Although Juniper Networks has attempted to provide accurate information in this guide, Juniper Networks does not warrant or guarantee the accuracy of the information provided
herein. Third party product descriptions and related technical details provided in this document are for information purposes only and such products are not supported by Juniper
Networks. All information provided in this guide is provided “as is”, with all faults, and without warranty of any kind, either expressed or implied or statutory. Juniper Networks
and its suppliers hereby disclaim all warranties related to this guide and the information contained herein, whether expressed or implied or statutory including, without limitation,
those of merchantability, fitness for a particular purpose and noninfringement, or arising from a course of dealing, usage, or trade practice.
Table of Contents
Introduction (p. 4)
  Scope (p. 4)
  Target Audience (p. 5)
Design Considerations (p. 5)
  Requirements and Recommended Devices (p. 6)
Juniper’s Solution (p. 7)
  Major Components of the Solution (p. 7)
    IC Series Unified Access Control Appliances (p. 8)
    EX Series Ethernet Switches (p. 8)
    Firewalls (p. 8)
    Intrusion Prevention System (p. 8)
    STRM (p. 9)
    Network and Security Manager (p. 9)
    Challenges and Solutions (p. 9)
  Traffic Inspection and Coordinated Threat Control (p. 10)
  Centralized Security Management, Visibility, and Control (p. 11)
  Network and Security Devices Generating Events/Logs (p. 11)
Security Threat Response Manager Operational Guidelines (p. 11)
  Monitoring the Dashboard (p. 12)
    Enterprise Security State (p. 12)
    Enterprise Vulnerability State (p. 12)
    Most Severe and Most Recent Offenses (p. 12)
    Top Attackers and Targets (p. 12)
    Offense Investigation (p. 12)
Implementation Guidelines (p. 14)
  Coordinated Threat Control Configuration (p. 14)
    Create a Onetime Password on the IDP Series Device (p. 14)
    Configure a Route to the IC Series Device (p. 14)
    Configure the IDP Series Policies for Event Logging (p. 15)
    Configure IDP Sensor on the IC Series Device (p. 16)
    Configure a Remediation Role for Restricted Access (p. 16)
    Configure the Sensor Event Policy (p. 17)
    Enable the IDP Series and IC Series Connection (p. 17)
  Network and Security Device Integration with STRM Series (p. 18)
    Configure J-Flow on the STRM Series (p. 20)
    Configure NSM Log Export to the STRM Series (p. 20)
    Configure IC Series Device for Log Forwarding to the STRM Series (p. 21)
    Send Flow Records to STRM Series from Junos OS Routers (p. 21)
    Troubleshoot STRM Series Connection (p. 21)
  Troubleshooting Coordinated Threat Control (p. 22)
    Connectivity Issues (p. 22)
    Policies and Roles Mapping (p. 22)
    Failure of Logs to Appear (p. 23)
    Loss of Signal or Signaling Event Steps (p. 23)
Summary (p. 23)
Appendix A: Layer 2 Enforcement (p. 24)
  Configure 802.1X on Each Port of the Switch (p. 25)
  Configure for Guest VLAN (p. 25)
  Enable 802.1X Authentication (p. 26)
  Examples (p. 26)
  Use UAC Manager in Network and Security Manager (p. 27)
  Enable 802.1X via Network and Security Manager (p. 27)
Appendix B: Overlay Enforcement (p. 28)
  Junos OS Enforcer—SRX Series Services Gateway as a UAC Enforcement Point (p. 28)
About Juniper Networks (p. 29)
Table of Figures
Figure 1: Verizon data breach statistics, 2008 (p. 4)
Figure 2: Architecture overview (p. 6)
Figure 3: Coordinated threat control (p. 10)
Figure 4: Example of STRM Series dashboard view (p. 12)
Figure 5: Example of offense investigation (p. 13)
Figure 6: Event analysis window (p. 13)
Figure 7: Configure IC Series routing table entry (p. 15)
Figure 8: NSM console configuration policies display (p. 15)
Figure 9: New Sensor screen display (p. 16)
Figure 10: Event Option—any IDP signal screen (p. 17)
Figure 11: STRM Series sensor devices (p. 18)
Figure 12: Protocol configuration parameters (p. 18)
Figure 13: Editing a sensor device (p. 19)
Figure 14: Configuring IC Series UAC Appliances (p. 19)
Figure 15: Flow source configuration (p. 20)
Figure 16: Device log action (p. 20)
Figure 17: IC Series UAC Appliances device syslog configuration (p. 21)
Figure 18: Defining the RADIUS server screen (p. 24)
Figure 19: Screen for configuring 802.1X on each port of the switch (p. 25)
Figure 20: Screen for configuring a guest VLAN (p. 25)
Figure 21: Screen enabling 802.1X authentication (p. 26)
Figure 22: Sample EX Series 802.1X commands (p. 26)
Figure 23: Screen used to select ports to enable 802.1X on device (p. 27)
Introduction
The increased velocity of business has forced corporations to face security challenges that years ago were not even
considered. In today’s competitive markets, the desire to be closer to the customer and hire employees to work
outside of headquarters are two major factors for the increase in the number of branch offices worldwide. Because
branch office workers need access to the same set of applications as do headquarters and campus employees, there
is an increased demand on applications and network performance, and most importantly, a greater demand for
enterprise-wide, distributed security.
One of the biggest challenges involves a security issue that has taken center stage and threatens the very existence
of the enterprise. In 2008, the “outside-in” attacks have been eclipsed by the insider threat, both in terms of the
sheer number of incidents and also the associated dollar figure for damage that can result from this type of breach.
The average dollar figure for damage due to an insider attack has grown by over 108 percent in just 12 months (Feb.
2009). Therefore, more than ever, security policies and measures must be enhanced to mitigate insider threats.
Regardless of the motivation behind an employee committing the “insider threat,” the results can be devastating to
the organization, to its shareholders, and to the individual whose credentials were used in the breach. Attacks happen
quickly and are usually over within hours or days. Detection has historically lagged far behind, often taking weeks or
even months. By the time a breach is discovered and acted upon by the organization, the breached data is long gone.
[Figure 1: Verizon data breach statistics, 2008. Two pie charts; the labels recovered from the page, each set summing to 100%:
Minutes 11%, Hours 36%, Days 28%, Weeks 18%, Months 7%, Years 0% (time from entry to compromise, per the text above), and
Minutes 0%, Hours and Years 2% and 3%, Days 14%, Weeks 18%, Months 63% (time from compromise to discovery).]
Today’s enterprise security is typically designed around a strong perimeter that protects the enterprise from external
attacks. Enterprises usually overlook the seriousness of internal attacks, against which they have minimal, if any, protection.
Because these internal attacks are generated from within the trusted walls of the distributed enterprise, it is
no surprise that reputable businesses do not want to advertise these internal breaches to the outside world. A
company’s reputation is at stake. Therefore, most security breaches that news organizations are privy to are external
attacks and not internal ones.
Scope
This paper specifically highlights one of the most important aspects of Juniper Networks® Adaptive Threat
Management Solutions—insider threat protection—and emphasizes implementation around centralized
management and integration among Juniper Networks devices. This paper also explains how enterprise customers
can mitigate insider threats by implementing such products as Juniper Networks SRX Series Services Gateways,
Juniper Networks EX Series Ethernet Switches, Juniper Networks Unified Access Control, Juniper Networks IDP
Series Intrusion Detection and Prevention Appliances, Juniper Networks STRM Series Security Threat Response
Managers, and Juniper Networks Network and Security Manager.
Target Audience
• Network security architects
• Security engineers
Design Considerations
This section covers the key design considerations for mitigating insider threats, which is an integral part of Juniper
Networks Adaptive Threat Management Solutions. For further details regarding these solutions, refer to the Adaptive
Threat Management Reference Architecture document.
Most branch offices and campuses connect to headquarters over a private WAN link, over a VPN across the Internet, or
over a VPN carried on a private WAN link. As more and more branch offices connect directly to the Internet to take
advantage of fast, inexpensive broadband, they need a new set of security features that also protect them from internal
threats. Most of the employees who reach the corporate network in this way sit in branch and campus environments, so
that is where the corporation must enforce its security policies on its trusted users. Those trusted users also pose real
risks to their own corporate network through file sharing, video streaming, attachments, and similar activity.
Figure 2 depicts a sample reference network showing Juniper Networks security and access control devices such as:
• Juniper Networks ISG Series Integrated Security Gateways
• SRX Series Services Gateways
• Juniper Networks SSG Series Secure Services Gateways
• EX Series Ethernet Switches
• Juniper Networks IC Series Unified Access Control Appliances
• IDP Series Intrusion Detection and Prevention Appliances
• STRM Series Security Threat Response Managers
• Network and Security Manager
All of these security and access control devices address insider threat mitigation. See Table 1 for requirements and
recommended devices. This sample reference network consists of a small data center that connects to the Internet,
a large campus location, and a branch location.
As illustrated in the figure, a Juniper Networks ISG Series Integrated Security Gateway acts as the firewall protecting
the network perimeter. The IDP Series Intrusion Detection and Prevention Appliance and IC Series Unified Access
Control Appliance sit behind the ISG Series Integrated Security Gateway. The EX Series Ethernet switches sit behind the
IDP Series connecting to the rest of the LAN network. The management tools that connect to the network to monitor
and manage the various devices include the STRM Series and Juniper Networks Network and Security Manager (NSM).
Figure 2 illustrates a process in which a user within the branch office, using his laptop, attempts to log on to his
corporate network via the Internet. The user attempts to access applications that reside in the data center and is
required to log in through the IC Series Unified Access Control Appliances via the UAC Agent (or using UAC’s agentless
mode). However, prior to gaining full access to the desired applications, the user’s security posture is validated against
corporate security policies via the Host Checker, which is built into the UAC Agent (and agentless mode).
The IC Series UAC Appliances, acting as a RADIUS server, perform 802.1X authentication and authorization for
endpoints, using their robust AAA capabilities to interoperate with the organization’s existing AAA appliances and
backend data stores and databases. Layer 2 authentication and enforcement is used to control network access
policies at the edge of the network via an 802.1X-enabled switch or access point such as an EX Series switch,
enabling administrators to enforce an access control policy on a heterogeneous switch and wireless infrastructure.
SRX Series Services Gateways for the branch provide Unified Access Control enforcement by applying dynamic access
control policies at Layer 3 based on user identity, endpoint integrity, and location.
The access control policies are provisioned by the IC Series, which validates user identity, endpoint identity, and
network location and determines the appropriate resource access for the end user. UAC denies users access to the
network until their credentials and endpoint integrity status have been validated. A user who does not meet the
security criteria (as shown in Figure 2) is denied access, either because his credentials are not valid or because his
endpoint’s health does not meet the corporation’s required security criteria.
[Figure 2: Architecture overview. Labels recovered from the diagram: Remote user, Internet, EX4200, SSG Series/SRX Series,
SRX5600, STRM Series.]
Juniper’s Solution
Today’s networks must handle unmanaged devices and branch and guest users attempting network access, and must
apply a session-specific access control policy to each user. Juniper Networks Unified Access Control combines user
identity and device security state with network location to create a unique, session-specific access control policy for
each user that is enforced throughout the network. UAC can be applied at Layer 2 using any vendor’s 802.1X-enabled
wireless access points and switches, including EX Series Ethernet Switches; at Layer 3 using any Juniper Networks
firewall (such as the SSG Series, SRX Series, or ISG Series gateways); or at both layers.
Unified Access Control enables businesses to establish and enforce policies that grant users differentiated network
access based on their roles. For instance, full-time employees may have unrestricted access, while partners and
contractors may be able to reach designated servers, and guests may have limited-bandwidth Internet access.
Individual devices can also be scrutinized to ensure compliance with security standards. For example, if a laptop
does not contain the latest antivirus software, the user may be directed to a quarantine VLAN and given the option
to update the computer’s security software or be denied access altogether. The UAC solution delivers rich policy
enforcement capabilities that extend to the network edge. Securing intranet application and resource traffic is vital to
protecting your network from insider threats. Coordinated Threat Control, which integrates an IDP Series appliance
into the UAC solution, adds application-level threat detection for branch and campus users who are authenticated
through UAC. It works with UAC to identify the user or device behind the threat, enabling a focused, surgical access
control response against that specific offending user or device.
Firewalls
Juniper Networks firewalls—including the SRX Series Services Gateways, ISG Series Integrated Security Gateways,
and SSG Series Secure Services Gateways—deliver high-performance network security to protect all types of
enterprises and networks from unauthorized access as well as from network and application-level attacks. The
enforcement of Juniper’s firewall capabilities can be dynamically changed according to user, role, location, and
endpoint information. SRX Series for the branch and the SSG Series support a complete set of optional unified threat
management (UTM) features such as intrusion prevention system (IPS), antivirus (anti-spyware, anti-phishing, anti-
adware), anti-spam, and Web filtering to protect against a wide range of content-borne threats such as:
• Worms and viruses
• Trojans, spyware, adware, and keyloggers
• Malware
• Phishing attacks
• Zero-day threats
The SRX Series for the branch and SSG Series platforms, together with Juniper Networks Unified Access Control,
can apply these UTM features on a per-user/per-session basis to unify the application of access and security policies
for comprehensive network access and threat control.
STRM
Juniper Networks STRM Series Security Threat Response Managers are a network security management platform
that provides situational awareness and compliance support through the combination of flow-based network
knowledge, security event correlation, and asset-based vulnerability assessment.
STRM Series appliances are designed to respond to the right threats at the right time through effective analysis
of networks, events, and audit log files. The STRM Series has the ability to identify environmental anomalies in
the network, an attack path, and the source of a threat. The STRM Series provides network remediation for threat
responses across all security products.
STRM Series appliances use two drivers, Security Information Management (SIM) and Security Event Management
(SEM), for security analysis of external and internal threats. SIM provides reporting and analysis of data from
host systems, applications, and security devices to support security policy compliance management, internal
threat management, and regulatory compliance initiatives. SEM improves security incident response capabilities
by processing data from security devices and network devices, helping network administrators provide effective
responses to external and internal threats.
[Figure 3: Coordinated threat control. Labels recovered from the diagram: Campus HQ (wired/wireless), User, Wireless
Access Point, EX Series L2 Access Switch, IC Series, IDP Series, Internet, Data Center, Application.]
Offense Investigation
The STRM Series lets an administrator investigate potential threats and attacks: save an attack report, then carry out
a quarantine or analysis investigation. Any reported offense can be investigated with the data needed from all
security devices for forensic analysis. Offense investigation takes two steps.
1. From the Most Recent Offenses view or from the Offense Manager tab, double-click the offense to open a detailed
report. The sample offense report referred to here (Offense 3) summarizes the attacker’s source and location, the
attack target, the magnitude of the attack, and the primary events. Figure 5 shows an example of offense investigation.
2. Drill down from the report for forensic analysis. Click the Events icon to open an event detail screen and analyze
the relevant events reported from all security devices; narrow the search with filters and time intervals as needed.
Figure 6 shows an example of event analysis.
Implementation Guidelines
This section enables solution implementation by describing device configuration of all associated network
components and then showing readers how to verify operation of the solution. This section specifically focuses on
coordinated threat control configuration and troubleshooting practices. See Appendix A for configuration instructions
for providing Layer 2 enforcement using the EX Series Ethernet Switches; see Appendix B for configuration steps for
the IC Series and SRX Series in order to create overlay enforcement.
2. Initially set the count to 1, so that a single IDP event triggers the role change. Raise it once a baseline has been
established and coordinated threat control has been operating for a period of time.
3. Configure the signal to replace the role for this session only. This assumes that the quarantine action will be
caught and investigated. If the event was real, the enterprise network has been protected; if it was benign and
simply a matter of educating the user, this setting does not prevent the user from accessing the network in later
sessions.
4. Apply the rule to all appropriate roles (typically all roles).
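As an added illustration of steps 2 to 4 (example code written for this page, not part of the guide and not Juniper's UAC implementation), the Python model below shows how a sensor event policy with count 1, session-only role replacement and all-roles scope behaves across sessions, and how raising the count or narrowing the scope changes the outcome. The users, the role names, the remediation role name and the IDP event labels are constructed for the example.

```python
"""Model of an IC Series sensor event policy applied to UAC sessions (illustrative, not Juniper code)."""
from dataclasses import dataclass, field
from itertools import count as _ids
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    session_id: int
    user: str
    base_role: str            # role assigned by role mapping at login
    role: str                 # effective role; the sensor policy may replace it
    idp_events: int = 0
    events: List[str] = field(default_factory=list)


@dataclass
class SensorEventPolicy:
    count: int = 1                           # step 2: events required before the action fires
    remediation_role: str = "Remediation"    # restricted role (assumed name for the example)
    applies_to: Optional[Set[str]] = None    # step 4: None means every role

    def on_event(self, session: Session, signal: str) -> bool:
        """Record one IDP signal for the session; return True if the role was replaced."""
        if self.applies_to is not None and session.base_role not in self.applies_to:
            return False
        session.idp_events += 1
        session.events.append(signal)
        if session.idp_events >= self.count and session.role != self.remediation_role:
            session.role = self.remediation_role    # step 3: replaced for this session only
            return True
        return False


class InfranetController:
    """Holds live sessions and the role each user maps to at login (constructed role map)."""

    def __init__(self, role_map: Dict[str, str], policy: SensorEventPolicy):
        self.role_map = role_map
        self.policy = policy
        self.sessions: Dict[int, Session] = {}
        self._next_id = _ids(1)

    def login(self, user: str) -> Session:
        role = self.role_map[user]      # the mapped role is untouched: replacement was per session
        s = Session(next(self._next_id), user, role, role)
        self.sessions[s.session_id] = s
        return s

    def logout(self, session: Session) -> None:
        self.sessions.pop(session.session_id, None)

    def idp_event(self, session_id: int, signal: str) -> bool:
        return self.policy.on_event(self.sessions[session_id], signal)


ROLE_MAP = {"alice": "Employees", "bob": "Employees", "carol": "Contractors"}  # constructed


def run_scenario(count: int = 1, applies_to: Optional[Set[str]] = None) -> Dict[str, object]:
    """Drive the model through the situations the guide's steps describe."""
    ic = InfranetController(ROLE_MAP, SensorEventPolicy(count=count, applies_to=applies_to))
    a1 = ic.login("alice")
    fired = [ic.idp_event(a1.session_id, f"IDP-EVENT-{i}") for i in range(3)]
    role_after = a1.role
    ic.logout(a1)
    a2 = ic.login("alice")              # a new session starts from the base role again
    c1 = ic.login("carol")
    carol_fired = ic.idp_event(c1.session_id, "IDP-EVENT-x")
    return {"events_to_fire": fired.index(True) + 1 if True in fired else None,
            "alice_role_after": role_after, "alice_role_next_session": a2.role,
            "carol_role": c1.role, "carol_fired": carol_fired}
```

With the defaults the first event quarantines the session and the next login gets the mapped role back, which is the behaviour step 3 relies on; `run_scenario(count=3, applies_to={"Employees"})` shows the effect of a higher baseline count and of a rule that is not applied to every role.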
Figure 12 illustrates a Network and Security Manager sample configuration. NSM has a predefined Device Support
Module (DSM), which means that the STRM Series recognizes the log formats that NSM sends.
Note: NSM is also given a credibility of 5. Credibility is a confidence level used to weight and consolidate the log
messages from all devices and sensors. The default is 5; the range is 1 through 10.
Click Configure>SIM Configuration>Protocol Configuration to display the Network and Security Manager
configuration window. This configuration defines ports and the IP addresses that the STRM Series expects as source
addresses for this sensor’s log events (see Figure 13). The IP address matches the additional configuration under
sensors.
Figure 13 illustrates a Network and Security Manager sensor configuration example. The Sensor Device Type—
Network and Security Manager is predefined. The Credibility factor ranges from 1 to 10.
The IC Series sensor configuration is similar to the NSM configuration. When adding a device from the Sensor menu,
there is a predefined IC Series appliance. Its protocol and thus its fields are prescribed by the syslog specification.
Log events have a credibility of 5.
forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;                  /* sample every packet (1 in 1) */
                run-length 1;
            }
        }
        output {
            cflowd 1.4.39.11 {           /* STRM Series flow collector */
                port 9995;               /* must match the J-Flow port configured on the STRM Series */
                source-address 1.4.39.1;
                version 5;               /* NetFlow/cflowd version 5 records */
            }
        }
    }
}
/* Sampling must also be switched on for the interfaces whose traffic is to be exported,
   for example with family inet sampling { input; output; } on the logical interface.
   The services { flow-monitoring ... } stanza below is truncated on the original page. */
services {
    flow-monitoring;
}
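To check what the export above actually puts on the wire, the following Python decoder handles NetFlow version 5 datagrams, the cflowd version 5 format the configuration selects. It is an added example written for this page, not code from the guide, from Junos OS or from the STRM Series. The datagram it parses is constructed in the block from the v5 field layout, the flow contents are made up, and the default collector port 9995 matches the configuration; no router is contacted unless you call `receive_one` yourself.

```python
"""Decode NetFlow version 5 (cflowd version 5) datagrams as a J-Flow collector would.
Added example for this page; not Juniper or STRM code."""
import socket
import struct
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record
MAX_RECORDS = 30                                        # v5 exporters send at most 30 per datagram
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

SAMPLE_FLOWS = [   # constructed flows, not captured traffic
    {"src": "10.20.1.23", "dst": "10.40.0.10", "proto": 6, "sport": 51234, "dport": 443,
     "packets": 12, "octets": 4096, "tcp_flags": 0x18},
    {"src": "10.20.1.23", "dst": "10.40.0.53", "proto": 17, "sport": 53422, "dport": 53,
     "packets": 1, "octets": 72},
]


def build_v5(flows: List[dict], flow_sequence: int, sampling_interval: int = 1) -> bytes:
    """Assemble a datagram the way an exporter would; used here only to produce test input."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1262304000, 0, flow_sequence,
                            0, 0, sampling_interval & 0x3FFF)
    records = b"".join(
        V5_RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                       socket.inet_aton("0.0.0.0"), f.get("in_if", 0), f.get("out_if", 0),
                       f["packets"], f["octets"], 1000, 2000, f["sport"], f["dport"],
                       0, f.get("tcp_flags", 0), f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + records


def parse_v5(data: bytes) -> Tuple[Dict[str, int], List[dict]]:
    """Validate the header, then decode every record. Raises ValueError on a malformed datagram."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"record count {count} does not match datagram length {len(data)}")
    header = {"version": version, "count": count, "flow_sequence": seq, "unix_secs": secs,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "octets": r[6], "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": PROTO_NAMES.get(r[13], str(r[13]))})
    return header, flows


def sequence_gap(prev_seq: int, prev_count: int, header: Dict[str, int]) -> int:
    """Flows lost between consecutive datagrams from one exporter. flow_sequence counts
    records, not datagrams, so the next datagram should start at prev_seq + prev_count."""
    return (header["flow_sequence"] - (prev_seq + prev_count)) & 0xFFFFFFFF


def receive_one(port: int = 9995, timeout: float = 30.0):
    """Bind the collector port on this host and decode a single datagram from the router."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", port))
        data, (exporter, _) = sock.recvfrom(65535)
    return exporter, parse_v5(data)
```

Running `receive_one()` on the host the cflowd statement points at confirms that the router is exporting before any STRM-side debugging starts; a persistently non-zero `sequence_gap` between consecutive datagrams indicates lost datagrams (congestion or a firewall dropping some of the flow) rather than a configuration error, and a version other than 5 means the router and the STRM flow source disagree on the record format.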
The second critical source of errors is the variation in ports used by different devices. Most devices send syslog to
port 514 (UDP, or TCP where so configured). The ports and flows between the sensors and the flow collectors must also be
opened on any firewalls in the path; confirm this in the firewall policies.
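The sensor protocol configuration described above fixes the port and the source addresses the STRM Series accepts for a syslog sensor, and the port note explains the most common reason logs fail to appear. The Python below, an added example for this page rather than STRM code, applies those receiver-side checks to constructed syslog datagrams and decodes the RFC 3164 PRI field so that a rejected message reports exactly which check failed. The sensor name, the expected source addresses and the sample log line are constructed; the real IC Series log format is not reproduced.

```python
"""Receiver-side checks for a syslog sensor, modelled on the STRM protocol configuration (added example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SensorConfig:
    """The fields the guide says the protocol configuration sets for a syslog sensor."""
    name: str
    expected_sources: List[str]      # addresses or prefixes STRM accepts as log sources
    port: int = 514                  # most devices send syslog to port 514
    credibility: int = 5             # default 5, range 1..10

    def __post_init__(self):
        if not 1 <= self.credibility <= 10:
            raise ValueError("credibility must be between 1 and 10")
        self._nets = [ip_network(s, strict=False) for s in self.expected_sources]

    def source_allowed(self, src_ip: str) -> bool:
        return any(ip_address(src_ip) in n for n in self._nets)


@dataclass
class Verdict:
    accepted: bool
    reason: str
    facility: Optional[str] = None
    severity: Optional[str] = None
    host: Optional[str] = None
    message: Optional[str] = None


def check_datagram(cfg: SensorConfig, src_ip: str, dst_port: int, payload: str) -> Verdict:
    """Decide whether a received syslog datagram becomes an event, and why not if it does not."""
    if dst_port != cfg.port:
        return Verdict(False, f"port {dst_port} is not the configured sensor port {cfg.port}")
    if not cfg.source_allowed(src_ip):
        return Verdict(False, f"source {src_ip} is not an expected source address for {cfg.name}")
    m = SYSLOG_RE.match(payload)
    if not m:
        return Verdict(False, "payload is not RFC 3164 syslog (<PRI>TIMESTAMP HOST MSG)")
    pri = int(m.group("pri"))
    if pri > 191:                     # 24 facilities x 8 severities
        return Verdict(False, f"PRI {pri} out of range")
    return Verdict(True, "accepted", FACILITIES[pri >> 3], SEVERITIES[pri & 7],
                   m.group("host"), m.group("msg"))


# Constructed sensor definition and log line; the addresses are not from the guide.
IC_SENSOR = SensorConfig("ic4500-campus", ["10.40.0.20", "10.40.0.0/24"])
SAMPLE = "<134>Jan 12 10:15:02 ic4500 UAC: user alice role Employees session started from 10.20.1.23"
```

When logs fail to appear, feeding a captured datagram's source address, destination port and payload through `check_datagram` separates the three failure modes the guide's troubleshooting sections list: a port mismatch, a source address the sensor was not configured for, and a payload the DSM cannot parse.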
Connectivity Issues
The usual tools for connectivity problems on any sophisticated networking device apply here: ping, traceroute, and
packet capture (Ethereal, now Wireshark, on PCs and laptops; tcpdump on IC Series and IDP Series devices). All of these
are available in one command form or another on Juniper Networks devices.
The troubleshooting commands on the SRX Series display the following:
• The status of the connection between the SRX Series and the IC Series device, with statistics to help debug that
connection.
• A summary of the authentication table entries pushed from the IC Series appliance. Authentication tables store
mappings between Junos OS traffic flows and UAC roles; the IC Series uses the roles in these mappings to determine
which UAC policies apply to each Junos OS flow.
• A summary of all UAC policies that the IC Series has defined for this enforcer.
Summary
To effectively protect today’s enterprise, network administrators, IT managers, and network security specialists
must have insight into the multiple types and levels of evolving threats that impact the integral elements of
their networks—including perimeter, critical resources, and remote access. Juniper Networks Adaptive Threat
Management Solutions are dynamic and high-performance security solutions that adapt to changing risks. By
leveraging a cooperative system of tightly integrated security products, these solutions provide network-wide
visibility and control that adapt and secure the network against constantly evolving threats. By providing centralized
security management and enterprise-wide visibility and control with multi-layered security, these industry-leading
security solutions enable network administrators to protect their perimeter, critical resources, and remote access
by users and devices to prevent threats from compromising their organization’s revenue, reputation, and intellectual
property.
Insider threat protection is a critical part of Juniper Networks Adaptive Threat Management Solutions—enabling
enterprises to solve major security issues such as securing and authorizing LAN access, inspecting malicious traffic,
and protecting the enterprise from insider attacks. This solution leverages features built into Juniper Networks
products such as L3-7 access control and UTM on firewalls, intrusion prevention, and coordinated threat control
capabilities of the UAC solution and IDP Series, in addition to the centralized security management capabilities of
NSM and the STRM Series—all working together to provide network-wide protection. The implementation steps
described in this paper provide a highly adaptive solution that enables network and security administrators to truly
implement high-performance, comprehensive threat protection across their distributed enterprise.
Figure 19: Screen for configuring 802.1X on each port of the switch
Examples
Figure 22 illustrates a graphical example of EX Series 802.1X commands.
Specify the Junos OS interface to which the IC Series device should connect.
3. Specify the password that the SRX Series device should use to initiate secure communications with the
IC Series device.
Copyright 2010 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos,
NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their respective
owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.