Juniper IDP 1100 Installer's Manual

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089

USA

408-745-2000

www.juniper.net

Part Number: 093-1721-000, Rev B

Intrusion Detection and Prevention

Installer’s Guide

IDP 50, 200, 600, 1100

Release 3.2, Rev. B

Copyright Notice

Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other

trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective

owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for

any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication

without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A

digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the

equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and

used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential

area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency

energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This

equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC

rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no

guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user

is encouraged to try to correct the interference by one or more of the following measures:

 Reorient or relocate the receiving antenna.

 Increase the separation between the equipment and receiver.

 Consult the dealer or an experienced radio/TV technician for help.

 Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED

WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED

WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Writer: Mark Schlagenhauf

Editor:

Table of Contents  iii

Table of Contents

About This Guide xi

Audience.........................................................................................................xi

Conventions....................................................................................................xi

Documentation..............................................................................................xii

Release Notes..........................................................................................xii

Online Help.............................................................................................xii

Web Access............................................................................................xiii

Comments About the Documentation...........................................................xiii

Contacting Customer Support .......................................................................xiii

Chapter 1 Hardware Overview 1

IDP Sensors......................................................................................................1

IDP 50 Sensor............................................................................................1

IDP 200 Sensor..........................................................................................1

IDP 600C Sensor .......................................................................................2

IDP 600F Sensor........................................................................................2

IDP 1100C Sensor .....................................................................................3

IDP 1100F Sensor......................................................................................3

Sensor Components.........................................................................................3

Traffic Ports (Forwarding Interfaces) .........................................................4

NIC Bypass Mode (Internal Bypass).....................................................4

NIC Bypass and Cable Choices............................................................4

Peer Port Modulation (PPM)................................................................5

Management Interfaces.............................................................................5

Hard Drives and CD-ROM Drives...............................................................6

Power Supplies..........................................................................................6

LED Definitions................................................................................................6

System Status LEDs...................................................................................6

Management and High Availability Port LEDs............................................8

Traffic Port LEDs .......................................................................................9

Copper Traffic Port LEDs.....................................................................9

Fiber Traffic Port LEDs (IDP 600F and 1100F only)...........................10

Hard Drive, CD-ROM Drive, and Power Supply LEDs (Back Panel) ..........10

Chapter 2 Planning an Installation 11

IDP Configuration Basics................................................................................11

IDP System Components.........................................................................11

Steps for installing and configuring an IDP system..................................11

IDP Sensor Placement....................................................................................12

IDP Sensor Deployment Mode .......................................................................12

IDP Individual Deployment Modes ..........................................................12

Sniffer Mode (Passive Mode).............................................................13

Transparent Mode (Inline Active Mode).............................................14

iv  Table of Contents

IDP 50, 200, 600, 1100 Installer’s Guide

Chapter 3 Installing the Sensor 15

General Installation Guidelines.......................................................................15

Rack Mounting the IDP Sensor.......................................................................16

Connecting Power..........................................................................................18

Connecting Management Ports ......................................................................19

Use the Serial Console Port to Change the MGT Port IP Address..............19

Ethernet Management Port......................................................................20

Chapter 4 Configuring the IDP Sensor 23

Before You Begin ...........................................................................................23

Connecting to the IDP Sensor ........................................................................25

Connecting Directly.................................................................................25

Connecting Remotely ..............................................................................25

Configuring the IDP Sensor with ACM............................................................26

Connecting the IDP Sensor to Your Network..................................................26

Connecting the Management Port ...........................................................26

Connecting Forwarding Interfaces...........................................................26

Connecting the High Availability Port ......................................................26

Chapter 5 Installing the IDP Management Server Software 27

Pre-Installation Requirements........................................................................27

Hardware Requirements..........................................................................27

Red Hat Linux Server........................................................................27

Sun Solaris Server .............................................................................27

Software Requirements...........................................................................28

Operating System .............................................................................28

Partition Information..................................................................28

Other Software Requirements...........................................................28

Red Hat RPMs ............................................................................28

Sun Solaris Packages ..................................................................29

Installing the Management Server..................................................................29

