
Introduction to IDP Migration

This topic provides a brief overview of some basic considerations when moving from standalone Juniper Networks IDP Series Intrusion Detection and Protection Appliances or Juniper Networks ISG Series Integrated Security Gateways with IDP security module to the Juniper Networks SRX Series Firewalls.

For more information, see the following topics:

IDP Series Appliances to SRX Series Firewalls Migration Overview

Introduction

SRX Series Firewalls are equipped with full security and networking capabilities and represent the highest performing firewalls with natively integrated full intrusion prevention system (IPS) technology from Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, providing inline protection against current and emerging threats throughout the network.

Although an SRX Series IDP policy can be configured entirely from within Juniper Networks J-Web software, this document focuses primarily on the CLI and Junos Space Security Director configuration steps, with the intention of providing an easy transition and learning path for both system engineers new to the IDP Series and those already familiar with managing standalone IDP Series and ISG Series with IDP solutions.

Because standalone IDP Series devices are typically deployed in either sniffer or transparent mode, additional considerations regarding network design must be addressed. These involve:

  • Network interfaces configuration

  • Security zones configuration

In addition, there are considerations regarding the following security features:

  • Denial of service (DoS) and flood protection.

  • Traffic anomaly detection or screens (as well as some of the detection methods applicable for SRX Series Firewalls).

  • Configured settings and actions must be closely analyzed because adding a new device can potentially impact network traffic—particularly in regard to Layer 3 processing.

SRX Series Firewalls can be deployed in sniffer mode (only on SRX5400, SRX5600, and SRX5800 devices). The sniffer mode is not supported on SRX300, SRX340, SRX345, and SRX550HM devices.

Multimethod Detection

SRX Series Firewalls deploy two rulebases—a main IDP rulebase and an exempt rulebase.

In addition, SRX Series Firewalls use security zones that are based on technology available with ScreenOS-based security devices, and provide detailed screen protection as an alternative for some basic standalone detection methods or rulebases.

Logging

Logging on an SRX Series Firewall must be configured to send records in response to security events through system logging to a preconfigured syslog server, such as the Juniper Networks Juniper Secure Analytics (JSA).

Sensor Configuration Settings

On both standalone IDP Series and SRX Series Firewalls, a number of sensor configuration settings can be configured to fine-tune IDP Series behavior and can be accessed from the CLI and Junos Space Security Director (SD). If any of the settings have been changed from the default value or need to be further modified, you must manually modify them. There are no automated processes to export or import modified settings.

Key Points to Consider

Note the following key points when you migrate from IDP Series Appliances to SRX Series Firewalls:

  • In comparison with deep inspection on ScreenOS, the fundamental IPS detection capabilities on the SRX Series Firewalls do not differ from those available on IDP Series Appliances or ISG Series with IDP security modules.

  • Not all IPS features are available on SRX Series IDP. We recommend that you familiarize yourself with documentation that details those differences.

  • Only SRX5400, SRX5600, and SRX5800 devices can be configured in sniffer mode (transparent mode).

  • IPS does not need a separate license to run as a service on the SRX Series Firewall; however, a license is required for IPS updates.

  • A base firewall policy is required and needs to include an IPS application-service statement to enable IPS inspection.

  • Enabling all attacks is not supported. If the policy does not load, check the service log files for policy size and load results.

  • A system log (syslog) server is required to collect security event-related messages when the messages are identified on the SRX Series data plane.

  • It is important to understand that compiling and applying an IPS policy can take some time, depending on the number of attack objects and the size of the policy. Starting with Junos OS Release 12.1 and Junos OS Release 17.3R1, SRX Series Firewalls use a smarter compilation engine and cache compiled information, so the compilation process takes much less time. The compilation process runs asynchronously: the SRX Series Firewall starts the process without holding up the CLI or SD session, and you can check back later on its status.
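The key points above on the base firewall policy, the IPS application-service statement, and the syslog collector, as an added configuration example (not from this Juniper page). It uses the active-policy syntax of the releases named on this page; zone names, the policy name, and the 192.0.2.x addresses are placeholders.

```junos
# Added example, not from the Juniper documentation. Placeholders: zones trust/untrust,
# IDP policy "Recommended", device source address 192.0.2.1, syslog collector 192.0.2.10.

# Select the IDP policy that compiled attack objects are applied to (Junos OS 12.1/17.3-era syntax).
# From Junos OS 18.2 onward the rule below can name the policy directly: "application-services idp-policy Recommended".
set security idp active-policy Recommended

# Base firewall policy: IPS inspects only traffic that a permit rule hands to the idp application service.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
set security policies from-zone trust to-zone untrust policy allow-out then log session-close

# Data-plane security events (attack logs included) streamed in structured-data syslog format to the collector.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream jsa host 192.0.2.10
set security log stream jsa host port 514
commit

# Verification: compilation is asynchronous, so poll the commit status and inspect the idpd log
# if the policy does not load (for example, when too many attack objects are enabled).
show security idp policy-commit-status
show security idp status
show log idpd
```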

Understanding Intrusion Prevention System

Overview

The Juniper Networks intrusion prevention system (IPS) feature detects and prevents attacks in network traffic.

SRX Series Firewalls provide the IPS functionality integrated within the Junos OS software; no special hardware is needed. IPS administrators have the option of deploying and administering IPS using the CLI or the Junos Space Security Director.

IPS Architecture

The IPS architecture is composed of the following:

  • SRX Series Firewall with IPS—IPS functionality is integrated as part of Junos OS and no special hardware is required.

  • Management—SRX Series Firewalls can be fully managed using the CLI commands. However, if there are multiple SRX Series Firewalls involved in the IPS deployment, we recommend using the Junos Space Security Director application.

  • Logging—Juniper Secure Analytics (JSA) is Juniper Networks’ security information and event management (SIEM) solution. JSA has predefined dashboards and reports for the SRX Series Firewalls IPS solution. In addition to logging, JSA provides event correlation, incident management, and flow monitoring. SRX Series logs are in syslog (structured data syslog) format, and these can be sent to JSA or to any other syslog servers that users might already have in place.

IPS with Chassis Clustering Limitations

IPS is supported in both active/passive and active/active chassis cluster modes on SRX Series Firewalls with the following limitations:

  • No inspection is performed on sessions that fail over or fail back. Only new sessions after a failover are inspected by IPS, and older sessions become firewall sessions.

  • The IP action table is not synchronized across nodes. If an IP action is taken for a session and the source IP, the destination IP, or both are added to the IP action table, this information is not synchronized to the secondary node. Therefore, sessions from that source IP, destination IP, or both will be forwarded until a new attack is detected.

  • The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IPS inspection.

Understanding the Intrusion Prevention System Deployment Modes

This topic provides an overview of the different types of IPS deployment modes for SRX Series Firewalls.

IPS provides three different modes of deployment:

  • Integrated mode

  • Sniffer mode

Integrated Mode

Integrated mode is supported on SRX Series Firewalls. Integrated mode is the default mode in which IPS operates on the SRX Series Firewalls. (There are no specific indications that show that the device is in integrated mode.)

Note:

We recommend deploying IPS in integrated mode.

Sniffer Mode

Sniffer mode is supported only on SRX5400, SRX5600, and SRX5800 devices. You can use the sniffer mode of IPS deployment by configuring the interfaces in promiscuous mode and manipulating the traffic and flow setup with routing.

On SRX5400, SRX5600, and SRX5800 devices in sniffer mode, the flow shows both the source and the destination interface as the egress interface.

As a workaround, use tagged interfaces in sniffer mode so that consistent interface names are displayed in the logs. For example, with ge-0/0/2.0 as the ingress (sniffer) interface and ge-0/0/2.100 as the egress interface, the logs show the source interface as ge-0/0/2.100.

Getting Started with IPS

Before configuring the SRX Series Firewall for IPS functionality, perform the following tasks:

  1. Install the License—You must install an IDP license before you can download any attack objects. If you are using only custom attack objects, you do not need to install a license, but if you want to download Juniper Networks predefined attack objects, you must have this license. Juniper provides you with the ability to download a 30-day trial license to permit this functionality for a brief period of time to evaluate the functionality. All you need to do is run the request system license add command, either specifying a file storage location or copying and pasting the license into the terminal.

  2. Configure Network Access—Before you can download the attack objects, you must have network connectivity to either the Juniper download server or a local server from which the signatures can be downloaded. This typically requires network configuration (IP/Netmask, routing, and DNS) and permitted access to reach the server. At the time of this writing, HTTP proxies are not supported, but you can configure a local webserver from which to serve the files.

  3. Download Attack Objects—Before deploying the IPS, you must first download the attack objects from which the policy will be compiled. Triggering a manual download does not configure the SRX Series Firewall to download them in the future, so you must configure automatic updates to download them.

  4. Install Attack Objects—Once the download has been completed, you must install the attack updates before they are actually used in a policy. If you already have a policy configured, you do not need to recommit the policy—installing the updates adds them to the policy. The installation process compiles the attack objects that have been downloaded to a stage directory into the configured policy.

  5. Download Policy Templates (optional)—You can optionally download and install predefined IPS policies known as policy templates provided by Juniper to get started. After finishing this chapter, you should be able to configure your own policy, so you probably will not need policy templates.

Note:

Starting with Junos OS Release 12.1 and Junos OS Release 17.3R1, the SRX Series Firewalls automatically push the signature package to the secondary member of the chassis cluster. Prior to Junos OS Release 12.1 and Junos OS Release 17.3R1, you had to use the fxp0 interface on both members of the cluster because each member had to download its own instance. With Junos OS Releases beyond 12.1 and 17.3R1, there is no explicit configuration: the SRX Series Firewall downloads the signature package and pushes it to the secondary member during the download process.
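The five getting-started steps above as one operational CLI sequence, added here as an example and not taken from this Juniper page. The license key and the local signature server hostname are placeholders; the automatic-update schedule values are illustrative.

```junos
# Added example, not from the Juniper documentation. Placeholders: the pasted license key and
# the local webserver sigupdates.example.internal used instead of Juniper's download server.

# 1. Install the IDP license (paste the key, finish with Ctrl-D) and confirm it is present.
request system license add terminal
show system license

# 2. Network access: the device needs IP/route/DNS reachability to the signature server.
#    HTTP proxies are not supported; to serve the package from a local webserver, point the URL at it.
set security idp security-package url https://sigupdates.example.internal/cgi-bin/index.cgi
commit

# 3. Download the attack objects to the staging directory and poll until the download reports success.
request security idp security-package download
request security idp security-package download status

# 4. Install the staged package into the configured policy; no recommit of the policy is needed.
request security idp security-package install
request security idp security-package install status
show security idp security-package-version

#    A manual download is one-off, so schedule recurring updates (here every 24 hours from 02:00).
#    On a chassis cluster (12.1 / 17.3R1 and later) the package is pushed to the secondary member automatically.
set security idp security-package automatic start-time "2024-01-01.02:00:00"
set security idp security-package automatic interval 24
set security idp security-package automatic enable
commit

# 5. (Optional) Predefined policy templates: download, install, then enable the commit script that loads them.
request security idp security-package download policy-templates
request security idp security-package install policy-templates
set system scripts commit file templates.xsl
commit
```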