Juniper SRX IDP (Intrusion Detection and Prevention) gives the SRX the capability to inspect network traffic to make sure that it is not malicious and does not carry an intrusion attempt.

In this section we will learn how to download and install IDP signatures and how they are used in security policies.

Juniper SRX IDP Fundamental

As the first point, you may ask what the difference between the firewall and the IDP feature is.

With the Juniper SRX firewall, which we learned about in the previous section and implemented through security policies, you can configure which types of traffic are allowed or not allowed to be forwarded. But you cannot make sure whether that traffic is healthy or malicious.

Juniper SRX IDP versus Firewall Feature

The Juniper SRX IDP feature, on the other hand, inspects the traffic to make sure that it does not contain known attack patterns, which are provided by Juniper as IDP signatures.

As an example, to better understand the difference between the firewall and IDP, suppose that the firewall permits SSH traffic, HTTP traffic, traffic originating from a specific subnet, or a specific micro-application like google-map.

But the firewall cannot make sure whether the content of this traffic is malicious or healthy. This is exactly what IDP detects with the help of IDP signatures.

IDP signatures contain known attack patterns, and they are updated periodically, exactly like antivirus signatures.

Both the firewall and IDP are implemented through Juniper SRX security policies, as we will see in a few minutes.

Juniper SRX IDP Configuration

To configure Juniper SRX IDP, we first have to enable the IDP license, then download and install the IDP signatures, then configure IDP policies, and finally activate the IDP policies in security policies.

Juniper SRX IDP Configuration Steps

Actually, it is not easy to configure an IDP policy from scratch. Because of that, we can use the pre-defined IDP policy templates and customize them whenever necessary. This is also what we will see in this section.

Juniper SRX IDP License check

For the first step of the IDP configuration, you have to make sure that you have the required IDP license.

With the command “request system license add terminal”, you can install the license.

With the command “show system license”, you can make sure that the license is installed and valid. In the output below, the “idp-sig” feature has one license installed with 30 days left until expiry.

rayka# run show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  anti_spam_key_sbl                     0            1           0    30 days
  idp-sig                               0            1           0    30 days
  appid-sig                             1            1           0    26 days
  av_key_sophos_engine                  0            1           0    30 days
  wf_key_websense_ewf                   0            1           0    30 days
  Virtual Appliance                     1            1           0    35 days
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed: 
...

Download and Install Juniper SRX IDP Signatures

For the next step, we have to download and install IDP signatures.

With the command “request security idp security-package download check-server”, we check whether the Juniper signature server is reachable and which signature version it currently offers.

With the command “request security idp security-package download”, you start downloading the signatures.

By adding the “status” keyword at the end of the download command, you can check the progress of the download.

After downloading, with the command “request security idp security-package install”, you install the downloaded signatures.

And finally, by adding the “status” keyword at the end of the install command, you can check the progress of the installation. Note in the output below that the data plane is not updated yet, because no IDP policy is active at this point.

rayka# run request security idp security-package download check-server 
Successfully retrieved from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3516(Detector=12.6.130200828, Templates=3516)

[edit]
rayka# run request security idp security-package download                 
Will be processed in async mode. Check the status using the status checking CLI

[edit]
rayka# run request security idp security-package download status 
In progress: Downloading ...

[edit]
rayka# run request security idp security-package download status    
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3516(Tue Aug  9 14:15:29 2022 UTC, Detector=12.6.130200828)

[edit]
rayka# run request security idp security-package install            
Will be processed in async mode. Check the status using the status checking CLI

[edit]
rayka# run request security idp security-package install status 
In progress:Installing AI ...

[edit]
rayka# run request security idp security-package install status    
Done;Attack DB update : successful - [UpdateNumber=3516,ExportDate=Tue Aug  9 14:15:29 2022 UTC,Detector=12.6.130200828]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : not performed
      due to no active policy configured.

Configure SRX IDP Policy

To configure a custom IPS policy, we first have to create an IDP policy and then activate it in one or more security policy rules.

It is not easy to create an IDP policy. To see why, let’s try it together and then see what the solution is.

With the command “set security idp idp-policy TEST rulebase-ips rule 1”, we start creating the first rule of a new policy with the name TEST.

As in security policies, the “match” and “then” keywords are the most important parameters of each rule in an IPS policy.

rayka# set security idp idp-policy TEST rulebase-ips rule 1 ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  description          Rule description
> match                Rule match criteria
  terminal             Set/Unset terminal flag
> then    

rayka# set security idp idp-policy TEST rulebase-ips rule 1 match ?
Possible completions:
  application          Specify application or application-set name to match
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> attacks              Match attack objects
+ destination-address  Match destination address
+ destination-except   Don't match destination address
  from-zone            Match from zone
+ source-address       Match source address
+ source-except        Don't match source address
  to-zone              Match to zone

Juniper SRX IDP Policy, “match” options

With the “match” keyword, we can match the traffic based on source and destination zone, source and destination IP address, and source and destination IP address exceptions. “except” is used when we want to exclude some addresses from being inspected by the rule, for example the IP addresses of NOC or SOC machines.

We can also match based on the attacks pre-defined in the signatures or on custom attacks. We have to type “match attacks predefined-attacks ?” to see the list of attacks.

There are thousands of pre-defined attacks and attack groups, so it is not easy to choose among them.

[edit]
rayka# set security idp idp-policy TEST rulebase-ips rule 1 match attacks ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ custom-attack-groups  Custom attack groups
+ custom-attacks       Custom attacks
+ dynamic-attack-groups  Dynamic attack groups
+ predefined-attack-groups  Predefined attack groups
+ predefined-attacks   Predefined attacks
[edit]
rayka# set security idp idp-policy TEST rulebase-ips rule 1 match attacks predefined-attacks ?
Possible completions:
  <value>              Predefined attacks
  APP:2WIRE-DSL-VULN   
  APP:ABB-NETSCANHOST-OF  
  APP:ACCELLION-FILE-TRANSFER  
  APP:ACRONIS-TRU-IMG-ECO-SRV-DOS  
  APP:ADOBE-CF-DIR-TRAV  
  APP:ADOBE-COLDFUSION-WEBSOCKET  
  APP:ADOBE-FLASH-MEDIA-SRVR  
  APP:ADOBE-FLASH-RTMP-RCE  
  APP:AFP-LEN-OF       
  APP:AGENTX-RECEIVE-INT-OF  
  APP:AGENTX-RECEIVE-OF  
  APP:ALTN-WORLDCLIENT-MEM  
  APP:AMANDA:AMANDA-ROOT-OF1  
....

The list of pre-defined attack groups can also be seen with the command “show security idp attack attack-list predefined-group ?”.

rayka# run show security idp attack attack-list predefined-group ?  
Possible completions:
  <predefined-group>   Predefined group name
  "APP - All"          
  "APP - Critical"     
  "APP - Info"         
  "APP - Major"        
  "APP - Minor"        
...

In a few minutes, we will see how we can easily activate an existing recommended IPS policy instead.

Juniper SRX IDP Policy, “then” options

With the “then” keyword, we choose which action must be taken for each attack.

For the action, there are several options, and it is actually not easy to decide which action is suitable for which attack.

rayka# set security idp idp-policy TEST rulebase-ips rule 1 then action ?              
Possible completions:
> mark-diffserv        Mark differentiated services codepoint (DSCP)
> class-of-service     Classification of traffic based on class-of-service
  no-action            No action
  ignore-connection    Ignore
  drop-packet          Drop packet
  drop-connection      Drop connection
  close-client         Close client
  close-server         Close server
  close-client-and-server  Close client and server
  recommended          Recommended

The most important actions are “drop-packet” and “drop-connection”, which drop a single packet or drop all packets of an existing session respectively.

The actions “close-client”, “close-server” and “close-client-and-server” are another important set of actions; they send a TCP reset packet to the client, to the server, or to both sides.

But there is another option, “recommended”, which means that for each attack Juniper provides a recommended action; this is mostly the best choice when we cannot decide which action is correct.
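Putting the “match” and “then” options above together, here is an added example (not from the original post) of a small custom IDP policy in Junos set syntax, attached to a security policy. The zone names outside and dmz, the address-book entry NOC-HOSTS with the constructed subnet 192.0.2.0/24, and the names WEB-INBOUND and PERMIT-HTTP-IN are assumptions; only attack groups that appear on this page are used.

```junos
# Assumed address-book entry for the NOC machines that must not be inspected
set security address-book global address NOC-HOSTS 192.0.2.0/24

# Rule 1: drop IP/TCP protocol anomalies that attackers use to evade IDP,
# for everything entering the dmz from outside, except traffic from the NOC
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 description "Drop IP/TCP anomalies before the web servers see them"
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 match from-zone outside
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 match to-zone dmz
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 match source-address any
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 match source-except NOC-HOSTS
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 match destination-address any
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 match application default
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 match attacks predefined-attack-groups [ "IP - Critical" "IP - Major" "TCP - Critical" "TCP - Major" ]
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 then action drop-packet
set security idp idp-policy WEB-INBOUND rulebase-ips rule 1 then notification log-attacks

# Rule 2: application-level attacks; let Juniper's per-attack recommended
# action decide between drop, close and no-action, and log every hit
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 description "Critical and major application attacks, recommended action"
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 match from-zone outside
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 match to-zone dmz
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 match source-address any
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 match source-except NOC-HOSTS
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 match destination-address any
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 match application default
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 match attacks predefined-attack-groups [ "APP - Critical" "APP - Major" ]
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 then action recommended
set security idp idp-policy WEB-INBOUND rulebase-ips rule 2 then notification log-attacks

# Activate the IDP policy inside the unified security policy that permits
# inbound HTTP; without this reference the IDP policy is never pushed to
# the data plane
set security policies from-zone outside to-zone dmz policy PERMIT-HTTP-IN match source-address any
set security policies from-zone outside to-zone dmz policy PERMIT-HTTP-IN match destination-address any
set security policies from-zone outside to-zone dmz policy PERMIT-HTTP-IN match application junos-http
set security policies from-zone outside to-zone dmz policy PERMIT-HTTP-IN then permit application-services idp-policy WEB-INBOUND
set security policies from-zone outside to-zone dmz policy PERMIT-HTTP-IN then log session-init

# Validate before committing
commit check
```

The lines can be pasted in configuration mode or loaded with “load set”; the “#” comment lines are ignored by “load set” and should be dropped when pasting interactively.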

Download and Install SRX Pre-defined IDP Policy Templates

As you have noticed, it is not easy at all to configure a custom IDP policy.

Fortunately, Juniper has created some pre-defined IDP policy templates that we can use directly in security policies or tune when needed.

rayka# run request security idp security-package download policy-templates 
Will be processed in async mode. Check the status using the status checking CLI

[edit]
rayka# run request security idp security-package download status              
In progress: Downloading ...

[edit]
rayka# run request security idp security-package download status    
Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi).
Version info:3516

[edit]
rayka# run request security idp security-package install policy-templates     
Will be processed in async mode. Check the status using the status checking CLI

[edit]
rayka# run request security idp security-package install status              
Done;policy-templates has been successfully updated into internal repository
     (=>/var/run/scripts/commit/templates.xsl)!
[edit]
rayka# set system scripts commit file templates.xsl 

[edit]
rayka# commit 
commit complete

To use Juniper’s pre-defined IDP policy templates, we have to download and install them.

With the command “request security idp security-package download policy-templates”, we start downloading them.

With the command “request security idp security-package download status”, we can check the status of download.

After the download, we can install the pre-defined IDP policy templates with the command “request security idp security-package install policy-templates”.

With the command “request security idp security-package install status”, we can check the status of installation process.

When the installation is successful, the output shows that a file with the name “templates.xsl” has been stored in the local repository.

Finally, with the command “set system scripts commit file templates.xsl” followed by a commit, we load the IDP policy templates into the configuration.

Explore Pre-defined IDP Policy Templates

Now if you use the command “set security idp idp-policy ?” in configuration mode, you will see that more than 10 IDP policies have been created on the Juniper SRX.

rayka# set security idp idp-policy ?
Possible completions:
  <policy-name>        IDP policy name
  Web_Server           IDP policy name
  DMZ_Services         IDP policy name
  DNS_Service          IDP policy name
  File_Server          IDP policy name
  Getting_Started      IDP policy name
  IDP_Default          IDP policy name
  Server-Protection    IDP policy name
  Server-Protection-1G  IDP policy name
  Client-Protection    IDP policy name
  Client-Protection-1G  IDP policy name
  Client-And-Server-Protection  IDP policy name
  Client-And-Server-Protection-1G  IDP policy name
  Recommended          IDP policy name

The name of each policy shows the target of that policy.

For example, the IDP policy with the name “Web_Server” is meant to protect web servers.

From the names of the other IDP policies, like “DMZ_Services”, “DNS_Service” and “File_Server”, we can also roughly understand what they do and in which security policy they should be activated.

With the command “show security idp” in configuration mode, you can see the details of each pre-defined IDP policy.

rayka# show security idp                               
idp-policy Web_Server {
    /* This template policy is designed to protect commonly used HTTP servers from remote attacks. */
    rulebase-ips {
        rule 1 {
            /* This rule drops all packets that should not occur on a clean network, and can be used by attackers to evade IDSs. This rule is necessary to harden the IDP against evasion attempts. */
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
                attacks {
                    predefined-attack-groups [ "IP - Major" "IP - Critical" "TCP - Critical" "TCP - Major" ];
                }
            }
            then {
                action {
                    drop-packet;
                }
                notification {
                    log-attacks;
...

For example, in the first rule of the “Web_Server” IDP policy, any packet matching an attack in the groups “IP - Major”, “IP - Critical”, “TCP - Critical” and “TCP - Major” is dropped and a log notification is generated. As the comment in the template explains, this rule exists to harden the IDP itself against evasion attempts.

Deploy Juniper SRX IDP Policy in Security Policy

Now that we know the pre-defined IDP policies, or have configured our own custom IDP policies, how can they be activated?

Activating Juniper SRX IDP Policy in Unified Security Policies

Fortunately, you can activate an IDP policy in the same security policies that we configured in the previous sections. Therefore there is one unified security policy for both the firewall and the IPS configuration.

For each security policy, you can choose a separate IDP policy from the list of IDP policies to protect that specific traffic.

For example, for a policy which permits HTTP traffic, you can use an IDP policy which protects HTTP traffic, and for a policy that permits ICMP traffic, you can choose an IDP policy which protects ICMP traffic.

To enable an IDP policy in a unified security policy, we use the keywords “application-services idp-policy” after the “permit” action of the security policy.

rayka# set security policies from-zone inside to-zone outside policy PERMIT-HTTP then permit application-services idp-policy ?
Possible completions:
  <idp-policy>         Specify idp policy name
  Client-And-Server-Protection  [security idp idp-policy]
  Client-And-Server-Protection-1G  [security idp idp-policy]
  Client-Protection    [security idp idp-policy]
  Client-Protection-1G  [security idp idp-policy]
  DMZ_Services         [security idp idp-policy]
  DNS_Service          [security idp idp-policy]
  File_Server          [security idp idp-policy]
  Getting_Started      [security idp idp-policy]
  IDP_Default          [security idp idp-policy]
  Recommended          [security idp idp-policy]
  Server-Protection    [security idp idp-policy]
  Server-Protection-1G  [security idp idp-policy]
  Web_Server           [security idp idp-policy]

Under the “application-services” keyword, there are also other application services in addition to idp-policy that can be activated in a unified security policy, like “ssl-proxy” or “packet-capture”.

rayka# set security policies from-zone inside to-zone outside policy PERMIT-HTTP then permit application-services ?
Possible completions:
  advanced-anti-malware-policy  Specify advanced-anti-malware policy name
> application-traffic-control  Application traffic control services
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  gtp-profile          Specify GPRS Tunneling Protocol profile name
  icap-redirect        Specify icap redirect profile name
  idp                  Intrusion detection and prevention
  idp-policy           Specify idp policy name
  packet-capture       Capturing traffic related to this policy
  redirect-wx          Set WX redirection
  reverse-redirect-wx  Set WX reverse redirection
  sctp-profile         Specify Stream Control Protocol profile name
> security-intelligence  Generate security intellegence feeds
  security-intelligence-policy  Specify security-intelligence policy name
> ssl-proxy            SSL proxy services
> uac-policy           Enable unified access control enforcement of policy
  utm-policy           Specify utm policy name
> web-proxy            Web proxy services

As an example, let’s activate the IDP policy “Recommended” in the first security policy, “PERMIT-HTTPS”, and look at the final configuration.

rayka# set security policies from-zone inside to-zone outside policy PERMIT-HTTPS then permit application-services idp-policy Recommended   

[edit]
rayka# show | compare 
[edit security policies from-zone inside to-zone outside policy PERMIT-HTTPS then permit]
+        application-services {
+            idp-policy Recommended;
+        }

[edit]
rayka# show security policies from-zone inside to-zone outside policy PERMIT-HTTPS 
match {
    source-address any;
    destination-address any;
    application junos-https;
    dynamic-application any;
}
then {
    permit {
        application-services {
            idp-policy Recommended;
        }
    }
    log {
        session-init;
    }
}

As you can see, “application-services idp-policy Recommended” has been added inside the permit action of the PERMIT-HTTPS security policy.

Monitor SRX IDP Policy Status

To monitor the status of IDP policies, we can use the command “show security idp status”, which shows statistics of the packets, flows and sessions inspected by the IPS policy engine, together with the running detector version.

rayka# run show security idp status  

Intelligent Inspection State Details:
 State: Inactive


Intelligent offload State Details:
 State: Active

State of IDP: Default,  Up since: 2022-08-01 14:21:30 UTC (1w2d 08:08 ago)

Packets/second: 1               Peak: 19 @ 2022-08-10 22:29:50 UTC
KBits/second  : 1               Peak: 27 @ 2022-08-10 22:29:50 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 40] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2022-08-10 22:15:17 UTC]
  TCP: [Current: 14] [Max: 16 @ 2022-08-10 22:29:50 UTC]
  UDP: [Current: 0] [Max: 0 @ 2022-08-10 22:15:17 UTC]
  Other: [Current: 0] [Max: 0 @ 2022-08-10 22:15:17 UTC]

Session Statistics:
 [ICMP: 0] [TCP: 7] [UDP: 0] [Other: 0]

Number of SSL Sessions : 0

  Policy Name : idp-policy-unified
  Running Detector Version : 12.6.130200828

Back to: Juniper Security Associate (JNCIA-SEC) based on vSRX version 22.1R1.10 > Security Policies
