Applications and Application Sets
Applications are predefined or custom-defined entities that represent specific types of network traffic or services. Application sets are collections of applications grouped for easier management and policy creation. You can create an application set that includes multiple related applications and then apply policies to the entire set.
Applications or services correspond to Application layer protocols that define how communication occurs between networked systems, specifying how data is structured, formatted and processed at the application level as it travels across the network.
In the context of IDP policies, applications and application sets see the following:
- Applications—These are predefined or custom-defined entities that represent specific types of network traffic or services. An application in this context can be anything from a web service (like HTTP or HTTPS), an email protocol (like SMTP), a file transfer service (like FTP), or any other type of network application. Each application has a set of characteristics that allow the IDP system to identify and monitor the traffic associated with that application.
- Application Sets—These are collections of applications grouped together for easier management and policy creation. Instead of defining policies for individual applications, you can create an application set that includes multiple related applications and then apply policies to the entire set. This is particularly useful for simplifying the management of security policies when dealing with a large number of applications.
IDP Application Sets
The services you support on your network are the same services that attackers use to attack your network, you can specify which services are supported by the destination IP to make your rules more efficient. Juniper Networks provides predefined applications and application sets that are based on industry-standard applications. If you need to add applications that are not included in the predefined applications, you can create custom applications or modify predefined applications to suit your needs.
You specify an application, or service, to indicate that a policy applies to traffic of that type. Sometimes the same applications or a subset of them can be present in multiple policies, making them difficult to manage. Junos OS allows you to create groups of applications called application set. Application sets simplify the process by allowing you to manage a small number of application sets, rather than a large number of individual application entries.
The application (or application set) is configured as a match criterion for packets. Packets must be of the application type specified in the policy for the policy to apply to the packet. If the packet matches the application type specified by the policy and all other criteria match, then the policy action is applied to the packet. You can use predefined or custom applications and refer to them in a policy.
See Also
Example: Configure IDP Applications Sets
This example shows how to create an application set and associate it with an IDP policy.
Requirements
Before you begin:
Configure network interfaces.
Enable IDP application services in a security policy.
Define applications. See Example: Configuring Security Policy Applications and Application Sets.
Overview
To configure an application set, you add predefined or custom applications separately to an application set and assign a meaningful name to the application set. Once you name the application set you specify the name as part of the policy. The policy applies to a packet only if the packet matches any one of the applications included in the set.
This example describes how to create an application set called SrvAccessAppSet and associate it with IDP policy ABC. The application set SrvAccessAppSet combines three applications. Instead of specifying three applications in the policy rule, you specify one application set. If all of the other criteria match, any one of the applications in the application set serves as valid matching criteria.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.
set applications application-set SrvAccessAppSet application junos-ssh set applications application-set SrvAccessAppSet application junos-telnet set applications application-set SrvAccessAppSet application cust-app set security idp idp-policy ABC rulebase-ips rule ABC match application SrvAccessAppSet set security idp idp-policy ABC rulebase-ips rule ABC then action no-action set security idp active-policy ABC
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application set and associate it with an IDP policy:
Create an application set and include three applications in the set.
[edit applications application-set SrvAccessAppSet] user@host# set application junos-ssh user@host# set application junos-telnet user@host# set application cust-app
Create an IDP policy.
[edit] user@host# edit security idp idp-policy ABC
Associate the application set with an IDP policy.
[edit security idp idp-policy ABC] user@host# set rulebase-ips rule ABC match application SrvAccessAppSet
Specify an action for the policy.
[edit security idp idp-policy ABC] user@host# set rulebase-ips rule ABC then action no-action
Activate the policy.
[edit] user@host# set security idp active-policy ABC
Results
From configuration mode, confirm your configuration
by entering the show security idp and show applications commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
idp-policy ABC {
rulebase-ips {
rule R1 {
match {
application SrvAccessAppSet;
}
then {
action {
no-action;
}
}
}
}
}
active-policy ABC;
[edit]
user@host# show applications
application-set SrvAccessAppSet {
application ssh;
application telnet;
application custApp;
}
If you are done configuring the device, enter commit from configuration mode.
Example: Configure IDP Applications and Services
This example shows how to create an application and associate it with an IDP policy.
Requirements
Before you begin:
Configure network interfaces.
Enable IDP application services in a security policy.
Overview
To create custom applications, specify a meaningful name for an application and associate parameters with it—for example, inactivity timeout, or application protocol type. In this example, you create a special FTP application called cust-app, specify it as a match condition in the IDP policy ABC running on port 78, and specify the inactivity timeout value as 6000 seconds.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration
mode.
set applications application cust-app application-protocol ftp protocol tcp destination-port 78 inactivity-timeout 6000 set security idp idp-policy ABC rulebase-ips rule ABC match application cust-app set security idp idp-policy ABC rulebase-ips rule ABC then action no-action set security idp active-policy ABC
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To create an application and associate it with an IDP policy:
Create an application and specify its properties.
[edit applications application cust-app] user@host# set application-protocol ftp protocol tcp destination-port 78 inactivity-timeout 6000
Specify the application as a match condition in a policy.
[edit security idp idp-policy ABC rulebase-ips rule ABC] user@host# set match application cust-app
Specify the no action condition.
[edit security idp idp-policy ABC rulebase-ips rule ABC] user@host# set then action no-action
Activate the policy.
[edit] user@host# set security idp active-policy ABC
Results
From configuration mode, confirm your configuration
by entering the show security idp and show applications commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security idp
idp-policy ABC {
rulebase-ips {
rule R1 {
match {
application cust-app;
}
}
}
}
active-policy ABC;
[edit]
user@host# show applications
application cust-app {
application-protocol ftp;
protocol tcp;
destination-port 78;
inactivity-timeout 6000;
}
If you are done configuring the device, enter commit from configuration mode.