Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation
Table of Contents
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Understanding IDP Policy Rules

    Each instruction in an Intrusion Detection and Prevention (IDP) policy is called a rule. Rules are created in rulebases.

    Rulebases are a set of rules that combine to define an IDP policy. Rules provide context to detection mechanisms by specifying which part of the network traffic the IDP system should look in to find attacks. When a rule is matched, it means that an attack has been detected in the network traffic, triggering the action for that rule. The IDP system performs the specified action and protects your network from that attack.

    IDP policy rules are made up of the following components:

    Understanding IDP Rule Match Conditions

    Match conditions specify the type of network traffic you want IDP to monitor for attacks.

    Match conditions use the following characteristics to specify the type of network traffic to be monitored:

    • From-zone and to-zone—All traffic flows from a source to a destination zone. You can select any zone for the source or destination. You can also use zone exceptions to specify unique to and from zones for each device. Specify any to monitor network traffic originating from and to any zone. The default value is any.
    • Source IP Address—Specify the source IP address from which the network traffic originates. You can specify any to monitor network traffic originating from any IP address. You can also specify source-except to specify all sources except the specified addresses. The default value is any.
    • Destination IP address—Specify the destination IP address to which the network traffic is sent. You can set this to any to monitor network traffic sent to any IP address. You can also specify destination-except to specify all destinations except the specified addresses. The default value is any.
    • Application—Specify the Application Layer protocols supported by the destination IP address. You can specify any for all applications and default for the application configured in the attack object for the rule.

    Understanding IDP Rule Objects

    Objects are reusable logical entities that you can apply to rules. Each object that you create is added to a database for the object type.

    You can configure the following types of objects for IDP rules.

    Zone Objects

    A zone or security zone is a collection of one or more network interfaces. IDP uses zone objects configured in the base system.

    Address or Network Objects

    Address objects represent components of your network, such as host machines, servers, and subnets. You use address objects in IDP policy rules to specify the network components that you want to protect.

    Application or Service Objects

    Service objects represent network services that use Transport Layer protocols such as TCP, UDP, RPC, and ICMP. You use service objects in rules to specify the service an attack uses to access your network. Juniper Networks provides predefined service objects, a database of service objects that are based on industry-standard services. If you need to add service objects that are not included in the predefined service objects, you can create custom service objects. IDP supports the following types of service objects:

    • Any—Allows IDP to match all Transport Layer protocols.
    • TCP—Specifies a TCP port or a port range to match network services for specified TCP ports. You can specify junos-tcp-any to match services for all TCP ports.
    • UDP—Specifies a UDP port or a port range to match network services for specified UDP ports. You can specify junos-udp-any to match services for all UDP ports.
    • RPC—Specifies a remote procedure call (RPC from Sun Microsystems) program number or a program number range. IDP uses this information to identify RPC sessions.
    • ICMP—Specifies a type and code that is a part of an ICMP packet. You can specify junos-icmp-all to match all ICMP services.
    • default—Allows IDP to match default and automatically detected protocols to the applications implied in the attack objects.

    Attack Objects

    IDP attack objects represent known and unknown attacks. IDP includes a predefined attack object database that is periodically updated by Juniper Networks. Attack objects are specified in rules to identify malicious activity. Each attack is defined as an attack object, which represents a known pattern of attack. Whenever this known pattern of attack is encountered in the monitored network traffic, the attack object is matched. The three main types of attack objects are described in Table 1:

    Table 1: IDP Attack Objects Description

    Attack Objects

    Description

    Signature Attack Objects

    Signature attack objects detect known attacks using stateful attack signatures. An attack signature is a pattern that always exists within an attack; if the attack is present, so is the attack signature. With stateful signatures, IDP can look for the specific protocol or service used to perpetrate the attack, the direction and flow of the attack, and the context in which the attack occurs. Stateful signatures produce few false positives because the context of the attack is defined, eliminating huge sections of network traffic in which the attack would not occur.

    Protocol Anomaly Attack Objects

    Protocol anomaly attack objects identify unusual activity on the network. They detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used. Protocol anomaly detection works by finding deviations from protocol standards, most often defined by RFCs and common RFC extensions. Most legitimate traffic adheres to established protocols. Traffic that does not, produces an anomaly, which may be created by attackers for specific purposes, such as evading an intrusion prevention system (IPS).

    Compound Attack Objects

    A compound attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the compound attack object; you can specify the order in which signatures or anomalies must match. Use compound attack objects to refine your IDP policy rules, reduce false positives, and increase detection accuracy. A compound attack object enables you to be very specific about the events that need to occur before IDP identifies traffic as an attack. You can use And, Or, and Ordered and operations to define the relationship among different attack objects within a compound attack and the order in which events occur.

    Attack Object Groups

    IDP contains a large number of predefined attack objects. To help keep IDP policies organized and manageable, attack objects can be grouped. An attack object group can contain one or more attack objects of different types. Junos OS supports the following two types of attack groups:

    • Pre defined attack object groups—Contain objects present in the signature database. The Pre defined attack object groups are dynamic in nature. For example, FTP: Minor group selects all attacks of application- FTP and severity- Minor. If a new FTP attack of minor severity is introduced in the security database, it is added to the FTP: Minor group by default.
    • Dynamic attack groups—Contain attack objects based on a certain matching criteria. For example, a dynamic group can contain all attacks related to an application. During signature update, the dynamic group membership is automatically updated based on the matching criteria for that group.

      On SRX Series devices, for a dynamic attack group using the direction filter, the expression 'and' should be used in the exclude values. As is the case with all filters, the default expression is 'or'. However, there is a choice of 'and' in the case of the direction filter.

