• No results found

Identity-Based Traffic Logging and Reporting

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Identity-Based Traffic Logging and Reporting"

Copied!
10
0
0

Loading.... (view fulltext now)

Download now ( 10 Page )

Full text

(1)

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA

408.745.2000 1.888 JUNIPER

www.juniper.net

Identity-Based Traffic Logging

and Reporting

Using UAC in Conjunction with NSM and Infranet Enforcers to

Give Additional, User-Identified Visibility into Network Traffic

(2)

Table of Contents

Introduction . . . . 3

Scope . . . . 3

Design Considerations . . . . 3

Description and Deployment Scenario . . . . 3

Summary . . . . 10

(3)

Copyright ©2007, Juniper Networks, Inc. 3

Introduction

The combination of Juniper Networks Unified Access Control (UAC) and Juniper Networks NetScreen-Security Manager (NSM) gives you a more enlightening look at your network traffic . With the addition of an Infranet Controller to an existing Juniper firewall deployment, network traffic can be easily identified by the user who created it . Previously, network traffic was identified strictly by a combination of IP addresses and ports . The identity of the user responsible for the network traffic was difficult to obtain without a significant correlation effort . Now traffic within the NSM traffic log can be tagged with the username and roles of the user who generated that traffic .

Scope

This application note will describe how to configure NSM and the Infranet Enforcers to provide user-identified traffic logs and UAC-specific reports .

Design Considerations

To generate identity-based traffic logs, you need the following: Hardware Requirements

Server platform capable of running NSM version 2007 .2R1 or greater (or NSMXpress •

appliance)

Infranet Enforcer(s) capable of running ScreenOS version 6 .0 .0R1 or greater •

Infranet Controller models IC4000 or IC6000 •

Software Requirements

NetScreen-Security Manager version 2007 .2R1 or greater •

ScreenOS version 6 .0 .0R1 or greater •

Infranet Controller version 2 .0R3 or greater •

Description and Deployment Scenario

In order to use this new feature, you must complete a couple of steps . First and perhaps most obvious, any Infranet Enforcers for which you want to see profiling information must be under the control of NSM .

To add an Infranet Enforcer to NSM, use the NSM Graphical User Interface (GUI) and navigate to

Device Manager > Security Devices (Figure 1) . From there, click the + sign to add a device . Then

simply follow the Add Device wizard to add the Infranet Enforcer to NSM .

(4)

Once added to NSM, the Infranet Enforcer should appear under the list of Security Devices . You can verify the device’s operational state by mousing over the device icon in the NSM GUI (Figure 2) .

Figure 2: Device Operational Status

Once NSM has successfully connected to the Infranet Enforcer, you need to enable traffic logging on the Infranet Enforcer . This can be accomplished either through the enforcer Web interface or the command line . In the Web interface, navigate to Configuration > Admin > NSM and check the Traffic Logs checkbox (Figure 3) . Click the Apply button to save the changes . The CLI command to perform the same function is: set nsmgmt report log traffic enable.

(5)

Copyright ©2007, Juniper Networks, Inc. 5 In addition to enabling the traffic logs, you must enable logging on any Infranet policy for which you want traffic data captured to NSM . Again, this can be accomplished either through the enforcer Web interface or the command line . In the Web interface, navigate to Policies, click on the Edit link for the Infranet policy you wish to change, click the checkbox next to Logging, and then click OK . Your Infranet policies should show the blue Logging icon in the Options column . In the CLI, add the

log keyword to all Infranet policies as in: set policy id 9 from “Trust” to “hr” “Any”

“Any” “ANY” permit infranet-auth log .

Figure 4: Enforcer Logging Policies

In Infranet Controller software version 2 .1 and above, there is a configuration option on the controller that can prevent logging from taking place . Under the UAC > Infranet Enforcer > Resource Access

> [POLICY] > ScreenOS Options section, you have the ability to configure which ScreenOS policy

options will be enabled on the Infranet Enforcer . If you were to select the options as shown in Figure 5, no logging would take place for any resource to which this policy applies . This can be quite confusing because logging appears to be enabled on the Infranet Enforcer, but will be subsequently disable by the controller .

Figure 5: ScreenOS Options Configuration

That completes the configuration for getting the traffic logs into NSM . In order to see the additional information provided by UAC, you will need to create a custom Traffic Log Viewer (or you could modify the existing one) . To create a new Log Viewer, navigate within NSM to Log Viewer >

Predefined > 5-Traffic, right-click and select Save As…

(6)

In the Save View dialog box, enter a new name (Infranet Traffic) for the view and save the view to the Others folder .

