Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

IDP for Logical Systems

 

An Intrusion Detection and Prevention (IDP) policy in logical systems enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through your SRX Series. The SRX Series offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. For more information, see the following topics:

IDP in Logical Systems Overview

A Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a logical system.

This topic includes the following sections:

IDP Policies

The master administrator configures IDP policies at the root level. Configuring an IDP policy for logical systems is similar to configuring an IDP policy on a device that is not configured for logical systems. This can include the configuration of custom attack objects.

IDP policy templates installed in root logical system are visible and used by all logical systems.

The master administrator then specifies an IDP policy in the security profile that is bound to a logical system. To enable IDP in a logical system, the master administrator or user logical system administrator configures a security policy that defines the traffic to be inspected and specifies the permit application-services idp action.

Although the master administrator can configure multiple IDP policies, a logical system can have only one active IDP policy at a time. For user logical systems, the master administrator can either bind the same IDP policy to multiple user logical systems or bind a unique IDP policy to each user logical system. To specify the active IDP policy for the master logical system, the master administrator can either reference the IDP policy in the security profile that is bound to the master logical system or use the active-policy configuration statement at the [edit security idp] hierarchy level.

The root administrator configures the number of maximum IDP sessions reservation for a root and user logical system. The number of IDP sessions that are allowed for a root logical system are defined using the command set security idp max-sessions max-sessions and the number of IDP sessions that are allowed for a user logical system are defined using the command set security idp logical-system logical-system max-sessions max-sessions .

Note

A commit error is generated if an IDP policy is both configured in the security profile that is bound to the master logical system and specified with the active-policy configuration statement. Use only one method to specify the active IDP policy for the master logical system.

Note

If you have configured more than one IDP policy in a security policy, then configuring default IDP policy configuration is mandatory.

A default IDP policy configuration is supported when multiple IDP policies are available. The default IDP policy is one of the multiple IDP policies. For more information about configuring multiple IDP policies and default IDP policy, see the IDP Policy Selection for Unified Policies.

The logical system administrator performs the following actions:

  • Configure multiple IDP policies and attach to the firewall policies to be used by the user logical systems. If the IDP policy is not configured for a user logical system, the default IDP policy configured by the master administrator is used. The IDP policy is bound to the user logical systems through a logical systems security policy.

  • Create or modify IDP policies for their user logical systems. The IDP policies are bound to user logical systems. When an IDP policy is changed, and commit succeeds, the existing sessions mapped to current active policy continue to use the old IDP combined policy. When an IDP policy is changed, and commit fails, only the logical system user that has initiated the commit change is notified about the commit failure.

  • The logical system can create security zones in the user logical system and assign interfaces to each security zone. Zones that are specific to user logical systems cannot be referenced in IDP policies configured by the master administrator. The master administrator can reference zones in the master logical system in an IDP policy configured for the master logical system.

  • View the attack statistics detected and IDP counters, attack table, and policy commit status by the individual logical system using the commands show security idp counters, show security idp attack table, show security idp policies, show security idp policy-commit-status, and show security idp security-package-version.

Limitation

  • When a IDP policy is changed and compiled in a specific user logical system, this change is considered as a single global policy change and compiled for all policies of all the logical systems.

IDP Installation and Licensing for Logical Systems

An idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any logical system on the device.

A single IDP security package is installed for all logical systems on the device at the root level. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all logical systems.

Understanding IDP Features in Logical Systems

This topic includes the following sections:

Rulebases

A single IDP policy can contain only one instance of any type of rulebase. The following IDP rulebases are supported for logical systems:

  • The Intrusion prevention system (IPS) rulebase uses attack objects to detect known and unknown attacks. It detects attacks based on stateful signature and protocol anomalies.

  • The application-level distributed denial-of-service (DDoS) rulebase defines parameters to protect servers such as DNS or HTTP. The application-level DDoS rulebase defines the source match condition for traffic that should be monitored and takes an action, such as drop the connection, drop the packet, or no action. It can also perform actions against future connections that use the same IP address.

Note

Status monitoring for IPS and application-level DDoS is global to the device and not on a per logical system basis.

Protocol Decoders

The Junos IDP module ships with a set of preconfigured protocol decoders. These protocol decoders have default settings for various protocol-specific contextual checks that they perform. The IDP protocol decoder configuration is global and applies to all logical systems. Only the master administrator at the root level can modify the settings at the [edit security idp sensor-configuration] hierarchy level.

