Introduction to IDP Migration

 

This topic provides a brief overview of some basic considerations when moving from standalone Juniper Networks IDP Series Intrusion Detection and Protection Appliances or Juniper Networks ISG Series Integrated Security Gateways with IDP security module to the Juniper Networks SRX Series Services Gateways.

For more information, see the following topics:

IDP Series Appliances to SRX Series Devices Migration Overview

Introduction

SRX Series devices are equipped with full security and networking capabilities and represents the highest performing firewalls with natively integrated full intrusion prevention system (IPS) technology from Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, providing inline protection against current and emerging threats throughout the network.

Although an SRX Series IDP policy can be configured entirely from within Juniper Networks J-Web software, this document focuses primarily on the CLI and Junos Space Security Director configuration steps, with the intention of providing an easy transition and learning path for both system engineers new to the IDP Series and those already familiar with managing standalone IDP Series and ISG Series with IDP solutions.

Because standalone IDP Series devices are typically deployed in either sniffer or transparent mode, additional considerations regarding network design must be addressed. These involve:

  • Network interfaces configuration

  • Security zones configuration

In addition, there are considerations regarding the following security features:

  • Denial of service (DoS) and flood protection.

  • Traffic anomaly detection or screens (as well as some of the detection methods applicable for SRX Series devices).

  • Configured settings and actions must be closely analyzed because adding a new device can potentially impact network traffic—particularly in regard to Layer 3 processing.

SRX Series Services Gateways can be deployed in sniffer mode (only on SRX5400, SRX5600, and SRX5800 devices). The sniffer mode is not supported on SRX300, SRX340, SRX345, and SRX550HM devices.

Multimethod Detection

SRX Series devices deploy two rulebases—a main IDP rulebase and an exempt rulebase.

In addition, SRX Series devices use security zones that are based on technology available with ScreenOS-based security devices, and provide detailed screen protection as an alternative for some basic standalone detection methods or rulebases.

Logging

Logging on an SRX Series device must be configured to send records in response to security events through system logging to a preconfigured syslog server, such as the Juniper Networks Juniper Secure Analytics (JSA).

Sensor Configuration Settings

On both standalone IDP Series and SRX Series devices, a number of sensor configuration settings can be configured to fine-tune IDP Series behavior and can be accessed from the CLI and Junos Space Security Director (SD). If any of the settings have been changed from the default value or need to be further modified, you must manually modify them. There are no automated processes to export or import modified settings.

Key Points to Consider

Note the following key points when you migrate from IDP Series Appliances to SRX Series devices:

  • In comparison with deep inspection on ScreenOS, the fundamental IPS detection capabilities on the SRX Series devices do not differ from that available on IDP Series Appliances or ISG Series with IDP security modules.

  • Not all IPS features are available on SRX Series IDP. We recommend that you familiarize yourself with documentation that details those differences.

  • Only SRX5400, SRX5600, and SRX5800 devices can be configured in sniffer mode (transparent mode).

  • IPS does not need a separate license to run as a service on the SRX Series device; however, a license is required for IPS updates.

  • A base firewall policy is required and needs to include an IPS application-service statement to enable IPS inspection.

  • Enabling all attacks is not supported. If the policy does not load, check the service log files for policy size and load results.

  • A system log (syslog) server is required to collect security event-related messages when the messages are identified on the SRX Series data plane.

  • It is s important to understand that compiling and applying an IPS policy can take some time, depending on the number of attack objects and the size of the policy. Starting with Junos OS Release 12.1 and Junos OS Release 17.3R1, SRX Series devices are leveraged for smarter compilation engine along with caching compiled information so that the compilation process takes much less time. The compilation process is conducted asynchronously, which means that the SRX Series device starts the process but will not hold up CLI or SD session, but instead will allow you to check back later on the status.

Understanding Intrusion Prevention System for SRX Series Devices

Overview

The Juniper Networks intrusion prevention system (IPS) feature detects and prevents attacks in network traffic.

SRX Series devices provide the IPS functionality integrated within the Junos OS software; no special hardware is needed. IPS administrators have the option of deploying and administering IPS using the CLI or the Junos Space Security Director.

IPS Architecture

The IPS architecture is composed of the following:

  • SRX Series device with IPS—IPS functionality is integrated as part of Junos OS and no special hardware is required.

  • Management—SRX Series devices can be fully managed using the CLI commands. However, if there are multiple SRX Series devices involved in the IPS deployment, we recommend using the Junos Space Security Director application.

  • Logging—Juniper Secure Analytics (JSA) is Juniper Networks’ security information and event management (SIEM) solution. JSA has predefined dashboards and reports for the SRX Series devices IPS solution. In addition to logging, JSA provides event correlation, incident management, and flow monitoring. SRX Series logs are in syslog (structured data syslog) format, and these can be sent to JSA or to any other syslog servers that users might already have in place.

