Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - REV1, SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1 User manual

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-027294-01, Revision 1
Security Threat Response Manager
STRM Users Guide
Release 2008.2 R2
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this
document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks
assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has
been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These
specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV
technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
STRM Users Guide
Release 2008.2 R2
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
September 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
ABOUT THIS GUIDE
Conventions 1
Technical Documentation 1
Contacting Customer Support 2
1 ABOUT STRM
Logging In to STRM 3
Dashboard 4
Offense Manager 5
Event Viewer 5
Flow Viewer 6
Assets 6
Network Surveillance 8
Reports 9
Using STRM 9
Sorting Results 9
Refreshing the Interface 10
Pausing the Interface 10
Investigating IP Addresses 10
Viewing STRM Time 11
Accessing On-line Help 11
STRM Administration Console 11
2 USING THE DASHBOARD
About the Dashboard 13
Using the Dashboard 15
Network Surveillance 16
Traffic 16
TopN 17
Offense Manager 18
Offenses 18
Attackers and Targets 19
Categories 19
Event Viewer 20
Events Over Time 20
Events By Severity 20
Top Devices 21
Reports 22
Enterprise Security State 22
Enterprise Vulnerability State 23
System Summary 24
Adding Items 24
3 MANAGING YOUR NETWORK ACTIVITY
Using the Network Surveillance Menu 25
Global Views 25
Asset Map 26
Bookmarks 27
QRL Options 27
Viewing Network Activity 28
Interpreting the Graphs 28
Changing the View 30
Changing Flow Attributes 32
Changing Traffic Location 33
Investigating Traffic Using TopN 34
Viewing the TopN Information 34
Investigating Traffic 35
Investigating Flows 36
4 MANAGING SENTRIES
About Sentries 40
Types of Sentries 40
Viewing Sentries 42
Creating a Sentry 43
Creating a Security/Policy Sentry 44
Creating a Behavior Sentry 49
Creating an Anomaly Sentry 56
Creating a Threshold Sentry 61
Creating a Custom Sentry 66
Editing a Sentry 72
5 INVESTIGATING OFFENSES
Using the Offense Manager 78
Managing My Offenses 78
Managing Offenses 79
Viewing Offenses 79
Searching Offenses 88
Removing Offenses 90
Assigning Offenses to Users 92
Viewing Offense By Category 93
Managing Offenses By Attacker 97
Viewing Offenses by Attacker 97
Searching Attackers 104
Managing Offenses By Targets 106
Viewing Offenses By Targets 106
Searching Targets 112
Managing Offenses By Networks 114
Viewing Offenses By Networks 114
Searching Networks 124
Marking an Item For Follow-Up 125
Adding Notes 125
Configuring Notification 126
Managing Network Anomalies 127
Viewing Network Anomaly Offenses 127
Closing Offenses 129
Forwarding Network Anomaly Offenses 130
Exporting Offenses 131
6 USING THE EVENT VIEWER
Using the Event Viewer Interface 134
Using the Toolbar 134
Using the Right-Click Menu Options 134
Viewing Events 135
Viewing Normalized Events 135
Viewing Raw Events 139
Viewing Aggregate Normalized Events 140
Searching Events 145
Searching Events 145
Deleting Saved Searches 148
Viewing the Associated Offense 148
Modifying Event Mapping 149
Tuning False Positives 151
Exporting Events 152
7 USING THE FLOW VIEWER
Using the Flow Viewer Interface 154
Using the Toolbar 154
Using the Right-Click Menu Options 154
Viewing Flows 155
Viewing Flows 155
Viewing Aggregated Flows 158
Using the Search 164
Searching Flows 164
Deleting Saved Searches 167
Exporting Flows 167
8 MANAGING ASSETS
Searching Asset Profiles 169
Adding an Asset Profile 175
Editing an Asset 176
Deleting Assets 178
Deleting an Asset 178
Deleting All Assets 178
Importing Asset Profiles 179
Exporting Assets 180
9 MANAGING REPORTS
Using the Reports Interface 182
Using the Navigation Menu 182
Using the Toolbar 183
Viewing Reports 183
Grouping Reports 184
Creating a Group 185
Editing a Group 186
Copying a Template to Another Group 186
Deleting a Template From a Group 187
Assigning a Report to a Group 188
Creating a Report 188
Creating a Template 189
Configuring Charts 196
Selecting a Graph Type 214
Using Default Report Templates 216
Generating a Report 217
Duplicating a Report 217
Sharing a Report 218
Branding Your Report 218
10 USING TNC RECOMMENDATIONS
Configuring TNC Recommendations 221
Removing TNC Recommendations 223
A GLOSSARY
INDEX
ABOUT THIS GUIDE
The STRM Users Guide provides information on managing STRM including the
Dashboard, Offense Manager, Reports, Event Viewer, and Network Surveillance
interfaces.
