Table of Contents
Advertisement
Network and Security Manager Administration Guide
Proactively Updating Your Network
Reacting to Vulnerability Announcements
718
network. Additionally, your devices collect and store the user name and other important
information for each application. These profiling activities provide you with an inventory
of operating-system and software applications, versions, and the components that use
them.
You can use this information to proactively update your network or respond quickly to
vulnerability announcements.
To eliminate security holes, you should update your software applications regularly.
Some guidelines:
Research known vulnerabilities. Compare the information in the Profiler with a software
vulnerability database, such as Security Focus at
Common Vulnerabilities and Exposures (CVE) at
Plan to patch. After you identify your vulnerable systems, schedule a regular
maintenance time to keep downtime and disruption to a minimum.
Even if your network components do not require security patches or updates, they might
use default configurations. Many network device vendors use a common phrase, the
vendor name, or other simple word as the default password for accessing the
administration interface of their device. Because these passwords can be guessed easily,
the vendor recommends that users change the default password immediately. However,
for convenience, some users leave the default configuration password, unknowingly
opening a security hole in the network. The Profiler captures user information that you
can use to see who is logging in to network devices so you can verify that they are from
trusted IP addresses.
New network attacks and exploits are discovered every day. When new security patches
are issued, use the Profiler to quickly identify which systems are running the affected
software version, then patch them appropriately.
For large networks, it is difficult to patch everything immediately. Plan your patching
process by prioritizing based on the importance of the resources. Critical, high-risk, and
heavily used resources should be patched first, while less important, minimally used
resources might be able to wait.
Example: Identifying Vulnerable Components
For example, Microsoft announces a vulnerability in version 6.0 of the Microsoft Internet
Informations Services (IIS). To quickly identify all network components running the
vulnerable version:
Select the Protocol Profiler to see the applications running on the network.
1.
In the Context Filter data table, select HTTP Header Servers. The value data table
2.
lists all Web servers currently running. The network uses the following Web servers:
http://www.securityfocus.com/bid
http://www.cve.mitre.org/cve/
Copyright © 2010, Juniper Networks, Inc.
or
.
Advertisement
Table of Contents
