Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089

USA

408-745-2000

www.juniper.net

Part Number: 530-027294-01, Revision 1

Security Threat Response Manager

STRM Users Guide

Release 2008.2 R2

2 

Copyright Notice

Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this

document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks

assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves

the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A

digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the

equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and

used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential

area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following

information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it

is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has

been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These

specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that

interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be

determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV

technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET

THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE

SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

STRM Users Guide

Release 2008.2 R2

Revision History

September 2008—Revision 1

The information in this document is current as of the date listed in the revision history.

CONTENTS

ABOUT THIS GUIDE

Conventions 1

Technical Documentation 1

Contacting Customer Support 2

1 ABOUT STRM

Logging In to STRM 3

Dashboard 4

Offense Manager 5

Event Viewer 5

Flow Viewer 6

Assets 6

Network Surveillance 8

Reports 9

Using STRM 9

Sorting Results 9

Refreshing the Interface 10

Pausing the Interface 10

Investigating IP Addresses 10

Viewing STRM Time 11

Accessing On-line Help 11

STRM Administration Console 11

2 USING THE DASHBOARD

About the Dashboard 13

Using the Dashboard 15

Network Surveillance 16

Traffic 16

TopN 17

Offense Manager 18

Offenses 18

Attackers and Targets 19

Categories 19

Event Viewer 20

Events Over Time 20

Events By Severity 20

Top Devices 21

Reports 22

Enterprise Security State 22

Enterprise Vulnerability State 23

System Summary 24

Adding Items 24

3 MANAGING YOUR NETWORK ACTIVITY

Using the Network Surveillance Menu 25

Global Views 25

Asset Map 26

Bookmarks 27

QRL Options 27

Viewing Network Activity 28

Interpreting the Graphs 28

Changing the View 30

Changing Flow Attributes 32

Changing Traffic Location 33

Investigating Traffic Using TopN 34

Viewing the TopN Information 34

Investigating Traffic 35

Investigating Flows 36

4 MANAGING SENTRIES

About Sentries 40

Types of Sentries 40

Viewing Sentries 42

Creating a Sentry 43

Creating a Security/Policy Sentry 44

Creating a Behavior Sentry 49

Creating an Anomaly Sentry 56

Creating a Threshold Sentry 61

Creating a Custom Sentry 66

Editing a Sentry 72

5 INVESTIGATING OFFENSES

Using the Offense Manager 78

Managing My Offenses 78

Managing Offenses 79

Viewing Offenses 79

Searching Offenses 88

Removing Offenses 90

Assigning Offenses to Users 92

Viewing Offense By Category 93

Managing Offenses By Attacker 97

Viewing Offenses by Attacker 97

Searching Attackers 104

Managing Offenses By Targets 106

Viewing Offenses By Targets 106

Searching Targets 112

Managing Offenses By Networks 114

Viewing Offenses By Networks 114

Searching Networks 124

Marking an Item For Follow-Up 125

Adding Notes 125

Configuring Notification 126

Managing Network Anomalies 127

Viewing Network Anomaly Offenses 127

Closing Offenses 129

Forwarding Network Anomaly Offenses 130

Exporting Offenses 131

6 USING THE EVENT VIEWER

Using the Event Viewer Interface 134

Using the Toolbar 134

Using the Right-Click Menu Options 134

Viewing Events 135

Viewing Normalized Events 135

Viewing Raw Events 139

Viewing Aggregate Normalized Events 140

Searching Events 145

Deleting Saved Searches 148

Viewing the Associated Offense 148

Modifying Event Mapping 149

Tuning False Positives 151

Exporting Events 152

7 USING THE FLOW VIEWER

Using the Flow Viewer Interface 154

Using the Toolbar 154

Using the Right-Click Menu Options 154

Viewing Flows 155

Viewing Aggregated Flows 158

Using the Search 164

Searching Flows 164

Deleting Saved Searches 167

Exporting Flows 167

8 MANAGING ASSETS

Searching Asset Profiles 169

Adding an Asset Profile 175

Editing an Asset 176

Deleting Assets 178

Deleting an Asset 178

Deleting All Assets 178

Importing Asset Profiles 179

Exporting Assets 180

9 MANAGING REPORTS

Using the Reports Interface 182

Using the Navigation Menu 182

Using the Toolbar 183

Viewing Reports 183

Grouping Reports 184

Creating a Group 185

Editing a Group 186

Copying a Template to Another Group 186

Deleting a Template From a Group 187

Assigning a Report to a Group 188

Creating a Report 188

Creating a Template 189

