IDP Signature Database

Signature-based IDP monitors packets on the network and compares them against preconfigured, predetermined attack patterns known as signatures.

The Intrusion Detection and Prevention (IDP) system's signature database management is crucial for maintaining robust network security. By enabling the download and installation of regular updates, you ensure that your network is protected against the latest threats. You can configure custom attack objects and groups to tailor security measures to your specific needs, enhancing the flexibility and effectiveness of the system. Basic IDP functionality is enabled by default without requiring a license, but to receive daily updates, the installation of an IDP signature-database-update license key is necessary. This ensures continuous protection by keeping the attack database current with emerging vulnerabilities. For license details, see Junos OS Feature License Keys.

You can perform the following tasks to manage the IDP signature database:

  1. Update the signature database by downloading attack database updates from the Juniper Networks website. New attacks emerge daily, so keep your database current.

  2. Verify the signature database version using the CLI, as each version has a unique number, with the latest being the highest.

  3. Update the protocol detector engine alongside the signature database. The IDP protocol detector contains the Application Layer protocol decoders and is updated together with the IDP policy. The detector update is required whenever the policy is updated, even if the policy itself has not changed.

  4. Schedule automatic updates for the signature database on the IDP-enabled device at set intervals.

Benefits of IDP Signature Database Management

  • Ensures up-to-date protection against emerging threats by allowing regular downloads of the latest signature updates.

  • Provides flexibility in defining specific security parameters by allowing you to create custom attack objects and groups tailored to individual network environments.

Junos OS IDP Signature Package through an Explicit Proxy Server

Juniper Networks regularly updates the predefined attack database and makes it available as a security package on the Juniper Networks website https://signatures.juniper.net/cgi-bin/index.cgi. This database contains attack objects and attack object groups that you can use in IDP policies to match traffic against known attacks.

You need to create a proxy profile and use it for downloading the IDP signature package through an explicit proxy server:

  • Configure the proxy-profile option of the security package download so that the device reaches the external server through the specified proxy server. Proxy profiles are configured under the [edit services proxy] hierarchy. You can define more than one proxy profile, but IDP can reference only one of them at a time.

  • Use a web proxy server deployed in your network for access control and authentication of outbound HTTP(S) sessions. IDP's proxy support depends on the system-level proxy profile configuration: configure a proxy profile with the proxy server's host and port, and apply that profile under the [edit security idp security-package] hierarchy.

When a proxy profile is applied under the [edit security idp security-package] hierarchy, the idpd process connects to the proxy host instead of to the signature package download server. The proxy host then communicates with the download server and relays the response back to idpd. The idpd process is notified whenever the configuration under the [edit services proxy] hierarchy changes.

Once the security package installation is complete, all the downloaded and installed IDP attack objects and attack object groups are available for use in one or more IDP policies. These attack objects and attack object groups are then applied to traffic by referencing the IDP policy from a security policy, under the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name hierarchy.

You create an IDP policy and designate it as the active policy. When updating, you can download only the updates that Juniper Networks has published since your last download, and then update the attack database, the running policy, and the detector with them.

You can disable the proxy server for IDP signature downloads with the delete security idp security-package proxy-profile configuration command; after the commit, idpd connects to the download server directly again.

Example: Download the Junos OS IDP Signature Package through an Explicit Proxy Server

In this example, the SRX Series Firewall downloads and installs the IDP security package (the complete set of attack objects and attack object groups hosted on the external server) through the configured proxy profile.

Overview

To download the IDP signature package through a proxy server, you need to configure a proxy profile for HTTP connections.

Table 1 provides the details of the parameters used in this example.

Table 1: Proxy Profile Configuration Parameters

  Parameter                          Value
  ---------------------------------  ----------------
  Profile name                       test_idp_proxy1
  IP address of the proxy server     10.255.255.254
  Port number of the proxy server    3128

Requirements

This example uses the following hardware and software components:

  • This configuration example is tested on SRX Series Firewall with Junos OS Release 18.3R1 or later.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the edit hierarchy, and then enter commit from configuration mode.

Step-by-Step Procedure

To create a proxy profile and to download the IDP signature package through the proxy server:

  1. Specify the proxy host IP address.

  2. Specify the port number used by the proxy server.

  3. Specify the proxy profile to be used for the security package download.

  4. Commit the configuration.

  5. Switch to operational mode.

  6. Download the IDP security package.

    The option to perform an offline IDP signature package download and install from the Juniper website is still available. To download and install the IDP signature package offline, run the request security idp security-package offline-download CLI command. The installation process remains the same for both download commands.
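The procedure above written out as Junos CLI commands. This listing is an added example, not the page's own CLI Quick Configuration block: the profile name, host and port are taken from Table 1, while the [edit services proxy profile <name> protocol http] hierarchy used for the host and port statements, and the assumption that the proxy at 10.255.255.254:3128 allows unauthenticated outbound HTTPS from the firewall to signatures.juniper.net, are this example's own.

```junos
# Configuration mode. Lines starting with # are comments; drop them when pasting.
# The [edit services proxy ...] path is an assumption of this example; profile
# name, host and port come from Table 1.
set services proxy profile test_idp_proxy1 protocol http host 10.255.255.254
set services proxy profile test_idp_proxy1 protocol http port 3128

# Tell idpd to reach the signature server through that profile. IDP accepts
# exactly one proxy profile here; a second profile must replace it, not join it.
set security idp security-package proxy-profile test_idp_proxy1

commit

# Still in configuration mode, use "run" for operational commands.
# Confirm which proxy idpd will use (Proxy Profile and Proxy Address fields).
run show security idp security-package proxy-profile

# Start the download through the proxy and poll its status until it completes.
run request security idp security-package download
run request security idp security-package download status

# To return to a direct download later, remove the reference and commit:
# delete security idp security-package proxy-profile
# commit
```

If the download stalls, check the proxy side first: because idpd no longer talks to the download server directly, the proxy must accept an HTTPS connection to the signature server from the firewall's source address. The offline-download variant mentioned in step 6 does not go through the proxy at all.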

Verification

Verify IDP Signature Download through Proxy Server

Purpose

Display the details for the IDP signature package download through a proxy server.

Action

From operational mode, enter the show security idp security-package proxy-profile command to view IDP specific proxy details.

Meaning

In the output, you can find the IDP specific proxy profile details in Proxy Profile and Proxy Address fields.

Verify IDP Signature Download Status

Purpose

Check the IDP signature package download status.

Action

From operational mode, enter the request security idp security-package download status command.

Meaning

The output displays the IDP signature package download status.

Example: Download and Install the IDP Security Packages in Chassis Cluster Mode

This example shows how to download and install the IDP signature database to a device operating in chassis cluster mode.

Requirements

Before you begin, set the chassis cluster node ID and cluster ID. See Example: Setting the Node ID and Cluster ID for Security Devices in a Chassis Cluster.

Overview

When you download the IDP security package on a device operating in chassis cluster mode, the security package is downloaded to the primary node and then synchronized to the secondary node. This synchronization helps maintain the same version of the security package on both the primary node and the secondary node. See IDP Signature Database.

On SRX Series Firewalls, if control-plane memory utilization is already high, loading a large IDP policy can exhaust memory and trigger a system reboot during the IDP security package update. Check control-plane memory before updating and schedule large updates for a maintenance window.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Specify the URL for the security package.

  2. Switch to operational mode.

  3. Download the IDP security package to the primary node (the package is saved in the /var/db/idpd/sec-download directory).

    The following message is displayed.

  4. Check the security package download status.

    On a successful download, the following message is displayed.

  5. Update the attack database using the install command.

  6. Check the attack database update status. The command output displays information about the downloaded and installed versions of the attack database.

    You must download the IDP signature package into the primary node. This way, the security package is synchronized on the secondary node.
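The chassis cluster procedure above as Junos CLI commands, added here as an example and not the page's own listing. The URL is the one this page gives for the security package; the commands assume you are logged in to the primary node and that the package is installed once, with the cluster synchronizing it to the secondary node as described in the Overview.

```junos
# Identify the primary node before starting; the download must be run there.
show chassis cluster status

# Configuration mode: set the download source (URL taken from this page).
configure
set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
commit and-quit

# Operational mode, on the primary node.
# Download to /var/db/idpd/sec-download, then poll until the status reports completion.
request security idp security-package download
request security idp security-package download status

# Install the downloaded package into the attack database and protocol detector,
# then poll until the install completes. The status output lists the downloaded
# and installed versions; they should match once the install has finished.
request security idp security-package install
request security idp security-package install status

# Confirm the attack database, detector and policy template versions now active.
show security idp security-package-version
```

After the install completes, run show security idp security-package-version on the secondary node as well; the version numbers should match those on the primary, which is what the synchronization described in the Overview provides. Because loading a large policy can exhaust control-plane memory and reboot the device, do not start the install while the control plane is already under memory pressure.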

IDP Signature Database Version

New attack objects are added to the signature database server frequently; downloading these updates and installing them on your managed devices regularly ensures that your network is effectively protected against the latest threats. As new attack objects are added to the signature database server, the version number of the database is updated with the latest database version number. Each signature database has a different version number with the latest database having the highest number.

When updating the signature database, the signature database update client connects to the Juniper Networks website over an HTTPS connection. The client compares the version number of the database installed on the device with that of the latest database on the server and downloads only the difference. After the download, the new information is merged into the existing signature database and the database version number is set to that of the latest signature database.

Verify the IDP Signature Database Version

Purpose

Display the signature database version.

Action

From the operational mode in the CLI, enter show security idp security-package-version.

Meaning

The output displays the version numbers for the signature database, protocol detector, and the policy template on the IDP-enabled device. Verify the following information:

  • Attack database version—On April 16, 2008, the version of the signature database active on the device is 31.

  • Detector version—Displays the version number of the IDP protocol detector currently running on the device.

  • Policy template version—Displays the version of the policy template that is installed in the /var/db/scripts/commit directory when you run the request security idp security-package install policy-templates operational mode command.

For a complete description of output, see the show security idp security-package-version description.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

  Release   Description
  --------  -----------
  18.2R1    You can download the IDP security package through an explicit proxy server. To download an IDP security package hosted on an external server, you configure a proxy profile and use the proxy host and port details configured in that profile. This feature allows you to use a web proxy server deployed in your network for access and authentication of outbound HTTP(S) sessions as part of your overall security solution.