Security Manager for Juniper Networks IDP

Release Notes

Date Published: September 2011


Security Manager for Juniper Networks IDP allows you to monitor Juniper Networks Intrusion Detection and Prevention (IDP) Appliances in your environment. This module provides knowledge so you can proactively manage Juniper Networks IDP appliances and identify issues before they become critical.

Security Manager for Juniper Networks IDP monitors syslog messages generated by Juniper Networks IDP appliances and collects events that may indicate configuration changes or attacks, so you can quickly take corrective or preventative action. For example, Security Manager for Juniper Networks IDP enables you to perform the following tasks:

  • Detect protocol anomalies that violate published Requests for Comments (RFCs)
  • Identify traffic patterns that may indicate possible attacks
  • Monitor application signatures that match application policies
  • Notify when system or threshold alarms occur
  • Monitor system and network start, stop, or restart events

Security Manager for Juniper Networks IDP also collects events from logs and stores them in secure repositories so you can archive this data, create reports for management or auditing purposes, and analyze critical events to research issues. Security Manager for Juniper Networks IDP collects all log messages you configure your Juniper Networks IDP appliances to send. Security Manager for Juniper Networks IDP supports both data forwarded directly from the IDP Series appliance and IDP data forwarded from the Network and Security Manager (NSM) client.

NetIQ often makes improvements to modules in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Security Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and the Security Manager user group.

This document outlines why you should install this module, lists installation requirements, and identifies known issues.


Supported Products

For the most recently updated list of supported software versions and the availability of module updates, visit the Security Manager Supported Products page. Unless noted otherwise, this module supports all updates, hotfixes, and service packs for the releases listed below. If you encounter problems using this module with a later version of your application, contact NetIQ Technical Support.

This release supports the following Juniper Networks Intrusion Detection and Prevention Appliances with IDP OS 5.1 installed:

  • IDP75
  • IDP200
  • IDP250
  • IDP600
  • IDP800
  • IDP1100
  • IDP8200

In addition, this release also supports the following versions of the Network and Security Manager (NSM) client software used to configure IDP appliances:

  • Network and Security Manager 2007.1
  • Network and Security Manager 2007.2
  • Network and Security Manager 2007.3
  • Network and Security Manager 2008.1
  • Network and Security Manager 2008.2
  • Network and Security Manager 2009.1
  • Network and Security Manager 2009.2
  • Network and Security Manager 2010.1
  • Network and Security Manager 2010.2
  • Network and Security Manager 2010.3
  • Network and Security Manager 2010.4
  • Network and Security Manager 2011.1


Why Install This Module?

Security Manager for Juniper Networks IDP provides support for data received from monitored Juniper Networks IDP appliances. The volume and type of data that Security Manager for Juniper Networks IDP collects are determined by the configuration of the appliance and the policies you have created for the appliance.


System Requirements

The following table lists additional requirements for a Windows agent. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category            Requirement
Processor           1.5 GHz Intel Pentium III or equivalent.
Memory              40 MB minimum. The amount of memory usage varies and depends on the environment, including event rate and other factors.
Operating System    All supported Windows agent platforms.
Software            • Ensure you have Security Manager 6.5 or later installed.
                    • Ensure you have the latest version of the Security Manager Self-Monitoring module installed. This module is required for optimum functionality of the product.


Installing This Module

Install the module using the Module Installer utility. For more information about installing modules, see the User Guide for NetIQ Security Manager.

You can verify successful installation of the module in the Module Installer. After the installation completes, verify the Status column indicates the module is current and the module version listed in the Installed Version column is the same as the version in the Available Version column.

After you install the module, run the Configuration Wizard to configure Security Manager for Juniper Networks IDP. For more information about using the Configuration Wizard, see the User Guide for NetIQ Security Manager.


Configuring Juniper Networks IDP Appliances for Remote Logging

After you install the module, you must configure all Juniper Networks IDP appliances in your environment to send messages to a remote syslog server where the Windows agent computer can access the logs.

You configure logging for Juniper Networks IDP appliances through the NSM client. You can configure an IDP Series appliance to forward syslog data directly to a remote syslog server, configure NSM to forward IDP data to the syslog server, or configure both to forward data.

Note
If you configure an IDP appliance to forward syslog data directly, the appliance does not forward data in the Traffic, Profiler, or Alarm categories to the syslog server. If you configure NSM to forward IDP data, NSM forwards data in those categories, as well as data in the Predefined and Config categories, which the IDP appliance also forwards directly.

You can use any agent computer to monitor Juniper Networks IDP logs, including a central computer or a remote agent. For more information about configuring and using Juniper Networks IDP appliances and the NSM client, see the Juniper Networks IDP Series and NSM product documentation.

Configure an IDP Appliance to Directly Forward Syslog Data

After installing the module, you can configure the IDP appliance to send data to a remote syslog server where Security Manager can monitor that data.

Note
After you configure the syslog server you want to use, you may need to push a configuration change from the NSM client to the IDP appliance for the changes to take effect. For information about pushing configuration changes in NSM, see the Juniper Networks NSM documentation.

To configure the Juniper Networks IDP appliance to forward data to a remote syslog server:

  1. Start a Web browser on a computer with access to the NSM user interface.
  2. In the navigation tree, click the Configure panel.
  3. Expand the Device Manager module.
  4. Double-click the IDP Series appliance.
  5. In the device configuration editor, click Report Settings.
  6. Select Enable Syslog.
  7. In the Syslog Server IP, Syslog Server Port, and Protocol fields, specify the IP address, port number, and protocol you want to use to forward the IDP data. The default port number and protocol are 514 and UDP.
  8. If you want to forward packet logs to the syslog server, select Include packet data in log.
  9. Click OK.

Create a Syslog Server Object in NSM

If you do not want to directly forward syslog data from an IDP appliance, you can also enable the NSM product to forward data from the IDP appliance to a remote syslog server. Using NSM, you create a new syslog server object and then configure the types of data you want NSM to forward to the syslog server. You can either configure NSM to forward syslog data by IDP appliance or by policy.

Note
If you configure your IDP appliances to forward syslog data directly to the remote syslog server, you do not need to configure logging in NSM. However, you can configure the IDP appliance and NSM to both forward data to the syslog server if appropriate for your environment.

To configure NSM to forward Juniper Networks IDP data to a remote syslog server:

  1. Start a Web browser on a computer with access to the NSM user interface.
  2. In the navigation tree, click the Administer panel.
  3. Expand the Action Manager module.
  4. Click Action Parameters.
  5. Under Syslog, click + to add a new syslog server.
  6. In the Syslog Server and Syslog Server IP fields, specify the name and IP address of the syslog server to which you want NSM to send data.
  7. In the Syslog Server Facility field, specify how you want to categorize the messages sent to the syslog server.
  8. Click OK.
  9. Click OK.
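As an added example (not NetIQ's or Juniper's code, and not taken from these release notes), the following Python script simulates the forwarding path that the two procedures above set up: a sender emits a syslog datagram over UDP, carrying the facility you chose in the Syslog Server Facility field, and a receiver decodes the PRI header into facility and severity and keeps only messages tagged with the expected facility. The hostname, timestamp and message body are constructed sample values; because this page does not show the layout of real IDP message bodies, the script decodes only the standard RFC 3164 header and treats the remainder as opaque text. It binds an ephemeral loopback port instead of the privileged default port 514.

```python
"""Minimal UDP syslog receiver and RFC 3164 header decoder (added example)."""
import re
import socket

# Facility codes 0-23 and severity codes 0-7 as defined by RFC 3164.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" prefix followed by the rest of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " followed by the message body.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local4/notice -> 165."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names; 0..191 are valid."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(datagram):
    """Decode one UDP syslog datagram into a dict; a missing PRI raises ValueError."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    rest = m.group(2)
    h = HEADER_RE.match(rest)
    if h:
        timestamp, host, message = h.group(1), h.group(2), h.group(3)
    else:
        # Relaxed mode: some senders omit the timestamp/hostname header.
        timestamp, host, message = None, None, rest
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": host, "message": message.rstrip("\r\n")}


def matches_facility(event, expected):
    """Keep only events tagged with the facility configured in NSM."""
    return event["facility"] == expected


def loopback_roundtrip(facility, severity, host, body):
    """Send one constructed message over UDP to a local listener and parse it.

    Uses an ephemeral port on 127.0.0.1 instead of the privileged default 514.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2.0)
    port = server.getsockname()[1]
    # Constructed sample datagram; the timestamp and host are not real IDP output.
    wire = "<%d>Sep 13 10:15:00 %s %s" % (encode_pri(facility, severity), host, body)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(wire.encode("utf-8"), ("127.0.0.1", port))
        data, _ = server.recvfrom(65535)
    finally:
        client.close()
        server.close()
    return parse_syslog(data)


if __name__ == "__main__":
    event = loopback_roundtrip("local4", "notice", "idp250-lab",
                               "IDP: constructed sample message")
    print(event)
    print("accepted" if matches_facility(event, "local4") else "dropped")
```

Running the script as-is sends one constructed message to itself and prints the decoded fields. If messages from an appliance or NSM never appear at the syslog server, comparing the facility and port in the received PRI header against the values entered in the procedures above is a quick first check.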

Configuring NSM Logging by Device

If you use NSM to forward data, you can configure logging globally, sending all data of one or more categories and severities for all monitored Juniper Networks IDP appliances.

To define logging criteria globally for all Juniper Networks IDP appliances:

  1. In the Administer panel, click Action Manager > Device Log Action Criteria.
  2. Select a category of data you want to forward to the syslog server.
  3. If you want to forward data only from particular subcategories, clear any subcategories you do not want to log.
  4. In the Severity tab, select the specific severities of data you want to forward.
  5. In the Actions tab, select Send Syslog Messages.
  6. In Specified Syslog Servers, add the remote syslog server you want to receive the data.
  7. Repeat Steps 2 through 6 for each category and subcategory for which you want to log data.
  8. Click OK.

Configuring NSM Logging Using Policies

If you use NSM to forward data, you can also use the Policy Manager module in NSM to configure the product to forward only data matching a specific set of rules, regardless of the IDP appliance from which it originates.

To define logging criteria for Juniper Networks IDP appliances using policies:

  1. In the navigation tree, click the Configure panel.
  2. Expand the Policy Manager module.
  3. Click the policy you want to configure to forward syslog data from IDP appliances.
  4. In the right pane, click the tab of the rule set you want to configure.
  5. Right-click the Notification column for a rule for which you want to log data.
  6. Select Logging.
  7. Click the Log Actions tab.
  8. Select Send Syslog Messages.
  9. In Specified Syslog Servers, add the remote syslog server you want to receive the data.
  10. Click OK.
  11. Repeat Steps 2 through 10 for each rule you want to configure to forward log data.


Configuring the Module

Configure Security Manager for Juniper Networks IDP using the Configuration Wizard. First use the Configuration Wizard to specify the Security Manager agent or agents you want to use to remotely monitor your Juniper Networks IDP environment, then specify the Juniper Networks IDP appliances you want to monitor. Click Finish when you have specified the agents you want to use and appliances you want to monitor.

For more information about using the Configuration Wizard, see the User Guide for NetIQ Security Manager.


Juniper Networks IDP Event Fields Used by Security Manager

Security Manager for Juniper Networks IDP collects various fields from the data received from monitored Juniper Networks IDP appliances. The following table lists the Juniper Networks IDP data fields most commonly used by Security Manager and maps those fields to the corresponding names and values used for real-time alerting, log archival, and Forensic Analysis. You can use these fields to create processing rules or Forensic Analysis queries tailored to your specific environment. For more information about creating processing rules, see the Programming Guide for NetIQ Security Manager.

Real-Time Parameter Name/Number  Log Archive Field Name           Forensic Analysis Column Name
$Message                         message                          Message
N/A                              common.category                  Data Category
$sourcename                      analyzer.model                   Platform
$eventtime                       detecttime                       N/A
1                                classification.origin            Source Name
2                                classification.name              Native Classification
3                                assessment.impact.severity       Severity
4                                action                           Action
5                                analyzer.node.name               Network Node
6                                analyzer.node.address.address    Network Node Address
7                                source.node.name                 Source Node
8                                source.node.address.address      Source Address
9                                source.user.userid.name          Source User
10                               source.service.port              Source Port
11                               source.interface                 Source Interface
12                               source.interface.type            N/A
13                               target.node.name                 Target Node
14                               target.node.address.address      Target Address
15                               target.object.path               N/A
16                               target.process.name              Target Process
17                               target.service.protocol          Target Protocol
18                               target.service.port              Target Port
19                               event.sequence.id                N/A
20                               rule name                        Rule/Signature Name
21                               rule_number                      Rule/Signature ID
22                               size.count                       N/A
23                               session name                     Session Name
24                               status.description               Status Description
25                               userfield_string_001             Interface Alias
26                               userfield_string_002             VLAN ID
27                               userfield_string_003             NAT Src Addr
28                               userfield_string_004             NAT Src Port
29                               userfield_string_005             NAT Dest Addr
30                               userfield_string_006             NAT Dest Port
31                               userfield_string_007             Rulebase
32                               userfield_string_008             Rule Domain
33                               userfield_string_009             Rule Version
34                               userfield_string_010             Policy


Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
