Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Administration Manual

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089

USA

408-745-2000

www.juniper.net

Part Number: 530-025612-01, Revision 1

Security Threat Response Manager

STRM Administration Guide

Release 2008.2

2 

Copyright Notice

Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this

document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks

assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves

the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A

digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the

equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and

used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential

area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following

information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it

is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has

been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These

specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that

interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be

determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV

technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET

THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE

SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

STRM Administration Guide

Release 2008.2

Revision History

June 2008—Revision 1

The information in this document is current as of the date listed in the revision history.

CONTENTS

ABOUT THIS GUIDE

Audience 1

Conventions 1

Technical Documentation 1

Documentation Feedback 1

Requesting Support 2

1 OVERVIEW

About the Interface 3

Accessing the Administration Console 4

Using the Interface 4

Deploying Changes 5

Viewing STRM Audit Logs 5

Logged Actions 5

Viewing the Log File 8

2 MANAGING USERS

Managing Roles 11

Creating a Role 11

Editing a Role 14

Managing User Accounts 15

Creating a User Account 15

Editing a User Account 17

Disabling a User Account 17

Authenticating Users 18

3 SETTING UP STRM

Managing Your License Keys 21

Updating your License Key 22

Exporting Your License Key Information 23

Creating Your Network Hierarchy 24

Considerations 24

Defining Your Network Hierarchy 25

Scheduling Automatic Updates 28

Scheduling Automatic Updates 29

Updating Your Files On-Demand 30

Configuring STRM Settings 31

Configuring System Notifications 36

Configuring the Console Settings 39

Starting and Stopping STRM 41

Resetting SIM 41

Accessing the Embedded SNMP Agent 42

Configuring Access Settings 43

Configuring Firewall Access 43

Updating Your Host Set-up 45

Configuring Interface Roles 46

Changing Passwords 47

Updating System Time 48

4 MANAGING BACKUP AND RECOVERY

Managing Backup Archives 53

Viewing Back Up Archives 53

Importing an Archive 54

Deleting a Backup Archive 55

Backing Up Your Information 56

Scheduling Your Backup 56

Initiating a Backup 58

Restoring Your Configuration Information 59

5 USING THE DEPLOYMENT EDITOR

About the Deployment Editor 62

Accessing the Deployment Editor 63

Using the Editor 63

Creating Your Deployment 65

Before you Begin 65

Editing Deployment Editor Preferences 66

Building Your Flow View 66

Adding STRM Components 67

Connecting Components 69

Connecting Deployments 70

Renaming Components 73

Building Your Event View 73

Adding Components 75

Connecting Components 77

Forwarding Normalized Events 77

Renaming Components 80

Managing Your System View 80

Setting Up Managed Hosts 81

Using NAT with STRM 87

Configuring a Managed Host 91

Assigning a Component to a Host 91

Configuring Host Context 92

Configuring STRM Components 95

Configuring a Flow Collector 95

Configuring a Flow Processor 98

Configuring a Classification Engine 104

Configuring an Update Daemon 106

Configuring a Flow Writer 108

Configuring an Event Collector 109

Configuring an Event Processor 110

Configuring the Magistrate 112

6 MANAGING FLOW SOURCES

About Flow Sources 115

NetFlow 115

sFlow 116

J-Flow 117

Packeteer 117

Flowlog File 118

Managing Flow Sources 118

Adding a Flow Source 118

Editing a Flow Source 120

Enabling/Disabling a Flow Source 121

Deleting a Flow Source 122

Managing Flow Source Aliases 122

Adding a Flow Source Alias 122

Editing a Flow Source Alias 123

Deleting a Flow Source Alias 124

7 MANAGING SENTRIES

About Sentries 125

Viewing Sentries 126

Editing Sentry Details 127

Managing Packages 132

Creating a Sentry Package 132

Editing a Sentry Package 134

Managing Logic Units 135

Creating a Logic Unit 135

Editing a Logic Unit 138

8 MANAGING VIEWS

Using STRM Views 139

About Views 139

About Global Views 140

Defining Unique Objects 141

Managing Ports View 142

Default Ports Views 142

Adding a Ports Object 142

Editing a Ports Object 144

Managing Application Views 146

Default Application Views 146

Adding an Applications Object 147

