Juniper NetScreen IDP 100 IDP 500 range - FAQ
What is the NetScreen-IDP?
The NetScreen-IDP is an intrusion prevention device, driving the requirements for the next generation network security solution. NetScreen-IDP was the first device on the market to combine multiple detection methods to deliver accurate attack identification; a centralized, rule-based management platform for simple threat management; and an active, in-line deployment mode for true attack prevention. The innovations of the NetScreen-IDP enable customers to protect their most critical assets in a cost-effective manner.

What components comprise the NetScreen-IDP?
The NetScreen-IDP is a three-tier system. It includes a sensor, a centralized management server and a user interface. The sensor is an in-line device through which network traffic flows. The sensor enforces the security policy that is installed from the management server. The management server contains logs from all the sensors. All user interaction is through the user interface to the management server. The management server is the central repository for all logs, security policies and system configuration information. This allows security administrators to log in to the management server from any remote location without losing any information or capability.

How is the NetScreen-IDP deployed across the enterprise network?
The NetScreen-IDP is a three-tier system. The sensors and the management server can be located anywhere and can communicate with each other using IP. Sensors are placed anywhere in the network where there is critical data to protect. Typical locations for installing a sensor include the DMZ and segments that include critical internal servers, such as the finance and human resources, engineering and manufacturing servers, etc. The number of sensors depends on the kind of business and the amount of protection that is desired by the corporation. These sensors communicate with the management server. The security administrator communicates with the sensors by logging in to the management server using the user interface.

What is the network installation configuration of the NetScreen-IDP?
There are two major installation configurations for the NetScreen-IDP: sniffer mode and gateway mode. There are three modes of gateway operation, bridge mode, proxy-ARP mode and router mode, that differ based on how the device forwards packets. Gateway modes enable active responses, which means a security device can actually prevent attacks by dropping packets or connections, so that they never reach their intended “victim.” The alternative to a gateway mode is sniffer mode. In sniffer mode, the device operates similar to a traditional intrusion detection system, acting as a passive observer of the network that provides only limited and less reliable methods to respond to detected attacks. Customers that deploy NetScreen-IDP in sniffer mode will not receive the benefit of the system’s active prevention capabilities; however, they will be able to take advantage of the accuracy and simple management of the device.

What is the impact of installing the NetScreen-IDP in sniffer mode?
The NetScreen-IDP can be installed as a sniffer, though it is most effective when installed as a gateway device. When configured as a sniffer, the NetScreen-IDP is unable to drop connections when attacks are detected. All other features, such as improved management and accuracy, are available in sniffer mode. NetScreen recommends a gateway mode deployment to derive the full benefit of the system.

Can you describe the different gateway modes?
Bridge Mode: An in-line operating mode of the NetScreen-IDP system. In this mode, NetScreen-IDP automatically learns the network topology and forwards packets to their correct destination. In Bridge Mode, the NetScreen-IDP is transparent and no reconfiguration needs to be done to let the hosts know that it is there. Moreover, the hosts are not aware that the NetScreen-IDP is even on the network. For the NetScreen-IDP system, Bridge Mode is the easiest to deploy and is the recommended mode of operation. Using third party load balancing solutions, IDP can be installed in a High Availability configuration in Bridge Mode.

Proxy-ARP Mode: An in-line operating mode of the NetScreen-IDP system. In this mode, NetScreen-IDP automatically learns the network topology and forwards packets to their correct destination, just like it does in Bridge Mode. However, unlike Bridge Mode, the host machines are aware that the NetScreen-IDP is on the network in Proxy-ARP Mode. NetScreen-IDP automatically reconfigures the host machines to send it all packets that need to be forwarded. Proxy-ARP Mode typically has higher throughput performance than Bridge Mode, but only works with networks that have a single router. The IDP can be installed in a standalone High Availability configuration in Proxy-ARP Mode.

Router Mode: An in-line operating mode of the NetScreen-IDP system. In Router Mode, NetScreen-IDP acts as a router. This means it uses a routing table to determine where the packets need to be sent and then forwards the packets to the correct destination. All of the hosts that are attached to NetScreen-IDP, when it is in Router Mode, need to be configured to forward their packets to NetScreen-IDP, otherwise the hosts will not be able to send any traffic. Router Mode is traditionally associated with older security devices, such as firewalls, and is only offered in NetScreen-IDP for compatibility. The IDP can be installed in a High Availability configuration using third party load balancing solutions or in a standalone HA configuration in Router Mode.

NetScreen claims to reduce false positives. How is this achieved exactly?
It is through the implementation of both multiple detection methods and a rule-based management system that we are able to increase detection accuracy. By combining eight detection methods, including Stateful Signature Detection and Protocol Anomaly Detection, NetScreen-IDP is capable of detecting a greater number of attacks than all other devices that just use a few methods. Because Stateful Signatures only look for attacks in the relevant portions of the communication stream, and because the rule-based management server gives the administrator granular control over what the system looks for and how it reacts when specific traffic is identified, these features further improve the accuracy of the NetScreen-IDP by minimizing the number of false alarms.

What does NetScreen mean by Multi-Method Detection? And how does that help with improving accuracy?
Multi-Method Detection is the ability to detect intrusions using multiple mechanisms at the same time and at high data rates to improve detection accuracy. These methods include Stateful Signature Detection, Protocol Anomaly Detection, Traffic Anomaly Detection, IP Spoofing Detection, Layer 2 Detection, DoS Detection, and a Network Honeypot. It also includes a proprietary detection method called Backdoor Detection, which identifies and prevents unauthorized interactive traffic. Because different types of attacks can often only be identified using one of these methods, products designed to use only a single method miss any attack not detected by their chosen method. Combining multiple detection methods makes the NetScreen-IDP capable of detecting more types of attacks, delivering higher accuracy than products that only use one or two methods. NetScreen-IDP was built from the ground up to detect the broadest range of attacks.
What is a Stateful Signature?
A Stateful Signature is an advanced form of an attack signature. Most IDSes use packet signature detection, which looks at all of the packets in a flow, without regard to the context of the packet, to determine if there is an attack. Packet signature detection produces a lot of false alarms. Stateful Signature detection compares attack patterns only to the relevant portions of the communication, making the comparison a lot more targeted and accurate. In addition, because the signature is only looking at relevant portions of the traffic, it is significantly faster than packet signature detection.
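The false-alarm difference described above, shown on constructed HTTP requests (added example, not NetScreen code; the request decoder and the "http-path"/"http-body" context names are simplifications assumed for illustration):

```python
import re
from dataclasses import dataclass

# Constructed sample HTTP requests (not captured traffic). Request 1 carries the
# suspicious string in the request path; request 2 only mentions it inside a
# form body (a user writing about Unix configuration files); request 3 is benign.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    ("POST /forum/post HTTP/1.0\r\nHost: www.example.com\r\n"
     "Content-Length: 37\r\n\r\nmsg=see+/etc/passwd+for+the+user+list"),
    "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]

# Pattern a directory-traversal signature would look for.
TRAVERSAL_PATTERN = re.compile(r"/etc/passwd")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: str


def parse_http_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.x request decoder (assumed, simplified): splits the
    request line, headers and body so a signature can target one field."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def packet_signature_match(raw: str, pattern: re.Pattern) -> bool:
    """Packet signature: the pattern is searched across the whole payload,
    with no regard to which part of the protocol exchange it lands in."""
    return pattern.search(raw) is not None


def stateful_signature_match(raw: str, pattern: re.Pattern, context: str) -> bool:
    """Stateful signature: the pattern is only compared against the protocol
    field named by `context` (here: the HTTP request path or the body)."""
    req = parse_http_request(raw)
    field = {"http-path": req.path, "http-body": req.body}[context]
    return pattern.search(field) is not None


def compare_detectors(requests, pattern, context):
    """Return (packet_hit, stateful_hit) per request, so the difference in
    false alarms between the two approaches is visible side by side."""
    return [(packet_signature_match(r, pattern),
             stateful_signature_match(r, pattern, context))
            for r in requests]


if __name__ == "__main__":
    results = compare_detectors(SAMPLE_REQUESTS, TRAVERSAL_PATTERN, "http-path")
    for raw, (pkt, stateful) in zip(SAMPLE_REQUESTS, results):
        print(raw.split("\r\n")[0], "-> packet:", pkt, "stateful:", stateful)
```

Only the second request differs: the packet signature fires on the forum post because the string appears somewhere in the payload, while the stateful signature, anchored to the request path, stays quiet.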
What is Protocol Anomaly Detection?
Protocol Anomaly Detection is the ability to analyze traffic on the network and perform packet decode and protocol analysis to determine what constitutes a protocol anomaly. Applied to an IDS, Protocol Anomaly Detection is needed to determine what packets are illegal or ambiguous when checked against the RFCs or definitions imposed by the network administrator, and may constitute security threats. The reason Protocol Anomaly Detection works is that under normal conditions, system and network devices do not tend to create illegal or ambiguous traffic. Attackers create illegal or ambiguous traffic to try to evade an IDS that uses Signature-Based Detection methods.

What is Traffic Anomaly Detection?
Traffic Anomaly Detection is the ability to analyze traffic in totality to look for attack patterns. Used in advanced intrusion detection systems like the NetScreen-IDP, traffic signatures allow NetScreen-IDP to detect intrusion attempts that span multiple connections, which would otherwise be undetectable by protocol analysis or regular signature-based systems. The system does this by determining normal versus abnormal traffic based on a profile of network activity that is developed over time. The profile defines the normal usage patterns that can be expected on the network, enabling security administrators to set thresholds and triggers so that alerts can be sent for traffic deviating from such normal patterns. Typically, network probes and port scans can be detected by traffic signatures. Scans are often precursors to attacks, so security administrators can use pattern analysis to help identify them before an attack is launched.
What is Backdoor Detection?
Backdoor Detection is NetScreen’s proprietary mechanism that has the ability to detect unauthorized interactive traffic. It works by performing statistical analysis on the traffic to determine whether it is interactive, and checking it against rules set by the user to indicate whether or not the traffic is expected and authorized. It is the ideal method for detecting and preventing a compromise when an attacker connects with a backdoor that has been installed on a critical system.

What is a Network Honeypot?
The Network Honeypot fools attackers by making it appear that there are open services that could be vulnerable to attack. When attackers try to connect to these services, their malicious intentions are identified and they can be blocked from the network. This is a useful method for reducing the noise from script kiddies, allowing administrators to focus on other types of malicious activity.

All other IDS products are passive, and for a good reason: the false positives they generate. If I put the NetScreen-IDP solution in the line of packets, won’t you drop packets that shouldn’t be dropped?
NetScreen-IDP products minimize false positives and maximize the number of real attacks detected. This is because NetScreen-IDP uses Multi-Method Detection, including an advanced form of signature analysis, called Stateful Signature Detection, which reduces false positives. The combination of eight detection methods with a rule-based management system, which provides an administrator complete control over how the system behaves, means that the results of the NetScreen-IDP are far more accurate. With the confidence that the detected attacks are real, NetScreen-IDP enables customers to dictate, in the rulebase, exactly which attacks warrant being dropped. NetScreen-IDP will not drop anything that it is not explicitly told to drop. Plus, the drop action is specific to the malicious packet or connection, which means that future connections from that IP are unaffected. As a result, NetScreen-IDP only drops the packets that should be dropped, forwarding all other traffic to its proper destination.

Passive IDS products offer OPSEC capabilities; does that not provide protection capabilities similar to the NetScreen-IDP?
OPSEC capabilities allow the device to signal the firewall to block future traffic from the IP address where the attack is supposed to have originated. This is a misleading prevention method because it does nothing to stop the attack that triggered the signal, since it only applies to future connections from that IP; in addition, blocking an IP address can lead to a self-induced Denial of Service attack. If the attacker uses or spoofs an IP address, such as an AOL IP, and the detection device instructs the firewall to block that address, then legitimate AOL users originating from that IP will not be able to access your network, including any Web server behind that firewall. NetScreen-IDP, on the other hand, is capable of stopping the attack itself, as soon as it detects it, and will only drop the current connection that the hacker is using to attack the network. With this approach, normal users will still be able to access the network, while the hacker will be kept out.

Can I decide which attacks I want to drop and which I only want to know about, or do I have to apply the drop action to all attacks?
One of the most powerful features of the NetScreen-IDP is its management granularity. Almost every facet of the system allows the security administrator to decide what to detect, where to detect it and how to respond when a specific attack is detected. The administrator is not restricted to any one kind of response. Therefore the system can be instructed to drop connections for specific attacks or only notify without taking action. Taking this one step further, security administrators can define different response mechanisms for the same attack on different parts of the network.

You state that the NetScreen-IDP makes it easy to manage multiple sensors. Since I have different requirements and traffic for different segments of my network, will I not need to have a separate set of rules for each network segment?
Being an enterprise security management system, the NetScreen-IDP is designed to take into account that network traffic in the corporate network can be significantly different in different segments. The NetScreen-IDP policy management system allows users to specify to which sensors, or groups of sensors, an individual rule in the rulebase applies. This gives security administrators the ability to create rules for individual sensors within a single rulebase.

Can I write my own signatures – just like Snort?
Absolutely. The NetScreen-IDP features an open signature format that enables customers to write their own signatures. In addition, the NetScreen-IDP provides a framework for writing Stateful Signatures. This helps customers create powerful customized signatures that pinpoint where in the traffic a pattern match should occur, making the signature less prone to irrelevant pattern matches and so reducing false positives.

How often can I expect signatures from NetScreen? Is there a group that is dedicated to defining new signatures?
Stateful Signatures are only one component of the detection mechanisms for the NetScreen-IDP.
That being said, NetScreen has a dedicated group of security engineers who create the Stateful Signatures needed for new attacks and exploits. NetScreen sends out weekly signature updates and will release signatures for new attacks as soon as they are developed and tested for effectiveness. Another advantage over most other commercial solutions is that the NetScreen-IDP has an open signature format, so users can also create their own signatures if they so desire.

When I receive new signatures from NetScreen or create new ones, do I have to install them on all sensors? If not, how do I do this?
The NetScreen-IDP is a centralized policy-based management system. The system determines which signatures are applicable to individual sensors based on the rules defined in the rulebase. When new signatures become available, they need to be installed on the management system. With one click, the policies can then be pushed to all sensors and the system will install the new signatures where applicable.

Will I need to check the NetScreen Web site for new signatures, or will I be informed when updates are available?
When new signatures become available, NetScreen will immediately send an e-mail to security administrators. It is also recommended that administrators check the NetScreen customer Web site regularly, as new information will constantly be uploaded to the site.

What do you mean when you talk about advanced incident management capabilities?
While it is important to detect attacks, it is just as important to be able to respond to them. The NetScreen-IDP aggregates and then visually presents all of the information it captures in a way that makes it easy for a user to see everything from the top trend information down to the specific packet data that triggered a log. Rather than having to manually collect and correlate this information, or purchase a separate management platform to try to get at this level of data manipulation, IDP gives customers the ability to quickly drill up or down within the system itself. NetScreen-IDP provides a summary-level dashboard that provides a quick look at the most important attack activity occurring in the network, making it easy to spot trends and concentrate on the most significant events. An administrator can then take a closer look at any event and chart different scenarios by pivoting the tables, using different combinations of hosts, targets and attacks, over a period of time. This log investigation capability gives administrators the ability to spot anomalies, filter the information as needed and act quickly to protect their network. In addition, administrators can drill down to the log and the specific packet data associated with the log, or drill up to the security policy to quickly update it to keep the network protected from the most recent threats. All this can be performed from one user interface, which contains attack information and links to provide additional context and information on what is really going on in the network.
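The rulebase behaviour described in the answers above (one rulebase whose rules name the sensors they apply to, a response chosen per attack, and a drop that affects only the offending connection rather than every future connection from that address), as an added example that is not NetScreen code; sensor names, attack names and first-match rule ordering are assumptions made here for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attack: str          # attack (signature) name the rule looks for
    sensors: frozenset   # sensors the rule applies to; empty = every sensor
    action: str          # one of the response options listed in the FAQ


@dataclass(frozen=True)
class Event:
    sensor: str          # sensor that saw the traffic
    attack: str          # attack the sensor detected
    src_ip: str
    conn_id: int         # identifies the single connection involved


class IdpRulebase:
    """Single rulebase shared by all sensors. Rule order is treated as
    first-match here; that ordering is an assumption of this example."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.dropped = set()   # (sensor, conn_id) pairs that were dropped

    def respond(self, event: Event) -> str:
        for rule in self.rules:
            if rule.sensors and event.sensor not in rule.sensors:
                continue       # rule is scoped to other sensors
            if rule.attack != event.attack:
                continue
            if rule.action == "drop_connection":
                self.dropped.add((event.sensor, event.conn_id))
            return rule.action
        return "none"          # not in the rulebase: nothing is dropped

    def forwards(self, sensor: str, conn_id: int) -> bool:
        """The drop is scoped to the offending connection only."""
        return (sensor, conn_id) not in self.dropped


class FirewallIpBlock:
    """The OPSEC-style alternative the FAQ contrasts with: the IDS asks the
    firewall to block every future connection from the source address."""

    def __init__(self):
        self.blocked_ips = set()

    def respond(self, event: Event) -> None:
        self.blocked_ips.add(event.src_ip)

    def forwards(self, src_ip: str) -> bool:
        return src_ip not in self.blocked_ips


def build_example_rulebase() -> IdpRulebase:
    # Constructed sensor and attack names; same attack, different response per segment.
    return IdpRulebase([
        Rule("HTTP:DIR-TRAVERSAL", frozenset({"dmz"}), "drop_connection"),
        Rule("HTTP:DIR-TRAVERSAL", frozenset({"internal"}), "log"),
        Rule("SMTP:VRFY-PROBE", frozenset(), "email"),
    ])


def run_scenario() -> dict:
    """One attack from a shared address, then a legitimate connection from it."""
    idp, fw = build_example_rulebase(), FirewallIpBlock()
    attack = Event("dmz", "HTTP:DIR-TRAVERSAL", "203.0.113.7", 1)
    idp.respond(attack)
    fw.respond(attack)
    later = Event("dmz", "HTTP:GET", "203.0.113.7", 2)
    return {"idp_forwards_later": idp.forwards(later.sensor, later.conn_id),
            "fw_forwards_later": fw.forwards(later.src_ip)}
```

`run_scenario()` shows the self-induced denial of service the FAQ warns about: the IP-block approach also shuts out the later, legitimate connection from the same address, while the connection-scoped drop lets it through.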
Can I deploy IDP in a High Availability configuration?
Yes. Two or more NetScreen-IDPs can be clustered together to provide a high availability configuration. In this configuration, the devices perform load sharing, enabling almost double the throughput of a single box.

How does packet logging work?
The NetScreen-IDP is capable of logging raw packets when an attack is detected. The security administrator can define in the rulebase how many packets before and after the attack the system should log. When an attack is detected, the sensor logs the packets, as defined by the rule. The user can then access these packets from the logs using the management interface. By obtaining the raw packets, the security administrator can precisely see what the hacker was attempting to do on the network. These packets can also be exported to third party tools for replaying the attack.

How does the NetScreen-IDP respond to attacks?
The NetScreen-IDP has multiple response mechanisms. When defining rules in the rulebase, a security administrator can decide what response mechanism to use for an attack or a family of attacks, depending upon the specific network. These responses vary from dropping the packet or connection to doing nothing and just logging or sending an e-mail alarm. When the sensor detects an attack, it then uses the response mechanism defined by the administrator. This ensures maximum flexibility and effectiveness in protecting a network.

NetScreen-IDP Response Options
Drop Connection -- Drop the connection before the attack can cause harm to the network or system.
Close Connection -- Close the connection by sending a message to both the client and server.
Session Packet Logging -- Capture the packet that triggered the ‘alarm.’ A windowing option allows pre- and post-trigger packets to also be logged as part of the connection.
Session Summary -- Capture the session start, stop and overall statistics.
E-mail -- Send an e-mail message to one or more recipients. Attachment options are available.
Custom -- Take a custom action, such as SNMP trap generation, defined by the administrator.
Logging -- Log the connection for future forensic investigation.

What protocols does the NetScreen-IDP support?
The following protocols, with the relevant RFCs where applicable, have been implemented. NetScreen is in the process of adding support for more protocols.
Protocols Supported

Protocol     RFC
IP           791
TCP          793
HTTP         2616
SMTP         821
FTP          959
RPC          1831, 1050
POP3         1939, 1957
TELNET       854
RSH          No RFC*
REXEC        No RFC*
RLOGIN       1282
ICMP         792
DNS          1305, 1183, 2358, 2535, 1712, 2671, 1876, 2065
DHCP         1497, 1533, 2131, 2132
TFTP         783, 1350
IMAP         2060
FINGER       742, 1288
CHARGEN      864
ECHO         862
DISCARD      863
RTSP         2326
SNMP         1157
SNMP trap    v1
SYSLOG       3164
SSH          Internet Drafts
SMB          1001, 1002
What hardware platforms does the NetScreen-IDP run on?
The NetScreen-IDP sensor is an appliance, and the management server can be installed on Linux 7.2 or Solaris 7/8. The user interface can be installed on the Windows 2000 and Linux platforms.

How do the sensors communicate with the management server? How does the management server communicate with the user interface?
The sensors communicate with the management server using a proprietary and robust encryption protocol. This protocol has been designed to prevent susceptibility to denial of service attacks. The management server communicates with the management interface using Blowfish encryption to assure confidentiality.

How much additional traffic does the NetScreen-IDP add to the network?
In a typical implementation, the NetScreen-IDP generates less than 1% of total network traffic.