High Availability QUICKSTART GUIDE
IDP 3.1
V/N 3.1
P/N 093-1625-000
Revision A

For more assistance with Juniper Networks products, visit: www.juniper.net/support

Juniper Networks occasionally provides maintenance releases (updates and upgrades) for ScreenOS firmware. To have access to these releases, you must register your NetScreen device with Juniper Networks at the above web address.

Copyright © 2005 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.

The following are trademarks of Juniper Networks, Inc.: Deep Inspection, ERX, ESP, Instant Virtual Extranet, Internet Processor, J-Protect, JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-IDP 1000, IDP 50, IDP 200, IDP 600, IDP 1100, ISG 1000, ISG 2000, NetScreen-Global Pro Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series, NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, GigaScreen ASIC, GigaScreen-II ASIC, NMC-RX, SDX, Stateful Signature, T320, T640, and T-series. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089 U.S.A.
www.juniper.net

Enterprise Security Profiler
Use of the Enterprise Security Profiler may subject users in certain countries to obligations under applicable laws and regulations, including data protection laws. Juniper Networks makes no representation or warranty that your use of this feature will comply with all applicable laws and regulations and you are encouraged to seek advice of counsel to understand your obligations, if any, under applicable laws and regulations.

2 | Juniper Networks, Inc.

CONTENTS
OVERVIEW ............................................ 4
CHOOSE A DEPLOYMENT MODE ............................ 6
INSTALL THE IDP MANAGEMENT SERVER .................. 14
CONNECT TO THE IDP APPLIANCE ....................... 16
CONFIGURE THE IDP SENSOR ........................... 18
CONNECT IDP TO YOUR NETWORK ........................ 20
CONFIGURE YOUR NETWORK SWITCH ...................... 22
INSTALL THE USER INTERFACE ......................... 23
ADD NETWORK COMPONENTS ............................. 25
INSTALL A SECURITY POLICY .......................... 26
CREATE THE HA CLUSTER .............................. 28
UPDATE YOUR ATTACK OBJECTS ......................... 31
IDP QUICKSHEET ..................................... 32

HA QuickStart Guide, Juniper Networks IDP 3.1 | 3

OVERVIEW
This guide details how to install version 3.1 of the Juniper Networks Intrusion Detection and Prevention (IDP) system for high availability (HA) solutions that use IDP 100, 500, or 1000 appliances.
For help with non-HA configurations, see the QuickStart Guide, IDP 3.1. For help with IDP upgrades, contact customer support.

IDP Sensor Package Contents
Each IDP Sensor package contains:
• An IDP appliance
• A bezel
• An accessory box containing:
  – 1 North American power cable
  – 2 Ethernet cables (blue cables)
  – 2 LC-LC fiber cables (IDP 500 & 1000 only)
  – 2 Crossover Ethernet cables (orange cables)
  – 1 Null modem serial cable (gray cable)
• A documentation box containing:
  – Product data sheet
  – Release Notes

IDP Management Package Contents
Each IDP Management package contains:
• Installation CD
• Product Documentation CD
• QuickStart Guide
• High Availability QuickStart Guide
• Release Notes

The IDP Installation CD includes the software required to install or configure the IDP Management Server, the IDP Sensor, and the User Interface.

The Installation Process
Because all networks are different, Juniper Networks recommends that you install one IDP Sensor at a time. When you have successfully installed a Sensor and are receiving log records, you can configure and connect additional Sensors to your network.

The installation process consists of the following 12 steps:
1. Choose a Deployment Mode. In this step, you choose a deployment mode for your IDP system and an HA solution.
2. Install the IDP Management Server. In this step, you install the Management Server software.
3. Connect to the IDP Appliance. In this step, you connect your system to the IDP appliance using a serial or network connection.
4. Configure the IDP Sensor. In this step, you configure the Sensor software that is pre-installed on the IDP appliance.
5. Connect IDP to Your Network. In this step, you connect the Sensor to your network.
6. Configure Your Network Switch (Standalone HA only). In this step, you configure your network switch to pass multicast or unicast MAC traffic to the Sensor.
7. Install the User Interface. In this step, you install the User Interface (UI).
8. Add Network Components. In this step, you add the IDP Sensor as a Network Object in the IDP system.
9. Install a Security Policy. In this step, you install a Security Policy on the Sensor.
10. Run the Profiler. In this step, you configure and run the Profiler.
11. Create the HA Cluster. In this step, you configure and add multiple Sensors to your network to create an HA Cluster.
12. Update Your Attack Objects. In this step, you update your Attack Object database to ensure that you are fully protected from the latest attacks.

IDP Appliance Placement
You can place the IDP appliances in your HA cluster in front of your firewall, behind your firewall (recommended), or anywhere on your network. You should choose a location for your IDP appliances based on your existing network hardware and the networks you want to protect. The examples provided in this guide place the IDP appliances behind the firewall or router.

Step 1: CHOOSE A DEPLOYMENT MODE
The first step in setting up the IDP system on your network is to determine where you want to install the IDP appliance and which high availability deployment mode you want to use for failure protection or load balancing.

Choosing a High Availability Deployment Mode
You must deploy the IDP appliances in bridge, router, transparent, or proxy-ARP mode to enable a high availability solution. The network diagrams on pages 9-13 illustrate example configurations for each deployment mode. Examine the examples to determine which deployment mode works best with your network:
• To use a forwarding interface as a management interface, you can assign the interface an IP address. However, because of security risks, Juniper Networks does not recommend this option. Instead, use a dedicated interface for management; this option decreases the risk that an attacker might be able to communicate directly with the IDP Sensor.
• You can use any interface on the IDP appliance as a forwarding interface.
  However, to increase performance, Juniper Networks recommends that you assign forwarding interfaces to those interfaces that share a network driver. Use eth0 and eth1, or use eth2 and eth3, as forwarding interfaces.
• The diagrams provided in this guide are examples only; you can choose to use different interfaces for forwarding, management, and state-sync depending on your IDP appliance (100/500/1000) and your existing network configuration.

Note: The IDP system defaults to sniffer mode. You must configure the IDP appliance to use bridge, router, transparent, or proxy-ARP mode to enable high availability.

Choosing a High Availability Solution
Each deployment mode supports one or more HA solutions (standalone or external). For more details on deployment modes and HA solutions, see the “High Availability Solutions” chapter in the Intrusion Detection and Prevention Concepts & Examples Guide.

In proxy-ARP and router modes, if you are using multiple subnets in your protected network, you must configure static routes on the IDP appliance to these subnets. Without static routes, incoming traffic to those subnets can be lost. Alternatively, you can create a static route from the IDP appliance to an internal gateway that contains inbound routes to the protected subnets.

Standalone High Availability (Proxy-ARP & Router Modes)
This HA solution can support 2 to 16 IDP appliances in a load-sharing or hot standby configuration with no additional hardware. You can configure standalone HA solutions using the Appliance Configuration Manager (ACM) in Step 4.

For maximum failover protection, you can deploy an HA cluster of IDP appliances in proxy-ARP mode behind Juniper Networks FW/VPN devices that use an active/active configuration. When using Juniper Networks FW/VPN devices with IDP appliances:
• Your Juniper Networks FW/VPN devices must support NSRP (NS-50 firewalls and higher models) and run ScreenOS 4.0.0 or higher.
  NS-5XT, NS-5XP, and NS-25 firewalls do not support NSRP and cannot be used for IDP high availability. Juniper Networks recommends that you use NS-208 or higher models for an active/active configuration with an IDP HA cluster.
• You must configure NSRP for your Juniper Networks FW/VPN devices as active/active, and configure two virtual security devices (vsd) for each Juniper Networks firewall (master and primary backup).
• For each physical interface (including trust zone and untrust zone), you must assign a unique IP address to each vsd. This interface is the virtual security interface (vsi). Each Juniper Networks firewall must use the same settings for each vsi; however, you can use different manage IP addresses.
• When you configure the Sensor using the ACM in Step 4:
  – The gateway for node 1 is the trusted vsi of the first vsd.
  – The gateway for node 2 is the trusted vsi of the second vsd.
  – The gateway for hosts on the protected network can be the trusted vsi of the first or second vsd.

External High Availability (Bridge, Transparent, & Router Modes)
This HA solution can support 2 to 16 IDP appliances in a load-balancing or hot standby configuration but requires external hardware. You can configure external HA solutions using the ACM in Step 4.

When using bridge or transparent mode for external IDP high availability:
• Your Juniper Networks FW/VPN devices must support NSRP (see above), and you must configure NSRP for your Juniper Networks FW/VPN devices as active/passive.
• You must assign the management interface an IP address:
  – If you are using a forwarding interface as a management interface, you must use a stealth interface for the forwarding interface that does not connect to the IDP Management Server.
  – If you are not using a forwarding interface as a management interface (the management interface is a dedicated interface), you can use a stealth interface for all forwarding interfaces on the IDP appliance.
Multicast or Unicast Forwarding [Standalone HA only]
The Standalone HA solution can use two different forwarding options to send and receive traffic: unicast or multicast. You choose one of these forwarding options based on your existing network hardware and configuration. To use a standalone HA solution, review your existing network hardware and use the table below to determine the best forwarding method to use. You are prompted to specify the forwarding method for the standalone HA solution during the Sensor configuration process described in “Configure the IDP Sensor” on page 18.

  IF YOUR NETWORK SWITCH      IN ROUTER MODE                        IN PROXY-ARP MODE
  SUPPORTS...                 Layer 3 devices (routers, servers)    Layer 3 devices (routers, servers)
                              ...can learn     ...cannot learn      ...can learn     ...cannot learn
                              multicast ARP    multicast ARP        multicast ARP    multicast ARP
  Unicast traffic to          YES              YES (Best)           YES              YES (Best)
  multiple ports
  Multicast traffic to        YES              Not Recommended (a)  YES              Not Recommended (a)
  multiple ports

  a. To use a network switch that supports only multicast (and not unicast) with network devices that cannot pass multicast ARPs, you must manually configure static ARP entries for devices that cannot pass multicast ARPs. You can use the mcasttest utility (available from the Juniper Networks customer Support Web site) to automatically determine which devices on your network do not support multicast ARP traffic. From the Sensor command line, type mcasttest -h for a list of options, or see the mcasttest man page for more details.

When you have chosen a deployment mode, HA solution, and forwarding method (if necessary), proceed to “Install the IDP Management Server” on page 14.
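As an added example (not Juniper code and not part of this guide), the following Python script checks a standalone HA cluster plan against three requirements stated in this step: static routes for every protected subnet in proxy-ARP and router mode, a cluster MAC whose type matches the multicast or unicast forwarding choice, and cluster IPs that belong to the subnets of the node interfaces they front (the cluster IP/MAC mapping is described under “Configure Your Network Switch”). It reuses the addresses from the Router Mode diagram on page 10; the second protected subnet 10.0.114.0/24 and the internal gateway 10.0.113.30 are constructed for the demonstration, and the route lookup is a simplified model rather than the appliance's own routing code.

```python
"""Pre-deployment checks for a standalone HA cluster plan (added example, not Juniper code).

Rules encoded: (1) in proxy-ARP and router mode every protected subnet must be
reachable by a connected interface or a static route, or traffic to it takes the
default route back to the external gateway and is lost; (2) the cluster MAC must
be a group (multicast) address for multicast forwarding and a unicast address
otherwise; (3) each cluster IP must lie in the subnet of the interfaces it fronts.
The route lookup is a simplified model, not the appliance's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface, ip_network


@dataclass
class Node:
    name: str
    external: str    # eth0 address with prefix length, e.g. "10.0.113.1/28"
    protected: str   # eth1 address with prefix length
    state_sync: str  # eth2 address on the state-sync network


@dataclass
class ClusterPlan:
    mode: str                           # "proxy-arp" or "router"
    forwarding: str                     # "multicast" or "unicast"
    gateway: str                        # default gateway of the appliances
    external_cluster: tuple[str, str]   # (cluster IP, cluster MAC), external side
    protected_cluster: tuple[str, str]  # (cluster IP, cluster MAC), protected side
    protected_subnets: list[str]        # subnets that must be reachable behind the cluster
    static_routes: dict[str, str] = field(default_factory=dict)  # subnet -> next hop
    nodes: list[Node] = field(default_factory=list)


def is_multicast_mac(mac: str) -> bool:
    """True when the I/G bit (lowest bit of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def next_hop(plan: ClusterPlan, dest: str) -> str:
    """Longest-prefix lookup: connected subnets and static routes compete on
    prefix length; the default gateway is used only when nothing matches."""
    dest_ip = ip_address(dest)
    candidates: list[tuple[int, str]] = []
    node = plan.nodes[0]  # every node carries the same routing table
    for iface in (node.external, node.protected):
        net = ip_interface(iface).network
        if dest_ip in net:
            candidates.append((net.prefixlen, f"connected {net}"))
    for subnet, hop in plan.static_routes.items():
        net = ip_network(subnet)
        if dest_ip in net:
            candidates.append((net.prefixlen, f"via {hop}"))
    if not candidates:
        return f"default via {plan.gateway}"
    return max(candidates)[1]


def check_plan(plan: ClusterPlan) -> list[str]:
    """Return the list of problems found; an empty list means the plan passes."""
    problems: list[str] = []
    # Rule 2: cluster MAC type must match the forwarding method.
    for cluster_ip, mac in (plan.external_cluster, plan.protected_cluster):
        if plan.forwarding == "multicast" and not is_multicast_mac(mac):
            problems.append(f"cluster MAC {mac} for {cluster_ip} is unicast; multicast forwarding chosen")
        if plan.forwarding == "unicast" and is_multicast_mac(mac):
            problems.append(f"cluster MAC {mac} for {cluster_ip} is multicast; unicast forwarding chosen")
    # Rule 3: each cluster IP must sit in every node's subnet on that side.
    for side, (cluster_ip, _) in (("external", plan.external_cluster),
                                  ("protected", plan.protected_cluster)):
        for node in plan.nodes:
            net = ip_interface(getattr(node, side)).network
            if ip_address(cluster_ip) not in net:
                problems.append(f"{side} cluster IP {cluster_ip} is outside {node.name} subnet {net}")
    # State-sync addresses must be unique across the cluster.
    sync = [n.state_sync for n in plan.nodes]
    if len(set(sync)) != len(sync):
        problems.append("duplicate state-sync address")
    # Rule 1: no protected subnet may fall through to the default route.
    if plan.mode in ("proxy-arp", "router"):
        for subnet in plan.protected_subnets:
            hop = next_hop(plan, str(next(ip_network(subnet).hosts())))
            if hop.startswith("default"):
                problems.append(f"no route to protected subnet {subnet}: traffic would use '{hop}' and be lost")
    return problems


def example_plan() -> ClusterPlan:
    """Router-mode addresses from the guide's diagram, plus a constructed
    second protected subnet 10.0.114.0/24 that has no static route yet."""
    return ClusterPlan(
        mode="router",
        forwarding="multicast",
        gateway="10.0.113.14",
        external_cluster=("10.0.113.4", "01:00:00:00:01:00"),
        protected_cluster=("10.0.113.20", "01:00:00:00:01:01"),
        protected_subnets=["10.0.113.16/28", "10.0.114.0/24"],
        nodes=[
            Node("idpHA1", "10.0.113.1/28", "10.0.113.17/28", "192.168.0.1/24"),
            Node("idpHA2", "10.0.113.2/28", "10.0.113.18/28", "192.168.0.2/24"),
            Node("idpHA3", "10.0.113.3/28", "10.0.113.19/28", "192.168.0.3/24"),
        ],
    )


if __name__ == "__main__":
    plan = example_plan()
    print(check_plan(plan))  # one problem: 10.0.114.0/24 falls through to the default route
    plan.static_routes["10.0.114.0/24"] = "10.0.113.30"  # constructed internal gateway
    print(check_plan(plan))  # []
```

Run as a script, the first check reports the unrouted 10.0.114.0/24 and the second passes once the static route to the internal gateway is added. Rule 1 is the one most often missed in practice: because the appliance's default route points back at the external firewall, an unrouted protected subnet fails silently (packets leave the wrong way) rather than with an error, which is why the guide insists on static routes before the cluster goes live.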
Proxy-ARP Mode, Standalone HA with Multicast
[Figure: three IDP appliances (Node 1 idpHA1, Node 2 idpHA2, Node 3 idpHA3) in proxy-ARP mode between a firewall at 10.0.113.254 and the protected network. External network 10.0.113.0/24: cluster IP 10.0.113.4, cluster MAC 01:00:00:00:00:10; node eth0 addresses 10.0.113.1, 10.0.113.2, and 10.0.113.3, each with GW 10.0.113.254. Protected network 10.0.113.0/24: cluster IP 10.0.113.20, cluster MAC 01:00:00:00:00:11; node eth1 addresses 10.0.113.17, 10.0.113.18, and 10.0.113.19. State sync 192.168.0.0/24 on eth2 (192.168.0.1, 192.168.0.2, 192.168.0.3). Server1 to Server4 at 10.0.113.21 to 10.0.113.24, GW 10.0.113.254.]
Advantages:
• Supports standalone HA solutions
• Reliably responds to and prevents attacks
• Simple, transparent deployment
Disadvantages:
• Network nodes may need to update cached ARP entries

Router Mode, Standalone HA with Multicast
[Figure: three IDP appliances (Node 1 idpHA1, Node 2 idpHA2, Node 3 idpHA3) in router mode between a firewall at 10.0.113.14 and the protected network. External network 10.0.113.0/28: cluster IP 10.0.113.4, cluster MAC 01:00:00:00:01:00; node eth0 addresses 10.0.113.1, 10.0.113.2, and 10.0.113.3, each with GW 10.0.113.14. Protected network 10.0.113.16/28: cluster IP 10.0.113.20, cluster MAC 01:00:00:00:01:01; node eth1 addresses 10.0.113.17, 10.0.113.18, and 10.0.113.19. State sync 192.168.0.0/24 on eth2 (192.168.0.1, 192.168.0.2, 192.168.0.3). Server1 to Server4 at 10.0.113.21 to 10.0.113.24, GW 10.0.113.20.]
Advantages:
• Supports standalone HA solutions
• Reliably responds to and prevents attacks
• Connects IP networks with different address spaces
Disadvantages:
• Requires re-subnetting one or more networks
Proxy-ARP Mode, Standalone HA with Juniper Networks FW/VPN Devices (Active/Active)
[Figure: two IDP appliances (Node 1 idpHA1, Node 2 idpHA2) behind a pair of Juniper Networks firewalls in NSRP active/active, connected through hubs. Router GW 10.156.113.254; external network 10.156.113.0/24. Firewall untrusted side: Eth3 10.156.113.204, Eth3:1 10.156.113.205, GW 10.156.113.254, manage IPs 10.156.113.201 and 10.156.113.202. Firewall trusted side: Eth1 10.2.1.9, Eth1:1 10.2.1.10, manage IPs 10.2.1.11 and 10.2.1.12. Node 1: Eth1 10.2.1.2 GW 10.2.1.9, Eth0 10.2.1.17, Eth2 192.168.0.1. Node 2: Eth1 10.2.1.4 GW 10.2.1.10, Eth0 10.2.1.19, Eth2 192.168.0.2. Cluster IP 10.2.1.1 with cluster MAC 01:00:00:02:00:00 and cluster IP 10.2.1.15 with cluster MAC 01:00:00:01:00:00. State sync 192.168.0.0/24. Protected network 10.2.1.0/24: Server1 to Server4 at 10.2.1.20 to 10.2.1.23, GW 10.2.1.10 or GW 10.2.1.9.]

Bridge or Transparent Mode, External HA with Juniper Networks FW/VPN Devices (Active/Passive)
[Figure: two IDP appliances (Node 1 idpHA1, Node 2 idpHA2) in bridge or transparent mode behind a pair of NetScreen firewalls in NSRP active/passive. Router 10.2.0.254; external network 10.2.0.0/24. Firewall untrusted 10.2.0.2 GW 10.2.0.254; firewall trusted 10.2.1.12. Each node: Eth0 stealth and Eth1 stealth (forwarding), GW 10.2.1.12; Eth2 on state sync 192.168.0.0/24 (192.168.0.1 and 192.168.0.2); Eth3 management (10.2.1.22 and 10.2.1.23). Protected network 10.2.1.0/24: Server1 to Server3 at 10.2.1.2 to 10.2.1.4 and Management Server at 10.2.1.5, all GW 10.2.1.12.]

This diagram displays a dedicated management interface with an IP address for each IDP appliance. In bridge mode, both forwarding interfaces for each IDP appliance are stealth interfaces, indicating that they do not have an assigned IP address.
Advantages:
• Reliably responds to and prevents attacks
• Simple, transparent deployment
• No changes to routing tables or network equipment
Disadvantages:
• Hot standby mode only
• Must use NS-50 or higher

Router Mode, External with Load Balancers
[Figure: two IDP appliances (Node 1 idpHA1, Node 2 idpHA2) in router mode between two load balancers. Firewall 10.0.113.254; external network 10.0.10.0/24. Upstream load balancer addresses 10.2.10.1, 10.2.0.1, and 10.2.0.2; downstream load balancer addresses 10.2.1.1, 10.2.1.2, and 10.2.20.1. Node Eth0 addresses 10.2.0.11 and 10.2.0.12; Eth1 addresses 10.2.1.11 and 10.2.1.12; Eth2 addresses 192.168.0.1 and 192.168.0.2 on state sync 192.168.0.0/24. Protected network 10.2.20.0/24: Server1 to Server3 at 10.2.20.2 to 10.2.20.4 and Management Server at 10.2.20.5, all GW 10.2.20.1.]
Advantages:
• Reliably responds to and prevents attacks

When you have chosen a deployment mode for your IDP system, proceed to “Install the IDP Management Server” on page 14.

Step 2: INSTALL THE IDP MANAGEMENT SERVER
In this step, you install the IDP Management Server software that controls your IDP appliances. Because you are using multiple IDP appliances, you must install the Management Server software on a secure and trusted Red Hat Linux 7.2 or 8, RHEL AS/ES/WS 3, or Solaris 8 or 9 computer. Juniper Networks recommends using a system with a minimum of 1 GB RAM. An example Management Server system uses the following specifications:
• CPU: Quad Intel(R) Xeon(TM), 2.40GHz
• Cache size: 512 KB
• MemTotal: 2 GB
• Hard Disk: 32.5 GB

Before installing the Management Server, ensure that the following are installed on the computer:
• gzip compression software — This is installed by default on Red Hat systems. For Solaris systems, you can download the gzip package for your processor and OS version from http://www.sunfreeware.com.
  Once you have downloaded the gzip package (do not download the source code file), install the software with the pkgadd command; for example: pkgadd -d gzip-1.3.5-sol8-sparc-local
• uudecode to decode the payloads contained in the installation file — This is installed by default on Solaris systems. For Red Hat systems, you can install this utility from the Management Server CD by entering the following command: rpm -Uvh sharutils-4.2.1-8.7.x.i386.rpm

Installing the IDP Management Server
1. Ensure that the computer you are installing the Management Server on is:
   – Plugged in to a power source and powered on
   – Connected to a serial console or monitor and keyboard
   – A secure and trusted Red Hat Linux 7.2 or 8, RHEL AS/ES/WS 3, or Solaris 8 or 9 computer
2. Insert the IDP Installation CD into the drive on the Management Server.
3. Log in to the computer as root. If you are already logged in as a user other than root, become root by typing: su -
   At the password prompt, enter the root password for the computer.
   Note: The Management Server installation process is case-sensitive. You must follow the menu selections exactly as shown in the script help text.
4. Create an idp group with the user idp as the only member.
   For Linux, type the command: useradd idp
   For Solaris, type the commands:
     groupadd idp
     useradd -g idp idp
5. Mount the IDP Installation CD following the system manufacturer’s instructions.
6. Change to the Management Server directory using the cd command.
   For Linux: cd /mnt/cdrom/Mgt-Svr/Linux
   For Solaris: cd /cdrom/cdrom0/Mgt-Svr/Solaris
7. Run the Management Server install script by entering the appropriate command.
   For Linux: ./mgtsvr_linux_3_1.sh
   For Solaris: ./mgtsvr_solaris_3_1.sh
   The installation automatically begins.
8. When prompted, specify the directory that IDP uses to store the Management Server data files.
9. When prompted, specify a password for the IDP Management Server admin account. Confirm the password.
   Note: The admin account authenticates communication between the Management Server and the User Interface (UI). You are asked for this password again when you log in to the UI in “Install the User Interface” on page 23.

The installation proceeds automatically. Several messages display. After the installation is complete, the Management Server processes automatically start.

Management Server IP Address
During the Sensor configuration process, you establish communication between the Management Server and the Sensor using the IP address of the Management Server.

When you have successfully installed the Management Server, proceed to “Connect to the IDP Appliance” on page 16.

Step 3: CONNECT TO THE IDP APPLIANCE
In this step, you connect to the IDP appliance and prepare to configure the preinstalled Sensor software. You can connect using one of these methods:
• Connect a standalone computer to the IDP appliance eth2 (management) port. In this method, you change the IP address of a standalone computer to an IP address that is on the 192.168.1.0/24 network. Then, you connect the standalone computer to the IDP appliance and use the default settings for Ethernet access to configure the Sensor software.
• Connect a serial console or keyboard/monitor to the IDP appliance. In this method, you assign the IDP appliance an IP address that is on your network. Then, you connect a serial console or keyboard and monitor to the IDP appliance and configure Ethernet access by choosing an Ethernet port, IP address, and default route. After you have configured Ethernet access, you connect the IDP appliance to your network and configure the Sensor software from a computer on your network.

Choose a method and follow the appropriate instructions below. When you have established Ethernet access to the IDP appliance, you can configure the Sensor software using the Appliance Configuration Manager (ACM), the Web-based IDP configuration tool.
The configuration process is described in “Configure the IDP Sensor” on page 18. Use the illustrations provided on the back cover of this guide to locate the Ethernet, fiber, and serial ports for the IDP appliance.

Using a Standalone Computer
1. Connect a standalone computer, such as a laptop, to the IDP appliance eth2 port. To connect directly to the appliance, use a cross-over cable. To connect to the appliance over a hub or switch, use a straight-through cable.
2. Change the IP address of the standalone computer to 192.168.1.2. To change an IP address, see your computer’s operating system documentation.
3. On the connected computer, open a Web browser. Enter the URL of the ACM wizard as https://192.168.1.1. Because the ACM uses a secure form of HTTP, you MUST enter https:// before the IP address.
4. Enter the default user name and password:
   username: root
   password: abc123
   The ACM wizard automatically displays. Proceed to “Configure the IDP Sensor” on page 18.

Using a Serial Console or Keyboard/Monitor
1. Connect to the IDP appliance.
   – For serial console connections, connect a serial console to the IDP appliance Serial port and configure the terminal software to use parameters 8-N-1, 9600. For Windows, use HyperTerminal. For Linux, use minicom.
   – For keyboard and monitor connections, connect a keyboard and monitor to the IDP appliance.
2. Log in to the IDP appliance:
   login: root
   password: abc123
   The Ethernet configuration script automatically runs. Follow the instructions in the script’s help text to configure Ethernet access to the IDP appliance.
3. When prompted, select the network card you want to configure. The default configuration for that network card appears.
   – To accept the default configuration, type n and press Enter to continue.
   – To reconfigure the network card, type y. Assign an IP address and netmask to the network card.
     Be sure to use an IP address that is reachable by the computer you will use to configure the Sensor software. Press Enter to continue.
4. When prompted, set a default route by pressing y. Enter the default route for the computer that you will use to configure the Sensor software. Press Enter.
5. Use the Ethernet port you just configured to connect the IDP appliance to your network. To connect directly to another computer, use a cross-over cable. To connect to a hub or switch, use a straight-through cable.
6. Using the computer that is on your network, open a Web browser. Enter the IP address you chose in the configuration script. Because the ACM uses a secure form of HTTP, you MUST enter https:// before the IP address.
7. Enter the default user name and password:
   username: root
   password: abc123
   The ACM wizard automatically displays. Proceed to “Configure the IDP Sensor” on page 18.

Step 4: CONFIGURE THE IDP SENSOR
In this step, you configure the IDP Sensor software that is pre-installed on the IDP appliance to work with your network. Using the Appliance Configuration Manager (ACM), a Web-based software tool, you follow the on-screen instructions as the ACM wizard leads you through the eight-section configuration process. To view the ACM online help, click the icon in the upper right corner.

Note: The ACM supports Mozilla 1.0.1 and IE 6.0 Web browsers. If the font size is too small or difficult to read in your Mozilla Web browser, increase the font size to 150%.

The table below summarizes the information you should have available.

Note: During the configuration process, you choose a One-Time Password (OTP) and are given a VIN for your Sensor. Because you are prompted for this information again in “Add Network Components” on page 25, you might want to record the VIN.
Section             Configuration Information
Setup               • IDP Sensor host and domain name
                    • IDP Sensor root and admin passwords (default is abc123)
                    • Management Server password for the User Interface
Mode                • Deployment mode: router, bridge, transparent, or proxy-ARP (no sniffer mode)
                    • Enable/choose high availability (standalone or external)
Networking          • Speed and duplex settings for IDP appliance interfaces
                    • Enable/configure VLAN interfaces
                    • Enable/configure virtual routers
                    • Management interface
                    • Forwarding interfaces
                    • Routing table (In proxy-ARP and router mode, if you are using multiple subnets in your protected network, you must configure static routes on the IDP appliance to these subnets. Without these static routes, incoming traffic to those subnets can be lost. Alternatively, you can create a static route from the IDP appliance to an internal gateway that contains inbound routes to the protected subnets.)
High Availability   Because you are using a high availability solution, you must:
                    • Choose and configure the state-sync interface on the appliance
                    • Configure external or standalone high availability
System              • Enable/configure DNS
                    • Set Time and Time Zone
                    • Enable/configure NTP
                    • Enable/configure RADIUS
                    • Enable/configure SNMP
                    • Enable/configure SSH access
Management          • IP address of the Management Server for this Sensor and OTP
                    • Sensor VIN __________________________________ (case sensitive)
                    • Enable/configure ACM access
Confirm and Exit    View the current configuration and then:
                    • Save all changes
                    • Apply the configuration to the IDP appliance
                    • Reboot the IDP appliance
Download            Download the Sensor configuration file (idpconf.cfg) to a specified location.
Configuration File

After you save and apply a configuration to the IDP Sensor, you can download the current configuration file to a separate location.
When you configure additional IDP appliances for your HA cluster, you can upload the saved configuration file to quickly configure each Sensor. To download the configuration file:
1. From the ACM main menu, select File Download Manager. The File Download Manager page appears.
2. Select idpconf.cfg in the file pull-down menu.
3. Specify the download location on the local computer and then click OK.

Exit the ACM by closing the Web browser window. You can now disconnect the serial console, keyboard and monitor, or other standalone computer from the IDP appliance. If you changed the IP address of a standalone computer to access the ACM, be sure to change it back to its original IP address.

Proceed to “Connect IDP to Your Network” on page 20.

Note: Because all networks are different, Juniper Networks recommends that you install one IDP Sensor at a time. When you have successfully installed a Sensor and are receiving log records, you can configure and connect additional Sensors to your network.

Step 5: CONNECT IDP TO YOUR NETWORK
In this step, you connect the IDP appliance to your network using the provided cables and the Ethernet ports (interfaces) on the IDP appliance. To connect to a switch or hub, use the straight-through Ethernet cable. To connect to a firewall or router, use the crossover Ethernet cable. The necessary cables are included with the IDP system.
An example configuration, showing Ethernet ports and their intended connections, is shown below (your configuration may differ):

[Figure: example port assignments for the IDP 100, IDP 500, and IDP 1000 appliances. On each model, eth0 and eth1 are forwarding interfaces to the external network, and eth2 and eth3 are forwarding interfaces to the protected network; eth2 can also be the management interface. Interfaces marked Optional in the figure need not be connected.]

The State-Sync Interface
The State-Sync interface is used to share state information between IDP Sensors in an HA Cluster. When you install the first IDP appliance in the HA cluster, you do not need to use the state-sync interface. As you configure and connect additional IDP appliances to your network, however, you connect their state-sync interfaces to each other. This process is described in “Create the HA Cluster” on page 28.

After you have successfully connected the IDP appliance to your network:
• If you are using standalone high availability, proceed to “Configure Your Network Switch” on page 22.
• If you are using external high availability, proceed to “Install the User Interface” on page 23.

Step 6: CONFIGURE YOUR NETWORK SWITCH [STANDALONE HA ONLY]
In this step, you configure your network switches to pass multicast or unicast MAC packets and heartbeats to the HA Cluster, as specified in the IDP Sensor configuration. For instructions on configuring your switches, please see the “High Availability Solutions” chapter in the Intrusion Detection and Prevention Concepts & Examples Guide or consult your switch manufacturer’s operating manual.
Cluster IPs and MACs

The nodes in an HA Cluster receive incoming packets via a Cluster IP address, which is mapped to a multicast or unicast Cluster MAC address to enable all Sensors to receive a copy of all network traffic. You must manually configure your network switches to pass multicast or unicast MAC traffic to the IDP appliances in the HA cluster.

Note: Switches that cannot pass multicast or unicast MAC traffic cannot be used for a standalone HA configuration and are not supported.

Heartbeats

The nodes in an HA Cluster communicate with each other using a heartbeat protocol, which uses a multicast IP address. Switches can automatically “learn” about the heartbeat protocol using the Internet Group Management Protocol (IGMP). You must enable IGMP on your network switch to pass heartbeats between IDP appliances in the HA cluster.

Note: Switches that do not support IGMP cannot be used for a standalone HA configuration and are not supported.

When you have successfully configured your network switches to pass multicast or unicast packets and heartbeats, proceed to “Install the User Interface” on page 23.

Step 7 INSTALL THE USER INTERFACE

In this step, you install the IDP User Interface (UI). The IDP Installation CD includes two versions of the UI installation: Windows and Red Hat Linux. You must install the UI on a system with a minimum of 512 MB of RAM; the UI does not run on systems with less than 512 MB RAM.

Note: The User Interface installation cannot be canceled from the initial install screen. You must click OK to reach the Introduction screen, then click Cancel to exit.

Installing on a Windows Host

You can install the UI on a computer running Windows 2000, NT, or XP.

1. Ensure that you are an Administrator user for the computer on which you are installing the UI. For instructions on adding users to the Administrator group, please see your OS manual.
2. Insert the IDP Installation CD into the CD drive of the client machine.
   If Autoplay is enabled, the installation starts automatically. If Autoplay is disabled, run the install application install.exe from your CD-ROM drive.
3. Follow the directions in the dialog boxes to install the UI.

Installing on a Red Hat Linux Host

You can install the UI on a computer running Red Hat Linux 7.2 or 8 or RHEL AS/ES/WS 3:

1. Insert the IDP Installation CD into the CD drive of the client machine and mount the CD following the manufacturer’s instructions.
2. In a command shell, run ./install.bin from the /mnt/cdrom/UI/Linux directory of your CD-ROM drive.
3. Follow the directions in the dialog boxes to install the UI. When prompted for a Web browser, you can change the default location of your Web browser. Click Choose to display the Web browser dialog box.
4. In the Enter path or folder name field, enter the full path to the Web browser application and then click Update. A list of directories and files for the specified location appears. Specify your Web browser using one of the following methods:
   – Choose your Web browser from the list and then click OK, or
   – In the Enter file name field, enter the name of the Web browser and then click OK.

Opening the User Interface

When you open the User Interface, specify the following information to log in:

• Host Name. Use the name of your IDP Management Server.
• User Name. Use the default user name admin.
• Password. Use the password you specified when you installed the Management Server.

When you have installed the UI, proceed to “Add Network Components” on page 25.

Step 8 ADD NETWORK COMPONENTS

Network Objects represent the components of your network, such as individual host machines, servers, and subnets. You must add the IDP Sensor as a Network Object before the IDP system is functional. You can also create Network Objects for the network components you want to protect.

Adding the IDP Sensor as a Network Object

1. In the Navigation tree, select Objects > Network Objects.
2. Choose File > New Object from the menu bar and then click OK.
3. Select Sensor and then click OK to display the Sensor Editor. Enter the information about the Sensor, including a unique name. Use the VIN and OneTime Password from “Configure the IDP Sensor” on page 18. Click the Interfaces tab to specify which IDP interfaces are external. You can also add anti-spoofing information using the Anti Spoof tab.
4. Click OK. A confirmation dialog box appears, prompting you to register your new Sensor with the Juniper Networks customer support Web site. Click the registration link to register the Sensor (registration is required for Attack Object updates).
5. From the toolbar, click to save the new IDP Sensor object. The IDP Sensor Network Object is added to the Network Object database.
6. Choose File > New Cluster from the menu bar to display the Cluster Editor. Enter a unique name for the cluster. In the Members box, select the IDP Sensor you want in the HA cluster. Click OK.

Note: As you configure and connect additional IDP Sensors (described in “Create the HA Cluster” on page 28), you can add them to the HA cluster.

Step 9 INSTALL A SECURITY POLICY

Before the IDP system can begin protecting your network, you must install a Security Policy on the Sensor. You should also verify that the Sensor is correctly connected to your network by sending other types of traffic through the IDP appliance. You can either use the default Security Policy created by Juniper Networks, or you can create a new, custom Security Policy for your network.

Installing a Security Policy Using a Template

1. Select the Security Policy component in the navigation tree and choose File > New Policy from the menu bar.
2. In the New Security Policy dialog box, select Use Template and choose a template from the menu.
   You can use the inline_template created by Juniper Networks, create a new, custom Security Policy template for your network, or use the getting_started template, which is designed to help you fine-tune your IDP system (see the “Fine-Tuning” chapter in the Intrusion Detection and Prevention Concepts & Examples Guide for help with customizing this template to your network).
3. Click OK to display the Security Policy template. Customize the template to your network and specify the Sensor on which to install the Security Policy.
4. Choose Policy > Install from the menu bar to install the new Security Policy on your Sensor. The Security Policy begins generating log records for security events immediately. Open the Log Viewer to ensure that you are receiving logs.

Note: As you configure and connect additional IDP Sensors (described in “Create the HA Cluster” on page 28), you add them to the Cluster and push the Security Policy again to verify the new Sensor.

Verifying Sensor Connectivity

Perform these connectivity tests for each Sensor you add to the HA Cluster:

• Test connectivity to the IDP Management Server: From a computer on the protected network, ping the Management Server IP address.
• Test connectivity to external networks: Use a computer on the protected network to browse the Internet or send/receive email.

When you have verified that the Sensor is operating normally, proceed to “Run the Profiler” on page 27.

Step 10 RUN THE PROFILER

Configure and run the Profiler to create a snapshot of the devices and activity on your network.

To configure and run the Profiler:

1. Select the Profiler component in the Navigation Tree. Click “Click here to configure profiler” in the main display area of the UI.
2. Select your Sensor from the Device pull-down menu in the Profile Configuration dialog box.
3. Configure the Profiler:
   – On the Tracked Hosts tab, select the network objects you want the Profiler to collect detailed information about.
     These should be the objects representing your internal network.
   – On the Exclusion tab, select any individual objects you want the Profiler to exclude from the groups you selected on the Internal Hosts tab.
   – On the Profiles tab, select Context Objects to profile all contexts.
   – Leave the settings on the Alert and Miscellaneous tabs as-is.
4. Click OK. A dialog box appears asking if you want to start or restart the Profiler. Click Yes. The Profile Action window appears.
5. Select Start and the Sensor you want to start profiling, then click Go. After the Profiler is running, click Close.
6. Click “Click here to synchronize profiler data”. The Profile Action window appears.
7. Select Sync and the check box next to the name of your Sensor and then click Go. After the synchronization is complete, click Close.
8. Click “Click here to view profiler data” to verify that you are collecting Profiler information about your network.

When you have configured the Profiler, proceed to the final configuration step, “Create the HA Cluster” on page 28.

Step 11 CREATE THE HA CLUSTER

The HA cluster is a group of 2 to 16 IDP Sensors that provides failover protection. In this step, you create the HA cluster by configuring additional IDP appliances for HA and then connecting them to your network.

For each appliance you want to include in your existing HA Cluster:

1. Connect to the IDP appliance and prepare to configure the Sensor software (repeat “Connect to the IDP Appliance” on page 16).
2. Configure the Sensor software using the saved configuration file. From the ACM main menu, select Upload and replace ACM configuration file to display the File Upload Manager page. Then, specify the location of the saved configuration file on the local computer (idpconf.cfg) and click OK to upload. The ACM loads the saved configuration information to help you configure the current Sensor.
   Using the ACM wizard, repeat the steps in “Configure the IDP Sensor” on page 18. The ACM fills in each data field with information from the uploaded configuration file; however, you must specify the following information:
   – Sensor host and domain name
   – Sensor root and admin passwords
   – Sensor fully qualified domain name (FQDN)
   – One-time password (OTP)
   You do not need to change the VIN; the ACM automatically overwrites the VIN number of the saved configuration with the VIN number of the current Sensor.
3. Connect the IDP appliance to your network (repeat “Connect IDP to Your Network” on page 20).
4. Connect the appliance to other appliances via the state-sync interface. Using the state-sync interfaces that you selected when you configured the Sensor, connect the IDP appliances to each other to form the HA cluster:
   – To deploy two IDP appliances, use a crossover cable to connect the appliances via the state-sync interface.
   – To deploy more than two IDP appliances, use straight-through cables and a switch to connect the state-sync interfaces of all appliances.
   As you add Sensors to the HA Cluster, remember to verify that each node is operating normally.
5. Add the Sensor as a Network Object using the UI and include it in the Cluster Object (repeat “Add Network Components” on page 25).

Verifying HA Cluster Connectivity

You can verify the status of the HA cluster using the sctop command line utility or the Device Monitor in the UI.

HA Status from the Command Line

You can verify HA Cluster connectivity using sctop commands at the Sensor command line. Perform the following connectivity test after you have added the second Sensor to the HA Cluster and repeat for each subsequent Sensor added:

1. From the Sensor command line, type: sctop. The sctop menu appears.
2. Type w to select HA status. Node and Cluster statistics for the Sensor appear.
   – An UP status indicates that the node is functioning normally.
   – A DOWN status can indicate that the node is not sending heartbeats, not receiving heartbeats, or that there is a switch problem.

Note: Test all nodes in the HA cluster. Each node should report the same status information.

HA Status in the UI

You can also verify HA cluster connectivity in the Device Monitor component of the UI. In the UI navigation tree, select the Device Monitor and locate the IDP Sensors using the HA configuration. The icon in the Cluster column for each Sensor indicates the status of the HA cluster:

• The icon indicates the cluster is functioning normally.
• The icon indicates the cluster is experiencing problems. This can indicate that one or more Sensors in the cluster are not functional, or that one or more processes on the Sensor are overloaded.
• The icon indicates that the cluster is non-functional.

Reconfiguring Standalone HA Clusters

To reconfigure your Standalone HA configuration using the ACM:

1. For all cluster nodes except the first node, stop the IDP processes. From the Sensor command line, type: service idp stop
   You must also stop sctop processes, if running. From the Sensor command line, type: quit sctop
2. Use the ACM on the first cluster node to change the Standalone HA configuration as desired, then save and apply the configuration.
3. Use the ACM on all other cluster nodes to change the Standalone HA configuration to match the configuration on the first node, then save and apply the configuration.

All cluster nodes should now be running the IDP processes. To verify the status of the cluster, see “Verifying HA Cluster Connectivity” on page 29.

Step 12 UPDATE YOUR ATTACK OBJECTS

Remember to update your Attack Objects frequently. Juniper Networks provides new signature and protocol anomaly Attack Objects each week.
Updates can include:

• Additional signature and protocol anomaly Attack Objects
• Modification of descriptions or severities for existing Attack Objects
• Removal of obsolete Attack Objects

To update your Attack Object database, use the automated Attack Update Client. The Attack Update Client searches your existing Attack Object database and automatically downloads new or modified Attack Objects. From the menu bar of the User Interface, select Tools > Update Attacks and follow the instructions in the Attack Update Client wizard to update your Attack Object database.

Congratulations! You have successfully installed the IDP system on your network.

Additional Resources

• For further instructions on using your IDP system, use the Online Help in the User Interface.
• For details on Standalone and external HA configurations, see the “High Availability Solutions” chapter in the Intrusion Detection and Prevention Concepts & Examples Guide. This chapter also includes information on switch compatibility and configuration.
• For detailed, step-by-step instructions on fine-tuning your IDP system, see the “Fine-Tuning” chapter in the Intrusion Detection and Prevention Concepts & Examples Guide.

Problems?

You can contact Juniper Networks customer support, as well as access general information about known issues, IDP versions, and the IDP FAQ, by visiting the Juniper Networks Support Web site at www.juniper.net/support/.
IDP QUICKSHEET

[Figure: rear-panel connector layout for the IDP 100 and for the IDP 500/IDP 1000: Ethernet ports eth0, eth1, eth2 and eth3, Serial Port, DB-15 Video Interface, Keyboard Connector, Mouse Connector, Power, and (IDP 500/IDP 1000) USB Connectors.]

Usernames & Passwords
   Sensor Login & Configure: username root, password abc123
   Management Server Login: username admin; password: you set this password during the Management Server configuration process

Appliance Configuration Manager
   URL: https://192.168.1.1; this is also the default IP address of eth2, the management interface. Because the ACM uses HTTPS, you MUST enter https:// before the IP address.
   Accessing: To configure the Sensor, you must use a computer that is on the same network as the IDP appliance.

Management Server
   IDP 100, 500, 1000: Required: install on a separate computer running Red Hat Linux 7 or 8, RHEL AS/ES/WS 3, or Solaris 8 or 9.

Interfaces & IPs
   Management interface: default is eth2; cannot use stealth. IP address: must be unique.
   Forwarding interface: any interface; can use multiple interfaces. Use crossover cable to connect to a firewall or router; use straight-through cable to connect to a hub or switch. IP address: must be unique. If using Juniper Networks FW/VPN devices, must use a stealth interface.
   State-Sync interface: any unused interface; must use one interface. IP address: must be unique.

HA
   Cluster MAC: Forwarding interfaces on each Sensor use a MAC multicast or unicast address so each Sensor receives a copy of the traffic.
   Cluster IP: Forwarding interfaces on each Sensor use an IP multicast or unicast address so each Sensor can send heartbeats.