Related Documentation
- SRX Series
- IDP in Logical Systems Overview
- SRX Series Logical System Master Administrator Configuration Tasks Overview
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Configuring an IDP Policy for the Master Logical System
This example shows how to configure an IDP policy in a master logical system.
Requirements
Before you begin:
- Log in to the master logical system as the master administrator. See Understanding the Master Logical System and the Master Administrator Role.
- Read IDP in Logical Systems Overview.
- Use the show system security-profile command to see the resources allocated to the master logical system. See the Junos OS CLI Reference.
Overview
In this example you configure a custom attack that is used in an IDP policy. The IDP policy is specified in a security profile that is applied to the master logical system. IDP is then enabled in a security policy configured in the master logical system.
You configure the features described in Table 1.
Table 1: IDP Configuration for the Master Logical System

| Feature | Name | Configuration Parameters |
|---|---|---|
| Custom attack | http-bf | Severity: critical. Time binding: count 3, scope peer. Stateful signature: context http-url-parsed, pattern .*juniper.*, direction client-to-server. |
| IPS rulebase policy | root-idp-policy | Match: application default; attacks custom-attacks http-bf. Action: drop-connection; notification log-attacks. |
| Logical system security profile | master-profile (previously configured and applied to root-logical-system) | Add IDP policy root-idp-policy. |
| Security policy | enable-idp | Enable IDP in a security policy that matches any traffic from the lsys-root-untrust zone to the lsys-root-trust zone. |
Note: A logical system can have only one active IDP policy at a time. To specify the active IDP policy for the master logical system, the master administrator can reference the IDP policy in the security profile that is bound to the master logical system, as shown in this example. Alternatively, the master administrator can use the active-policy configuration statement at the [edit security idp] hierarchy level. A commit error is generated if an IDP policy is both configured in the security profile that is bound to the master logical system and specified with the active-policy configuration statement. Use only one method to specify the active IDP policy for the master logical system.
Configuration
- Configuring a Custom Attack
- Configuring an IDP Policy for the Master Logical System
- Enabling IDP in a Security Policy
Configuring a Custom Attack
CLI Quick Configuration
To quickly configure this section of the example, copy the set commands from the Step-by-Step Procedure that follows into a text file, prefix each command with the hierarchy shown in the [edit ...] prompt above it (for example, a command entered at [edit security idp] becomes set security idp ... when entered at [edit]), remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a custom attack object:
- Log in to the master logical system as the master administrator and enter configuration mode.
  [edit]
  admin@host> configure
  admin@host#
- Create the custom attack object and set the severity level.
  [edit security idp]
  admin@host# set custom-attack http-bf severity critical
- Configure attack detection parameters. With count 3 and scope peer, the attack is reported only after the signature matches three times between the same source and destination address pair; scope source or scope destination would count matches per source address or per destination address instead.
  [edit security idp]
  admin@host# set custom-attack http-bf time-binding count 3
  admin@host# set custom-attack http-bf time-binding scope peer
- Configure stateful signature parameters. The signature inspects the parsed URL of client-to-server HTTP requests for the pattern .*juniper.*.
  [edit security idp]
  admin@host# set custom-attack http-bf attack-type signature context http-url-parsed
  admin@host# set custom-attack http-bf attack-type signature pattern .*juniper.*
  admin@host# set custom-attack http-bf attack-type signature direction client-to-server
Results
From configuration mode, confirm your configuration by entering the show security idp custom-attack http-bf command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
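The time-binding and signature settings above decide when http-bf is reported. The following Python model is an added example, not part of the Junos example or any Juniper code; it runs the signature over a few constructed HTTP requests and shows what count 3 with scope peer means compared with scope source and scope destination. The 60-second interval, the case-sensitive match of the pattern against the whole parsed URL, and the counter reset after each report are assumptions of the model, not verified Junos behaviour.

```python
import re
from collections import defaultdict

# Constructed sample traffic (not a real capture). Each tuple is
# (time in seconds, source IP, destination IP, direction, parsed URL).
# The http-url-parsed context on the SRX is the decoded request URL; the
# URLs below stand in for that context.
SAMPLE_REQUESTS = [
    (0.0, "10.1.1.10", "10.2.2.20", "client-to-server", "/search?q=juniper"),
    (1.0, "10.1.1.10", "10.2.2.20", "client-to-server", "/docs/juniper-srx"),
    (2.0, "10.1.1.11", "10.2.2.20", "client-to-server", "/juniper"),      # other source
    (3.0, "10.1.1.10", "10.2.2.20", "server-to-client", "/juniper"),      # wrong direction
    (4.0, "10.1.1.10", "10.2.2.20", "client-to-server", "/about"),        # no match
    (5.0, "10.1.1.10", "10.2.2.20", "client-to-server", "/Juniper"),      # case differs
    (6.0, "10.1.1.10", "10.2.2.20", "client-to-server", "/x/juniper/y"),  # third peer hit
]


def scope_key(scope, src, dst):
    """Map a time-binding scope to the key under which hits are counted."""
    if scope == "source":
        return (src,)
    if scope == "destination":
        return (dst,)
    if scope == "peer":
        return (src, dst)
    raise ValueError(f"unknown time-binding scope: {scope}")


def detect_time_bound_attack(requests, pattern=r".*juniper.*",
                             direction="client-to-server", count=3,
                             scope="peer", interval=60.0):
    """Return [(time, key), ...] for every point at which the custom attack
    would be reported.

    Model assumptions (not verified Junos behaviour): the pattern is matched
    case-sensitively against the whole context, which is why the example's
    pattern carries .* on both ends; hits are counted within a sliding
    60-second interval; the bucket is emptied after each report, so a long
    run of matches is reported once per `count` hits.
    """
    regex = re.compile(pattern)
    hits_by_key = defaultdict(list)
    reports = []
    for ts, src, dst, req_dir, url in requests:
        if req_dir != direction:          # signature direction client-to-server
            continue
        if regex.fullmatch(url) is None:  # context http-url-parsed, pattern .*juniper.*
            continue
        key = scope_key(scope, src, dst)
        recent = [t for t in hits_by_key[key] if ts - t < interval]
        recent.append(ts)
        if len(recent) >= count:          # time-binding count reached
            reports.append((ts, key))
            recent = []
        hits_by_key[key] = recent
    return reports


if __name__ == "__main__":
    for s in ("peer", "source", "destination"):
        print(s, detect_time_bound_attack(SAMPLE_REQUESTS, scope=s))
```

With scope peer the report fires at t=6 for the pair 10.1.1.10 to 10.2.2.20; the request from 10.1.1.11 does not count toward that pair. With scope destination the same three early requests, from two different sources to one server, already trip the count at t=2.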
Configuring an IDP Policy for the Master Logical System
CLI Quick Configuration
To quickly configure this section of the example, copy the set commands from the Step-by-Step Procedure that follows into a text file, prefix each command with the hierarchy shown in the [edit ...] prompt above it (for example, set idp-policy ... at [edit security idp] becomes set security idp idp-policy ... at [edit]), remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure an IDP policy:
- Create the IDP policy and configure match conditions.
  [edit security idp]
  admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 match application default
  admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 match attacks custom-attacks http-bf
- Configure actions for the IDP policy.
  [edit security idp]
  admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 then action drop-connection
  admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 then notification log-attacks
- Add the IDP policy to the security profile that is bound to the master logical system. The name must match the IDP policy defined in the previous steps (root-idp-policy).
  [edit system security-profile master-profile]
  admin@host# set idp-policy root-idp-policy
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy root-idp-policy and show system security-profile master-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Enabling IDP in a Security Policy
CLI Quick Configuration
To quickly configure this section of the example, copy the set commands from the Step-by-Step Procedure that follows into a text file, prefix each command with the hierarchy shown in the [edit ...] prompt above it (set security policies from-zone lsys-root-untrust to-zone lsys-root-trust ... when entered at [edit]), remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
To enable IDP in a security policy:
- Create the security policy and configure match conditions.
  [edit security policies from-zone lsys-root-untrust to-zone lsys-root-trust]
  admin@host# set policy enable-idp match source-address any
  admin@host# set policy enable-idp match destination-address any
  admin@host# set policy enable-idp match application any
- Enable IDP.
  [edit security policies from-zone lsys-root-untrust to-zone lsys-root-trust]
  admin@host# set policy enable-idp then permit application-services idp
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
If you are done configuring the device, enter commit from configuration mode.
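Before IDP inspects any traffic in the master logical system, the security-profile reference, the custom attack name used by the rulebase and the permit application-services idp action all have to line up, and the security profile must not be combined with active-policy (see the note in the Overview). The following Python checker is an added example, not Juniper code or an official tool. It parses the example's own set commands, written out here as a constructed flat list at the [edit] level, and flags an undefined idp-policy or custom attack, a missing application-services idp permit, and the security-profile/active-policy conflict.

```python
# Constructed input: the set commands of this example written out as a flat
# list at the [edit] hierarchy level. Not a capture from a real device.
EXAMPLE_CONFIG = """
set security idp custom-attack http-bf severity critical
set security idp custom-attack http-bf time-binding count 3
set security idp custom-attack http-bf time-binding scope peer
set security idp custom-attack http-bf attack-type signature context http-url-parsed
set security idp custom-attack http-bf attack-type signature pattern .*juniper.*
set security idp custom-attack http-bf attack-type signature direction client-to-server
set security idp idp-policy root-idp-policy rulebase-ips rule 1 match application default
set security idp idp-policy root-idp-policy rulebase-ips rule 1 match attacks custom-attacks http-bf
set security idp idp-policy root-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy root-idp-policy rulebase-ips rule 1 then notification log-attacks
set system security-profile master-profile idp-policy root-idp-policy
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match source-address any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match destination-address any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match application any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp then permit application-services idp
"""


def parse_set_lines(text):
    """Split a block of set commands into token lists, skipping blank lines."""
    return [line.split() for line in text.splitlines() if line.strip()]


def check_idp_config(text):
    """Return a list of findings; an empty list means the IDP wiring is consistent."""
    defined_attacks, defined_policies, used_attacks = set(), set(), set()
    profile_policy = {}      # security-profile name -> idp-policy it references
    active_policy = None     # set security idp active-policy <name>, if present
    idp_permits = set()      # security policies that permit application-services idp

    for tok in parse_set_lines(text):
        if tok[:4] == ["set", "security", "idp", "custom-attack"]:
            defined_attacks.add(tok[4])
        elif tok[:4] == ["set", "security", "idp", "idp-policy"]:
            defined_policies.add(tok[4])
            if "custom-attacks" in tok:
                used_attacks.add(tok[tok.index("custom-attacks") + 1])
        elif tok[:4] == ["set", "security", "idp", "active-policy"]:
            active_policy = tok[4]
        elif tok[:3] == ["set", "system", "security-profile"] and "idp-policy" in tok:
            profile_policy[tok[3]] = tok[tok.index("idp-policy") + 1]
        elif (tok[:3] == ["set", "security", "policies"]
              and tok[-2:] == ["application-services", "idp"]):
            idp_permits.add(tok[tok.index("policy") + 1])

    findings = []
    for name in sorted(used_attacks - defined_attacks):
        findings.append(f"rulebase references undefined custom attack {name}")
    for prof, pol in sorted(profile_policy.items()):
        if pol not in defined_policies:
            findings.append(f"security-profile {prof} references undefined idp-policy {pol}")
    if active_policy is not None and profile_policy:
        findings.append("idp-policy set in both a security-profile and active-policy: "
                        "Junos rejects this at commit; use one method only")
    if not idp_permits:
        findings.append("no security policy permits application-services idp, "
                        "so no traffic will be inspected")
    return findings


if __name__ == "__main__":
    for finding in check_idp_config(EXAMPLE_CONFIG) or ["config is consistent"]:
        print(finding)
```

Run against the example as written the checker returns no findings; change the security-profile line to reference a policy name that is never defined, or add set security idp active-policy alongside the profile reference, and it reports the problem before you commit.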
Verification
Verifying Attack Matches
Purpose
Verify that attacks are being matched in network traffic.
Action
From operational mode, enter the show security idp attack table command.
  IDP attack statistics:
    Attack name    #Hits
    http-bf        1
The http-bf counter increments only after traffic matching the signature (three client-to-server HTTP requests whose parsed URL matches .*juniper.*, from the same source to the same destination) has passed through a session permitted by the enable-idp policy. If the table is empty, generate such traffic from the lsys-root-untrust zone to the lsys-root-trust zone and check again.