
    Using Application Identification

    The application identification feature enables the IDP engine to detect applications running on standard or nonstandard ports. Port-independent application identification enhances both security and manageability by eliminating the need to manually and comprehensively configure application-port mapping for the service objects and application objects used in the IDP rulebase and APE rulebase rules.

    The application identification feature uses application signatures provided by the Juniper Security Center team (J-Security Center) to identify the session application. Beginning with IDP OS Release 5.1, the application identification feature can match extended application signatures used in APE rulebase rules. Extended application signatures are also called nested application signatures. The predefined extended application signatures developed for IDP OS Release 5.1 include the most prevalent Web 2.0 applications running over HTTP. If your security policy includes APE rules configured to match extended application signatures, the application identification process identifies and generates the following HTTP contexts: http-url-parsed, http-url-parsed-param-parsed, http-header-host, and http-header-content-type. The application identification feature can then match application signature patterns in those contexts.

    J-Security Center updates application signatures and develops new ones as necessary. Beginning with IDP OS Release 5.1, you can use NSM to browse predefined application objects, predefined extended application objects, and application groups. You can also use NSM to create custom application definitions, if needed. You cannot, however, create custom extended application definitions.

    When the application identification feature identifies a new application, it caches the result, keyed on the destination address, port, protocol, and service, so that subsequent sessions to the same destination are classified from the cache instead of being re-examined. The application cache and the extended application cache are maintained separately.

    When the IDP engine processes security policy rules, it examines the session, beginning with the first packet, to identify a match. To match a service or application, the IDP engine first compares the session against the application identification cache. If the session does not match a cache entry, the IDP engine processes the session against the application signatures. If the IDP engine is still unable to determine the application, it falls back to the standard protocol and port for the application.

    In IDP rulebase rules, with application identification enabled, you set the service object in rules to Default to allow the application identification feature to identify the correct service. If you set service to a specific service object, application identification is not applied and the rule is processed using the service object properties.

    In APE rulebase rules, with application identification enabled, you set the service object in rules to Default and specify rules based on application or extended application. If you disable application identification and specify a match based on application, the IDP engine uses the standard application protocol and port for the application. If the application you are interested in is not listed, you can create a custom application object to match against application properties that you define.
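    The following Python model, added here as an illustration and not code from IDP OS or NSM, ties together the lookup order described above (cache, then application signatures, then the standard protocol and port), the four HTTP contexts generated for extended application signatures, and the effect of the service object setting on IDP and APE rules. All signatures, application names (example-video, example-webmail, json-api), addresses, and flows are constructed for the example; the cache key and the behaviour when application identification is disabled are modelled from the text, not taken from the product.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed application signatures: name -> (protocol, regex on the first
# client payload). Placeholders for this example, not J-Security Center's.
APP_SIGNATURES = {
    "HTTP": ("tcp", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    "SSH": ("tcp", re.compile(rb"^SSH-2\.0-")),
}
# Standard protocol/port of each application: the fallback when no signature
# matches, and the service-object view used by rules with a specific service.
STANDARD_PORTS = {("tcp", 22): "SSH", ("tcp", 80): "HTTP"}
# Constructed extended (nested) signatures, each bound to one of the HTTP
# contexts named in the text; the application names are hypothetical.
EXTENDED_SIGNATURES = {
    "example-video": ("http-url-parsed", re.compile(r"^/videoplayback")),
    "example-webmail": ("http-header-host", re.compile(r"(^|\.)mail\.example\.test$")),
    "json-api": ("http-header-content-type", re.compile(r"^application/json")),
}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first client-to-server data of the session


def http_contexts(payload: bytes) -> Dict[str, str]:
    """Extract the four HTTP contexts the text names from a request head."""
    lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return {}
    url = urlsplit(request_line[1])
    ctx = {"http-url-parsed": url.path}
    params = parse_qs(url.query, keep_blank_values=True)
    if params:
        ctx["http-url-parsed-param-parsed"] = "&".join(f"{k}={v[0]}" for k, v in params.items())
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            ctx["http-header-host"] = value.strip().lower()
        elif name.strip().lower() == "content-type":
            ctx["http-header-content-type"] = value.strip().lower()
    return ctx


class AppIdentifier:
    """Lookup order from the text: cache, then signatures, then standard port."""

    def __init__(self) -> None:
        # Two caches kept separately, as the text states. Key assumed here:
        # (destination address, port, protocol); the cached value is the app.
        self.app_cache: Dict[Tuple[str, int, str], str] = {}
        self.ext_cache: Dict[Tuple[str, int, str], str] = {}

    def identify(self, flow: Flow) -> Tuple[str, Optional[str], str]:
        """Return (application, extended application or None, how decided)."""
        key = (flow.dst_ip, flow.dst_port, flow.proto)
        if key in self.app_cache:
            return self.app_cache[key], self.ext_cache.get(key), "cache"
        app = next((n for n, (p, pat) in APP_SIGNATURES.items()
                    if p == flow.proto and pat.match(flow.payload)), None)
        if app is None:
            # No signature matched: standard protocol/port; nothing is cached.
            return STANDARD_PORTS.get((flow.proto, flow.dst_port), "unknown"), None, "standard-port"
        ext = None
        if app == "HTTP":
            ctx = http_contexts(flow.payload)
            ext = next((n for n, (c, pat) in EXTENDED_SIGNATURES.items()
                        if c in ctx and pat.search(ctx[c])), None)
        self.app_cache[key] = app
        if ext is not None:
            self.ext_cache[key] = ext
        return app, ext, "signature"


@dataclass(frozen=True)
class Rule:
    name: str
    service: str = "Default"  # "Default" lets application identification decide
    application: Optional[str] = None
    extended_application: Optional[str] = None


def rule_matches(rule: Rule, flow: Flow, ident: AppIdentifier, app_id_enabled: bool = True) -> bool:
    """Service/application matching for IDP and APE rules as the text describes."""
    port_app = STANDARD_PORTS.get((flow.proto, flow.dst_port))
    if rule.service != "Default":
        # Specific service object: app-id is bypassed, only protocol/port counts.
        return port_app == rule.service
    if not app_id_enabled:
        # Disabled: an application match means its standard protocol/port, and
        # extended applications cannot be matched at all.
        if rule.extended_application is not None:
            return False
        return rule.application is None or rule.application == port_app
    app, ext, _ = ident.identify(flow)
    if rule.application is not None and rule.application != app:
        return False
    return rule.extended_application is None or rule.extended_application == ext


if __name__ == "__main__":
    ident = AppIdentifier()
    video = Flow("203.0.113.10", 8080, "tcp",
                 b"GET /videoplayback?id=42 HTTP/1.1\r\nHost: media.example.test\r\n\r\n")
    ssh = Flow("203.0.113.20", 2222, "tcp", b"SSH-2.0-OpenSSH_9.6\r\n")
    tls_on_80 = Flow("203.0.113.30", 80, "tcp", b"\x16\x03\x01\x00\xa5\x01")
    for f in (video, video, ssh, tls_on_80):  # second video flow hits the cache
        print(f.dst_ip, f.dst_port, ident.identify(f))
    print(rule_matches(Rule("video", extended_application="example-video"), video, ident))
    print(rule_matches(Rule("video", extended_application="example-video"), video, ident, False))
```

    The run shows the two points a practitioner cares about: HTTP on tcp/8080 and SSH on tcp/2222 are still recognized because signatures, not ports, decide, while a non-HTTP payload on tcp/80 is reported as HTTP only because the standard-port fallback has nothing better. Note also that once a destination is cached, later sessions to it are classified from the cache, so the cache can carry a first-session result forward.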

    The application identification feature is enabled by default, and we recommend you use this feature. To support lab experimentation and troubleshooting, you can disable application identification and extended application identification, and you can tune the following settings:

    • Maximum number of sessions that utilize application identification
    • Maximum memory used by application identification
    • Maximum memory for saving TCP or UDP packets per session

    For information on tuning these parameters, see the scio const reference page in the IDP Series Administration Guide.


    Published: 2011-02-08