Example Of Unique Events - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Example of Unique Events

host), ports (non-IP protocols, TCP/UDP ports, RPC programs), and Layer-7 data that
uniquely identifies hosts, applications, commands, users, and filenames.
The Profiler is supported in all IDP modes and in HA configurations, and it queries and
correlates information from multiple devices.
To use the Profiler, you must first configure the networks and hosts on your internal
network that you want to monitor. The device monitors traffic at the network and
application levels. You can use this data to investigate and analyze potential problems
in the network and to resolve security incidents.
During profiling, the device records network activity at Layer-3, Layer-4, and Layer-7 and
stores this information in a searchable database called the Profiler DB. The device uses
session creation, session teardown, and protocol contexts to generate this database,
which defines all unique activities occurring on your network. Unique activities include
attempts, probes, and successful connections. The device logs normal events only once,
and it logs all unique events as often as they occur. A normal event is an event that
reoccurs frequently and does not change. A unique event is an event that is new,
unexpected, or does not match the normal traffic patterns of your network.
For example, you allow users to use a laptop to connect to the corporate network while
working in a conference room.
Normal Event. Wendy holds a meeting every Tuesday at 4:00 PM in conference room
A. Every meeting, she connects her laptop to the network and accesses documents
on the primary fileserver. Because the same event occurs multiple times, the device
logs the event once and includes a timestamp that indicates the first and last times
Wendy accessed the network from conference room A.
Unique Event. The device logs changes from normal activity as a unique event in the
Profiler.
During one of Wendy's Tuesday meetings, she discovers she needs a document that
resides on the Engineering server. She connects to that server and downloads the
needed files. Because this connection differs from her usual activity, the device logs
it as a unique event and records the IP and MAC addresses for both Wendy's laptop
and the Engineering server.
The device also logs other unique qualifiers, such as user name and e-mail address for
each individual that participated in the connection. If Wendy is out sick and another
person logs into her laptop to run the meeting, the device records the connection as
a unique event because the user name has changed.
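The following is an added example, not taken from the guide and not Juniper's implementation: a small Python model of the normal/unique distinction, replayed over the Wendy scenario. The record layout, the choice of key fields, and all addresses, MACs, dates, and user names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Record:
    first_seen: str   # timestamp of the first matching connection
    last_seen: str    # timestamp of the most recent matching connection
    count: int = 1    # bookkeeping added by this model only

class ProfilerModel:
    """Toy baseline store; the real Profiler DB schema is not described on this page."""
    def __init__(self):
        self.db = {}

    def observe(self, ts, src_ip, src_mac, dst_ip, dst_mac, user):
        # Assumed key: the qualifiers the text names (IP, MAC, user name).
        key = (src_ip, src_mac, dst_ip, dst_mac, user)
        rec = self.db.get(key)
        if rec is None:
            # New combination of qualifiers: record it as a unique event.
            self.db[key] = Record(first_seen=ts, last_seen=ts)
            return "unique"
        # Recurring, unchanged activity: keep one record, update last-seen time.
        rec.last_seen = ts
        rec.count += 1
        return "normal"

# Constructed sample data (private addresses, documentation-range MACs).
LAPTOP = ("10.0.5.20", "00:00:5e:00:53:01")
FILESERVER = ("10.0.1.10", "00:00:5e:00:53:10")
ENG_SERVER = ("10.0.2.10", "00:00:5e:00:53:20")

EVENTS = [
    ("2010-06-01T16:00", LAPTOP, FILESERVER, "wendy"),       # first Tuesday meeting
    ("2010-06-08T16:00", LAPTOP, FILESERVER, "wendy"),       # same pattern repeats
    ("2010-06-15T16:00", LAPTOP, FILESERVER, "wendy"),
    ("2010-06-15T16:20", LAPTOP, ENG_SERVER, "wendy"),       # new destination
    ("2010-06-22T16:00", LAPTOP, FILESERVER, "substitute"),  # user name changed
]

def replay(events):
    """Feed events through the model; return the model and one verdict per event."""
    model = ProfilerModel()
    verdicts = [model.observe(ts, *src, *dst, user) for ts, src, dst, user in events]
    return model, verdicts

if __name__ == "__main__":
    model, verdicts = replay(EVENTS)
    for (ts, _, dst, user), verdict in zip(EVENTS, verdicts):
        print(ts, user, "->", dst[0], verdict)
```

In this model the recurring fileserver connection collapses into a single record with first-seen and last-seen times, while the Engineering server connection and the substitute user each create a new record an analyst can review.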
To see all normal and unique events on your network, you configure and start the Profiler
on multiple devices. This enables the Profiler to aggregate and display a complete view
of your internal network.
NOTE: Profiler DBs remain on individual devices even if the devices restart.
Copyright © 2010, Juniper Networks, Inc.