Configuring Charts 196

Selecting a Graph Type 214

Using Default Report Templates 216

Generating a Report 217

Duplicating a Report 217

Sharing a Report 218

Branding Your Report 218

10 USING TNC RECOMMENDATIONS

Configuring TNC Recommendations 221

Removing TNC Recommendations 223

A GLOSSARY

INDEX

STRM Users Guide

ABOUT THIS GUIDE

The STRM Users Guide provides information on managing STRM including the

Dashboard, Offense Manager, Reports, Event Viewer, and Network Surveillance

interfaces.

Conventions Table 1 lists conventions that are used throughout this guide.

Technical

Documentation

You can access technical documentation, technical notes, and release notes

directly from the Juniper Networks support web site at https://juniper.net/support.

Once you access the Juniper Networks support web site, locate the product and

software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this

guide or any of the Juniper Networks documentation to:

documentation@juniper.net.

Include the following information with your comments:

• Document title

• Page number

Table 1 Icons

Icon Type Description

Information note Information that describes important features or

instructions.

Caution Information that alerts you to potential loss of

data or potential damage to an application,

system, device, or network.

Warning Information that alerts you to potential personal

injury.

STRM Users Guide

2 ABOUT THIS GUIDE

Contacting

Customer Support

To help you resolve any issues that you may encounter when installing or

maintaining STRM, you can contact Customer Support as follows:

• Log a support request 24/7: https://juniper.net/support/

For access to the Juniper Networks support web site, please contact Customer

Support.

• Access Juniper Networks support and Self-Service support using e-mail:

[email protected]

• Telephone assistance: 1-800-638-8296.

STRM Users Guide

1

ABOUT STRM

STRM is a network security management platform that provides situational

awareness and compliance support through the combination of flow-based

network knowledge, security event correlation, and asset-based vulnerability

assessment. This chapter provides an overview of the STRM interface including:

• Logging In to STRM

• Dashboard

• Offense Manager

• Event Viewer

• Flow Viewer

• Assets

• Network Surveillance

• Reports

• Using STRM

• STRM Administration Console

Note: When navigating STRM, do not use the browser Back button. Use the

navigation options available with STRM to navigate the interface.

Logging In to STRM To login to STRM:

Step 1 Open your web browser.

Step 2 Log in to STRM:

https://<

IP Address>

Where <

IP Address> is the IP address of the STRM system. The default values

are:

Username: admin

Password: <root password>

Where

<root password> is the password assigned to STRM during the

installation process. For more information, see the STRM Installation Guide.

STRM Users Guide

4 ABOUT STRM

Step 3 Click Login To STRM.

For your STRM Console, a default license key provides you access to the interface

for 5 weeks. A window appears providing the date that the temporary license key

will expire. For information on installing a permanent license key, see the STRM

Administration Guide.

Dashboard The Dashboard tab is the default interface that appears when you log in to STRM.

The Dashboard tab provides summary and detailed information on offenses

occurring on your network, your network overall security and vulnerability state, as

well as in depth views into your network traffic behavior. The Dashboard is

customizable on a per user basis to focus on individual user’s security or network

operations responsibilities.

Note: For more information on using the Dashboard, see Chapter 2 Using the

Dashboard.

STRM Users Guide

Offense Manager 5

Offense Manager The Offense Manager tab provides a view into all offenses occurring on your

network. From the Offense Manager, you can investigate an offense to determine

the root cause of an issue. You can also resolve the issue.

Note: For more information on Offense Manager, see Chapter 5 Investigating

Offenses.

Event Viewer The Event Viewer allows you to view event logs being sent to STRM in real-time,

or through powerful searches. The Event Viewer is a powerful tool for performing

in-depth investigations on event data. It is also useful for quickly identifying false

positives and tuning STRM.

Note: For more information, see Chapter 6 Using the Event Viewer.

STRM Users Guide

6 ABOUT STRM

Flow Viewer The Flow Viewer tab allows you to monitor and investigate flow data in real-time or

perform advanced searches. A flow is a communication session between two

hosts. Viewing flow information allows you to determine how the traffic is

communicated, what was communicated (if the content capture option is enabled),

and includes such details as when, who, how much, protocols, ASN values, IfIndex

values, or priorities.