Editing an Applications Object 149

Managing Remote Networks View 151

Default Remote Networks Views 151

Adding a Remote Networks Object 151

Editing a Remote Networks Object 153

Managing Remote Services Views 154

Default Remote Services Views 154

Adding a Remote Services Object 155

Editing a Remote Services Object 156

Managing Collector Views 158

Adding a Flow Collector Object 158

Editing a Flow Collector Object 159

Managing Custom Views 161

About Custom Views 161

Editing Custom Views 170

Editing the Equation 171

Enabling and Disabling Views 172

Using Best Practices 174

9 CONFIGURING RULES

Viewing Rules 176

Enabling/Disabling Rules 177

Creating a Rule 177

Event Rule Tests 194

Offense Rule Tests 203

Copying a Rule 208

Deleting a Rule 208

Grouping Rules 209

Viewing Groups 209

Creating a Group 209

Editing a Group 211

Copying an Item to Another Group(s) 211

Deleting an Item from a Group 213

Assigning an Item to a Group 213

Editing Building Blocks 213

10 DISCOVERING SERVERS

11 FORWARDING SYSLOG DATA

Adding a Syslog Destination 219

Editing a Syslog Destination 220

Delete a Syslog Destination 221

A JUNIPER NETWORKS MIB

B ENTERPRISE TEMPLATE DEFAULTS

Default Sentries 237

Default Custom Views 245

IP Tracking Group 245

Threats Group 246

Attacker Target Analysis Group 249

Target Analysis Group 250

Policy Violations Group 251

ASN Source Group 252

ASN Destination Group 252

IFIndexIn Group 252

IFIndexOut Group 252

QoS Group 252

Flow Shape Group 253

Default Rules 254

Default Building Blocks 266

C UNIVERSITY TEMPLATE DEFAULTS

Default Sentries 281

Default Custom Views 289

IP Tracking Group 289

Threats Group 290

Attacker Target Analysis Group 293

Target Analysis Group 294

Policy Violations Group 295

ASN Source Group 296

ASN Destination Group 296

IFIndexIn Group 296

IFIndexOut Group 296

QoS Group 296

Flow Shape Group 297

Default Rules 298

Default Building Blocks 310

D ISP TEMPLATE DEFAULTS

Default Sentries 325

Default Custom Views 328

IP Tracking Group 328

Threats Group 329

Attacker Target Analysis Group 332

Target Analysis Group 333

Policy Violations Group 334

ASN Source Group 335

ASN Destination Group 335

IFIndexIn Group 335

QoS Group 335

Flow Shape Group 336

Default Rules 337

Default Building Blocks 346

INDEX

STRM Administration Guide

ABOUT THIS GUIDE

The STRM Administration Guide provides you with information for managing

STRM functionality requiring administrative access.

Audience This guide is intended for the system administrator responsible for setting up

STRM in your network. This guide assumes that you have STRM administrative

access and a knowledge of your corporate network and networking technologies.

Conventions Table 1 lists conventions that are used throughout this guide.

Technical

Documentation

You can access technical documentation, technical notes, and release notes

directly from the Juniper networks Support Web site at

http://

www.juniper.net/support/.

Documentation

Feedback

We encourage you to provide feedback, comments, and suggestions so that we

can improve the documentation. Send your comments to

techpubs-comments@juniper.net, or fill out the documentation feedback form at

http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be

sure to include the following information with your comments:

• Document name

• Document part number

Table 1 Icons

Icon Type Description

Information note Information that describes important features or

instructions.

Caution Information that alerts you to potential loss of

data or potential damage to an application,

system, device, or network.

Warning Information that alerts you to potential personal

injury.

STRM Administration Guide

2 ABOUT THIS GUIDE

• Page number

• Software release version

Requesting

Support

• Open a support case using the Case Management link at

http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States,

Canada, or Mexico) or 1-408-745-9500 (from elsewhere).

STRM Administration Guide

1

OVERVIEW

This chapter provides an overview of the STRM Administration Console and

STRM administrative functionality including:

• About the Interface

• Accessing the Administration Console

• Using the Interface

• Deploying Changes

• Viewing STRM Audit Logs

About the Interface You must have administrative privileges to access the Administration Console. The

STRM Administration Console provides access to following administrative

functionality:

• Manage users. See Chapter 2 Managing Users.

• Manage STRM. See Chapter 3 Setting Up STRM.

• Backup and recover your data. See Chapter 4 Managing Backup and

Recovery.

• Manage your deployment views. See Chapter 5 Using the Deployment Editor.

• Managing flow sources. See Chapter 6 Managing Flow Sources.

• Configure sentries. See Chapter 7 Managing Sentries.

• Configure views. See Chapter 8 Managing Views.

