Juniper Security Threat Response Manager User manual

Type
User manual
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-025608-01, Revision 1
Security Threat Response Manager
Configuring DSMs
Release 2008.2
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this
document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks
assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has
been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These
specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV
technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Configuring DSMs
Release 2008.2
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
June 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
About This Guide 1
Overview 3
3Com 8800 Series Switch 5
Ambiron TrustWave ipAngel 7
Apache HTTP Server 9
Apple Mac OS X 11
Array Network SSL VPN 13
F5 Networks BigIP 15
Blue Coat SG 17
Check Point FireWall-1 19
Check Point Provider-1 25
Cisco ACS 29
Cisco ASA 31
Cisco CatOS for Catalyst Switches 33
Cisco CSA 35
Cisco FWSM 37
Cisco IDS/IPS 39
Cisco NAC Device 41
Cisco IOS 43
Cisco Pix 45
Cisco VPN 3000 Concentrator 47
CyberGuard Firewall/VPN Appliance 49
Enterasys Dragon 51
Enterasys Matrix Router 55
Enterasys Matrix N-Series 57
Extreme Networks ExtremeWare 59
ForeScout CounterACT 61
Fortinet FortiGate 63
Generic Authorization Server 65
Generic Firewall 69
IBM AIX 5L 73
IBM Proventia Management SiteProtector 75
ISS Proventia 77
Juniper DX Application Acceleration Platform 79
Juniper EX-Series Ethernet Switch 81
Juniper NetScreen IDP 83
Juniper Networks Secure Access 85
Juniper Infranet Controller 89
Juniper NetScreen Firewall 91
Juniper NSM 93
Juniper Router 95
Juniper Steel-Belted RADIUS 97
Linux DHCP 99
Linux IPtables 101
Linux Login Messages 103
McAfee Intrushield 105
McAfee ePolicy Orchestrator 107
MetaInfo MetaIP 109
Microsoft Exchange Server 111
Microsoft DHCP Server 113
Microsoft IAS Server 115
Microsoft IIS 117
Microsoft SQL Server 119
Microsoft Windows Security Event Log 121
Niksun 123
Nokia Firewall 125
Nortel ARN 129
Nortel Application Switch 131
Nortel Contivity 5000 133
Nortel Contivity Firewall/VPN 135
Nortel Switched Firewall 5100 137
Nortel Switched Firewall 6000 141
Nortel VPN Gateway 145
OpenBSD 147
Open Source SNORT 149
Oracle Audit Records 151
Oracle DB Listener 155
ProFTPd 159
Samhain 161
Secure Computing Sidewinder 165
Sun Solaris 167
Sun Solaris DHCP 169
SonicWALL 171
Sun Solaris Sendmail 173
Sourcefire Intrusion Sensor 175
Squid Web Proxy 177
Symantec SGS 179
Symantec System Center 181
Symark PowerBroker 183
Tipping Point Intrusion Prevention System 185
TippingPoint X505/X506 Device 187
TopLayer 189
Trend Micro InterScan VirusWall 191
Tripwire 193
Universal DSM 195
Vericept Content 360 DSM 207
Supported DSMs 209
ABOUT THIS GUIDE
The Configuring DSMs Guide provides you with information for configuring sensor
devices (DSMs) and integrating the DSMs with STRM or STRM Log Management.
Conventions
Table 1 lists conventions that are used throughout this guide.
Technical Documentation
You can access technical documentation, technical notes, and release notes
directly from the Juniper Networks Support Web site at
http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we
can improve the documentation. Send your comments to
techpubs-comments@juniper.net, or fill out the documentation feedback form at
http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be
sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
Table 1 Icons
Icon Type         Description
Information note  Information that describes important features or instructions.
Caution           Information that alerts you to potential loss of data or potential
                  damage to an application, system, device, or network.
Warning           Information that alerts you to potential personal injury.
Requesting Support
Open a support case using the Case Management link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States,
Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
Configuring DSMs Guide
1 OVERVIEW
You can configure STRM or STRM Log Management to log and correlate events
received from external sources such as security equipment (for example,
firewalls) and network equipment (for example, switches and routers). Device
Support Modules (DSMs) allow you to integrate STRM or STRM Log
Management with these external devices. Unless otherwise noted, all references
to STRM refer to both STRM and STRM Log Management.
You can configure the Event Collector to collect security events from various types
of security devices in your network. The Event Collector gathers events from local
and remote devices, normalizes and bundles them, and sends them to the Event
Processor.
All events are correlated, and security and policy offenses are created based on
correlation rules. These offenses are displayed in the Offense Manager. For more
information on the Offense Manager interface, see the STRM Users Guide.
Note: Before you configure STRM to collect security information from devices, you
must set up your deployment, including off-site sources or targets, using the
deployment editor. For more information on the deployment editor, see the STRM
Administration Guide.
To configure STRM to receive events from devices, you must:
Step 1 Configure the device to send events to STRM.
Step 2 Configure STRM to receive events from specific devices. For more information,
see the Managing Sensor Devices Guide.
2 3COM 8800 SERIES SWITCH
The STRM 3Com 8800 Series Switch DSM accepts events using syslog. STRM
records all relevant status and network condition events. Before configuring a
3Com 8800 Series Switch device in STRM, you must configure your device to
send syslog events to STRM.
To configure the device to send syslog events to STRM:
Step 1 Log in to the 3Com 8800 Series Switch interface.
Step 2 Enable the information center:
info-center enable
Step 3 Configure your STRM system as the loghost, with the syslog facility the switch
uses for messages sent to that host and the output language set to English:
info-center loghost <ip_address> facility <facility> language english
Where:
<ip_address> is the IP address of your STRM system.
<facility> is the syslog facility for messages sent to this loghost.
Step 4 Configure the ARP and IP information modules to log to the loghost channel at
the informational severity level:
info-center source arp channel loghost log level informational
info-center source ip channel loghost log level informational
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from a 3Com 8800 Series Switch, you must
select the 3Com 8800 Series Switch option from the Sensor Device Type
drop-down list box. For more information on configuring sensor devices, see the
Managing Sensor Devices Guide.
3 AMBIRON TRUSTWAVE ipANGEL
The STRM Ambiron TrustWave ipAngel DSM accepts events using syslog. STRM
records all Snort-based events from the ipAngel console.
Before you configure STRM to integrate with ipAngel, you must configure the
ipAngel console to forward its event logs to your STRM system using syslog. For
information on forwarding device logs to STRM, see your vendor documentation.
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from an ipAngel device, choose one of the
following options, depending on which version of STRM you are using:
Select ATW IpAngel from the Sensor Device Type drop-down list box.
Select Ambiron TrustWave ipAngel Intrusion Prevention System (IPS) from
the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor
Devices Guide.
4 APACHE HTTP SERVER
The STRM Apache HTTP Server DSM accepts Apache events using syslog. You can
integrate Apache versions 1.3 and above with STRM. STRM records all relevant
HTTP status events.
Note: The procedure in this section applies to Apache installations on
Unix/Linux platforms only.
Before you configure STRM to integrate with Apache, you must:
Step 1 Open the Apache configuration file.
Step 2 Add the following below the existing LogFormat definitions:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" qradar
Step 3 Add the following line below the LogFormat entry so that access log entries are
piped to syslog:
CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" qradar
Where:
<facility> is a syslog facility, for example, local0.
<priority> is a syslog priority, for example, info or notice.
For example:
CustomLog "|/usr/bin/logger -t httpd -p local1.info" qradar
Note: Verify that hostname lookups are disabled, so that the %h field carries the
client IP address rather than a resolved hostname. The configuration file must
contain:
HostnameLookups off
Step 4 Open the syslog.conf file.
Step 5 Add the following line:
<facility>.<priority><TAB><TAB>@<host>
Where:
<facility> is the syslog facility, for example, local0. This value must match the
value entered in Step 3.
<priority> is the syslog priority, for example, info or notice. This value must
match the value entered in Step 3.
<TAB> indicates you must press the TAB key.
<host> is the IP address of the STRM managed host that receives the events.
Step 6 Restart syslog:
/etc/init.d/syslog restart
Step 7 Restart Apache.
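Once the procedure above is in place, every access log entry reaches STRM as a BSD syslog message whose PRI value encodes the <facility>.<priority> given to logger, with the qradar LogFormat fields as the message body. The following parser is an added example for checking such a feed; it is not part of the original guide or of STRM. It decodes the PRI, parses the qradar fields, and flags the two misconfigurations the procedure is meant to prevent: a PRI that does not match the expected local1.info, and a %h field that holds a hostname because HostnameLookups was left on. The sample events, host names and addresses are constructed for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample events as they would arrive at STRM after Apache pipes the
# "qradar" LogFormat through "logger -t httpd -p local1.info" (not real captures).
SAMPLE_EVENTS = [
    '<142>Jun 10 12:00:01 www1 httpd: 10.1.2.3 192.168.10.5 - - [10/Jun/2008:12:00:01 -0400] "GET /index.html HTTP/1.1" 200 80 1432',
    '<142>Jun 10 12:00:02 www1 httpd: 10.1.2.3 192.168.10.5 - alice [10/Jun/2008:12:00:02 -0400] "POST /login HTTP/1.1" 401 443 -',
    # HostnameLookups left on: %h carries a resolved name instead of the client address
    '<142>Jun 10 12:00:03 www1 httpd: client.example.net 192.168.10.5 - - [10/Jun/2008:12:00:03 -0400] "GET /admin/ HTTP/1.1" 403 80 212',
    # logger invoked with the wrong facility/priority (local0.notice -> PRI 133)
    '<133>Jun 10 12:00:04 www1 httpd: 10.1.2.9 192.168.10.5 - - [10/Jun/2008:12:00:04 -0400] "GET / HTTP/1.0" 500 80 0',
]

FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog", 10: "authpriv",
                  **{16 + i: f"local{i}" for i in range(8)}}
PRIORITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>timestamp host tag[pid]: message   (BSD syslog framing produced by logger)
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# LogFormat "%h %A %l %u %t \"%r\" %>s %p %b"
QRADAR_RE = re.compile(r'^(?P<client>\S+) (?P<server_ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
                       r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
                       r'(?P<port>\d+) (?P<bytes>\S+)$')


def decode_pri(pri):
    """Split a syslog PRI value (facility * 8 + severity) into its two names."""
    facility, severity = divmod(pri, 8)
    return FACILITY_NAMES.get(facility, f"facility{facility}"), PRIORITY_NAMES[severity]


def parse_event(line, expected="local1.info"):
    """Parse one syslog-wrapped Apache 'qradar' event into a dict of fields.

    The 'warnings' list records an 'unexpected-pri' entry when the PRI does not
    match the <facility>.<priority> configured in the CustomLog line, and a
    'hostname-lookups-on' entry when %h is not an IP address.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    facility, priority = decode_pri(int(m.group("pri")))
    q = QRADAR_RE.match(m.group("msg"))
    if not q:
        raise ValueError("message does not match the qradar LogFormat: %r" % m.group("msg"))
    warnings = []
    if f"{facility}.{priority}" != expected:
        warnings.append("unexpected-pri")
    try:
        client = str(ip_address(q.group("client")))
    except ValueError:
        client = q.group("client")
        warnings.append("hostname-lookups-on")
    method, _, rest = q.group("request").partition(" ")
    path, _, protocol = rest.rpartition(" ")
    return {
        "host": m.group("host"), "tag": m.group("tag"),
        "facility": facility, "priority": priority,
        "client": client, "server_ip": q.group("server_ip"),
        "ident": q.group("ident"), "user": None if q.group("user") == "-" else q.group("user"),
        "time": datetime.strptime(q.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": method, "path": path, "protocol": protocol,
        "status": int(q.group("status")), "port": int(q.group("port")),
        "bytes": 0 if q.group("bytes") == "-" else int(q.group("bytes")),
        "warnings": warnings,
    }


def audit(lines, expected="local1.info"):
    """Parse a batch of events and tally the warnings, as a sanity check of the feed."""
    parsed = [parse_event(l, expected) for l in lines]
    tally = {}
    for ev in parsed:
        for w in ev["warnings"]:
            tally[w] = tally.get(w, 0) + 1
    return parsed, tally


if __name__ == "__main__":
    events, tally = audit(SAMPLE_EVENTS)
    for ev in events:
        print(ev["client"], ev["method"], ev["path"], ev["status"], ev["warnings"])
    print("warnings:", tally)
```

Run it against a capture of what actually arrives on the STRM side (for example, a few lines taken off the wire with a packet sniffer on the collector) rather than against the web server's own access log: the PRI and the syslog tag only exist once logger has wrapped the entry, which is exactly the part of the pipeline the procedure changes.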
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from an Apache device, you must select the
Open Source Apache Webserver option from the Sensor Device Type
drop-down list box. For more information on configuring sensor devices, see the
Managing Sensor Devices Guide.
For more information on Apache, see http://www.apache.org/.
5 APPLE MAC OS X
The STRM Apple Mac OS X DSM accepts events using syslog. STRM records all
relevant firewall, web server access, web server error, privilege escalation, and
informational events.
Before you configure STRM to integrate with Mac OS X, you must:
Step 1 Log in as the root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file. Make sure all other lines remain intact:
*.*<TAB>@<IP address>
Where <IP address> is the IP address of the STRM system and <TAB> indicates you
must press the TAB key. The *.* selector forwards every message from every
facility at every priority.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon so that the changes take effect:
sudo killall -HUP syslogd
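Both the Apache procedure (Step 5, a single <facility>.<priority> selector) and the Mac OS X procedure above (a *.* selector) rely on a forwarding rule in syslog.conf being written correctly. The checker below is an added example, not part of the original guide or of STRM: it parses BSD-style syslog.conf rules, evaluates whether a message with a given facility and priority would be sent to the STRM host under classic BSD selector semantics (a selector matches its priority and everything more severe, .none excludes a facility, later selectors on a line override earlier ones), and reports whether the rule used TAB rather than spaces as the separator. The configuration fragments and the STRM address 10.10.10.20 are constructed for the example.

```python
import re

# Constructed syslog.conf fragments (not copied from a live system): the Apache
# rule that forwards local1.info and above, a Mac OS X file whose first line
# forwards everything, and a rule written with spaces instead of a TAB.
APACHE_SYSLOG_CONF = "local1.info\t\t@10.10.10.20\n"
MACOSX_SYSLOG_CONF = ("*.*\t@10.10.10.20\n"
                      "*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit"
                      "\t/var/log/system.log\n")
BROKEN_SYSLOG_CONF = "local1.info   @10.10.10.20\n"

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
STRM_HOST = "10.10.10.20"  # assumed address of the STRM event collector


def parse_syslog_conf(text):
    """Return a list of (selectors, action, tab_separated) per rule.

    selectors is a list of (facility, priority) pairs in file order; facility
    may be "*" and priority may be "*" or "none". Comments and blanks are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(\S+)([ \t]+)(\S+)$", line)
        if not m:
            raise ValueError("unparseable rule: %r" % raw)
        selector_field, sep, action = m.groups()
        selectors = []
        for sel in selector_field.split(";"):
            facs, _, prio = sel.rpartition(".")
            if not facs:
                raise ValueError("selector without facility: %r" % sel)
            for fac in facs.split(","):
                selectors.append((fac, prio))
        rules.append((selectors, action, "\t" in sep))
    return rules


def forwards_to(rules, host, facility, priority):
    """True if a message with facility.priority reaches @host under these rules."""
    sev = PRIORITIES.index(priority)
    for selectors, action, _ in rules:
        if action != "@" + host:
            continue
        matched = False
        for fac, prio in selectors:
            if fac not in ("*", facility):
                continue
            if prio == "none":
                matched = False
            elif prio == "*" or sev <= PRIORITIES.index(prio):
                matched = True          # this priority or more severe
            else:
                matched = False         # later selector narrows the facility
        if matched:
            return True
    return False


def check_forwarding(text, host, facility, priority):
    """Report whether the feed reaches STRM and whether its rule(s) used TABs."""
    rules = parse_syslog_conf(text)
    tab_ok = all(tab for _, action, tab in rules if action == "@" + host)
    return {"forwarded": forwards_to(rules, host, facility, priority),
            "tab_separated": tab_ok}


if __name__ == "__main__":
    print("apache:", check_forwarding(APACHE_SYSLOG_CONF, STRM_HOST, "local1", "info"))
    print("macosx:", check_forwarding(MACOSX_SYSLOG_CONF, STRM_HOST, "authpriv", "debug"))
    print("broken:", check_forwarding(BROKEN_SYSLOG_CONF, STRM_HOST, "local1", "info"))
```

The check only confirms what the rule says, not that anything is delivered: an @host action sends plain, unacknowledged UDP syslog, so after reloading the daemon confirm on the STRM side that events arrive. Note also that the Apache rule deliberately excludes debug, while the Mac OS X *.* rule forwards every facility, including authpriv, so volume on the collector can be much higher.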
You are now ready to configure the sensor device within the STRM interface. To
configure STRM to receive events from a Mac OS X server, you must select the
Mac OS X option from the Sensor Device Type drop-down list box. For more
information on configuring sensor devices, see the Managing Sensor Devices
Guide.
See your Mac OS X documentation for more information.
6 ARRAY NETWORK SSL VPN
The STRM Array Networks SSL VPN DSM collects events from an ArrayVPN
appliance using syslog. For details on configuring ArrayVPN appliances for remote
syslog, see the Array Networks documentation.
After you configure syslog to forward events to STRM, you are ready to
configure the sensor device within the STRM interface. To configure STRM to
receive events from an Array Networks SSL VPN device, choose one of the
following options:
If you are using STRM 6.0, select ArrayNetworks SSL VPN from the
Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Array Networks SSL
VPN Access Gateway from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor
Devices Guide.