Note: For more information, see Chapter 7 Using the Flow Viewer.

Assets STRM automatically discovers assets (servers and hosts) operating on your

network, based on passive QFlow data as well as vulnerability data allowing STRM

to build an asset profile. Asset profiles display what services are running on each

asset. This profile data is used for correlation purposes to help reduce false

positives, for example, if an attack occurs trying to exploit a specific service

running on a specific asset, STRM can determine if the asset is vulnerable to this

attack by correlating the attack to the asset profile. Using the Assets tab, you can

view all the learned assets or search for specific assets to view there profiles.

STRM Users Guide

Assets 7

Note: For more information, see Chapter 8 Managing Assets.

STRM Users Guide

8 ABOUT STRM

Network

Surveillance

The Network Surveillance tab is a real-time network behavioral and anomaly

monitoring interface that allows you to monitor the traffic on your network and how

your network is behaving. The Network Surveillance tab displays what areas of

your network are producing the most traffic, what applications are running, and

what types of threatening or out of policy traffic are present on your network.

Using the Network Surveillance interface, you can:

• Sentries are a technology that monitors traffic seen in any Network Surveillance

view, such as apps, network , asset groups and geographies, and alert on

normal behavior. Using the Network Surveillance interface, you can add

sentries to any view you are monitoring. The alerts that sentries create can be

correlated with events sent from other security and infrastructure devices to

create offenses, viewed within the Offense Manager.

• View and investigate your network activity. For more information, see Chapter 3

Managing Your Network Activity.

Note: For more information on using the Network Surveillance interface, see

Chapter 3 Managing Your Network Activity.

STRM Users Guide

Reports 9

Reports Reports is a flexible and robust reporting package that allows you to create,

distribute, and manage reports for any data within STRM. Reports allows you to

create customized reports for operational and executive use by combining any

combination of information (such as, security or network) into a single report. You

can also use the many pre-installed report templates included with STRM.

The Reports tab also allows you to brand your reports with your customized logos

enabling you to support various unique logos for each report. This is beneficial for

distributing reporting to different audiences.

Note: For more information on Reports, see Chapter 9 Managing Reports.

Using STRM Using STRM, you can:

• Sort the results. See Sorting Results.

• Refresh the interface. See Refreshing the Interface.

• Pause the current display. See Pausing the Interface.

• Further investigate an IP address. See Investigating IP Addresses.

• View the time of the STRM Console. See Viewing STRM Time.

• Access the on-line Help. See Accessing On-line Help.

Sorting Results In the Event Viewer, Offense Manager, Flow Viewer, and Reports interfaces, you

can sort the resulting tables by clicking on a column heading. A single click of the

desired column sorts the results in descending order and a second click on the

heading sorts the results in ascending order. An arrow at the top of the column

indicates the direction of the sort.

For example, if you wish to sort the events by Name, click the Name heading. An

arrow appears in the column heading to indicate the results are sorted in

descending order.

STRM Users Guide

10 ABOUT STRM

Click the Name column heading again if you wish to sort the information in

ascending order.

Refreshing the

Interface

Several STRM interfaces, including the Event Viewer, Offense Manager, Flow

Viewer, and the Dashboard allow you to refresh the interface. This refresh option is

located in the right corner of the interface. The timer indicates the amount of time

since the interface was refreshed. To refresh the interface, click the refresh

icon.

Pausing the Interface You can use the refresh timer, located on the right, to pause the current display. To

pause the interface, click the pause icon . The timer flashes red to indicate the

current display is paused. Click the icon again to restart the timer.

Investigating IP

Addresses

You can use the right-mouse button (right-click) on any IP address or asset name

to access additional menus, which allow you to further investigate that IP address

or asset. For more information on assets, see the STRM Administration Guide.

The menu options include:

Note: For information on customizing the right-click menu, see the Customizing

the Right-Click Menu Technical Note.

Table 1-1 Additional Options

Menu Sub-Menu Description

Navigate View Network

Location

Opens the Network Surveillance interface

displaying the network activity for the

network that the selected IP address is

associated with.

View Attacker

Summary

Displays the attacker summary window that

displays all offenses associated with the

selected attacker.

View Target

Summary

Displays the target summary window that

displays all offenses associated to the

selected target.

Information DNS Lookup Searches for DNS entries based on the IP

address.

WHOIS Lookup Searches for the registered owner of a

remote IP address (Default system server:

whois.crsnic.net.)

