New and Changed Features

The following table summarizes new and changed features.

Table 1: New Features

Feature

Description

High availability

IDP OS Release 5.1 supports high availability in network designs where you have deployed redundant network paths and use the failure detection features of a firewall, router, or switch to manage the cutover from the primary path to the backup path in cases of failure. For details, see IDP Series Deployment Scenarios.

Simulation mode

Beginning in IDP OS Release 5.1, you can operate the IDP Series device in simulation mode. In simulation mode, the original packets are forwarded immediately and the IDP Series device processes a copy, logging actions that would have been taken if simulation mode were not enabled.

You operate an IDP Series device in simulation mode in the following situations:

  • When you first deploy the IDP Series device in your network and you want to evaluate the security actions it takes without disrupting traffic.
  • When you implement a new feature or change a security policy and you want to evaluate the impact without disrupting traffic.
  • As a workaround to avoid traffic outages when IDP processing results in crashes or other failures.

For details, see Simulation Mode Overview and its related topics.

Enhanced system resource instrumentation

IDP OS Release 5.1 supports extensive system resource instrumentation, so you can use SNMP utilities to monitor device health and load. For details, see SNMP Statistic Reporting and Traps Task Summary and its related topics.

Enhanced application identification

Beginning with IDP OS Release 5.1, the application identification feature can match extended application signatures used in APE rulebase rules. Extended application signatures are also called nested application signatures. The predefined extended application signatures developed for IDP OS Release 5.1 include the most prevalent Web 2.0 applications running over HTTP. If your security policy includes APE rules configured to match extended application signatures, the application identification process identifies and generates the following HTTP contexts: http-url-parsed, http-url-parsed-param-parsed, http-header-host, and http-header-content-type. The application identification feature can then match application signature patterns in those contexts.

J-Security Center updates application signatures and develops new ones as necessary. Beginning with IDP OS Release 5.1, you can use NSM to browse predefined application objects, predefined extended application objects, and application groups. You can also use NSM to create custom application definitions, if needed. You cannot, however, create custom extended application definitions.

For details, see Using Application Identification, Using Application Objects, and their related topics.

Enhanced APE rulebase features

Beginning with IDP OS Release 5.1:

  • You can create rules that match extended application objects (also called nested application objects).
  • You can apply a new action to matching rules: DiffServ + Ratelimiting.
  • If you use user-role-based matching, you can set a global option to enable an aggregate limit for matching user roles (the default) or a per-subscriber rate limit (by using a CLI command).

For details, see Understanding the APE Rulebase and its related topics.

Enhanced attack signature

IDP OS Release 5.1 supports the following configurable constraints to enable you to fine-tune custom attack signatures:

  • Within bytes—Configure a byte range where the attack pattern must be detected.
  • Within packets—Configure a packet range where the attack pattern must be detected.
  • Context checking—Configure a byte-length requirement for matching contexts.

This release also supports bit-level matching for binary protocols.
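As an added illustration (not IDP's own matching engine), the following Python model shows how the within-bytes, within-packets, and context-length constraints narrow where a pattern is allowed to match in a reassembled stream, plus a masked comparison of the kind bit-level matching performs on binary protocols. The Signature class, find_match, bit_match, and the sample packets are all constructed here and are not part of the product.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of the custom-attack constraints described above; not IDP's matcher.
@dataclass
class Signature:
    pattern: bytes
    within_bytes: Optional[Tuple[int, int]] = None     # [start, end) offsets in the reassembled stream
    within_packets: Optional[Tuple[int, int]] = None   # first..last packet number (1-based, inclusive)
    min_context_len: Optional[int] = None              # context checking: inspected context must be at least this long

def find_match(sig: Signature, packets: List[bytes]) -> Optional[Tuple[int, int]]:
    """Return (packet_no, stream_offset) of the first occurrence of sig.pattern
    that satisfies every configured constraint, or None if no occurrence does."""
    stream = b"".join(packets)            # treat the reassembled payload as the matching context
    if sig.min_context_len is not None and len(stream) < sig.min_context_len:
        return None                       # context too short: the signature does not apply at all
    starts = []                           # stream offset at which each packet begins
    off = 0
    for p in packets:
        starts.append(off)
        off += len(p)
    pos = stream.find(sig.pattern)
    while pos != -1:
        end = pos + len(sig.pattern)
        pkt_no = max(i for i, s in enumerate(starts) if s <= pos) + 1   # packet holding the match start
        in_bytes = sig.within_bytes is None or (sig.within_bytes[0] <= pos and end <= sig.within_bytes[1])
        in_pkts = sig.within_packets is None or (sig.within_packets[0] <= pkt_no <= sig.within_packets[1])
        if in_bytes and in_pkts:
            return pkt_no, pos
        pos = stream.find(sig.pattern, pos + 1)   # this occurrence failed a constraint: keep searching
    return None

def bit_match(value: int, mask: int, expected: int) -> bool:
    """Bit-level check for binary protocols: compare only the bits selected by mask."""
    return (value & mask) == (expected & mask)

# Constructed sample: one HTTP request split across three packets (not captured traffic).
PACKETS = [
    b"GET /cgi-bin/",                                   # packet 1, stream offsets 0-12
    b"../../etc/passwd HTTP/1.1\r\n",                   # packet 2, offsets 13-39
    b"Host: example.test\r\nX-Note: ../..\r\n\r\n",     # packet 3, offsets 40-76
]

if __name__ == "__main__":
    print(find_match(Signature(b"../.."), PACKETS))                          # (2, 13)
    print(find_match(Signature(b"../..", within_packets=(3, 3)), PACKETS))   # (3, 68)
    print(find_match(Signature(b"../..", within_bytes=(0, 12)), PACKETS))    # None
    print(bit_match(0b1010_0010, mask=0b1111_0000, expected=0b1010_0000))    # True
```

Tightening the byte or packet range is what suppresses the second, harmless occurrence in packet 3 while still catching the one in the request line.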

For details, see the IDP Series Custom Attack Object Reference and Examples Guide.

Configurable syslog communication

Beginning with IDP OS Release 5.1, you can specify the protocol and port to use for syslog messages. See Configuring Syslog Collection (NSM Procedure).

Bidirectional packet capture

Beginning with IDP OS Release 5.1, you can use a new utility to capture packets at the Rx interface (receiving interface) and also at the Tx interface (transmitting interface). See Using jnetTcpdump to Capture Packets.

Enhanced debugging and troubleshooting tools

You can use the following CLI command enhancements to display system information:

  • scio app cache—A new option, listall, allows you to list the entire application identification cache. Previously, only the 32 most recent entries were listed.
  • scio logview—A new command that enables you to troubleshoot log collection by NSM. The command allows you to view raw log data on the IDP Series device so you can compare it to the logs seen at NSM.
  • scio subs—A new option displays aggregate statistics for all IDP engines on IDP8200. IDP8200 has multiple IDP engines. To view an aggregation, use scio subs aggregatestatus s0. To view statistics per engine, use scio subs status s0.
  • scio var—The TCP and UDP flow tables now include a column showing the application identified for each flow.