connection and future connections that match combinations of the following properties you specify: Source IP address Source subnet Protocol Destination IP Address Destination Subnet Destination Port From Zone
  • Page 58: Specifying Rule Notification Options

    VLAN tag. To specify that rules match a VLAN tag, right-click the table cell and configure your setting. Table 27 on page 43 describes VLAN tag settings.
  • Page 59: Specifying Rule Targets

    We recommend that you log such attacks. Warning Attacks that attempt to obtain noncritical information or scan the network. They can also be obsolete (but probably harmless) attack traffic. We recommend that you log such attacks.
  • Page 60: Specifying Rule Optional Fields

    Configuring Predefined Security Policies (NSM Procedure) on page 33 Configuring Exempt Rulebase Rules (NSM Procedure) on page 45 Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM Procedure) on page 117
  • Page 61: Configuring Exempt Rulebase Rules (Nsm Procedure)

    that is the source of the traffic. Select any to monitor network traffic originating from any IP address. NOTE: You can also negate one or more address objects to specify all sources except the excluded object.
  • Page 62 Creating a New Security Policy (NSM Procedure) on page 34 Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM Procedure) on page 117 Configuring Backdoor Rulebase Rules (NSM Procedure) on page 47
  • Page 63: Configuring Backdoor Rulebase Rules (Nsm Procedure)

    Default—Accepts the service specified by the attack object. Select Service—Chooses specific services from the list of defined service objects. Operation Specifies whether to detect or ignore the backdoor traffic. Select either Detect or Ignore.
  • Page 64 Modifying IDP Rulebase Rules (NSM Procedure) on page 36 Configuring SYN Protector Rulebase Rules (NSM Procedure) on page 49 Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM Procedure) on page 117
  • Page 65: Configuring Syn Protector Rulebase Rules (Nsm Procedure)

    Specifies service objects in rules that an attack uses to access your network. Set a service by selecting any of the available options. NOTE: We recommend that you do not change the default value, TCP-ANY.
  • Page 66 Select Alert to have an alert flag placed in the Alert column of the Log Viewer for the matching log record. In the Log Actions tab, select desired log actions, if any.
  • Page 67: Configuring Traffic Anomalies Rulebase Rules (Nsm Procedure)

    To configure a traffic anomalies rulebase rule: In the NSM navigation tree, select Policy Manager > Security Policies. Select and double-click the security policy to which you want to add the traffic anomalies rulebase rule.
  • Page 68 When you select this option, the Traffic Anomalies dialog box appears. Select the scans or sweep you want to detect and enter values for Port Count and Time Threshold (in seconds) or Session Count.
  • Page 69 the inherent attack severity on a per-rule basis within the IDP rulebase. Set the severity to Default, Info, Warning, Minor, or Critical. NOTE: This column only appears when you view the Security Policy in Expanded Mode.
  • Page 70: Configuring Network Honeypot Rulebase Rules (Nsm Procedure)

    delete, copy, or reorder rules. Right-click the table cell for the rule number and make your required modifications. Source Address Specifies the address object that is the source of the traffic. Select any source address or group.
  • Page 71 Select Alert to have an alert flag placed in the Alert column of the Log Viewer for the matching log record. In the Log Actions tab, select desired log actions, if any.
  • Page 72 Modifying IDP Rulebase Rules (NSM Procedure) on page 36 Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM Procedure) on page 117 Validating a Security Policy (NSM Procedure) on page 118
  • Page 73: Configuring Application Rulebase Rules (Nsm Procedure)

    If a value for User Role matches, the Source parameter is not consulted. Matching based on user role depends on integration with a compatible Juniper Networks IC Series Unified Access Control appliance.
  • Page 74 Hence it is recommended to use the application parameter instead of the service parameter whenever possible. matching source and destination parameters, set both the service parameter and the application parameter to Any.
  • Page 75 You can verify the APE rulebase functionality in your lab and view APE related statistics in the Command-Line Interface (CLI). It is recommended that you retain defaults for APE rulebase. By default:
  • Page 76 For more information, see the IDP Concepts & Examples guide. Related Topics Intrusion Detection and Prevention Devices and Security Policies Overview on page 31 Modifying IDP Rulebase Rules (NSM Procedure) on page 36
  • Page 77: Working With Attack Objects

    Creating custom attack objects Updating predefined IDP attack objects and groups Related Topics Working with Attack Groups (NSM Procedure) on page 64 Viewing Predefined Attack Objects (NSM Procedure) Loading J-Security-Center Updates (NSM Procedure) on page 62
  • Page 78: Loading J-Security-Center Updates (Nsm Procedure)

