Preparing the Network Hierarchy
Juniper Secure Analytics (JSA) uses the network hierarchy to understand your network traffic and provides you with the ability to view network activity for your entire deployment. JSA supports any network hierarchy that can be defined by a range of IP addresses.
You can create your network based on many different variables, including geographical or business units. For example, your network hierarchy might include corporate IP address ranges (internal or external), physical departments or areas, mail servers, and webservers.
Once you define the components you want to add to your network hierarchy, you can install JSA, and then configure the network hierarchy using the JSA interface. For each component you want to add to the network hierarchy, use Table 1 to indicate each component in your network map.
At a minimum, we recommend that you define objects in the network hierarchy for:
Internal/external demilitarized zone (DMZ)
All internal IP address space (for example, 0.0.0.0/8)
Network Address Translation (NAT) IP address range
Server network subnets
Voice-over-IP (VoIP) subnets
Table 1: Network Hierarchy
Example for NAT
Example for DMZ
For more information, see the Juniper Secure Analytics Administration Guide.
The following sections explain how to set your network before you install the JSA software:
Identifying Network Settings
Before you install Juniper Secure Analytics (JSA), you must have the following information for each system you want to install:
When you configure the network setting such as hostname and IP address using the qchange_netsetup script, the JSA appliance hangs while rebooting. This issue is seen in 2013.2.r3.607582 and it will be fixed in the future releases. You need to manually power cycle the JSA appliance to overcome this issue.
Network mask address
Primary DNS server
Secondary DNS server (optional)
Public IP address for networks using Network Address Translation (NAT)
NTP server (Console only) or Time server
Identifying Security Monitoring Devices and Flow Data Sources
Juniper Secure Analytics (JSA) can collect and correlate events received from external sources such as security equipment (for example, firewalls, VPNs, or IDSs) and host or application security logs, such as Windows logs. Device Support Modules (DSMs) and Flow Collectors allow you to integrate JSA with this external data. JSA automatically discovers sensor devices that are sending system log (syslog) messages to an Event Collector. The sensor devices that are automatically discovered by JSA appear in the Sensor Devices window within the JSA Administration Console. Once autodiscovery is completed, you should disable the Auto Detection Enabled option in the Event Collector configuration. For more information, see the Juniper Secure Analytics Administration Guide and Log Sources Users Guide.
Identifying Network Assets
Juniper Secure Analytics (JSA) can learn about your network and server infrastructure based on flow data. The Server Discovery function uses the JSA Asset Profile database to discover many types of servers.
Defining certain additional server and IP address types also improves tuning results. Table 2 provides a list of possible servers. See the Juniper Secure Analytics Users Guide for information on defining servers within JSA. If your network includes a large number of servers, you can use CIDR or IP subnet addresses within the server networks category.
Table 2: Asset Identification
NAT address range
Virus definition and other updates
Windows Server networks, such as domain controllers or exchange servers