Juniper Secure Analytics Release 2014.3 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Published: 2014-10-15
Copyright Notice

Copyright 2014 Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

The following terms are trademarks or registered trademarks of other companies: Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT, SUBJECT TO THE MODIFICATIONS SET FORTH BELOW ON THIS PAGE, ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Release 2014.3
Copyright 2014, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History

October 2014
The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at http://www.juniper.net/support/eula.html, as modified by the following text, which shall be treated under the EULA as an Entitlement Document taking precedence over any conflicting provisions of such EULA as regards such software: As regards software accompanying the STRM products (the "Program"), such software contains software licensed by Q1Labs and is further accompanied by third-party software that is described in the applicable documentation or materials provided by Juniper Networks.
CONTENTS

ABOUT THIS GUIDE
    Audience
    Documentation Conventions
    Technical Documentation
    Requesting Technical Support

1 INSTALLING THE NSM PLUG-IN
    NSM Plug-In Overview
    Installing the NSM Plug-In

2 SETTING UP THE PLUG-IN
    Configuring the Server Settings
    Setting User Permissions
    Setting NSM Preferences

3 USING THE PLUG-IN
    Starting NSM
    Viewing Policy Details
        Adding the Policy Column
        Viewing Policy Details

4 REMOVING THE NSM PLUG-IN
ABOUT THIS GUIDE

This guide provides you with information on installing and configuring the Juniper Networks Network and Security Manager (NSM) plug-in.

Audience

The guide is intended for system administrators responsible for installing, configuring, or using plug-in components on your Juniper Secure Analytics (JSA) console.

Documentation Conventions

Table 1 lists conventions that are used throughout this guide.

Table 1 Icons

Type                Description
Information note    Information that describes important features or instructions.
Caution             Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning             Information that alerts you to potential personal injury.

Technical Documentation

You can access technical documentation, technical notes, and release notes directly from the Juniper Customer Support website at https://www.juniper.net/support/. Once you access the Juniper Customer Support website, locate the product and software release for which you require documentation.

Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: techpubs-comments@juniper.net. Include the following information with your comments:
- Document title
- Page number

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
- JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
- Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/
- JTAC Hours of Operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
- Find CSC offerings: http://www.juniper.net/customers/support/
- Find product documentation: http://www.juniper.net/techpubs/
- Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
- Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
- Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
- Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
- Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/serialnumberentitlementsearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.
- Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
- Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.
1 INSTALLING THE NSM PLUG-IN

You can use the Juniper Networks Network and Security Manager (NSM) plug-in to view policy details from the Juniper Networks NSM server for an event.

NSM Plug-In Overview

Juniper Networks Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. Juniper Networks NSM delivers integrated, policy-based security and network management for all devices.

Ensure that the latest Juniper Secure Analytics (JSA) patch is installed on your JSA console.

When you install the Juniper Networks NSM plug-in, the httpd and Tomcat processes automatically restart and cause a service disruption.

Installing the NSM Plug-In

Use SSH to install the Juniper Networks NSM plug-in on your JSA console.

About this task

The target directory (/opt/qradar/conf/webplugins/117/) must exist on your JSA system. After you install the plug-in, the target directory is automatically created when you log in to the JSA user interface and click the NSM Settings Plug-in icon on the Admin tab.

If multiple users or remote users view the Admin tab, refresh your browser to display the NSM Plug-in Settings icon.

Procedure

Step 1  Download the JSA ISO from the following website: http://www.juniper.net/customers/support/

Step 2  Copy the ISO file to your JSA console.

Step 3  Using SSH, log in to JSA as the root user.

Step 4  Type the following command to mount the JSA ISO file:

            mount -o loop <path to the JSA ISO> /media/cdrom

        Where <path to the JSA ISO> is the directory path to where the installation ISO is stored.

Step 5  Type the following command to install the NSM plug-in rpm:

            rpm -Uvh /media/cdrom/post/qradar/nsm_plugin-2014.3-931999.x86_64.rpm

        Where <build> is the related JSA build number. The package manager installs the NSM plug-in rpm.

Step 6  To create the target directory:
        a  Log in to the JSA user interface: https://<IP Address>
           Where <IP Address> is the IP address of the JSA system.
        b  Click the Admin tab.
        c  Click the NSM Plug-in Settings icon.

Step 7  Using SSH, log in to JSA as the root user.

Step 8  Choose one of the following options:
        - To connect JSA to Juniper NSM server, you must copy a certificate to JSA, go to Step 9.
        - To connect JSA to any other version of Juniper NSM, go to Step 11.

Step 9  Type the following command to copy the server certificate from your Juniper NSM server to the JSA console:

            scp root@<NSM IP address>:/usr/netscreen/guisvr/lib/webproxy/conf/server.crt /opt/qradar/conf/webplugins/117/nsmplugin.cert

        Where <NSM IP address> is the IP address of the Juniper Networks NSM server. The server.crt file is copied from the Juniper Networks NSM server and renamed to nsmplugin.cert on your JSA console.

Step 10 Type the following command to set the proper file permissions:

            chown nobody:nobody /opt/qradar/conf/webplugins/117/nsmplugin.cert

Step 11 Type the following command to restart Tomcat:

            service tomcat restart

What to do next

Setting Up the Plug-In
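Before the Tomcat restart in Step 11, it is worth confirming that the file copied in Step 9 is a valid, unexpired certificate with the ownership set in Step 10. The following is an added example, not part of the Juniper guide: the function name check_nsm_cert is hypothetical, and it assumes openssl and GNU stat are available on the JSA console.

```bash
#!/usr/bin/env bash
# Added example (not Juniper's code): check the certificate copied in Step 9
# before restarting Tomcat in Step 11. Assumes openssl and GNU stat.

# check_nsm_cert [CERT_PATH] [OWNER:GROUP]
# Defaults are the path and ownership given in the procedure above.
check_nsm_cert() {
    local cert="${1:-/opt/qradar/conf/webplugins/117/nsmplugin.cert}"
    local want_owner="${2:-nobody:nobody}"
    local owner mode

    # Require a regular file; a symlink could be retargeted later.
    if [ -L "$cert" ] || [ ! -f "$cert" ]; then
        echo "FAIL: $cert is missing or is not a regular file" >&2
        return 1
    fi

    # server.crt should carry only a certificate. Key material here means
    # the wrong file was copied from the NSM server.
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "FAIL: $cert contains private key material" >&2
        return 1
    fi

    # The file must parse as an X.509 certificate and must not be expired.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $cert has expired" >&2
        return 1
    fi

    # Ownership must match what Step 10 sets.
    owner=$(stat -c '%U:%G' "$cert")
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner" >&2
        return 1
    fi

    # Reject group- or world-writable modes (write bit set in either of the
    # last two octal digits).
    mode=$(stat -c '%a' "$cert")
    case "$mode" in
        *[2367]?|*[2367])
            echo "FAIL: mode $mode lets non-owners replace the certificate" >&2
            return 1 ;;
    esac

    # Print identity details; compare the fingerprint with the one computed
    # from server.crt on the NSM server itself.
    openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
}

# Run the check when arguments are given: bash check_nsm_cert.sh <path> <owner:group>
if [ "$#" -gt 0 ]; then check_nsm_cert "$@"; fi
```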
2 SETTING UP THE PLUG-IN

The Juniper Networks Network and Security Manager (NSM) plug-in allows Juniper Secure Analytics (JSA) to integrate with your Juniper Networks NSM appliance to view policy-based security and network management information from NSM appliances.

Before you can view policy information, you must configure JSA permissions and user roles.

Configuring the Server Settings

After you successfully install the Juniper Networks NSM plug-in, configure your JSA console with the IP address and port number of your Juniper Networks NSM appliance.

Procedure

Step 1  Click the Admin tab.

Step 2  In the navigation menu, click Plug-ins.

Step 3  In the Plug-In Configuration pane, click the NSM Plug-in Settings icon.

Step 4  In the NSM Server URL field, type the IP address or host name of the Juniper Networks NSM server to which you want to connect. For example, https://192.168.2.1:8443.

Step 5  Click Save Changes.

Setting User Permissions

Ensure that each JSA user who requires access to the Juniper NSM Plug-in has the appropriate user permissions.

You must have administrative privileges to configure user roles in JSA.

Procedure

Step 1  Click the Admin tab.

Step 2  On the navigation menu, click System Configuration.

Step 3  In the User Management pane, click the User Roles icon.

Step 4  Choose one of the following options:
        a  To create a new role, click Create Role.
        b  To edit an existing role to include NSM Plug-in Settings, select the role and click the Edit icon.

Step 5  Select the user permissions for the NSM Plug-in settings:
        - Launch NSM Client - Select this check box to allow users to start the NSM Client from the main user interface.
        - View NSM Policy Details from Events interface - Select this check box to allow users to view policy details for the Juniper Networks NSM server from the Log Activity tab.

Step 6  Select the remaining permissions. For more information on role permissions, see the Juniper Secure Analytics Administration Guide.

Step 7  Complete the steps of the wizard.

Step 8  On the Admin tab, click Deploy Changes.

Setting NSM Preferences

If you have the View NSM Policy Details from Events interface role permission, configure your NSM settings to authenticate your user account with the Juniper Networks NSM server.

Before you begin

Make sure that you have Events permissions to access the policy details.

About this task

If your administrator has not completed the configuration of the plug-in, an information message is displayed. Contact your system administrator to complete the configuration before you continue. For more information, see Configuring the Server Settings.

The Juniper Networks NSM server might reject your credentials as a result of too many failed login attempts. If this occurs, contact your Juniper Networks NSM server administrator to unblock the following IP address: 127.0.0.1 by using the Tools > Manage Blocked Hosts option in the Juniper Networks NSM client.

Procedure

Step 1  In the upper-right corner of the user interface, click NSM Preferences.

Step 2  Enter values for the following parameters:
        - NSM Login - Type your user name, as defined on the Juniper Networks NSM server.
        - NSM Password - Type your password, as defined on the Juniper Networks NSM server.
        - NSM Domain - Type your domain, as defined on the Juniper Networks NSM server.

Step 3  Click Save Changes.
3 USING THE PLUG-IN

After you configure the Network and Security Manager (NSM) plug-in, you can view policy event information.

Starting NSM

You can start Network and Security Manager (NSM) from the Juniper Secure Analytics (JSA) user interface.

Procedure

Step 1  In the upper-right corner of the user interface, click Launch NSM.

Step 2  Choose one of the following options:
        - If you use the Mozilla Firefox web browser and this is the first time that you start NSM, go to Step 3.
        - If you use the Microsoft Internet Explorer 8.0 or 9.0 web browser, with Compatibility View enabled, and this is the first time that you start NSM, go to Step 4.
        - If you previously launched NSM, go to Step 5.

Step 3  To start NSM for the first time in the Mozilla Firefox web browser:
        a  In the Opening window, select the Open with option.
        b  Click Browse.
        c  Select the NSM.exe file from the appropriate directory:
           - For previous NSM versions, the file path is c:\program Files\NSM\NSM.exe.
        d  Click OK.
        e  Select the Do this automatically for files like this from now on check box.
        f  Click OK.
        g  Go to Step 5.

Step 4  To start NSM for the first time in Internet Explorer 8.0 or 9.0, with Compatibility View enabled:
        a  Create an association for the .nsm extension and change the extension to access the NSM.exe file. Select the NSM.exe file from the appropriate directory:
           - For NSM 2014.1, the file path is c:\program Files\Network and Security Manager\NSM.exe.
           - For previous NSM versions, the file path is C:\Program Files\NSM\NSM.exe.
           For more information about how to create a file association, see your vendor documentation.
        b  Go to Step 5.

Step 5  Type the necessary login credentials for the Juniper Networks Client.

Step 6  Click OK.

Viewing Policy Details

Adding the Policy Column

After the Juniper Networks NSM plug-in is installed and configured, you can view policy details using the Log Activity tab. However, before you can view policy details, you must add the NSM Policy (custom) column to the Log Activity page display.

Use the event search page to add the NSM Policy (custom) column to the Log Activity page.

About this task

This task includes only the search criteria for displaying the NSM Policy (custom) column. For information about search parameters, see the Juniper Secure Analytics Users Guide.

Procedure

Step 1  Click the Log Activity tab.

Step 2  From the Search list, select New Search.

Step 3  From the Available Columns list, select NSM Policy (custom).

Step 4  Select the arrow to move the item to the Column list.

Step 5  Click Filter.

Result

The Log Activity page displays the NSM Policy (custom) column.

Viewing Policy Details

You can view policy details from the Log Activity tab.

About this task

Each Juniper Networks NSM policy includes groups of rule bases and rules. This window provides details of the selected NSM policy and details of the associated rules for this policy. This window might require several minutes to populate depending on the amount of data. For more information about the Juniper Networks NSM policy, see your Juniper Networks NSM documentation.

Procedure

Step 1  Click the Log Activity tab.

Step 2  If events are displayed in Real Time (streaming) mode, click the Pause icon.

Step 3  Right-click the NSM Policy (custom) parameter for the event you want to investigate, and then select More options > View NSM Policy Details.
4 REMOVING THE NSM PLUG-IN

After you uninstall the Network and Security Manager (NSM) plug-in, such as when you upgrade to another Juniper product, you must manually remove the plug-in RPM to ensure that the Juniper NSM components are removed from the Juniper Secure Analytics (JSA) user interface.

Procedure

Step 1  Using SSH, log in to JSA as the root user.

Step 2  To identify the name of the plug-in RPM, type the following command:

            rpm -qa | grep plugin

Step 3  To remove the RPM file, type the following command:

            rpm -e nsm_plugin-<build_number>

Step 4  To restart the Tomcat service, type the following command:

            service tomcat restart