Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1 Manual page 47


You can also specify that any undesirable actions must occur for a particular
period of time before an alert generates. For example, you can configure a sentry
indicating that a mail server must communicate with a large number of additional
hosts for several minutes before an alert generates. This type of sentry generates
an alert when the activity ceases.
A behavior sentry is useful if your graph displays a consistent or repetitive amount
of traffic. For example, if your graph displays the number of hosts accessing a busy
server, you can monitor the number of non-responsive flows across the entire
network or the number of hosts communicating at the top level of the network.
Anomaly
An Anomaly sentry monitors your deployment for abnormal activity. The algorithm
detects new or unknown traffic, traffic that suddenly ceases, or a percentage
change in the amount of time an object is active. For example, if an area of your
network that never communicates with Asia starts communicating with hosts in that
region, an alert generates. An Anomaly sentry is activity-based and not
volume-based. For example, a host that communicates for 6 minutes out of 1 hour
would be active for 16% of the time.
An Anomaly sentry is useful in the following situations:
Monitoring traffic for users who are configuring access to network equipment
such as switches and routers.
Monitoring remote access to servers to test for uncommon protocols.
Monitoring internal flow and failure from devices.
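The following is an added illustration of an activity-based anomaly sentry; it is not STRM code and does not reflect how the STRM algorithm is implemented. It assumes (my assumption, not the manual's) that flows arrive as (minute-of-hour, source host, destination region) tuples, that an object counts as active in any minute with at least one flow regardless of how many flows it sent, and that the current hour is compared against a learned baseline hour. It reports the three conditions the text names: new traffic pairs, traffic that ceased, and a percentage change in active time above a configurable limit.

```python
"""Activity-based anomaly sentry (added example, not STRM code)."""
from collections import defaultdict

# Constructed sample flows: (minute offset within the hour, source host, destination region).
BASELINE_FLOWS = (
    [(m, "10.0.0.5", "EU") for m in range(0, 60, 10)]   # active 6 minutes of 60
    + [(m, "10.0.0.9", "EU") for m in range(0, 60)]     # active every minute
    + [(3, "10.0.0.7", "US")]                           # a single short conversation
)
CURRENT_FLOWS = (
    [(m, "10.0.0.5", "EU") for m in range(0, 60, 2)]    # now active 30 minutes of 60
    + [(4, "10.0.0.5", "ASIA"), (6, "10.0.0.5", "ASIA")]  # never seen before
    + [(m, "10.0.0.9", "EU") for m in range(0, 40)]     # active 40 minutes of 60
)                                                        # 10.0.0.7 is silent this hour


def active_fraction(flows, minutes=60):
    """Fraction of the window in which each host had at least one flow.
    Flow volume is ignored on purpose: the sentry is activity-based."""
    active_minutes = defaultdict(set)
    for minute, src, _region in flows:
        active_minutes[src].add(minute)
    return {host: len(mins) / minutes for host, mins in active_minutes.items()}


def observed_pairs(flows):
    """Set of (host, region) communication pairs present in the window."""
    return {(src, region) for _minute, src, region in flows}


def anomaly_sentry(baseline, current, change_pct=50.0):
    """Alerts on new pairs, ceased pairs, and relative activity change >= change_pct."""
    alerts = []
    base_pairs, cur_pairs = observed_pairs(baseline), observed_pairs(current)
    for pair in sorted(cur_pairs - base_pairs):
        alerts.append(("new_traffic",) + pair)
    for pair in sorted(base_pairs - cur_pairs):
        alerts.append(("traffic_ceased",) + pair)
    base_act, cur_act = active_fraction(baseline), active_fraction(current)
    for host in sorted(base_act):
        before, after = base_act[host], cur_act.get(host, 0.0)
        if after == 0.0:
            continue  # already reported above as ceased traffic
        change = (after - before) / before * 100  # relative change in active time
        if abs(change) >= change_pct:
            alerts.append(("activity_change", host, round(change)))
    return alerts


if __name__ == "__main__":
    for alert in anomaly_sentry(BASELINE_FLOWS, CURRENT_FLOWS):
        print(alert)
```

With the constructed data the sentry flags the new pair to Asia, the host that went quiet, and the host whose active time rose from 6 to 30 minutes, while the host that dropped from 60 to 40 active minutes stays under the 50% limit and is not reported.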
Security/Policy
A Security/Policy sentry monitors your deployment for security/policy violations. A
Security/Policy sentry monitors your network for policy compliance at the network
or application level. This sentry type also monitors violations of usage-based
policies, which restrict or allow use of specific applications or network areas. A
Security/Policy sentry can also specify situations when application usage is
allowed. For example, if you create a sentry that allows only web traffic to the web
server group and other groups generate web traffic, the sentry generates an alert.
The Security/Policy sentry is a derivative of the Threshold sentry but with a
threshold of one. If any traffic is detected that meets the sentry criteria, an alert
generates. For example, if you apply a Security/Policy sentry to the threats view for
a worm object, and a single packet/flow is classified for that worm object, an event
generates. The events that are generated from Security/Policy sentries are sent to
the Event Processor, which correlates the sentry event with asset profile data and
with the events received from external sources (if applicable).
The Security/Policy sentry also allows you to select an auto learn option, which
enables STRM to learn system activity until a configured time. Once the time has
expired, the sentry generates an alert when any object that was not present during
the learning time becomes active.
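The following is an added illustration of the two behaviours described above, a Security/Policy sentry with a threshold of one and the auto learn option; it is not STRM code. It assumes (my assumptions, not the manual's) that a flow is a (timestamp, source, destination, destination port) tuple, that "web traffic" means destination port 80 or 443, that the web server group is an explicit set of addresses, and that the auto learn period ends at a configured timestamp after which any object (source, destination, port) not seen during learning raises an alert the first time it becomes active.

```python
"""Security/Policy sentry with threshold of one, plus auto learn (added example, not STRM code)."""

WEB_PORTS = {80, 443}                              # assumption: what counts as web traffic
WEB_SERVER_GROUP = {"10.1.0.10", "10.1.0.11"}      # constructed group membership

# Constructed flows: (timestamp, src, dst, dst_port)
FLOWS = [
    (100, "192.168.1.20", "10.1.0.10", 443),   # web traffic to the web server group: allowed
    (110, "192.168.1.20", "10.1.0.10", 80),
    (120, "192.168.1.21", "10.1.0.11", 443),
    (700, "192.168.1.22", "10.1.0.50", 80),    # web traffic to a host outside the group
    (710, "192.168.1.20", "10.1.0.10", 22),    # non-web traffic: outside this policy's scope
    (720, "192.168.1.20", "10.1.0.10", 443),   # object already seen during learning
    (730, "192.168.1.22", "10.1.0.50", 80),    # repeat of the object first seen at 700
]


def violates_web_only_policy(flow):
    """Policy: web traffic is allowed only to the web server group."""
    _ts, _src, dst, port = flow
    return port in WEB_PORTS and dst not in WEB_SERVER_GROUP


def security_policy_sentry(flows, violates=violates_web_only_policy):
    """Threshold sentry with a threshold of one: every matching flow is an event."""
    return [flow for flow in flows if violates(flow)]


def auto_learn_sentry(flows, learn_until):
    """Learn every active object up to learn_until; afterwards alert once per
    object that was not present during the learning period."""
    learned = {(s, d, p) for t, s, d, p in flows if t <= learn_until}
    alerted, alerts = set(), []
    for t, s, d, p in flows:
        obj = (s, d, p)
        if t > learn_until and obj not in learned and obj not in alerted:
            alerted.add(obj)
            alerts.append((t,) + obj)
    return alerts


if __name__ == "__main__":
    print("policy events:", security_policy_sentry(FLOWS))
    print("auto learn alerts:", auto_learn_sentry(FLOWS, learn_until=500))
```

The policy sentry fires on each web flow to the host outside the group, one event per flow because the threshold is one. The auto learn sentry, with learning ending at timestamp 500, alerts on the two objects that first appear afterwards and stays silent for the object it saw during learning and for the repeat at 730.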
STRM Users Guide
About Sentries
41