    Configuring Intrusion Detection and Prevention Devices Guide Loading J-Security-Center Updates (NSM Procedure) The Juniper Networks Security Center (J-Security Center) routinely makes important updates available to IDP security policy components, including updates to the IDP detector engine and NSM attack database.
  • Page 79: Viewing Predefined Attack Objects (Nsm Procedure)

    Working with Attack Groups (NSM Procedure) on page 64 Viewing Predefined Attack Objects (NSM Procedure) Purpose Juniper Networks Security Center (J-Security Center) develops predefined attack objects and attack object groups for IDP rulebase rules.
  • Page 80: Working With Attack Groups (Nsm Procedure)

    NSM groups are administrative objects that facilitate configuration and monitoring tasks. You can add attack groups or individual attack objects to IDP rulebase rules and Exempt rulebase rules. Creating Dynamic Groups on page 65 Creating Static Groups on page 66
  • Page 81: Creating Dynamic Groups

    Filters attack objects based on the application that is vulnerable to the attack. Add Severity Filter Filters attack objects based on attack severity. NOTE: All predefined attack objects are assigned a severity level by Juniper Networks. However, you can edit this setting to match the needs of your network. Add Category Filter Filters attack objects based on category.
  • Page 82: Creating Static Groups

    Select a color for the group icon. Select the attack or group from the Attacks/Group list and click Add. Click OK. Related Topics Attack Objects in Intrusion Detection and Prevention Security Policies Overview on page 61
  • Page 83: Creating Custom Attack Objects (Nsm Procedure)

    Specifies that this attack object is part of your highest risk set of attack objects. Later, when you add this attack object to dynamic groups, you can specify whether only recommended attack objects will be included. Attack Versions Skip this for now. Detection Performance Select High, Medium, Low, or Not Defined.
  • Page 84 Stateful signature attack objects also include the protocol or service used to perpetrate the attack and the context in which the attack occurs. If you know the exact attack signature, the protocol, and the attack context used for a known attack, select this option.
  • Page 85: Creating A Signature Attack Object

    Table 40 on page 69. Table 40: Custom Attack – General Properties Property Description False Positives Select the frequency that the attack object produces a false positive on your network: Unknown, Rarely, Occasionally, Frequently.
  • Page 86 Count/Min–Enter the number of times per minute that the attack object must detect an attack within the specified scope before the device considers the attack object to match the attack.
  • Page 87 To match 1 or more symbols. To match 0 or 1 symbols. Grouping of expressions. Alternation. Typically used with (). [<start>-<end>] Character range. [^<start>-<end>] Negation of character range. Negate Select this option to negate the attack pattern.
  • Page 88 TIP: Using a single flow (instead of Both) improves performance and increases detection accuracy. Click Next. On the Custom Attack – IP Settings and Header Matches page, specify signature settings as described in Table 42 on page 73.
  • Page 89 If you selected TCP for Service Binding and packet or first-data-packet as the Context, click the Protocols tab, select TCP packet header fields, and configure TCP Header Match settings as described in Table 43 on page 74.
  • Page 90 Table 44: UDP Header Match Settings Setting Description Source Port Enter the port number on the attacking device. Destination Port Enter the port number of the attack target. Data Length Enter the number of bytes in the data payload.
  • Page 91: Verifying The Attack Object Database Version (Nsm Procedure)

    When NSM detects that the managed device contains an older attack object database version than the one stored on the GUI server, the UI displays a warning for that device, indicating that you should update the attack object database on the device. Manual Verification
  • Page 92: Updating The Idp Detector Engine (Nsm Procedure)

    NOTE: Updating the IDP detector engine on a device does not require a reboot of the device. For more information, see Network and Security Manager Administration Guide. Related Topics Attack Objects in Intrusion Detection and Prevention Security Policies Overview on page 61
  • Page 93 Chapter 5: Working with Attack Objects Working with Attack Groups (NSM Procedure) on page 64 Loading J-Security-Center Updates (NSM Procedure) on page 62 Viewing Predefined Attack Objects (NSM Procedure)
  • Page 95: Configuring Snmp And Syslog Settings

    You have the option of configuring an SNMP agent for NSM (if you want to send the NSM collection to SNMP) or configuring an SNMP agent for each IDP device. To configure an SNMP agent for NSM, see the NSM online Help.
  • Page 96: Configuring Syslog Collection (Nsm Procedure)