      For example, if you want to choose all attacks with the direction client-to-server, configure the direction filter using set security idp dynamic-attack-group dyn1 filters direction values client-to-server command

      In the case of chain attacks, each of the multiple members has its own direction. If a policy includes chain attacks, a client-to-server filter selects all chain attacks that have any member with client-to-server as the direction. This means chain attacks that include members with server-to-client or ANY as the direction are selected if the chain has at least one member with client-to-server as the direction.

      To prevent these chain attacks from being added to the policy, configure the dynamic group as follows:

      • set security idp dynamic-attack-group dyn1 filters direction expression and
      • set security idp dynamic-attack-group dyn1 filters direction values client-to-server
      • set security idp dynamic-attack-group dyn1 filters direction values exclude-server-to-client
      • set security idp dynamic-attack-group dyn1 filters direction values exclude-any
    • Custom attack groups—Contain customer defined attack groups and can be configured through the CLI. They can contain specific predefined attacks, custom attacks, predefined attack groups, or dynamic attack groups. They are static in nature, because the attacks are specified in the group. Therefore the attack group do not change when the security database is updated

    Understanding IDP Rule Actions

    Actions specify the actions you want IDP to take when the monitored traffic matches the attack objects specified in the rules.

    Table 2 shows the actions you can specify for IDP rules:

    Table 2: IDP Rule Actions

    Term

    Definition

    No Action

    No action is taken. Use this action when you only want to generate logs for some traffic.

    Ignore Connection

    Stops scanning traffic for the rest of the connection if an attack match is found. IDP disables the rulebase for the specific connection.

    Note: This action does not mean ignore an attack.

    Diffserv Marking

    Assigns the indicated Differentiated Services code point (DSCP) value to the packet in an attack, then passes the packet on normally.

    Note that DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets.

    Drop Packet

    Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address.

    Note: When an IDP policy is configured using a non-packet context defined in a custom signature for any application and has the action drop packet, when IDP identifies an attack the decoder will promote drop_packet to drop_connection. With a DNS protocol attack, this is not the case. The DNS decoder will not promote drop_packet to drop_connection when an attack is identified. This will ensure that only DNS attack traffic will be dropped and valid DNS requests will continue to be processed. This will also avoid TCP retransmission for the valid TCP DNS requests..

    Drop Connection

    Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

    Close Client

    Closes the connection and sends an RST packet to the client but not to the server.

    Close Server

    Closes the connection and sends an RST packet to the server but not to the client.

    Close Client and Server

    Closes the connection and sends an RST packet to both the client and the server.

    Recommended

    All predefined attack objects have a default action associated with them. This is the action that Juniper Networks recommends when that attack is detected.

    Note: This action is supported only for IPS rulebases.

    Recommended —A list of all attack objects that Juniper Networks considers to be serious threats, organized into categories.

    • Attack type groups attack objects by type (anomaly or signature). Within each type, attack objects are grouped by severity.
    • Category groups attack objects by predefined categories. Within each category, attack objects are grouped by severity.
    • Operating system groups attack objects by the operating system to which they apply: BSD, Linux, Solaris, or Windows. Within each operating system, attack objects are grouped by services and severity.
    • Severity groups attack objects by the severity assigned to the attack. IDP has five severity levels: Critical, Major, Minor, Warning, and Info. Within each severity, attack objects are grouped by category.

    Understanding IDP Rule IP Actions

    IP actions are actions that apply on future connections that use the same IP action attributes. For example, you can configure an IP action in the rule to block all future HTTP sessions between two hosts if an attack is detected on a session between the hosts. Or you can specify a timeout value that defines that the action should be applied only if new sessions are initiated within that specified timeout value. The default timeout value for IP actions is 0, which means that IP actions are never timed out.

    IP actions are similar to other actions; they direct IDP to drop or close the connection. However, because you now also have the attacker’s IP address, you can choose to block the attacker for a specified time. If attackers cannot immediately regain a connection to your network, they might try to attack easier targets. Use IP actions in conjunction with actions and logging to secure your network.

    IP action attributes are a combination of the following fields:

    • Source IP address
    • Destination IP address
    • Destination port
    • From-zone
    • Protocol

    Table 3 summarizes the types IP actions supported by IDP rules:

    Table 3: IDP Rule IP Actions

    Term

    Definition

    Notify

    Does not take any action against future traffic, but logs the event. This is the default.

    Drop/Block Session

    All packets of any session matching the IP action rule are dropped silently.

    Close Session

    Any new sessions matching this IP action rule are closed by sending RST packets to the client and server.

    When traffic matches multiple rules, the most severe IP action of all matched rules is applied. The most severe IP action is the Close Session action, the next in severity is the Drop/Block Session action, and then the Notify action.

    Understanding IDP Rule Notifications

    Notification defines how information is to be logged when an action is performed. When attacks are detected, you can choose to log an attack and create log records with attack information and send that information to the log server.

    By using notifications, you can also configure the following options that instruct the log server to perform specific actions on logs generated for each rule:

    • Set Alerts—Specify an alert option for a rule in the IDP policy. When the rule is matched, the corresponding log record displays an alert in the alert column of the Log Viewer. Security administrators use alerts to become aware of and react to important security events.
    • Set Severity Level—Set severity levels in logging to support better organization and presentation of log records on the log server. You can use the default severity settings of the selected attack objects or choose a specific severity for your rule. The severity you configure in the rules overrides the inherited attack severity. You can set the severity level to the following levels:
      • Info—2
      • Warning—3
      • Minor—4
      • Major—5
      • Critical—7
     

    Related Documentation

     

    Published: 2012-06-29

    Previous Page Next Page