SSL Inspection

IDP SSL inspection uses the Secure Sockets Layer (SSL) protocol suite to enable inspection of HTTP traffic encrypted in SSL.

SSL inspection configuration is global and applies to all logical systems on a device. SSL inspection can only be configured by the master administrator at the root level with the ssl-inspection configuration statement at the [edit security idp sensor-configuration] hierarchy level.

Inline Tap Mode

The inline tap mode feature provides passive, inline detection of Application Layer threats for traffic matching security policies that have the IDP application service enabled. When a device is in inline tap mode, packets pass through firewall inspection and are also copied to the independent IDP module. This allows the packets to get to the next service module without waiting for IDP processing results.

Inline tap mode is enabled or disabled for all logical systems at the root level by the master administrator. To enable inline tap mode, use the inline-tap configuration statement at the [edit security forwarding-process application-services maximize-idp-sessions] hierarchy level. Delete the inline tap mode configuration to switch the device back to regular mode.

Note

The device must be restarted when switching to inline tap mode or back to regular mode.

Multi-Detectors

When a new IDP security package is received, it contains attack definitions and a detector. After a new policy is loaded, it is also associated with a detector. If the policy being loaded has an associated detector that matches the detector already in use by the existing policy, the new detector is not loaded and both policies use a single associated detector. But if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection.

The version of the detector is common to all logical systems.

Logging and Monitoring

Status monitoring options are available to the master administrator only. All status monitoring options under the show security idp and clear security idp CLI operational commands present global information, but not on a per logical system basis.

Note

SNMP monitoring for IDP is not supported on logical systems.

IDP generates event logs when an event matches an IDP policy rule in which logging is enabled.

The logical systems identification is added to the following types of IDP traffic processing logs:

  • Attack logs. The following example shows an attack log for the ls-product-design logical system:

    Note

    In the IDP attack detection event log message (IDP_ATTACK_LOG_EVENT_LS), the time-elapsed, inbytes, outbytes, inpackets, and outpackets fields are not populated.

  • IP action logs. The following example shows an IP action log for the ls-product-design logical system:

  • Application DDoS logs. The following example shows an application DDoS log for the ls-product-design logical system:

Example: Configuring an IDP Policy for the Master Logical Systems

This example shows how to configure an IDP policy in a master logical system.

Requirements

Before you begin:

Overview

In this example you configure a custom attack that is used in an IDP policy. The IDP policy is specified in a security profile that is applied to the master logical system. IDP is then enabled in a security policy configured in the master logical system.

You configure the features described in Table 1.

Table 1: IDP Configuration for the Master Logical System

Feature

Name

Configuration Parameters

Custom attack

http-bf

  • Severity critical

  • Detect three attacks between source and destination addresses of sessions.

  • Stateful signature attack type with the following characteristics:

    • location http-url-parsed

    • pattern .*juniper.*

    • client to server traffic

IPS rulebase policy

root-idp-policy

Match:

  • application default

  • http-bf custom attacks

Action:

  • drop-connection

  • notification log-attacks

Logical system security profile

master-profile (previously configured and applied to root-logical-system)

Add IDP policy root-idp-policy.

Security policy

enable-idp

Enable IDP in a security policy that matches any traffic from the lsys-root-untrust zone to the lsys-root-trust zone.

Note

A logical system can have only one active IDP policy at a time. To specify the active IDP policy for the master logical system, the master administrator can reference the IDP policy in the security profile that is bound to the master logical system as shown in this example. Alternatively, the master administrator can use the active-policy configuration statement at the [edit security idp] hierarchy level.

A commit error is generated if an IDP policy is both configured in the security profile that is bound to the master logical system and specified with the active-policy configuration statement. Use only one method to specify the active IDP policy for the master logical system.

Configuration

Configuring a Custom Attack

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a custom attack object:

  1. Log in to the master logical system as the master administrator and enter configuration mode.
  2. Create the custom attack object and set the severity level.
  3. Configure attack detection parameters.
  4. Configure stateful signature parameters.