    To configure syslog forwarding for NSM, see the NSM online Help. To configure syslog forwarding for a single IDP device: In the NSM Device Manager, double-click the IDP device to display the device configuration editor. Click Report Settings.
  • Page 97 Specify whether to forward packet logs to the syslog server. Click OK. Related Topics NSM Logs and Reports Overview on page 127 Viewing Logs on page 127 Configuring an SNMP Agent (NSM Procedure) on page 79
  • Page 99: Configuring Anti-Spoof Settings

    Select a forwarding interface to configure. Logging Enable logging for spoofed IP addresses. Alarm Enable alerts for spoofed IP addresses. Check Other Interfaces Indicate whether the device should check the status of other interfaces when determining spoofing.
  • Page 100: Example: Applying Antispoof To A Web Server And Database Server

    IP address appears at this interface, you want the sensor to let you know. Select None from the Action list. You just want to log this event. Select the Web server as the address object assigned to this interface.
  • Page 101: Procedure)

    Chapter 7: Configuring Anti-Spoof Settings Related Topics Configuring Antispoof Settings in Intrusion Detection and Prevention Devices (NSM Procedure) on page 83 Intrusion Detection and Prevention Services and Device Configurations Supported in NSM on page 6
  • Page 103: Configuring Intrusion Detection And Prevention Device Settings

    In NSM Device Manager, double-click the IDP device for which you want to configure load-time parameters. The device configuration editor appears. Click Sensor Settings. Click the Load Time Parameters tab. Configure load-time parameters using Table 48 on page 88. Click Apply. Click OK.
  • Page 104: Configuring Run-Time Parameters (Nsm Procedure)

    Configuring Run-Time Parameters (NSM Procedure) Run-time parameters include options for tuning IDP detection methods. In general, you modify these settings only if you encounter false positives or performance issues. These options control the security module operations.
  • Page 105 Ratio of small packets to the total packets (percentage)–Controls the minimum percentage of small packets that the IDP device uses for backdoor detection heuristics. If the IDP device sees less than this minimum, it does not report a backdoor event. The default is 20%.
  • Page 106 Reset block table with policy load/unload–Allows the IDP device to reset the block table. The block table maintains the state of active IP actions each time a security policy loads or unloads. This setting is enabled by default. Copyright © 2010, Juniper Networks, Inc.
  • Page 107 An attack in the signature hierarchy may have multiple parents or multiple children. If a child attack is part of two discovered parents, IDP takes action based on the parent with the highest severity. Specify 0 to disable. Copyright © 2010, Juniper Networks, Inc.
  • Page 108 Enable GTP decapsulation support–Enables GPRS Tunneling Protocol (GTP) decapsulation. IDP supports decapsulation of UDP GTPv0 and GTPv1 only. GTP decapsulation is not enabled by default. Enable SSL decryption support–Enables SSL inspection. SSL decryption is not enabled by default. Copyright © 2010, Juniper Networks, Inc.
  • Page 109 Controls the number of seconds a connection is maintained while waiting for the final ACK. To improve IDP performance during heavy loads, decrease the timeout—this reduces the size of the flow table by closing connections sooner. The default is 120 seconds. Copyright © 2010, Juniper Networks, Inc.
  • Page 110: Configuring Router Parameters (NSM Procedure)

    In NSM Device Manager, double-click the IDP device for which you want to configure router parameters. The device configuration editor appears. Click Sensor Settings. Click the Router Parameters tab. Configure the router parameters using Table 50 on page 95. Click Apply. Click OK.
  • Page 111: Configuring Protocol Handling (NSM Procedure)