• Configure syslog forwarding. See Chapter 11 Forwarding Syslog Data.

All configuration updates using the Administration Console are saved to a staging

area. Once all changes are complete, you can deploy the configuration changes or

all configuration settings to the remainder of your deployment.

STRM Administration Guide

4 OVERVIEW

Accessing the

Administration

Console

You can access the STRM Administration Console through the main STRM

interface. To access the Administration Console, click Config in the main STRM

interface. The Administration Console appears.

Using the Interface The Administration Console provides several tab and menu options that allow you

to configure STRM including:

• System Configuration - Provides access to administrative functionality, such

as, user management, automatic updates, license key, network hierarchy,

sentries, STRM settings, system notifications, backup and recovery and

Console configuration.

• Views Configuration - Provides access to STRM views.

• SIM Configuration - Provides access to scanners, sensor device

management, syslog forwarding, and reset the SIM model.

• Flow Configuration - Provides access to flow source configuration, such as

NetFlow.

The Administration Console also includes several menu options including:

Table 1-1 Administrative Console Menu Options

Menu Option Sub-Menu Description

File Close Closes the Administration Console.

Configurations Deployment Editor Opens the deployment editor

interface.

Deploy configuration

changes

Deploys any configuration changes

from the current session to your

deployment.

Deploy All Deploys all configuration settings to

your deployment.

System STRM Start Starts the STRM application.

STRM Stop Stops the STRM application.

STRM Administration Guide

Deploying Changes 5

The Administration Console provides several toolbar options including:

Deploying Changes Once you update your configuration settings using the Administration Console,

you must save those changes to the staging area. You must either manually

deploy all changes using the Deploy menu option or, upon exit, a window appears

prompting you to deploy changes before you exit. All deployed changes are then

enforced throughout your deployment.

Using the Administration Console menu, you can deploy changes as follows:

• Deploy All - Deploys all configuration settings to your deployment.

• Deploy configuration changes - Deploys any configuration changes from the

current session to your deployment.

Viewing STRM

Audit Logs

Changes made by STRM users are recorded in the audit logs. You can view the

audit logs to monitor changes to STRM and the users performing those changes.

All audit logs are stored in plain text and are archived and compressed once the

audit log file reaches a size of 200 MB. The current log file is named

audit.log.

Once the file reaches a size of 200 MB, the file is compressed and renamed as

follows:

audit.1.gz, audit.2.gz, etc with the file number incrementing each

time a log file is archived. STRM stores up to 50 archived log files.

This section provides information on using the audit logs including:

• Logged Actions

• Viewing the Log File

Logged Actions STRM logs the following categories of actions in the audit log file:

STRM Restart Restarts the STRM application.

Help Help and Support Opens user documentation.

About STRM

Administration Console

Displays version information.

Table 1-2 Administration Console Toolbar Options

Icon Description

Opens the deployment editor interface.

Deploys all changes made through the Administration Console.

Table 1-1 Administrative Console Menu Options (continued)

Menu Option Sub-Menu Description

STRM Administration Guide

6 OVERVIEW

Table 1-3 Logged Actions

Category Action

User Authentication Log in to STRM

User Authentication Log out of STRM

Administrator Authentication Log in to the STRM Administration Console

Administrator Authentication Log out of the STRM Administration Console

Root Login Log in to STRM, as root

Log out of STRM, as root

Rules Adding a rule

Deleting a rule

Editing a rule

Sentry Adding a sentry

Editing a sentry

Deleting a sentry

Editing a sentry package

Editing sentry logic

User Accounts Adding an account

Editing an account

Deleting an account

User Roles Adding a role

Editing a role

Deleting a role

Sensor Devices Adding a sensor device

Editing a sensor device

Deleting a sensor device

Adding a sensor device group

Editing a sensor device group

Deleting a sensor device group

Sensor Device Extension Adding an sensor device extension

Editing the sensor device extension

Deleting a sensor device extension

Uploading a sensor device extension

successfully

Downloading a sensor device extension

Reporting a sensor device extension

Modifying a sensor devices association to a

device or device type.

