Juniper Networks IDP250 User Manual

IDP Series Intrusion Detection and Prevention AppliancesIDP250 Installation GuideRelease 5.0Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale,

x Table of ContentsIDP250 Installation Guide

PrefaceThis preface includes the following topics: Objectives on page xi Audience on page xi Documentation Conventions on page xi Related Document

Table 2 on page xii defines text conventions used in this guide.Table 2: Text ConventionsExamplesDescriptionConvention Issue the clock source command.

Related DocumentationTable 4 on page xiii lists related IDP documentation.Table 4: Related IDP DocumentationDescriptionDocumentContains information ab

Table 5: Related NSM Documentation (continued)DescriptionDocumentDescribes how to configure and manage IDP devices using NSM. This guidealso helps in

Find solutions and answer questions using our Knowledge Base:http://kb.juniper.net/ Download the latest versions of software and review release not

xvi Requesting Technical SupportIDP250 Installation Guide

Part 1Hardware and Software Overview Hardware Overview on page 3 Software Overview on page 15Hardware and Software Overview 1

2 Hardware and Software OverviewIDP250 Installation Guide

Chapter 1Hardware OverviewThis chapter includes the following topics: IDP250 Overview on page 3 Power Supply on page 4 Hard Drive on page 4 Fans o

This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, EpilogueTechnolog

Traffic Interface Ports on page 7 IDP250 Technical Specifications on page 59Power SupplyThe appliance has one power supply. It is a field replaceab

USB PortThe appliance has a USB port you can use to reimage the appliance, if necessary.Serial Console PortThe console serial port provides access, us

Table 7: Management Port LEDs (continued)DescriptionStateLEDConnection is 1000 Mbps.OrangeTX/RXConnection is 100 Mbps.GreenIf LINK indicates activity,

Table 8: High Availability Port LEDs (continued)DescriptionStateLEDConnection is 1000 Mbps.OrangeTX/RXConnection is 100 Mbps.GreenIf LINK indicates ac

Table 9: Copper Port LEDsDescriptionStateLEDLink is present.Glows greenLINK ACTActivity.Blinks greenNo link present.OffConnection is 100 Mbps.GreenLIN

Table 10: Fiber Port LEDsDescriptionStateLEDLink is present.Glows greenLINK ACTActivity.Flashes greenNo link present.OffConnection is 100 Mbps.GreenLI

Deployment ModeFor each virtual router, you select the deployment mode: Sniffer–In an out-of-path, sniffer mode deployment, the IDP appliance can det

Figure 6: Internal BypassWhen the IDP operating system resumes healthy operations, it sends a reset signalto the traffic interfaces, and the interface

External BypassThe External Bypass setting supports third-party external bypass units. When theIDP appliance is turned on and available, it sends NetS

When PPM is enabled, a PPM daemon monitors the health of IDP traffic interfacesbelonging to the same virtual router. If a traffic interface loses link

END USER LICENSE AGREEMENTREAD THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,INS

If you enable Layer 2 bypass, the interfaces pass through IPv6, internetworkpacket exchange (IPX), Cisco Discovery Protocol (CDP), and interior gate

Chapter 2Software OverviewThis chapter includes the following topics: On-Box Software Overview on page 15 Centralized Management with NSM Overview o

Table 11: IDP On-Box Utilities (continued)UsageSoftwareYou can use the idp.sh utility to start, stop, or get status information onappliance processes.

For IDP deployments, centralized management provides the following benefits: Centralized management for IDP appliances and other network devices Con

18 J-Security Center Updates OverviewIDP250 Installation Guide

Part 2Performing the Installation Installation Overview on page 21 Installing the Appliance to Your Equipment Rack and ConnectingPower on page 23 P

20 Performing the InstallationIDP250 Installation Guide

Chapter 3Installation OverviewThis chapter includes the following topics: Before You Begin on page 21 Basic Steps on page 22Before You BeginThe loca

Related Topics Common Criteria EAL2 Compliance on page 63Basic StepsTake the following basic steps to install the appliance and connect it to your n

Chapter 4Installing the Appliance to YourEquipment Rack and Connecting PowerThis chapter includes the following topics: Rack Mounting Kits and Requir

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Cus

Mounting to Midmount BracketsTo mount the appliance using the midmount brackets:1. Attach one rack-mounting bracket to each side of the chassis with t

Related Topics Rack Mounting Kits and Required Tools on page 23Mounting to Rack RailsTo mount the device to equipment rack rails:1. Attach the rails

2. Connect the other end of the power cable to the electrical outlet.26 Connecting PowerIDP250 Installation Guide

Chapter 5Performing the Initial NetworkConfiguration and Licensing TasksThis chapter includes the following topics: Performing the Initial Configurat

Table 13: Getting Started Configuration ToolsDefaults Applied:You Specify:Getting Started Tool Root password: abc123 Fully qualified domain name: Blan

Getting Started with the EasyConfig Wizard (Serial Console Port)We recommend you get started by running the EasyConfig wizard to assign an IPaddress t

