Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Data Collection

 

JSA accepts information in various formats and from a wide range of devices, including security events, network traffic, and scan results.

Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.

Event Data Collection

Events are generated by log sources such as firewalls, routers, servers, and intrusion detection systems (IDS) or intrusion prevention systems (IPS).

Most log sources send information to JSA by using the syslog protocol. JSA also supports the following protocols:

  • Simple Network Management Protocol (SNMP)

  • Java database Connectivity (JDBC)

  • Security Device Event Exchange (SDEE)

By default, JSA automatically detects log sources after a specific number of identifiable logs are received within a certain time frame. After the log sources are successfully detected, JSA adds the appropriate device support module (DSM) to the Log Sources window in the Admin tab.

Although most DSMs include native log sending capability, several DSMs require extra configuration, or an agent, or both to send logs. Configuration varies between DSM types. You must ensure the DSMs are configured to send logs in a format that JSA supports. For more information about configuring DSMs, see the Juniper Secure Analytics Configuring DSMs Guide.

Certain log source types, such as routers and switches, do not send enough logs for JSA to quickly detect and add them to the Log Source list. You can manually add these log sources. For more information about manually adding log sources, see the Juniper Secure Analytics Log Sources User Guide.

Collected data is categorized into three major sections: events, flows, and vulnerability assessment (VA) information.

Flow Data Collection

Flows provide information about network traffic and can be sent to JSA in various formats, including Flowlog files, NetFlow, J-Flow, sFlow, and Packeteer.

By accepting multiple flow formats simultaneously, JSA can detect threats and activities that would otherwise be missed by relying strictly on events for information.

JSA Flow Processor provide full application detection of network traffic regardless of the port on which the application is operating. For example, if the Internet Relay Chat (IRC) protocol is communicating on port 7500/TCP, a JSA flow processor identifies the traffic as IRC and provides a packet capture of the beginning of the conversation. NetFlow and J-Flow notify you only that port 7500/TCP has traffic without providing any context for what protocol is being used.

Common mirror port locations include core, DMZ, server, and application switches, with NetFlow providing supplemental information from border routers and switches.

JSA Flow Processor are enabled by default and require a mirror, span, or tap to be connected to an available interface on the JSA appliance. Flow analysis automatically begins when the mirror port is connected to one of the network interfaces on the JSA appliance. By default, JSA monitors on the management interface for NetFlow traffic on port 2055/UDP. You can assign extra NetFlow ports, if required.

Vulnerability Assessment (VA) Information

JSA can import VA information from various third-party scanners.

VA information helps JSA Risk Manager identify active hosts, open ports, and potential vulnerabilities.

JSA Risk Manager uses VA information to rank the magnitude of offenses on your network.

Depending on the VA scanner type, JSA Risk Manager can import scan results from the scanner server or can remotely start a scan.