Conventions
Table 1 lists the conventions that are used throughout this guide.
Technical Documentation
You can access technical documentation, technical notes, and release notes
directly from the Juniper Networks support web site at https://juniper.net/support.
Once you access the Juniper Networks support web site, locate the product and
software release for which you require documentation.
Your comments are important to us. Please send your e-mail comments about this
guide or any of the Juniper Networks documentation to:
documentation@juniper.net.
Include the following information with your comments:
• Document title
• Page number
Table 1 Icons
Icon Type | Description
Information note | Information that describes important features or instructions.
Caution | Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning | Information that alerts you to potential personal injury.
Contacting Customer Support
To help you resolve any issues that you may encounter when installing or
maintaining STRM, you can contact Customer Support as follows:
• Log a support request 24/7: https://juniper.net/support/
For access to the Juniper Networks support web site, please contact Customer
Support.
• Access Juniper Networks support and Self-Service support using e-mail:
• Telephone assistance: 1-800-638-8296.
1 ABOUT STRM
STRM is a network security management platform that provides situational
awareness and compliance support through the combination of flow-based
network knowledge, security event correlation, and asset-based vulnerability
assessment. This chapter provides an overview of the STRM interface including:
• Logging In to STRM
• Dashboard
• Offense Manager
• Event Viewer
• Flow Viewer
• Assets
• Network Surveillance
• Reports
• Using STRM
• STRM Administration Console
Note: When navigating STRM, do not use the browser Back button. Use the
navigation options available with STRM to navigate the interface.
Logging In to STRM
To log in to STRM:
Step 1 Open your web browser.
Step 2 Log in to STRM:
https://<IP Address>
Where <IP Address> is the IP address of the STRM system. The default values are:
Username: admin
Password: <root password>
Where <root password> is the password assigned to STRM during the installation process. For more information, see the STRM Installation Guide.
Step 3 Click Login To STRM.
For your STRM Console, a default license key provides you access to the interface
for 5 weeks. A window appears providing the date that the temporary license key
will expire. For information on installing a permanent license key, see the STRM
Administration Guide.
Dashboard
The Dashboard tab is the default interface that appears when you log in to STRM.
The Dashboard tab provides summary and detailed information on offenses
occurring on your network, your network's overall security and vulnerability state, as
well as in-depth views into your network traffic behavior. The Dashboard is
customizable on a per-user basis to focus on an individual user's security or network
operations responsibilities.
Note: For more information on using the Dashboard, see Chapter 2 Using the
Dashboard.
Offense Manager
The Offense Manager tab provides a view into all offenses occurring on your
network. From the Offense Manager, you can investigate an offense to determine
the root cause of an issue. You can also resolve the issue.
Note: For more information on Offense Manager, see Chapter 5 Investigating
Offenses.
Event Viewer
The Event Viewer allows you to view event logs being sent to STRM in real-time,
or through powerful searches. The Event Viewer is a powerful tool for performing
in-depth investigations on event data. It is also useful for quickly identifying false
positives and tuning STRM.
Note: For more information, see Chapter 6 Using the Event Viewer.
Flow Viewer
The Flow Viewer tab allows you to monitor and investigate flow data in real-time or
perform advanced searches. A flow is a communication session between two
hosts. Viewing flow information allows you to determine how the traffic is
communicated, what was communicated (if the content capture option is enabled),
and includes such details as when, who, how much, protocols, ASN values, IfIndex
values, or priorities.