Chapter 6 Installing and Running the User Interface 31

Installing the UI..............................................................................................31

Installing on a Windows Host..................................................................31

Installing on a Red Hat Linux Host...........................................................31

Running the UI...............................................................................................32

Windows.................................................................................................32

Linux.......................................................................................................32

Chapter 7 Updating Software on the Sensor 33

Updating IDP Sensor Software.......................................................................33

Re-Imaging the IDP Sensor ............................................................................34

Chapter 8 Servicing the Device 35

Removing and Installing a Power Supply (IDP 200, 600, and 1100 Only)......35

To Remove a Power Supply or Blank.......................................................35

To Install a Power Supply ........................................................................37

Removing and Installing a SCSI Hard Drive (IDP 600 and 1100 Only) ...........38

To Remove a SCSI Hard Drive.................................................................38

To Install a SCSI Hard Drive.....................................................................41

Table of Contents

 v

Connecting and Disconnecting Fiber Cables (IDP 600F and 1100F Only) ......42

Chapter 9 Advanced Configuration 45

Advanced Deployment Modes .......................................................................45

Router Mode .....................................................................................47

IDP High Availability (HA) Deployment Modes...............................................48

Appendix A Specifications 49

IDP 50 Technical Specifications .....................................................................49

IDP 200 Technical Specifications ...................................................................50

IDP 600 Technical Specifications ...................................................................51

IDP 1100 Technical Specifications .................................................................51

Safety Compliance.........................................................................................52

EMI Compliance.............................................................................................52

Immunity.......................................................................................................53

Index.......................................................................................................................... 55

vi  Table of Contents

IDP 50, 200, 600, 1100 Installer’s Guide

List of Figures  vii

List of Figures

Figure 1: IDP 50 Front Panel ..........................................................................1

Figure 2: IDP 200 Front Panel ........................................................................2

Figure 3: IDP 600C Front Panel......................................................................2

Figure 4: IDP 600F Front Panel ......................................................................2

Figure 5: IDP 1100C Front Panel....................................................................3

Figure 6: IDP 1100F Front Panel ....................................................................3

Figure 7: Copper and Fiber Ports....................................................................4

Figure 8: IDP 50 System Status LEDs..............................................................7

Figure 9: IDP 200, 600, 1100 System Status LEDs..........................................7

Figure 10:MGT and HA ports with LEDs...........................................................8

Figure 11:Copper and Fiber Ports with LEDs...................................................9

Figure 12:Rail with Hinged Rear Bracket .......................................................17

Figure 13:2U Device Mid-Mount Bracket........................................................18

Figure 14:1U Device (IDP 50) Mid-Mount Bracket..........................................18

Figure 15:Power Supply Handles in Open and Closed Positions ....................36

Figure 16:Power Supply Partially Removed...................................................37

Figure 17:Hard Drive Latch in Closed Position...............................................39

Figure 18:Hard Drive Latch in Open Position, Handle Released.....................39

Figure 19:Hard Drive Handle Down...............................................................40

Figure 20:Drive Partially Removed................................................................40

Figure 21:Drive Partially Inserted ..................................................................41

Figure 22:Hard Drive Latch in Closed Position...............................................42

viii  List of Figures

IDP 50, 200, 600, 1100 Installer’s Guide

List of Tables  ix

List of Tables

Table 1: Notice Icons....................................................................................xi

Table 2: Font Conventions Used in Code Examples......................................xi

Table 3: IDP Sensor Drives............................................................................6

Table 4: IDP Sensor Power Supplies..............................................................6

Table 5: IDP Sensor System Status LED Definitions.......................................7

Table 6: IDP Sensor Management and High Availability Port LED Definitions8

Table 7: Copper Traffic Port LED Definitions.................................................9

Table 8: Fiber Traffic Port LED Definitions ..................................................10

Table 9: Hard Drive, CD-ROM Drive, and Power Supply LED Definitions ....10

Table 10: Information Needed for ACM Configuration...................................23

Table 11: Physical Specifications...................................................................49

Table 12: AC Power Specifications ................................................................49

Table 13: Power Cord Specifications .............................................................49

Table 14: Environmental Specifications.........................................................50

