Introduction to IDP Migration

Introduction

SRX Series Firewalls are equipped with full security and networking capabilities and represents the highest performing firewalls with natively integrated full intrusion prevention system (IPS) technology from Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, providing inline protection against current and emerging threats throughout the network.

Although an SRX Series IDP policy can be configured entirely from within Juniper Networks J-Web software, this document focuses primarily on the CLI and Junos Space Security Director configuration steps, with the intention of providing an easy transition and learning path for both system engineers new to the IDP Series and those already familiar with managing standalone IDP Series and ISG Series with IDP solutions.

Because standalone IDP Series devices are typically deployed in either sniffer or transparent mode, additional considerations regarding network design must be addressed. These involve:

• Network interfaces configuration

• Security zones configuration

In addition, there are considerations regarding the following security features:

• Denial of service (DoS) and flood protection.

• Traffic anomaly detection or screens (as well as some of the detection methods applicable for SRX Series Firewalls).

• Configured settings and actions must be closely analyzed because adding a new device can potentially impact network traffic—particularly in regard to Layer 3 processing.

SRX Series Firewalls can be deployed in sniffer mode (only on SRX5400, SRX5600, and SRX5800 devices). The sniffer mode is not supported on SRX300, SRX340, SRX345, and SRX550HM devices.

Multimethod Detection

SRX Series Firewalls deploy two rulebases—a main IDP rulebase and an exempt rulebase.

In addition, SRX Series Firewalls use security zones that are based on technology available with ScreenOS-based security devices, and provide detailed screen protection as an alternative for some basic standalone detection methods or rulebases.

Logging

Logging on an SRX Series Firewall must be configured to send records in response to security events through system logging to a preconfigured syslog server, such as the Juniper Networks Juniper Secure Analytics (JSA).

Sensor Configuration Settings

On both standalone IDP Series and SRX Series Firewalls, a number of sensor configuration settings can be configured to fine-tune IDP Series behavior and can be accessed from the CLI and Junos Space Security Director (SD). If any of the settings have been changed from the default value or need to be further modified, you must manually modify them. There are no automated processes to export or import modified settings.

Key Points to Consider

Note the following key points when you migrate from IDP Series Appliances to SRX Series Firewalls:

• In comparison with deep inspection on ScreenOS, the fundamental IPS detection capabilities on the SRX Series Firewalls do not differ from that available on IDP Series Appliances or ISG Series with IDP security modules.

• Not all IPS features are available on SRX Series IDP. We recommend that you familiarize yourself with documentation that details those differences.

• Only SRX5400, SRX5600, and SRX5800 devices can be configured in sniffer mode (transparent mode).

• IPS does not need a separate license to run as a service on the SRX Series Firewall; however, a license is required for IPS updates.

• A base firewall policy is required and needs to include an IPS application-service statement to enable IPS inspection.

• Enabling all attacks is not supported. If the policy does not load, check the service log files for policy size and load results.

• A system log (syslog) server is required to collect security event-related messages when the messages are identified on the SRX Series data plane.

• It is s important to understand that compiling and applying an IPS policy can take some time, depending on the number of attack objects and the size of the policy. Starting with Junos OS Release 12.1 and Junos OS Release 17.3R1, SRX Series Firewalls are leveraged for smarter compilation engine along with caching compiled information so that the compilation process takes much less time. The compilation process is conducted asynchronously, which means that the SRX Series Firewall starts the process but will not hold up CLI or SD session, but instead will allow you to check back later on the status.

Overview

The Juniper Networks intrusion prevention system (IPS) feature detects and prevents attacks in network traffic.

SRX Series Firewalls provide the IPS functionality integrated within the Junos OS software; no special hardware is needed. IPS administrators have the option of deploying and administering IPS using the CLI or the Junos Space Security Director.

IPS Architecture

The IPS architecture is composed of the following:

• SRX Series Firewall with IPS—IPS functionality is integrated as part of Junos OS and no special hardware is required.

• Management—SRX Series Firewalls can be fully managed using the CLI commands. However, if there are multiple SRX Series Firewalls involved in the IPS deployment, we recommend using the Junos Space Security Director application.

• Logging—Juniper Secure Analytics (JSA) is Juniper Networks’ security information and event management (SIEM) solution. JSA has predefined dashboards and reports for the SRX Series Firewalls IPS solution. In addition to logging, JSA provides event correlation, incident management, and flow monitoring. SRX Series logs are in syslog (structured data syslog) format, and these can be sent to JSA or to any other syslog servers that users might already have in place.

IPS with Chassis Clustering Limitations

IPS is supported in both active/passive and active/active chassis cluster modes on SRX Series Firewalls with the following limitations:

• No inspection is performed on sessions that fail over or fail back. Only new sessions after a failover are inspected by IPS, and older sessions become firewall sessions.

• The IP action table is not synchronized across nodes. If an IP action is taken for a session, and the source IP, destination IP or both is added to the IP action table, this information is not synchronized to the secondary node. Therefore, the sessions from the source IP, destination IP or both will be forwarded until a new attack is detected.

• The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IPS inspection.

Integrated Mode

Integrated mode is supported on SRX Series Firewalls. Integrated mode is the default mode in which IPS operates on the SRX Series Firewalls (There are no specific indications that show that the device is in integrated mode.)

Sniffer Mode

Sniffer mode is supported only on SRX5400, SRX5600, and SRX5800 devices. You can use the sniffer mode of IPS deployment by configuring the interfaces in promiscuous mode and manipulating the traffic and flow setup with routing.

On SRX5400, SRX5600, and SRX5800 devices, in sniffer mode, ingress and egress interfaces work with flow showing both source and destination interface as egress interface.

As a workaround, in sniffer mode, use the tagged interfaces. Hence, the same interface names are displayed in the logs. For example, ge-0/0/2.0 as ingress (sniffer) interface and ge-0/0/2.100 as egress interface are displayed in the logs to show the source interface as ge-0/0/2.100.