Identity-based Application and Network Profiling · Identity-Based Application and Network Profiling Introduction When Juniper Networks Unified Access Control (UAC) is used in conjunction

Application Note

Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089 USA408.745.20001.888 JUNIPERwww.juniper.net

Identity-Based Application and Network ProfilingUsing UAC in Conjunction with NSM, IDP and Infranet Enforcers Permits User-Identified Application and Network Profiling

Part Number: 350113-001 Nov 2007

Copyright ©2007, Juniper Networks, Inc.2

Identity-Based Application and Network Profiling

Table of ContentsIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Description and Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11

About Juniper Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Copyright ©2007, Juniper Networks, Inc. 3


IntroductionWhen Juniper Networks Unified Access Control (UAC) is used in conjunction with Juniper Networks NetScreen-Security Manager (NSM) and Juniper Networks Infranet Enforcers, you gain user-identified visibility into your network traffic . With the addition of an Intrusion Detection and Prevention (IDP) system, whether standalone or integrated, you can gain an even deeper insight into your network by being able to correlate user identity with application and network profiling data collected by the IDP . Previously, profiler data was identified strictly by a combination of IP addresses, ports, and applications, but no user identity information was included . The identity of the user responsible for generating the traffic obtained by the profiler was difficult to determine without a significant correlation effort . Using UAC, however, the IDP application and network profile is tagged with the username and roles of the user that generated the profiled traffic .

ScopeThis application note describes how to configure NSM, the Infranet Enforcers, and the IDP to provide user-identified application and network profiler information .

Design ConsiderationsTo generate identity-based profiler data, you need the following:

Hardware Requirements

Server platform capable of running NSM version 2007 .2R1 or greater (or Juniper Networks •NSMXpress appliance)

Infranet Enforcer(s) capable of running Juniper Networks ScreenOS version 6 .0 .0R1 or greater•

Juniper Networks Infranet Controller models IC4000 or IC6000•

IDP standalone (IDP50/200/600/1100) or firewall-integrated (Juniper Networks Integrated •Security Gateways [ISG] 1000/2000)

Software Requirements

NetScreen-Security Manager version 2007 .2R1 or greater•

ScreenOS version 6 .0 .0R1 or greater•

Infranet Controller version 2 .0R3 or greater•

IDP software v4 .1R1a or greater•

Description and Deployment ScenarioIn order to use this new feature you must complete a couple of steps . First, the Infranet Enforcers, and the IDP systems used to gather profiling information, must be under control of NSM . Before adding the devices to NSM, you must make a change to the NSM Device Server configuration:

Edit the /var/netscreen/DevSvr/devSvr.cfg file .

Look for the following line in the file and change it from:

devSvrManager.uac_correlation_enabled 0

to

devSvrManager.uac_correlation_enabled 1

After making this change, you will need to restart the NSM Device Server . You can either reboot the NSM server, or execute the command /usr/netscreen/DevSvr/bin/devSvr.sh restart.



After modifying the NSM Device Server configuration, you can add your Infranet Enforcer and IDP devices to NSM . Be aware that without at least one Infranet Enforcer configured to send traffic logs to NSM, you will not be able to correlate user-identity with profiler data . This is because NSM receives the user, role, and IP address information from the Infranet Enforcer traffic log data . As such, user-identified profiling should be done using an ISG platform with the integrated IDP module(s) . Using the ISG as both an Infranet Enforcer and IDP ensures that the traffic log data matches that collected by the profiler and permits NSM to identify—by user—all application and network profile information . Though possible to use a standalone IDP in conjunction with separate Infranet Enforcers, this is not ideal, as the IDP profiler may collect application and network data that cannot be correlated because the user’s traffic did not pass through an Infranet Enforcer .

To get the Infranet Enforcer traffic logs into NSM, you must complete three steps: (1) add the Infranet Enforcer to NSM, (2) enable traffic logging on the Infranet Enforcer, and (3) enable logging on any Infranet policy for which you want traffic data captured to NSM . For a step-by-step configuration example, see the “Identity-based Traffic Logging and Reporting ” application note .

Next, you must add the IDP to NSM . While this procedure is covered in detail in numerous other documents, below is a brief step-by-step guide on how to do it . Within NSM, open the Device Manager > Security Devices window, click on the plus sign (+), and select Device from the pull down menu .

Figure 1: Log View Creation

Enter the Device Name for your IDP (this is only for NSM), then click Next . Specify the IP Address of the IDP, along with the Admin Username and Password and the root password of the device; then click Next . Once contact is made, click Next to accept the IDP’s SSH key . Finally, once the device information has been auto-detected, click Next to add the IDP into NSM .