Figure 7: Saving the Log View

After creating the view, navigate to the Log Viewer > Others and click on Infranet Traffic . You will see a traffic log identical to the predefined one that you just copied . It’s now time to make modifications to the view so that you can see the additional information . At the top of the NSM window, go to the View menu and select Choose Columns…

Figure 8: Choose Columns

In the Column Settings dialog box, scroll down to the bottom and check the box next to Roles and

User . For both Roles and User, select them and click Move Up several times until User is just below Alert and Roles is just below User, then click OK . You can, of course, customize this view any way

(7)

Copyright ©2007, Juniper Networks, Inc. 7

Figure 9: Add User Column

Your Infranet Traffic log view should now look something like the picture below . The User column will reflect the username of the person who generated the traffic associated with that particular log entry, and the Roles column will show the UAC roles to which that user was mapped .

(8)

In addition to the username and role correlation in the traffic logs, there are three additional canned UAC reports available in NSM . To find these reports, navigate to Report Manager > UAC Reports .

Figure 11: UAC Reports

This is the Time Graph of UAC Session Logs . October 9th was an especially busy day compared to the others .

(9)

Copyright ©2007, Juniper Networks, Inc. 9 Below is the Top 20 Destinations for UAC Logs . There are two local protected resources (172 .33 .1 .1 and 172 .32 .1 .1), and the rest is Internet traffic .

Figure 13: Top 20 Destinations for UAC

Finally there is the Top 20 Enforcers (Devices) for UAC Logs report . With only two enforcers configured, this isn’t a very impressive report, but becomes more useful the more enforcers it is reporting on .

(10)

Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. CORPORATE HEADQUARTERS

AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICA Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or 408.745.2000

Fax: 408.745.2100 www.juniper.net

EAST COAST OFFICE Juniper Networks, Inc. 10 Technology Park Drive Westford, MA 01886-3146 USA Phone: 978.589.5800 Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERS Juniper Networks (Hong Kong) Ltd.

26/F, Cityplaza One 1111 King’s Road Taikoo Shing, Hong Kong Phone: 852.2332.3636 Fax: 852.2574.7803 EUROPE, MIDDLE EAST, AFRICA

REGIONAL SALES HEADQUARTERS Juniper Networks (UK) Limited Building 1 Aviator Park Station Road Addlestone Surrey, KT15 2PG, U.K. Phone: 44.(0).1372.385500 Fax: 44.(0).1372.385501

To purchase Juniper Networks solutions, please

contact your Juniper Networks sales representative

at 1-866-298-6428 or authorized reseller.

Summary

Following the examples in this application note and using the latest versions of NSM, Infranet Enforcers and UAC, you can now identify, track and report on network traffic by user and user role .

About Juniper Networks

References

Download now ( PDF - 10 Page - 370.73 KB )

Related documents

Lecture 12: Heterogeneous Nucleation: a surface catalyzed process

• Heterogeneous nucleation forms at preferential sites such as phase boundaries, surfaces (of container, bottles, etc.) or impurities like dust. At such preferential sites,

Quick Start Guide 6.3

Note: navigate to, “My Matrix > My Listings”, select the checkbox beside one listing then click the, “Reverse Prospect” button to view information on who has sent your

December Web Tools. Administrator s Guide. Supporting Fabric OS v7.1.0

To save the switch configuration using Web Tools, in the Switch Explorer window click Configure > Switch Admin, and then select the Configure > Upload/Download subtab and

Quick Start Tutorial Metric version

To reset the camera, select View > Zoom and Navigate > Reset Camera , or click the Reset Camera button on the Zoom and Navigate toolbar... Quick

Accounts Receivable Reference Guide

11 Navigate to the Apply subtab > Credits subtab, and check Apply checkbox next to each credit memo. you want

Documentation. HiPath TAPI 120 V2.0 Installation and Configuration. Communication for the open minded. Administrator Documentation

> To save entries, click Apply (to configure parameters in other tabs for example) or OK (to exit the configuration dialog and save changes).

HiPath 3000/5000 HiPath TAPI 120 V2.0. Installation and Configuration

> To save entries, click Apply (to configure parameters in other tabs for example) or OK (to exit the configuration dialog and save changes).. > A confirmation message appears

ASA 8.x: Renew and Install the SSL Certificate with ASDM

Select the pending certificate request under Configuration > Device Management > Identity Certificates, as shown in Figure 6, and click Install.. In the Install