Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Application Security in Logical Systems

 

Application Security in logical systems enables to identify application traffic traversing your network regardless of port, protocol, and encryption, thereby providing greater visibility to control network traffic. The application security controls network traffic by setting and enforcing security policies based on accurate application information. For more information, see the following topics:

Understanding Logical Systems Application Identification Services

Predefined and custom application signatures identify an application by matching patterns in the first few packets of a session. Identifying applications provides the following benefits:

  • Allows Intrusion Detection and Prevention (IDP) to apply appropriate attack objects to applications running on nonstandard ports.

  • Improves performance by narrowing the scope of attack signatures for applications without decoders.

  • Enables you to create detailed reports using AppTrack on applications passing through the device.

With logical systems, predefined and custom application signatures are global resources that are shared by all logical systems. The master administrator is responsible for downloading and installing predefined Juniper Networks application signatures and creating custom application and nested application signatures to identify applications that are not part of the predefined database.

Application identification is enabled by default.

The application system cache (ASC) saves the mapping between an application type and the corresponding destination IP address, destination port, protocol type, and service. Each user logical system has its own ASC. A user logical system administrator can display the ASC entries for their logical system with the show services application-identification application-system-cache command. A user logical system administrator can use the clear services application-identification application-system-cache command to clear the ASC entries for their logical system.

Starting in Junos OS Release 18.2R1, the default behavior of the ASC is changed as follows:

  • Security services including security policies, application firewall (AppFW), application tracking (AppTrack), application quality of service (AppQoS), Juniper Sky ATP, IDP, and UTM do not use the ASC by default.

  • Miscellaneous services including advanced policy-based routing (APBR) use the ASC for application identification by default.

    For more information, see Enabling or Disabling Application System Cache for Application Services.

The master administrator can display or clear ASC entries for any logical system. The master administrator can also display or clear global counters with the show services application-identification counter and clear services application-identification counter commands.

Application signature package is installed at the global-level, that is shared by all user logical systems. The master logical system administrator can install or uninstall application signature package.

Starting in Junos OS Release 18.3R1, the application identification (AppID) support for logical systems include two new options to view and clear logical system statistics and logical system counters statistics.

The master logical system administrator can display or clear the statistics for all logical systems whereas the administrator for the user logical system can display or clear the statistics for their own logical system.

The user logical system administrator can view the AppID signature package status and version. Custom signatures configured by the master logical system administrator can be configured in the use logical system security policies.

You can view the status and version information about the AppID signature package status and version by using the commands show services application-identification status and show services application-identification version.

Understanding Logical Systems Application Firewall Services

An application firewall enables administrators of logical systems to create security policies for traffic based on application identification defined by application signatures. The application firewall provides additional security protection against dynamic-application traffic that might not be adequately controlled by standard network firewall policies. The application firewall controls information transmission by allowing or blocking traffic originating from particular applications.

To configure an application firewall, you define a rule set that contains rules specifying the action to be taken on identified dynamic applications. The rule set is configured independently and assigned to a security policy. Each rule set contains at least two rules, a matched rule (consisting of match criteria and action) and a default rule.

  • A matched rule defines the action to be taken on matching traffic. When traffic matches an application and other criteria specified in the rule, the traffic is allowed or blocked based on the action specified in the rule.

  • A default rule is applied when traffic does not match any other rule in the rule set.

The master administrator can download a predefined application signature database from the Juniper Networks Security Engineering website or can define application signatures using the Junos OS configuration CLI. For more information about application identification and application signatures, see Application Security User Guide for Security Devices.

Configuring an application firewall on a logical system is the same process as configuring an application firewall on a device that is not configured with logical systems. However, the application firewall applies only to the logical system for which it is configured. The master administrator can configure, enable, and monitor application firewalls on the master logical system and all user logical systems on a device. User logical system administrators can configure, enable, and monitor application firewalls only on the user logical systems for which they have access.

Example: Configuring Application Firewall Services for a Master Logical Systems

This example describes how to configure application firewall services on the master, or root, logical system by a master administrator. Only the master administrator can configure, manage, and view configuration of the master logical system, in addition to all user logical systems.

After configuring application firewall rule sets and rules, the master administrator adds the application firewall rule set information to the security policy on the master logical system.

For information about configuring an application firewall within a security policy, see Application Firewall Overview.

Requirements

Before you begin:

  • Verify that all interfaces, routing instances, and security zones have been configured on the master logical system.

    See Example: Configuring Security Features for the Master Logical Systems.

  • Verify that application firewall resources (appfw-rule-set and appfw-rule) have been allocated in a security profile and bound to the master logical system through the [system security-profile] command. For application firewall resources, a security profile configuration allows 0 to 10,000 rule sets and 0 to 10,000 rules.

    Note

    The master administrator allocates various global system resources through a security profile configuration which is then bound to the various logical systems on the device. The master administrator owns this function and configures the security profile for all user logical systems as well as the master logical system.

    For more information, see Understanding Logical Systems Security Profiles (Master Administrators Only).

  • Log in to the master logical system as the master administrator.

    For information about master administrator role functions, see Understanding the Master Logical Systems and the Master Administrator Role.

Overview

In this example you create application firewall services on the master logical system, called root-logical-system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

This example creates the following application firewall configuration:

  • Rule set, root-rs1, with rules r1 and r2. When r1 is matched, telnet traffic is allowed through the firewall. When r2 is matched, web traffic is allowed through the firewall.