Table 15: Physical Specifications...................................................................50

Table 16: AC Power Specifications ................................................................50

Table 17: Power Cord Specifications .............................................................50

Table 18: Environmental Specifications.........................................................50

Table 19: Physical Specifications...................................................................51

Table 20: AC Power Specifications ................................................................51

Table 21: Power Cord Specifications .............................................................51

Table 22: Environmental Specifications.........................................................51

Table 23: Physical Specifications...................................................................51

Table 24: AC Power Specifications ................................................................52

Table 25: Power Cord Specifications .............................................................52

Table 26: Environmental Specifications.........................................................52

x  List of Tables

IDP 50, 200, 600, 1100 Installer’s Guide

Audience  xi

About This Guide

This Installer’s Guide describes the physical features of Juniper Networks Intrusion

Detection and Prevention (IDP) Solution: the IDP 50, IDP 200, IDP 600C, IDP 600F,

IDP 1100C, and 1100F Sensors. It also explains how to install and configure the IDP

system.

Audience

This guide is intended for experienced system and network specialists.

Conventions

Table 1 defines notice icons used in this guide, and Table 2 defines text conventions

used throughout the book.

The term “Sensor” is used to denote an IDP 50, 200, 600, or 1100 appliance.

Table 2: Font Conventions Used in Code Examples

Table 1: Notice Icons

Icon Meaning Description

NOTE: Informational note Indicates important features or instructions.

Caution Indicates that you may risk losing data or

damaging your hardware.

Warning Alerts you to the risk of personal injury.

Font Meaning

Regular

System output

Italic

Variables or placeholders in system output

Bold

User input

Bold italic Variables or placeholders in user input

IDP 50, 200, 600, 1100 Installer’s Guide

xii  Documentation

Documentation

The Installer’s Guide is shipped in the box with all new IDP Sensors. This guide

provides the basic procedures for getting your IDP system up and running.

With each major software release, Juniper Networks provides the IDP

Documentation CD. The documentation CD contains the document set in PDF

format. The documentation is also available on the Web at

http://www.juniper.net/techpubs/software/management/idp/.

The IDP document set comprises the following books:

 Intrusion Detection and Prevention Concepts & Examples Guide – Explains basic

concepts of the IDP system and provides examples of how to use the system.

 IDP 50, 200, 600, 1100 Installer’s Guide (this manual) – Describes the hardware

components of the IDP 50, 200, 600, and 1100 Sensors. Provides instructions

for rack-mounting, cabling, basic configuration, management server

installation, and user interface installation.

 NetScreen Safety Guide - Contains safety warnings and instructions for installing

and using network devices.

 Hardware Guide (650) – Contains important safety and compliance information

about the NetScreen-IDP 10 (650) Sensor.

 Hardware Guide (1650) – Contains important safety and compliance information

about the NetScreen-IDP 100 and 500 (1650) Sensors.

 Hardware Guide (1750) – Contains important safety and compliance information

about the NetScreen-IDP 10, 100, 500, and 1000 (1750) Sensors.

 QuickStart Guide, IDP 3.2 - QuickStart instructions for the NetScreen-IDP 10,

100, 500, and 1000.

 QuickStart Guide, IDP 3.2, High Availability - QuickStart instructions for the

NetScreen-IDP 10, 100, 500, and 1000 set up in High Availability (HA) mode.

Release Notes

Release notes are available on the Web at

http://www.juniper.net/techpubs/software/management/idp/.

In the Release Notes, you will find the latest information about features, changes,

known problems and resolved problems. If the information in the Release Notes

differs from the information found in the documentation set, follow the Release

Notes.

Online Help

The IDP Appliance Configuration Manager (ACM) contains online help. The online

help provides explanations for sensor configuration options.

Comments About the Documentation  xiii

About This Guide

The IDP User Interface (UI) contains online help. The online help provides

instructions for using the UI as well as step-by-step directions for performing

common tasks.