IPS with Chassis Clustering Limitations

IPS is supported in both active/passive and active/active chassis cluster modes on SRX Series devices with the following limitations:

  • No inspection is performed on sessions that fail over or fail back. Only new sessions after a failover are inspected by IPS, and older sessions become firewall sessions.

  • The IP action table is not synchronized across nodes. If an IP action is taken for a session, and the source IP, destination IP or both is added to the IP action table, this information is not synchronized to the secondary node. Therefore, the sessions from the source IP, destination IP or both will be forwarded until a new attack is detected.

  • The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IPS inspection.

Understanding the Intrusion Prevention System Deployment Modes for SRX Series Devices

This topic provide you an overview of the different types of IPS deployment modes for SRX Series devices.

IPS provides three different modes of deployment:

  • Integrated mode

  • Inline-tap mode

  • Sniffer mode

Integrated Mode

Integrated mode is supported on SRX Series devices. Integrated mode is the default mode in which IPS operates on the SRX Series devices (There are no specific indications that show that the device is in integrated mode.)

Note

We recommend deploying IPS in integrated mode.

Inline-Tap Mode

Junos OS Release 10.2 and later supports inline-tap mode only on SRX5400, SRX5600, and SRX5800 devices.

The main purpose of inline-tap mode is to provide best-case deep inspection analysis of traffic while maintaining overall performance and stability of the device. When a device is in inline-tap mode, the firewall process (flowd) processes the firewall traffic as normal, but makes a copy of the packet and puts it in a queue for the independent IPS module (idpd) to inspect. In the meantime, flowd forwards the original packet without waiting for idpd to perform the inspection.

Because inline tap mode puts IPS in a passive mode for inspection, preventative actions such as close, drop, and mark diffserv are deferred. The drop packet action is ignored.

Note

In inline-tap mode, the SRX Series device with IPS provides minimum protection. Upon detecting an attack, idpd can reset a session, but by the time the reset occurs, flowd would have allowed malicious packets through the network.

Sniffer Mode

Sniffer mode is supported only on SRX5400, SRX5600, and SRX5800 devices. You can use the sniffer mode of IPS deployment by configuring the interfaces in promiscuous mode and manipulating the traffic and flow setup with routing.

On SRX5400, SRX5600, and SRX5800 devices, in sniffer mode, ingress and egress interfaces work with flow showing both source and destination interface as egress interface.

As a workaround, in sniffer mode, use the tagged interfaces. Hence, the same interface names are displayed in the logs. For example, ge-0/0/2.0 as ingress (sniffer) interface and ge-0/0/2.100 as egress interface are displayed in the logs to show the source interface as ge-0/0/2.100.

set interfaces ge-0/0/2 promiscuous-mode
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 0 vlan-id 0
set interfaces ge-0/0/2 unit 100 vlan-id 100

Getting Started with IPS on SRX Series Devices

Before configuring the SRX Series device for IPS functionality, perform the following tasks:

  1. Install the License—You must install an IDP license before you can download any attack objects. If you are using only custom attack objects, you do not need to install a license, but if you want to download Juniper Networks predefined attack objects, you must have this license. Juniper provides you with the ability to download a 30-day trial license to permit this functionality for a brief period of time to evaluate the functionality. All you need is run the request system license add command either specifying a file storage location or copy and paste it into the terminal.

  2. Configure Network Access—Before you can download the attack objects, you must have network connectivity to either the Juniper download server or a local server from which the signatures can be downloaded. This typically requires network configuration (IP/Netmask, routing, and DNS) and permitted access to reach the server. At the time of this writing, HTTP proxies are not supported, but you can configure a local webserver from which to serve the files.

  3. Download Attack Objects—Before deploying the IPS, you must first download the attack objects from which the policy will be compiled. Triggering a manual download does not configure the SRX Series device to download them in the future, so you must configure automatic updates to download them.

  4. Install Attack Objects—Once the download has been completed, you must install the attack updates before they are actually used in a policy. If you already have a policy configured, you do not need to recommit the policy—installing the updates adds them to the policy. The installation process compiles the attack objects that have been downloaded to a stage directory into the configured policy.

  5. Download Policy Templates (optional)—You can optionally download and install predefined IPS policies known as policy templates provided by Juniper to get started. After finishing this chapter, you should be able to configure your own policy, so you probably will not need policy templates.

Note

Starting with Junos OS Release 12.1 and Junos OS Release 17.3R1, the SRX Series devices automatically push the signature package to the secondary member of the chassis cluster. Prior to Junos OS Release 12.1 and Junos OS Release 17.3R1, you had to use the fxp0 on both members of the cluster because both members had to download their own instance. With Junos OS Releases beyond 12.1 and 17.3R1, there is no explicit configuration. SRX Series device will download the signature package and push it to the secondary member during the download process.