Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Preparing the Network Hierarchy

    Juniper Secure Analytics (JSA) uses the network hierarchy to determine your network traffic and provides you with the ability to view network activity for your entire deployment. JSA supports any network hierarchy that can be defined by a range of IP addresses.

    You can create your network based on many different variables, including geographical or business units. For example, your network hierarchy might include corporate IP address ranges (internal or external), physical departments or areas, mail servers, and webservers.

    Once you define the components you want to add to your network hierarchy, you can install JSA and then configure the network hierarchy using the JSA interface. For each component you want to add to the network hierarchy, use Table 1 to indicate each component in your network map.

    At a minimum, we recommend that you define objects in the network hierarchy for:

    • Internal/external demilitarized zone (DMZ)
    • VPN
    • All internal IP address space (for example, 0.0.0.0/8)
    • Proxy servers
    • Network Address Translation (NAT) IP address range
    • Server network subnets
    • Voice-over-IP (VoIP) subnets

    Table 1: Network Hierarchy

    Description

    Name

    IP/CIDR Value

    Color

    Weight

    Example for NAT

    NAT_Ranges

    0.0.0.5/32

    #00FF33

    50

    Example for DMZ

    Internal

    0.0.0.1/32

    #000099

    50

    For more information, see the Juniper Secure Analytics Administration Guide.

    The following sections explain how to set your network before you install the JSA software:

    Identifying Network Settings

    Before you install Juniper Secure Analytics (JSA), you must have the following information for each system you want to install:

    • Hostname
    • IP address
    • Network mask address
    • Subnet mask
    • Default gateway
    • Primary DNS server
    • Secondary DNS server (optional)
    • Public IP address for networks using Network Address Translation (NAT)
    • E-mail server
    • NTP server (console only) or Time server

    Identifying Security Monitoring Devices and Flow Data Sources

    Juniper Secure Analytics (JSA) can collect and correlate events received from external sources such as security equipment (for example, firewalls, VPNs, or IDSs), and host or application security logs, such as Windows logs. Device Support Modules (DSMs), and Flow Collectors allow you to integrate JSA with this external data. JSA automatically discovers sensor devices that are sending system log (syslog) messages to an Event Collector. The sensor devices that are automatically discovered by JSA appear in the Sensor Devices window within the JSA Administration console. Once autodiscovery is completed, you should disable the Auto Detection Enabled option in the Event Collector configuration. For more information, see the Juniper Secure Analytics Administration Guide and Log Sources Users Guide.

    Identifying Network Assets

    Juniper Secure Analytics (JSA) can learn about your network and server infrastructure based on flow data. The Server Discovery function uses the JSA Asset Profile database to discover many types of servers.

    Defining certain additional server and IP address types also improves tuning results. Table 2 provides a list of possible servers. See the Juniper Secure Analytics Users Guide for information on defining servers within JSA. If your network includes a large number of servers, you can use CIDR or IP subnet addresses within the server networks category.

    Table 2: Asset Identification

    Server

    IP Address(es)

    Qty.

    Name

    NAT address range

    Vulnerability scanners

    Network management

    Proxy

    Virus definition and other updates

    Windows Server networks, such as domain controllers or Exchange servers

    Published: 2015-03-18