Web Access

To view the documentation on the Web, go to:

http://www.juniper.net/techpubs/software/management/idp/

Comments About the Documentation

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation to better meet your needs. Please e-mail your

comments to:

 techpubs-comments@juniper.net

Along with your comments, be sure to indicate:

 Document name

 Document part number (located under the Juniper Networks address on the

title page)

 Page number

 Hardware platform and/or software release version

Contacting Customer Support

For technical support, contact Juniper Networks at support@juniper.net, or at

1-888-314-JTAC (within the United States) or +1-408-745-9500 (from outside the

United States).

IDP 50, 200, 600, 1100 Installer’s Guide

xiv  Contacting Customer Support

IDP Sensors  1

Chapter 1

Hardware Overview

This chapter provides detailed descriptions of the Juniper Networks IDP Sensors

and their components.

 IDP Sensors

 Sensor Components on page 3

 LED Definitions on page 6

IDP Sensors

IDP 50 Sensor

The IDP 50 Sensor is optimal for small networks or low-speed network segments. It

features:

 2 copper Ethernet ports (10/100/1000 Mbps)

 1 Dedicated Management port

 1 Serial Console port

Figure 1: IDP 50 Front Panel

IDP 200 Sensor

The IDP 200 Sensor is optimal for medium central sites or large branch offices. It

features:

 8 copper Ethernet ports (10/100/1000 Mbps)

 1 Dedicated Management port

 1 Dedicated High Availability port

 1 Serial Console port

IDP 50, 200, 600, 1100 Installer’s Guide

2  IDP Sensors

Figure 2: IDP 200 Front Panel

IDP 600C Sensor

The IDP 600C Sensor is optimal for medium-to-large central sites or high-traffic

areas. It features:

 10 copper Ethernet ports (10/100/1000 Mbps)

 1 Dedicated Management port

 1 Dedicated High Availability port

 1 Serial Console port

Figure 3: IDP 600C Front Panel

IDP 600F Sensor

The IDP 600F Sensor is optimal for medium-to-large central sites or high-traffic

areas. It features:

 8 fiber Ethernet ports (sx Gigabit)

 2 copper Ethernet ports (10/100/1000 Mbps)

 1 Dedicated Management port

 1 Dedicated High Availability port

 1 Serial Console port

Figure 4: IDP 600F Front Panel

Sensor Components  3

Chapter 1: Hardware Overview

IDP 1100C Sensor

The IDP 1100C Sensor is optimal for large central sites or high-traffic areas. It

features:

 10 copper Ethernet ports (10/100/1000 Mbps)

 1 Dedicated Management port

 1 Dedicated High Availability port

 1 Serial Console port

Figure 5: IDP 1100C Front Panel

IDP 1100F Sensor

The IDP 1100F Sensor is optimal for large central sites or high-traffic areas. It

features:

 8 fiber Ethernet ports (sx Gigabit)

 2 copper Ethernet ports (10/100/1000 Mbps)

 1 Dedicated Management port

 1 Dedicated High Availability port

 1 Serial Console port

Figure 6: IDP 1100F Front Panel

Sensor Components

This section describes the components and indicator LEDs of the IDP 50, 200, 600,

and 1100 Sensors.

IDP 50, 200, 600, 1100 Installer’s Guide

4  Sensor Components

Traffic Ports (Forwarding Interfaces)

The IDP 50, 200, 600, and 1100 have traffic ports (forwarding interfaces) located on

the right side of each device. Some devices have copper ports only, while others

have a mixture of copper and fiber.

Figure 7: Copper and Fiber Ports

NIC Bypass Mode (Internal Bypass)

Copper ports on the IDP 50, 200, 600, and 1100 all have built-in port bypass. Port

bypass only works if the sensor is configured for transparent mode. If a Sensor fails

while in transparent mode, the pair of ports will automatically fail into a

“connected” state, and traffic will flow through them to and from the rest of the

network, without being analyzed.

NIC Bypass works using a watchdog timer. Each pair of ports has a timer. The

Sensor sends each timer a reset signal every second. If a timer does not receive a

reset signal for three seconds, bypass activates. After bypass activates, the timer

continues listening for a reset signal. When the timer receives a reset signal, bypass

deactivates automatically and the Sensor goes back to normal operation.