STRM Administration Guide

Viewing STRM Audit Logs 7

Protocol Configuration Adding a protocol configuration

Deleting a protocol configuration

Editing a protocol configuration

Flow Sources Adding a flow source

Editing a flow source

Deleting a flow source

Offense Manager Hiding an offense

Closing an offense

Closing all offenses

TNC Recommendations Creating a recommendation

Editing a recommendation

Deleting a recommendation

Syslog Forwarding Adding a syslog forwarding

Deleting a syslog forwarding

Editing a syslog forwarding

Reports Adding a template

Deleting a template

Editing a template

Executing a template

Deleting a report

Groups Adding a group

Deleting a group

Editing a group

Backup and Recovery Editing the configuration

Initiating the backup

Completing the backup

Failing the backup

Deleting the backup

Synchronizing the backup

Cancelling the backup

Initiating the restore

Uploading a backup

Uploading an invalid backup

Deleting the backup

Table 1-3 Logged Actions

Category Action

STRM Administration Guide

8 OVERVIEW

Viewing the Log File To view the audit logs:

Step 1 Log in to STRM as root.

Step 2 Go to the following directory:

/var/log/audit

Step 3 Open the desired audit log file.

Each entry in the log file displays using the following format:

Note: The maximum size of any audit message (not including date, time, and host

name) is 1024 characters.

<date_time> <host name> <user>@<IP address> (thread ID)

[<category>] [<sub-category>] [<action>] <payload>

Where:

<date_time> is the date and time of the activity in the format: Month Date

HH:MM:SS.

<host name> is the host name of the Console where this activity was logged.

<user> is the name of the user that performed the action.

<IP address> is the IP address of the user that performed the action.

(thread ID) is the identifier of the Java thread that logged this activity.

<category> is the high-level category of this activity.

<sub-category> is the low-level category of this activity.

<action> is the activity that occurred.

<payload> is the complete record that has changed, if any. This may include a

user record or an event rule.

For example:

Nov 6 12:22:31 localhost.localdomain [email protected]

(Session) [Authentication] [User] [Login]

Scanner Adding a scanner

Deleting a scanner

Editing a scanner

Scanner Schedule Adding a schedule

Editing a schedule

Deleting a schedule

Asset Deleting all assets

License Adding a license key.

Editing a license key.

Table 1-3 Logged Actions

Category Action

STRM Administration Guide

Viewing STRM Audit Logs 9

Nov 6 12:22:31 localhost.localdomain [email protected] (0)

[Configuration] [User Account] [Account Modified]

username=james, password=/oJDuXP7YXUYQ, networks=ALL,

[email protected], userrole=Admin

Nov 13 10:14:44 localhost.localdomain [email protected] (0)

[Configuration] [FlowSource] [FlowSourceModified] Flowsource(

name="tim", enabled="true", deployed="false",

asymmetrical="false", targetQflow=DeployedComponent(id=3),

flowsourceType=FlowsourceType(id=6),

flowsourceConfig=FlowsourceConfig(id=1))

STRM Administration Guide

2

MANAGING USERS

This chapter provides information on managing STRM users including:

• Managing Roles

• Managing User Accounts

• Authenticating Users

You can add or remove user accounts for all users that you wish to access STRM.

Each user is associated with a role, which determines the privileges the user has

to functionality and information within STRM. You can also restrict or allow access

to areas of the network.

Managing Roles You must create a role before you can create user accounts. By default, STRM

provides a default administrative role, which provides access to all areas of STRM.

A user that has been assigned administrative privileges (including the default

administrative role) cannot edit their own account. Another administrative user

must make any desired changes.

Using the Administration Console, you can:

• Create a role. See Creating a Role.

• Edit a role. See Editing a Role

Creating a Role To create a role:

Step 1 In the Administration Console, click the System Configuration tab.

The System Configuration panel appears.

Step 2 Click the User Roles icon.

The Manage User Roles window appears.

Step 3 Click Create Role.

STRM Administration Guide

12 MANAGING USERS

Step 4 Enter values for the parameters. You must select at least one permission to

proceed.

Table 2-1 Create Roles Parameters

Parameter Description

Role Name Specify the name of the role. The name can be up to 15

characters in length and must only contain integers and

letters.

Administrator Select the check box if you wish to grant this user

administrative access to the STRM interface. Within the

administrator role, you can grant additional access to the

following:

• System Administrator - Select this check box if you wish

to allow users access to all areas of STRM except Views.

Also users with this access are not able to edit other

administrator accounts.

• Administrator Manager - Select this check box if you

wish to allow users the ability to create and edit other

administrative user accounts. If you select this check box,

the System Administrator check box is automatically

selected.

• Views Administrator - Select this check box if you wish

to allow users the ability to create, edit, or delete Views.

For example, the Application View and the Ports View.

Page is loading ...

Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Administration Manual

Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Administration Manual

Related papers

Other documents