Application Identification for NFX Devices
Application Identification enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. Using several identification mechanisms, App ID detects the applications on your network regardless of the port, protocol, encryption (TLS/SSL or SSH), or other evasive tactics they use. The sections below describe the identification techniques, the signature database, the application system cache, and the related configuration statements.
Understanding Application Identification Techniques
Historically, firewalls have used the IP address and port numbers as a way of enforcing policies. That strategy is based on the assumption that users connect to the network from fixed locations and access particular resources using specific port numbers.
Today, wireless networking and mobile devices require a different strategy. The way in which devices connect to the network changes rapidly. An individual can connect to the network using multiple devices simultaneously. It is no longer practical to identify a user, application, or device by a group of statically allocated IP addresses and port numbers.
Junos OS Next-Generation Application Identification
Next-generation application identification builds on the legacy application identification functionality and provides more effective detection capabilities for evasive applications such as Skype, BitTorrent, and Tor.
Junos OS application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than port number. Applications are identified by using a protocol bundle containing application signatures and parsing information. The identification is based on protocol parsing and decoding and session management.
The detection mechanism has its own data feed and constructs to identify applications.
The following features are supported in application identification:
Support for protocols and applications, including video streaming, peer-to-peer communication, social networking, and messaging
Identification of services within applications
Ability to distinguish actions launched within an application (such as login, browse, chat, and file transfer)
Support for all versions of protocols and application decoders and dynamic updates of decoders
Support for encrypted and compressed traffic and most complex tunneling protocols
Identification of protocols from Layer 3 through Layer 7, and of applications that run on top of Layer 7 protocols (for example, applications carried over HTTP)
Benefits of Application Identification
Provides granular control over applications, including video streaming, peer-to-peer communication, social networking, and messaging. It also identifies services, port usage, underlying technology, and behavioral characteristics within applications. This visibility enables you to block evasive applications inline at the NFX Series firewall.
Identifies applications and allows, blocks, or limits applications—regardless of port or protocol, including applications known for using evasive techniques to avoid identification. This identification helps organizations control the types of traffic allowed to enter and exit the network.
Application Signature Mapping
Application signature mapping is a precise method of identifying the application that generated traffic on the network. Signature mapping operates at Layer 7 and inspects the actual content of the payload rather than the port or protocol number.
Applications are identified by using a downloadable protocol bundle. Application signatures and parsing information of the first few packets are compared to the content of the database. If the payload contains the same information as an entry in the database, the application of the traffic is identified as the application mapped to that database entry.
Juniper Networks provides a predefined application identification database that contains entries for a comprehensive set of known applications, such as FTP and DNS, and applications that operate over the HTTP protocol, such as Facebook, Kazaa, and many instant messaging programs. A signature subscription allows you to download the database from Juniper Networks and regularly update the content as new predefined signatures are added.
Application Identification Match Sequence
Figure 1 shows the sequence in which mapping techniques are applied and how the application is determined.
In application identification, every packet in the flow passes through the application identification engine for processing until the application is identified. Application bindings are saved in the application system cache (ASC) to expedite future identification process.
Application signatures identify an application based on protocol grammar analysis in the first few packets of a session. If the application identification engine has not yet identified the application, it passes the packets and waits for more data.
The application identification module matches applications for both client-to-server and server-to-client sessions.
Once the application is determined, AppSecure service modules can be configured to monitor and control traffic for tracking, prioritization, access control, detection, and prevention based on the application ID of the traffic.
AppTrack—Tracks and reports applications passing through the device.
Intrusion Detection and Prevention (IDP)—Applies appropriate attack objects to applications running on nonstandard ports. Application identification improves IDP performance by narrowing the scope of attack signatures for applications without decoders.
AppFW—Implements an application firewall using application-based rules.
AppQoS—Provides quality-of-service prioritization based on application awareness.
Understanding the Junos OS Application Identification Database
A predefined signature database is available on the Juniper Networks Security Engineering website. This database includes a library of application signatures.
The predefined signature package provides identification criteria for known application signatures and is updated periodically.
Whenever new applications are added, the protocol bundle is updated and generated for all relevant platforms. It is packaged together with other application signature files. This package will be available for download through the security download website.
A subscription service allows you to regularly download the latest signatures for up-to-date coverage without having to create entries for your own use.
Application identification is enabled by default and is automatically turned on when you configure Intrusion Detection and Prevention (IDP), AppFW, AppQoS, or AppTrack.
Updates to the Junos OS predefined application signature package are authorized by a separately licensed subscription service. You must install the application identification application signature update license key on your device to download and install the signature database updates provided by Juniper Networks. When your license key expires, you can continue to use the locally stored application signature package contents but you cannot update the package.
Disabling and Reenabling Junos OS Application Identification
Application identification is enabled by default. You can disable it from the CLI with the no-application-identification statement under [edit services application-identification]. Note that IDP, AppFW, AppQoS, and AppTrack all depend on application identification, so disabling it removes the application context those services act on.
To disable application identification:
user@host# set services application-identification no-application-identification
To reenable application identification, delete the statement that disables it:
user@host# delete services application-identification no-application-identification
If you are finished configuring the device, commit the configuration.
To verify the result, enter the show services application-identification status command and check that the Application Identification Status field reads Enabled.
Understanding the Application System Cache
Application system cache (ASC) saves the mapping between an application type and the corresponding destination IP address, destination port, protocol type, and service. Once an application is identified, its information is saved in the ASC so that only a matching entry is required to identify an application running on a particular system, thereby expediting the identification process.
By default, the ASC saves the mapping information for 3600 seconds. However, you can configure the cache timeout value by using the CLI.
You can use the application-system-cache-timeout statement at the [edit services application-identification] hierarchy level to change the timeout value for application system cache entries. The timeout value can be configured from 0 through 1,000,000 seconds; an entry configured with the maximum value therefore expires after 1,000,000 seconds.
ASC entries expire after the configured ASC timeout. ASC entries are not refreshed even when there are cache hits (matching entry in ASC found) during the timeout period.
When you configure a new custom application signature or modify an existing custom signature, all the existing application system cache entries for predefined and custom applications will be cleared.
When you delete or disable a custom application signature, and the configuration commit fails, the application system cache (ASC) entry is not cleared completely; instead, a base application in the path of custom application will be reported in ASC.
Enabling or Disabling Application System Cache for Application Services
Starting in Junos OS Release 18.2R1, the default behavior of the ASC is changed as follows:
Security services including security policies, application firewall (AppFW), application tracking (AppTrack), application quality of service (AppQoS), Juniper Sky ATP, IDP, and UTM do not use the ASC by default.
Miscellaneous services including advanced policy-based routing (APBR) use the ASC for application identification by default.
The change in the default behavior of the ASC affects the legacy AppFW functionality. With the ASC disabled by default for the security services starting in Junos OS Release 18.2 onward, AppFW will not use the entries present in the ASC.
You can revert to the ASC behavior as in Junos OS releases before Release 18.2 by using the set services application-identification application-system-cache security-services command.
The security device might become susceptible to application evasion techniques if the ASC is enabled for security services. The reason is that an ASC entry is keyed on the destination IP address, destination port, protocol, and service: once a destination has been cached as a given application, later sessions to that destination are classified from the cache without their own payload being inspected, so a client that reaches a destination already cached as a permitted application can carry different traffic under that label. We recommend that you enable the ASC for security services only when the performance of the device in its default configuration (ASC disabled for security services) is not sufficient for your specific use case.
Use the following commands to enable or disable the ASC:
Enable the ASC for security services:
user@host# set services application-identification application-system-cache security-services
Disable the ASC for miscellaneous services:
user@host# set services application-identification application-system-cache no-miscellaneous-services
Disable the ASC for security services again (the default):
user@host# delete services application-identification application-system-cache security-services
Reenable the ASC for miscellaneous services (the default):
user@host# delete services application-identification application-system-cache no-miscellaneous-services
You can use the show services application-identification application-system-cache command to verify the status of the ASC.
The following sample output provides the status of the ASC:
user@host> show services application-identification application-system-cache
Application System Cache Configurations:
  application-cache: on
  Cache lookup for security-services: off
  Cache lookup for miscellaneous-services: on
  cache-entry-timeout: 3600 seconds
In releases before Junos OS Release 18.2R1, application caching was enabled by default. You can manually disable it by using the set services application-identification no-application-system-cache command.
Verifying Application System Cache Statistics
Verify the application system cache (ASC) statistics.
The application system cache will display the cache for application identification applications.
From CLI operation mode, enter the show services application-identification application-system-cache command.
user@host> show services application-identification application-system-cache
  application-cache: on
  nested-application-cache: on
  cache-unknown-result: on
  cache-entry-timeout: 3600 seconds
The output begins with a summary of the ASC configuration; the cache entries that follow carry the fields below. Verify the following information:
IP address—Displays the destination address.
Port—Displays the destination port on the server.
Protocol—Displays the protocol type on the destination port.
Application—Displays the name of the application identified on the destination port.
Onbox Application Identification Statistics
Application Identification services provide statistical information per session. These statistics provide customers with an application usage profile. The Onbox Application Identification Statistics feature adds application-level statistics to the AppSecure suite. Application statistics allow an administrator to access cumulative statistics as well as statistics accumulated over user-defined intervals.
With this feature, the administrator can clear the statistics and configure the interval values while maintaining bytes and session count statistics. Because the statistics count occurs at session close event time, the byte and session counts are not updated until the session closes. Juniper Networks’ devices support a history of eight intervals that an administrator can use to display application session and byte counts.
If application grouping is supported in your configuration of Junos OS, then the Onbox Application Identification Statistic feature supports onbox per-group matching statistics. The statistics are maintained for predefined groups only.
Reinstalling an application signature package will not clear the application statistics. If the application is disabled, there will not be any traffic for that application, but the application is still maintained in the statistics. It does not matter if you are reinstalling a predefined application, because applications are tracked according to application type. For predefined group statistics, reinstalling a security package will not clear the statistics. However, any changes to group memberships are updated. For example, junos:web might have 50 applications in the current release and 60 applications following an upgrade. Applications that are deleted and application groups that are renamed are handled in the same way as applications that are added.
The Application Identification module maintains a 64-bit session counter for each application on each Services Processing Unit (SPU). The counter increments when a session is identified as a particular application. Another set of 64-bit counters aggregates the total bytes per application on the SPU. Counters for unidentified applications are also maintained. Statistics from multiple SPUs for both sessions and bytes are aggregated on the Routing Engine and presented to the user.
Individual SPUs have interval timers to roll over statistics per interval time. To configure the interval for statistics collection, use the set services application-identification statistics interval time command. Whenever the Routing Engine queries for the required interval, the corresponding statistics are fetched from each SPU, aggregated in the Routing Engine and presented to the user.
Use the clear services application-identification statistics to clear all application statistics such as cumulative, interval, applications, and application groups.
Use the clear services application-identification counter command to reset the counters manually. Counters reset automatically when a device is upgraded or rebooted, when flowd restarts, or when there is a change in the interval timer.
Use the set services application-identification application-system-cache-timeout value to specify the timeout value in seconds for the application system cache entries.
Configuring IMAP Cache Size
Internet Message Access Protocol (IMAP) is an Internet standard protocol used by e-mail clients for e-mail storage and retrieval services. IMAP cache is used for protocol parsing and context generation. It stores parsing related information of an email.
You can configure to limit the maximum number of entries in the IMAP cache and specify the timeout value for the entries in the cache.
You can use the following statements to modify the IMAP cache settings:
set services application-identification imap-cache imap-cache-size size
set services application-identification imap-cache imap-cache-timeout seconds
For example, to limit the IMAP cache to 50,000 entries:
user@host# set services application-identification imap-cache imap-cache-size 50000
To make each cache entry expire 600 seconds after it is added:
user@host# set services application-identification imap-cache imap-cache-timeout 600
Understanding Jumbo Frames Support for Junos OS Application Identification Services
Application identification supports jumbo frames up to 9192 bytes. Jumbo frames are enabled by default; you can adjust the maximum transmission unit (MTU) size with the mtu option under [edit interfaces]. Because each jumbo frame carries more payload, fewer frames have to be processed for the same amount of traffic, which reduces CPU overhead.
Improving the Application Traffic Throughput
Application traffic throughput can be improved by running deep packet inspection (DPI) in performance mode, which limits inspection to a fixed number of packets per session (two by default, counting both the client-to-server and the server-to-client direction). Because fewer packets are inspected, identification is less accurate than in the default accuracy mode, and applications that need more packets to be recognized may remain unidentified. By default, performance mode is disabled on NFX Series devices.
To improve the application traffic throughput:
- Enable the DPI performance mode:
user@host# set services application-identification enable-performance-mode
- (Optional) Set the maximum number of packets, counting both the client-to-server and the server-to-client direction, that DPI inspects per session in performance mode. The limit can be set from 1 through 100:
user@host# set services application-identification enable-performance-mode max-packet-threshold value
- Commit the configuration:
user@host# commit
Use the show services application-identification status command to display detailed information about application identification status.
show services application-identification status (DPI Performance Mode Enabled)
user@host> show services application-identification status
pic: 2/1
Application Identification Status        Enabled
  Sessions under app detection           0
  Engine Version                         4.18.2-24.006 (build date Jul 30 2014)
  Max TCP session packet memory          30000
  Force packet plugin                    Disabled
  Force stream plugin                    Disabled
  DPI Performance mode:                  Enabled
  Statistics collection interval         1 (in minutes)
Application System Cache Status          Enabled
  Negative cache status                  Disabled
  Max Number of entries in cache         262144
  Cache timeout                          3600 (in seconds)
Protocol Bundle
  Download Server                        https://signatures.juniper.net/cgi-bin/index.cgi
  AutoUpdate                             Disabled
  Slot 1:
    Application package version          2399
    Status                               Active
    Version                              1.40.0-26.006 (build date May 1 2014)
    Sessions                             0
  Slot 2
    Application package version          0
    Status                               Free
    Version
    Sessions                             0
The DPI Performance mode field displays whether the DPI performance mode is enabled or not. This field is displayed in the CLI command output only if the performance mode is enabled.
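The two show outputs on this page are the data an operator would check to confirm that the ASC is not serving security services (the evasion caveat in the application system cache section) and that performance mode has not silently reduced inspection depth. The following Python script is an added example, not Juniper code and not part of the original page: it parses the field layout of show services application-identification status and show services application-identification application-system-cache as shown above and raises findings for settings that weaken inspection. The sample outputs are constructed to match that layout rather than captured from a device, and the severities and the 3600 s timeout baseline are this example's own choices.

```python
"""Audit Junos application-identification show output for settings that
weaken inspection.  Added example; sample outputs are constructed to
follow the layout shown on this page, not captured from a live device."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample of 'show services application-identification status'.
STATUS_SAMPLE = """\
pic: 2/1
Application Identification Status        Enabled
  Sessions under app detection           0
  Engine Version                         4.18.2-24.006 (build date Jul 30 2014)
  DPI Performance mode:                  Enabled
  Statistics collection interval         1 (in minutes)
Application System Cache Status          Enabled
  Cache timeout                          3600 (in seconds)
Protocol Bundle
  Download Server                        https://signatures.juniper.net/cgi-bin/index.cgi
  AutoUpdate                             Disabled
  Slot 1:
    Application package version          2399
    Status                               Active
    Version                              1.40.0-26.006 (build date May 1 2014)
"""

# Constructed sample of '... application-identification application-system-cache'.
ASC_SAMPLE = """\
Application System Cache Configurations:
  application-cache: on
  Cache lookup for security-services: off
  Cache lookup for miscellaneous-services: on
  cache-entry-timeout: 3600 seconds
"""

# status output: label, optional colon, two or more spaces, then the value
_WIDE = re.compile(r"^\s*(.+?):?\s{2,}(\S.*)$")
# ASC output: key, colon, value on the same line
_COLON = re.compile(r"^\s*([^:]+):\s*(.*\S)\s*$")


def parse_status(text: str) -> Dict[str, str]:
    """Map each label of the status output to its value.  Labels that repeat
    per slot keep their first occurrence, i.e. Slot 1 (the active package)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _WIDE.match(line)
        if m:
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
    return fields


def parse_asc(text: str) -> Dict[str, str]:
    """Map each 'key: value' line of the ASC configuration output."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _COLON.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def _seconds(value: str) -> int:
    m = re.search(r"\d+", value)
    return int(m.group()) if m else -1


def audit(status_text: str, asc_text: str, max_cache_timeout: int = 3600) -> List[Finding]:
    """Return (severity, message) findings; severities are this example's choice."""
    status = parse_status(status_text)
    asc = parse_asc(asc_text)
    findings: List[Finding] = []
    if status.get("Application Identification Status") != "Enabled":
        findings.append(("high", "application identification is disabled; AppFW, "
                         "AppQoS, AppTrack and IDP get no application context"))
    if asc.get("Cache lookup for security-services", "off").lower() == "on":
        findings.append(("medium", "ASC is enabled for security services: policy is "
                         "applied from a cached destination binding without "
                         "inspecting the new session, which invites application evasion"))
    if status.get("DPI Performance mode", "Disabled") == "Enabled":
        findings.append(("medium", "DPI performance mode is on: only the first few "
                         "packets per direction are inspected (accuracy mode is off)"))
    if status.get("AutoUpdate") == "Disabled":
        findings.append(("low", "protocol bundle AutoUpdate is disabled; package version "
                         f"{status.get('Application package version', '?')} changes "
                         "only when an update is installed by hand"))
    timeout = _seconds(asc.get("cache-entry-timeout", status.get("Cache timeout", "")))
    if timeout > max_cache_timeout:
        findings.append(("low", f"ASC entry timeout is {timeout} s, above the "
                         f"{max_cache_timeout} s default; cached bindings stay trusted "
                         "longer (entries are not refreshed on cache hits)"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(STATUS_SAMPLE, ASC_SAMPLE):
        print(f"[{severity}] {message}")
```

On the constructed sample the script reports two findings (performance mode enabled, AutoUpdate disabled) and stays silent on the ASC because Cache lookup for security-services is off, the default since Junos OS Release 18.2R1. Feed it the real outputs (for example, collected over NETCONF or pasted from a session) to get the same check against a device.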
If you want to set DPI to default accuracy mode and disable the performance mode, delete the configuration statement that specifies enabling of the performance mode:
To disable the performance mode:
- Delete the performance mode statement:
user@host# delete services application-identification enable-performance-mode
- Commit the configuration:
user@host# commit