Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
(including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and current versions of Junos OS. By integrating management of all Juniper Networks security devices, NSM enhances the overall security of the Internet gateway.
Release Notes differs from the information found in the documentation set, follow the Release Notes. Release notes are included on the corresponding software CD and are available on the Juniper Networks website.
Network and Security Manager Configuring Infranet Controllers: Provides details about configuring the device features for all supported Infranet Controllers.
7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
Introduction to Network and Security Manager Juniper Networks Network and Security Manager (NSM) gives you complete control over your network. Using NSM, you can configure all your Juniper Networks devices from one location, at one time. This chapter contains the following sections:...
Firewall and IDP (ScreenOS/IDP) Devices on page 13
Devices Running Junos OS on page 16
SSL VPN Secure Access Products on page 20
Juniper Networks IC Series Unified Access Control Appliances on page 21
Extranet Devices on page 21
Firewall and IDP (ScreenOS/IDP) Devices...
Devices running Junos OS and managed by NSM are listed in the following sections:
Juniper Networks J Series Services Routers and SRX Series Services Gateways on page 16
Juniper Networks M Series Multiservice Edge Routers and MX Series Ethernet Services Routers on page 18
Juniper Networks EX Series Ethernet Switches on page 19
NOTE: NSM only supports the domestic version of the Junos OS and not the export version.
Juniper Networks SRX5800–Modular: Junos OS Release 9.5, 9.6, 10.1
Juniper Networks M Series Multiservice Edge Routers and MX Series Ethernet Services Routers
Table 9 on page 18 lists the M Series and MX Series Routers, and the versions of Junos OS that NSM supports.
Juniper Networks MX960 with IDP services: Junos OS Release 9.4, 9.5, 9.6, 10.0, 10.1
Juniper Networks EX Series Ethernet Switches
Table 10 on page 19 lists the Ethernet Switches and the versions of Junos OS that NSM supports. Table 10: EX Series Ethernet Switches NSM Supports...
Chapter 1: Introduction to Network and Security Manager Juniper Networks IC Series Unified Access Control Appliances In a Unified Access Control (UAC) solution, Infranet Controller (IC) products provide policy management. ScreenOS firewalls can provide the enforcement points. Table 12 on page 21 lists the Infranet Controller products and firmware versions supported by NSM 2010.3.
Network-Security Manager. Device families introduced in Release 2008.1 and later are described by schemas that are maintained on a schema repository owned by Juniper Networks. These schemas can be added dynamically to NSM. These devices include:...
Creating an Information Banner on page 57 Configuring Devices Overview To manage Juniper Networks devices that already exist on your network, you can import their device configurations into NSM. Each imported device appears in the NSM UI, where you can view or make changes to the device, such as change settings in the device configuration, edit the security policy for the device, and upgrade device firmware.
Network and Security Manager Administration Guide NOTE: Juniper Networks also offers security devices with Intrusion Detection and Prevention (IDP) capability. For details on how to enable IDP functionality on these devices, see “Configuring IDP-Capable Devices Overview” on page 45. Importing Existing Devices For networks with deployed devices, if you have already designed, staged, and set up a working physical device, you don’t need to repeat that process;...
For details on adding devices, see “Adding Devices” on page 97. Modeling New Devices For new networks or networks that do not use a previously deployed Juniper Networks device, you should review your network topology thoroughly and design a security system that works for your organization.
When deployed inline in your network, Juniper Networks Intrusion Detection and Prevention (IDP) technology can detect—and stop—attacks. Unlike IDS, IDP uses multiple methods to detect attacks against your network and prevent attackers from gaining access and doing damage.
CHAPTER 3 Configuring Role-Based Administration This chapter details how to use the Juniper Networks Network and Security Manager (NSM) role-based administration (RBA) feature to configure domains, administrators, and roles to manage your network. Your organization probably already has an existing permission structure that is defined by job titles, responsibilities, and geographical access to your security devices.
CHAPTER 4 Adding Devices This chapter provides information about adding Juniper Networks devices to your network. These devices can include routers and switches, as well as the security devices that protect your network against malicious traffic. Juniper Networks Network and Security Manager (NSM) can manage all Juniper Networks devices running ScreenOS 5.x and later, IDP 4.0 and later, Junos 9.0 and later, IC 2.2 or...
Chapter 4: Adding Devices Unified Access Control (Infranet Controller) devices—The policy management server of the Juniper Networks LAN access control solution. SSL VPN (Secure Access) devices. Virtual Chassis—Stacked EX Series devices functioning as one logical EX Series switch or an SRX cluster represented in NSM as a virtual chassis.
OS. For example, NSM no longer supports devices running 4.x or earlier versions of ScreenOS. If you are not running a supported version, you must upgrade your devices before adding them into the management system. Contact Juniper Networks customer support for details.
Table 20 on page 110 and Table 21 on page 110 summarize the port, interface, and zone bindings provided by the ScreenOS port modes. Port numbers are as labeled on the Juniper Networks security device chassis. The Trust-Untrust mode entries represent the default port modes.
Click Next to have NSM import settings already present on the Sensor. Click Finish to complete the add operation. An IDP 4.1 or later sensor is also updated with the Juniper Networks Recommended policy. IDP 4.0 Sensors cannot use the Recommended policy.
Updating the device also pushes the Juniper Networks Recommended policy to the device. After update is complete, the device status displays as “Managed”, indicating that the device has connected and the management system has successfully pushed the device configuration.
A Virtual System (vsys) is a virtual device that exists within a physical security device. The vsys device functions as a completely separate security device. The physical device, called the root device, can contain multiple vsys devices. The following Juniper Networks security devices can be root devices:...
NOTE: You can model many ScreenOS devices, but you cannot activate many devices except when using the Rapid Deployment process. Juniper Networks provides CSV templates in Microsoft Excel format for each type of CSV file. These templates are located in the utils subdirectory where you have stored the...
Configuring Devices The Device Manager module in Network and Security Manager (NSM) enables you to configure the managed Juniper Networks devices in your network. You can edit configurations after you add and import a managed device, or create configurations when you model a device.
Execute device-specific troubleshooting commands. Use the technical support service that allows packaged collections of information for remote analysis by Juniper Networks Technical Assistance Center (JTAC). Reboot the device. The view of the configuration from NSM might also be missing data configured in large binary files.
Updating Devices This chapter explains how to update the running configuration (the configuration on the device) with the modeled configuration (the configuration in the Juniper Networks Network and Security Manager (NSM) UI). This chapter also describes the events that can require you to update your device, as well as NSM tools that help you to track, verify, and preview the update process.
Upgrading the Device Software Version Upgrading the operating system is a three-step process: Download the new software image file from the Juniper Networks website to your computer running the client UI. Copy the image file to a repository on the GUI server using the NSM Software Manager, which you access from the Device Manager launchpad by selecting Manage Device Software (Select Tools >...
Verify the details and click Finish. NOTE: Do not change the name of the image file. The name of the image file must be exactly the same as the filename that you download from Juniper Networks, for example, ns5xp.4.0.3r2.0 or sensor_4_1r1.sh. When upgrading multiple device types, ensure that you have loaded the same version of the image file for each type of device on the Device Server.
NSM does not support OS downgrades; you cannot use NSM to install an earlier version of Juniper Networks OS than is currently running on the device. You must use the Web UI or CLI commands to downgrade a managed device, and then add the device to NSM again.
You must first obtain a license key from your value-added reseller (VAR) or from Juniper Networks. Then you can use the NSM UI to install the license key on the managed device.
Controller device checks third-party applications on endpoints for compliance with the predefined rules you configure in a Host Checker policy. Uploading ESAP Packages To upload the Endpoint Security Assessment Plug-in from the Juniper Networks Customer Support Center to your NSM client computer, follow these steps: Open the following page: https://www.juniper.net/customers/csc/software/ive/...
NSM automatically chooses one of the cluster members. Activating Subscription Services To use some Juniper Networks services, such as internal AV or Deep Inspection Signature Service, you must activate the service on the device by first registering the device, and then obtaining the subscription for the service.
To prepare for a local update, you manually download the attack objects files from the Attack Object Database server (managed by Juniper Networks), then copy these files to a local directory on the GUI Server. Then, during the local update, you specify the path to these files.
Chapter 7: Managing Devices
Obtain the attack update data file from the Juniper Networks Web site:
Browse to https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat
Copy and paste the content from the URL into a text file called NSM-SecurityUpdateInfo.dat.
Make sure the file has no HTML tags, RTF tags, or control characters. Use a text editor to make sure there are no control characters in the file.
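The three checks the guide asks for (no HTML tags, no RTF markup, no control characters) can be automated before the file is placed on the GUI Server. This is an added example, not code from the guide or from Juniper; the sample contents are constructed for the demonstration and do not represent the real update-file format.

```python
import re
import sys

# Constructed sample contents (not the real NSM-SecurityUpdateInfo.dat format),
# one clean and three that a browser copy-and-paste commonly produces.
CLEAN_SAMPLE = "version=123\nattacks=456\n"
HTML_SAMPLE = "<html><body>version=123</body></html>\n"
RTF_SAMPLE = "{\\rtf1\\ansi version=123}\n"
CONTROL_SAMPLE = "version=123\r\x00attacks=456\n"

# An HTML/XML style tag: '<', optional '/', a tag name, anything but '<' or '>', then '>'.
HTML_TAG = re.compile(r"<\s*/?\s*[A-Za-z][^<>]*>")
# Typical RTF residue: the document header or common control words.
RTF_MARKER = re.compile(r"\{\\rtf1|\\par\b|\\ansi\b")
# Control characters below 0x20 other than TAB (0x09) and LF (0x0a), plus DEL (0x7f).
# CR (0x0d) is deliberately included: the guide wants no control characters at all,
# and CRLF line endings are the usual residue of a Windows editor.
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def check_update_info(text):
    """Return a list of problems found in the pasted file contents.

    An empty list means the text passes all three checks from the guide.
    Control characters are reported individually with their line number so
    the administrator can locate them in a text editor.
    """
    problems = []
    if HTML_TAG.search(text):
        problems.append("html-tag")
    if RTF_MARKER.search(text):
        problems.append("rtf-markup")
    for match in CONTROL_CHAR.finditer(text):
        line_no = text.count("\n", 0, match.start()) + 1
        problems.append("control-char 0x%02x at line %d" % (ord(match.group()), line_no))
    return problems


def check_update_file(path):
    """Run the same checks over a file on disk.

    Bytes are decoded as Latin-1 so that no byte value is rejected and every
    stray control byte is still visible to the checks.
    """
    with open(path, "rb") as handle:
        return check_update_info(handle.read().decode("latin-1"))


if __name__ == "__main__":
    # Usage: python check_update_info.py NSM-SecurityUpdateInfo.dat
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        for name, sample in (("clean", CLEAN_SAMPLE), ("html", HTML_SAMPLE),
                             ("rtf", RTF_SAMPLE), ("control", CONTROL_SAMPLE)):
            print(name, "->", check_update_info(sample) or "OK")
    else:
        found = check_update_file(target)
        print(target, "->", found or "OK")
        sys.exit(1 if found else 0)
```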
(managed by Juniper Networks), then specify the action you want the server to take. For a successful update, the device configuration must be “In-Sync”, meaning that the device is connected and that no configuration differences exist between the configuration on the physical device and the modeled configuration in NSM, or “Sync Pending”, meaning...
Click OK. Reactivating Wireless Connections You can deploy a Juniper Networks NetScreen-5GT Wireless security device running ScreenOS 5.0.0-WLAN as a wireless access point (WAP). When you make changes to the wireless settings for the security device, you must update the device with your changes before the new settings take effect.
Junos devices This mechanism does not apply to ScreenOS or IDP devices. The latest device schema is placed by Juniper Networks on the Juniper Update Server, which is a publicly available server. From there, schema upgrade is a two-stage process:...
NSM. To set these permissions, in the NSM server CLI, enter the following command: % chmod 777 filename Access to the Juniper Update server uses your Juniper Networks Download Center credentials—the credentials you use to download software from the www.juniper.net Web site.
To create a Deep Inspection (DI) Profile object, you add predefined attack object groups (created by Juniper Networks) and your own custom attack object groups to the Profile object. After creating the DI Profile, you add the Profile object in the Rule Option column of a firewall rule.
A Deep Inspection (DI) Profile object contains predefined attack object groups (created by Juniper Networks), and your own custom attack object groups. After creating the DI Profile, you add the Profile object in the Rule Option column of a firewall rule.
The Predefined Attack Group tab displays the following predefined attack groups: All — a list of all attack objects, organized in the categories described below. Recommended — a list of all attack objects that Juniper Networks considers to be serious threats, organized into categories.
Updating Predefined IDP Attack Objects and Groups Juniper Networks updates the predefined attack objects and groups on a regular basis with newly-discovered attack patterns. You can update the attack object database on your security devices by downloading the new attacks and groups to the NSM GUI Server, then installing the new database on your devices.
Add the Recommended filter to include in the dynamic group only attacks designated as the most serious threats. In the future, Juniper Networks will designate only attacks it considers to be serious threats as Recommended. These settings will be updated with new attack object updates.
After you define the VSA values, the security device can query those values when a user logs on to the device. You must load a Juniper Networks dictionary file to enable the RADIUS server to support NSM-specific attributes such as administrator privileges, user groups, remote L2TP and XAuth IP addresses, and DNS and WINS server address assignments.
3 seconds to 4 seconds. You also assign its two backup servers the IP addresses 10.20.1.110 and 10.20.1.120. In addition, you load the Juniper Networks dictionary file on the RADIUS server so that it can support queries for the following vendor-specific attributes (VSAs): user groups, administrator privileges, remote L2TP and XAuth settings.
On the RADIUS server, load the Juniper Networks dictionary file and define auth user accounts. Use the Juniper Networks user group VSA to create the user group auth_grp2 and apply it to the auth user accounts that you want to add to that group.
You can also use firewall rules to control the shape of your network traffic as it passes through the firewall or to log specific network events. Multicast rules permit multicast control traffic, such as IGMP or PIM-SM messages, to cross Juniper Networks security devices. Multicast rules permit multicast control traffic only; to permit data traffic (both unicast and multicast) to pass between zones, you must configure firewall rules.
Juniper Networks provides predefined attack objects that you can use in IDP rules. You can also configure your own custom attack objects. NOTE: Juniper Networks updates predefined attack objects on a regular basis to keep current with newly-discovered attacks.
Infranet Authentication—Use this option to enable specified RAS users to connect using a Juniper Networks Infranet Controller. An unauthenticated user trying to access a UAC-protected resource via HTTP is usually redirected to the URL of an authenticating IC. The redirect URL is a global parameter specified per controller.
Recommended IDP takes the action recommended by Juniper Networks. With IDP 4.1 and later, attack objects have a recommended action associated with them. If a packet triggers more than one attack object, IDP applies the most secure of the recommended actions.
You can copy, paste, drag and drop any of these shared objects into the transaction rule. Juniper Networks M Series and MX Series routers running Junos 9.5 and later can be managed in two modes: Central Policy management (CPM) and In-Device management.
The translation can include IP addresses as well as port numbers. The types of NAT policies that are supported on Juniper Networks devices are: Source NAT policy, Destination NAT policy, and Static NAT policy.
A destination NAT policy is used to allow hosts on a public network to communicate with a private network through the translation of the destination IP address within a packet that is entering the Juniper Networks device. For more information on destination NAT, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/jd0e90828.html#jd0e90837...
About VPNs With Network and Security Manager (NSM), you can use basic networking principles and your Juniper Networks security devices to create VPNs that connect your headquarters with your branch offices and your remote users with your protected networks. NSM supports tunnel and transport modes for AutoKey IKE, Manual Key, L2TP, and L2TP-over-AutoKey IKE VPNs in policy-based or route-based configurations.
(cannot exceed the maximum number of allowed Phase 1 SAs or the maximum number of VPN tunnels allowed on the Juniper Networks security device platform). For details on group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
To create a static route, you must manually create a route for each tunnel on each device. For VPNs with more than just a few devices, Juniper Networks highly recommends using a dynamic routing protocol to automatically determine the best route for VPN traffic: To route between different networks over the Internet, use Border Gateway Protocol (BGP);...
For details on how Group IKE IDs work, see “Configuring Group IKE IDs” on page 557. For details on determining the ASN1-DN container and wildcard values for Group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide. FQDN—Use a Fully Qualified Domain Name when the gateway has a dynamic IP address.
Automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface. For details on VPN monitoring at the device level, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
Configure the RADIUS Server. On the RADIUS server, load the Juniper Networks dictionary file and define Xauth user accounts. Use the Juniper Networks user group VSA to create the user group xa_grp2 and apply it to the auth user accounts that you want to add to that group.
SNMP enabled, so that the maximum number of links are discovered. Check for NSM schema updates if some Juniper Networks devices are not discovered. If IP addresses for endpoint devices connected to a switch are not discovered, expand the range of the included subnets and ensure that all relevant routers are SNMP enabled.
In map view, each network element is represented by an icon indicating whether the element is a Juniper Networks product and whether it is managed by NSM. Each device type is represented by a unique icon on the map. Managed and unmanaged devices appear as different colored icons.
Links View on page 631 Free Ports View on page 631 Devices View The NSM Topology Manager provides a tabular view of all the discovered Juniper Networks devices in the network along with relevant details about each device. The Devices table lists details about the Juniper Networks devices and other third-party routers and switches.
Free Ports topology discovery engine. If the administrative status of a device port is down, it is considered a free port. The managed status of a Juniper Networks device is indicated in the Device Status column. You can save the information in the table as comma-separated values in a file.
Realtime Monitoring The Realtime Monitor module includes four views that you can use to monitor the status and traffic statistics for all the managed Juniper Networks devices in your network in real time. To access, monitor, and configure the NSM management system, you use the Server Manager module.
Protocol) clusters in your network. If you implement NSRP for the purpose of deploying clusters in your Juniper Networks security system, you can use the NSRP Monitor to view and troubleshoot the status of security devices in clusters within the domain you are working in.
NSRP Monitor to get an at-a-glance status of your Juniper Networks systems that are in clusters. These systems include both the NetScreen-500 and the NetScreen-1000. To launch the NSRP Monitor, click NSRP Monitor.
You can forward multiple log entries with different severity levels to the same log destination. Juniper Networks assigns a predefined severity level in the firmware of each Juniper Networks device. However, these severity levels are not the same as the severity levels that appear in the log entries viewed in an NSM UI module.
Use the General settings to select the severity levels of the log entries you want to forward to a specific location. Juniper Networks assigns a predefined severity level for each event that generates a log entry on a managed device; using NSM, you can configure a device to send log entries with specific severity levels to specific destinations.
Use the Report Manager module in Network and Security Manager to generate and view reports summarizing log and alarms generated by the managed Juniper Networks devices in your network. You can use these reports to track and analyze log incidents, network traffic, and potential attacks.
Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP)—including HTTP webmail—and Post Office Protocol version 3 (POP3) traffic. Juniper Networks offers an internal AV scanning solution.
Access Point Name (APN): An APN is an IE included in the header of a GTP packet that provides information on how to reach a network.
The policy management component of the Juniper Networks UAC solution.
Infranet Enforcer: The policy enforcement point or firewall within a Juniper Networks UAC solution.
Internet Control Message Protocol (ICMP): ICMP is a network-layer protocol that does not carry user data, but does encapsulate its messages in IP datagrams.
Secure Access Device: A Juniper Networks SSL VPN appliance.
Secure Copy (SCP): A method of transferring files between a remote client and a security device using the SSH protocol.
(although future versions of NSM may support these commands). To use an unmanaged device command, you must connect locally to the Juniper Networks security device. Table 120 on page 849 details each unmanaged command.
This appendix describes actions required for a security administrator to properly secure the Network and Security Manager (NSM) system and NSM User Interface to be in compliance with the Common Criteria EAL2 security target for Juniper Networks IDP 4.0 functionality.