Intrusion Detection and Prevention Overview
Intrusion detection is the process of monitoring the events occurring in your network and analyzing them for signs of possible incidents, violations, or imminent threats to your security policies. Intrusion prevention is the process of performing intrusion detection and then stopping the detected incidents. These security measures are available as intrusion detection systems (IDS) and intrusion prevention systems (IPS), which become part of your network to detect and stop potential incidents.
Understanding Intrusion Detection and Prevention
An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce various attack detection and prevention techniques on the network traffic passing through your security device. Security devices offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. The basic IDP configuration involves the following tasks:
- Download and install the IDP license.
- Download and install the signature database—You must download and install the IDP signature database. The signature databases are available as a security package on the Juniper Networks website. This database includes attack objects and attack object groups that you can use in IDP policies to match traffic against known attacks.
- Configure the recommended policy as the IDP policy—Juniper Networks provides predefined policy templates to use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements.
  To get started, we recommend you use the predefined policy named “Recommended”.
- Enable a security policy for IDP inspection—For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect.
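The four tasks above as one Junos CLI walk-through, added here as an example and not copied from Juniper's documentation; the license file path, the zone names trust and untrust, and the policy name idp-app-policy-1 are assumptions, while “Recommended” is the template name the text cites.

```junos
## Task 1 (operational mode): install the IDP license.
## /var/tmp/idp-license.txt is an assumed file name; use the file you received.
user@host> request system license add /var/tmp/idp-license.txt

## Task 2 (operational mode): download the security package, then install it.
## Poll the status commands until each step reports completion before moving on.
user@host> request security idp security-package download
user@host> request security idp security-package download status
user@host> request security idp security-package install
user@host> request security idp security-package install status

## Task 3 (operational, then configuration mode): fetch the predefined policy
## templates and make the "Recommended" template the active IDP policy.
user@host> request security idp security-package download policy-templates
user@host> request security idp security-package install policy-templates
user@host> configure
## On releases that deliver the templates as a commit script, enable it once so
## the template policies are generated, then remove it again after activation.
user@host# set system scripts commit file templates.xsl
user@host# commit
user@host# set security idp active-policy Recommended
user@host# delete system scripts commit file templates.xsl

## Task 4 (configuration mode): a security policy (assumed zones trust/untrust,
## assumed name idp-app-policy-1) that sends matching transit traffic to IDP.
user@host# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any
user@host# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match application any
user@host# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp
user@host# commit and-quit

## Verification: installed signature/package version, IDP engine status, and
## that the policy carries the IDP application service.
user@host> show security idp security-package-version
user@host> show security idp status
user@host> show security policies policy-name idp-app-policy-1 detail
```

Traffic that does not match a policy with application-services idp is never handed to IDP, so check the policy output, not only the IDP status, when confirming inspection coverage.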
SRX5400, SRX5600, and SRX5800 devices can be deployed in inline tap mode.
Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, inline tap mode is not supported.
Understanding IDP Inline Tap Mode
Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, IDP inline tap mode is not supported on SRX Series devices. Also, SRX Series devices with SPC5K-SPC3 cards do not support inline tap mode. When you configure inline tap mode on such a device, the following message is displayed along with the existing warning:
IDP inline tap mode configuration must not be enabled for SPC3.
The main purpose of inline tap mode is to provide best-case deep inspection analysis of traffic while maintaining the overall performance and stability of the device. The inline tap feature provides passive, inline detection of application-layer threats for traffic matching security policies that have the IDP application service enabled. When a device is in inline tap mode, packets pass through firewall inspection and are also copied to the independent IDP module. This allows the packets to reach the next service module without waiting for IDP processing results. As a result, when the traffic input exceeds the IDP throughput limit, the device can still sustain processing as long as the traffic does not exceed the limits of the other modules, such as the firewall. If the IDP process fails, all other features of the device continue to function normally. Once the IDP process recovers, it resumes processing packets for inspection. Because inline tap mode puts IDP in a passive monitoring role, preventive actions such as close session, drop, and mark diffserv are deferred, and the drop packet action is ignored.
Inline tap mode can only be configured if the forwarding process mode is set to maximize IDP sessions, which ensures stability and resiliency for firewall services. You also do not need a separate tap or span port to use inline tap mode.
You must restart the device when switching to inline tap mode or back to regular mode.
Example: Configuring IDP Inline Tap Mode
This example shows how to configure a device for inline tap mode.
Before you begin, review the inline tap mode feature. See Understanding IDP Inline Tap Mode.
Starting in Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, IDP inline tap mode is not supported on SRX Series devices.
The inline tap mode feature provides passive, inline detection of Application Layer threats for traffic matching security policies that have the IDP application service enabled.
IDP inline tap mode does not require a separate tap or span port.
To configure a device for inline tap mode:
- Set inline tap mode.
  user@host# set security forwarding-process application-services maximize-idp-sessions inline-tap
- If you are done configuring the device, commit the configuration.
  user@host# commit
- Restart the system from operational mode.
  user@host> request system reboot
  When switching to inline tap mode or back to regular mode, you must restart the device.
- If you want to switch the device back to regular mode, delete the inline tap mode configuration.
  [edit security]
  user@host# delete forwarding-process application-services maximize-idp-sessions inline-tap
To verify that inline tap mode is enabled, enter the show security idp status command. The line item for the forwarding process mode shows “Forwarding process mode: maximizing sessions (Inline-tap)”.