User manual JUNIPER NETWORKS NETWORK AND SECURITY MANAGER 2010.4 CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01

[. . . ] Network and Security Manager Configuring Intrusion Detection and Prevention Devices Guide Release 2010. 4 Published: 2010-11-17 Revision 01 Copyright © 2010, Juniper Networks, Inc. Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www. juniper. net This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto. [. . . ] NOTE: The default URL from which to obtain updates is https://services. netscreen. com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo. dat. If you encounter connection errors, ensure this setting has not been inadvertently changed. NSM restores the URL in the Download URL for ScreenOS Devices text box. Click OK. To push an IDP detector engine update from the NSM GUI server to IDP devices From the NSM main menu, select Devices > IDP Detector Engine > Load IDP Detector Engine for ScreenOS and complete the wizard steps. NOTE: Updating the IDP detector engine on a device does not require a reboot of the device. 64 Copyright © 2010, Juniper Networks, Inc. Chapter 5: Working with Attack Objects Table 35: IDP Detector Engine and NSM Attack Database Update Procedures (continued) Task To push predefined attack object updates from the NSM GUI server to IDP devices Procedure 1. From the NSM main menu, select Devices > Configuration > Update Device Config. 2. Select the devices that you want to push configuration updates to and to set update job options on. NOTE: Only the attack objects that are used in IDP rules for the device are pushed from the GUI server to the device. To schedule regular updates 1. Log in to the NSM GUI server command line. 2. Create a shell script called attackupdates. sh with the following contents: · Set the NSMUSER environment variable with an NSM domain/user pair. Example: export NSMUSER=domain/user · Set the NSMPASSWD environment variable with an NSM password. The command for setting environment variables depends on your OS and shell. Example: export NSMPASSWD=password · Specify a guiSvrCli command string. Example: /usr/netscreen/GuiSvr/utils/guiSvrCli. sh --update-attacks --post-action --update-devices --skip 4. Make the script executable by the user associated with the cron job: chmod 700 attackupdates. sh 5. Add an entry for the shell script: minutes_after_hour hour * * * /usr/netscreen/GuiSvr/utils/attackupdates. sh During the update, the guiSvrCli utility updates the attack object database, then performs the post actions. After updating and executing actions, the system generates an exit status code of 0 (no errors) or 1 (errors). Related Documentation · Attack Objects in Intrusion Detection and Prevention Security Policies Overview on page 63 Viewing Predefined Attack Objects (NSM Procedure) Working with Attack Groups (NSM Procedure) on page 66 · · Viewing Predefined Attack Objects (NSM Procedure) Purpose Juniper Networks Security Center (J-Security Center) develops predefined attack objects and attack object groups for IDP rulebase rules. Copyright © 2010, Juniper Networks, Inc. 65 Configuring Intrusion Detection and Prevention Devices Guide In most cases, the predefined attack objects are the only attack objects you need to protect your network. The predefined attack object list in the NSM Object Manager provides the following summary of each attack object: · · · · · · Name of the attack object Severity of the attack: critical, major, minor, warning, info Category Keywords Common Vulnerabilities and Exposures database (CVE) number Security Focus Bugtraq database number Action To view predefined attack object details: 1. In the Object Manager, click Attack Objects > IDP Objects to display the IDP Objects dialog box. 2. Click either the Predefined Attacks or Predefined Attack Groups tab to view the predefined attack object list. 3. Double-click the table row entry for the attack object to display its details. NOTE: You cannot create, edit, or delete predefined attack objects. Related Documentation · Attack Objects in Intrusion Detection and Prevention Security Policies Overview on page 63 Working with Attack Groups (NSM Procedure) on page 66 Loading J-Security-Center Updates (NSM Procedure) on page 64 Viewing Predefined Attack Objects (NSM Procedure) · · · Working with Attack Groups (NSM Procedure) NSM groups are administrative objects that facilitate configuration and monitoring tasks. You can add attack groups or individual attack objects to IDP rulebase rules and Exempt rulebase rules. · · Creating Dynamic Groups on page 67 Creating Static Groups on page 68 66 Copyright © 2010, Juniper Networks, Inc. Chapter 5: Working with Attack Objects Creating Dynamic Groups A dynamic group contains attack objects that are automatically added or deleted based on specified criteria for the group. The NSM Object Manager includes predefined dynamic groups that work with recommended attack objects, predefined attack objects, the recommended security policy, and predefined policy templates. When you run an NSM attack database update job, the process automatically performs the following tasks: · For all new attack objects, compares the predefined attributes of each attack object to each dynamic group criteria and adds the attack objects that match. [. . . ] NOTE: The data that you can display in each report is limited by the amount of log information available. Data point count Typically, the top 50 occurrences of each data type are displayed in each report. You can configure a report to display more or fewer data points depending upon the level of detail you need. For example, if you want to obtain a more precise view of the top occurrences of events, you would configure a lower data point count (such as 25). NOTE: The minimum data point count that you can configure in all reports is 5; the maximum data point count is 200. Chart type Select from the following choices: · · · · Horizontal bar (default) Pie Line Vertical bar Save Report In In the first selection box, specify whether to save in the My Reports or Shared Reports node. [. . . ]