Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-025608-01, Revision 1
Security Threat Response Manager
Configuring DSMs
Release 2008.2
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this
document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks
assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has
been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These
specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV
technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Configuring DSMs
Release 2008.2
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
June 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
About This Guide 1
Overview 3
3Com 8800 Series Switch 5
Ambiron TrustWave ipAngel 7
Apache HTTP Server 9
Apple Mac OS X 11
Array Network SSL VPN 13
F5 Networks BigIP 15
Blue Coat SG 17
Check Point FireWall-1 19
Check Point Provider-1 25
Cisco ACS 29
Cisco ASA 31
Cisco CatOS for Catalyst Switches 33
Cisco CSA 35
Cisco FWSM 37
Cisco IDS/IPS 39
Cisco NAC Device 41
Cisco IOS 43
Cisco Pix 45
Cisco VPN 3000 Concentrator 47
CyberGuard Firewall/VPN Appliance 49
Enterasys Dragon 51
Enterasys Matrix Router 55
Enterasys Matrix N-Series 57
Extreme Networks ExtremeWare 59
ForeScout CounterACT 61
Fortinet FortiGate 63
Generic Authorization Server 65
Generic Firewall 69
IBM AIX 5L 73
IBM Proventia Management SiteProtector 75
ISS Proventia 77
Juniper DX Application Acceleration Platform 79
Juniper EX-Series Ethernet Switch 81
Juniper NetScreen IDP 83
Juniper Networks Secure Access 85
Juniper Infranet Controller 89
Juniper NetScreen Firewall 91
Juniper NSM 93
Juniper Router 95
Juniper Steel-Belted RADIUS 97
Linux DHCP 99
Linux IPtables 101
Linux Login Messages 103
McAfee Intrushield 105
McAfee ePolicy Orchestrator 107
MetaInfo MetaIP 109
Microsoft Exchange Server 111
Microsoft DHCP Server 113
Microsoft IAS Server 115
Microsoft IIS 117
Microsoft SQL Server 119
Microsoft Windows Security Event Log 121
Niksun 123
Nokia Firewall 125
Nortel ARN 129
Nortel Application Switch 131
Nortel Contivity 5000 133
Nortel Contivity Firewall/VPN 135
Nortel Switched Firewall 5100 137
Nortel Switched Firewall 6000 141
Nortel VPN Gateway 145
OpenBSD 147
Open Source SNORT 149
Oracle Audit Records 151
Oracle DB Listener 155
ProFTPd 159
Samhain 161
Secure Computing Sidewinder 165
Sun Solaris 167
Sun Solaris DHCP 169
SonicWALL 171
Sun Solaris Sendmail 173
Sourcefire Intrusion Sensor 175
Squid Web Proxy 177
Symantec SGS 179
Symantec System Center 181
Symark PowerBroker 183
Tipping Point Intrusion Prevention System 185
TippingPoint X505/X506 Device 187
TopLayer 189
Trend Micro InterScan VirusWall 191
Tripwire 193
Universal DSM 195
Vericept Content 360 DSM 207
Supported DSMs 209
ABOUT THIS GUIDE
The Configuring DSMs Guide provides you with information for configuring sensor
devices (DSMs) and integrating the DSMs with STRM or STRM Log Management.
Conventions
Table 1 lists conventions that are used throughout this guide.
Technical Documentation
You can access technical documentation, technical notes, and release notes
directly from the Juniper Networks Support Web site at
http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we
can improve the documentation. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be
sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
Table 1 Icons
Icon Type         Description
Information note  Information that describes important features or instructions.
Caution           Information that alerts you to potential loss of data or potential
                  damage to an application, system, device, or network.
Warning           Information that alerts you to potential personal injury.
Requesting Support
Open a support case using the Case Management link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States,
Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
Configuring DSMs Guide
1 OVERVIEW
You can configure STRM or STRM Log Management to log and correlate events
received from external sources such as security equipment (for example,
firewalls) and network equipment (for example, switches and routers). Device
Support Modules (DSMs) allow you to integrate STRM or STRM Log
Management with these external devices. Unless otherwise noted, all references
to STRM refer to both STRM and STRM Log Management.
You can configure the Event Collector to collect security events from various types
of security devices in your network. The Event Collector gathers events from local
and remote devices, normalizes and bundles the events, and sends them to the
Event Processor.
All events are correlated, and security and policy offenses are created based on
correlation rules. These offenses are displayed in the Offense Manager. For more
information on the Offense Manager interface, see the STRM Users Guide.
Note: Before you configure STRM to collect security information from devices, you
must set up your deployment, including off-site sources or targets, using the
deployment editor. For more information on the deployment editor, see the STRM
Administration Guide.
To configure STRM to receive events from devices, you must:
Step 1 Configure the device to send events to STRM.
Step 2 Configure STRM to receive events from specific devices. For more information,
see the Managing Sensor Devices Guide.
2 3COM 8800 SERIES SWITCH
A STRM 3Com 8800 Series Switch DSM accepts events using syslog. STRM
records all relevant status and network condition events. Before configuring a
3Com 8800 Series Switch device in STRM, you must configure your device to
send syslog events to STRM.
To configure the device to send syslog events to STRM:
Step 1 Log in to the 3Com 8800 Series Switch interface.
Step 2 Enable the information center.
info-center enable
Step 3 Configure the IP address of your STRM system as the loghost, set the syslog
facility the switch attaches to messages sent to that loghost, and set the output
language to English.
info-center loghost <ip_address> facility <facility> language english
Where:
<ip_address> is the IP address of your STRM system.
<facility> is the syslog facility (for example, local7) attached to the messages sent
to this loghost. The severity threshold is not set here; it is set per module in Step 4.
Step 4 Configure the ARP and IP information modules to send messages of severity
informational and above to the loghost channel.
info-center source arp channel loghost log level informational
info-center source ip channel loghost log level informational
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from a 3Com 8800 Series Switch, you must
select the 3Com 8800 Series Switch option from the Sensor Device Type
drop-down list box. For more information on configuring sensor devices, see the
Managing Sensor Devices Guide.
3 AMBIRON TRUSTWAVE ipANGEL
A STRM Ambiron TrustWave ipAngel DSM accepts events using syslog. STRM
records all Snort-based events from the ipAngel console.
Before you configure STRM to integrate with ipAngel, you must forward your cache
and access logs to your STRM system. For information on forwarding device logs
to STRM, see your vendor documentation.
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from an ipAngel device, choose one of the
following options, depending on which version of STRM you are using:
Select ATW IpAngel from the Sensor Device Type drop-down list box.
Select Ambiron TrustWave ipAngel Intrusion Prevention System (IPS) from
the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor
Devices Guide.
4 APACHE HTTP SERVER
A STRM Apache HTTP Server DSM accepts Apache events using syslog. You can
integrate Apache versions 1.3 and above with STRM. STRM records all relevant
HTTP status events.
Note: The procedure in this section applies to Apache DSMs operating on
Unix/Linux platforms only.
Before you configure STRM to integrate with Apache, you must:
Step 1 Open the Apache configuration file.
Step 2 Add the following line below the existing LogFormat definitions. It defines a log
format named qradar that records the client address (%h), the local server address
(%A), the ident and authenticated user names (%l, %u), the request time (%t), the
request line (%r), the final status code (%>s), the server port (%p), and the
response size in bytes (%b):
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" qradar
Step 3 Add the following line below the LogFormat entry to pipe that log to syslog
through logger (use plain ASCII double quotes):
CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" qradar
Where:
<facility> is a syslog facility, for example, local0.
<priority> is a syslog priority, for example, info or notice.
For example:
CustomLog "|/usr/bin/logger -t httpd -p local1.info" qradar
Note: Verify that hostname lookups are disabled, so that %h records the client IP
address rather than a resolved host name. The Apache configuration must contain:
HostnameLookups Off
Step 4 Open the syslog.conf file.
Step 5 Add the following line:
<facility>.<priority> <TAB><TAB>@<host>
Where:
<facility> is the syslog facility, for example, local0. This value must match the
value entered in Step 3.
<priority> is the syslog priority, for example, info or notice. This value must
match the value entered in Step 3. A syslog selector matches this priority and all
more severe priorities, so local1.info also forwards local1 messages logged at
notice, warning, or err.
<TAB> indicates you must press the TAB key.
<host> indicates the STRM managed host.
Step 6 Restart syslog:
/etc/init.d/syslog restart
Step 7 Restart Apache.
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from an Apache device, you must select the
Open Source Apache Webserver option from the Sensor Device Type
drop-down list box. For more information on configuring sensor devices, see the
Managing Sensor Devices Guide.
For more information on Apache, see http://www.apache.org/.
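The following Python script is an added example and is not part of this guide or of STRM. It parses access events exactly as they reach the STRM host after Steps 2 through 6: a BSD syslog line, tagged httpd by logger, whose message body is the qradar LogFormat from Step 2. It decodes the syslog PRI back into facility and priority and keeps only events that arrived on the facility and tag chosen in Step 3 (local1 and httpd are assumed here, matching the example in Step 3); the host names, addresses, and log lines are constructed for the example. The PRI check is a configuration sanity check, not a security control: any host that can reach the STRM syslog port can send a line with any PRI value.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity codes. The PRI in angle brackets at the start
# of a syslog line is facility * 8 + severity, so local1.info is 17 * 8 + 6 = 142.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# BSD syslog line as written by "logger -t httpd" and relayed by syslogd:
#   <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Message body in the qradar LogFormat from Step 2:
#   %h %A %l %u %t \"%r\" %>s %p %b
# Apache escapes a double quote inside %r as \", so the request group accepts
# backslash-escaped characters instead of stopping at the first quote.
APACHE_RE = re.compile(
    r"^(?P<client>\S+) (?P<local_ip>\S+) (?P<ident>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] \"(?P<request>(?:[^\"\\]|\\.)*)\" "
    r"(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-)$"
)


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def parse_event(line):
    """Parse one received line into a dict of fields, or return None when the
    line is not a syslog-wrapped message in the qradar LogFormat."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = APACHE_RE.match(m.group("msg"))
    if not a:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    # %r is "METHOD PATH PROTOCOL"; split from both ends so a path containing
    # spaces survives. Apache's backslash escaping is left in place.
    method, _, rest = a.group("request").partition(" ")
    path, _, protocol = rest.rpartition(" ")
    return {
        "facility": facility,
        "severity": severity,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "client": a.group("client"),       # %h: client IP when HostnameLookups is Off
        "local_ip": a.group("local_ip"),   # %A: address the request arrived on
        "user": None if a.group("user") == "-" else a.group("user"),      # %u
        "time": datetime.strptime(a.group("time"), "%d/%b/%Y:%H:%M:%S %z"),  # %t
        "method": method,
        "path": path,
        "protocol": protocol,
        "status": int(a.group("status")),  # %>s: final status
        "port": int(a.group("port")),      # %p: server port
        "bytes": 0 if a.group("bytes") == "-" else int(a.group("bytes")),  # %b
    }


def select_events(lines, facility="local1", tag="httpd"):
    """Keep only events that arrived with the facility and tag configured in
    Step 3; anything else came from another source or a mis-typed logger
    command and must not be treated as Apache access data."""
    events = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["facility"] == facility and ev["tag"] == tag:
            events.append(ev)
    return events


# Constructed sample input (hosts and addresses made up): what the STRM host
# receives after  CustomLog "|/usr/bin/logger -t httpd -p local1.info" qradar
SAMPLE_LINES = [
    '<142>Jun 12 10:15:01 web01 httpd[2231]: 203.0.113.5 192.0.2.10 - - '
    '[12/Jun/2008:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 80 1234',
    '<142>Jun 12 10:15:07 web01 httpd[2231]: 198.51.100.7 192.0.2.10 - - '
    '[12/Jun/2008:10:15:07 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 80 -',
    '<142>Jun 12 10:15:09 web01 httpd[2231]: 198.51.100.7 192.0.2.10 - admin '
    '[12/Jun/2008:10:15:09 +0000] "POST /login?x=\\"1\\" HTTP/1.1" 401 443 512',
    # Same body on daemon.info (PRI 30): logger was run without -p local1.info.
    '<30>Jun 12 10:15:11 web01 httpd[2231]: 203.0.113.5 192.0.2.10 - - '
    '[12/Jun/2008:10:15:11 +0000] "GET /robots.txt HTTP/1.1" 200 80 26',
    # Unrelated message on the same facility: not in the qradar format.
    '<142>Jun 12 10:15:12 web01 sshd[990]: Accepted publickey for ops from 203.0.113.9',
]

if __name__ == "__main__":
    for ev in select_events(SAMPLE_LINES):
        print(ev["client"], ev["method"], ev["path"], ev["status"], ev["bytes"])
```

Run the script directly to print the three accepted events. The daemon.info line is dropped because its PRI decodes to the wrong facility, and the sshd line because its body is not in the qradar format; those two cases are what to look for when STRM shows Apache events as unknown or files them under the wrong sensor device.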
5 APPLE MAC OS X
A STRM Apple Mac OS X DSM accepts events using syslog. STRM records all
relevant firewall, web server access, web server error, privilege escalation, and
informational events.
Before you configure STRM to integrate with Mac OS X, you must:
Step 1 Log in as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file, with a TAB between the selector
and the @ action. Make sure all other lines remain intact:
*.*<TAB>@<IP address>
Where <IP address> is the IP address of the STRM system and <TAB> indicates
you must press the TAB key.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon to make sure all changes are
enforced:
sudo killall -HUP syslogd
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from a Mac OS X server, you must select the
Mac OS X option from the Sensor Device Type drop-down list box. For more
information on configuring sensor devices, see the Managing Sensor Devices
Guide.
See your Mac OS X documentation for more information.
6 ARRAY NETWORK SSL VPN
The STRM Array Networks SSL VPN DSM collects events from an ArrayVPN
appliance using syslog. For details of configuring ArrayVPN appliances for remote
syslog, please consult Array Networks documentation.
After you configure syslog to forward events to STRM, you are ready to
configure the sensor device within the STRM interface. To configure STRM to
receive events from an Array Networks SSL VPN device, choose one of the
following options:
If you are using STRM 6.0, you must select ArrayNetworks SSL VPN from the
Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, you must select Array Networks SSL
VPN Access Gateway from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor
Devices Guide.