
Identity-Based Application and Network Profiling


Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA

408.745.2000 1.888 JUNIPER


Table of Contents

Introduction

Scope

Design Considerations

Description and Deployment Scenario

Summary

Introduction

When Juniper Networks Unified Access Control (UAC) is used in conjunction with Juniper Networks NetScreen-Security Manager (NSM) and Juniper Networks Infranet Enforcers, you gain user-identified visibility into your network traffic. With the addition of an Intrusion Detection and Prevention (IDP) system, whether standalone or integrated, you can gain an even deeper insight into your network by being able to correlate user identity with application and network profiling data collected by the IDP. Previously, profiler data was identified strictly by a combination of IP addresses, ports, and applications, but no user identity information was included. The identity of the user responsible for generating the traffic obtained by the profiler was difficult to determine without a significant correlation effort. Using UAC, however, the IDP application and network profile is tagged with the username and roles of the user that generated the profiled traffic.

Scope

This application note describes how to configure NSM, the Infranet Enforcers, and the IDP to provide user-identified application and network profiler information.

Design Considerations

To generate identity-based profiler data, you need the following:

Hardware Requirements

• Server platform capable of running NSM version 2007.2R1 or greater (or Juniper Networks NSMXpress appliance)

• Infranet Enforcer(s) capable of running Juniper Networks ScreenOS version 6.0.0R1 or greater

• Juniper Networks Infranet Controller models IC4000 or IC6000

• IDP standalone (IDP50/200/600/1100) or firewall-integrated (Juniper Networks Integrated Security Gateways [ISG] 1000/2000)

Software Requirements

• NetScreen-Security Manager version 2007.2R1 or greater

• ScreenOS version 6.0.0R1 or greater

• Infranet Controller version 2.0R3 or greater

• IDP software v4.1R1a or greater

Description and Deployment Scenario

In order to use this new feature you must complete a couple of steps. First, the Infranet Enforcers, and the IDP systems used to gather profiling information, must be under control of NSM. Before adding the devices to NSM, you must make a change to the NSM Device Server configuration: edit the /var/netscreen/DevSvr/devSvr.cfg file.

Look for the following line in the file and change it from:

devSvrManager.uac_correlation_enabled 0

to

devSvrManager.uac_correlation_enabled 1
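
The same edit as a scripted, idempotent change that keeps a backup copy; this is an added example, not taken from Juniper's documentation. It assumes each setting sits on its own line as `key value`, as in the line shown above, and the function names are hypothetical.

```python
import re
import shutil
from pathlib import Path

# Path and key exactly as given in the application note.
CFG_PATH = Path("/var/netscreen/DevSvr/devSvr.cfg")
KEY = "devSvrManager.uac_correlation_enabled"
# Assumption: one "<key><whitespace><value>" setting per line.
LINE_RE = re.compile(r"^(\s*" + re.escape(KEY) + r"\s+)(\S+)\s*$")


def enable_uac_correlation(text):
    """Return (new_text, status): 'changed', 'already-enabled' or 'missing'."""
    out, status = [], "missing"
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = LINE_RE.match(body)
        if m and m.group(2) == "1":
            if status == "missing":
                status = "already-enabled"
        elif m:
            # Rewrite only the value; keep the key, spacing and line ending.
            line = m.group(1) + "1" + line[len(body):]
            status = "changed"
        out.append(line)
    return "".join(out), status


def apply_to_file(path=CFG_PATH):
    """Edit the file in place; a .bak copy is written before any change."""
    new_text, status = enable_uac_correlation(path.read_text())
    if status == "changed":
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text)
    # 'missing' leaves the file untouched: the key is never appended by guesswork.
    return status


if __name__ == "__main__":
    if CFG_PATH.exists():
        print(apply_to_file())
    else:
        print(f"{CFG_PATH} not found; run this on the NSM Device Server")
```

A result of `missing` means the line was not found and the file was left untouched, so check the file by hand rather than adding the key.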

After making this change, you will need to restart the NSM Device Server. You can either reboot the

After modifying the NSM Device Server configuration, you can add your Infranet Enforcer and IDP devices to NSM. Be aware that without at least one Infranet Enforcer configured to send traffic logs to NSM, you will not be able to correlate user-identity with profiler data. This is because NSM receives the user, role, and IP address information from the Infranet Enforcer traffic log data. As such, user-identified profiling should be done using an ISG platform with the integrated IDP module(s). Using the ISG as both an Infranet Enforcer and IDP ensures that the traffic log data matches that collected by the profiler and permits NSM to identify—by user—all application and network profile information. Though possible to use a standalone IDP in conjunction with separate Infranet Enforcers, this is not ideal, as the IDP profiler may collect application and network data that cannot be correlated because the user’s traffic did not pass through an Infranet Enforcer.
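
A simplified model of the correlation described above, added here as an example; it is not NSM's implementation. The record fields, the sample data, and the use of session time windows to separate two users who held the same IP address are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class EnforcerLog:          # one Infranet Enforcer traffic-log entry (constructed fields)
    src_ip: str
    user: str
    roles: tuple
    start: int              # session start, epoch seconds
    end: int                # session end, epoch seconds


@dataclass
class ProfilerEntry:        # one IDP profiler observation (constructed fields)
    src_ip: str
    dst_port: int
    application: str
    seen: int               # time the profiler saw the traffic
    user: Optional[str] = None
    roles: tuple = ()


def correlate(profile, traffic_logs):
    """Tag profiler entries with user and roles; return the entries left untagged."""
    by_ip = {}
    for log in traffic_logs:
        by_ip.setdefault(log.src_ip, []).append(log)
    unattributed = []
    for entry in profile:
        # The IP address is the join key; the time window picks the right session.
        match = next((log for log in by_ip.get(entry.src_ip, [])
                      if log.start <= entry.seen <= log.end), None)
        if match:
            entry.user, entry.roles = match.user, match.roles
        else:
            unattributed.append(entry)
    return unattributed


# Constructed sample data using documentation address ranges.
LOGS = [
    EnforcerLog("192.0.2.10", "alice", ("Employee",), 1000, 2000),
    EnforcerLog("192.0.2.10", "bob", ("Contractor",), 3000, 4000),  # same IP, later session
]
PROFILE = [
    ProfilerEntry("192.0.2.10", 80, "HTTP", 1500),
    ProfilerEntry("192.0.2.10", 22, "SSH", 3500),
    ProfilerEntry("192.0.2.77", 21, "FTP", 1500),   # traffic never crossed an Enforcer
]

if __name__ == "__main__":
    missed = correlate(PROFILE, LOGS)
    for e in PROFILE:
        print(e.src_ip, e.application, e.user or "-", ",".join(e.roles) or "-")
    print("unattributed entries:", len(missed))
```

The third entry stays without a user because no Enforcer log covers its source address, which is the standalone-IDP gap the paragraph warns about.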

To get the Infranet Enforcer traffic logs into NSM, you must complete three steps: (1) add the Infranet Enforcer to NSM, (2) enable traffic logging on the Infranet Enforcer, and (3) enable logging on any Infranet policy for which you want traffic data captured to NSM. For a step-by-step configuration example, see the “Identity-based Traffic Logging and Reporting” application note.

Next, you must add the IDP to NSM. While this procedure is covered in detail in numerous other documents, below is a brief step-by-step guide on how to do it. Within NSM, open the Device Manager > Security Devices window, click on the plus sign (+), and select Device from the pull-down menu.

Figure 1: Log View Creation


Figure 2: IDP Addition to NSM

After adding the IDP to NSM, you will most likely need to import the device’s configuration into NSM. You can verify whether or not this needs to be done by mousing over the IDP in the Security Devices view. Note the value for Configuration State. If it indicates that an import is needed, perform the next step; otherwise you can skip it. Even if the Configuration State shows Managed, performing an import will not harm anything.

Figure 3: IDP Status

To import the IDP configuration into NSM, right-click on the IDP device icon and select Import Device from the menu. After a few moments, NSM should report the successful importation of the IDP configuration. You can again check the status of the IDP, which should now show its Configuration

Figure 4: IDP Configuration Import into NSM

Once the IDP is in a Managed state, it’s time to configure it for profiling. Open the IDP configuration for editing by double-clicking the IDP icon in the Security Devices list. In the Info pane, select a Security Policy from the pull-down menu. You can use a pre-defined Security Policy, or you will have to create your own (not discussed here).

Next, go to the Profiler Settings pane. There are several tabs here that you will need to configure. First, check the Enable Profiling checkbox on the General tab.

On the Tracked Hosts tab, select those hosts that you want the profiler to pay attention to. The list of Tracked Hosts must be defined separately in the Object Manager section of NSM.

On the Contexts to Profile tab, select all Contexts unless you have a specific reason not to. Consult the IDP and NSM documentation for further information about these selections. After completing this tab, click OK to save the Profiler configuration.

Figure 8: Selecting Contexts to Profile

To start the Profiler, right-click on the IDP device icon in the Security Device list and select IDP Profiler > Start Profiler from the pull-down menu. The pop-up window allows you to change any

To see the Profiler logs, navigate to the Security Monitor > Profiler menu within the NSM main window. The Application Profiler will be the default view. It’s possible that this table won’t contain the User and Role columns that you’re after, so you’ll have to add them. Select View > Choose Columns from the menus at the top of the NSM window, check the User and Role checkboxes, and move them to a position of your liking.

Figure 10: Adjusting Column Settings

Your Application Profiler view should now look something like the picture below. The User column will reflect the username of the person that generated the traffic associated with that particular Profiler entry, and the Role column will show the UAC roles to which that user was mapped. All other traditional Profiler information is there, and now it’s correlated to a user.

The Network Profiler view looks similar.

Figure 12: Network Profiler View

Summary

Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.