Juniper Networks Intrusion Detection and Prevention IDP 75, 250, 800, and 8200 Installation Guide Releases 4.1r2a and 4.2 April 2008 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.
Copyright Notice Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice.
About This Guide

This guide describes the physical features of the Juniper Networks Intrusion Detection and Prevention (IDP) solution: the IDP 75, IDP 250, IDP 800, and IDP 8200 sensors. It also explains how to install, configure, update/reimage, and service the IDP system.
Documentation

This guide is shipped in the box with all new IDP sensors. It provides the basic procedures for getting your IDP system running. With each major software release, Juniper Networks provides the IDP Documentation CD. The CD contains the documentation set in PDF format. The IDP documentation set includes the following books:

- Release Notes—Contain the latest information about features, changes, known problems and resolved problems.
Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

- Find CSC offerings: http://www.juniper.net/customers/support/
- Search for known bugs: http://www2.juniper.net/kb/
- Find product documentation: http://www.juniper.net/techpubs/
- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.
Chapter 1 Planning an Installation

This chapter provides an overview of IDP configuration options. This chapter has the following sections:

- Installation Roadmap
- IDP Configuration Basics

Installation Roadmap

This section provides a high-level roadmap of an IDP sensor installation. With each step is a reference to more information.

1. Install the NetScreen-Security Manager (NSM) server onto a dedicated host or hosts.
8. Add the sensor as an object in NSM using the Add Device wizard. Select Device Manager > Security Devices from the left navigational pane, and then click the + button. See “Adding Your Sensor to NSM” on page 29.

The Add Device Wizard creates a database entry in NSM for the sensor, imports the sensor’s configuration, and loads the Juniper Networks Recommended policy onto the sensor. At that point, your sensor is actively protecting your network.
To use an IDP sensor as a passive intrusion detection system without prevention capabilities, deploy the sensor in passive sniffer mode to monitor and log network traffic. If the sensor is attached to a network switch, you must configure the switch to mirror all traffic to that port. The IDP sensor defaults to sniffer mode.

Active mode—The gateway (inline) mode is active.
Table 2: Advantages and Disadvantages of Sniffer Mode (Passive)

Advantages Disadvantages Seamlessly replaces the current intrusion Passively monitors with limited prevention detection only Causes minimal network changes Requires a hub or the Switched Port Analyser (SPAN) port of a switch Does not create an additional point-of-failure gateway Monitors and logs suspicious network activity

Figure 2: Transparent Mode (Inline Active)
Table 3: Advantages and Disadvantages of Transparent Mode (Inline Active)

Advantages:
- Reliably responds to and prevents attacks
- Simple, transparent deployment
- Allows Layer 2 broadcasts
- No changes to routing tables or network equipment
- Forwards non-IP traffic

Disadvantages:
- Cannot connect IP networks with different address spaces

NetScreen-Security Manager

Use NetScreen-Security Manager to administer the sensor.
Chapter 2 Hardware Overview

This chapter provides detailed descriptions of the Juniper Networks IDP sensors and their components.
IDP 75 Sensor

The IDP 75 sensor is optimal for small networks or low-speed network segments. Figure 3 shows the following features:

- One console serial port
- One management network interface port
- One USB port
- Two copper Ethernet ports (10/100/1000 Mbps)

Figure 3: IDP 75 Front Panel

IDP 250 Sensor

The IDP 250 sensor is optimal for medium central sites or large branch offices.
- One USB port
- Two IOC slots (each IOC containing four gigabit ports)
- Two built-in copper Ethernet ports (10/100/1000 Mbps)

Figure 5: IDP 800 Front Panel

IDP 8200 Sensor

The IDP 8200 sensor is optimal for large central sites or high-traffic areas.
Figure 6: IDP 8200 Front Panel

Traffic Ports (Forwarding Interfaces)

The IDP 75, 250, 800, and 8200 sensors have traffic ports (forwarding interfaces), which are located on the front of each device. Sensors can have a combination of copper and fiber ports.

Figure 7: Traffic Ports

Configurable NIC States

Copper port pairs on the IDP 75, 250, 800, and 8200 can be configured to take specified actions when the sensor becomes unavailable.
Table 4: NIC State Options

ACM Settings NIC bypass Modes Availability Description Transparent mode only Sensor failure While sensor is active, it does not pass NSRP packets unless Layer 2 bypass is enabled. Graceful shutdown When sensor becomes unavailable, ports mechanically join in a crossover. Traffic continues to flow, but sensor does not examine traffic.
The fiber Ethernet ports are standard interfaces and do not incorporate the integrated bypass feature. Automatic bypass is available for fiber ports through third-party devices.

NIC Bypass and Cable Choices

When NIC bypass becomes active, it physically connects the pair of forwarding interfaces to each other with a crossover cable.
Peer Port Modulation

After peer port modulation (PPM) is enabled, if the link goes down for any interface in a virtual router, the sensor deactivates all the interfaces in that virtual router. All devices connected to the virtual router will detect a port failure and must be configured to take appropriate action. You cannot enable NIC bypass and PPM on the same sensor.

On the IDP 75, 250, 800, and 8200 sensors:

- PPM works on both copper and fiber interfaces.
Table 6: IDP Sensor Power Supplies

IDP Sensor    Power Supplies
75            One fixed power supply.
250           One removable power supply.
800, 8200     Two removable hot-swappable power supplies. Both sensors are shipped with the AC power supply. The DC power supplies are optional as FRUs.
Figure 8: LEDs for Management and HA Ports

Table 8: IDP Sensor Management and High Availability Port LED

Port LED    Description                            Status
LINK        Port connection/activity indicator.    Blinks amber to indicate activity on the port.
TX/RX       Speed indicator.                       Stays off for 10 Mbps. Glows green for 100 Mbps. Glows amber for 1000 Mbps.

Traffic Port LEDs

The IDP 75, 250, 800, and 8200 sensors each have two traffic status LEDs on each traffic port.
Table 10: Hard Drive LED Definitions

Front Panel LED: Hard drive failure (800 and 8200 only)
Description: The left LED on the hard drive. The LED is off if the hard drive is functioning normally. The LED is red if the hard drive has failed. In addition, the system emits a high-pitch noise if a hard drive has failed. The LED flashes red if the drive is being rebuilt.
Chapter 3 Installing the Sensor

This chapter describes how to install the IDP sensor in an equipment rack. This chapter has the following sections:

- General Installation Guidelines
- Rack Mounting the IDP Sensor
- Connecting Power

General Installation Guidelines

Observing the following precautions can prevent injuries, equipment failures, and shutdowns.

WARNING: Never assume that the power supply is disconnected from a power source. Always check first.
Rack Mounting the IDP Sensor

The location of the sensor and the layout of your equipment rack or wiring room are crucial for proper system operation. Use the following guidelines while configuring your equipment rack.

Enclosed racks must have adequate ventilation. An enclosed rack should have louvered sides and a fan to provide cooling air. When mounting a chassis in an open rack, ensure that the rack frame does not block the intake or exhaust ports.
Figure 9: Rail with Hinged Rear Bracket

2. Rotate the hinges on both rails so that they allow the device to slide into the rack.
3. Slide the chassis into a set of rails.

CAUTION: Be sure to leave at least two inches of clearance on the sides of each chassis for the cooling air inlet and exhaust ports.

4. Secure the front brackets to the rack.
5. Rotate the rear brackets so they prevent the device from sliding forward.
6. Secure the rear brackets to the rack.
Figure 11: 1 RU Device (IDP 75) Midmount Bracket

2. Place the chassis into position between rack posts in the equipment rack and align the rack mounting bracket holes with the rack post holes.

CAUTION: Be sure to leave at least two inches of clearance on the sides of each chassis for the cooling air inlet and exhaust ports.

3. Attach the rack-mounting brackets on each chassis to the rack with the appropriate rack screws.
4.
Chapter 4 Configuring the IDP Sensor

This chapter describes how to connect to the IDP sensor and configure the device for your network. After you have configured the sensor, you need to connect the device in your network.
Simple Configuration Values

A simple configuration has the following settings and values:

- Root password—abc123
- Fully qualified domain name—Blank
- High availability mode—Disabled
- RADIUS support—Disabled
- Network interfaces—Auto
- Virtual routers—
  - Sniffer mode: One virtual router created (vr0)
  - Transparent mode: One virtual router created for each pair of interfaces
- DNS—Disabled
- NTP—Disabled
- SSH on management port—Enabled
To configure your sensor using the console serial port, do the following:

1. Connect one end of the provided RJ-45 null modem serial cable to the CONSOLE port located on the front of the sensor chassis.
2. Connect the other end of the cable to the serial port of your workstation.
3. Open a terminal emulation package such as Microsoft Windows HyperTerminal or XModem.
The system configures your interfaces. The following text appears:

    Configuring default route...
    The current default route is: X.X.X.X
    Do you want to change the default route? (y/n) [n]

9. Type Y, and then press Enter. The following text appears:

    What IP address do you want to configure as default route? [X.X.X.X]

10. Type your default route (gateway address) and press Enter. The system asks if you want to change the system time.

    Configuring system time...
2. On a connected computer, open a Web browser. Type https://192.168.1.1.

NOTE: Because the ACM uses an SSL connection, you must type https:// before the IP address.

3. Type the default user name (root) and password (abc123).
4. Skip to “Simple or Advanced Configuration Using the Management Port” on page 25.
QuickStart Simple Configuration

Table 12 provides the information you need for a simple configuration.

Table 12: Information Needed for QuickStart Configuration

Field: Device Deployment mode
Configuration Information: QuickStart offers the two most popular deployment modes. If you want to use one of the other deployment modes, use the ACM instead.
- Sniffer—You want the sensor to report on security events, but not take action to prevent them.
Table 13: Information Needed for ACM Configuration (continued)

Section: Networking
Configuration Information:
- Speed and duplex settings for IDP sensor interfaces. (Normally, these can be set to auto-detect. With some switches, the speed and duplex settings have to be set manually.)
- The VLAN interfaces you want to configure.
In proxy-ARP or router mode, if you are using multiple subnets in your protected network, you must configure static routes on the IDP sensor to these subnets. Without static routes, incoming traffic to those subnets can be lost. Alternatively, you can create a static route from the IDP sensor to an internal gateway that contains inbound routes to the protected subnets. (This does not apply to the IDP 8200 sensor.
Chapter 5 Adding the Sensor to NSM

This chapter describes how to add the IDP sensor to NetScreen-Security Manager (NSM) and push the Recommended policy. When you have completed the steps in this chapter, your IDP sensor will be protecting your network.

You must have NSM installed to complete the steps in this chapter. See the NetScreen-Security Manager Installation Guide.
Figure 12: Begin Add Device Procedure

4. On the Security Devices page, click the + button and select Device to open the Add Device wizard (Figure 13).
   a. Type a name and select a color to represent the device in the UI.
   b. Select Device is Reachable (default).

Figure 13: Add Device Wizard - Device Name

5. Click Next to display the Specify Connection Settings dialog box (Figure 14).
Figure 14: Add Device Wizard - Connection Settings

6. Enter the following connection information:

   NOTE: All passwords handled by NetScreen-Security Manager are case-sensitive.

   a. Enter the IP address of the sensor.
   b. Enter admin in the Admin User Name box.
   c. Enter the password for the admin user name. The default password is abc123.
   d. Enter the password for the device root user. The default password is abc123.
   e. Select SSH Version 2 as the connection method.
7. Verify the SSH key fingerprint to prevent man-in-the-middle attacks:
   a. Connect a PC or terminal to the IDP sensor using the console serial port.
   b. Log in as root.
   c. Type cd /etc/ssh and press Enter.
   d. Type ssh-keygen -l -f ssh_host_dsa_key and press Enter. You see something similar to this:

      1024 f4:91:d0:04:b7:61:00:77:45:c3:cc:bd:af:b3:5b:a2 ssh_host_dsa_key.pub

8.
Figure 18: Add Device Wizard - Importing the Device

12. Click Finish to update the sensor with the Juniper Networks Recommended policy. The Job Information dialog box shows the status of the Update Device job.

Checking the Status of Your Sensor

When the update device job finishes, move the mouse pointer over the device in Device Manager to check the device status.
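The comparison behind step 7 of the Add Device procedure above, as an added example (not code from this guide or from Juniper): it parses an `ssh-keygen -l` line in the form the guide shows, recomputes the same MD5 colon-separated fingerprint from a public-key line, and compares the console value with the fingerprint presented when connecting. The sample key is constructed and is not a real host key; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re
import struct

# Line shape the guide shows: "<bits> <16 colon-separated hex bytes> <file>"
_KEYGEN_LINE = re.compile(r"^(\d+)\s+((?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2})\b")
# Which field of the key blob holds the number whose size ssh-keygen reports
_SIZE_FIELD = {"ssh-dss": 1, "ssh-rsa": 2}   # DSA: p, RSA: n


def _ssh_string(data):
    """Length-prefixed string as used in the SSH public-key blob."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """Positive integer as an SSH mpint (extra zero byte when the top bit is set)."""
    return _ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


# Constructed sample, NOT a real key: the numbers only have DSA-like sizes.
SAMPLE_BLOB = _ssh_string(b"ssh-dss") + b"".join(
    _ssh_mpint(n) for n in ((1 << 1023) | 0x1D7, (1 << 159) | 0x2B, 2, (1 << 1000) | 0x55))
SAMPLE_PUB_LINE = "ssh-dss " + base64.b64encode(SAMPLE_BLOB).decode() + " root@sensor"


def read_fields(blob):
    """Split a key blob into its length-prefixed fields, rejecting truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def key_summary(pub_line):
    """Return (bits, md5_fingerprint) for one line of a .pub file."""
    key_type, b64 = pub_line.split()[:2]
    fields = read_fields(blob := base64.b64decode(b64, validate=True))
    index = _SIZE_FIELD.get(key_type)
    if index is None or len(fields) <= index or fields[0] != key_type.encode():
        raise ValueError("unsupported or inconsistent key type")
    bits = int.from_bytes(fields[index], "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()   # fingerprint = MD5 over the raw blob
    return bits, ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def parse_keygen_line(line):
    """Parse one line of `ssh-keygen -l` output into (bits, fingerprint)."""
    match = _KEYGEN_LINE.match(line.strip())
    if match is None:
        raise ValueError("not a '<bits> <fingerprint> <file>' line")
    return int(match.group(1)), match.group(2).lower()


def fingerprints_match(console_line, presented_fingerprint):
    """True only if the fingerprint read at the console equals the presented one."""
    _, trusted = parse_keygen_line(console_line)
    presented = presented_fingerprint.strip().lower()
    return hmac.compare_digest(trusted.encode(), presented.encode())


if __name__ == "__main__":
    bits, fp = key_summary(SAMPLE_PUB_LINE)
    console = f"{bits} {fp} ssh_host_dsa_key.pub"   # what the console would print
    print(console, fingerprints_match(console, fp.upper()))
```

The trusted value is the one read over the console serial port, as in step 7, because that path does not cross the network whose integrity is being checked.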
Chapter 6 Updating Software on the Sensor

This chapter describes how to update the software on an IDP sensor. It has the following sections:

- Updating IDP Sensor Software Using NSM Firmware Manager
- Updating IDP Sensor Software Without NSM
- Reimaging the IDP Sensor

Updating IDP Sensor Software Using NSM Firmware Manager

You can use NSM to upgrade your IDP sensors. First, you must load a new sensor image to NSM. Then, use NSM to load the new image onto your sensors.
Upgrading Sensor Software

After you have made the software available to NSM, you can use NSM to upgrade the sensor. To upgrade the sensor using NSM:

1. From the menu bar, select Devices > Firmware > Change Device Firmware to open the Change Device Firmware dialog box.
2. Select the devices whose firmware you want to upgrade.
3. Select the firmware you want installed on the device in the Select Target Firmware Version box.
4.
7. Reboot the device when the script is finished.
8. Type reboot and press Enter.
9. Reconnect the HA cable after upgrading all of the sensors in the cluster.
10. In NSM, right-click the sensor in Device Manager, and then select Adjust OS Version.

Reimaging the IDP Sensor

Each IDP sensor comes with software preinstalled. However, if you need to reload the software onto your sensor, you can use the USB stick that was shipped with the sensor.
Chapter 7 Servicing the Device

This chapter describes the service and maintenance of various components in your IDP sensors. It has the following sections:

- Replacing a Power Supply (IDP 800 and 8200 Only)
- Replacing a Hard Drive (IDP 800 and 8200 Only)

Replacing a Power Supply (IDP 800 and 8200 Only)

The power supplies on the IDP 75 and 250 sensors are in a fixed configuration, so you cannot replace them.
Install a Power Supply

You must have a power supply bay available before you can install a power supply. To install a power supply:

1. Take the new power supply to the back of the device.
2. Hold the power supply with both hands, with the red handle on the left side of the power supply.
3. Align the power supply with the empty bay and slide the power supply into the bay.
4. Push firmly until you see and hear the red lever snap into place.
To remove a hard drive:

1. On the front of the device, identify the hard drive you want to remove.
2. Locate the blue release latch on the right side of the drive. (See Figure 20.)

Figure 20: Hard Drive Latch in Closed Position

3. Press and hold down the latch to release the handle, and then pull the handle open.
4. Use one hand to hold the drive from underneath and the other hand to remove the drive completely from the bay.

Install a Hard Drive

To install a hard drive:

1.
Chapter 8 Advanced Configuration

This chapter describes advanced configuration options and has the following sections:

- Advanced Deployment Modes
- IDP High Availability Deployment Modes

Advanced Deployment Modes

Most IDP sensors are configured in passive sniffer or transparent mode. However, the IDP 75, 250, and 800 sensors can also be configured in bridge, router, or proxy-ARP mode.

Bridge Mode

Figure 21 shows a sensor that is configured in bridge mode.
Figure 21: Bridge Mode

(Diagram labels) Internet; Firewall IP 2.2.2.1; Hub or Switch; IP 1.1.1.1; eth2, no IP address, Forwarding Interface; IDP Sensor; Management Server IP 2.2.2.4; eth0 IP 2.2.2.7, MGT Interface; eth3, no IP address, Forwarding Interface; Hub or Switch; User Interface IP 2.2.2.5; Protected Machines: Server1 IP 1.1.1.2 GW 1.1.1.1; Server2 IP 1.1.1.3 GW 1.1.1.1; Server3 IP 1.1.1.4 GW 1.1.1.
Router Mode

Figure 22 shows a sensor that is configured in router mode. Table 15 lists the advantages and disadvantages of router mode.

Figure 22: Router Mode

(Diagram labels) Internet; Firewall IP 2.2.2.1; Hub or Switch; IP 192.168.0.2; eth2 IP 192.168.0.1, Forwarding Interface; IDP Sensor; eth0 IP 2.2.2.7, MGT Interface; eth3 IP 1.1.1.1, Forwarding Interface; Management Server IP 2.2.2.4; Hub or Switch; User Interface IP 2.2.2.5; Server1 IP 1.1.1.2 GW 1.1.1.1; Server2 IP 1.1.1.3 GW 1.1.1.
Proxy-ARP Mode

Figure 23 shows a sensor that is configured in proxy-ARP mode. Table 16 lists the advantages and disadvantages of proxy-ARP mode.

Figure 23: Proxy-ARP Mode

(Diagram labels) Internet; Firewall IP 2.2.2.1; Hub or Switch; IP 1.1.1.1; eth2 IP 1.1.1.254, Forwarding Interface; IDP Sensor; Management Server IP 2.2.2.4; eth0 IP 2.2.2.7, MGT Interface; eth3 IP 1.1.1.5, Forwarding Interface; Hub or Switch; User Interface IP 2.2.2.5; Server1 IP 1.1.1.2 GW 1.1.1.1; Server2 IP 1.1.1.
Appendix A Specifications

This appendix provides general specifications for the IDP sensors and standards for compliance.
IDP 75 Technical Specifications

Tables 17–20 list the physical, AC power, power cord, and environmental technical specifications for the IDP 75 sensor.

Table 17: Physical Specifications

Specification    Value
Height           1 RU (1.3 inches)
Width            17 inches
Depth            15 inches
Weight           14.
IDP 250 Technical Specifications

Tables 21–24 list the physical, AC power, power cord, and environmental technical specifications for the IDP 250 sensor.

Table 21: Physical Specifications

Specification    Value
Height           2 RU (2.9 inches)
Width            17 inches
Depth            20.5 inches
Weight           29.
IDP 800 Technical Specifications

Tables 25–28 list the physical, AC power, power cord, and environmental technical specifications for the IDP 800 sensor.

Table 25: Physical Specifications

Specification    Value
Height           2 RU (2.9 inches)
Width            17 inches
Depth            20.5 inches
Weight           33.
IDP 8200 Technical Specifications

Tables 29–32 list the physical, AC power, power cord, and environmental technical specifications for the IDP 8200 sensor.

Table 29: Physical Specifications

Specification    Value
Height           2 RU (2.9 inches)
Width            17 inches
Depth            20.5 inches
Weight           36.
Safety Compliance

UL 60950, Third Edition — Safety of Information Technology Equipment
CSA C2.22 No.