    In NSM Device Manager, double-click the IDP device that you want to modify. The device configuration editor appears. Click Sensor Settings. Click the Protocol Thresholds and Configuration tab. Configure the protocol thresholds using Table 51 on page 96. Click Apply. Click OK.
  • Page 112 Maximum time of a DNS cache–Controls the maximum amount of time for a DNS query and reply. The default is 60 seconds. Maximum number of logs in a session–Controls the maximum number of DNS queries kept to match a reply. The default is 1000 queries.
  • Page 113 Gopher server to a client that contains more bytes than the specified maximum. The default is 512 bytes. Maximum hostname length–Raises a protocol anomaly if IDP detects, in a Gopher server-to-client connection, a hostname that contains more bytes than the specified maximum. The default is 64 bytes.
  • Page 114 Minimum time interval (in seconds) between packets–Raises a protocol anomaly if IDP detects ICMP packets that have less than the specified minimum time interval between them. The default is 1 second. Use this setting to tune the Flood attack object (ICMP:EXPLOIT:FLOOD).
  • Page 115 This setting tunes detection with the imap_literal_length_overflow attack object (key is IMAP:OVERFLOW:LIT_LENGTH_OFLOW). Maximum number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the maximum. The default is 4 IMAP login failures per minute.
  • Page 116 The default is 64 bytes. Maximum Nickname length–Raises a protocol anomaly if IDP detects an IRC nickname containing more bytes than the specified maximum. The default is 16 bytes.
  • Page 117 The default is 8 nested operators. Maximum Number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the maximum. The default is 4 LDAP login failures per minute.
  • Page 118 Maximum filename length for format related sub commands–Raises a protocol anomaly if IDP detects in an LPR control file a format-related file name containing more bytes than the specified maximum. The default is 32 bytes.
  • Page 119 The default is 1024 bytes. Maximum buffer length for read/write–Raises a protocol anomaly if IDP detects an NFS read/write buffer larger than the specified maximum. The default is 32,768 bytes.
  • Page 120 Maximum time for an NTP Symmetric passive association to dissolve–A symmetric passive association between two NTP peers must be dissolved after sending one reply. This setting is the time in seconds after which IDP considers such an association as expired. The default is 900 seconds.
  • Page 121 The default is 8192 bytes. Maximum number of login failures per-minute–Raises a BRUTE_FORCE protocol anomaly if IDP detects more login failures than the specified maximum. The default is 4 SMB login failures per minute.
  • Page 122 The default is 4 TELNET login failures per minute. TFTP Maximum Filename length–Raises a protocol anomaly if IDP detects a filename containing more bytes than the specified maximum. The default is 128 bytes.
  • Page 123 The default is 4 VNC login failures per minute. WHOIS Maximum Request length–Raises a protocol anomaly if IDP detects a WHOIS request containing more bytes than the specified maximum. The default is 128 bytes.
  • Page 124 The default is 1024 bytes. Maximum Chatroom message length–Raises a protocol anomaly if IDP detects a Yahoo! Messenger chat room message containing more bytes than the specified maximum. The default is 2000 bytes.
  • Page 125 The default is 124 bytes. Related Topics Updating the IDP Detector Engine (NSM Procedure) on page 76 Configuring Traffic Anomalies Rulebase Rules (NSM Procedure) on page 51
  • Page 127: Configuring Additional Intrusion Detection And Prevention Features

    Traffic (NSM Procedure) You can enable IDP processing of encrypted and encapsulated traffic through NSM. 1. Enabling SSL Decryption on page 112 2. Enabling GRE Decapsulation on page 112 3. Enabling GTP Decapsulation on page 113
  • Page 128: Enabling SSL Decryption

    In the NSM Device Manager, double-click the IDP device to display the device configuration editor. Click Sensor Settings. Click the Run-Time Parameters tab. Expand the Run-Time Parameters group. Select Enable GRE decapsulation support. Click OK.
  • Page 129: Enabling GTP Decapsulation

    Expand the Run-Time Parameters group. Select Enable GTP decapsulation support. Click OK. Related Topics Configuring Additional Intrusion Detection and Prevention Features Overview on page 111 NSM and Intrusion Detection and Prevention Device Management Overview on page 5
  • Page 131 PART 3 Managing Intrusion Detection and Prevention Devices Managing Security Policies in Intrusion Detection and Prevention Devices on page 117 Managing Profiler Settings in Intrusion Detection and Prevention Devices on page 123
  • Page 133: Devices

    Manager Administration Guide. Related Topics Intrusion Detection and Prevention Devices and Security Policies Overview on page 31 Validating a Security Policy (NSM Procedure) on page 118 Troubleshooting Security Policy Validation Errors (NSM Procedure) on page 118
  • Page 134: Validating A Security Policy (NSM Procedure)

    Remember that the service binding specifies the service and port that the attack uses. Because two different protocols are specified, IDP cannot match attacks for the attack object. To resolve this problem, set Service to Default.
  • Page 135: Pushing Security Policy Updates To An IDP Device (NSM Procedure)

