Configuring IDP-Capable Devices Overview; Common Criteria EAL2 Compliance; Guidance for Intended Usage; Guidance for Personnel - Juniper Network and Security Manager 2010.3 - Administration Guide Rev1 Administration Manual

Configuring IDP-Capable Devices Overview

Copyright © 2010, Juniper Networks, Inc.

Although firewalls provide basic protection, they are not designed to detect all attacks.
Advanced attack methods often elude firewall detection by embedding an attack within
permitted traffic or by using attack vectors that are outside the firewall's detection
capability.

When deployed inline in your network, Juniper Networks Intrusion Detection and Prevention
(IDP) technology can detect—and stop—attacks. Unlike IDS, IDP uses multiple methods
to detect attacks against your network and prevent attackers from gaining access and
doing damage. IDP can drop malicious packets or connections before the attacks can
enter your network. IDP is designed to reduce false positives and ensure that only actual
malicious traffic is detected and stopped. You can also deploy IDP as a passive sniffer,
similar to a traditional IDS, but with greater accuracy and manageability.

Common Criteria EAL2 Compliance

All Juniper Networks IDP Sensors meet the Common Criteria requirements for Common
Criteria EAL2. This section describes actions that are required for a security administrator
to properly secure the NSM system and NSM User Interface to be in compliance with the
Common Criteria EAL2 security target for Juniper Networks NetScreen-IDP 4.x.

The NSM system consists of the Device Server and the GUI Server; the NSM User Interface
is a client application used to access information stored in the NSM system.

Guidance for Intended Usage

The NSM system must be installed on dedicated systems. These dedicated systems
must not contain user processes that are not required to operate the NSM software.

Guidance for Personnel

The following items are also required for Common Criteria EAL2 compliance:

- There must be one or more competent individuals assigned to manage the NSM system
  and User Interface, and the security of the information that they contain.
- The authorized administrators must not be careless, willfully negligent, or hostile and
  must follow and abide by the instructions provided by the NSM documentation.
- The NSM system and User Interface must be accessed only by authorized users.

Guidance for Physical Protection

The processing resources of the NSM system and User Interface must be located within
facilities with controlled access which prevents unauthorized physical access.

Supported IDP-Capable Devices

NSM supports IDP on standalone IDP Series Intrusion Detection and Prevention Appliances
(IDP 10, 50, 100, 200, 500, 600C, 600F, 1000, 1100C, and 1100F); as part of ISG2000
and ISG1000 security systems running ScreenOS 5.0.0-IDP1 or ScreenOS 5.4 and later;
as well as J Series, SRX Series, and MX Series devices.