Understanding Custom Application Signatures
Application identification supports user-defined custom application signatures and signature groups. Custom application signatures are unique to your environment and are not part of the predefined application package when you install them into the device. The custom application signatures are pushed to the device when you publish or update and subsequently, you can use them in the application firewall policy rules only.
The custom application signatures are required:
To control traffic particular to an environment
To bring visibility for unknown or unclassified applications by developing custom applications
To identify applications over Layer 7 that are transiting or temporary applications, and to achieve further granularity of known applications
To perform QoS for your specific application
Starting in Junos Space Security Director 17.1, you can create the custom application identification for all devices running Junos OS Release 15.1X49-D40 and later. You can use the custom application identification in the application firewall policies similar to the predefined application identifications. If the custom application identifications are not supported by a device, Security Director shows an error during the policy publish or the configuration preview.
You can import the custom application signatures from a device and also push the created custom application signatures to a device, by using the publish and update workflow.
You can use the custom application signatures only in the application firewall policy rules.
Security Director and device configurations must be in sync for the application visibility to work with the custom application signatures.
SRX Series devices support the following types of custom signatures:
The ICMP mapping technique maps standard ICMP message types and optional codes to a unique application name. This mapping technique lets you differentiate between various types of ICMP messages.
Layer 3 and Layer 4 address mapping defines an application by the IP address and optional port range of the traffic.
To ensure adequate security, use address mapping when the configuration of your private network predicts application traffic to or from trusted servers. Address mapping provides efficiency and accuracy in handling traffic from a known application.
With Layer 3 and Layer 4 address-based custom applications, you can match the IP address and port range to destination IP address and port. When IP address and port are configured, they must match the destination tuples (IP address and port range) of the packet.
For example, consider a Session Initiation Protocol (SIP) server that initiates sessions from its known port 5060. Because all traffic from this IP address and port is generated by only the SIP application, the SIP application can be mapped to an IP address of the server and port 5060 for application identification. In this way, all traffic with this IP address and port is identified as SIP application traffic.
IP Protocol-Based Mapping
Standard IP protocol numbers can map an application to IP traffic. As with address mapping, to ensure an adequate security, use IP protocol mapping only in your private network for trusted servers.
Layer 7-Based Signatures
Layer 7 custom signatures define an application running over TCP or UDP or Layer 7 applications. Layer 7-based custom application signatures are required for the identification of multiple applications running on the same Layer 7 protocols. For example, applications such as Facebook and Yahoo Messenger can run over HTTP, but there is a need to identify them as two different applications running on the same Layer 7 protocol. The custom signature is cacheable for Layer 7 signatures only. You can create multiple signatures and each signature can contain multiple members up to maximum of 15 members.
Layer 7-based custom application signatures detect applications based on the patterns in HTTP contexts. However, some HTTP sessions are encrypted in SSL, also called Transport Layer Security (TLS). Application identification can extract the server name information or the server certification from the TLS or SSL sessions. It can also detect patterns in TCP or UDP payload in Layer 7 applications.