
    Configuring Intrusion Detection and Prevention

    The Junos OS intrusion detection and prevention (IDP) policy enables you to selectively enforce attack detection and prevention techniques on network traffic passing through an IDP-enabled device. It allows you to define policy rules that match a section of traffic based on zone, network, and application, and then take active or passive preventive actions on that traffic. An IDP policy therefore defines how your device handles the network traffic that is handed to it for inspection.

    A policy is made up of rulebases, and each rulebase is comprised of a set of rules. You define rule parameters, such as traffic match conditions, action, and logging requirements, and then add the rules to rulebases. After you create an IDP policy by adding rules in one or more rulebases, you can select that policy to be the active policy on your device. Junos OS allows you to configure multiple IDP policies, but a device can have only one active IDP policy at a time. You can install the same IDP policy on multiple devices, or you can install a unique IDP policy on each device in your network. A single policy can contain only one instance of any type of rulebase.

    For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect. Security policies contain rules defining the types of traffic permitted on the network and how the traffic is treated inside the network. Enabling IDP in a security policy directs traffic that matches the specified criteria to be checked against the IDP rulebases.

    Note: The action set in the security policy action must be permit. You cannot enable IDP for traffic that the device denies or rejects.

    To install and configure IDP on the SRX chassis cluster, follow these steps:

    1. Install an IDP license to enable IDP signature updates. In order to download and use the predefined attack signatures in a policy, the IDP license must be installed. If you are using only custom signatures, you do not need an IDP license. Once your license file is purchased and available, install the license from the Junos OS terminal.
      root@vdc-edge-fw01-n1> request system license add terminal
      [Type ^D at a new line to end input,
       enter blank line between each license key]
      Serial No :              AB0813AA0021
      Model :                  SRX3600
      Features :               SRX3600-APPSEC-A-1 0
      Issue Date :             17-Dec-2013
      Expiration Date :        16-Dec-2014
      License Id :             JUNOS466173
      License Key : 
      JUNOS466173 aeaqea qmifbd aobrgn aucmbq giyqqb qcdw7l
                  rqbea4 ujbpu2 q4esq2 sucbpr wrroiw w5kgvv
                  35oxsq ne4ynp ljbecm c5ug52 3s6cbj ldpuqj
                  xny
      
      
    2. Once the license is installed, verify that the idp-sig feature is listed with a license installed and none needed.
      root@vdc-edge-fw01-n0> show system license
      License usage: 
                                       Licenses     Licenses    Licenses    Expiry
        Feature name                       used    installed      needed 
        idp-sig                               1            1           0    2014-12-15 16:00:00 PST
        appid-sig                             0            2           0    2014-12-15 16:00:00 PST
        logical-system                        1            1           0    permanent
      
      Licenses installed: 
        License identifier: JUNOS466166
        License version: 2
        Valid for device: AB0813AA0014
        Features:
          idp-sig - IDP Signature
            date-based, 2013-12-16 16:00:00 PST - 2014-12-15 16:00:00 PST
        License identifier: JUNOS466167
        License version: 2
        Valid for device: AB0813AA0014
        Features:
          appid-sig - APPID Signature
            date-based, 2013-12-16 16:00:00 PST - 2014-12-15 16:00:00 PST
        License identifier: JUNOS466168
        License version: 2
        Valid for device: AB0813AA0014
        Features:
          appid-sig - APPID Signature
            date-based, 2013-12-16 16:00:00 PST - 2014-12-15 16:00:00 PST

      Note: If configuring a firewall cluster, a firewall clustering license is required on both nodes of the cluster. The license is device specific.
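    The following Python script is an added example, not Juniper's code or output from this page. It parses a License usage table in the format shown in Step 2 (the two samples inside it are constructed) and reports whether the idp-sig feature has no license installed, needs more licenses, or is within a configurable number of days of its expiry. That is the check to run before the signature download in the next step and to repeat on a schedule, because the predefined signatures stop being downloadable once the license lapses.

```python
"""Check IDP licensing from 'show system license' output.

Added example, not Juniper's code. The two samples below are constructed to
mirror the 'License usage' table format shown on this page.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the same columns as the page's output.
SAMPLE = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               1            1           0    2014-12-15 16:00:00 PST
  appid-sig                             0            2           0    2014-12-15 16:00:00 PST
  logical-system                        1            1           0    permanent
"""

# Constructed sample: a device on which the IDP license was never added.
SAMPLE_UNLICENSED = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               1            0           1
"""

# One table row: feature name, three integer columns, optional expiry text.
# Title and header lines do not have three integer columns, so they are skipped.
ROW = re.compile(
    r"^\s*(?P<name>[A-Za-z][\w-]*)\s+(?P<used>\d+)\s+(?P<installed>\d+)\s+(?P<needed>\d+)"
    r"(?:\s+(?P<expiry>\S.*?))?\s*$"
)
STAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_expiry(value):
    """Return a naive datetime for a date-based expiry, or None for
    'permanent' or a missing value. The zone abbreviation (PST above) is
    dropped, so compare against the device's local clock."""
    if not value:
        return None
    m = STAMP.search(value)
    if m is None:  # 'permanent' or anything else without a timestamp
        return None
    return datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")


def parse_license_usage(text):
    """Map feature name -> {used, installed, needed, expiry}."""
    features = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            features[m.group("name")] = {
                "used": int(m.group("used")),
                "installed": int(m.group("installed")),
                "needed": int(m.group("needed")),
                "expiry": parse_expiry(m.group("expiry")),
            }
    return features


def check_idp_license(text, now, warn_days=30):
    """Return findings about the idp-sig feature; an empty list means the
    predefined signature package can be downloaded and the license is not
    about to lapse. 'now' may be a datetime or a 'YYYY-MM-DD HH:MM:SS' string."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    row = parse_license_usage(text).get("idp-sig")
    if row is None:
        return ["idp-sig: feature not present in license usage output"]
    findings = []
    if row["installed"] == 0:
        findings.append("idp-sig: no license installed; predefined signatures cannot be downloaded")
    if row["needed"] > 0:
        findings.append(f"idp-sig: {row['needed']} more license(s) needed")
    if row["expiry"] is not None:
        remaining = row["expiry"] - now
        if remaining <= timedelta(0):
            findings.append("idp-sig: license expired on " + row["expiry"].date().isoformat())
        elif remaining <= timedelta(days=warn_days):
            findings.append(f"idp-sig: license expires in {remaining.days} day(s)")
    return findings


if __name__ == "__main__":
    # Evaluate the constructed sample 25 days before its expiry date.
    for finding in check_idp_license(SAMPLE, "2014-11-20 16:00:00"):
        print(finding)
```

    In practice the text comes from the device (for example, the saved output of show system license) and now from the clock of the host running the check; the 30-day warning window is a default you can widen to match your renewal lead time.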

    3. Download and install the signature database. After the IDP license is installed, the IDP signature database can be downloaded and installed by performing the following steps:
      • Make sure the device has the necessary configuration for connectivity to the Internet. A name server must be configured.
      • Configure the signature database URL.
      set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
    4. Verify the version of the signature database in the Signature DB server. Look for “successfully retrieved”. In this example, the version in the server is 2327.
      root@vdc-edge-fw01-n0> request security idp security-package download check-server
      node0:
      --------------------------------------------------------------------------
      Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
      Version info:2345(Detector=12.6.140140207, Templates=2345)
      
      {primary:node0}
      
    5. Download the signature database (operational command, not configuration command).
      root@vdc-edge-fw01-n0> request security idp security-package download
      node0:
      --------------------------------------------------------------------------
      Will be processed in async mode. Check the status using the status checking CLI
      
      {primary:node0}
      root@vdc-edge-fw01-n0> request security idp security-package download status 
      node0:
      --------------------------------------------------------------------------
      In progress:platforms.xml.gz                            100 % 250 Bytes/ 250 Bytes
      
      {primary:node0}
      root@vdc-edge-fw01-n0> request security idp security-package download status    
      node0:
      --------------------------------------------------------------------------
      Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi)
      and synchronized to backup.
      Version info:2345(Wed Feb 12 19:13:53 2014 UTC, Detector=12.6.140140207)
      
      {primary:node0}
      
    6. Verify the progress of the IDP signature download by repeating the status command until it reports Done and "synchronized to backup" (the same output is shown in Step 5).
      root@vdc-edge-fw01-n0> request security idp security-package download status
      
    7. Install the IDP database.
      request security idp security-package install
    8. Monitor the status of the install command.
      root@vdc-edge-fw01-n0> request security idp security-package install status
      node0:
      --------------------------------------------------------------------------
      In progress:Updating with new attack or detector for existing running policy...
      
      node1:
      --------------------------------------------------------------------------
      Done;Attack DB update : successful - [UpdateNumber=2345,ExportDate=Wed Feb 12 19:13:53 2014 UTC,Detector=12.6.140140207]
           Updating control-plane with new detector : successful
           Updating data-plane with new attack or detector : successful
            (The last known good detector link has been updated with the new detector)
      
    9. Once the security policy is configured and its action is set to “permit”, enable IDP under “application-services”. This redirects traffic that matches the security policy to the IDP service for inspection. The example below shows the Internet-access security policy for traffic flowing from the trust zone to the untrust zone.
      root@vdc-edge-fw01-n0# show security policies from-zone trust to-zone untrust policy Internet-access | display set
      set security policies from-zone trust to-zone untrust policy Internet-access match source-address any
      set security policies from-zone trust to-zone untrust policy Internet-access match destination-address any
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-http
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-https
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-http-ext
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-ntp
      set security policies from-zone trust to-zone untrust policy Internet-access match application junos-dns-udp
      set security policies from-zone trust to-zone untrust policy Internet-access match application ICMP
      set security policies from-zone trust to-zone untrust policy Internet-access then permit application-services idp
    10. Enable IDP in the same way for inbound traffic (flowing from the untrust security zone to the trust security zone). Once IDP is enabled in the security policies, activate the IDP policy, then monitor it for effectiveness and tune it. The command used to activate the IDP policy in this example is:
      set security idp active-policy HTTP-inspection

      Note: There can be only one active IDP policy. The active IDP policy can be applied to multiple rules.

    11. The following display set configuration shows a complete policy called HTTP-inspection on the perimeter firewall. In this example, two rules are created. The R1 rule is from the trust security zone to the untrust security zone. The R2 rule monitors traffic from the untrust security zone to the trust security zone. The IDP rulebase is configured to match Web-based attacks. Finally, the policy is activated as shown in Step 10 using the command set security idp active-policy HTTP-inspection.
      root@vdc-edge-fw01-n0# show security idp | display set
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match from-zone trust
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match source-address any
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match to-zone untrust
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match destination-address any
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match application default
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match attacks predefined-attack-groups "Critical - HTTP"
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match attacks predefined-attack-groups "Major - HTTP"
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 then action drop-connection
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 then notification log-attacks
      set security idp idp-policy HTTP-inspection rulebase-ips rule R1 then severity critical
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match from-zone untrust
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match source-address any
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match to-zone trust
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match destination-address any
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match application default
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match attacks predefined-attack-groups "Critical - HTTP"
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match attacks predefined-attack-groups "Major - HTTP"
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 then action drop-connection
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 then notification log-attacks
      set security idp idp-policy HTTP-inspection rulebase-ips rule R2 then severity critical
      set security idp active-policy HTTP-inspection
      set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
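    The following Python script is an added example, not Juniper's code. It reads a display set configuration like the ones in Steps 9 to 11 (the sample inside it is constructed; the Inbound-web policy and the dmz zone are invented to show the failure modes) and checks the wiring this procedure depends on: there is exactly one active IDP policy and it is actually defined, every security policy that permits traffic with application-services idp has at least one rule of the active policy matching its zone pair, every rule is reachable from some such security policy, and every rule matches attacks and sets an action. A rule whose zone pair no security policy sends to IDP never inspects anything, and a security policy that sends traffic to IDP with no matching rule only adds inspection cost.

```python
"""Lint the IDP-related parts of an SRX 'display set' configuration.

Added example, not Juniper's code. It checks the relationship described on
this page: a security policy that permits traffic with
'application-services idp' hands that traffic to the rules of the single
active IDP policy, and those rules match on from-zone/to-zone.
SAMPLE_CONFIG is constructed; the Inbound-web policy and the dmz zone are
invented so that the sample exhibits both failure modes.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
set security policies from-zone trust to-zone untrust policy Internet-access match source-address any
set security policies from-zone trust to-zone untrust policy Internet-access match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-access match application junos-http
set security policies from-zone trust to-zone untrust policy Internet-access then permit application-services idp
set security policies from-zone untrust to-zone dmz policy Inbound-web match source-address any
set security policies from-zone untrust to-zone dmz policy Inbound-web match destination-address any
set security policies from-zone untrust to-zone dmz policy Inbound-web match application junos-http
set security policies from-zone untrust to-zone dmz policy Inbound-web then permit application-services idp
set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match from-zone trust
set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match to-zone untrust
set security idp idp-policy HTTP-inspection rulebase-ips rule R1 match attacks predefined-attack-groups "Critical - HTTP"
set security idp idp-policy HTTP-inspection rulebase-ips rule R1 then action drop-connection
set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match from-zone untrust
set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match to-zone trust
set security idp idp-policy HTTP-inspection rulebase-ips rule R2 match attacks predefined-attack-groups "Critical - HTTP"
set security idp idp-policy HTTP-inspection rulebase-ips rule R2 then action drop-connection
set security idp active-policy HTTP-inspection
"""

# A security policy that permits traffic and sends it to IDP.
IDP_ENABLED = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit application-services idp$"
)
# One 'match' or 'then' statement of an IPS rule inside an IDP policy.
IDP_RULE = re.compile(
    r"^set security idp idp-policy (\S+) rulebase-ips rule (\S+) (match|then) (\S+)(?: (.+))?$"
)
ACTIVE_POLICY = re.compile(r"^set security idp active-policy (\S+)$")


def parse_config(text):
    """Return (idp_enabled, idp_policies, active): a list of
    (from_zone, to_zone, policy_name) for IDP-enabled security policies,
    a map policy -> rule -> attributes, and the active-policy names seen."""
    idp_enabled, active = [], []
    idp_policies = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        m = IDP_ENABLED.match(line)
        if m:
            idp_enabled.append(m.groups())
            continue
        m = ACTIVE_POLICY.match(line)
        if m:
            active.append(m.group(1))
            continue
        m = IDP_RULE.match(line)
        if m:
            policy, rule, kind, key, value = m.groups()
            # A rule with no from-zone/to-zone statement matches any zone.
            attrs = idp_policies[policy].setdefault(
                rule, {"from-zone": "any", "to-zone": "any", "attacks": False, "action": None})
            if kind == "match" and key in ("from-zone", "to-zone"):
                attrs[key] = value
            elif kind == "match" and key == "attacks":
                attrs["attacks"] = True
            elif kind == "then" and key == "action":
                attrs["action"] = value
    return idp_enabled, dict(idp_policies), active


def covers(attrs, from_zone, to_zone):
    """True if an IDP rule's zone match applies to traffic between the given zones."""
    return attrs["from-zone"] in ("any", from_zone) and attrs["to-zone"] in ("any", to_zone)


def lint(text):
    """Return human-readable findings; an empty list means the IDP wiring is consistent."""
    idp_enabled, idp_policies, active = parse_config(text)
    findings = []
    if len(active) != 1:
        findings.append(f"expected exactly one 'set security idp active-policy', found {len(active)}")
        if not active:
            return findings
    name = active[0]
    rules = idp_policies.get(name)
    if rules is None:
        findings.append(f"active-policy {name} is not a defined idp-policy")
        return findings
    # Traffic a security policy sends to IDP should hit at least one rule.
    for from_zone, to_zone, policy in idp_enabled:
        if not any(covers(a, from_zone, to_zone) for a in rules.values()):
            findings.append(f"security policy {policy} ({from_zone}->{to_zone}) enables IDP "
                            f"but no rule in {name} matches that zone pair")
    # Every rule should be reachable from some IDP-enabled security policy and be complete.
    for rule, attrs in rules.items():
        if not any(covers(attrs, fz, tz) for fz, tz, _ in idp_enabled):
            findings.append(f"rule {rule} ({attrs['from-zone']}->{attrs['to-zone']}) in {name} "
                            f"is unreachable: no security policy for that zone pair enables IDP")
        if not attrs["attacks"]:
            findings.append(f"rule {rule} in {name} has no 'match attacks' statement")
        if attrs["action"] is None:
            findings.append(f"rule {rule} in {name} has no explicit 'then action'")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

    On the constructed sample the script reports two findings: the Inbound-web policy sends untrust-to-dmz traffic to IDP although no rule in HTTP-inspection matches that zone pair, and rule R2 (untrust to trust) is unreachable because no security policy for that zone pair enables IDP. Adding an untrust-to-dmz rule clears the first finding; enabling IDP on the inbound untrust-to-trust policy, as Step 10 describes, clears the second. Feed it the saved output of show security policies | display set and show security idp | display set concatenated.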

    Published: 2015-04-20