Results

From configuration mode, confirm your configuration by entering the show security idp custom-attack http-bf command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring an IDP Policy for the Master Logical System

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an IDP policy:

  1. Create the IDP policy and configure match conditions.
  2. Configure actions for the IDP policy.
  3. Add the IDP policy to the security profile.

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy root-idp-policy and show system security-profile master-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Enabling IDP in a Security Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To enable IDP in a security policy:

  1. Create the security policy and configure match conditions.
  2. Enable IDP.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Attack Matches

Purpose

Verify that attacks are being matched in network traffic.

Action

From operational mode, enter the show security idp attack table command.

Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System

The master administrator can either download predefined IDP policies to the device or configure custom IDP policies at the root level using custom or predefined attack objects. The master administrator is responsible for assigning an IDP policy to a user logical system. This example shows how to assign a predefined IDP policy to a user logical system.

Requirements

Before you begin:

Overview

The predefined IDP policy named Recommended contains attack objects recommended by Juniper Networks. All rules in the policy have their actions set to take the recommended action for each attack object. You add the Recommended IDP policy to the ls-design-profile, which is bound to the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To add a predefined IDP policy to a security profile for a user logical system:

  1. Log in to the master logical system as the master administrator and enter configuration mode.
  2. Add the IDP policy to the security profile.

Results

From configuration mode, confirm your configuration by entering the show security idp and show system security-profile ls-design-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the Configuration

Purpose

Verify the IDP policy assigned to the logical system.

Action

From operational mode, enter the show security idp logical-system policy-association command. Ensure that the IDP policy in the security profile that is bound to the logical system is correct.

Example: Enabling IDP in a User Logical System Security Policy

This example shows how to enable IDP in a security policy in a user logical system.

Requirements

Before you begin:

Overview

In this example, you configure the ls-product-design user logical system as shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

You enable IDP in a security policy that matches any traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone. Enabling IDP in a security policy directs matching traffic to be checked against the IDP rulebases.

Note

This example uses the IDP policy configured and assigned to the ls-product-design user logical system by the master administrator in Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a security policy to enable IDP in a user logical system:

  1. Log in to the logical system as the user logical system administrator and enter configuration mode.
  2. Configure a security policy that matches traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone.
  3. Configure the security policy to enable IDP for matching traffic.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying Attack Matches

Purpose

Verify that attacks are being matched in network traffic.

Action

From operational mode, enter the show security idp attack table command.

Example: Configuring an IDP Policy for a User Logical System

This example shows how to configure and assign an IDP policy to a user logical system. After assigning the IDP policy, the traffic is sent from client to check for the attack detection on the configured custom attack.

Requirements

This example uses the following hardware and software components:

  • Junos OS Release 18.3R1 and later

  • an SRX4200 device

Before you configure IDP policy on user logical system:

Overview

In this example, you configure a custom attack that is used in an IDP policy. The IDP policy is specified and enabled using a security policy configured in the user logical system.

Configuration

To configure IDP in a user logical system:

Configuring a user logical system

CLI Quick Configuration

Step-by-Step Procedure

To configure a user logical system:

  1. Configure a user logical system.
  2. Exit from the configuration mode and enter to the operational mode.
  3. Login as LSYS1 user to the user logical sytem and enter to configuration mode.

Results

From configuration mode, confirm your configuration by entering the show logical-systems command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Configuring a Custom Attack

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a custom attack object:

  1. Log in to the user logical system as LSYS1 and enter configuration mode.
  2. Create the custom attack object and set the severity level.
  3. Configure stateful signature parameters.

Results

From configuration mode, confirm your configuration by entering the show security idp custom-attack my-http command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring an IDP Policy for the User Logical System

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an IDP policy:

  1. Create the IDP policy and configure match conditions.
  2. Configure actions for the IDP policy.

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine and show system security-profile master-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Enabling IDP in a Security Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To enable IDP in a security policy:

  1. Create the security policy and configure match conditions.
  2. Enable IDP.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To send traffic and check for attack detection from user logical system:

Verifying Attack Detection

Purpose

Verify that attack detection is happening for the custom attack.

Action

From operational mode, enter the show security idp attack table command.

user@host:LSYS1> show security idp policies
user@host:LSYS1> show security idp attack table

Meaning

The output displays the attacks detected for the custom attack that is configured in the IDP policy in the user logical system LSYS1.

See also