
Configuring Firewall and Intrusion Prevention System Services for SIP Signaling Traffic

You can set up stateful firewall and intrusion prevention system (IPS) security services so that they are applied to SIP signaling traffic before the traffic reaches the BSG. To use this feature, group your stateful firewall rules and security policies in a service set configuration and then apply the service set to a service interface.

Note: The IPS feature uses the term Intrusion Detection and Prevention (IDP) to refer to its service package and its policies.

This topic consists of the following tasks:

  1. Enabling the IDP and Stateful Firewall Service Packages
  2. Creating an IDP Policy
  3. Configuring a Stateful Firewall
  4. Configuring the Service Set
  5. Applying the Service Set to a Services Interface

Enabling the IDP and Stateful Firewall Service Packages

The JUNOS Software provides IDP and stateful firewall plug-in service packages that you can use with the IMSG to provide firewall and security services to your SIP signaling traffic.

To enable the IDP and stateful firewall service packages on a PIC or DPC:

  1. Determine the FPC slot number and the PIC number of the services PIC or DPC on which you want to enable the IDP and firewall service packages.

    In the following example, the FPC slot number is 0 and the PIC number is 3.

    user@host> show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    .
    .
    .
    FPC 0                                              E-FPC
      PIC 0          REV 11   750-002971   RH1375            4x OC-3 SONET, MM
      PIC 1          REV 12   750-012838   DN0449            4x 1GE(LAN), IQ2
        Xcvr 0       REV 01   740-013111   8142659           SFP-T
        Xcvr 1       REV 01   740-013111   8142630           SFP-T
        Xcvr 2       REV 01   740-013111   8155199           SFP-T
        Xcvr 3       REV 01   740-013111   8154799           SFP-T
      PIC 2          REV 11   750-005724   RH2051            2x OC-3 ATM-II IQ, MM
      PIC 3          REV 15   750-014895   DN3277            MultiServices 100
    .
    .
    .
  2. Enable the IDP and stateful firewall packages on the PIC or DPC.
    [edit chassis]
    user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider package jservices-idp
    user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider package jservices-sfw
  3. Set the number of megabytes that can be used for the wired process memory, which is the virtual memory used to reduce Translation Look-aside Buffer (TLB) misses.
    [edit chassis]
    user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider wired-process-mem-size 512
  4. Set the number of processing cores dedicated to the control functionality of the jservices-idp and jservices-sfw applications.
    [edit chassis]
    user@host# set fpc 0 pic 3 adaptive-services service-package extension-provider control-cores 7
  5. Specify that the PIC or DPC does not restart if the Routing Engine is swapped.
    [edit chassis]
    user@host# set no-service-pic-restart-on-failover
  6. Commit your configuration changes. You must perform the commit before you can proceed to configure the IMSG.
    [edit]
    user@host# commit
    commit complete

Creating an IDP Policy

To create an IDP policy:

  1. Create an IDP policy and assign a name to it.
    [edit security idp]
    user@host# edit idp-policy attack-prevention
  2. Create a rulebase. For example, to create an IPS rulebase:
    [edit security idp idp-policy attack-prevention]
    user@host# edit rulebase-ips
    [edit security idp idp-policy attack-prevention rulebase-ips]
  3. Add rules to the rulebase.
    [edit security idp idp-policy attack-prevention rulebase-ips]
    user@host# edit rule 1
    [edit security idp idp-policy attack-prevention rulebase-ips rule 1]
  4. Define match criteria for the rule.
    [edit security idp idp-policy attack-prevention rulebase-ips rule 1]
    user@host# set match application default
    user@host# set match attacks predefined-attacks [FTP:USER:ROOT TELNET:USER:ROOT]
  5. Specify actions for the rule.
    [edit security idp idp-policy attack-prevention rulebase-ips rule 1]
    user@host# set then action drop-connection
    user@host# set then notification log-attacks

Configuring a Stateful Firewall

To configure a stateful firewall:

  1. Create a stateful firewall rule.
    [edit services stateful-firewall]
    user@host# edit rule r1
  2. Set the match direction for the rule.
    [edit services stateful-firewall rule r1]
    user@host# set match-direction input-output
  3. Add a term to the rule.
    [edit services stateful-firewall rule r1]
    user@host# set term t1 then reject

Configuring the Service Set

Create a service set that contains the IDP policy and the stateful firewall rule.

To configure the service set:

  1. Create a service set configuration.
    [edit services]
    user@host# edit service-set IPS-FW
  2. Specify the name of the stateful firewall rule that you want to apply using this service set.
    [edit services service-set IPS-FW]
    user@host# set stateful-firewall-rules r1
  3. Specify the name of the IDP policy that you want to apply using this service set.
    [edit services service-set IPS-FW]
    user@host# set idp-profile attack-prevention
  4. Specify the service interface on which you want the service set applied.
    [edit services service-set IPS-FW]
    user@host# set interface-service service-interface sp-0/2/0.10

Applying the Service Set to a Services Interface

On the services interface that you configured for your BSG, you need to apply the IDP and stateful firewall service set.

You can apply the service set to traffic received on the interface (input) and to traffic transmitted on the interface (output). However, for service sets with bidirectional service rules, you must include the same service set in both the input and output directions.

To apply the service set to a service interface:

  1. Enter edit mode for the service interface.
    [edit]
    user@host# edit interfaces ms-0/0/0
  2. Configure a logical unit and the protocol family and enter edit mode for the logical unit.
    [edit interfaces ms-0/0/0]
    user@host# edit unit 0 family inet
  3. Apply the service set to the input and output directions on the interface.
    [edit interfaces ms-0/0/0 unit 0 family inet]
    user@host# set service input service-set IPS-FW
    user@host# set service output service-set IPS-FW
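The steps in this topic tie together an IDP policy, a stateful firewall rule, a service set and an interface by name, and a service set whose rules are bidirectional must be applied in both directions. The following script is an added example, not part of the Juniper documentation: it parses the set-command form of the configuration built above (the sample is constructed from these steps) and reports dangling references or a service set applied in only one direction.

```python
# Constructed sample: set-command form of the IDP policy, firewall rule, service set and interface steps.
SAMPLE_CONFIG = """
set security idp idp-policy attack-prevention rulebase-ips rule 1 match application default
set security idp idp-policy attack-prevention rulebase-ips rule 1 then action drop-connection
set services stateful-firewall rule r1 match-direction input-output
set services stateful-firewall rule r1 term t1 then reject
set services service-set IPS-FW stateful-firewall-rules r1
set services service-set IPS-FW idp-profile attack-prevention
set interfaces ms-0/0/0 unit 0 family inet service input service-set IPS-FW
set interfaces ms-0/0/0 unit 0 family inet service output service-set IPS-FW
"""

def parse_set(config_text):
    """Return the token lists of all 'set ...' lines, with the leading 'set' dropped."""
    return [ln.split()[1:] for ln in config_text.splitlines() if ln.strip().startswith("set ")]

def lint_service_sets(config_text):
    """Return findings as strings; an empty list means the references are consistent."""
    sfw_rules, idp_policies, sets, units = {}, set(), {}, {}
    for t in parse_set(config_text):
        if t[:3] == ["services", "stateful-firewall", "rule"]:
            sfw_rules.setdefault(t[3], None)            # rule name -> match-direction
            if "match-direction" in t:
                sfw_rules[t[3]] = t[t.index("match-direction") + 1]
        elif t[:3] == ["security", "idp", "idp-policy"]:
            idp_policies.add(t[3])
        elif t[:2] == ["services", "service-set"]:
            ss = sets.setdefault(t[2], {"sfw": [], "idp": []})
            if t[3] == "stateful-firewall-rules":
                ss["sfw"].append(t[4])
            elif t[3] == "idp-profile":
                ss["idp"].append(t[4])
        elif t[0] == "interfaces" and "service-set" in t:   # ... service input|output service-set NAME
            unit = f"{t[1]} unit {t[3]}"
            units.setdefault(unit, {})[t[t.index("service") + 1]] = t[-1]
    findings = []
    for name, ss in sets.items():
        findings += [f"service-set {name}: stateful-firewall rule {r} is not defined"
                     for r in ss["sfw"] if r not in sfw_rules]
        findings += [f"service-set {name}: idp-policy {p} is not defined"
                     for p in ss["idp"] if p not in idp_policies]
    # A service set whose firewall rules are input-output must be applied in both directions.
    for unit, applied in units.items():
        for direction, name in applied.items():
            other = "output" if direction == "input" else "input"
            rules = sets.get(name, {}).get("sfw", [])
            if any(sfw_rules.get(r) == "input-output" for r in rules) and applied.get(other) != name:
                findings.append(f"{unit}: {name} has bidirectional rules but is not applied on {other}")
    return findings
```

Run `lint_service_sets` over the output of `show configuration | display set` for the relevant hierarchies; the check reads only the statements shown in the sample.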

Published: 2010-04-22