  • Rule set, root-rs2, with rule r1. When r1 is matched, example2 traffic is blocked by the firewall.

All rule sets require a default rule, which specifies whether to permit or deny traffic that is not specified in any rules of a rule set. The default-rule action (permit or deny) must be the opposite from the action that is specified for the other rule(s) in the rule set.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure application firewall for a master logical system:

  1. Log in to the master logical system as the master administrator. See Example: Configuring Root Password for Logical Systems and enter configuration mode.
  2. Configure an application firewall rule set for root-logical-system.
  3. Configure a rule for this rule set and specify which dynamic applications and dynamic application groups the rule should match.
  4. Configure the default rule for this rule set and specify the action to take when the identified dynamic application is not specified in any rules of the rule set.
  5. Repeat these steps to configure another rule set, root-rs2, if desired.

Results

From configuration mode, confirm your configuration by entering the show security application-firewall rule-sets command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Application Firewall Configuration

Purpose

View the application firewall configuration on the master logical system.

Action

From operational mode, enter the show security application-firewall rule-set logical-system root-logical-system rule-set all command.

admin@host> show security application-firewall rule-set logical-system root-logical-system rule-set all

Understanding Logical Systems Application Tracking Services

AppTrack is an application tracking tool that provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. The Security Threat Response Manager (STRM) retrieves the data and provides flow-based application visibility.

AppTrack can be enabled and configured within any logical system. Configuring AppTrack in a logical system is the same as configuring AppTrack on a device that is not configured for logical systems. An AppTrack configuration only applies to the logical system in which it is configured. The name of the logical system is added to AppTrack logs. The master administrator can configure AppTrack for any logical system while a user logical system administrator can only configure AppTrack for the logical system that they are logged in to.

Note

The system log configuration is global on the device and must be configured by the master administrator. The user logical system administrator cannot configure system logging for a logical system.

Counters keep track of the number of log messages sent and logs that have failed. AppTrack counters are global to the device. The master administrator as well as user logical system administrators can view AppTrack counters with the show security application-tracking counters command.

Example: Configuring Application Firewall Services for a User Logical System

This example describes how to configure application firewall services on a user logical system by a user logical system administrator. User logical system administrators can manage and monitor their own system application firewall rule sets and rules and manage the dynamic applications allowed or blocked on their respective logical systems.

After configuring application firewall rule sets and rules, user logical system administrators add the application firewall rule set information to the security policy on their individual logical systems.

For information about configuring an application firewall within a security policy, see Application Firewall Overview.

Requirements

Before you begin:

Overview

In this example you configure application firewall services on the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

This example creates the following application firewall configuration:

  • Rule set, ls-product-design-rs1, with rules r1 and r2. When r1 is matched, telnet traffic is allowed through the firewall. When r2 is matched, web traffic is allowed through the firewall.

  • Rule set, ls-product-design-rs2, with rule r1. When r1 is matched, Facebook traffic is blocked by the firewall.

All rule sets require a default rule, which specifies whether to permit or deny traffic that is not specified in any rules of a rule set. The default-rule action (permit or deny) must be the opposite from the action that is specified for the other rule(s) in the rule set.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure application firewall for a user logical system:

  1. Log in to the user logical system as the user logical system administrator and enter configuration mode.
  2. Configure an application firewall rule set for this logical system.
  3. Configure a rule for this rule set and specify which dynamic applications and dynamic application groups the rule should match.
  4. Configure the default rule for this rule set and specify the action to take when the identified dynamic application is not specified in any rules of the rule set.
  5. Repeat these steps to configure another rule set, ls-product-design-rs2, if desired.

Results

From configuration mode, confirm your configuration by entering the show security application-firewall rule-set all command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Application Firewall Configuration

Purpose

View the application firewall configuration on the user logical system.

Action

From operational mode, enter the show security application-firewall rule-set all command.

lsdesignadmin1@host:ls-product-design> show security application-firewall rule-set all

Example: Configuring AppTrack for a User Logical Systems

This example shows how to configure the AppTrack tracking tool so you can analyze the bandwidth usage of your network.

Requirements

Before you begin:

Overview

This example shows how to enable application tracking for the security zone ls-product-design-trust in the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

The first message is generated at session start and update messages are sent every 5 minutes after that or until the session ends. A final message is sent at session end.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure AppTrack for a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.
  2. Enable AppTrack for the security zone.
  3. Generate update messages at session start and at 5-minute intervals.

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying AppTrack Operation

Purpose

View the AppTrack counters periodically to monitor tracking.

Action

From operational mode, enter the show application-tracking counters command.

Verifying Security Flow Session Statistics

Purpose

Compare byte and packet counts in logged messages with the session statistics from the show security flow session command output.

Action

From operational mode, enter the show security flow session command.

Verifying Application System Cache Statistics

Purpose

Compare cache statistics such as IP address, port, protocol, and service for an application from the show services application-identification application-system-cache command output.

Action

From operational mode, enter the show services application-identification application-system-cache command.

Verifying the Status of Application Identification Counter Values

Purpose

Compare session statistics for application identification counter values from the show services application-identification counter command output.

Action

From operational mode, enter the show services application-identification counter command.