Technical Documentation

IDP Rulebase Example: Using Application Identification

This example demonstrates the usefulness of the application identification feature.

Suppose your corporate security policy changes, and you are charged with inspecting peer-to-peer traffic from applications such as Kazaa, Torrent, or eDonkey. To add new rules that inspect peer-to-peer traffic, you would take the following steps:

  1. Analyze network traffic to identify peer-to-peer applications running in your network.
  2. Research and identify the pattern for every peer-to-peer application.
  3. Create signature and port definitions for every peer-to-peer application.
  4. Verify the effectiveness of the signatures.
  5. Repeat these steps several times for each peer-to-peer application.
  6. Continually monitor the network for peer-to-peer traffic that uses nonstandard ports so you can update your signature set to inspect traffic over these ports.

Juniper Networks Security Center saves you much of this work. With predefined attack objects and application identification enabled, you can create a rule whose only elements are the predefined attack object and the service match set to Default.

Figure 1 is an example of a simple rule that detects any chat application.

Figure 1: A Simplified Rule Enabled by the Application Identification Feature

[Image: s036670.gif]

When the IDP process engine identifies a source/destination/Default service match, it examines the session against the application signatures to determine the application, regardless of which port is used. IDP then decodes the traffic and inspects it for the attack objects related to that application.
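The difference between a port-based service match and the Default service match described above can be modeled in a few lines. The following Python is an added example written for this page, not Juniper code and not the IDP engine's real matching logic; the application signatures, attack-object names, port table and sample sessions are all constructed for illustration. It shows why a rule built on a port-based service misses a chat session that has moved to a nonstandard port, while a rule whose service is Default identifies the application from the payload first and only then applies that application's attack objects.

```python
import re
from dataclasses import dataclass

# Constructed application signatures (hypothetical, not Juniper's signature set).
# Each regex is applied to the first bytes of a session's payload.
APP_SIGNATURES = {
    "HTTP": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "IRC-CHAT": re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) "),
    "BITTORRENT": re.compile(rb"^\x13BitTorrent protocol"),
}

# Standard ports a port-based service match would rely on (constructed table).
DEFAULT_PORTS = {80: "HTTP", 6667: "IRC-CHAT", 6881: "BITTORRENT"}

# Constructed attack objects, grouped by the application they apply to.
# The decoder for an application is only run once that application is identified.
ATTACK_OBJECTS = {
    "IRC-CHAT": [("CHAT:IRC:ANY", re.compile(rb"^(NICK|USER|JOIN|PRIVMSG) "))],
    "BITTORRENT": [("P2P:BITTORRENT:HANDSHAKE", re.compile(rb"^\x13BitTorrent protocol"))],
}


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    service: str              # "Default" or the name of a port-bound service
    attack_objects: tuple     # attack-object names this rule inspects for


def identify_by_port(session: Session):
    """Port-based service match: trusts the destination port alone."""
    return DEFAULT_PORTS.get(session.dport)


def identify_by_signature(session: Session):
    """Application identification: matches payload signatures regardless of port."""
    head = session.payload[:256]
    for app, signature in APP_SIGNATURES.items():
        if signature.search(head):
            return app
    return None


def match_rule(rule: Rule, session: Session):
    """Return the attack-object names the rule matches for this session."""
    if rule.service == "Default":
        app = identify_by_signature(session)
    else:
        app = rule.service if identify_by_port(session) == rule.service else None
    if app is None:
        return []
    # Only the identified application's attack objects are decoded and checked.
    return [
        name for name, pattern in ATTACK_OBJECTS.get(app, [])
        if name in rule.attack_objects and pattern.search(session.payload)
    ]


# Constructed sample sessions: chat on a nonstandard port, chat on its usual
# port, a P2P handshake hiding on 443, and plain HTTP on 80.
IRC_ON_8080 = Session("10.0.0.5", "198.51.100.7", 8080, b"NICK alice\r\nUSER alice 0 * :alice\r\n")
IRC_ON_6667 = Session("10.0.0.5", "198.51.100.7", 6667, b"NICK alice\r\nUSER alice 0 * :alice\r\n")
TORRENT_ON_443 = Session("10.0.0.9", "203.0.113.4", 443, b"\x13BitTorrent protocol" + b"\x00" * 8)
HTTP_ON_80 = Session("10.0.0.2", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")

# The simplified rule from the text: predefined attack object plus service Default.
RULE_CHAT_DEFAULT = Rule("chat-any", "Default", ("CHAT:IRC:ANY",))
# The same attack object bound to a port-based service instead.
RULE_CHAT_PORT_BASED = Rule("chat-port-based", "IRC-CHAT", ("CHAT:IRC:ANY",))
RULE_P2P_DEFAULT = Rule("p2p-any", "Default", ("P2P:BITTORRENT:HANDSHAKE",))

if __name__ == "__main__":
    for rule in (RULE_CHAT_DEFAULT, RULE_CHAT_PORT_BASED, RULE_P2P_DEFAULT):
        for session in (IRC_ON_8080, IRC_ON_6667, TORRENT_ON_443, HTTP_ON_80):
            print(f"{rule.name:16} port {session.dport:<5} -> {match_rule(rule, session)}")
```

Running the block prints one line per rule and session: the port-based chat rule fires only for the session on 6667, while the Default-service chat rule also fires for the identical chat session on 8080, and the Default P2P rule catches the BitTorrent handshake on 443. The HTTP session is identified but matches nothing, because no HTTP attack object is in any rule, which is the "decode, then inspect only for that application's attack objects" behaviour the text describes.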


Published: 2010-01-12