Understanding IPS Policies

An intrusion prevention system (IPS) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IPS-enabled device. There are two types of policy options:

Note When Security Director discovers the root logical system of a device, the discovery of the root lsys also discovers all user lsys inside that device.

An IPS policy consists of rulebases and each rulebase contains a set of rules. It allows you to define policy rules to match a section of traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.

An IPS rulebase protects your network from attacks by using attack objects to detect known and unknown attacks. It detects attacks based on stateful signatures and protocol anomalies.

An exempt rulebase works in conjunction with the IPS rulebase. You must have rules in the IPS rulebase before you can create exempt rules. If traffic matches a rule in the IPS rulebase, the IPS policy attempts to match the traffic against the exempt rulebase before performing the specified action or creating a log record for the event. If the IPS policy detects traffic that matches both the source/destination pair and the attack objects specified in an exempt rule, it automatically exempts that traffic from attack detection; traffic that matches only the address pair, or only the attack objects, is not exempted.
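The following Junos set commands are an added example of the two rulebases working together; they are not configuration from this page or from the Security Director product. The IPS rulebase rule matches the "Additional Web Services - Info" attack group and the predefined attack ICMP:INFO:ECHO-REPLY, and the exempt rulebase rule suppresses only that ICMP attack, only when the source is the address-book entry monitoring-host. The policy name IPS_Policy, the rule names, the address object and its 10.0.0.5/32 value are assumptions chosen for the example.

```junos
## Added example (constructed names and address): address object referenced by the exempt rule
set security address-book global address monitoring-host 10.0.0.5/32

## IPS rulebase: the rule that detects and acts on the attack objects
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping match from-zone any
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping match to-zone any
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping match source-address any
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping match destination-address any
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping match application default
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping match attacks predefined-attack-groups "Additional Web Services - Info"
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping then action recommended
set security idp idp-policy IPS_Policy rulebase-ips rule Web-And-Ping then notification log-attacks

## Exempt rulebase: only valid once the IPS rulebase above exists.
## Exemption requires BOTH the address pair AND the attack object to match:
## echo replies from monitoring-host are ignored, echo replies from any other
## host and all "Additional Web Services - Info" matches still hit the IPS rule.
set security idp idp-policy IPS_Policy rulebase-exempt rule Allow-Monitor-Ping match from-zone any
set security idp idp-policy IPS_Policy rulebase-exempt rule Allow-Monitor-Ping match to-zone any
set security idp idp-policy IPS_Policy rulebase-exempt rule Allow-Monitor-Ping match source-address monitoring-host
set security idp idp-policy IPS_Policy rulebase-exempt rule Allow-Monitor-Ping match destination-address any
set security idp idp-policy IPS_Policy rulebase-exempt rule Allow-Monitor-Ping match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
```

Keep exempt rules as narrow as the address pair allows: an exempt rule with source-address any and destination-address any for a given attack object is equivalent to removing that attack object from the IPS rule, but is harder to spot during review.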

Configure an exempt rulebase in the following conditions:

After you create an IPS policy by adding rules in one or more rulebases, you can publish or update the policy. You can also view a list of security devices with IPS policies assigned to them. This list assists you in viewing the details of all the IPS policies and rules assigned per device.

IPS Policy Support for Unified and Standard Firewall Policy

Starting in Junos Space Security Director Release 19.3, you can assign IPS policy to the standard and unified firewall policies. With the support of IPS policy within firewall policy:

Note For devices running Junos OS Release 18.2, a single IPS policy is supported in the firewall policy rules. For devices running Junos OS Release 18.3 onward, multiple IPS policies are supported in the firewall policy rules.

If you have configured both a traditional firewall policy (with a 5-tuple matching condition, or with dynamic-application configured as none) and a unified policy (with a 6-tuple matching condition), the traditional firewall policy is matched against the traffic first, before the unified policy.

When you configure a unified policy with a dynamic application as one of the matching conditions, the configuration eliminates the additional steps otherwise involved in IPS policy configuration. All IPS policy configuration is handled within the unified firewall policy, which simplifies the task of configuring an IPS policy to detect attacks or intrusions for a given session.

From Junos OS Release 18.2 onward, the CLI configuration for IPS policy is generated along with the standard or unified firewall policy, to which the IPS policy is attached.

Multiple IPS Policies for Unified and Standard Firewall Policies

When an SRX Series device is configured with standard and unified firewall policies, you can configure multiple IPS policies and set one of those policies as the default policy. If multiple IPS policies are configured for a session and when policy conflict occurs, the device applies the default IPS policy for that session and thus resolves any policy conflicts.

Note If you have configured two or more IPS policies in a firewall policy, then you must configure the default IPS policy.

The initial security policy lookup phase, which occurs before the dynamic application has been identified, might result in multiple potential policy matches. IPS is enabled on the session if at least one of the potentially matching security policies has an IPS policy configured.

If only one IPS policy is configured in the potential policy list, then that IPS policy is applied for the session. If there are multiple IPS policies configured for a session in the potential policy list, then the SRX Series device applies the IPS policy that is configured as the default IPS policy.
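As an added example of the behaviour described above (not configuration taken from this page or from Juniper's documentation), the set commands below define two IPS policies and two unified firewall policies that reference them, one per dynamic application, together with the default IPS policy that resolves the conflict during the pre-identification lookup. The zone names trust and untrust, the policy names, and the attack group names "HTTP - Critical" and "SSH - Critical" are assumptions; verify the group names against the signature package installed on the device before committing.

```junos
## Added example (assumed names). Two IPS policies, one per traffic class.
set security idp idp-policy Web-IPS rulebase-ips rule web match from-zone any
set security idp idp-policy Web-IPS rulebase-ips rule web match to-zone any
set security idp idp-policy Web-IPS rulebase-ips rule web match source-address any
set security idp idp-policy Web-IPS rulebase-ips rule web match destination-address any
set security idp idp-policy Web-IPS rulebase-ips rule web match application default
set security idp idp-policy Web-IPS rulebase-ips rule web match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy Web-IPS rulebase-ips rule web then action recommended

set security idp idp-policy SSH-IPS rulebase-ips rule ssh match from-zone any
set security idp idp-policy SSH-IPS rulebase-ips rule ssh match to-zone any
set security idp idp-policy SSH-IPS rulebase-ips rule ssh match source-address any
set security idp idp-policy SSH-IPS rulebase-ips rule ssh match destination-address any
set security idp idp-policy SSH-IPS rulebase-ips rule ssh match application default
set security idp idp-policy SSH-IPS rulebase-ips rule ssh match attacks predefined-attack-groups "SSH - Critical"
set security idp idp-policy SSH-IPS rulebase-ips rule ssh then action recommended

## Two unified (6-tuple) firewall policies. Before the dynamic application is
## identified, a new trust-to-untrust session can potentially match BOTH
## policies, and both carry an IPS policy, so IPS is enabled on the session.
set security policies from-zone trust to-zone untrust policy P-WEB match source-address any
set security policies from-zone trust to-zone untrust policy P-WEB match destination-address any
set security policies from-zone trust to-zone untrust policy P-WEB match application any
set security policies from-zone trust to-zone untrust policy P-WEB match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy P-WEB then permit application-services idp-policy Web-IPS

set security policies from-zone trust to-zone untrust policy P-SSH match source-address any
set security policies from-zone trust to-zone untrust policy P-SSH match destination-address any
set security policies from-zone trust to-zone untrust policy P-SSH match application any
set security policies from-zone trust to-zone untrust policy P-SSH match dynamic-application junos:SSH
set security policies from-zone trust to-zone untrust policy P-SSH then permit application-services idp-policy SSH-IPS

## Mandatory once more than one IPS policy is referenced from the firewall
## policies: this is the policy the device applies while the potential-match
## list still contains several IPS policies (Junos OS 18.3 and later).
set security idp default-policy Web-IPS
```

After the commit, `show security idp policy-commit-status` reports whether the policies compiled and loaded, and `show security idp status` confirms that IDP is running. Without the default-policy line, the commit is rejected on a device where two or more IPS policies are referenced.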

IPS in Logical Systems

Starting in Junos Space Security Director Release 20.1R1, an IPS policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a logical system (LSYS).

You can configure IPS policies at the root level. Configuring an IPS policy for LSYS is similar to configuring an IPS policy on a device that is not configured for LSYS. This can include the configuration of custom attack objects. IPS policy templates installed in root LSYS are visible and used by all LSYS. Specify an IPS policy in the security profile that is bound to a LSYS. Although you can configure multiple IPS policies, a LSYS can have only one active IPS policy at a time. For user LSYS, you can either bind the same IPS policy to multiple user LSYS or bind a unique IPS policy to each user LSYS.

If you have configured more than one IPS policy in a security policy, then configuring a default IPS policy is mandatory. If no IPS policy is configured for a user LSYS, the configured default IPS policy is used.

You must install the IPS signature license at the root level. Once IPS is enabled at the root level, it can be used with any LSYS on the device. A single IPS security package is installed for all LSYS on the device at the root level. The download and install options can only be executed at the root level. The same version of the IPS attack database is shared by all LSYS.
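The operational commands below are an added example of the root-level workflow just described, not commands quoted from this page; they are the standard Junos OS commands for the IPS signature package and are run from the root logical system, since the download and install options are not available inside a user LSYS.

```junos
## Added example: run from the root logical system only.
## 1. Confirm the IDP signature license is present at the root level.
show system license

## 2. Fetch the current security package, then poll until the download completes.
request security idp security-package download
request security idp security-package download status

## 3. Install it; the single installed package serves every LSYS on the device.
request security idp security-package install
request security idp security-package install status

## 4. Record the attack database version; all LSYS share this same version.
show security idp security-package-version
```

Treat the version reported in the last step as the value to check after every update, because a user LSYS cannot hold an older or newer attack database than the root.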

Note Devices running Junos OS Release 18.3 onward support IPS for logical systems.

Example: Assign an IPS Policy to a Firewall Policy for Devices Running Junos OS Release 18.2 and Later

In this example, we’ll show you how to create an IPS policy and attach the IPS policy to a standard firewall policy rule assigned to a device running Junos OS Release 18.2.

Note Starting in Junos Space Security Director Release 19.3, you cannot assign devices running Junos OS Release 18.2 and later to an IPS policy from the IPS Policies page. You’ll need to attach an IPS policy to a firewall policy rule for devices running Junos OS Release 18.2 and later. The CLI configuration for IPS policy is generated along with the standard or unified firewall policy, to which the IPS policy is attached.

Create an IPS Policy

Procedure

  1. Select Configure > IPS Policy > Policies.

    The IPS Policies page is displayed.

  2. Click the + icon.

    The Create IPS Policy page is displayed.

  3. Enter the IPS policy name as IPS_Policy.

    A policy name can be a maximum of 255 characters and can include alphanumeric characters, spaces, and periods.

  4. Select the Policy Type as Device Policy.

    Note You can also select the group policy option. The group or device-specific IPS policy can be attached to the firewall policy.

  5. Do not select any device from the drop-down list.

    Note Only devices running Junos OS Release 18.1 and earlier are listed; devices running Junos OS Release 18.2 and later are not. To configure an IPS policy on devices running Junos OS Release 18.2 and later, you'll need to assign an IPS policy (without device assignment) to a firewall policy rule. The IPS policy is then updated along with the firewall policy update.

  6. Click OK.

    The created IPS Policy (IPS_Policy) is displayed on the IPS Policy page.

Assign the IPS Policy to the Firewall Policy

Procedure

  1. Select Configure > Firewall Policy > Standard Policies.

    The Standard Policies page is displayed.

  2. Click the + icon.

    The Create Firewall Policy page is displayed.

  3. Enter the firewall policy name as Firewall_Policy.
  4. Select the Policy Type as Device Policy.

    In device policy, the firewall policy is created per device. In group policy, the firewall policy is shared with multiple devices.

  5. Select the device as vsrx-18.2.

    To discover devices in Security Director, see Creating Device Discovery Profiles in Security Director.

    Note The selected device must be running Junos OS Release 18.2 or later.

  6. Click OK to create the firewall policy.

    The created firewall policy (Firewall_Policy) is displayed on the Standard Policies page.

  7. Click the Add Rule link for the Firewall_Policy to add rules.

    The Create Rule page is displayed.

  8. On the General tab, enter the rule name as Firewall_Policy_Rule.

  9. Click Next until you reach the Advanced Security tab.
  10. On the Advanced Security tab:

    Procedure

    1. Select the Action Permit.
    2. Select the IPS Policy value IPS_Policy from the drop-down list.

      Note Starting in Junos Space Security Director Release 20.1R1 V1 hot patch, you can attach a group IPS policy which is not assigned to any device.

  11. Click Next until you reach the Rule Placement tab and click Finish.

    You can view the IPS policy details in the firewall policy configuration summary.

  12. Click OK to create the rule.

    The rule is displayed on the Firewall_Policy/Rules page.

  13. Click Save to save the rule.

CLI Configuration

In the generated CLI, the IPS policy (IPS_Policy) is attached to two firewall policy rules: Firewall_Policy_Rule, created above, and Firewall_Policy_Rule2, a second rule added in the same way.

## Security Firewall Policy: global ##

set security policies global policy Firewall_Policy_Rule match application any
set security policies global policy Firewall_Policy_Rule match destination-address any
set security policies global policy Firewall_Policy_Rule match source-address any
set security policies global policy Firewall_Policy_Rule then permit application-services idp-policy IPS_Policy
set security policies global policy Firewall_Policy_Rule2 match application any
set security policies global policy Firewall_Policy_Rule2 match destination-address any
set security policies global policy Firewall_Policy_Rule2 match source-address any
set security policies global policy Firewall_Policy_Rule2 then permit application-services idp-policy IPS_Policy

## IDP Configurations ##

set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match application default
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match attacks predefined-attack-groups "Additional Web Services - Info"
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match from-zone any
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match to-zone any
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 then action recommended

Example: Import an IPS Policy from a Device Running Junos OS Release 18.2 and Later

In this example, we'll show how to import the configuration of a device running Junos OS Release 18.2 into Security Director. You'll see that the attached IPS policy is imported along with the firewall policy.

Note Starting in Junos Space Security Director Release 19.3, when you import a firewall policy, the IPS policy is also imported since the IPS policy is attached to the firewall policy.

Import an IPS Policy

Procedure

  1. Select Devices > Security Devices.

    The Security Devices page is displayed.

  2. Select the vsrx-18.2 device and click Import.

    The Import Configuration page is displayed.

  3. Select the firewall policy vsrx-18.2 to be imported (IPS policy is attached to the firewall policy).
  4. Click Next.

    A summary of configuration changes to be imported is displayed.

  5. Click OK to import the device configurations.

    The Job Details page is displayed. The IPS policy (IPS-Policy-1) is also imported along with the firewall policy (vsrx-18.2).

    Click OK.

    The imported policies are displayed on the IPS Policies page and also in the firewall policy rule.

CLI Configuration in the Device (vsrx-18.2)

set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match from-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match to-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match application default
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 then action recommended
set security policies global policy rule-one match source-address any
set security policies global policy rule-one match destination-address any
set security policies global policy rule-one match application any
set security policies global policy rule-one then permit application-services idp-policy IPS-Policy-1