STRM Users Guide

STRM Administration Console 11

Viewing STRM Time The right corner of the STRM interface displays STRM time, which is the time of

the STRM Console. The STRM Console time synchronizes all STRM appliances

within the STRM deployment, and is used to determine the time events were

received from other devices for proper time sync correlation.

Accessing On-line

Help

You can access the STRM on-line Help through the main STRM interface. To

access the on-line Help, click Help > Help Contents. The Help interface appears.

STRM

Administration

Console

The STRM Administration Console is a client-based application that provides

administrative users access to administrative functionality including:

• System Configuration - Allows you configure system wide STRM settings

including, users, thresholds, system settings, network hierarchy, authentication,

sentries, or automatic updates.

• Access the deployment editor - Allows you to manage the individual

components of your STRM and SIM deployment.

• Configure views - Allows you to manage your views.

Port Scan Performs a NMAP scan of the selected IP

address. This option is only available if

NMAP is installed on your system. For more

information on installing NMAP, see your

vendor documentation.

Asset Profile Displays asset profile information. This menu

option is only available when profile data has

been acquired either actively (through a

scan) or passively (through flow sources).

For information, see the STRM

Administration Guide.

Search Flows Allows you search for flows. For information,

see

Chapter 7 Using the Flow Viewer.

Resolver Actions View Resolver

Actions

Displays the Resolver Actions applied to this

IP address.

Add Resolver

Action

Executes the Add Resolver process. This

option is available when a Resolver is online

and able to resolve any protocol. However,

since a TCP Reset Resolver is effective for

TCP-based communications only, you

cannot execute a TCP Reset Resolver from

TNC

Recommendations

Allows you to restrict or deny network access

to users based on user name or other

credentials.

For more information, see

Chapter 10 Using

TNC Recommendations

.

Table 1-1 Additional Options (continued)

Menu Sub-Menu Description

STRM Users Guide

12 ABOUT STRM

• Managing vulnerability assessment and scanners - Allows you to schedule

scans to keep your vulnerability assessment data up-to-date.

• Configure sensor devices - Allows you to configure sensor devices, which

provide events to your deployment through DSMs.

• Configure flow sources - Allows you to configure flow sources, such as,

NetFlow or Packeteer.

All configuration updates using the Administration Console are saved to a staging

area. Once all changes are complete, you can deploy the configuration changes or

all configuration settings to the remainder of your deployment.

For more information regarding the STRM Administration Console, see the STRM

Administration Guide.

STRM Users Guide

2

USING THE DASHBOARD

The Dashboard allows you to create a customized portal to monitor any data

STRM collects, to which you have access. The Dashboard is the default view

when you log in to STRM and allows you to monitor several areas of your network

at the same time. Normal activity, vulnerabilities, and suspicious behaviors can be

investigated directly from the Dashboard. All information displayed on the

Dashboard is current and provides you with a real-time portal into the status of

your network traffic and assets. You can detach an item and monitor the item

directly from your desktop.

This chapter includes:

• About the Dashboard

• Network Surveillance

• Offense Manager

• Event Viewer

• Reports

• Enterprise Security State

• Enterprise Vulnerability State

• System Summary

• Adding Items

About the

Dashboard

The Dashboard allows you to monitor your overall network behavior, security and

vulnerability posture, top targeted assets, top attackers, and worst and most recent

security offenses - all from one window.

By default, for non-administrative users, the Dashboard is empty. For

administrative users, the Dashboard displays the following:

• System Summary

• Events - Average Events Per Second

• Offenses - New Offense Count

• Most Severe Offenses

STRM Users Guide

14 USING THE DASHBOARD

• Most Recent Offenses

• Local Networks - Inbound Bytes

• Local Networks - Outbound Bytes

• Top Category Types

• Top Attackers

Note: The items that appear on your Dashboard depends on the access you have

been granted. For more information on user roles, see the STRM Administration

Guide.

The content that appears on the Dashboard is user-specific. You can design the

Dashboard as you wish, as the changes made within a STRM session affect only

your system. The next time you log in, STRM reflects your last Dashboard

configuration.

You can move and position items to meet your requirements. You can stack items

in one panel or distribute them evenly within the three panels. When positioning

items, each item automatically resizes in proportion to the panel. The Dashboard

interface refreshes regularly to display the most recent information.

Page is loading ...

Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1 User manual

This manual is also suitable for

Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1 User manual

Related papers

Other documents