Configuring Firewall and Intrusion Prevention System Services for SIP Signaling Traffic
You can set up stateful firewall and intrusion prevention system (IPS) security services so that they are applied to SIP signaling traffic before the traffic reaches the BSG. To use this feature, group your stateful firewall rules and your IDP policy in a service set configuration and then apply the service set to a services interface.
Note: The IPS feature uses the term Intrusion Detection and Prevention (IDP) to refer to its service package and its policies.
This topic consists of the following tasks:

- Enabling the IDP and Stateful Firewall Service Packages
- Creating an IDP Policy
- Configuring a Stateful Firewall
- Configuring the Service Set
- Applying the Service Set to a Services Interface
Enabling the IDP and Stateful Firewall Service Packages
The Junos OS provides IDP and stateful firewall plug-in service packages that you can use with the IMSG to provide firewall and security services to your SIP signaling traffic.
To enable the IDP and stateful firewall service packages on a PIC or DPC:
- Determine the FPC slot number and the PIC number of the services PIC or DPC on which you want to enable the IDP and stateful firewall service packages. In the following example, the FPC slot number is 0 and the PIC number is 3 (the MultiServices 100 PIC).

  ```
  user@host> show chassis hardware
  Hardware inventory:
  Item             Version  Part number  Serial number     Description
  . . .
  FPC 0                                                    E-FPC
    PIC 0          REV 11   750-002971   RH1375            4x OC-3 SONET, MM
    PIC 1          REV 12   750-012838   DN0449            4x 1GE(LAN), IQ2
      Xcvr 0       REV 01   740-013111   8142659           SFP-T
      Xcvr 1       REV 01   740-013111   8142630           SFP-T
      Xcvr 2       REV 01   740-013111   8155199           SFP-T
      Xcvr 3       REV 01   740-013111   8154799           SFP-T
    PIC 2          REV 11   750-005724   RH2051            2x OC-3 ATM-II IQ, MM
    PIC 3          REV 15   750-014895   DN3277            MultiServices 100
  . . .
  ```

- Enable the IDP and stateful firewall packages on the PIC or DPC.

  ```
  [edit chassis]
  user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider package jservices-idp
  user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider package jservices-sfw
  ```

- Set the number of megabytes that can be used for wired process memory, which is the virtual memory used to reduce Translation Look-aside Buffer (TLB) misses.

  ```
  [edit chassis]
  user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider wired-process-mem-size 512
  ```

- Set the number of processing cores dedicated to the control functionality of the jservices-idp and jservices-sfw applications.

  ```
  [edit chassis]
  user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider control-cores 8
  ```

- Specify that the PIC or DPC does not restart when a Routing Engine switchover occurs.

  ```
  [edit chassis]
  user@host# set no-service-pic-restart-on-failover
  ```

- Commit your configuration changes. You must commit before you can proceed to configure the IMSG.

  ```
  [edit]
  user@host# commit
  commit complete
  ```
Creating an IDP Policy
To create an IDP policy:

- Create an IDP policy and assign a name to it.

  ```
  [edit security idp]
  user@host# edit idp-policy attack-prevention
  ```

- Create a rulebase. For example, to create an IPS rulebase:

  ```
  [edit security idp idp-policy attack-prevention]
  user@host# edit rulebase-ips
  [edit security idp idp-policy attack-prevention rulebase-ips]
  ```

- Add a rule to the rulebase.

  ```
  [edit security idp idp-policy attack-prevention rulebase-ips]
  user@host# edit rule 1
  [edit security idp idp-policy attack-prevention rulebase-ips rule 1]
  ```

- Define match criteria for the rule. The example matches the default application and two predefined attack objects; choose attack objects appropriate to the SIP signaling traffic that the service set will inspect.

  ```
  [edit security idp idp-policy attack-prevention rulebase-ips rule 1]
  user@host# set match application default
  user@host# set match attacks predefined-attacks [ FTP:USER:ROOT TELNET:USER:ROOT ]
  ```

- Specify actions for the rule. The example drops the connection and logs the attack.

  ```
  [edit security idp idp-policy attack-prevention rulebase-ips rule 1]
  user@host# set then action drop-connection
  user@host# set then notification log-attacks
  ```
Configuring a Stateful Firewall
To configure a stateful firewall:

- Create a stateful firewall rule.

  ```
  [edit services stateful-firewall]
  user@host# edit rule r1
  ```

- Set the match direction for the rule. The input-output match direction makes the rule bidirectional, which is why the service set that contains it must later be applied in both the input and output directions.

  ```
  [edit services stateful-firewall rule r1]
  user@host# set match-direction input-output
  ```

- Add a term to the rule. The term's from conditions identify the traffic and its then action (for example, accept or discard) determines what happens to the matching flows.
Configuring the Service Set
Create a service set that contains the IDP policy and the stateful firewall rule.

To configure the service set:

- Create a service set configuration.

  ```
  [edit services]
  user@host# edit service-set IPS-FW
  ```

- Specify the name of the stateful firewall rule that you want to apply using this service set.

  ```
  [edit services service-set IPS-FW]
  user@host# set stateful-firewall-rules r1
  ```

- Specify the name of the IDP policy that you want to apply using this service set.

  ```
  [edit services service-set IPS-FW]
  user@host# set idp-profile attack-prevention
  ```

- Specify the service interface on which you want the service set applied. This must be a logical unit on the services PIC or DPC where you enabled the jservices-idp and jservices-sfw packages (FPC 0, PIC 3 in the earlier example); with the extension-provider packages, that PIC presents as an ms- interface.

  ```
  [edit services service-set IPS-FW]
  user@host# set interface-service service-interface ms-0/3/0.10
  ```
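The enabling procedure reads the FPC and PIC numbers off `show chassis hardware`, and the service set step has to name a services interface that lives on exactly that slot. The following Python script is an added example, not part of the Junos documentation: it parses the inventory excerpt shown earlier (reflowed into its columns and embedded as constructed sample input), derives the slots that hold services hardware, emits the `set chassis` statements from the first task for them, and checks a candidate `service-interface` name against the inventory. A name such as sp-0/2/0.10 points at FPC 0 PIC 2, which the inventory lists as an ATM PIC, so the check rejects it. The description keywords used to recognize services hardware (`MultiServices`, `MS-DPC`, `MS-MPC`, `MS-MIC`) and the ms- naming rule for extension-provider packages are assumptions of this example; the function names are hypothetical.

```python
"""Sanity-check services-PIC wiring from 'show chassis hardware' output.

Added example, not Junos documentation code. Parses the inventory, finds
services slots, generates the [edit chassis] statements for the
extension-provider packages, and validates a service set's
service-interface against the inventory.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's 'show chassis hardware' excerpt.
SAMPLE_INVENTORY = """\
Hardware inventory:
Item             Version  Part number  Serial number     Description
FPC 0                                                    E-FPC
  PIC 0          REV 11   750-002971   RH1375            4x OC-3 SONET, MM
  PIC 1          REV 12   750-012838   DN0449            4x 1GE(LAN), IQ2
    Xcvr 0       REV 01   740-013111   8142659           SFP-T
    Xcvr 1       REV 01   740-013111   8142630           SFP-T
    Xcvr 2       REV 01   740-013111   8155199           SFP-T
    Xcvr 3       REV 01   740-013111   8154799           SFP-T
  PIC 2          REV 11   750-005724   RH2051            2x OC-3 ATM-II IQ, MM
  PIC 3          REV 15   750-014895   DN3277            MultiServices 100
"""

SLOT_RE = re.compile(r"^(FPC|PIC)\s+(\d+)$")
# Assumed description keywords for services PICs/DPCs.
SERVICES_RE = re.compile(r"MultiServices|MS-DPC|MS-MPC|MS-MIC")
# Services interface name: type-fpc/pic/port with an optional logical unit.
IFL_RE = re.compile(r"^(ms|sp)-(\d+)/(\d+)/(\d+)(?:\.(\d+))?$")


def parse_pics(inventory: str) -> Dict[Tuple[int, int], str]:
    """Map (fpc, pic) -> description for every PIC row in the inventory.

    Columns are separated by runs of two or more spaces, so a description
    with single spaces ('MultiServices 100') stays one field.
    """
    pics: Dict[Tuple[int, int], str] = {}
    fpc: Optional[int] = None
    for raw in inventory.splitlines():
        fields = re.split(r"\s{2,}", raw.strip())
        m = SLOT_RE.match(fields[0])
        if not m:
            continue  # header, Xcvr rows, blank lines
        kind, number = m.group(1), int(m.group(2))
        if kind == "FPC":
            fpc = number
        elif fpc is not None:
            pics[(fpc, number)] = fields[-1]
    return pics


def services_pics(inventory: str) -> List[Tuple[int, int]]:
    """(fpc, pic) slots whose description identifies services hardware."""
    return sorted(slot for slot, desc in parse_pics(inventory).items()
                  if SERVICES_RE.search(desc))


def chassis_commands(fpc: int, pic: int, wired_mem_mb: int = 512,
                     control_cores: int = 8) -> List[str]:
    """The [edit chassis] statements of the enabling task as 'set' lines."""
    base = (f"set chassis fpc {fpc} pic {pic} adaptive-services "
            f"service-package extension-provider")
    return [
        f"{base} package jservices-idp",
        f"{base} package jservices-sfw",
        f"{base} wired-process-mem-size {wired_mem_mb}",
        f"{base} control-cores {control_cores}",
        "set chassis no-service-pic-restart-on-failover",
    ]


def check_service_interface(name: str, inventory: str) -> Tuple[bool, str]:
    """Verify that a service set's service-interface lands on a services slot.

    Catches a slot that is not services hardware (FPC 0 PIC 2 above is an
    ATM PIC) and an sp- name where the extension-provider packages present
    the PIC as ms- (assumed naming rule, matching the page's ms-0/0/0).
    """
    m = IFL_RE.match(name)
    if not m:
        return False, f"{name}: not an sp-/ms- services interface name"
    kind, fpc, pic = m.group(1), int(m.group(2)), int(m.group(3))
    if (fpc, pic) not in services_pics(inventory):
        desc = parse_pics(inventory).get((fpc, pic), "no PIC in this slot")
        return False, f"{name}: FPC {fpc} PIC {pic} is '{desc}', not a services PIC"
    if kind != "ms":
        return False, f"{name}: extension-provider packages present as ms-{fpc}/{pic}/0"
    return True, f"{name}: OK, services PIC in FPC {fpc} PIC {pic}"


if __name__ == "__main__":
    for fpc, pic in services_pics(SAMPLE_INVENTORY):
        print("\n".join(chassis_commands(fpc, pic)))
    for candidate in ("sp-0/2/0.10", "ms-0/3/0.10"):
        print(check_service_interface(candidate, SAMPLE_INVENTORY)[1])
```

Run it against the output of `show chassis hardware` on your own router before committing the service set, and treat a failed check as a reason to revisit either the chassis statements or the `service-interface` name rather than to commit both and debug missing flows later.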
Applying the Service Set to a Services Interface
On the interface that you configured for your BSG, apply the IDP and stateful firewall service set.

You can apply the service set to traffic received on the interface (input) and to traffic transmitted on the interface (output). For service sets that contain bidirectional service rules, such as the stateful firewall rule configured with match-direction input-output, you must include the same service set in both the input and output directions.

To apply the service set to a services interface:

- Enter edit mode for the services interface.

  ```
  [edit]
  user@host# edit interfaces ms-0/0/0
  ```

- Configure a logical unit and the protocol family, and enter edit mode for the logical unit.

  ```
  [edit interfaces ms-0/0/0]
  user@host# edit unit 0 family inet
  ```

- Apply the service set in the input and output directions on the interface.

  ```
  [edit interfaces ms-0/0/0 unit 0 family inet]
  user@host# set service input service-set IPS-FW
  user@host# set service output service-set IPS-FW
  ```