Note: For more information, see Chapter 7 Using the Flow Viewer.
Assets
STRM automatically discovers assets (servers and hosts) operating on your
network, based on passive QFlow data as well as vulnerability data, allowing STRM
to build an asset profile. Asset profiles display what services are running on each
asset. This profile data is used for correlation purposes to help reduce false
positives. For example, if an attack occurs that tries to exploit a specific service
running on a specific asset, STRM can determine whether the asset is vulnerable to this
attack by correlating the attack to the asset profile. Using the Assets tab, you can
view all the learned assets or search for specific assets to view their profiles.
Note: For more information, see Chapter 8 Managing Assets.
Network Surveillance
The Network Surveillance tab is a real-time network behavioral and anomaly
monitoring interface that allows you to monitor the traffic on your network and how
your network is behaving. The Network Surveillance tab displays what areas of
your network are producing the most traffic, what applications are running, and
what types of threatening or out-of-policy traffic are present on your network.
Using the Network Surveillance interface, you can:
• Add sentries to any view you are monitoring. Sentries are a technology that
monitors traffic seen in any Network Surveillance view, such as apps, networks,
asset groups, and geographies, and alerts on normal behavior. The alerts that
sentries create can be correlated with events sent from other security and
infrastructure devices to create offenses, which are viewed within the Offense
Manager.
• View and investigate your network activity. For more information, see Chapter 3
Managing Your Network Activity.
Note: For more information on using the Network Surveillance interface, see
Chapter 3 Managing Your Network Activity.
Reports
Reports is a flexible and robust reporting package that allows you to create,
distribute, and manage reports for any data within STRM. Reports allows you to
create customized reports for operational and executive use by combining any
combination of information (such as, security or network) into a single report. You
can also use the many pre-installed report templates included with STRM.
The Reports tab also allows you to brand your reports with your customized logos
enabling you to support various unique logos for each report. This is beneficial for
distributing reporting to different audiences.
Note: For more information on Reports, see Chapter 9 Managing Reports.
Using STRM
Using STRM, you can:
• Sort the results. See Sorting Results.
• Refresh the interface. See Refreshing the Interface.
• Pause the current display. See Pausing the Interface.
• Further investigate an IP address. See Investigating IP Addresses.
• View the time of the STRM Console. See Viewing STRM Time.
• Access the on-line Help. See Accessing On-line Help.
Sorting Results
In the Event Viewer, Offense Manager, Flow Viewer, and Reports interfaces, you
can sort the resulting tables by clicking on a column heading. A single click of the
desired column sorts the results in descending order and a second click on the
heading sorts the results in ascending order. An arrow at the top of the column
indicates the direction of the sort.
For example, if you wish to sort the events by Name, click the Name heading. An
arrow appears in the column heading to indicate the results are sorted in
descending order.
Click the Name column heading again if you wish to sort the information in
ascending order.
Refreshing the Interface
Several STRM interfaces, including the Event Viewer, Offense Manager, Flow
Viewer, and the Dashboard allow you to refresh the interface. This refresh option is
located in the right corner of the interface. The timer indicates the amount of time
since the interface was refreshed. To refresh the interface, click the refresh
icon.
Pausing the Interface
You can use the refresh timer, located on the right, to pause the current display. To
pause the interface, click the pause icon. The timer flashes red to indicate the
current display is paused. Click the icon again to restart the timer.
Investigating IP Addresses
You can use the right-mouse button (right-click) on any IP address or asset name
to access additional menus, which allow you to further investigate that IP address
or asset. For more information on assets, see the STRM Administration Guide.
The menu options include:
Note: For information on customizing the right-click menu, see the Customizing
the Right-Click Menu Technical Note.
Table 1-1 Additional Options
Menu | Sub-Menu | Description
Navigate | View Network Location | Opens the Network Surveillance interface displaying the network activity for the network that the selected IP address is associated with.
Navigate | View Attacker Summary | Displays the attacker summary window, which lists all offenses associated with the selected attacker.
Navigate | View Target Summary | Displays the target summary window, which lists all offenses associated with the selected target.
Information | DNS Lookup | Searches for DNS entries based on the IP address.
