Juniper Networks IDP 4.0 & NSM 2006.1

Evaluated Configuration Guide

Rev B.2

8/1/2006

Prepared for: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089

Prepared By: En Pointe Technologies, Inc., 8310 Capital of Texas Highway, Ste. 305, Austin, TX 78731

Table of Contents

1 Usage Guidance (page 3)
  1.1 Usage Assumptions (page 3)
    1.1.1 Access (page 3)
    1.1.2 Access Scope (page 3)
    1.1.3 Dynamic (page 3)
    1.1.4 User Processes (page 3)
    1.1.5 Manage (page 3)
    1.1.6 No Evil Administrators (page 3)
    1.1.7 No Trust (page 3)
    1.1.8 Location (page 3)
    1.1.9 Protection (page 4)
2 Installation/Configuration Guidance (page 5)
  2.1 Installation Prerequisites (page 5)
    2.1.1 IDP Sensor (page 5)
    2.1.2 NSM Server (page 5)
    2.1.3 NSM UI (page 6)
  2.2 Installation Procedures (page 6)
    2.2.1 IDP Sensor (page 6)
    2.2.2 NSM Server (page 6)
    2.2.3 NSM UI (page 13)
  2.3 Configuration Procedures (page 21)
    2.3.1 IDP Sensor (page 21)
    2.3.2 NSM Server (page 23)
    2.3.3 NSM UI (page 69)
3 Appendix A (page 70)
  3.1 Software Identification (page 70)
    3.1.1 NSM UI (page 70)
    3.1.2 NSM Server (page 71)
    3.1.3 IDP Sensor (page 73)
4 Appendix B: ACM Wizard (page 75)
  4.1 ACM Home Page (page 75)
  4.2 ACM Wizard Main Page (page 77)
    4.2.1 Setup (page 79)
    4.2.2 Mode (page 83)
    4.2.3 Networking (page 84)
    4.2.4 System (page 127)
    4.2.5 Management (page 139)
    4.2.6 Done (page 143)

Rev B.2 8/3/2006 Page 2 of 150

1 Usage Guidance

Performance of the security functions claimed for IDP and NSM depends on specific assumptions about the security environment in which both IDP and NSM will be installed and operated. The following assumptions must be met in order for IDP and NSM to be considered in their evaluated configuration.

1.1 Usage Assumptions

1.1.1 Access

It is assumed that both IDP and NSM have access to all the IT System data they need to perform their functions. This is accomplished by ensuring that the IDP sensor is correctly connected to the network(s) to be monitored and that NSM is correctly connected to and can communicate with IDP. [A.ACCESS]

1.1.2 Access Scope

It is assumed that the IDP appliance implemented is appropriately scalable to the IT Systems within the network that the IDP appliance monitors. [A.ASCOPE]

1.1.3 Dynamic

It is assumed that the IDP appliance will be managed in a manner that allows it to appropriately address changes to the IT Systems that it monitors. [A.DYNMIC]

1.1.4 User Processes

It is assumed that the IDP Sensor, NSM Server, and NSM UI are installed on dedicated systems that do not contain any user processes that are not required to operate IDP or NSM. [A.USER_PROCESSES]

1.1.5 Manage

It is assumed that there will be one or more competent individuals assigned to manage both IDP and NSM and the security of the information they contain. [A.MANAGE]

1.1.6 No Evil Administrators

It is assumed that the authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided within the documentation provided for both IDP and NSM. [A.NOEVIL]

1.1.7 No Trust

It is assumed that both IDP and NSM can only be accessed by authorized users. [A.NOTRST]

1.1.8 Location

It is assumed that the processing resources of both the IDP Sensor and the NSM Server will be located within controlled access facilities, which will prevent unauthorized physical access. [A.LOCATE]

1.1.9 Protection

It is assumed that the hardware and software critical to security policy enforcement for both the IDP Sensor and NSM Server will be protected from unauthorized physical modification. [A.PROTCT]

2 Installation/Configuration Guidance

There are specific installation and initialization requirements that must be met in order for IDP and NSM to operate in their evaluated configuration. Administrators must perform the steps described in this guidance document before implementing IDP and NSM in an operational environment so that each of the security functions can operate properly.

NOTE: All of the software files required to install NetScreen-Security Manager are located on the NetScreen-Security Manager installation CD or on the Internet at the Juniper Networks corporate support web site.

2.1 Installation Prerequisites

The following prerequisites must be accommodated prior to installing IDP or NSM.

2.1.1 IDP Sensor

The IDP Sensor requires one or more of the following IDP appliances:

IDP 50
IDP 200
IDP 600-C
IDP 600-F
IDP 1000-C
IDP 1100-F

2.1.2 NSM Server

The NSM Server requires a server meeting or exceeding the following hardware requirements:

CPU: Sun Microsystems UltraSPARC IIi 500MHz (or higher), OR Linux 1GHz (x86) processor (or higher)

Memory: 1GB (or higher); 2GB+ (depending on the number of managed devices and configuration size)

Swap Space: 4 GB for both GUI Server and Device Server

Storage: IDE Hard Disk Drive with 10K rpm (minimum); 15K rpm (recommended); 18 GB disk space (minimum); 40 GB disk space (recommended)

Network Connection: 100MBps NIC Ethernet adapter

Other: Server must be dedicated to running NetScreen-Security Manager.

The NSM Server also requires one of the following operating systems to be installed on the server:

NOTE: The latest available operating system security patches and service packs must be installed prior to installing the NSM Server or Client software.

Solaris 8
Solaris 9
Red Hat Enterprise Linux (ES/AS) 3.0-Update 5 or 4.0-Update 1

2.1.3 NSM UI

The NSM UI requires the following minimum hardware, operating system, and software components:

Hardware

IBM® compatible PC
400MHz Pentium® II or equivalent (minimum); 700 MHz Pentium II or equivalent (recommended)
RAM: 256 MB (minimum); 512 MB or above (recommended)
384kbps (DSL) or LAN connection - minimum bandwidth required to connect to the NetScreen-Security Manager management system.

Operating System

NOTE: The latest available operating system security patches and service packs must be installed prior to installing the NSM Server or Client software.

Microsoft Windows XP
Microsoft Windows NT® Workstation/Server 4.0, Service Pack 6a or higher
Microsoft Windows 2000 Server, Advanced Server, or Professional editions
Red Hat Enterprise Linux ES 3.0 or 4.0
Red Hat Enterprise Linux AS
US English versions only

Software Components

Java Runtime Environment (JRE) version 1.4.2

2.2 Installation Procedures

2.2.1 IDP Sensor

The IDP appliance is delivered with the IDP Sensor software version 4.0 pre-installed on the IDP appliance. However, new versions of the IDP Sensor software may be made available online or via CD-ROM. In order to upgrade the IDP Sensor software to the most current, follow the procedures detailed in the “Updating IDP Sensor Software” section in Chapter 6 of the “IDP 50, 200, 600, 1100 Installer’s Guide”, version 4.0.

2.2.2 NSM Server

To install the NSM Server, perform the following steps:

NOTE: This section assumes that an operating system as identified within section 2.1.2 has already been installed.

1. Log on to the operating system using the “root” account configured during the installation process of the operating system.

2. Change the current directory to the path containing the NSM Server installation script.

3. Execute the NSM Server installation script.

sh nsm2006.1_servers_linux_x86.sh

4. A prompt is displayed asking which servers to install. Type “3” and press Enter to confirm installing both the GUI Server and Device Server on the same system.

Creating staging directory...ok

########## PERFORMING PRE-INSTALLATION TASKS ##########
Running preinstallcheck...
Checking if platform is valid...............................ok
Checking for correct intended platform......................ok
Checking if all needed binaries are present.................ok
Checking for platform-specific binaries.....................ok
Checking for PostgreSQL.....................................ok
Checking if user is root....................................ok
Checking if user root exists................................ok
Checking if system meets RAM requirement....................ok
Checking for sufficient disk space..........................ok
Checking if RPM binary is the minimum version ..............ok
Noting OS name..............................................ok
Stopping any running servers
########## GATHERING INFORMATION ##########

1) Install Device Server only
2) Install GUI Server only
3) Install both Device Server and GUI Server
Enter selection (1-3) []> 3

5. A prompt is displayed asking if the machine will participate in an HA cluster. Press Enter to accept the default value of “n”.

########## GENERAL SERVER SETUP DETAILS ##########

Will this machine participate in an HA cluster? (y/n) [n]>

6. A prompt is displayed asking to provide the directory path in which the Device Server data will be stored. Press Enter to accept the default value of “/var/netscreen/DevSvr”.

########## DEVICE SERVER SETUP DETAILS ##########

The Device Server stores all of the user data under a single directory.
By default, this directory is /var/netscreen/DevSvr. Because the user data (including logs and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition.
Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
Enter data directory location [/var/netscreen/DevSvr]>

7. A prompt is displayed asking to provide the directory path in which the GUI Server data will be stored. Press Enter to accept the default value of “/var/netscreen/GuiSvr”.

########## GUI SERVER SETUP DETAILS ##########

The GUI Server stores all of the user data under a single directory.
By default, this directory is /var/netscreen/GuiSvr. Because the user data (including database data and policies) can grow to be quite large, it is sometimes desirable to place this data in another partition.
Please enter an alternative location for this data if so desired, or press ENTER for the location specified in the brackets.
Enter data directory location [/var/netscreen/GuiSvr]>

8. A prompt is displayed asking to provide the directory path in which the GUI Server database logs will be stored. Press Enter to accept the default value of “/var/netscreen/GuiSvr/xdb/log”.

The GUI Server stores all of the database logs under a single directory.
By default, this directory is /var/netscreen/GuiSvr/xdb/log. Because the database log can grow to be quite large, it is sometimes desirable to place this log in another partition.
Please enter an alternative location for this log if so desired, or press ENTER for the location specified in the brackets.
Enter database log directory location [/var/netscreen/GuiSvr/xdb/log]>

9. A prompt is displayed asking to provide the IP address for the management interface that will be used to communicate with the IDP appliance(s). Type in the IP address of the management interface and press Enter.

Enter the management IP address of this server []> 10.10.10.50

Setting GUI Server address and port to 10.10.10.50:7801 for Device Server

10. A prompt is displayed asking to provide and confirm the password that will be used for authenticating to the “super” user. Type in the password and press Enter. Then retype the password and press Enter to confirm the password defined.

Please enter a password for the 'super' user
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>

11. A prompt is displayed asking if a Statistical Report Server will be used with this GUI Server. Press Enter to accept the default value “n”.

Will a Statistical Report Server be used with this GUI Server? (y/n) [n]>

12. A prompt is displayed asking if the server processes need to be restarted automatically in case of a failure. Press Enter to accept the default value “y”.

########## HIGH AVAILABILITY (HA) SETUP DETAILS ##########

Will server processes need to be restarted automatically in case of a failure? (y/n) [y]>

13. A prompt is displayed asking if this machine will require local database backups. Press Enter to accept the default value “y”.

########## BACKUP SETUP DETAILS ##########

Will this machine require local database backups? (y/n) [y]>

14. A prompt is displayed asking what hour of the day to start the database backup. Press Enter to accept the default value “02”.

Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]>

15. A prompt is displayed asking if the daily backup will need to be sent to a remote machine. Press Enter to accept the default value “n”.

Will daily backups need to be sent to a remote machine? (y/n) [n]>

16. A prompt is displayed asking to enter the number of backups to keep. Press Enter to accept the default value “7”.

Enter number of database backups to keep [7]>

17. A prompt is displayed asking to enter the rsync command timeout. Press Enter to accept the default value “1800”.

Enter the rsync command timeout [1800]>

18. A prompt is displayed asking to specify the location of the database backup directory. Press Enter to accept the default value “/var/netscreen/dbbackup”.

Enter database backup directory [/var/netscreen/dbbackup]>

19. A prompt is displayed asking to specify the full path to the rsync program installed. Press Enter to accept the default value “/usr/bin/rsync”.

The database backup server(s) requires that you have previously installed the rsync program.
Enter the full path to rsync [/usr/bin/rsync]>

20. A prompt is displayed asking for the Postgres DevSvr Db port, which defaults to “5432”. Press Enter to accept the default value. A prompt is then displayed asking for the Postgres DevSvr Db super user, which defaults to “nsm”. Press Enter to accept the default name; you will then be prompted to enter a password for this user and to enter it again for verification.

########## DEVSVR DB SETUP DETAILS ##########

Enter Postgres DevSvr Db port [5432]>
Postgres DevSvr Db port set to 5432

Enter Postgres DevSvr Db super user [nsm]>
Postgres DevSvr Db super user set to 'nsm'

Enter Postgres DevSvr Db password for user 'nsm'
Enter password (password will not display as you type)>
Please enter again for verification
Enter password (password will not display as you type)>
Postgres DevSvr Db password set for 'nsm'

21. A prompt is displayed asking if the servers should be started after the installation has completed. Type “y” and press Enter.

########## POST-INSTALLATION OPTIONS ##########

Start server(s) when finished? (y/n) []> y

22. A prompt is displayed asking to confirm the set of configurations that have just been applied. Type “y” and press Enter to accept the configurations. Otherwise, type “n” to repeat steps 6 - 23.

########## CONFIRMATION ##########

About to proceed with the following actions:
- Install Device Server
- Install GUI Server
- Install High Availability Server
- This machine does not participate in an HA cluster
- Store Device Server data in /var/netscreen/DevSvr
- Store GUI Server data in /var/netscreen/GuiSvr
- Store GUI Server database log in /var/netscreen/GuiSvr/xdb/log
- Use IP address 10.10.10.50 for management
- Connect to GUI Server at 10.10.10.50:7801
- Set password for 'super' user
- Servers will be restarted automatically in case of a failure
- Local database backups are enabled
- Start backups at 02
- Daily backups will not be sent to a remote machine
- Number of database backups to keep: 7
- Logging is disabled: n
- Create database backup in /var/netscreen/dbbackup
- Use rsync program at /usr/bin/rsync
- Postgres DevSvr Db Server port: 5432
- Postgres DevSvr Db super user: nsm
- Postgres DevSvr Db password set for 'nsm'
- Start server(s) when finished: Yes

Are the above actions correct? (y/n)> y

23. After the configuration has been accepted, the installation process begins. If the installation completes successfully, you will see text similar to the text provided below. If the installation process does not complete successfully, ensure that you have correctly satisfied all of the installation prerequisites identified in section 2.1 and then re-execute the installation script.

########## EXTRACTING PAYLOADS ##########
Extracting payload..........................................ok
Decompressing payload.......................................ok

########## PERFORMING INSTALLATION TASKS ##########

----- INSTALLING Device Server -----
Looking for existing RPM package............................ok
Removing DevSvr files from default location.................ok
Installing Device Server RPM................................ok
Unpacking DevSvr............................................ok
Installing JRE..............................................ok
Creating var directory......................................ok
Creating /var/netscreen/dbbackup............................ok
Putting NSROOT into start scripts...........................ok
Filling in Device Server config file(s).....................ok
Setting permissions for Device Server.......................ok
----------Setting up PostgreSQL for DevSvr--------------
Changing password for user nsm.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
Passwd: all authentication tokens updated successfully.
Setting up PostgreSQL for DevSvr. . . ........................ok
Installation of Device Server complete.

----- INSTALLING GUI Server -----
Looking for existing RPM package............................ok
Removing GuiSvr files from default location.................ok
Installing GUI Server RPM...................................ok
Installing JRE..............................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in GUI Server config file(s)........................ok
Setting permissions for GUI Server..........................ok
Running generateMPK utility.................................ok
Running fingerprintMPK utility..............................ok
Installation of GUI Server complete.

----- INSTALLING HA Server -----
Looking for existing RPM package............................ok
Removing HaSvr files from default location..................ok
Installing HA Server RPM....................................ok
Creating var directory......................................ok
Putting NSROOT into start scripts...........................ok
Filling in HA Server config file(s).........................ok
Setting permissions for HA Server...........................ok
Installation of HA Server complete.

----- SETTING START SCRIPTS -----
Enabling Device Server start script.........................ok
Enabling GUI Server start script............................ok
Enabling HA Server start script.............................ok

########## PERFORMING POST-INSTALLATION TASKS ##########
Running nacnCertGeneration..................................ok
Running idpCertGeneration...................................ok
Removing staging directory..................................ok
Starting GUI Server.........................................ok
Starting Device Server......................................ok
Starting HA Server..........................................ok

NOTES:
- Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20060613094753

- This is the GUI Server fingerprint: 38:09:B8:7A:3E:21:0B:FC:D8:20:8B:B4:3A:AC:7E:76:F3:4A:8A:56
  You will need this for verification purposes when logging into the GUI Server. Please make a note of it.

- To enable firmware updates to ScreenOS 4.x devices, the TFTP server on this machine needs to be enabled.

- To enable firmware updates to ScreenOS 4.x devices, the TFTP server on this machine must have its root directory set to ‘/usr/netscreen/DevSvr/var/cache’
[root@nsm ~]#

2.2.3 NSM UI

To install the NSM UI, perform the following steps:

1. Log on to the operating system using the “root” or “administrator” account configured during the installation process of the operating system.

2. Open a terminal window or command prompt, if it is not already open.

3. Insert the NSM CD or download the NSM Client application from the Juniper Networks, Inc. website.

4. Change the current directory to the path containing the NSM UI installation file:

For Windows:

d:\ (Assuming that D: is the drive letter associated with the CD device)

or,

C:\tempdir (Assuming that C:\tempdir is the location where NSM UI installation was downloaded to)

5. Execute the NSM UI installation file:

For Windows:

nsm2006.1_ui_win_x86.exe

6. The “Introduction” screen is displayed, as identified in the figure below. Click on “Next” to continue.

7. The “License Agreement” screen is displayed, as identified in the figure below. Read through the agreement and select “I accept the terms of the License Agreement”, if it is agreed. Then click on “Next” to continue.

8. The “Choose Install Folder” screen is displayed, as identified in the figure below. Click on “Next” to accept the default value and continue.

NOTE: The installation path identified above is based on a Windows installation. See below for the default values of each operating system.

Windows: C:\Program Files\NetScreen-Security Manager

9. The “Choose Shortcut Folder” screen is displayed, as identified in the figure below. Click on “Next” to accept the default value and continue.

10. The “Pre-Installation Summary” screen is displayed, as identified in the figure below. Click on “Install” to confirm the installation options selected and continue with the installation process.

11. The “Installing NetScreen-Security Manager” screen is displayed, as identified in the figure below. Remain patient until the indicator at the bottom of the screen becomes completely green, indicating that the installation is now complete.

12. The “Install Complete” screen is then displayed, as identified in the figure below. Click on “Done” to exit the NSM UI installer.

2.3 Configuration Procedures

The following subsections provide instructions for configuring the IDP Sensor, NSM Server, and NSM UI components. The configuration procedures should be performed in the order in which they are presented, unless a specific step directs you to perform another procedure out of this order.

2.3.1 IDP Sensor

Configuring the IDP appliance involves connecting to the IDP appliance, as described in section 2.3.1.1 below, and running the Appliance Configuration Manager (ACM) wizard, as further described in section 4 below.

2.3.1.1 Connect to the IDP Appliance

To connect with and configure the IDP appliance, you may establish a connection either by connecting through the management port or through the console. The following subsections describe how to connect to the IDP appliance using both methods.

2.3.1.1.1 Using the Management Port

To connect to the IDP appliance using the management port, perform the following steps:

1. Locate the management port for your IDP appliance. The management port is identified as the following for each respective evaluated IDP appliance:

IDP 50 - MGT
IDP 200 - MGT
IDP 1000-C - MGT
IDP 1100-F - MGT
IDP 600-C - MGT
IDP 600-F - MGT

2. Connect a standalone computer, such as a laptop, to the IDP appliance management port, as identified above. To connect directly to the appliance, use a crossover cable. To connect to the appliance over a hub or switch, use a straight-through cable.

3. Change the IP address of the standalone computer to 192.168.1.2, with the subnet mask being 255.255.255.0 and the gateway being 192.168.1.1. For instructions on changing your IP address, see your computer’s operating system documentation.

4. On the connected computer, open a Web browser. Enter the URL of the ACM wizard as https://192.168.1.1. Because the ACM uses a secure form of HTTP, you MUST enter https:// before the IP address.

5. Enter the default user name (root) and password (abc123). When the ACM wizard appears, proceed to section 4 below.

2.3.1.1.2 Using the Console

To connect to the IDP appliance using the console, perform the following steps:

1. Connect to the IDP appliance. The console can be accessed through either the serial port or the keyboard and monitor connections:

a. For serial console connections, connect a serial console to the IDP appliance Serial port and configure the terminal software to use parameters 8-N-1, 9600. For Windows, use HyperTerminal. For Linux, use minicom.

b. For keyboard and monitor connections, connect a keyboard and monitor to the IDP appliance.

2. Log in to the IDP appliance using the default user name (root) and password (abc123). The Ethernet configuration script automatically runs. Follow the instructions in the script’s help text to configure Ethernet access to the IDP appliance.

3. When prompted, select the network card you want to configure. The default configuration for that network card appears.

a. To accept the default configuration, type n and press Enter to continue.

b. To reconfigure the network card, type y. Assign an IP address and netmask to the network card. Be sure to use an IP address that is reachable by the computer you will use to configure the Sensor software. Press Enter to continue.

4. When prompted, set a default route by pressing y. Enter the default route for the computer that you will use to configure the Sensor software. Press Enter.

5. Perform the procedures above in section 2.3.1.1.1 to connect to the management port just configured, and run the ACM wizard.


2.3.2 NSM Server

2.3.2.1 Authenticate to the NSM Server

Before any configuration can be applied to the NSM Server, you must first authenticate to the NSM Server using the installed NSM UI. To authenticate, perform the following steps.

1. Open the shortcut selected in the “Choose Shortcut Folder” screen for the NSM UI installation (see item 9 in section 2.2.3).

2. If this is the first time that the NSM UI is run, a prompt displays the RSA fingerprint of the NSM Server. Compare it with the fingerprint documented in step 23 of section 2.2.2 of this document and click “Accept” only if the two match. If they differ, do not accept: the UI may be connected to a host other than the NSM Server you installed, and the mismatch should be investigated before proceeding.

3. The NSM UI Login prompt is displayed, as identified in the figure below. Enter the administrator name in the “Login:” field, the password in the “Password:” field, and the IP address or hostname of the NSM Server in the “Server:” field. Then left-click on “OK”.

NOTE: If this is your first time authenticating to the NSM Server, you will need to use the “super” administrator account with the password specified in step 10 of section 2.2.2 above.


4. The NSM UI is then displayed, as identified in the figure below. The default display is the Log Viewer module; on subsequent logins the NSM UI returns the same user to the screen that was in focus when that user last used it.


2.3.2.2 Configure Events to Log

To ensure that all auditable events required are selected to be recorded, perform the following steps:

1. Left-click on the “Audit Log Viewer” module.

2. Left-click on the “Edit” menu bar.

3. Left-click on “Set Auditable Activity”.

4. Left-click on the check box next to each of the following “Read only” auditable events that are not already selected with a check mark. The audit requirement each event satisfies is listed beneath it:

a. View Admins
   FAU_GEN.1: Access to the TOE and System data

b. View Audit Logs
   FAU_GEN.1 [FAU_SAR.1]: Reading of information from the audit records
   FAU_GEN.1: Access to the TOE and System data

c. View Devices, Device Groups, & Templates
   FAU_GEN.1: Access to System

d. View Device Config
   FAU_GEN.1: Access to the TOE and System data

e. View Device Logs
   FAU_GEN.1: Access to the TOE and System data

f. View Admin Roles
   FAU_GEN.1: Access to the TOE and System data

g. View IDP Rulebase
   FAU_GEN.1: Access to the TOE and System data

h. View Backdoor Rulebase
   FAU_GEN.1: Access to the TOE and System data

i. View Security Policies
   FAU_GEN.1: Access to the TOE and System data

j. View Action Attributes
   FAU_GEN.1: Access to the TOE and System data

k. View SYN Protector Rulebase
   FAU_GEN.1: Access to the TOE and System data

l. View Traffic Signature Rulebase
   FAU_GEN.1: Access to the TOE and System data

m. View Network Honeypot Rulebase
   FAU_GEN.1: Access to the TOE and System data

n. View Auditable Activities
   FAU_GEN.1: Access to the TOE and System data

5. Left-click on the “Read-write” tab next to the “Read only” tab.

6. Left-click on the check box next to each of the following “Read-write” auditable events that are not already selected with a check mark. The audit requirements each event satisfies are listed beneath it:

NOTE: All Read-write auditable events are selected by default. The events below must remain selected with a check mark to comply with the evaluated configuration.

a. Create Admins
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

b. Edit Admins
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

c. Delete Admins
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

d. Update Device Config
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

e. Hide & Unhide Device Log
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

f. Purge Device Logs
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

g. Create Security Policies
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

h. Delete Rulebases
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

i. Delete Security Policies
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

j. Create Admin Roles
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   FAU_GEN.1 [FMT_SMR.1]: Modifications to the group of users that are part of a role

k. Edit Admin Roles
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   FAU_GEN.1 [FMT_SMR.1]: Modifications to the group of users that are part of a role

l. Delete Admin Roles
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data
   FAU_GEN.1 [FMT_SMR.1]: Modifications to the group of users that are part of a role

m. Attack Update
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

n. Modify policylookup Table
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

o. Create/Edit IDP Rulebase
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

p. Create/Edit Backdoor Rulebase
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

q. Edit Security Policies
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

r. Modify Action Attributes
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

s. Create/Edit SYN Protector Rulebase
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

t. Create/Edit Traffic Signature Rulebase
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

u. Create/Edit Network Honeypot Rulebase
   FAU_GEN.1: Access to the TOE and System data
   FAU_GEN.1 [FMT_MOF.1]: All modifications in the behavior of the functions of the TSF
   FAU_GEN.1 [FMT_MTD.1]: All modifications to the values of TSF data

7. Left-click on “OK” to confirm and save the selections.


2.3.2.3 Configure NSM to Communicate with IDP

Before configuring communication to the IDP appliance, ensure that the procedures identified above for connecting to and configuring the IDP appliance have been performed. Also ensure that the IDP appliance is powered on and that the management port is correctly configured and connected to communicate with the NSM Server.

To establish a communication path between the NSM Server and the IDP appliance, the following steps must be performed:

1. Left-click on the plus sign (+) next to the “Device Manager” module to expand the components within that module.

2. Left-click on the “Security Devices” component.

3. Left-click on the plus sign (+) within the “Security Device Tree” tab that is displayed to the right of the modules tree.

4. Left-click on “Device”.

5. Type in a name for the IDP appliance in the “Device Name” field.

6. Select the default option displayed, “Device is Reachable (i.e. Static IP Address)”.

7. Left-click on “Next” to continue.


8. Type in the IP Address of the management port for the IDP appliance within the “IP Address” field.

9. Type in “admin” in the “Name” field.

10. Type in the password created for the admin user in the “Password” field.

NOTE: This is the password specified for the admin account in section 4.2.1.1.

11. Type in the password created for the root user in the “Super user Password for IDP Device” field.

NOTE: This is the password specified for the root account in section 4.2.1.1.

12. Select the default selection, “SSH Version 2”, in the “Connect To Device With:” field.

13. Select the default selection, “22”, in the “Port Number” field.

14. Left-click on “Next” to continue.


15. Verify the SSH key displayed by connecting to the console of the IDP appliance, as described in section 2.3.1.1.2, and typing the following commands, which print the fingerprint of the appliance’s DSA host key. The console is used so that the fingerprint is obtained independently of the network path whose authenticity is being verified:

cd /etc/ssh

ssh-keygen -l -f ssh_host_dsa_key.pub

16. If the fingerprint printed by the commands above matches the key displayed in the “Verify Device Authenticity” window, left-click on “Next” to confirm the device’s authenticity. If it does not match, do not confirm: cancel the wizard and investigate before adding the device, because the NSM Server would otherwise trust a host key that the appliance did not present over its console.
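The comparison in steps 15 and 16 can be made less error-prone by computing the fingerprint of the key file offline and comparing it to the value shown in the NSM window in code. The following Python is an added example and is not part of the Juniper guide or of the NSM/IDP software; it reproduces what ssh-keygen -l printed in 2006 (MD5 over the raw key blob, as colon-separated hex) and, for newer ssh-keygen releases, the SHA256 form. The sample key line is constructed with placeholder DSA parameters and is not a usable key; the function names and the tolerated input variations are choices made for this example.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (a leading 0x00 is added when the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_sample_pubkey_line() -> str:
    """Constructed ssh-dss public key line in the one-line OpenSSH .pub format.

    The blob is the key type followed by the DSA parameters p, q, g and the
    public value y. The numbers are arbitrary placeholders, not a usable key.
    """
    blob = _ssh_string(b"ssh-dss") + b"".join(
        _ssh_mpint(v) for v in (0x1234567, 0x89ABCDEF, 0x2, 0x42)
    )
    return "ssh-dss " + base64.b64encode(blob).decode("ascii") + " root@idp-sensor"


SAMPLE_PUBKEY_LINE = build_sample_pubkey_line()  # stands in for /etc/ssh/ssh_host_dsa_key.pub


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Return (key type, raw key blob) from a public key line such as ssh_host_dsa_key.pub."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    # The first SSH string inside the blob names the key type; it must match the
    # text field, otherwise the file has been edited or mislabelled.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match key type on the line")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint (what ssh-keygen -l printed in 2006): MD5 of the blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_matches(pubkey_line: str, displayed_fingerprint: str) -> bool:
    """Compare the fingerprint shown by the management UI with the key read over the console.

    Returns True only when they agree. For the MD5 form it tolerates an 'MD5:'
    prefix, upper-case hex and missing colons, since those differ between
    ssh-keygen versions and UI screens. The comparison is constant-time.
    """
    _, blob = parse_pubkey_line(pubkey_line)
    shown = displayed_fingerprint.strip()
    if shown.startswith("SHA256:"):
        return hmac.compare_digest(sha256_fingerprint(blob), shown)
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    shown_hex = shown.replace(":", "").lower()
    return hmac.compare_digest(hashlib.md5(blob).hexdigest(), shown_hex)


if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(key_type, md5_fingerprint(blob), sha256_fingerprint(blob))
```

To use it against a real appliance, paste the single line of ssh_host_dsa_key.pub read over the console into pubkey_line and the value from the “Verify Device Authenticity” window into displayed_fingerprint; only a True result justifies clicking “Next”.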


17. The Add Device wizard will now attempt to auto detect the settings configured on the IDP appliance. When the detection is complete, the “Finish” button will be enabled. Left-click on “Finish” to complete the process for adding the IDP appliance.

18. The Add Device wizard will now display a text box indicating that the device is currently being added.


19. When the Add Device wizard is complete, the NSM UI will be brought back into focus and the IDP appliance just added will be displayed within the “Security Devices Tree” tab.


2.3.2.4 Import IDP Device Configuration

Before any changes can be made to the IDP appliance configuration, the configuration of the IDP appliance must first be imported into the NSM Server. This is accomplished by performing the following steps:

1. Within the “Security Devices Tree” tab, right-click on the IDP device added in section 2.3.2.3 above, and left-click on “Import Device”.


2. The configuration pertaining to the IDP appliance added will be imported. When the importing process is complete, a result will be returned indicating “Device imported successfully”, as identified in the figure below. Left-click on “Close” to exit the Import Device wizard.


2.3.2.5 Update IDP Detector Engine

The IDP Detector Engine

1. While in the “Device Manager” module view, select “IDP Detector Engine > Load IDP Detector Engine” from the “Devices” menu bar.


2. A confirmation prompt is displayed, reminding the user to save any changes to the IDP appliance configuration before proceeding. Left-click on “Next” to continue.


3. Select the check box next to the IDP appliance added in section 2.3.2.3 above. Left-click on “Finish” to continue.


4. A “Job Information” window is displayed, indicating that the operation has completed successfully. Left-click on “Close” to exit the IDP Detector Engine wizard.


2.3.2.6 Install Attack Signature Updates

1. While in the “Device Manager” module view, select “View/Update NSM Attack Database” from the “Tools” menu bar.


2. A confirmation prompt is displayed, reminding the user to save any changes to the IDP appliance configuration before proceeding. Left-click on “Next” to continue.


3. A summary prompt is displayed, identifying both the current version.


2.3.2.7 Create Policies to Monitor/Protect Networks

1. Right-click on the “Security Policies” module and left-click on “New Policy…”


2. Type in a name for the IDP policy within the “Policy Name” field.

After a name has been entered in the “Policy Name” field, the “Next” button is enabled. Left-click on “Next” to proceed to the window below.


Clear the “Firewall/VPN Devices” check box and select the “Stand Alone IDP Devices” check box, as shown below.


3. Select “Use IDP Template”, then select a template from the “Name” selection box and left-click on “OK”.

Once a name has been selected from the drop-down box, the “Next” button is enabled. Left-click on the “Next” button.


Left-click on the “Next” button.


Left-click on the “Finish” button.


4. When the policy has been successfully created, the NSM UI will be brought back into focus and the security policy just created will be displayed within the “Security Policies” screen.


2.3.2.8 Apply Policies to the IDP Appliance

1. Left-click on the “Security Devices” component within the “Device Manager” module.

2. Right-click on the IDP appliance added in section 2.3.2.3 above and left-click on “Policy > Assign Policy…”.


3. Select the IDP policy created in section 2.3.2.7 above within the “Security Policy Name” field.

4. Left-click on “OK” to apply the policy to the IDP appliance.


5. When the operation has successfully completed, the NSM UI will be brought back into focus with the IDP appliance displayed within the “Security Devices Tree” tab.


2.3.2.9 Update the Configuration to the IDP Appliance

1. While in the “Security Devices” view of the “Device Manager” module, right-click on the IDP appliance added in section 2.3.2.3 above and left-click on “Update Device”.


2. Confirm the default option selected, “Restart IDP Profiler after Device Update”, and left-click on “OK”.

NOTE: It is not mandatory to request the IDP Profiler to restart after the device update.

3. When the device update is complete, a confirmation screen is displayed. Left-click on “Close” to exit the Update Device wizard.


2.3.2.10 Configure Authentication Failure Handling

1. While in the “Security Devices” view of the “Device Manager” module, left-click on “Preferences” from the “Tools” menu bar.

Once you click on “Preferences” the following window appears.


2. Left-click on “System Properties”.

3. Set the numerical value in the “Consecutive, failed login attempts until blocked” field to a value other than zero.

NOTE: The default value of 10 is considered a reasonable value: it tolerates an administrator’s occasional mistakes while limiting the number of unsuccessful authentication attempts available to an attacker who tries to brute-force an account. A value of zero is not permitted in the evaluated configuration.

4. Left-click on “OK” to accept the new value, save the change, and exit the Preferences screen.
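To make the semantics of the setting above concrete (consecutive failures only, reset by a success, blocked once the threshold is reached), the following Python models the control. It is an added example, not NSM’s implementation and not part of the Juniper guide: the class and method names, the PBKDF2 credential store, the audit list and the unblock method are assumptions made for illustration, and the sample accounts and passwords are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 50_000  # assumption for the example; NSM's real password storage is not described here


@dataclass
class AccountState:
    consecutive_failures: int = 0
    blocked: bool = False


class LoginGuard:
    """Model of 'consecutive, failed login attempts until blocked'.

    A failed attempt increments the per-account counter; a successful attempt
    resets it to zero, so only an unbroken run of failures counts. When the
    counter reaches max_failures the account is blocked and every further
    attempt, even with the correct password, is refused until an administrator
    unblocks it. Zero is rejected because the evaluated configuration requires
    a value other than zero.
    """

    def __init__(self, max_failures: int) -> None:
        if max_failures < 1:
            raise ValueError("failed-login threshold must be a value other than zero")
        self.max_failures = max_failures
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (salt, derived key)
        self._state: Dict[str, AccountState] = {}
        self.audit: List[Tuple[str, str]] = []              # (name, outcome), the audit trail

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def add_admin(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[name] = (salt, self._derive(password, salt))
        self._state[name] = AccountState()

    def login(self, name: str, password: str) -> str:
        """Return 'ok', 'bad_password', 'blocked' or 'unknown_user'."""
        state = self._state.get(name)
        if state is None:
            # Spend the same effort as for a real account so timing does not reveal valid names.
            self._derive(password, b"\x00" * 16)
            return self._record(name, "unknown_user")
        if state.blocked:
            return self._record(name, "blocked")
        salt, stored = self._creds[name]
        if hmac.compare_digest(self._derive(password, salt), stored):
            state.consecutive_failures = 0      # a success breaks the run of failures
            return self._record(name, "ok")
        state.consecutive_failures += 1
        if state.consecutive_failures >= self.max_failures:
            state.blocked = True                # threshold reached: block the account
            return self._record(name, "blocked")
        return self._record(name, "bad_password")

    def unblock(self, name: str) -> None:
        """Administrative unblock; assumed to be a separately authorised action."""
        self._state[name] = AccountState()

    def _record(self, name: str, outcome: str) -> str:
        self.audit.append((name, outcome))
        return outcome


if __name__ == "__main__":
    guard = LoginGuard(max_failures=10)          # the guide's default threshold
    guard.add_admin("nsmadmin", "constructed-example-passphrase")
    for _ in range(10):
        print(guard.login("nsmadmin", "wrong"))
    print(guard.login("nsmadmin", "constructed-example-passphrase"))  # still blocked
```

The point the model makes is that a lockout counter that never resets would eventually block every administrator through ordinary typos, while one that counts only consecutive failures gives an attacker at most max_failures guesses per successful login by the legitimate user.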


2.3.2.11 Create an Administrator

1. While in the “Security Devices” view of the “Device Manager” module, left-click on “Manage Administrators and Domains” from the “Tools” menu bar.


5. Left-click on the plus sign (+) to create a new administrator.


6. Type in a name for the new administrator within the “Name” field.

7. Enter information into the other available fields.

NOTE: The only field required to be completed is the “Name” field. Therefore, the remaining fields are optional and do not have to be completed to create an administrator, if they are not needed.


8. Left-click on the “Authorization” tab.

9. Left-click on the “Set Password…” button.

10. Type in the password to be used for the new administrator within the “Enter a new password:” and “Confirm new password:” fields.

NOTE: The password provided must be between 9 and 64 characters in length.


11. Left-click on the “Permissions” tab.

12. Left-click on the plus sign (+) to assign a role to the new administrator.

13. Select the role to be assigned to the administrator from one of the available roles within the “Role” selection box.


14. Select the check box next to the Domain that the new administrator will be assigned to and left-click on “OK” to accept the selection. The default domain is the global domain.

15. The focus is then returned back to the New Administrator wizard. Left-click on “OK” to accept the configurations applied and create the new administrator defined.


16. The focus is then returned back to the Manage Administrators and Domains screen. Left-click on “OK” to exit the Manage Administrators and Domains screen.

2.3.3 NSM UI

No configuration steps are necessary since all configurations that affect the NSM UI are only configurable and enforceable from the NSM Server.


3 Appendix A

3.1 Software Identification

3.1.1 NSM UI

1. Open the shortcut selected in the “Choose Shortcut Folder” screen for the NSM UI installation (see item 9 in section 2.2.3).

2. The NSM UI Login prompt is displayed, as identified in the figure below. Verify that the version and build identified in the bottom left-hand corner of NSM UI Login prompt matches the version indicated for the NSM UI within the Security Target.


3.1.2 NSM Server

1. Authenticate to the NSM Server using the steps provided in section 2.3.2.1. When the NSM UI is displayed, left-click on “About NetScreen-Security Manager” from the “Help” menu bar.


3. The “About Juniper Networks - NSM” prompt is displayed. Verify that the version and build identified in the bottom left-hand corner of the “About Juniper Networks - NSM” prompt matches the version indicated for the NSM Server within the Security Target.


3.1.3 IDP Sensor

1. From within the NSM UI, left-click on the plus sign (+) next to the “Device Manager” module to expand the components within that module.

2. Left-click on the “Security Devices” component.

3. Right-click on the IDP appliance added in section 2.3.2.3 above, and left-click on “Edit”.


4. The IDP appliance properties are displayed. Verify that the version and build identified in the “Detector Version” field matches the version indicated for the IDP Sensor within the Security Target.


4 Appendix B: ACM Wizard

4.1 ACM Home Page

When you first navigate to the IDP appliance through a web browser, you are presented with the ACM home page as identified in the figure below. From here, you can view and apply the current IDP configuration, download or upload the IDP configuration, or reconfigure the IDP appliance using the ACM wizard. Additionally, individual links are presented beneath the “ACM menu” section which allow you to browse directly to a specific configuration page within the ACM wizard.


4.2 ACM Wizard Main Page

Once the ACM Wizard is invoked, you are redirected to the ACM wizard page as identified in the figure below. From here, you can start the configuration process by clicking on “Start Configuration Wizard”, or you can import an existing configuration file by specifying the location of the existing configuration file and clicking on “Upload Config Template”.


4.2.1 Setup

The Setup section of the ACM wizard allows you to specify the passwords for the root and admin accounts on the IDP Sensor and a Fully Qualified Domain Name (FQDN) for the IDP appliance.

4.2.1.1 Choose Sensor Passwords

The “Choose Sensor Passwords” page provides the ability to change the password for both the root and admin accounts, as identified in the figure below.

WARNING: Although this page treats changing the default passwords as optional, the evaluated configuration requires that you change both the root and admin passwords from their default value (abc123).

NOTE: As indicated in the figure below, the password chosen must be between 6 and 20 characters in length.


4.2.1.2 Choose Sensor FQDN

The “Choose Sensor FQDN” page provides the ability to change or set the FQDN for the IDP Appliance, as identified in the figure below.


4.2.2 Mode

The Mode section of the ACM wizard allows you to specify the deployment mode that is to be used by the IDP Sensor.

4.2.2.1 Choose Deployment Mode

The “Choose Deployment Mode” page provides the ability to specify which deployment mode to be used by the IDP Sensor, as identified in the figure below.

As indicated, the modes available for deployment include:

Sniffer Mode
Bridge Mode
Proxy-Arp Mode
Transparent Mode
Router Mode

NOTE: The configuration screens within the next section vary based on the deployment mode chosen here. For the additional mode-specific configurations, see section 4.2.3.2 below.


4.2.3 Networking

The Networking section of the ACM wizard allows you to configure the network interface hardware installed on your IDP appliance, the deployment mode-specific settings, the routing table, and DNS.

4.2.3.1 Choose Network Interface Hardware

The “Choose Network Interface Hardware” page provides the ability to specify the transmission mode to be used by the network interfaces installed on your IDP appliance, as identified in the figure below. By default, the transmission mode is set to “auto”.


4.2.3.2 Deployment Mode Specific Configurations

This section provides the additional configuration pages available within the Networking section that are specific to the deployment mode chosen in section 4.2.2.1 above.

4.2.3.2.1 Sniffer Mode

If Sniffer mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.

4.2.3.2.1.1 Configure the Management Interface

The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below.


4.2.3.2.1.2 Choose Sniffer Interface(s)

The “Choose Sniffer Interface(s)” page provides the ability to choose one or more interfaces to be used for sniffing network traffic, as identified in the figure below.


4.2.3.2.1.3 Choose Reset Interface

The “Choose Reset Interface” page provides the ability to choose the interface to be used for resetting live connections, as identified in the figure below.


4.2.3.2.2 Bridge Mode

If Bridge mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.

4.2.3.2.2.1 Configure VLANs and Virtual Routers

The “Configure VLANs and Virtual Routers” page provides the ability to enable 802.1Q VLAN tags and/or multiple virtual routers, as identified in the figure below.

4.2.3.2.2.2 Configure the Management Interface

The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below.

4.2.3.2.2.3 Configure Forwarding Interfaces

The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below.

NOTE: You must configure at least two interfaces.

4.2.3.2.2.4 Configure Bridge Interfaces

The “Configure Bridge Interfaces” page provides the ability to specify the IP address and netmask for the forwarding interfaces defined in section 4.2.3.2.2.3, or to select Stealth mode, in which no IP address is assigned to the forwarding interfaces and the appliance therefore has no addressable presence on the segments it bridges, as identified in the figure below.

4.2.3.2.3 Proxy-ARP Mode

If Proxy-ARP mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.

4.2.3.2.3.1 Configure VLANs and Virtual Routers

The “Configure VLANs and Virtual Routers” page provides the ability to enable 802.1Q VLAN tags and/or multiple virtual routers, as identified in the figure below.

4.2.3.2.3.2 Configure the Management Interface

The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below.

4.2.3.2.3.3 Configure Forwarding Interfaces

The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below.

NOTE: You must configure at least two interfaces.

4.2.3.2.3.4 Configure Proxy-ARP Interfaces

The “Configure Proxy-ARP Interfaces” page provides the ability to specify the IP address and netmask for the forwarding interfaces defined in section 4.2.3.2.3.3, as identified in the figure below.

4.2.3.2.4 Transparent Mode

If Transparent mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.

4.2.3.2.4.1 Configure VLANs and Virtual Routers

The “Configure VLANs and Virtual Routers” page provides the ability to enable multiple virtual routers, as identified in the figure below.

4.2.3.2.4.2 Configure the Management Interface

The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below.

4.2.3.2.4.3 Configure Forwarding Interfaces

The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below.

NOTE: You must configure at least two interfaces.

4.2.3.2.5 Router Mode

If Router mode was chosen in section 4.2.2.1 above, then the following configuration pages are displayed.

4.2.3.2.5.1 Configure VLANs and Virtual Routers

The “Configure VLANs and Virtual Routers” page provides the ability to enable 802.1Q VLAN tags and/or multiple virtual routers, as identified in the figure below.

4.2.3.2.5.2 Configure the Management Interface

The “Configure the Management Interface” page provides the ability to choose the management interface to be used and the IP address and netmask to be assigned to the management interface, as identified in the figure below.

4.2.3.2.5.3 Configure Forwarding Interfaces

The “Choose Forwarding Interfaces” page provides the ability to choose the interfaces that will be used to forward traffic, as identified in the figure below.

NOTE: You must configure at least two interfaces.

4.2.3.2.5.4 Configure Router Interfaces

The “Configure Router Interfaces” page provides the ability to specify the IP address and netmask for the forwarding interfaces defined in section 4.2.3.2.5.3, as identified in the figure below.

4.2.3.3 Choose Routing Table

The “Configure Routing Table” page provides the ability to specify one or more routes to be used by the network interfaces installed on your IDP appliance, as identified in the figure below. At a minimum, specify the default route for the network to which the management interface is attached.

4.2.3.4 Configure DNS

The “Configure DNS” page provides the ability to enable and configure DNS information, such as the domain name, the domain search list, and up to three name servers, as identified in the figure below.

4.2.4 System

The System section of the ACM wizard allows you to configure the date, time, and time zone; NTP settings; RADIUS settings; SNMP settings; and SSH access settings.

4.2.4.1 Configure Date/Time

The “Configure Date/Time” page provides the ability to enable and configure the date, time, and time zone for the IDP appliance, as identified in the figure below.

4.2.4.2 Configure NTP

The “Configure NTP” page provides the ability to enable NTP and to synchronize time with up to three different NTP servers, as identified in the figure below.

4.2.4.3 Configure Radius

The “Configure Radius” page provides the ability to enable and configure RADIUS information, such as the RADIUS server IP address, the RADIUS server port, the shared secret, and the external User ID, as identified in the figure below. The shared secret must match the one configured on the RADIUS server for this appliance.
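To make concrete what the shared secret entered on this page protects, the following added example (not code from this guide, from Juniper, or from the NSM/IDP software) implements the two RFC 2865 mechanisms that depend on it: hiding the User-Password attribute in an Access-Request, and computing and checking the Response Authenticator on the server's reply. SAMPLE_SECRET, SAMPLE_PASSWORD and the helper names are assumptions for the example; the real secret is whatever is entered on this page.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example only. The real shared secret is the one
# entered on the Configure Radius page and configured on the RADIUS server.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_PASSWORD = b"correct horse battery staple"


def hide_password(password, secret, request_authenticator):
    """Hide a User-Password attribute as in RFC 2865 section 5.2.

    The password is null-padded to a multiple of 16 bytes and each 16-byte
    block is XORed with MD5(secret + previous block), where the "previous
    block" for the first round is the 16-byte Request Authenticator.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; the chained value is the previous cipher block.

    Only a holder of the same secret recovers the password; any other secret
    yields garbage, which is why the secret must be kept out of reach.
    """
    if len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return out.rstrip(b"\x00")


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """Response Authenticator from RFC 2865 section 3.

    MD5 over Code, Identifier, Length, the Request Authenticator, the reply's
    attributes and the shared secret. Without the secret a host on the path
    cannot forge an Access-Accept that the client will believe.
    """
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def reply_is_authentic(reply, request_authenticator, secret):
    """Check a raw RADIUS reply packet against the secret; True only on a match."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, reply[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, reply[4:20])


def build_access_accept(identifier, request_authenticator, secret, attributes=b""):
    """Assemble a minimal Access-Accept (code 2) carrying a valid Response Authenticator."""
    auth = response_authenticator(2, identifier, attributes, request_authenticator, secret)
    return struct.pack("!BBH", 2, identifier, 20 + len(attributes)) + auth + attributes


if __name__ == "__main__":
    ra = os.urandom(16)  # a fresh Request Authenticator per Access-Request
    hidden = hide_password(SAMPLE_PASSWORD, SAMPLE_SECRET, ra)
    print("round trip ok:", reveal_password(hidden, SAMPLE_SECRET, ra) == SAMPLE_PASSWORD)
    reply = build_access_accept(7, ra, SAMPLE_SECRET)
    print("genuine reply accepted:", reply_is_authentic(reply, ra, SAMPLE_SECRET))
    print("reply under wrong secret accepted:", reply_is_authentic(reply, ra, b"wrong-secret"))
```

Both mechanisms derive all of their strength from the secret and from MD5, so the secret should be long, random and unique to this appliance, and the exchange between the appliance and the RADIUS server should be confined to a protected management network rather than crossing segments the appliance is monitoring.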

4.2.4.4 Configure SNMP

The “Configure SNMP” page provides the ability to enable and configure SNMP information, such as the read-only community string, system location, and system contact, as identified in the figure below. The community string is the only credential presented for read access, so choose it as carefully as a password and do not leave a well-known default in place.

4.2.4.5 Configure SSH Access

The “Configure SSH Access” page provides the ability to enable remote access via SSH and to restrict the networks from which SSH connections may be initiated, as identified in the figure below. The “Restrict Networks” button for configuring this restriction is further described below in section 4.2.4.5.1.

4.2.4.5.1 Restrict Networks

When the “Restrict Networks” button is clicked from the “Configure SSH Access” page, an additional “Configure SSH Access” page is displayed providing the ability to specify the networks that are allowed to establish a connection via SSH, as identified in the figure below. When no networks are defined and SSH is enabled, any network may establish an SSH connection. When one or more networks are defined and SSH is enabled, only the specified networks may establish an SSH connection and all other networks are denied. Note that an empty list therefore restricts nothing.

4.2.5 Management

The Management section of the ACM wizard allows you to: configure NSM server communication settings, and configure settings that restrict access to the ACM interface.

4.2.5.1 Configure Access to the IDP ACM

The “Configure Access to the IDP ACM” page provides the ability to enable access to the ACM and to restrict the networks from which connections to the ACM may be initiated, as identified in the figure below. The “Restrict Networks” button for configuring this restriction is further described below in section 4.2.5.1.1.

4.2.5.1.1 Restrict Networks

When the “Restrict Networks” button is clicked from the “Configure Access to the IDP ACM” page, an additional “Configure Access to the IDP ACM” page is displayed providing the ability to specify the networks that are allowed to establish a connection to the ACM, as identified in the figure below. When no networks are defined and ACM access is enabled, any network may connect to the ACM. When one or more networks are defined and ACM access is enabled, only the specified networks may connect to the ACM and all other networks are denied. Note that an empty list therefore restricts nothing.
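The Restrict Networks semantics are the same for SSH (section 4.2.4.5.1) and for the ACM (this section), and the edge case that matters in both is the empty list, which opens the service to every network. The following added example (not code from this guide, from Juniper, or from the appliance) models that decision rule and adds the audit check a reviewer would run over the wizard settings before applying them. SAMPLE_SETTINGS, the function names and the network values are constructed for the example; the library also accepts IPv6 prefixes, which this guide does not discuss.

```python
import ipaddress

# Constructed sample of what an administrator might leave in the ACM wizard:
# SSH enabled with no Restrict Networks entries, ACM limited to one management
# subnet. Illustrative values, not taken from any appliance.
SAMPLE_SETTINGS = {
    "SSH": {"enabled": True, "networks": []},
    "ACM": {"enabled": True, "networks": ["10.20.30.0/24"]},
}


def access_allowed(source_ip, enabled, networks):
    """Decide whether a client at source_ip may open a session to the service.

    Follows the rule the guide gives for the Restrict Networks page: a disabled
    service accepts nothing; an enabled service with no networks listed accepts
    any client; an enabled service with networks listed accepts only clients
    inside one of those networks. A bare host address counts as a /32 (or /128).
    """
    if not enabled:
        return False
    if not networks:
        return True  # the fail-open default the guide describes
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(n, strict=False) for n in networks)


def audit_restrictions(settings):
    """Return reviewer findings, one string per problem, for a settings dict.

    Flags the two configurations that silently expose a management service:
    enabled with an empty Restrict Networks list, or restricted only by an entry
    so broad (prefix length 0) that it matches every address.
    """
    findings = []
    for service, cfg in settings.items():
        if not cfg["enabled"]:
            continue
        if not cfg["networks"]:
            findings.append(f"{service}: enabled with no Restrict Networks entries; reachable from any network")
            continue
        for n in cfg["networks"]:
            if ipaddress.ip_network(n, strict=False).prefixlen == 0:
                findings.append(f"{service}: entry {n} matches every address, so it restricts nothing")
    return findings


if __name__ == "__main__":
    for finding in audit_restrictions(SAMPLE_SETTINGS):
        print(finding)
    print("SSH from 192.0.2.9:", access_allowed("192.0.2.9", **{
        "enabled": SAMPLE_SETTINGS["SSH"]["enabled"],
        "networks": SAMPLE_SETTINGS["SSH"]["networks"]}))
    print("ACM from 192.0.2.9:", access_allowed("192.0.2.9", **{
        "enabled": SAMPLE_SETTINGS["ACM"]["enabled"],
        "networks": SAMPLE_SETTINGS["ACM"]["networks"]}))
```

Run against the sample settings, the audit reports SSH as reachable from any network while the ACM entry passes; the same two checks applied to the real wizard values before "Save & Apply" catch the case where a management service was enabled but its Restrict Networks page was never filled in.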

4.2.6 Done

The Done section of the ACM wizard allows you to: view, save, and apply the settings selected through the previous ACM wizard pages.

4.2.6.1 Brief Configuration Report

The “Brief Configuration Report” page is the default page displayed within the Done section and provides the ability to view a brief summary of, save, and apply the settings selected through the previous ACM wizard pages, as identified in the figure below.

NOTE: Although only a brief view of the defined configuration is displayed, all configurations that have been defined are saved when “Save Only” is selected, and saved and applied when “Save & Apply” is selected.

4.2.6.2 Detailed Configuration Report

By selecting the “Detailed Configuration Report” button from the “Brief Configuration Report” page, the “Detailed Configuration Report” page is displayed which provides the ability to view a detailed summary of, save, and apply the settings selected through the previous ACM wizard pages, as identified in the figure below.

Note: The entire page could not be captured in the figure below. However, all information displayed in addition to that on the “Brief Configuration Report” page is identified within the figure below.

4.2.6.3 Save Only

By selecting the “Save Only” option and clicking the “Confirm Configuration” button from either the “Brief Configuration Report” page or the “Detailed Configuration Report” page, the “Configuration Saved” page is displayed, which confirms that the settings selected through the previous ACM wizard pages have been saved but not yet applied, as identified in the figure below.

4.2.6.4 Save & Apply

By selecting the “Save & Apply” option and clicking the “Confirm Configuration” button from either the “Brief Configuration Report” page or the “Detailed Configuration Report” page, the “Configuration Saved & Applied” page is displayed, which confirms that the settings selected through the previous ACM wizard pages have been saved and applied, as identified in the figure below.