    Devices Options dialog box. Select the devices that you want to push configuration updates to and to set update job options on. Table 53 on page 120 describes devices update job options. Click OK.
  • Page 136 Restarts the profiler when the device gets updated. Update IDP Rulebase Only Updates IDP rulebase only. Don’t Show This Dialog Does not allow this dialog box to appear again. For more information, see the IDP Concepts & Examples Guide.
  • Page 137: Troubleshooting Configuration Push Errors (NSM Procedure)

    The device does not have a valid license. Unlicensed devices do not accept policy uploads. Related Topics NSM and Intrusion Detection and Prevention Device Management Overview on page 5 Pushing Security Policy Updates to an IDP Device (NSM Procedure) on page 119
  • Page 138: Disabling Rules (NSM Procedure)

    Security Manager Administration Guide. Related Topics Intrusion Detection and Prevention Devices and Security Policies Overview on page 31 Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM Procedure) on page 117
  • Page 139: Managing Profiler Settings In Intrusion Detection And Prevention

    Profiler. In the Stop Profiler dialog box, select the appropriate devices, and then click OK. Alternatively, you can right-click any device from the Device Manager, and select IDP Profiler > Stop Profiler. Related Topics Configuring Profiler Options (NSM Procedure) on page 13
  • Page 140 Modifying Profiler Settings (NSM Procedure) on page 25
  • Page 141: Monitoring Intrusion Detection And Prevention Devices

    PART 4 Monitoring Intrusion Detection and Prevention Devices Working with NSM Logs and Reports on page 127 Working with Intrusion Detection and Prevention Reporter Reports on page 139
  • Page 143: Working With NSM Logs And Reports

    This section includes the following primary sections: 1. IDP Logs on page 128 2. Using NSM Log Investigator on page 128 3. Using NSM Audit Log Viewer on page 128
  • Page 144: IDP Logs

    Table 57: NSM Audit Log Viewer Table Column Description Time Generated The time the object was changed. The Audit Log Viewer displays log entries in order of time generated by Greenwich Mean Time (GMT).
  • Page 145 Audit Log table and view details in the Device View table, which is displayed below the Audit Log Viewer table. Table 59 on page 130 describes the Device View table.
  • Page 146: Viewing Device Status

    Unique name assigned to the device in NSM. Domain Domain in NSM in which the device is managed. Platform Model number of the device. OS Version Operating system firmware version running on the device.
  • Page 147 Managed, Sync Pending—Completion of the Update Device directive is suspended and waiting for the device to reconnect. This state occurs only for ScreenOS devices that have the Update When Device Connects option selected during the device update.
  • Page 148 Out Of Sync—The inventory information in the NSM database is not synchronized with the software on the device. N/A—The connected device is a ScreenOS or IDP device, or the device is not connected and imported.
  • Page 149: Viewing NSM Predefined Reports

    Top 20 Targets Prevented (last 24 hours) IP addresses that have most frequently prevented attacks during the last 24 hours. All Attacks by Severity (last 24 hours) Number of attacks by severity level (set in attack objects).
  • Page 150 Table 62 on page 134 describes Profiler predefined reports. These reports are related to activity by hosts in your network. Table 62: NSM Profiler Predefined Reports Report Description Top 10 Peers by Count Ten source and destination IP addresses that appeared most frequently in the Profiler logs.
  • Page 151: Creating NSM Custom Reports

    Select File > Save As. Use a predefined report as a template and example, complete the configuration options, and click OK to save the new report settings. Table 64 on page 136 describes configuration options.
  • Page 152 The columns you selected on the General tab are passed through. Select the Report column with the cursor to display the corresponding Filter Settings controls. Filter Settings Specify filter values related to column settings.
  • Page 153: Configuring Log Suppression

    The default is 10 seconds. Maximum number of logs that can be stored: Determines the limit for logs stored on the IDP device. The default is 50,000. The minimum value is 1,000. The maximum is 65,535.
  • Page 154 The minimum value is 100; the maximum is 1,000 packets. The maximum is 65,535. Related Topics NSM Logs and Reports Overview on page 127 Configuring Syslog Collection (NSM Procedure) on page 80
  • Page 155: Working With Intrusion Detection And Prevention Reporter Reports

    For more information on using IDP Reporter, see the IDP Reporter User’s Guide. Related Topics NSM Logs and Reports Overview on page 127 Creating NSM Custom Reports on page 135
  • Page 157: Index

    PART 5 Index Index on page 143
  • Page 159: Index

    Index: customer support, xiv; contacting JTAC, xiv; Security, 13; support, technical, see technical support; technical support, contacting JTAC, xiv.