Bypass mode only activates if the Sensor fails (power loss, system crash). If the

Sensor (or Sensor software) is shut down gracefully, Internal Bypass is

deactivated and traffic does not flow through the device. Use of service idp

stop, shutdown -r now, or shutdown -h stop in the CLI all produce a graceful

shutdown and deactivates Internal Bypass.

The fiber Gigabit ports are standard interfaces and do not incorporate the

integrated bypass feature. Automatic bypass is available for fiber ports via

third-party devices.

NIC Bypass and Cable Choices

When NIC Bypass activates, it physically connects the pair of forwarding interfaces

to each other, with a crossover. From the network’s point of view, the two cables

connected to the Sensor have become one, long crossover cable.

If you are connecting devices that support auto-MDIX, then you can use whatever

cables you want, because auto-MDIX will negotiate the correct connection.

However, if neither of the devices support auto-MDIX, then you need to take special

care to choose the right cables.

Sensor Components  5

Chapter 1: Hardware Overview

Imagine the two devices, one connected to one Sensor port and the other

connected to the other Sensor port, are instead connected directly together. Would

you use a straight-through cable or a cross-over cable?

If the two devices would be connected with a straight-through cable, then use one

straight-through cable and one cross-over cable to connect the Sensor to these

devices. When NIC Bypass kicks in, this will have the result of creating one, long

straight-through cable connecting the devices.

If the two devices would be connected with a cross-over cable, then use two

straight-through cables to connect the Sensor to these two devices. When NIC

Bypass kicks in, this will have the result of creating one, long cross-over cable

connecting the devices.

Peer Port Modulation (PPM)

When Peer Port Modulation is enabled, if any of the interfaces in a virtual router

become unavailable, the Sensor deactivates all the interfaces in that virtual router.

All devices connected to the virtual router will detect a port failure and must be

configured to take appropriate action.

You cannot enable NIC Bypass and Peer Port Modulation on the same Sensor.

PPM works somewhat differently on the IDP 50, 200, 600, and 1100 than it did on

the IDP 10, 100, 500, and 1000.

On the older IDP Sensors (10, 100, 500, 1000):

 PPM does not work on fiber interfaces

 PPM works by changing the interface speed/duplex settings to 10

mbps/half-duplex, not by turning off the interfaces. Because of this, interface

speeds have to be hardcoded (could not be auto) on both the Sensor and on the

attached switches.

On the newer IDP Sensors (50, 200, 600, 1100):

 PPM works on both copper and fiber interfaces

 PPM works by turning off appropriate interfaces. Because of this, interface

speeds can be set to auto on the Sensor and on attached switches.

Management Interfaces

These interfaces are provided on all IDP Sensors.

Serial Console (CONSOLE)

The Console port provides access, via a DB-9 serial port, to the Sensor’s command

line interface (CLI).

IDP 50, 200, 600, 1100 Installer’s Guide

6  LED Definitions

Management Port (MGT)

The Management port provides access, via 10/100/1000 Mbps Ethernet, to the

Sensor. The Appliance Configuration Manager (ACM) is accessed via the

Management Port (https://<Sensor_IP_Address>.

Hard Drives and CD-ROM Drives

Table 3: IDP Sensor Drives

Power Supplies

Table 4: IDP Sensor Power Supplies

LED Definitions

This section describes the LEDs for the following IDP Sensor components:

 System status

 Management and High Availability port

 Traffic port

 Disk drive, CD-ROM drive, and power supply (back panel)

System Status LEDs

The IDP 50 Sensor has three system status lights on the front panel: PWR, HD, and

OVERHEAT.

IDP Sensor Hard Drives and CD-ROM Drives

50 1 CD-ROM drive

1 internal hard drive

200 1 CD-ROM drive

1 internal hard drive

600 and 1100 1 CD-ROM drive

2 externally accessible hot-swappable SCSI RAID

1 mirrored hard drives

IDP Sensor Power Supplies

50 1 fixed power supply

200 1 removable power supply

Empty bay for second, optional power supply

600 and 1100 2 removable hot-swappable power supplies

Page is loading ...

Juniper IDP 1100 Installer's Manual

This manual is also suitable for

Juniper IDP 1100 Installer's Manual

Related papers

Other documents