Information | WHOIS Lookup | Searches for the registered owner of a remote IP address (default system server: whois.crsnic.net).
Information | Port Scan | Performs an NMAP scan of the selected IP address. This option is only available if NMAP is installed on your system. For more information on installing NMAP, see your vendor documentation.
Information | Asset Profile | Displays asset profile information. This menu option is only available when profile data has been acquired either actively (through a scan) or passively (through flow sources). For information, see the STRM Administration Guide.
Information | Search Flows | Allows you to search for flows. For information, see Chapter 7 Using the Flow Viewer.
Resolver Actions | View Resolver Actions | Displays the Resolver Actions applied to this IP address.
Resolver Actions | Add Resolver Action | Executes the Add Resolver process. This option is available when a Resolver is online and able to resolve any protocol. However, since a TCP Reset Resolver is effective for TCP-based communications only, you cannot execute a TCP Reset Resolver from
TNC Recommendations | | Allows you to restrict or deny network access to users based on user name or other credentials. For more information, see Chapter 10 Using TNC Recommendations.
Viewing STRM Time
The right corner of the STRM interface displays STRM time, which is the time of
the STRM Console. The STRM Console time synchronizes all STRM appliances
within the STRM deployment, and is used to determine the time events were
received from other devices for proper time sync correlation.
Accessing On-line Help
You can access the STRM on-line Help through the main STRM interface. To
access the on-line Help, click Help > Help Contents. The Help interface appears.
STRM Administration Console
The STRM Administration Console is a client-based application that provides
administrative users access to administrative functionality including:
• System Configuration - Allows you to configure system-wide STRM settings
including users, thresholds, system settings, network hierarchy, authentication,
sentries, or automatic updates.
• Access the deployment editor - Allows you to manage the individual
components of your STRM and SIM deployment.
• Configure views - Allows you to manage your views.
• Managing vulnerability assessment and scanners - Allows you to schedule
scans to keep your vulnerability assessment data up-to-date.
• Configure sensor devices - Allows you to configure sensor devices, which
provide events to your deployment through DSMs.
• Configure flow sources - Allows you to configure flow sources, such as
NetFlow or Packeteer.
All configuration updates using the Administration Console are saved to a staging
area. Once all changes are complete, you can deploy the configuration changes or
all configuration settings to the remainder of your deployment.
For more information regarding the STRM Administration Console, see the STRM
Administration Guide.
2 USING THE DASHBOARD
The Dashboard allows you to create a customized portal to monitor any data
STRM collects, to which you have access. The Dashboard is the default view
when you log in to STRM and allows you to monitor several areas of your network
at the same time. Normal activity, vulnerabilities, and suspicious behaviors can be
investigated directly from the Dashboard. All information displayed on the
Dashboard is current and provides you with a real-time portal into the status of
your network traffic and assets. You can detach an item and monitor the item
directly from your desktop.
This chapter includes:
• About the Dashboard
• Network Surveillance
• Offense Manager
• Event Viewer
• Reports
• Enterprise Security State
• Enterprise Vulnerability State
• System Summary
• Adding Items
About the Dashboard
The Dashboard allows you to monitor your overall network behavior, security and
vulnerability posture, top targeted assets, top attackers, and worst and most recent
security offenses - all from one window.
By default, for non-administrative users, the Dashboard is empty. For
administrative users, the Dashboard displays the following:
• System Summary
• Events - Average Events Per Second
• Offenses - New Offense Count
• Most Severe Offenses
• Most Recent Offenses
• Local Networks - Inbound Bytes
• Local Networks - Outbound Bytes
• Top Category Types
• Top Attackers
Note: The items that appear on your Dashboard depend on the access you have
been granted. For more information on user roles, see the STRM Administration
Guide.
The content that appears on the Dashboard is user-specific. You can design the
Dashboard as you wish, as the changes made within a STRM session affect only
your system. The next time you log in, STRM reflects your last Dashboard
configuration.
You can move and position items to meet your requirements. You can stack items
in one panel or distribute them evenly within the three panels. When positioning
items, each item automatically resizes in proportion to the panel. The Dashboard
interface refreshes regularly to display the most recent information.