Figure 2: IDP Addition to NSM

After adding the IDP to NSM, you will most likely need to import the device’s configuration into NSM . You can verify whether or not this needs to be done by mousing over the IDP in the Security Devices view . Note the value for Configuration State . If it indicates that an import is needed, perform the next step; otherwise you can skip it . Even if the Configuration State shows Managed, performing an import will not harm anything .

Figure 3: IDP Status

To import the IDP configuration into NSM, right-click on the IDP device icon and select Import Device from the menu . After a few moments, NSM should report the successful importation of the IDP configuration . You can again check the status of the IDP, which should now show its Configuration State as Managed .



Figure 4: IDP Configuration Import into NSM

Once the IDP is in a Managed state, it’s time to configure it for profiling . Open the IDP configuration for editing by double-clicking the IDP icon in the Security Devices list . In the Info pane, select a Security Policy from the pull-down menu . You can use a pre-defined Security Policy, or you will have to create your own (not discussed here) .

Figure 5: Configure IDP Security Policy



Next, go to the Profiler Settings pane . There are several tabs here that you will need to configure . First, check the Enable Profiling checkbox on the General tab .

Figure 6: Enable Profiling



On the Tracked Hosts tab, select those hosts that you want the profiler to pay attention to . The list of Tracked Hosts must be defined separately in the Object Manager section of NSM .

Figure 7: Selecting Tracked Hosts



On the Contexts to Profile tab, select all Contexts unless you have a specific reason not to . Consult the IDP and NSM documentation for further information about these selections . After completing this tab, click OK to save the Profiler configuration .

Figure 8: Selecting Contexts to Profile

To start the Profiler, right-click on the IDP device icon in the Security Device list and select IDP Profiler > Start Profiler from the pull-down menu . The pop-up window allows you to change any of the Profiler settings that you just made (you don’t need to change anything) . Click OK to start the Profiler . You should receive a Job Information window showing that the Profiler has started .

Figure 9: Starting the Profiler



To see the Profiler logs, navigate to the Security Monitor > Profiler menu within the NSM main window . The Application Profiler will be the default view . It’s possible that this table won’t contain the User and Role columns that you’re after, so you’ll have to add them . Select View > Choose Columns from the menus at the top of the NSM window, check the User and Role checkboxes, and move them to a position of your liking .

Figure 10: Adjusting Column Settings

Your Application Profiler view should now look something like the picture below . The User column will reflect the username of the person that generated the traffic associated with that particular Profiler entry, and the Role column will show the UAC roles to which that user was mapped . All other traditional Profiler information is there, and now it’s correlated to a user .

Figure 11: Application Profiler View



The Network Profiler view looks similar .

Figure 12: Network Profiler View

Summary The latest versions of NSM, Infranet Enforcers, IDP and UAC, working together as an integrated solution, enable you to perform application and network profiling that is specific to an individual user . This user-indentified profiling information provides you with valuable insight into the state of your network and application usage .

12

Copyright 2007 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOS and JUNOSe are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

CORPORATE HEADQUARTERS AND SALES HEADQUARTERS FOR NORTH AND SOUTH AMERICAJuniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA Phone: 888.JUNIPER (888.586.4737) or 408.745.2000 Fax: 408.745.2100www.juniper.net

EAST COAST OFFICEJuniper Networks, Inc. 10 Technology Park Drive Westford, MA 01886-3146 USA Phone: 978.589.5800 Fax: 978.589.0800

ASIA PACIFIC REGIONAL SALES HEADQUARTERSJuniper Networks (Hong Kong) Ltd. 26/F, Cityplaza One1111 King’s RoadTaikoo Shing, Hong KongPhone: 852.2332.3636 Fax: 852.2574.7803

EUROPE, MIDDLE EAST, AFRICA REGIONAL SALES HEADQUARTERSJuniper Networks (UK) Limited Building 1 Aviator Park Station Road Addlestone Surrey, KT15 2PG, U.K. Phone: 44.(0).1372.385500 Fax: 44.(0).1372.385501

To purchase Juniper Networks solutions, please contact your Juniper Networks sales representative

at 1-866-298-6428 or authorized reseller.


12

About Juniper NetworksJuniper Networks, Inc . is the leader in high-performance networking . Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network . This fuels high-performance businesses . Additional information can be found at www .juniper .net .

Documents

Identity-based Application and Network Profiling · Identity-Based Application and Network Profiling Introduction When Juniper Networks Unified Access Control (UAC) is used in conjunction