Understanding IDP Signature Database for Migration

The signature database is one of the major components of the intrusion prevention system (IPS). It contains definitions of different objects, such as attack objects, application signature objects, and service objects, that are used in defining IDP policy rules.

Understanding the IPS Signature Database

The signature database is one of the major components of the intrusion prevention system (IPS). It contains definitions of different objects, such as attack objects, application signature objects, and service objects, that are used in defining IDP policy rules. As a response to new vulnerabilities, Juniper Networks periodically provides a file containing attack database updates on the Juniper Networks website. You can download this file to protect your network from new threats.

Note

IPS does not need a separate license to run as a service on the SRX Series device; however, a license is required for IPS updates. Custom attacks and custom attack groups in IDP policies can also be configured and installed even when a valid license and signature database are not installed on the device.

The IPS signature database is stored on the IPS-enabled device and contains definitions of predefined attack objects and groups. These attack objects and groups are designed to detect known attack patterns and protocol anomalies within the network traffic. The IPS signature database includes more than 5000 signatures and more than 1200 protocol anomalies.

IPS updates and application signature package updates are a separately licensed subscription service. You must install the IPS signature database license key on your device to download and install the daily signature database updates from the Juniper Networks website. The IPS signature license key does not provide grace period support.

Note

If you require both AppSecure and IPS features, you must install the application signature license in addition to the IPS signature database update license key.

The signature database comprises the following components:

  • Detector engine—The IDP detector engine is a dynamic protocol decoder that includes support for decoding more than 60 protocols and more than 500 service contexts. You can download the protocol detector engine updates along with the signature database updates.

  • Attack database—The attack signature database stores data definitions for attack objects and attack object groups. Attack objects comprise stateful signatures and traffic anomalies. You specify attack objects in IDP rulebase rules. New attacks are discovered daily, so it is important to keep your signature database up to date. You can download the attack database updates from the Juniper Networks website.

  • Application signature database—The application signature database stores data definitions for application objects. Application objects are patterns that are used to identify applications that are running on standard or nonstandard ports.

Note

We recommend using the latest version of the signature database to ensure an up-to-date attack database.

Managing the IPS Signature Database (CLI)

This example shows how to install and schedule the signature database updates using the CLI.

Requirements

Before you install the signature database updates, ensure that you have installed an IPS license key.

Overview

IPS signature database management comprises the following tasks:

  • Update the signature database—Download the attack database updates available on the Juniper Networks website. New attacks are discovered daily, so it is important to keep your signature database up to date.

  • Verify the signature database version—Each signature database has a different version number with the latest database having the highest number. You can use the CLI to display the signature database version.

  • Update the protocol detector engine—You can download the protocol detector engine updates along with the signature database. The IPS protocol detector contains Application Layer protocol decoders. The detector is coupled with the IDP policy and is updated together. It is always needed at policy update time, even if there is no change in the detector.

  • Schedule signature database updates—You can configure the IPS-enabled device to automatically update the signature database after a set interval.

Configuration

Downloading and Installing the IPS Signature Package

Step-by-Step Procedure

New attacks are discovered daily, so it is important to keep your signature database up to date. In this example, you download and then install the latest signature package from the signature database server:

  1. Download the attack database updates available on the Juniper Networks website:

    By default, when you download the security package, you download the following components into a Staging folder on your device: the latest version of the complete attack object groups table, the application objects table, and the updates to the IPS Detector Engine. Because the attack objects table is typically very large, by default the system downloads only the updates to the attack objects table. However, you can download the complete attack objects table by using the full-update configuration option.

  2. Check the security package download status:

    On a successful download, the following message is displayed:

  3. After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device. Install the security package:
  4. Check the status of the install:

    On a successful install, the following message is displayed:

Verifying the Signature Database Version

Step-by-Step Procedure

Each signature database has a different version number with the latest database having the highest number.

  • Use the CLI to verify the signature database version installed:

    The following sample output shows the version number for the signature package:

Scheduling the Signature Database Updates

Step-by-Step Procedure

You can configure an IPS-enabled device to automatically update the signature database after a set interval. After the initial manual setup, we recommend that you schedule the signature updates so you always have protection against new vulnerabilities.

  • To schedule the signature package download, from configuration mode, specify the start time and the interval for the download:

    For example, to set a schedule for the signature download every 72 hours, you use the following configuration:
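The download, install, version check and 72-hour schedule described in this procedure, as an added end-to-end Junos CLI transcript. This is not the page's own output: the prompts and the start time are constructed sample values, command output is omitted, and lines beginning with `##` are commentary rather than commands; the commands themselves are the standard `request security idp security-package` and `set security idp security-package` statements.

```junos
## Operational mode: fetch the latest security package into the Staging folder.
## Without "full-update" only the deltas of the attack objects table are fetched;
## "full-update" pulls the complete attack objects table.
user@host> request security idp security-package download
user@host> request security idp security-package download full-update

## Poll the download; repeat until it reports completion before installing.
user@host> request security idp security-package download status

## Install from the Staging folder: updates the attack database, the active
## policy and the detector engine in one step, then poll until it finishes.
user@host> request security idp security-package install
user@host> request security idp security-package install status

## Confirm the installed attack database and detector versions (higher = newer).
user@host> show security idp security-package-version

## Configuration mode: schedule an automatic download every 72 hours.
## The start time is a constructed sample value (format YYYY-MM-DD.hh:mm:ss).
user@host> configure
user@host# set security idp security-package automatic start-time 2019-10-01.02:00:00 interval 72
user@host# set security idp security-package automatic enable
user@host# commit and-quit
```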

Downloading and Installing the IPS Signature Package from an Older Junos OS Release Version to a Newer Junos OS Release Version

Step-by-Step Procedure

Starting with Junos OS Release 17.3, when you upgrade from Junos OS Release 12.3X48 or 15.1X49 to Junos OS Release 17.3 or downgrade from Junos OS Release 17.3 to Junos OS Release 12.3X48 or 15.1X49, you must update the IPS signature package by downloading and installing the IPS signature package update.

Note

We recommend that you perform the IPS signature package update. If the IPS signature package download that preceded the upgrade or downgrade was an incremental (or decremental) update, then reinstalling the IPS signature package without downloading it again updates the package with only the incremental attacks from that last download and does not include any attacks from the baseline release. Therefore, to avoid an IDP commit configuration failure, update the IPS signature package.

The following procedure shows how to download and install an IPS signature package and update the package from an older Junos OS release version to a newer Junos OS release version:

  1. Perform a full update of the security package version.

    By default, when you download the security package, you download the following components into a Staging folder on your device—the latest version of the complete attack object groups table, the application objects table, and the updates to the IPS Detector Engine. Because the attack objects table is typically very large, by default the system downloads only the updates to the attack objects table.

  2. Check the security package download status.

    On a successful download, the following message is displayed:

  3. Install the security package to update the security database with the newly downloaded updates from the Staging folder in your device.
  4. Check the status of the install.

    On a successful install, the following message is displayed:

    Note

    When you upgrade from Junos OS Release 15.1X49 to Junos OS Release 17.3, the following warning message is displayed:

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the IPS Signature Database

Purpose

Display the IPS signature database.

Action

From operational mode, enter the show security idp command.

Managing the IPS Signature Database (Security Director)

This example shows how to install and schedule the signature database updates using Junos Space Security Director.

Requirements

This example uses the following hardware and software components:

  • SRX Series device

Before you install the signature database updates, ensure that you have:

  • Installed an IPS license key

Overview

The IPS signature database can be updated using either the CLI or Junos Space Security Director. SRX Series devices can be fully managed from the CLI; however, for large deployment scenarios that use multiple SRX Series devices, it is easier to manage the security package using a management platform.

Configuration

Downloading and Installing the IPS Signature Package

Step-by-Step Procedure

In this example, you download and then install the latest signature package from the signature database server:

  1. Navigate to Security Director > Downloads > Signature Database.

    Choose the signature package listed as the latest and select Action > Download to download the signature package to Security Director.

    By default, when you download the security package, you download the following components into a Staging folder on your device: the latest version of the complete attack object groups table, the application objects table, and the updates to the IPS Detector Engine. Because the attack objects table is typically very large, by default the system downloads only the updates to the attack objects table. However, you can download the complete attack objects table by using the full-update configuration option.

  2. Check the security package download status:

    On a successful download, the following message is displayed:

  3. After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device. Install the security package:
  4. Check the status of the install:

    On a successful install, the following message is displayed:

Verifying the Signature Database Version

Step-by-Step Procedure

Each signature database has a different version number with the latest database having the highest number.

  • Use the CLI to verify the signature database version installed:

    The following sample output shows the version number for the signature package:

Scheduling the Signature Database Updates

Step-by-Step Procedure

You can configure an IPS-enabled device to automatically update the signature database after a set interval. After the initial manual setup, we recommend that you schedule the signature updates so you always have protection against new vulnerabilities.

  • To schedule the signature package download, from configuration mode, specify the start time and the interval for the download:

    For example, to set a schedule for the signature download every 72 hours, you use the following configuration:

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the IPS Signature Database

Purpose

Display the IPS signature database.

Action

From operational mode, enter the show security idp command.

Example: Updating the IPS Signature Database Manually

This example shows how to update the IPS signature database manually.

Requirements

Before you begin, configure network interfaces.

Overview

Juniper Networks regularly updates the predefined attack database and makes it available as a security package on the Juniper Networks website. This database includes attack objects and attack object groups that you can use in IDP policies to match traffic against known attacks.

In this example, you download the security package with the complete table of attack objects and attack object groups. Once the installation is completed, the attack objects and attack object groups are available in the CLI under the predefined-attack-groups and predefined-attacks configuration statements at the [edit security idp idp-policy] hierarchy level. You create a policy and specify the new policy as the active policy. You only download the updates that Juniper Networks has recently uploaded and then update the attack database, the running policy, and the IPS protocol detector with these new updates.

Configuration

CLI Quick Configuration

CLI quick configuration is not available for this example, because manual intervention is required during the configuration.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To manually download and update the signature database:

  1. Specify the URL for the security package.
    Note

    By default, the URL is https://services.netscreen.com/cgi-bin/index.cgi.

  2. Commit the configuration.
  3. Switch to operational mode.
  4. Download the security package.
  5. Check the security package download status.
  6. Update the attack database using the install command.
  7. Check the attack database update status using the following command. The command output displays information about the downloaded and installed versions of the attack database.
  8. Switch to configuration mode.
  9. Create an IDP policy.
  10. Associate attack objects or attack object groups with the policy.
  11. Set the action.
  12. Activate the policy.
  13. Commit the configuration.
  14. In the future, if you want to download the signature package, download only the updates that Juniper Networks has recently uploaded.
  15. Check the security package download status.
  16. Update the attack database, the active policy, and the detector with the new changes.
  17. Check the attack database, the active policy, and the detector.
    Note

    It is possible that an attack has been removed from the new version of an attack database. If this attack is used in an existing policy on your device, the installation of the new database will fail. An installation status message identifies the attack that is no longer valid. To update the database successfully, remove all references to the deleted attack from your existing policies and groups, and rerun the install command.
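Steps 9 to 17 above, followed by the recovery path for the removed-attack failure described in the note, as an added Junos CLI transcript. This is not the page's own output: the policy name `recommended-ips`, the rule name `r1`, the attack group `"HTTP - Critical"` and the attack name `SAMPLE:ATTACK:NAME` are constructed samples, command output is omitted, and lines beginning with `##` are commentary rather than commands.

```junos
## Configuration mode: build a policy from objects the installed package provides.
## Policy, rule and attack names are constructed samples.
user@host> configure
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 match from-zone any
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 match to-zone any
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 match source-address any
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 match destination-address any
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 match application default
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 match attacks predefined-attack-groups "HTTP - Critical"
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 match attacks predefined-attacks SAMPLE:ATTACK:NAME
user@host# set security idp idp-policy recommended-ips rulebase-ips rule r1 then action drop-connection
user@host# set security idp active-policy recommended-ips
user@host# commit and-quit

## Later: incremental download (no full-update), then push the new objects into
## the attack database, the active policy and the detector in one install.
user@host> request security idp security-package download
user@host> request security idp security-package download status
user@host> request security idp security-package install
user@host> request security idp security-package install status

## If the install status names an attack that the new database no longer
## contains, locate every reference to it, remove them, commit, and rerun the
## install. The attack name below is the constructed sample from the policy.
user@host> show configuration security idp | display set | match "SAMPLE:ATTACK:NAME"
user@host> configure
user@host# delete security idp idp-policy recommended-ips rulebase-ips rule r1 match attacks predefined-attacks SAMPLE:ATTACK:NAME
user@host# commit and-quit
user@host> request security idp security-package install
user@host> request security idp security-package install status
```

Until the dangling reference is removed and the install reruns cleanly, the device keeps running the previously installed attack database and policy, so the version check is the way to confirm the update actually took effect.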

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the IDP Signature Database Manually

Purpose

Display the IDP signature database manually.

Action

From operational mode, enter the show security idp command.

Example: Downloading and Installing the IPS Signature Package in Chassis Cluster Mode

This example shows how to download and install the IPS signature database to a device operating in chassis cluster mode.

Requirements

Before you begin, set the chassis cluster node ID and cluster ID. See Example: Setting the Node ID and Cluster ID for SRX Series Devices in a Chassis Cluster.

Overview

The security package for intrusion detection and prevention (IDP) contains a database of predefined IDP attack objects and IDP attack object groups that you can use in IDP policies to match traffic against known and unknown attacks. Juniper Networks regularly updates the predefined attack objects and groups with newly discovered attack patterns.

To update the signature database, you must download a security package from the Juniper Networks website. After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device.

Note

On branch SRX Series devices, if your device memory utilization is high on the control plane, loading a large IDP policy might cause the device to run out of memory. This can trigger a system reboot during the IPS security package update.

When you download the IPS security package on a device operating in chassis cluster mode, the security package is downloaded to the primary node and then synchronized to the secondary node. This synchronization helps maintain the same version of the security package on both the primary node and the secondary node.

Downloading and Installing the IPS Signature Database

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Specify the URL for the security package.
  2. Switch to operational mode.
  3. Download the IPS security package to the primary node (downloads in the var/db/idpd/sec-download folder).

    The following message is displayed:

  4. Check the security package download status.

    On a successful download, the following message is displayed:

  5. Update the attack database using the install command.
  6. Check the attack database update status. The command output displays information about the downloaded and installed versions of the attack database.
    Note

    You must download the IPS signature package to the primary node. This way, the security package is synchronized on the secondary node. Attempts to download the signature package to the secondary node will fail.

    If you have configured a scheduled download for the security packages, the signature package files are automatically synchronized from the primary node to the backup node.
