Release 8.0
Published: 2013-11-15
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos Pulse Secure Access Service Intrusion Detection and Prevention Sensors
Release 8.0
Copyright © 2013, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Part 1 Overview
Chapter 1 IDP ... 3
  About IDP ... 3
  IDP Deployment Scenarios ... 4
Part 2 Configuration
Chapter 2 IDP ... 9
  Configuring the Secure Access Service to Interoperate with IDP ... 9
    Interaction Between the IC Series and IDP ... 9
  Configuring IDP Sensor Policies ... 10
Part 3 Administration
Chapter 3 Quarantined Users ... 15
  Identifying and Managing Quarantined Users Manually ... 15
Chapter 4 Sensor Event Policies ... 17
  Defining Automatic Response Sensor Event Policies ... 17
Part 4 Index
Index ... 21
Part 3 Administration
Chapter 3 Quarantined Users ... 15
  Figure 3: Managing Quarantined Users ... 16
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• MAG Series
• SA Series
Documentation Conventions
Caution: Indicates a situation that might result in loss of data or hardware damage.
Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page x defines the text and syntax conventions used in this guide.
Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure
Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active
Italic text like this
  Description:
  • Introduces or emphasizes important new terms.
  • Identifies guide names.
  • Identifies RFC and Internet draft titles.
  Examples:
  • A policy term is a named structure that defines match conditions and actions.
  • Junos OS CLI User Guide
  • RFC 1997, BGP Communities Attribute
Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name
Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples:
  • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
  • The console port is labeled CONSOLE.
< > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;
# (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only
[ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]
GUI Conventions
Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples:
  • In the Logical Interfaces box, select All Interfaces.
  • To cancel the configuration, click Cancel.
> (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Overview
• IDP on page 3
IDP
About IDP
Securing intranet work application and resource traffic is vital to protecting your network
from hostile outside intrusion. You can add levels of application security to your remote
access network by integrating a Juniper Networks Secure Access Service with a Juniper
Networks Intrusion Detection and Prevention (IDP) Sensor.
The IDP sensor monitors the network on which the IDP system is installed. The sensor’s
primary task is to detect suspicious and anomalous network traffic based on specific
rules defined in IDP rulebases.
The IDP device provides the following types of protection in this solution (some forms
of protection depend upon the specific configuration):
• Protects against attacks from user to application and from application to user (from
a server-side endpoint)
• Detects and blocks zero day attacks through the use of anomaly detection
NOTE: An IDP Sensor can send logs to one Secure Access Service only.
However, the Secure Access Service can receive logs from more than one
IDP Sensor.
You do not need a special license from Juniper Networks to enable interaction between
the Secure Access Service and the IDP.
Using the Secure Access Service admin console, you can configure and manage interaction
attributes between the Secure Access Service and an IDP, including the following:
• Global configuration parameters such as the IDP hostname or IP address, the TCP port
over which the sensor communicates with the Secure Access Service, and the one-time
password the Secure Access Service and IDP use to authenticate with one another.
• Dynamically changing the IDP configuration from the Secure Access Service and alerting
the IDP of changes in the IP address pool available to remote users.
The IDP sits behind the Secure Access Service on your internal network and monitors
traffic flowing from the Secure Access Service into the LAN. Any abnormal events detected
by the IDP Sensor are reported to the Secure Access Service, which you configure to take
appropriate action based on the severity level of the reported events. The IDP Sensor
performs reporting functions in addition to any normal logging the IDP has been configured
to undertake.
You can use an IDP Sensor on the Secure Access Service cluster, if the cluster is configured
with a virtual IP (VIP) address.
IDP Deployment Scenarios
• Customer use of the Secure Access Service for extended enterprise access and IDP
for security of all perimeter traffic, including but not limited to traffic from the Secure
Access Service. The following figure illustrates this scenario, in which the Secure Access
Service is deployed in the DMZ or on the LAN and the IDP is deployed in-line behind
the firewall and in front of the LAN.
• In the second deployment scenario, IDP is used only to protect traffic that comes
through the Secure Access Service and is not in-line with other perimeter traffic. The
following figure illustrates this deployment scenario.
Configuration
• IDP on page 9
IDP
The IDP Sensor is a powerful tool to counter users who initiate attacks. Integration with
the Secure Access Service allows you to configure automatic responses as well as
manually monitor and manage users.
Once the IDP Sensor has been set up, you can specify the events you want the IDP to
watch for and the actions that the Secure Access Service takes once a particular event
has been noted and reported.
There are two locations on the Secure Access Service where you can specify actions to
be taken in response to users that perform attacks:
• Sensor Event policies page—Define the policy on this page to generate an automatic
response to users who perform attacks.
• Users page—Manually identify and quarantine or disable users on the System > Status
> Active Users page, which lists users who have performed attacks.
The Secure Access Service incorporates and displays the attack information received
from the IDP sensor on the System > Status > Active Users page. Based on the attackers
IP address and port number, the Secure Access Service can uniquely identify the user’s
session.
You can choose automatic or manual actions for attacks detected by the IDP sensor. For
manual action, you look up the information available on the Active Users page and decide
on an action. For automatic action, you configure the action in advance when you define
your IDP policies.
The Sensors tab allows you to specify the system settings the Secure Access Service
uses to establish a connection to a Juniper Networks Intrusion Detection and Prevention
(IDP) device.
Use the System > Configuration > Sensors > Sensors tab to perform a number of tasks
related to configuring and managing interaction between the Secure Access Service and
an IDP Sensor. The main Sensor page displays the sensor, the network address, the state
(enabled), the version, and the status of any configured sensors.
Creating a New IDP Sensor Entry
In IDP versions prior to 5.0, the Secure Access Service sends only the user IP address.
With version 5.0, the Secure Access Service sends session information including the
user, user role, and IP address.
To create a new IDP Sensor entry on the Secure Access Service:
NOTE: To use the IDP sensor with the Secure Access Service you must
enable logging for the applicable policies.
2. Click New Sensor. The admin console displays the New Sensor page.
• Name—A name the Secure Access Service uses to identify the new connection
entry
• Port—The TCP port on the IDP Sensor to which the Secure Access Service listens
when receiving application and resource attack alert messages
NOTE: The hostname, TCP port, and one-time password must already
be configured on the IDP Sensor before this configuration can be
successful.
4. Under Monitoring Options, specify IP addresses to monitor and the minimum alert
severity level the IDP Sensor will record and submit to the Secure Access Service:
• In the Addresses to Monitor field, specify individual IP addresses and address ranges,
one entry per line. IDP reports attack information only for the IP addresses that you
specify. If you want IDP to report all events to the Secure Access Service, enter
0.0.0.0/0. If you want IDP to report only selected events, enter <default> to have
IDP report only events whose source IPs have an active user session on the Secure
Access Service, and/or enter one or more addresses or address ranges for any
endpoint that you want the IDP sensor to report.
• Select one of the severity options available in the Severity filter drop-down list. The
severity level is a number on a scale from 1 to 5, where 1 is informational and 5 is
critical. This option sets the minimum severity of messages the IDP sends to the
Secure Access Service.
To enable or disable existing IDP Sensor entries on the Secure Access Service:
2. Select the checkbox next to one or more IDP Sensor entries you want to enable or
disable.
3. Click Enable or Disable to enable or disable the specified IDP Sensor entries,
respectively.
You can delete existing IDP Sensor entries that define a connection between the Secure
Access Service and an IDP Sensor.
To delete one or more existing IDP Sensor entries from the Secure Access Service:
2. Select the checkbox next to the IDP Sensor entry or entries you want to delete.
3. Click Delete and then confirm that you want to delete the sensor entry or entries.
When the connection to an IDP Sensor is down, you can use the admin console on the
Secure Access Service to re-establish the connection. You can also use the admin console
to refresh the status of existing connections between the Secure Access Service and the
IDP Sensor.
If you need to re-establish communication with an IDP Sensor, you must generate a new
One-time Password.
2. Select the checkbox next to the IDP Sensor to which you want to reconnect.
3. Click Reconnect.
The admin console displays a message informing you that the Secure Access Service
is currently attempting to re-establish connection to the specified IDP Sensor. This
page automatically refreshes each second during the reconnection process. Otherwise,
the connection status page automatically refreshes once every 30 seconds.
To refresh and display the connection status for the specified IDP Sensor:
2. Select the checkbox next to one or more IDP Sensor entries for which you want to
display current connection status.
3. Click Refresh.
Administration
• Quarantined Users on page 15
• Sensor Event Policies on page 17
Quarantined Users
When the Secure Access Service quarantines a user based on an attack, you can display
and manage the states by locating the user link in the System > Status > Active Users
page.
• An enabled Quarantined option button on the specific user’s page. If the user is not
quarantined, the option button is disabled.
You can manage quarantined users from either the admin GUI or by logging in as a user
with administrative rights on the local authentication server.
2. Locate the quarantined user from the Authentication > Auth. Servers > System Local
on the admin GUI or from the Admin Users window on the local authentication server.
You must be logged in to the local authentication server as an administrator user in
order to see the Admin User option.
3. Click the username link. The user page opens, showing a number of options.
All Sensor events are logged at System > Log/Monitoring > Sensors > Log.
Use the System > Configuration > Sensors > Sensor Event Policies tab to specify one or
more rules that specify the action(s) the Secure Access Service takes when it receives
attack alert messages from an IDP Sensor.
1. In the admin console, select System > Configuration > Sensors > Sensor Event Policies.
• Click Events to edit an existing event or create a new type of event and add it to the
options in the Events drop-down list:
For example, to check for all critical/highest severity level attacks, enter the
following expression:
idp.severity >= 4
To check for all critical/highest severity level attacks for HTTP traffic, enter the
following expression:
c. When you have finished entering the expressions you want to apply to this event,
click Add Expression.
d. Click Close.
4. In the Count this many times section, specify a number between 1 and 256 to determine
the number of times an event must occur before action is taken.
5. In the ...then perform this action section, specify one of the following actions:
• Ignore (just log the event)—Specifies that the Secure Access Service should log
the event, but take no further action against the user profile to which this rule applies.
This option is best used to deal with very minor “informational” attack alert messages
that come from the IDP Sensor.
• Disable user account—Specifies that the Secure Access Service should disable the
user profile associated with this attack alert message, thus rendering the client
unable to sign in to the Secure Access Service until the administrator re-enables
the user account. (This option is only applicable for users who have a local Secure
Access Service user account.)
• Replace user’s role with this one—Specifies that the role applied to this user’s
profile should change to the role you select from the associated dropdown list. This
new role remains assigned to the user profile until the session terminates. This
feature allows you to assign a user to a specific controlled role of your choice, based
on specific IDP events. For example, if the user performs attacks, you might assign
the user to a restricted role that limits the user’s access and activities.
• Policy applies to SELECTED roles—To apply this policy only to users who are
mapped to roles in the Selected roles list. Make sure to add roles to this list from
the Available roles list.
• Policy applies to all roles OTHER THAN those selected below—To apply this policy
to all users except for those who are mapped to the roles in the Selected roles list.
Make sure to add roles to this list from the Available roles list.
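The following added example (not Juniper's code) simulates in Python the two filtering steps described under Monitoring Options, the Addresses to Monitor list with its <default> keyword and the severity filter, and then applies one Sensor Event Policy (expression, count threshold, action, and role scoping) to a constructed alert stream. The session table, IP addresses, role names and alerts are constructed sample data, not values from the page.

```python
import ipaddress
from collections import Counter

# Monitoring Options from the Sensors tab (constructed values). "<default>" means:
# report only events whose source IP has an active user session on the SA.
ADDRESSES_TO_MONITOR = ["<default>", "10.20.0.0/16"]
SEVERITY_FILTER = 2        # minimum severity submitted (1 informational .. 5 critical)

# Active user sessions on the SA, keyed by endpoint IP (constructed sample data).
ACTIVE_SESSIONS = {"10.1.1.7": ("alice", "Employees"),
                   "10.1.1.9": ("bob", "Contractors")}

# One Sensor Event Policy: the page's expression "idp.severity >= 4", a count of 3,
# the "Replace user's role with this one" action, applied to SELECTED roles only.
# The role names are hypothetical.
POLICY = {"expr": lambda alert: alert["severity"] >= 4,
          "count": 3,                                  # the page allows 1 to 256
          "action": "replace_role", "new_role": "Quarantine",
          "apply_to": "selected", "roles": {"Employees"}}

# Constructed alert stream, in the order the SA receives it from the sensor.
ALERTS = [{"src": "10.1.1.7", "severity": 4}, {"src": "10.1.1.7", "severity": 5},
          {"src": "10.1.1.7", "severity": 3},       # does not satisfy the expression
          {"src": "10.1.1.9", "severity": 5}, {"src": "10.1.1.9", "severity": 5},
          {"src": "10.1.1.9", "severity": 5},       # bob's role is outside the policy
          {"src": "192.168.5.5", "severity": 5},    # not monitored and no SA session
          {"src": "10.1.1.7", "severity": 1},       # dropped by the severity filter
          {"src": "10.1.1.7", "severity": 4}]       # alice's third hit: action fires

def address_is_monitored(src_ip, monitor_list, sessions):
    """Apply the Addresses to Monitor list, including the <default> keyword."""
    ip = ipaddress.ip_address(src_ip)
    for entry in monitor_list:
        if entry == "<default>":
            if src_ip in sessions:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):  # 0.0.0.0/0 matches all
            return True
    return False

def policy_applies_to_role(policy, role):
    """'Policy applies to SELECTED roles' versus 'all roles OTHER THAN those selected'."""
    if policy["apply_to"] == "selected":
        return role in policy["roles"]
    return role not in policy["roles"]

def evaluate(alerts, policy=POLICY, monitor_list=ADDRESSES_TO_MONITOR,
             sessions=ACTIVE_SESSIONS, min_severity=SEVERITY_FILTER):
    """Return {username: (action, new_role)} once a user's hit count reaches the threshold."""
    hits, actions = Counter(), {}
    for alert in alerts:
        if alert["severity"] < min_severity:          # sensor-side severity filter
            continue
        if not address_is_monitored(alert["src"], monitor_list, sessions):
            continue
        session = sessions.get(alert["src"])          # map the source IP to an SA session
        if session is None:
            continue
        user, role = session
        if not policy["expr"](alert) or not policy_applies_to_role(policy, role):
            continue
        hits[user] += 1
        if hits[user] == policy["count"]:             # "Count this many times"
            actions[user] = (policy["action"], policy["new_role"])
    return actions
```

Calling `evaluate(ALERTS)` returns an action for alice only: bob's role is outside the selected roles, and the unmonitored and low-severity alerts never reach the count.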
Related Documentation
• Configuring the Secure Access Service to Interoperate with IDP on page 9
Index
• Index on page 21
Symbols
#, comments in configuration statements ... xi
( ), in syntax descriptions ... xi
< >, in syntax descriptions ... x
[ ], in configuration statements ... xi
{ }, in configuration statements ... xi
| (pipe), in syntax descriptions ... xi
B
braces, in configuration statements ... xi
brackets
  angle, in syntax descriptions ... x
  square, in configuration statements ... xi
C
comments, in configuration statements ... xi
conventions
  text and syntax ... x
curly braces, in configuration statements ... xi
customer support ... xi
  contacting JTAC ... xi
D
documentation
  comments on ... xi
F
font conventions ... x
I
IDP configuration ... 3
IDP deployment examples ... 4
IDP interaction ... 9
IDP sensor policies ... 10
IDP, automatic response ... 17
IDP, interoperability ... 9
IDP, quarantining users manually ... 15
IDP, using with UAC ... 3
P
parentheses, in syntax descriptions ... xi
S
sensor policies for IDP, configuring ... 10
support, technical See technical support
syntax conventions ... x
T
technical support
  contacting JTAC ... xi