Evaluated Configuration Guide

Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide
Rev B.2, 8/1/2006

Prepared for: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089
Prepared by: En Pointe Technologies, Inc., 8310 Capital of Texas Highway, Ste. 305, Austin, TX 78731
Table of Contents

1 Usage Guidance ... 3
  1.1 Usage Assumptions ... 3
    1.1.1 Access ... 3
    1.1.2 Access Scope ... 3
    1.1.3 Dynamic ... 3
    1.1.4 User Processes ... 3
    1.1.5 Manage ... 3
    1.1.6 No Evil Administrators ... 3
    1.1.7 No Trust ... 3
    1.1.8 Location ... 3
    1.1.9 Protection ... 4
2 Installation/Configuration Guidance ... 5
  2.1 Installation Prerequisites ... 5
    2.1.1 IDP Sensor ... 5
    2.1.2 NSM Server ... 5
    2.1.3 NSM UI ... 6
  2.2 Installation Procedures ... 6
    2.2.1 IDP Sensor ... 6
    2.2.2 NSM Server ... 7
    2.2.3 NSM UI ... 13
  2.3 Configuration Procedures ... 22
    2.3.1 IDP Sensor ... 22
    2.3.2 NSM Server ... 24
    2.3.3 NSM UI ... 70
3 Appendix A ... 71
  3.1 Software Identification ... 71
    3.1.1 NSM UI ... 71
    3.1.2 NSM Server ... 72
    3.1.3 IDP Sensor ... 74
4 Appendix B: ACM Wizard ... 76
  4.1 ACM Home Page ... 76
  4.2 ACM Wizard Main Page ... 78
    4.2.1 Setup ... 80
    4.2.2 Mode ... 84
    4.2.3 Networking ... 85
    4.2.4 System ... 128
    4.2.5 Management ... 140
    4.2.6 Done ... 144
1 Usage Guidance

Performance of the security functions claimed for IDP and NSM depends on specific assumptions about the security environment in which IDP and NSM will be installed and operated. The following assumptions must be met for IDP and NSM to be considered in their evaluated configuration.

1.1 Usage Assumptions

1.1.1 Access
It is assumed that both IDP and NSM have access to all the IT System data they need to perform their functions. This is accomplished by ensuring that the IDP sensor is correctly connected to the network(s) to be monitored and that NSM is correctly connected to and can communicate with IDP. [A.ACCESS]

1.1.2 Access Scope
It is assumed that the IDP appliance implemented is appropriately scalable to the IT Systems on the network that the IDP appliance monitors. [A.ASCOPE]

1.1.3 Dynamic
It is assumed that the IDP appliance will be managed in a manner that allows it to appropriately address changes to the IT Systems that it monitors. [A.DYNMIC]

1.1.4 User Processes
It is assumed that the IDP Sensor, NSM Server, and NSM UI are installed on dedicated systems that do not contain any user processes that are not required to operate IDP or NSM. [A.USER_PROCESSES]

1.1.5 Manage
It is assumed that there will be one or more competent individuals assigned to manage both IDP and NSM and the security of the information they contain. [A.MANAGE]

1.1.6 No Evil Administrators
It is assumed that the authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided in the documentation for both IDP and NSM. [A.NOEVIL]

1.1.7 No Trust
It is assumed that both IDP and NSM can only be accessed by authorized users. [A.NOTRST]

1.1.8 Location
It is assumed that the processing resources of both the IDP Sensor and the NSM Server will be located within controlled access facilities, which will prevent unauthorized physical access. [A.LOCATE]

1.1.9 Protection
It is assumed that the hardware and software critical to security policy enforcement for both the IDP Sensor and NSM Server will be protected from unauthorized physical modification. [A.PROTCT]
2 Installation/Configuration Guidance

There are specific installation and initialization requirements that must be met for IDP and NSM to operate in their evaluated configuration. Administrators must perform the steps described in this guidance document before implementing IDP and NSM in an operational environment so that each of the security functions can operate properly.

NOTE: All of the software files required to install NetScreen-Security Manager are located on the NetScreen-Security Manager installation CD or on the Internet at the Juniper Networks corporate support web site.

2.1 Installation Prerequisites

The following prerequisites must be met prior to installing IDP or NSM.

2.1.1 IDP Sensor

The IDP Sensor requires one or more of the following IDP appliances:
- IDP 50
- IDP 200
- IDP 600-C
- IDP 600-F
- IDP 1000-C
- IDP 1100-F

2.1.2 NSM Server

The NSM Server requires a server meeting or exceeding the following hardware requirements:
- CPU: Sun Microsystems UltraSPARC IIi 500MHz (or higher), OR Linux 1GHz (x86) processor (or higher)
- Memory: 1GB (or higher); 2GB+ (depending on the number of managed devices and configuration size)
- Swap Space: 4 GB for both GUI Server and Device Server
- Storage: IDE Hard Disk Drive with 10K rpm (minimum); 15K rpm (recommended); 18 GB disk space (minimum); 40 GB disk space (recommended)
- Network Connection: 100 Mbps Ethernet NIC adapter
- Other: the server must be dedicated to running NetScreen-Security Manager.

The NSM Server also requires one of the following operating systems to be installed on the server:
- Solaris 8
- Solaris 9
- Red Hat Enterprise Linux (ES/AS) 3.0-Update 5 or 4.0-Update 1

NOTE: The latest available operating system security patches and service packs must be installed prior to installing the NSM Server or Client software.

2.1.3 NSM UI

The NSM UI requires the following minimum hardware, operating system, and software components:

Hardware
- IBM® compatible PC
- 400MHz Pentium® II or equivalent (minimum); 700 MHz Pentium II or equivalent (recommended)
- RAM: 256 MB (minimum); 512 MB or above (recommended)
- 384kbps (DSL) or LAN connection: the minimum bandwidth required to connect to the NetScreen-Security Manager management system

Operating System
- Microsoft Windows XP
- Microsoft Windows NT® Workstation/Server 4.0, Service Pack 6a or higher
- Microsoft Windows 2000 Server, Advanced Server, or Professional editions
- Red Hat Enterprise Linux ES 3.0 or 4.0
- Red Hat Enterprise Linux AS
- US English versions only

NOTE: The latest available operating system security patches and service packs must be installed prior to installing the NSM Server or Client software.

Software Components
- Java Runtime Environment (JRE) version 1.4.2

2.2 Installation Procedures

2.2.1 IDP Sensor

The IDP appliance is delivered with IDP Sensor software version 4.0 pre-installed. However, new versions of the IDP Sensor software may be made available online or via CD-ROM. To upgrade the IDP Sensor software to the most current version, follow the procedures detailed in the “Updating IDP Sensor Software” section in Chapter 6 of the “IDP 50, 200, 600, 1100 Installer’s Guide”, version 4.0.
2.2.2 NSM Server

To install the NSM Server, perform the following steps:

NOTE: This section assumes that an operating system as identified in section 2.1.2 has already been installed.

1. Log on to the operating system using the “root” account configured during the installation of the operating system.

2. Change the current directory to the path containing the NSM Server installation script.

3. Execute the NSM Server installation script:

    sh nsm2006.1_servers_linux_x86.sh

4. A prompt is displayed asking which servers to install. Type “3” and press Enter to confirm installing both the GUI Server and Device Server on the same system.

    Creating staging directory...ok

    ########## PERFORMING PRE-INSTALLATION TASKS ##########
    Running preinstallcheck...
    Checking if platform is valid...............................ok
    Checking for correct intended platform......................ok
    Checking if all needed binaries are present.................ok
    Checking for platform-specific binaries.....................ok
    Checking for PostgreSQL.....................................ok
    Checking if user is root....................................ok
    Checking if user root exists................................ok
    Checking if system meets RAM requirement....................ok
    Checking for sufficient disk space..........................ok
    Checking if RPM binary is the minimum version ..............ok
    Noting OS name..............................................ok
    Stopping any running servers

    ########## GATHERING INFORMATION ##########
    1) Install Device Server only
    2) Install GUI Server only
    3) Install both Device Server and GUI Server
    Enter selection (1-3) []> 3

5. A prompt is displayed asking if the machine will participate in an HA cluster. Press Enter to accept the default value of “n”.

    ########## GENERAL SERVER SETUP DETAILS ##########
    Will this machine participate in an HA cluster? (y/n) [n]>

6. A prompt is displayed asking for the directory path in which the Device Server data will be stored. Press Enter to accept the default value of “/var/netscreen/DevSvr”.

    ########## DEVICE SERVER SETUP DETAILS ##########
    The Device Server stores all of the user data under a single directory.
    By default, this directory is /var/netscreen/DevSvr.
    Because the user data (including logs and policies) can grow to be quite large,
    it is sometimes desirable to place this data in another partition.
    Please enter an alternative location for this data if so desired, or press ENTER
    for the location specified in the brackets.
    Enter data directory location [/var/netscreen/DevSvr]>

7. A prompt is displayed asking for the directory path in which the GUI Server data will be stored. Press Enter to accept the default value of “/var/netscreen/GuiSvr”.

    ########## GUI SERVER SETUP DETAILS ##########
    The GUI Server stores all of the user data under a single directory.
    By default, this directory is /var/netscreen/GuiSvr.
    Because the user data (including database data and policies) can grow to be quite large,
    it is sometimes desirable to place this data in another partition.
    Please enter an alternative location for this data if so desired, or press ENTER
    for the location specified in the brackets.
    Enter data directory location [/var/netscreen/GuiSvr]>

8. A prompt is displayed asking for the directory path in which the GUI Server database logs will be stored. Press Enter to accept the default value of “/var/netscreen/GuiSvr/xdb/log”.

    The GUI Server stores all of the database logs under a single directory.
    By default, this directory is /var/netscreen/GuiSvr/xdb/log.
    Because the database log can grow to be quite large,
    it is sometimes desirable to place this log in another partition.
    Please enter an alternative location for this log if so desired, or press ENTER
    for the location specified in the brackets.
    Enter database log directory location [/var/netscreen/GuiSvr/xdb/log]>

9. A prompt is displayed asking for the IP address of the management interface that will be used to communicate with the IDP appliance(s). Type in the IP address of the management interface and press Enter.

    Enter the management IP address of this server []> 10.10.10.50
    Setting GUI Server address and port to 10.10.10.50:7801 for Device Server

10. A prompt is displayed asking you to provide and confirm the password that will be used for authenticating the “super” user. Type in the password and press Enter. Then retype the password and press Enter to confirm the password defined.

    Please enter a password for the 'super' user
    Enter password (password will not display as you type)>
    Please enter again for verification
    Enter password (password will not display as you type)>

11. A prompt is displayed asking if a Statistical Report Server will be used with this GUI Server. Press Enter to accept the default value “n”.

    Will a Statistical Report Server be used with this GUI Server? (y/n) [n]>

12. A prompt is displayed asking if the server processes need to be restarted automatically in case of a failure. Press Enter to accept the default value “y”.

    ########## HIGH AVAILABILITY (HA) SETUP DETAILS ##########
    Will server processes need to be restarted automatically in case of a failure? (y/n) [y]>

13. A prompt is displayed asking if this machine will require local database backups. Press Enter to accept the default value “y”.

    ########## BACKUP SETUP DETAILS ##########
    Will this machine require local database backups? (y/n) [y]>

14. A prompt is displayed asking what hour of the day to start the database backup. Press Enter to accept the default value “02”.

    Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]>

15. A prompt is displayed asking if the daily backup will need to be sent to a remote machine. Press Enter to accept the default value “n”.

    Will daily backups need to be sent to a remote machine? (y/n) [n]>

16. A prompt is displayed asking for the number of backups to keep. Press Enter to accept the default value “7”.

    Enter number of database backups to keep [7]>

17. A prompt is displayed asking for the rsync command timeout. Press Enter to accept the default value “1800”.

    Enter the rsync command timeout [1800]>

18. A prompt is displayed asking for the location of the database backup directory. Press Enter to accept the default value “/var/netscreen/dbbackup”.

    Enter database backup directory [/var/netscreen/dbbackup]>

19. A prompt is displayed asking for the full path to the installed rsync program. Press Enter to accept the default value “/usr/bin/rsync”.

    The database backup server(s) requires that you have previously installed the rsync program.
    Enter the full path to rsync [/usr/bin/rsync]>

20. A prompt is displayed asking for the Postgres DevSvr Db port, which defaults to “5432”. Press Enter to accept the default. A prompt is then displayed for the Postgres DevSvr Db super user, which defaults to “nsm”. Press Enter to accept the default name; you are then prompted to enter a password for that user, and to enter it again for verification.

    ########## DEVSVR DB SETUP DETAILS ##########
    Enter Postgres DevSvr Db port [5432]>
    Postgres DevSvr Db port set to 5432
    Enter Postgres DevSvr Db super user [nsm]>
    Postgres DevSvr Db super user set to 'nsm'
    Enter Postgres DevSvr Db password for user 'nsm'
    Enter password (password will not display as you type)>
    Please enter again for verification
    Enter password (password will not display as you type)>
    Postgres DevSvr Db password set for 'nsm'

21. A prompt is displayed asking if the servers should be started after the installation has completed. Type “y” and press Enter.

    ########## POST-INSTALLATION OPTIONS ##########
    Start server(s) when finished? (y/n) []> y

22. A prompt is displayed asking you to confirm the set of configurations that have just been applied. Type “y” and press Enter to accept the configurations. Otherwise, type “n” to repeat steps 6 - 23.

    ########## CONFIRMATION ##########
    About to proceed with the following actions:
    - Install Device Server
    - Install GUI Server
    - Install High Availability Server
    - This machine does not participate in an HA cluster
    - Store Device Server data in /var/netscreen/DevSvr
    - Store GUI Server data in /var/netscreen/GuiSvr
    - Store GUI Server database log in /var/netscreen/GuiSvr/xdb/log
    - Use IP address 10.10.10.50 for management
    - Connect to GUI Server at 10.10.10.50:7801
    - Set password for 'super' user
    - Servers will be restarted automatically in case of a failure
    - Local database backups are enabled
    - Start backups at 02
    - Daily backups will not be sent to a remote machine
    - Number of database backups to keep: 7
    - Logging is disabled: n
    - Create database backup in /var/netscreen/dbbackup
    - Use rsync program at /usr/bin/rsync
    - Postgres DevSvr Db Server port: 5432
    - Postgres DevSvr Db super user: nsm
    - Postgres DevSvr Db password set for 'nsm'
    - Start server(s) when finished: Yes
    Are the above actions correct? (y/n)> y

23. After the configuration has been accepted, the installation process begins. If the installation completes successfully, you will see text similar to the text provided below. If the installation process does not complete successfully, ensure that you have correctly satisfied all of the installation prerequisites identified in section 2.1 and then re-execute the installation script.

    ########## EXTRACTING PAYLOADS ##########
    Extracting payload..........................................ok
    Decompressing payload.......................................ok

    ########## PERFORMING INSTALLATION TASKS ##########
    ----- INSTALLING Device Server -----
    Looking for existing RPM package............................ok
    Removing DevSvr files from default location.................ok
    Installing Device Server RPM................................ok
    Unpacking DevSvr............................................ok
    Installing JRE..............................................ok
    Creating var directory......................................ok
    Creating /var/netscreen/dbbackup............................ok
    Putting NSROOT into start scripts...........................ok
    Filling in Device Server config file(s).....................ok
    Setting permissions for Device Server.......................ok
    ----------Setting up PostgreSQL for DevSvr--------------
    Changing password for user nsm.
    New UNIX password:
    BAD PASSWORD: it is based on a dictionary word
    Retype new UNIX password:
    Passwd: all authentication tokens updated successfully.
    Setting up PostgreSQL for DevSvr. . . ........................ok
    Installation of Device Server complete.

    ----- INSTALLING GUI Server -----
    Looking for existing RPM package............................ok
    Removing GuiSvr files from default location.................ok
    Installing GUI Server RPM...................................ok
    Installing JRE..............................................ok
    Creating var directory......................................ok
    Putting NSROOT into start scripts...........................ok
    Filling in GUI Server config file(s)........................ok
    Setting permissions for GUI Server..........................ok
    Running generateMPK utility.................................ok
    Running fingerprintMPK utility..............................ok
    Installation of GUI Server complete.

    ----- INSTALLING HA Server -----
    Looking for existing RPM package............................ok
    Removing HaSvr files from default location..................ok
    Installing HA Server RPM....................................ok
    Creating var directory......................................ok
    Putting NSROOT into start scripts...........................ok
    Filling in HA Server config file(s).........................ok
    Setting permissions for HA Server...........................ok
    Installation of HA Server complete.

    ----- SETTING START SCRIPTS -----
    Enabling Device Server start script.........................ok
    Enabling GUI Server start script............................ok
    Enabling HA Server start script.............................ok

    ########## PERFORMING POST-INSTALLATION TASKS ##########
    Running nacnCertGeneration..................................ok
    Running idpCertGeneration...................................ok
    Removing staging directory..................................ok
    Starting GUI Server.........................................ok
    Starting Device Server......................................ok
    Starting HA Server..........................................ok

    NOTES:
    - Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20060613094753
    - This is the GUI Server fingerprint:
    38:09:B8:7A:3E:21:0B:FC:D8:20:8B:B4:3A:AC:7E:76:F3:4A:8A:56
    You will need this for verification purposes when logging into the GUI Server.
    Please make a note of it.
    - To enable firmware updates to ScreenOS 4.x devices, the TFTP server on this machine needs to be enabled.
    - To enable firmware updates to ScreenOS 4.x devices, the TFTP server on this machine must have its root directory set to ‘/usr/netscreen/DevSvr/var/cache’
    [root@nsm ~]#

2.2.3 NSM UI

To install the NSM UI, perform the following steps:

1. Log on to the operating system using the “root” or “administrator” account configured during the installation of the operating system.
2. Open a terminal window or command prompt, if it is not already open.

3. Insert the NSM CD or download the NSM Client application from the Juniper Networks, Inc. website.

4. Change the current directory to the path containing the NSM UI installation file. For Windows:

    d:

   (assuming that D: is the drive letter associated with the CD device), or

    C:\tempdir

   (assuming that C:\tempdir is the location to which the NSM UI installation file was downloaded).

5. Execute the NSM UI installation file. For Windows:

    nsm2006.1_ui_win_x86.exe

6. The “Introduction” screen is displayed, as identified in the figure below. Click on “Next” to continue.

   [Figure: NSM UI installer “Introduction” screen]

7. The “License Agreement” screen is displayed, as identified in the figure below. Read through the agreement and select “I accept the terms of the License Agreement”, if it is agreed. Then click on “Next” to continue.

   [Figure: NSM UI installer “License Agreement” screen]

8. The “Choose Install Folder” screen is displayed, as identified in the figure below. Click on “Next” to accept the default value and continue.

   [Figure: NSM UI installer “Choose Install Folder” screen]

   NOTE: The installation path identified above is based on a Windows installation. See below for the default values of each operating system.
   Windows: C:\Program Files\NetScreen-Security Manager

9. The “Choose Shortcut Folder” screen is displayed, as identified in the figure below. Click on “Next” to accept the default value and continue.

   [Figure: NSM UI installer “Choose Shortcut Folder” screen]

10. The “Pre-Installation Summary” screen is displayed, as identified in the figure below. Click on “Install” to confirm the installation options selected and continue with the installation process.

   [Figure: NSM UI installer “Pre-Installation Summary” screen]

11. The “Installing NetScreen-Security Manager” screen is displayed, as identified in the figure below. Wait until the indicator at the bottom of the screen becomes completely green, indicating that the installation is complete.

   [Figure: NSM UI installer “Installing NetScreen-Security Manager” screen]

12. The “Install Complete” screen is then displayed, as identified in the figure below. Click on “Done” to exit the NSM UI installer.

   [Figure: NSM UI installer “Install Complete” screen]
2.3 Configuration Procedures

The following subsections provide instructions for configuring the IDP Sensor, NSM Server, and NSM UI components. The configuration procedures should be performed in the order in which they are presented, unless specific steps direct you to perform other procedures outside of this order.

2.3.1 IDP Sensor

Configuring the IDP appliance involves connecting to the IDP appliance, as described in section 2.3.1.1 below, and running the Appliance Configuration Manager (ACM) wizard, as further described in section 4 below.

2.3.1.1 Connect to the IDP Appliance

To connect to and configure the IDP appliance, you may establish a connection either through the management port or through the console. The following subsections describe how to connect to the IDP appliance using both methods.

2.3.1.1.1 Using the Management Port

To connect to the IDP appliance using the management port, perform the following steps:

1. Locate the management port for your IDP appliance. The management port is labelled as follows on each evaluated IDP appliance:
   - IDP 50: MGT
   - IDP 200: MGT
   - IDP 1000-C: MGT
   - IDP 1100-F: MGT
   - IDP 600-C: MGT
   - IDP 600-F: MGT

2. Connect a standalone computer, such as a laptop, to the IDP appliance management port identified above. To connect directly to the appliance, use a crossover cable. To connect to the appliance over a hub or switch, use a straight-through cable.

3. Change the IP address of the standalone computer to 192.168.1.2, with the subnet mask 255.255.255.0 and the gateway 192.168.1.1. For instructions on changing your IP address, see your computer’s operating system documentation.

4. On the connected computer, open a Web browser. Enter the URL of the ACM wizard as https://192.168.1.1. Because the ACM uses a secure form of HTTP, you MUST enter https:// before the IP address.

5. Enter the default user name (root) and password (abc123). When the ACM wizard appears, proceed to section 4 below.

2.3.1.1.2 Using the Console

To connect to the IDP appliance using the console, perform the following steps:

1. Connect to the IDP appliance. The console can be accessed through either the serial port or the keyboard and monitor connections:
   a. For serial console connections, connect a serial console to the IDP appliance Serial port and configure the terminal software to use parameters 8-N-1, 9600. For Windows, use HyperTerminal. For Linux, use minicom.
   b. For keyboard and monitor connections, connect a keyboard and monitor to the IDP appliance.

2. Log in to the IDP appliance using the default user name (root) and password (abc123). The Ethernet configuration script runs automatically. Follow the instructions in the script’s help text to configure Ethernet access to the IDP appliance.

3. When prompted, select the network card you want to configure. The default configuration for that network card appears.
   a. To accept the default configuration, type n and press Enter to continue.
   b. To reconfigure the network card, type y. Assign an IP address and netmask to the network card. Be sure to use an IP address that is reachable by the computer you will use to configure the Sensor software. Press Enter to continue.

4. When prompted, set a default route by pressing y. Enter the default route for the computer that you will use to configure the Sensor software. Press Enter.

5. Perform the procedure in section 2.3.1.1.1 above to connect to the management port just configured, and run the ACM wizard.
2.3.2 NSM Server

2.3.2.1 Authenticate to the NSM Server

Before any configuration can be applied to the NSM Server, you must first authenticate to the NSM Server using the installed NSM UI. To authenticate, perform the following steps.

1. Open the shortcut selected in the “Choose Shortcut Folder” screen of the NSM UI installation (see step 9 in section 2.2.3).

2. If this is the first time that the NSM UI is run, a prompt displays the RSA fingerprint of the NSM Server. Verify this fingerprint against the fingerprint previously documented in step 23 of section 2.2.2 of this document. Click “Accept” only if it matches.

3. The NSM UI Login prompt is displayed, as identified in the figure below. Enter the administrator name in the “Login:” field, the password in the “Password:” field, and the IP address or hostname of the NSM Server in the “Server:” field. Then left-click on “OK”.

   NOTE: If this is your first time authenticating to the NSM Server, you will need to use the “super” administrator account with the password specified in step 10 of section 2.2.2 above.

   [Figure: NSM UI Login prompt]

4. The NSM UI is then displayed, as identified in the figure below. The default display is the Log Viewer module. However, the NSM UI remembers the last screen in focus the next time the same user authenticates.

   [Figure: NSM UI main window showing the Log Viewer module]
2.3.2.2 Configure Events to Log
To ensure that all required auditable events are selected to be recorded, perform the following steps:
1. Left-click on the “Audit Log Viewer” module.
2. Left-click on the “Edit” menu bar.
3. Left-click on “Set Auditable Activity”.
4. Left-click on the check box next to each of the following “Read only” auditable events that is not already selected with a check mark. The audit requirement each event satisfies is listed beneath it:
   a. View Admins
      FAU_GEN.1: Access to the TOE and System data
   b. View Audit Logs
      FAU_GEN.1 [FAU_SAR.1]: Reading of information from the audit records
      FAU_GEN.1: Access to the TOE and System data
   c. View Devices, Device Groups, & Templates
      FAU_GEN.1: Access to the TOE and System data
   d. View Device Config
      FAU_GEN.1: Access to the TOE and System data
   e. View Device Logs
      FAU_GEN.1: Access to the TOE and System data
   f. View Admin Roles
      FAU_GEN.1: Access to the TOE and System data
   g. View IDP Rulebase
      FAU_GEN.1: Access to the TOE and System data
   h. View Backdoor Rulebase
      FAU_GEN.1: Access to the TOE and System data
   i. View Security Policies
      FAU_GEN.1: Access to the TOE and System data
   j. View Action Attributes
      FAU_GEN.1: Access to the TOE and System data
   k. View SYNProtector Rulebase
      FAU_GEN.1: Access to the TOE and System data
   l. View Traffic Signature Rulebase
      FAU_GEN.1: Access to the TOE and System data
   m. View Network Honeypot Rulebase
      FAU_GEN.1: Access to the TOE and System data
   n. View Auditable Activities
      FAU_GEN.1: Access to the TOE and System data
5. Left-click on the “Read-write” tab next to the “Read only” tab.
6. Left-click on the check box next to each of the following “Read-write” auditable events that is not already selected with a check mark.
NOTE: All Read-write auditable events are selected by default. The events below must remain selected with a check mark to comply with the evaluated configuration.
   a. Create Admins
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   b. Edit Admins
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   c. Delete Admins
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   d. Update Device Config
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   e. Hide & Unhide Device Log
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   f. Purge Device Logs
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   g. Create Security Policies
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   h. Delete Rulebases
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   i. Delete Security Policies
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   j. Create Admin Roles
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
      FAU_GEN.1 [FMT_SMR.1]: Modifications to the group of users that are part of a role
   k. Edit Admin Roles
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
      FAU_GEN.1 [FMT_SMR.1]: Modifications to the group of users that are part of a role
   l. Delete Admin Roles
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
      FAU_GEN.1 [FMT_SMR.1]: Modifications to the group of users that are part of a role
   m. Attack Update
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   n. Modify policylookup Table
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   o. Create/Edit IDP Rulebase
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   p. Create/Edit Backdoor Rulebase
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   q. Edit Security Policies
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   r. Modify Action Attributes
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   s. Create/Edit SYNProtector Rulebase
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   t. Create/Edit Traffic Signature Rulebase
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   u. Create/Edit Network Honeypot Rulebase
      FAU_GEN.1: Access to the TOE and System data
      FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
      FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
7. Left-click on “OK” to confirm and save the selections.
2.3.2.3 Configure NSM to Communicate with IDP
Before configuring communication to the IDP appliance, ensure that the procedures identified above for connecting to and configuring the IDP appliance have been performed. Also ensure that the IDP appliance is powered on and that its management port is correctly configured and connected so that it can reach the NSM Server.
To establish a communication path between the NSM Server and the IDP appliance, perform the following steps:
1. Left-click on the plus sign (+) next to the “Device Manager” module to expand the components within that module.
2. Left-click on the “Security Devices” component.
3. Left-click on the plus sign (+) within the “Security Device Tree” tab that is displayed to the right of the modules tree.
4. Left-click on “Device”.
5. Type a name for the IDP appliance in the “Device Name” field.
6. Select the default option displayed, “Device is Reachable (i.e. Static IP Address)”.
7. Left-click on “Next” to continue.
8. Type the IP address of the IDP appliance's management port in the “IP Address” field.
9. Type “admin” in the “Name” field.
10. Type the password created for the admin user in the “Password” field. NOTE: This is the password specified for the admin account in section 4.2.1.1.
11. Type the password created for the root user in the “Super user Password for IDP Device” field. NOTE: This is the password specified for the root account in section 4.2.1.1.
12. Keep the default selection, “SSH Version 2”, in the “Connect To Device With:” field.
13. Keep the default selection, “22”, in the “Port Number” field.
14. Left-click on “Next” to continue.
15. Verify the SSH key displayed in the “Verify Device Authenticity” window against the key held on the appliance itself. Connect to the console of the IDP appliance, as described in section 2.3.1.1.2, and run the following commands:

    cd /etc/ssh
    ssh-keygen -l -f ssh_host_dsa_key.pub

Reading the fingerprint over the console rather than over the network is what gives this check its value: the console cannot be intercepted by a host sitting between the NSM Server and the appliance.
16. If the fingerprint printed by the commands above matches the key displayed in the “Verify Device Authenticity” window, left-click on “Next” to confirm the device’s authenticity. If it does not match, do not continue: confirming here is what establishes the host key NSM will trust for this device from now on.
17. The Add Device wizard now attempts to auto-detect the settings configured on the IDP appliance. When detection is complete, the “Finish” button is enabled. Left-click on “Finish” to complete the process of adding the IDP appliance.
18. The Add Device wizard then displays a text box indicating that the device is currently being added.
19. When the Add Device wizard is complete, the NSM UI is brought back into focus and the IDP appliance just added is displayed within the “Security Devices Tree” tab.
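The fingerprint comparison in steps 15 and 16 above is done by eye in the NSM UI. The following is an added example, not code from the guide or from Juniper, showing what that comparison amounts to: it parses an OpenSSH public-key line of the kind found in /etc/ssh/ssh_host_dsa_key.pub, computes the fingerprint the same way ssh-keygen -l does (MD5 colon-hex, the form printed by OpenSSH of this era, plus the newer SHA256 form), and compares it in constant time with the string a management console displays. The DSA parameters in the sample key are constructed for the example and are not a valid DSA group; only the wire encoding matters for a fingerprint.

```python
"""Host-key fingerprint check for an "add device" step (added example, not
Juniper code). Given the public-key line read from the appliance console and
the fingerprint string shown in the management UI, decide whether they agree."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer: a leading 0x00 byte is added
    when the top bit is set so the value is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_dss_pubkey_line(p: int, q: int, g: int, y: int, comment: str) -> str:
    """Encode a DSA public key the way ssh-keygen writes ssh_host_dsa_key.pub:
    '<type> <base64 blob> <comment>', where the blob is the type string
    followed by the four mpints p, q, g, y."""
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))
    return "ssh-dss " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_pubkey_line(line: str):
    """Return (key_type, raw_blob) from an OpenSSH public-key line, checking
    that the type in column 1 matches the type embedded in the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match column 1")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated hex MD5 of the blob: the format 'ssh-keygen -l' printed
    in OpenSSH releases of the period covered by this guide."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """'SHA256:<unpadded base64>': the format newer OpenSSH prints by default."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_matches(pubkey_line: str, displayed: str) -> bool:
    """True only if the fingerprint shown by the UI is the fingerprint of the
    key read from the device. Accepts MD5 (with or without an 'MD5:' prefix,
    any letter case) or SHA256 form; base64 is case-sensitive so the SHA256
    form is compared as-is. The comparison itself is constant-time."""
    _, blob = parse_pubkey_line(pubkey_line)
    shown = displayed.strip()
    if shown.upper().startswith("SHA256:"):
        expected = sha256_fingerprint(blob)
        return hmac.compare_digest(expected.encode(), ("SHA256:" + shown[7:]).encode())
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    return hmac.compare_digest(md5_fingerprint(blob).encode(), shown.lower().encode())


# Constructed sample key (small numbers, not a real DSA group). Stands in for
# the line read from the appliance console with: cat /etc/ssh/ssh_host_dsa_key.pub
SAMPLE_KEY_LINE = build_dss_pubkey_line(
    p=0xF4B3A1C2D5E6F70123456789ABCDEF01,
    q=0xC3A9F1E5,
    g=0x1E6B4F2,
    y=0x9A7C5D3E1F20B4C6,
    comment="root@idp-sensor",
)

if __name__ == "__main__":
    _, sample_blob = parse_pubkey_line(SAMPLE_KEY_LINE)
    print("MD5    ", md5_fingerprint(sample_blob))
    print("SHA256 ", sha256_fingerprint(sample_blob))
    print("match  ", fingerprint_matches(SAMPLE_KEY_LINE, md5_fingerprint(sample_blob).upper()))
```

The check fails closed: a key whose embedded type disagrees with its first column is rejected outright, and a fingerprint that differs in a single hex digit, or that was computed over a key differing in one parameter, does not match.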
2.3.2.4 Import IDP Device Configuration
Before any changes can be made to the IDP appliance configuration, the current configuration of the IDP appliance must first be imported into the NSM Server. This is accomplished by performing the following steps:
1. Within the “Security Devices Tree” tab, right-click on the IDP device added in section 2.3.2.3 above, and left-click on “Import Device”.
2. The configuration of the IDP appliance is imported. When the import is complete, a result is returned indicating “Device imported successfully”, as identified in the figure below. Left-click on “Close” to exit the Import Device wizard.
2.3.2.5 Update IDP Detector Engine
The IDP Detector Engine
1. While in the “Device Manager” module view, select “IDP Detector Engine > Load IDP Detector Engine” from the “Devices” menu bar.
2. A confirmation prompt is displayed, reminding you to save any changes to the IDP appliance configuration before proceeding. Left-click on “Next” to continue.
3. Select the check box next to the IDP appliance added in section 2.3.2.3 above. Left-click on “Finish” to continue.
4. A “Job Information” window is displayed, indicating that the operation has completed successfully. Left-click on “Close” to exit the IDP Detector Engine wizard.
2.3.2.6 Install Attack Signature Updates
1. While in the “Device Manager” module view, select “View/Update NSM Attack Database” from the “Tools” menu bar.
2. A confirmation prompt is displayed, reminding you to save any changes to the IDP appliance configuration before proceeding. Left-click on “Next” to continue.
3. A summary prompt is displayed, identifying both the current version.
2.3.2.7 Create Policies to Monitor/Protect Networks
1. Right-click on the “Security Policies” module and left-click on “New Policy…”.
2. Type a name for the IDP policy in the “Policy Name” field. Once a name has been entered, the “Next” button is enabled. Left-click on “Next”; the window shown below is displayed. Un-check the “Firewall/VPN Devices” check box and check the “Stand Alone IDP Devices” check box, as shown below.
3. Select “Use IDP Template”, then select a template from the “Name” drop-down box and left-click on “OK”. Once a name has been selected, the “Next” button is enabled. Left-click on “Next”, left-click on “Next” again, and then left-click on “Finish”.
4. When the policy has been successfully created, the NSM UI is brought back into focus and the security policy just created is displayed within the “Security Policies” screen.
2.3.2.8 Apply Policies to the IDP Appliance
1. Left-click on the “Security Devices” component within the “Device Manager” module.
2. Right-click on the IDP appliance added in section 2.3.2.3 above and left-click on “Policy > Assign Policy…”.
3. Select the IDP policy created in section 2.3.2.7 above in the “Security Policy Name” field.
4. Left-click on “OK” to apply the policy to the IDP appliance.
5. When the operation has successfully completed, the NSM UI is brought back into focus with the IDP appliance displayed within the “Security Devices Tree” tab.
2.3.2.9 Update the Configuration to the IDP Appliance
Assigning a policy in NSM changes only the configuration held on the NSM Server; the policy is enforced by the Sensor only after it has been pushed to the appliance by the update below.
1. While in the “Security Devices” view of the “Device Manager” module, right-click on the IDP appliance added in section 2.3.2.3 above and left-click on “Update Device”.
2. Confirm the default option selected, “Restart IDP Profiler after Device Update”, and left-click on “OK”. NOTE: Restarting the IDP Profiler after the device update is not mandatory.
3. When the device update is complete, a confirmation screen is displayed. Left-click on “Close” to exit the Update Device wizard.
2.3.2.10 Configure Authentication Failure Handling
1. While in the “Security Devices” view of the “Device Manager” module, left-click on “Preferences” from the “Tools” menu bar. The Preferences window appears.
2. Left-click on “System Properties”.
3. Set the numerical value in the “Consecutive, failed login attempts until blocked” field to a value other than zero; zero is not permitted in the evaluated configuration.
NOTE: The default value of 10 is considered reasonable: it tolerates a user's occasional mistakes while limiting the number of guesses an attacker can make when attempting to brute-force an account. Bear in mind that the counter can also be driven deliberately: anyone who can reach the login prompt can block an administrator account by repeatedly failing authentication against it, so watch the audit log for blocks you did not expect.
4. Left-click on “OK” to accept the new value, save the change, and exit the Preferences screen.
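To make the semantics of the setting in step 3 concrete, the following is an added example, not NSM code, modelling a consecutive-failure lockout: an account is blocked once it accumulates the configured number of failures in a row, a successful login resets the count (so nine failures followed by a success do not lead to a block), and a blocked account rejects even the correct password until an administrator unblocks it. The salted PBKDF2 credential store, the audit-trail list and the unblock step are assumptions made for the example; the guide does not describe how NSM stores passwords or how a blocked account is released.

```python
"""Consecutive-failure lockout policy (added example, not NSM code)."""
import hashlib
import hmac
import os


class AdminAccountStore:
    """Holds administrator credentials and enforces 'N consecutive failed
    logins until blocked'. Storage and unblock behaviour are assumptions."""

    def __init__(self, max_consecutive_failures: int = 10):
        if max_consecutive_failures <= 0:
            raise ValueError("a threshold of 0 would disable lockout entirely")
        self.limit = max_consecutive_failures
        self._accounts = {}   # name -> {"salt", "hash", "failures", "blocked"}
        self.audit_log = []   # (event, account) tuples: the example's audit trail

    @staticmethod
    def _derive(salt: bytes, password: str) -> bytes:
        # Iteration count kept modest so the example runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def create(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[name] = {
            "salt": salt, "hash": self._derive(salt, password),
            "failures": 0, "blocked": False,
        }
        self.audit_log.append(("Create Admins", name))

    def login(self, name: str, password: str) -> bool:
        acct = self._accounts.get(name)
        if acct is None:
            # Unknown names take the same failure path so the response does
            # not reveal which administrator names exist.
            self.audit_log.append(("Login failed", name))
            return False
        if acct["blocked"]:
            # Correct password or not, a blocked account is refused.
            self.audit_log.append(("Login refused, account blocked", name))
            return False
        if hmac.compare_digest(acct["hash"], self._derive(acct["salt"], password)):
            acct["failures"] = 0          # success resets the consecutive count
            self.audit_log.append(("Login succeeded", name))
            return True
        acct["failures"] += 1
        self.audit_log.append(("Login failed", name))
        if acct["failures"] >= self.limit:
            acct["blocked"] = True
            self.audit_log.append(("Account blocked", name))
        return False

    def is_blocked(self, name: str) -> bool:
        return self._accounts[name]["blocked"]

    def failures(self, name: str) -> int:
        return self._accounts[name]["failures"]

    def unblock(self, name: str, by: str) -> None:
        """Administrative release of a blocked account (assumed step)."""
        acct = self._accounts[name]
        acct["blocked"] = False
        acct["failures"] = 0
        self.audit_log.append(("Edit Admins: unblocked by " + by, name))


def demo():
    """Walk the policy with the guide's default threshold of 10."""
    store = AdminAccountStore(max_consecutive_failures=10)
    store.create("auditor", "correct horse battery")
    for _ in range(9):
        store.login("auditor", "wrong")
    nine_then_ok = store.login("auditor", "correct horse battery")  # 9 < 10: allowed, count reset
    for _ in range(10):
        store.login("auditor", "wrong")                              # 10 in a row: blocked
    blocked = store.is_blocked("auditor")
    refused = store.login("auditor", "correct horse battery")       # right password, still refused
    store.unblock("auditor", by="super")
    after_unblock = store.login("auditor", "correct horse battery")
    return nine_then_ok, blocked, refused, after_unblock


if __name__ == "__main__":
    print(demo())
```

The point of "consecutive" is the reset on success: an attacker interleaving guesses with a legitimate user's successful logins never reaches the threshold, so a low threshold is not by itself a strong limit on guessing; the audit trail of repeated "Login failed" events is what exposes that pattern.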
2.3.2.11 Create an Administrator
1. While in the “Security Devices” view of the “Device Manager” module, left-click on “Manage Administrators and Domains” from the “Tools” menu bar.
5. Left-click on the plus sign (+) to create a new administrator.
6. Type a name for the new administrator in the “Name” field.
7. Enter information into the other available fields. NOTE: The only required field is “Name”; the remaining fields are optional and may be left empty.
8. Left-click on the “Authorization” tab.
9. Left-click on the “Set Password…” button.
10. Type the password to be used for the new administrator in the “Enter a new password:” and “Confirm new password:” fields. NOTE: The password must be between 9 and 64 characters in length.
11. Left-click on the “Permissions” tab.
12. Left-click on the plus sign (+) to assign a role to the new administrator.
13. Select the role to be assigned to the administrator from the available roles in the “Role” selection box. Assign the least-privileged role that covers the administrator's duties.
14. Select the check box next to the Domain that the new administrator will be assigned to and left-click on “OK” to accept the selection. The default domain is the global domain.
15. Focus returns to the New Administrator wizard. Left-click on “OK” to accept the configuration and create the new administrator.
16. Focus returns to the Manage Administrators and Domains screen. Left-click on “OK” to exit it.
2.3.3 NSM UI
No configuration steps are necessary, since all settings that affect the NSM UI are configured and enforced on the NSM Server.
3 Appendix A
3.1 Software Identification
3.1.1 NSM UI
1. Open the shortcut selected in the “Choose Shortcut Folder” screen during the NSM UI installation (see item 2.2.3 in section 2.2.3).
2. The NSM UI Login prompt is displayed, as identified in the figure below. Verify that the version and build shown in the bottom left-hand corner of the NSM UI Login prompt match the version indicated for the NSM UI in the Security Target.
3.1.2 NSM Server
1. Authenticate to the NSM Server using the steps provided in section 2.3.2.1.
2. When the NSM UI is displayed, left-click on “About NetScreen-Security Manager” from the “Help” menu bar.
3. The “About Juniper Networks - NSM” prompt is displayed. Verify that the version and build shown in its bottom left-hand corner match the version indicated for the NSM Server in the Security Target.
3.1.3 IDP Sensor
1. From within the NSM UI, left-click on the plus sign (+) next to the “Device Manager” module to expand the components within that module.
2. Left-click on the “Security Devices” component.
3. Right-click on the IDP appliance added in section 2.3.2.3 above, and left-click on “Edit”.
4. The IDP appliance properties are displayed. Verify that the version and build shown in the “Detector Version” field match the version indicated for the IDP Sensor in the Security Target.
4 Appendix B: ACM Wizard
4.1 ACM Home Page
When you first navigate to the IDP appliance through a web browser, you are presented with the ACM home page, as identified in the figure below. From here you can view and apply the current IDP configuration, download or upload the IDP configuration, or reconfigure the IDP appliance using the ACM wizard. Individual links beneath the “ACM menu” section let you browse directly to a specific configuration page within the ACM wizard.
4.2 ACM Wizard Main Page
Once the ACM Wizard is invoked, you are redirected to the ACM wizard page, as identified in the figure below. From here you can start the configuration process by clicking on “Start Configuration Wizard”, or import an existing configuration file by specifying its location and clicking on “Upload Config Template”.
4.2.1 Setup
The Setup section of the ACM wizard allows you to:
• specify the password for the root and admin accounts on the IDP Sensor, and
• specify a Fully Qualified Domain Name (FQDN) for the IDP appliance.
4.2.1.1 Choose Sensor Passwords
The “Choose Sensor Passwords” page provides the ability to change the password for both the root and admin accounts, as identified in the figure below.
WARNING: Although the ACM treats changing the default passwords as optional on this page, the evaluated configuration requires that you change the root and admin passwords from their default value (abc123). These are the same credentials NSM uses to manage the appliance (section 2.3.2.3), and the default is printed in this guide.
NOTE: As indicated in the figure below, the password chosen must be between 6 and 20 characters in length.
4.2.1.2 Choose Sensor FQDN
The “Choose Sensor FQDN” page provides the ability to set or change the FQDN for the IDP appliance, as identified in the figure below.
4.2.2 Mode
The Mode section of the ACM wizard allows you to:
• specify the deployment mode that is to be used by the IDP Sensor.
4.2.2.1 Choose Deployment Mode
The “Choose Deployment Mode” page provides the ability to specify which deployment mode is to be used by the IDP Sensor, as identified in the figure below. As indicated, the modes available for deployment include:
• Sniffer Mode
• Bridge Mode
• Proxy-Arp Mode
• Transparent Mode
• Router Mode
NOTE: The configuration screens within the next section vary based on the deployment mode chosen here. For the additional mode-specific configurations, see section 4.2.3.2 below.
4.2.3 Networking
The Networking section of the ACM wizard allows you to:
• configure the network interface hardware installed on your IDP appliance,
• configure deployment mode-specific settings,
• configure the routing table, and
• configure DNS.
4.2.3.1 Choose Network Interface Hardware
The “Choose Network Interface Hardware” page provides the ability to specify the transmission mode to be used by the network interfaces installed on your IDP appliance, as identified in the figure below. By default, the transmission mode is set to “auto”.
4.2.3.2 Deployment Mode Specific Configurations
This section describes the additional configuration pages available within the Networking section that are specific to the deployment mode chosen in section 4.2.2.1 above.
4.2.3.2.1 Sniffer Mode
If Sniffer mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.
4.2.3.2.1.1 Configure the Management Interface
The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to it, as identified in the figure below.
4.2.3.2.1.2 Choose Sniffer Interface(s)
The “Choose Sniffer Interface(s)” page provides the ability to choose one or more interfaces to be used for sniffing network traffic, as identified in the figure below.
4.2.3.2.1.3 Choose Reset Interface
The “Choose Reset Interface” page provides the ability to choose the interface from which the Sensor sends TCP reset packets to close connections it has decided to terminate, as identified in the figure below. In Sniffer mode the Sensor sits outside the traffic path and cannot drop packets, so sending a reset is its only active response to an attack.
4.2.3.2.2 Bridge Mode
If Bridge mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.
4.2.3.2.2.1 Configure VLANs and Virtual Routers
The “Configure VLANs and Virtual Routers” page provides the ability to enable 802.1Q VLAN tags and/or multiple virtual routers, as identified in the figure below.
4.2.3.2.2.2 Configure the Management Interface
The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to it, as identified in the figure below.
4.2.3.2.2.3 Configure Forwarding Interfaces
The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below.
NOTE: You must configure at least two interfaces.
4.2.3.2.2.4 Configure Bridge Interfaces
The “Configure Bridge Interfaces” page provides the ability to specify the IP address and netmask for the forwarding interfaces defined in section 4.2.3.2.2.3, or to specify Stealth mode, in which no IP address is assigned to the forwarding interface, as identified in the figure below.
  102. 102. Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide 4.2.3.2.3 Proxy-ARP Mode If Proxy-Arp mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed. 4.2.3.2.3.1 Configure VLANs and Virtual Routers The “Configure VLANs and Virtual Routers” page provides the ability to enable 802.1Q VLAN tags and/or multiple virtual routers, as identified in the figure below. Rev B.2 8/3/2006 Page 102 of 151
  103. 103. Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide Rev B.2 8/3/2006 Page 103 of 151
  104. 104. Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide 4.2.3.2.3.2 Configure the Management Interface The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below. Rev B.2 8/3/2006 Page 104 of 151
  105. 105. Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide Rev B.2 8/3/2006 Page 105 of 151
  106. 106. Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide 4.2.3.2.3.3 Configure Forwarding Interfaces The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below. NOTE: You must configure at least two interfaces. Rev B.2 8/3/2006 Page 106 of 151
  107. 107. Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide Rev B.2 8/3/2006 Page 107 of 151
  108. 108. Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide 4.2.3.2.3.4 Configure Proxy-ARP Interfaces The “Configure Proxy-ARP Interfaces” page provides the ability to specify the IP address and netmask for the forwarding interfaces defined in section 4.2.3.2.3.3, as identified in the figure below. Rev B.2 8/3/2006 Page 108 of 151
4.2.3.2.4 Transparent Mode

If Transparent mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.

4.2.3.2.4.1 Configure VLANs and Virtual Routers

The “Configure VLANs and Virtual Routers” page provides the ability to enable multiple virtual routers, as identified in the figure below.
4.2.3.2.4.2 Configure the Management Interface

The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below.
4.2.3.2.4.3 Configure Forwarding Interfaces

The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below.

NOTE: You must configure at least two interfaces.
4.2.3.2.5 Router Mode

If Router mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.

4.2.3.2.5.1 Configure VLANs and Virtual Routers

The “Configure VLANs and Virtual Routers” page provides the ability to enable 802.1Q VLAN tags and/or multiple virtual routers, as identified in the figure below.
4.2.3.2.5.2 Configure the Management Interface

The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below.
4.2.3.2.5.3 Configure Forwarding Interfaces

The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below.

NOTE: You must configure at least two interfaces.
4.2.3.2.5.4 Configure Router Interfaces

The “Configure Router Interfaces” page provides the ability to specify the IP address and netmask for the forwarding interfaces defined in section 4.2.3.2.5.3, as identified in the figure below.
4.2.3.3 Choose Routing Table

The “Configure Routing Table” page provides the ability to specify one or more routes to be used by the network interfaces installed on your IDP appliance, as identified in the figure below. At a minimum, a default route should be specified for the network of the management interface; without it the appliance cannot reach an NSM server or administrator that is not on the management interface's local subnet.
4.2.3.4 Configure DNS

The “Configure DNS” page provides the ability to enable and configure DNS information, such as Domain Name, Domain Search, and up to three different Name servers, as identified in the figure below.
4.2.4 System

The System section of the ACM wizard allows you to:

• configure the date, time, and time zone,
• configure NTP settings,
• configure RADIUS settings,
• configure SNMP settings, and
• configure SSH access settings.

4.2.4.1 Configure Date/Time

The “Configure Date/Time” page provides the ability to enable and configure the date, time, and time zone for the IDP appliance, as identified in the figure below.
4.2.4.2 Configure NTP

The “Configure NTP” page provides the ability to enable NTP and to configure time synchronization with up to three different NTP servers, as identified in the figure below.
4.2.4.3 Configure RADIUS

The “Configure Radius” page provides the ability to enable and configure RADIUS information, such as the RADIUS server IP address, RADIUS server port, the shared secret, and the external User ID, as identified in the figure below.
4.2.4.4 Configure SNMP

The “Configure SNMP” page provides the ability to enable and configure SNMP information, such as the read-only community, system location, and system contact, as identified in the figure below.
4.2.4.5 Configure SSH Access

The “Configure SSH Access” page provides the ability to enable remote access via SSH and to restrict which networks may initiate an SSH connection to the appliance, as identified in the figure below. The “Restrict Networks” button used to configure that restriction is further described below in section 4.2.4.5.1.
4.2.4.5.1 Restrict Networks

When the “Restrict Networks” button is clicked from the “Configure SSH Access” page, an additional “Configure SSH Access” page is displayed that provides the ability to specify the networks allowed to establish an SSH connection, as identified in the figure below.

When SSH is enabled and no networks are defined, any network is allowed to establish an SSH connection. When SSH is enabled and one or more networks are defined, only the specified network(s) are allowed to establish an SSH connection, and all other networks are denied. Note that the default with no networks defined is therefore open to any source; the administrator should define the management network(s) explicitly whenever SSH is enabled.
4.2.5 Management

The Management section of the ACM wizard allows you to:

• configure NSM server communication settings, and
• configure settings that restrict access to the ACM interface.

4.2.5.1 Configure Access to the IDP ACM

The “Configure Access to the IDP ACM” page provides the ability to enable access to the ACM and to restrict which networks may initiate a connection to the ACM, as identified in the figure below. The “Restrict Networks” button used to configure that restriction is further described below in section 4.2.5.1.1.
4.2.5.1.1 Restrict Networks

When the “Restrict Networks” button is clicked from the “Configure Access to the IDP ACM” page, an additional “Configure Access to the IDP ACM” page is displayed that provides the ability to specify the networks allowed to establish a connection to the ACM, as identified in the figure below.

When the ACM is enabled and no networks are defined, any network is allowed to connect to the ACM. When the ACM is enabled and one or more networks are defined, only the specified network(s) are allowed to connect to the ACM, and all other networks are denied. As with SSH access, an enabled ACM with no networks defined is reachable from any source, so the management network(s) should be defined explicitly.
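The access rule described for SSH in section 4.2.4.5.1 and for the ACM in section 4.2.5.1.1 is the same allow-list rule with a fail-open default: an enabled service with an empty network list accepts any source, and a non-empty list restricts the service to exactly those networks. The following is an added example, not code from the Juniper guide or the IDP appliance, that models that rule so an administrator can check what a given source address would be permitted to reach and flag services left enabled with no restriction. The service names, the sample networks and the source addresses are constructed for illustration.

```python
"""Model of the ACM 'Restrict Networks' rule for SSH and ACM access.

Added example, not part of the Juniper guide. It implements the rule as
the guide states it: an enabled service with no networks listed accepts
any source; once one or more networks are listed, only sources inside
those networks are accepted; a disabled service accepts nothing.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServiceAccess:
    """One remotely reachable management service and its restrict list."""
    name: str
    enabled: bool
    # CIDR strings as an administrator would enter them on the
    # "Restrict Networks" page (constructed values in the samples below).
    allowed_networks: list = field(default_factory=list)

    def _networks(self):
        # strict=False accepts host bits set in the prefix, e.g. "10.0.5.7/24"
        return [ipaddress.ip_network(n, strict=False) for n in self.allowed_networks]

    def permits(self, source_ip: str) -> bool:
        """Would a connection from source_ip be accepted under this config?"""
        if not self.enabled:
            return False
        if not self.allowed_networks:
            return True  # the fail-open default described in the guide
        src = ipaddress.ip_address(source_ip)
        return any(src in net for net in self._networks())

    def is_fail_open(self) -> bool:
        """Enabled with no networks defined: reachable from any source."""
        return self.enabled and not self.allowed_networks


def audit(services):
    """Names of services that are enabled but not restricted to any network."""
    return [s.name for s in services if s.is_fail_open()]


# Constructed sample configuration (hypothetical management network and
# jump host); the guide itself shows no addresses.
SSH = ServiceAccess("ssh", enabled=True,
                    allowed_networks=["10.0.5.0/24", "192.0.2.17/32"])
ACM = ServiceAccess("acm", enabled=True)  # enabled, Restrict Networks left empty

if __name__ == "__main__":
    for svc in (SSH, ACM):
        for ip in ("10.0.5.20", "192.0.2.17", "198.51.100.9"):
            verdict = "allow" if svc.permits(ip) else "deny"
            print(f"{svc.name}: {ip} -> {verdict}")
    print("enabled but unrestricted:", audit([SSH, ACM]))
```

Running the script shows the asymmetry the guide describes: the SSH service with two networks defined denies 198.51.100.9, while the ACM service, enabled with nothing defined, allows it. The audit function is the check an administrator would run against the saved ACM settings before placing the appliance in the evaluated configuration.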
4.2.6 Done

The Done section of the ACM wizard allows you to:

• view, save, and apply the settings selected through the previous ACM wizard pages.

4.2.6.1 Brief Configuration Report

The “Brief Configuration Report” page is the default page displayed within the Done section and provides the ability to view a brief summary of, save, and apply the settings selected through the previous ACM wizard pages, as identified in the figure below.

NOTE: While only a brief view of the defined configuration is displayed, all configuration that has been defined is saved and applied when “Save Only” or “Save & Apply” is selected.
4.2.6.2 Detailed Configuration Report

By selecting the “Detailed Configuration Report” button from the “Brief Configuration Report” page, the “Detailed Configuration Report” page is displayed, which provides the ability to view a detailed summary of, save, and apply the settings selected through the previous ACM wizard pages, as identified in the figure below.

Note: The entire page could not be captured in the figure below. However, all information that is displayed in addition to the information in the “Brief Configuration Report” page is identified within the figure below.
4.2.6.3 Save Only

By selecting the “Save Only” option and clicking the “Confirm Configuration” button from either the “Brief Configuration Report” page or the “Detailed Configuration Report” page, the “Configuration Saved” page is displayed, which confirms that the settings selected through the previous ACM wizard pages have been saved, as identified in the figure below.
4.2.6.4 Save & Apply

By selecting the “Save & Apply” option and clicking the “Confirm Configuration” button from either the “Brief Configuration Report” page or the “Detailed Configuration Report” page, the “Configuration Saved & Applied” page is displayed, which confirms that the settings selected through the previous ACM wizard pages have been saved and applied, as identified in the figure below.