Mask: 255.255.255.0What IP address do you want to configure for the management interface? [192.168.1.1]7. Type an IP address and press Enter.T

To get started with the QuickStart wizard:1. Connect one end of an Ethernet cable to the management interface port and theother end to the Ethernet po

6. Type the default user name (root) and password (abc123).7. Click ACM to start the ACM wizard. Complete the wizard steps as described inthe online H

[root@localhost ~] scio lic add lic.txt9. Run the following scio command to verify you have successfully added the licensekey:[root@localhost ~] scio

agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms o

34 Installing the Product License KeyIDP250 Installation Guide

Chapter 6Connecting the IDP Traffic Interfaces toYour Network and Verifying Traffic FlowThis chapter includes the following topics: Guidelines for Co

Table 14: Interface Connection Guidelines (continued)Cable Connection GuidelinesPortSniffer Mode – Copper Ports1.Connect one end of a CAT-5 straight-t

NOTE: IDP75, IDP250, IDP800, and IDP8200 support auto-MDIX.Connecting Devices That Do Not Support Auto-MDIXFor connections to a firewall or server, u

3. Slide the clip into the transceiver port until it clicks into place. Because the fit isclose, you may have to apply some pressure to seat the clip.

Part 3Adding the IDP Appliance to NSM Adding the IDP Appliance to NSM on page 41Adding the IDP Appliance to NSM 39

40 Adding the IDP Appliance to NSMIDP250 Installation Guide

Chapter 7Adding the IDP Appliance to NSMThis chapter includes the following topics: Reviewing Compatibility with NSM on page 41 Adding a Reachable I

To import an IDP device with a known IP address:1. In the NSM navigation tree, select Device Manager > Devices.Figure 12: NSM Add Device Wizard: Ad

Enter the password for the device admin user. You set the password foradmin when you ran the ACM Wizard. Enter the password for the device root use

vi

5. Log into the IDP command-line interface and verify the SSH key fingerprint.Comparing the SSH key fingerprint information enables you to detectman-i

Figure 16: NSM Add Device Wizard: Add Device Confirmation8. Click Next to import the configuration from the IDP device. Upon success, NSMdisplays the

Figure 18: NSM Device Manager: Viewing Device StatusRelated Topics Reviewing Compatibility with NSM on page 41 Basic Steps on page 2246 Adding a

Part 4Upgrading Software and Installing FieldReplaceable Units Upgrading Software on page 49 Installing Field Replaceable Units on page 53 Reimagin

48 Upgrading Software and Installing Field Replaceable UnitsIDP250 Installation Guide

Chapter 8Upgrading SoftwareThis chapter includes the following topics: Updating Software (NSM Procedure) on page 49 Upgrading Software (CLI Procedur

3. From the Select Software Image list, select the image file you just added to theNSM GUI server.4. In the Select Devices list, select the IDP device

3. Push a security policy update job to update attack objects in use in your securitypolicy:a. In NSM, select Devices > Configuration > Update D

Next Steps: Download the IDP detector engine and NSM attack database updates to the NSMGUI server:1.From the NSM main menu, select Tools > View/Upd

Chapter 9Installing Field Replaceable UnitsThis chapter includes the following topics: Replacing a Power Supply on page 53Replacing a Power SupplyThe

Table of ContentsPreface xiObjectives ...xiAudience

The power supply LED turns amber to indicate that the power supply is receivingpower. The LED turns green to indicate that it is receiving power and i

Chapter 10Reimaging the ApplianceThis chapter includes the following topic: Reimaging and Relicensing an Appliance on page 55Reimaging and Relicensin

56 Reimaging and Relicensing an ApplianceIDP250 Installation Guide

Part 5Technical Specifications and ComplianceStatements Technical Specifications on page 59 Compliance Statements on page 61 Common Criteria EAL2 C

58 Technical Specifications and Compliance StatementsIDP250 Installation Guide

Chapter 11Technical SpecificationsThis chapter includes the following topics: IDP250 Technical Specifications on page 59IDP250 Technical Specificatio

Table 17: Power Cord SpecificationsSpecificationsCountry UL-approved and CSA-certified Flexible cord minimum spec: No. 18 (1.5 mm2SVTor SJT, 3-conduct

Chapter 12Compliance StatementsThis chapter includes the following topic: Standards Compliance on page 61Standards ComplianceTable 20: Standards Comp

62 Standards ComplianceIDP250 Installation Guide

Chapter 13Common Criteria EAL2 ComplianceThis chapter includes the following topics: Common Criteria EAL2 Compliance on page 63Common Criteria EAL2 C

Part 2 Performing the InstallationChapter 3 Installation Overview 21Before You Begin ...

64 Common Criteria EAL2 ComplianceIDP250 Installation Guide

Part 6Index Index on page 67Index 65

66 IndexIDP250 Installation Guide

IndexSymbols1998 Class A compliance...61AACM ...

LEDsfault......4HA port.....

Part 4 Upgrading Software and Installing Field Replaceable UnitsChapter 8 Upgrading Software 49Updating Software (NSM Procedure) ......