Juniper NetScreen-IDP 3.0 Quick start guide

QUICKSTART GUIDE
NetScreen-IDP 3.0
V/N 3.0 P/N 093-1509-000 Rev. B
2 | Juniper Networks, Inc.
Customer Support
Toll Free: 800-638-8296, idp-support@juniper.net
Copyright Notice
Copyright © 2005 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen
logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT,
NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200,
NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client,
NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC,
GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and
registered trademarks are the property of their respective companies.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for
any purpose, without receiving written permission from:
Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089-1206
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to
comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to
provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct
the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual
generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation
instructions, it may cause interference with radio and television reception. This equipment has been tested and found
to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules.
These specifications are designed to provide reasonable protection against such interference in a residential
installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning
the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following
measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET
FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED
HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Enterprise Security Profiler
Use of the Enterprise Security Profiler may subject users in certain countries to obligations under applicable laws and
regulations, including data protection laws. Juniper Networks makes no representation or warranty that your use of
this feature will comply with all applicable laws and regulations and you are encouraged to seek advice of counsel to
understand your obligations, if any, under applicable laws and regulations.
QuickStart Guide, Juniper Networks NetScreen-IDP 3.0 | 3
CONTENTS
OVERVIEW ..................................................... 4
CHOOSE A DEPLOYMENT MODE ..................................... 6
INSTALL THE IDP MANAGEMENT SERVER ............................ 11
CONNECT TO THE IDP APPLIANCE ................................. 14
CONFIGURE THE IDP SENSOR ..................................... 17
CONNECT IDP TO YOUR NETWORK .................................. 20
CONNECT THE NS-IDP-BYP (OPTIONAL) ............................ 22
BSMI WARNING ................................................. 25
INSTALL THE USER INTERFACE ................................... 26
ADD NETWORK COMPONENTS ....................................... 28
INSTALL A SECURITY POLICY .................................... 29
RUN THE PROFILER ............................................. 30
UPDATE YOUR ATTACK OBJECTS ................................... 31
NETSCREEN-IDP QUICKSHEET ..................................... 32
OVERVIEW
This guide describes how to install version 3.0 of the Juniper Networks
NetScreen-Intrusion Detection and Prevention (IDP) system for non-high
availability (HA) configurations that use the NetScreen-IDP 10, 100, 500, or 1000
appliances. This guide also describes how to use an NS-IDP-BYP (Bypass Unit)
with your NetScreen-IDP 10, 100, 500, or 1000 system.
For instructions on installing HA configurations, please see the High Availability
QuickStart Guide 3.0. For IDP upgrades, please contact customer support.
IDP Sensor Package Contents
Each NetScreen-IDP Sensor package contains:
• An IDP appliance
• A bezel
• An accessory box containing:
  – 1 North American power cable
  – 2 Ethernet cables (blue cables)
  – 2 LC-LC fiber cables (IDP 500 & 1000 only)
  – 2 Crossover Ethernet cables (orange cables)
  – 1 Null modem Serial cable (gray cable)
• A documentation box containing:
  – Product data sheet
  – Release Notes, NetScreen-IDP 3.0
IDP Management Package Contents
Each NetScreen-IDP Management package contains:
• Installation CD, NetScreen-IDP 3.0
• Product Documentation CD, NetScreen-IDP 3.0
• QuickStart Guide, NetScreen-IDP 3.0
• High Availability QuickStart Guide, NetScreen-IDP 3.0
• Release Notes, NetScreen-IDP 3.0
The Installation Process
The installation process consists of 11 steps:
1. Choose a Deployment Mode. In this step, you choose a deployment
mode for the IDP system.
2. Install the IDP Management Server. In this step, you install the
Management Server software.
3. Connect to the IDP Appliance. In this step, you connect your system
to the IDP appliance using a serial or network connection.
4. Configure the IDP Sensor. In this step, you configure the IDP Sensor
software that is pre-installed on the IDP appliance.
5. Connect IDP to Your Network. In this step, you connect the IDP
appliance to your network.
6. Connect the NS-IDP-BYP (optional). In this step, you connect the
IDP Bypass Unit to your network and to the IDP appliance.
7. Install the User Interface. In this step, you install the User Interface
(UI).
8. Add Network Components. In this step, you add the IDP Sensor as a
Network Object in the IDP system.
9. Install a Security Policy. In this step, you install a Security Policy on
the IDP Sensor.
10. Run the Profiler. In this step, you configure and run the Profiler.
11. Update Your Attack Objects. In this step, you update your Attack
Object database to ensure that you are fully protected against the latest
attacks.
The NetScreen-IDP Installation CD includes the software required to install the
IDP Management Server, the IDP Sensor, and the User Interface for all IDP
appliances.
The NS-IDP-BYP is preconfigured to work with NetScreen-IDP 10, 100, 500, and
1000 appliances running IDP 2.1 or 3.0 Sensor software; no additional
configuration is required.
Step 1
CHOOSE A DEPLOYMENT MODE
The first step in setting up NetScreen-IDP on your network is to decide on a
deployment mode. The figures on pages 7-10 illustrate the five deployment modes
and their primary advantages and disadvantages.
IDP Appliance Placement
You can place the IDP appliance in front of your firewall, behind your firewall
(recommended), or anywhere on your network.
You should choose a location for your IDP appliance based on your existing
network hardware and the networks you want to protect. The examples provided
in this guide place the IDP appliance behind the firewall or router.
IDP Deployment Modes
For configurations without high availability, you can deploy the IDP Sensor as an
active gateway or as a passive sniffer.
• Active Gateway. Active Gateway modes take full advantage of IDP
attack prevention capabilities and MultiMethod Detection mechanisms.
Choose bridge, proxy-ARP, transparent, or router mode.
• Passive Sniffer. To use IDP as a passive IDS system without
prevention capabilities, deploy IDP in passive sniffer mode to monitor
and log network traffic. If the Sensor is attached to a network switch,
you must configure the switch to mirror all traffic to that port. IDP
defaults to sniffer mode.
Examine the examples on the following pages to determine which deployment
mode to use for your network. When you have chosen a deployment mode,
proceed to “Install the IDP Management Server” on page 11.
NS-IDP-BYP (Bridge or Transparent Mode Only)
The IDP Bypass Unit is a fail-open network device for your IDP system. If traffic
flow through the IDP appliance is disrupted, the Bypass Unit can automatically
reroute traffic. To use a Bypass Unit for fail-open protection with a NetScreen-
IDP appliance, you must deploy the IDP Sensor in bridge or transparent mode.
Sniffer Mode
Advantages:
• Seamless replacement of current IDS
• Minimal network changes
• Does not create an additional point-of-failure gateway
• Can monitor and log suspicious network activity
Disadvantages:
• Passive monitoring with limited prevention only
• Must use a hub or the span port of a switch
• Cannot use NS-IDP-BYP for fail-open protection
[Figure: sniffer mode deployment. The firewall (1.1.1.1) connects to a hub or switch on the protected network; the IDP eth0 (sniffing interface) attaches to that hub, or to the mirror/span port if a switch, with a straight-through cable. Eth2 (management interface, IP 2.2.2.7) attaches to the management network hub or switch (gateway 2.2.2.1) together with the Management Server (IP 2.2.2.4), Client1 (2.2.2.2), Client2 (2.2.2.3), Client3 (2.2.2.5), and Client4 with the UI installed (2.2.2.6). Protected servers: Server1 1.1.1.2, Server2 1.1.1.3, Server3 1.1.1.4, all with GW 1.1.1.1.]
Router Mode
Advantages:
• Can reliably respond to and prevent attacks
• Can connect IP networks with different address spaces
Disadvantages:
• Affects layer-3 IP networks (routing tables)
• Cannot use NS-IDP-BYP for fail-open protection
[Figure: router mode deployment. The IDP sits between the firewall (192.168.0.2) and the protected network hub or switch. Eth0 192.168.0.1 (forwarding interface, default GW 192.168.0.2) connects to the firewall with a crossover cable; Eth1 1.1.1.1 (forwarding interface) connects to the protected network hub or switch with a straight-through cable. Eth2 2.2.2.7 (management interface) attaches to the management network hub or switch (gateway 2.2.2.1) together with the Management Server (IP 2.2.2.4), Client1 (2.2.2.2), Client2 (2.2.2.3), Client3 (2.2.2.5), and Client4 with the UI installed (2.2.2.6). Protected servers: Server1 1.1.1.2, Server2 1.1.1.3, Server3 1.1.1.4, all with GW 1.1.1.1.]
Bridge Mode and Transparent Mode
Advantages:
• Can reliably respond to and prevent attacks
• Simple, transparent deployment
• Allows layer-2 broadcasts (DHCP, etc.)
• No changes to routing tables or network equipment
• Can use NS-IDP-BYP for fail-open protection
• Can forward non-IP traffic (transparent mode only)
Disadvantages: none listed.
[Figure: bridge/transparent mode deployment. The IDP sits between the firewall (1.1.1.1) and the protected network hub or switch. Eth0 (forwarding interface, no IP address) connects to the firewall with a crossover cable; Eth1 (forwarding interface, no IP address) connects to the protected network hub or switch with a straight-through cable. Eth2 2.2.2.7 (management interface) attaches to the management network hub or switch (gateway 2.2.2.1) together with the Management Server (IP 2.2.2.4), Client1 (2.2.2.2), Client2 (2.2.2.3), Client3 (2.2.2.5), and Client4 with the UI installed (2.2.2.6). Protected servers: Server1 1.1.1.2, Server2 1.1.1.3, Server3 1.1.1.4, all with GW 1.1.1.1.]
Proxy-ARP Mode
Advantages:
• Can reliably respond to and prevent attacks
• Simple, transparent deployment
Disadvantages:
• Network nodes may need to update cached ARP entries
• Cannot use NS-IDP-BYP for fail-open protection
[Figure: proxy-ARP mode deployment. The IDP sits between the firewall (1.1.1.1) and the protected network hub or switch. Eth0 1.1.1.254 (forwarding interface) connects to the firewall with a crossover cable; Eth1 1.1.1.5 (forwarding interface) connects to the protected network hub or switch with a straight-through cable. Eth2 2.2.2.7 (management interface) attaches to the management network hub or switch (gateway 2.2.2.1) together with the Management Server (IP 2.2.2.4), Client1 (2.2.2.2), Client2 (2.2.2.3), Client3 (2.2.2.5), and Client4 with the UI installed (2.2.2.6). Protected servers: Server1 1.1.1.2, Server2 1.1.1.3, Server3 1.1.1.4, all with GW 1.1.1.1.]
When you have chosen a deployment mode for your IDP system, proceed to
“Install the IDP Management Server” on page 11.
Step 2
INSTALL THE IDP MANAGEMENT SERVER
In this step, you install the NetScreen-IDP Management Server software that
controls your IDP appliances. You can install the Management Server software
on a secure and trusted Red Hat Linux 7.2 or 8, RHEL AS/ES/WS 3, or Solaris 8
or 9 computer.
The remaining instructions in this step describe how to install the Management
Server on a separate computer.
When installing the Management Server, Juniper Networks recommends using a
system that has a minimum of 1 GB RAM. An example Management Server
system uses the following specifications:
CPU: Quad Intel(R) Xeon(TM), 2.40GHz
Cache size: 512 KB
MemTotal: 2GB
Hard Disk: 32.5 GB
Before installing the Management Server, ensure that the following are installed
on the computer:
• gzip compression software — This is installed by default on RedHat
systems. For Solaris systems, you can download the gzip package for
your processor and OS version from http://www.sunfreeware.com. Once
you have downloaded the gzip package (do not download the source code
file), install the software with the pkgadd command; for example,
pkgadd -d gzip-1.3.5-sol8-sparc-local.
• uudecode to decode the payloads contained in the installation file —
This is installed by default on Solaris systems. For RedHat systems, you
can install this utility from the Management Server CD by entering the
following command:
rpm -Uvh sharutils-4.2.1-8.7.x.i386.rpm.
Note: You can install the Management Server software directly on the NetScreen-IDP
100. This configuration is for simple networking environments, such as a small office.
This configuration is often easier to install, but can negatively impact Sensor
performance. If you are using multiple Sensors or are operating in a production
environment, Juniper Networks strongly recommends that you install the Management
Server software on another machine. You cannot install the Management Server
software on the NetScreen-IDP 10, 500, or 1000 appliance, or the NS-IDP-BYP Unit.
If you choose to install the Management Server software on a NetScreen-IDP 100
appliance, skip to Step 3 on page 14.
Installing the Management Server
1. Ensure that the computer you install the Management Server on is:
   – Plugged in to a power source and powered on
   – Connected to a serial console or monitor and keyboard
   – A secure and trusted Red Hat Linux 7.2 or 8, RHEL AS/ES/WS 3,
     or Solaris 8 or 9 computer
2. Insert the IDP Installation CD into the drive on the Management
Server.
3. Log in to the computer as root. If you are already logged in as a user
other than root, become root by typing: su -. At the password prompt,
enter the root password for the computer.
4. Create an idp group with the user idp as the only member.
   – For Linux, type the command: useradd idp
   – For Solaris, type the commands:
     groupadd idp
     useradd -g idp idp
5. Mount the IDP Installation CD following the operating system
manufacturer’s instructions.
6. Change to the Management Server directory using the cd command.
   – For Linux: cd /mnt/cdrom/Mgt-Svr/Linux
   – For Solaris: cd /cdrom/cdrom0/Mgt-Svr/Solaris
7. Run the Management Server install script by typing the appropriate
command:
   – For Linux: ./mgtsvr_linux_3_0.sh
   – For Solaris: ./mgtsvr_solaris_3_0.sh
The installation automatically begins.
Note: The Management Server installation process is case-sensitive. You must follow
the menu selections exactly as shown in the script help text.
8. When prompted, specify the directory that IDP uses to store the
Management Server data files.
9. When prompted, specify a password for the IDP Management Server
admin account. Confirm the password.
The installation proceeds automatically. Several messages appear to
confirm the installation progress. After the installation is complete, the
Management Server processes start automatically.
Management Server IP Address
During the Sensor configuration process, you must establish the communication
between the Management Server and the Sensor by providing the IP address of
the Management Server computer. For quick reference, write the Management
Server IP address in the table below:
Management Server IP Address: ________________________________________
Note: The admin account authenticates communication between the Management
Server and the User Interface (UI). You are asked for this password again when you
log in to the UI in “Install the User Interface” on page 26.
When you have successfully installed the Management Server, proceed to
“Connect to the IDP Appliance” on page 14.
Step 3
CONNECT TO THE IDP APPLIANCE
In this step, you connect to the NetScreen-IDP appliance and prepare to
configure the Sensor software that is installed on it. You can connect to the IDP
appliance using one of the following methods:
• Connect a standalone computer to IDP appliance eth2
(management) port. In this method, you change the IP address of a
standalone computer to an IP address that is on the 192.168.1.0/24
network. Then, you connect the standalone computer to the IDP
appliance and use the default settings for Ethernet access to configure
the Sensor software.
• Connect a serial console or keyboard/monitor to IDP appliance.
In this method, you assign the IDP appliance an IP address that is on
your network. Then, you connect a serial console or keyboard and
monitor to the IDP appliance and configure Ethernet access by choosing
an Ethernet port, IP address, and default route. After you have
configured Ethernet access, you connect the IDP appliance to your
network and configure the Sensor software from a computer on your
network.
Choose a method and follow the appropriate instructions below. When you have
established Ethernet access to the IDP appliance, you can configure the Sensor
software using the Appliance Configuration Manager (ACM), the Web-based IDP
configuration tool. The configuration process is described in “Configure the IDP
Sensor” on page 17.
Use the illustrations provided on the back cover of this guide to locate the
Ethernet, fiber, and serial ports for the IDP appliance.
Using a Standalone Computer
1. Connect a standalone computer, such as a laptop, to the IDP appliance
eth2 port. To connect directly to the appliance, use a crossover cable. To
connect to the appliance over a hub or switch, use a straight-through
cable.
2. Change the IP address of the standalone computer to 192.168.1.2.
For instructions on changing your IP address, see your computer’s
operating system documentation.
3. On the connected computer, open a Web browser. Enter the URL of the
ACM wizard as https://192.168.1.1. Because the ACM uses a
secure form of HTTP, you MUST enter https:// before the IP address.
4. Enter the default user name (root) and password (abc123).
When the ACM wizard appears, proceed to “Configure the IDP Sensor”
on page 17.
Using a Serial Console or Keyboard/Monitor
1. Connect to the IDP appliance:
   – For serial console connections, connect a serial console to the IDP
     appliance Serial port and configure the terminal software to use
     parameters 8-N-1, 9600. For Windows, use HyperTerminal. For
     Linux, use minicom.
   – For keyboard and monitor connections, connect a keyboard and
     monitor to the IDP appliance.
2. Log in to the IDP appliance as root with the password abc123.
The Ethernet configuration script automatically runs. Follow the
instructions in the script’s help text to configure Ethernet access to the
IDP appliance.
3. When prompted, select the network card you want to configure. The
default configuration for that network card appears.
   – To accept the default configuration, type n and press Enter to
     continue.
   – To reconfigure the network card, type y. Assign an IP address and
     netmask to the network card. Be sure to use an IP address that is
     reachable by the computer you will use to configure the Sensor
     software. Press Enter to continue.
4. When prompted, set a default route by pressing y. Enter the default
route for the computer that you will use to configure the Sensor
software. Press Enter.
5. Use the Ethernet port you just configured to connect the IDP appliance
to your network. To connect directly to another computer, use a cross-
over cable. To connect to a hub or switch, use a straight-through cable.
6. Using the computer that is on your network, open a Web browser. Enter
the IP address you chose in the configuration script. Because the ACM
uses a secure form of HTTP, you MUST enter https:// before the IP
address.
7. Enter the default user name (root) and password (abc123).
When the ACM wizard appears, proceed to “Configure the IDP Sensor”
on page 17.
Step 4
CONFIGURE THE IDP SENSOR
In this step, you configure the NetScreen-IDP Sensor software that is pre-
installed on the IDP appliance to work with your network.
Using the Appliance Configuration Manager (ACM), a Web-based tool, follow the
on-screen instructions as the ACM wizard leads you through the six-section
configuration process.
To view the ACM online help, click the icon in the upper right corner.
The table summarizes the information you should have available:
Note: The ACM supports Mozilla 1.0.1 and IE 6.0 Web browsers. If the font
size is too small or difficult to read in your Mozilla Web browser, increase the
font size to 150%.
Note: During the configuration process, you choose a One-Time Password
(OTP) and are given a VIN for your Sensor. Because you are prompted for this
information again in “Add Network Components” on page 28, you might want
to record the VIN.
Section: Configuration Information
Setup:
• IDP Sensor host and domain name
• IDP Sensor root and admin passwords (default is abc123)
• Install Management Server Locally (Optional)
• Management Server password for the User Interface
Mode:
• Deployment mode: sniffer, router, bridge, transparent, or proxy-ARP
• Enable Bypass Unit (Optional)
• Enable/choose high availability solution
Networking:
• Speed and duplex settings for IDP appliance interfaces
• Enable/configure VLAN interfaces
• Enable/configure virtual routers
• Management interface
• Forwarding interfaces (The IDP 10 appliance is limited to a total of four
forwarding interfaces.)
• Routing table (In proxy-ARP or router mode, if you are using multiple
subnets in your protected network, you must configure static routes on the
IDP appliance to these subnets. Without these static routes, incoming
traffic to those subnets can be lost. Alternatively, you can create a static
route from the IDP appliance to an internal gateway that contains inbound
routes to the protected subnets.)
System:
• Enable/configure DNS
• Set Time and Time Zone
• Enable/configure NTP
• Enable/configure RADIUS
• Enable/configure SNMP
• Enable/configure SSH access
Management:
• IP address of the Management Server for this Sensor and OTP
• Sensor VIN ________________________________________
• Enable/configure ACM access
Done: View the current configuration and then:
• Save all changes
• Apply the configuration to the IDP appliance
• Reboot the IDP appliance
After you have saved and applied a configuration to the IDP Sensor, exit the
ACM by closing the Web browser window.
You can now disconnect the serial console, keyboard and monitor, or other
standalone computer from the IDP appliance. If you changed the IP address of a
standalone computer to access the ACM, be sure to change it back to its original
IP address.
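The constraints this guide states for choosing a deployment mode (Step 1) and for the ACM Mode, Networking and Management sections (above) can be checked before a configuration is saved and applied. The following is an added example, not code from Juniper or the ACM: `lint_config` and the configuration dictionary layout are hypothetical, and the sample configurations are constructed from the addresses used in this guide's figures (the second protected subnet in the failing sample is made up).

```python
"""Pre-deployment lint for a planned NetScreen-IDP 3.0 Sensor configuration.

Hypothetical helper (not part of the IDP product or the ACM). It encodes the
constraints stated in this guide so a planned ACM configuration can be checked
before it is saved and applied.
"""
import ipaddress

MODES = {"sniffer", "router", "bridge", "transparent", "proxy-arp"}
BYPASS_MODES = {"bridge", "transparent"}   # NS-IDP-BYP works only in these modes
LAYER3_MODES = {"router", "proxy-arp"}     # routing table / static routes matter
DEFAULT_PASSWORD = "abc123"                # factory root and admin password
IDP10_MAX_FORWARDING = 4                   # IDP 10 forwarding-interface limit


def lint_config(cfg):
    """Return a list of problems found in cfg; an empty list means it passes."""
    issues = []
    mode = cfg.get("mode")
    if mode not in MODES:
        return [f"unknown deployment mode {mode!r}"]
    fwd = cfg.get("forwarding_interfaces", {})  # name -> "ip/prefix" or None

    # Fail-open protection is only available in bridge or transparent mode.
    if cfg.get("bypass_unit") and mode not in BYPASS_MODES:
        issues.append("NS-IDP-BYP needs bridge or transparent mode")

    for name, addr in fwd.items():
        if mode in BYPASS_MODES and addr is not None:
            issues.append(f"{name}: forwarding interfaces carry no IP in {mode} mode")
        elif mode == "router" and addr is None:
            issues.append(f"{name}: router mode forwarding interfaces need an IP")
        elif addr is not None:
            try:
                ipaddress.ip_interface(addr)  # syntax check only
            except ValueError:
                issues.append(f"{name}: {addr!r} is not a valid ip/prefix")

    # Router and proxy-ARP mode: multiple protected subnets need static routes,
    # otherwise inbound traffic to those subnets can be lost.
    if (mode in LAYER3_MODES and len(cfg.get("protected_subnets", [])) > 1
            and not cfg.get("static_routes")):
        issues.append(f"{mode} mode with multiple protected subnets needs static routes")

    # Sniffer mode needs a hub or a mirror/span port on the switch.
    if (mode == "sniffer" and cfg.get("attached_to") == "switch"
            and not cfg.get("span_port")):
        issues.append("sniffer mode on a switch needs a mirror/span port")

    if cfg.get("model") == "IDP 10" and len(fwd) > IDP10_MAX_FORWARDING:
        issues.append("IDP 10 supports at most four forwarding interfaces")

    # Both appliance accounts ship with the same factory password.
    for account in ("root_password", "admin_password"):
        if cfg.get(account, DEFAULT_PASSWORD) == DEFAULT_PASSWORD:
            issues.append(f"{account} is still the factory default")
    return issues


# Constructed sample configurations, using the addresses from this guide's figures.
BRIDGE_EXAMPLE = {
    "model": "IDP 100", "mode": "bridge", "bypass_unit": True,
    "forwarding_interfaces": {"eth0": None, "eth1": None},
    "management_ip": "2.2.2.7/24", "protected_subnets": ["1.1.1.0/24"],
    "root_password": "<changed>", "admin_password": "<changed>",
}
ROUTER_EXAMPLE = {
    "model": "IDP 500", "mode": "router", "bypass_unit": False,
    "forwarding_interfaces": {"eth0": "192.168.0.1/24", "eth1": "1.1.1.1/24"},
    "management_ip": "2.2.2.7/24", "protected_subnets": ["1.1.1.0/24"],
    "root_password": "<changed>", "admin_password": "<changed>",
}
BAD_EXAMPLE = {   # proxy-ARP with a bypass unit, two subnets, factory passwords
    "model": "IDP 10", "mode": "proxy-arp", "bypass_unit": True,
    "forwarding_interfaces": {"eth0": "1.1.1.254/24", "eth1": "1.1.1.5/24"},
    "protected_subnets": ["1.1.1.0/24", "1.1.2.0/24"], "static_routes": [],
}

if __name__ == "__main__":
    for label, cfg in (("bridge", BRIDGE_EXAMPLE), ("router", ROUTER_EXAMPLE),
                       ("bad", BAD_EXAMPLE)):
        print(label, lint_config(cfg) or "OK")
```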
Proceed to “Connect IDP to Your Network” on page 20.
Step 5
CONNECT IDP TO YOUR NETWORK
In this step, you connect the NetScreen-IDP appliance to your network using the
provided cables and the Ethernet ports (interfaces) on the IDP appliance.
To connect to a switch or hub, use the straight-through Ethernet cable; to connect
to a firewall or router, use the crossover Ethernet cable (cables are included with
your system).
The two example configurations below display the Ethernet ports and their
intended connections (your configuration may differ):
[Figure: IDP 100 port layout. eth0 (Forwarding Interface; can also be the management interface) and eth1 (Forwarding Interface) form the first pair, one to the external network and one to the protected network. eth2 (Forwarding Interface, Optional) and eth3 (Forwarding Interface, Optional) form the second pair, likewise to the external network and to the protected network.]
[Figure: IDP 500 / IDP 1000 port layout. Same arrangement: eth0 (Forwarding Interface; can also be the management interface) and eth1 (Forwarding Interface) to the external and protected networks; eth2 and eth3 (Forwarding Interface, Optional) as a second external/protected pair.]