Application Security in Logical Systems
Application Security in logical systems enables to identify application traffic traversing your network regardless of port, protocol, and encryption, thereby providing greater visibility to control network traffic. The application security controls network traffic by setting and enforcing security policies based on accurate application information. For more information, see the following topics:
Understanding Logical Systems Application Identification Services
Predefined and custom application signatures identify an application by matching patterns in the first few packets of a session. Identifying applications provides the following benefits:
Allows Intrusion Detection and Prevention (IDP) to apply appropriate attack objects to applications running on nonstandard ports.
Improves performance by narrowing the scope of attack signatures for applications without decoders.
Enables you to create detailed reports using AppTrack on applications passing through the device.
With logical systems, predefined and custom application signatures are global resources that are shared by all logical systems. The primary administrator is responsible for downloading and installing predefined Juniper Networks application signatures and creating custom application and nested application signatures to identify applications that are not part of the predefined database.
Application identification is enabled by default.
The application system cache (ASC) saves the mapping between
an application type and the corresponding destination IP address,
destination port, protocol type, and service. Each user logical system
has its own ASC. A user logical system administrator can display the
ASC entries for their logical system with the show services application-identification
application-system-cache command. A user logical system administrator
can use the clear services application-identification application-system-cache command to clear the ASC entries for their logical system.
Starting in Junos OS Release 18.2R1, the default behavior of the ASC is changed as follows:
Security services including security policies, application firewall (AppFW), application tracking (AppTrack), application quality of service (AppQoS), Juniper ATP Cloud, IDP, and Content Security do not use the ASC by default.
Miscellaneous services including advanced policy-based routing (APBR) use the ASC for application identification by default.
For more information, see Enabling or Disabling Application System Cache for Application Services.
The primary administrator can display or clear ASC entries for
any logical system. The primary administrator can also display or
clear global counters with the show services application-identification
counter and clear services application-identification counter commands.
Application signature package is installed at the global-level, that is shared by all user logical systems. The primary logical system administrator can install or uninstall application signature package.
Starting in Junos OS Release 18.3R1, the application identification (AppID) support for logical systems include two new options to view and clear logical system statistics and logical system counters statistics.
The primary logical system administrator can display or clear the statistics for all logical systems whereas the administrator for the user logical system can display or clear the statistics for their own logical system.
The user logical system administrator can view the AppID signature package status and version. Custom signatures configured by the primary logical system administrator can be configured in the use logical system security policies.
You can view the status and version information about the AppID
signature package status and version by using the commands show
services application-identification status and show services
application-identification version.
See Also
Understanding Logical Systems Application Firewall Services
An application firewall enables administrators of logical systems to create security policies for traffic based on application identification defined by application signatures. The application firewall provides additional security protection against dynamic-application traffic that might not be adequately controlled by standard network firewall policies. The application firewall controls information transmission by allowing or blocking traffic originating from particular applications.
To configure an application firewall, you define a rule set that contains rules specifying the action to be taken on identified dynamic applications. The rule set is configured independently and assigned to a security policy. Each rule set contains at least two rules, a matched rule (consisting of match criteria and action) and a default rule.
A matched rule defines the action to be taken on matching traffic. When traffic matches an application and other criteria specified in the rule, the traffic is allowed or blocked based on the action specified in the rule.
A default rule is applied when traffic does not match any other rule in the rule set.
The primary administrator can download a predefined application signature database from the Juniper Networks Security Engineering website or can define application signatures using the Junos OS configuration CLI. For more information about application identification and application signatures, see Application Security User Guide for Security Devices.
Configuring an application firewall on a logical system is the same process as configuring an application firewall on a device that is not configured with logical systems. However, the application firewall applies only to the logical system for which it is configured. The primary administrator can configure, enable, and monitor application firewalls on the primary logical system and all user logical systems on a device. User logical system administrators can configure, enable, and monitor application firewalls only on the user logical systems for which they have access.
See Also
Example: Configuring Application Firewall Services for a Primary Logical Systems
This example describes how to configure application firewall services on the primary, or root, logical system by a primary administrator. Only the primary administrator can configure, manage, and view configuration of the primary logical system, in addition to all user logical systems.
After configuring application firewall rule sets and rules, the primary administrator adds the application firewall rule set information to the security policy on the primary logical system.
For information about configuring an application firewall within a security policy, see Application Firewall Overview.
Requirements
Before you begin:
Verify that all interfaces, routing instances, and security zones have been configured on the primary logical system.
See Example: Configuring Security Features for the Primary Logical Systems.
Verify that application firewall resources (appfw-rule-set and appfw-rule) have been allocated in a security profile and bound to the primary logical system through the [
system security-profile] command. For application firewall resources, a security profile configuration allows 0 to 10,000 rule sets and 0 to 10,000 rules.Note:The primary administrator allocates various global system resources through a security profile configuration which is then bound to the various logical systems on the device. The primary administrator owns this function and configures the security profile for all user logical systems as well as the primary logical system.
For more information, see Understanding Logical Systems Security Profiles (Primary Administrators Only).
Log in to the primary logical system as the primary administrator.
For information about primary administrator role functions, see Understanding the Primary Logical Systems and the Primary Administrator Role.
Overview
In this example you create application firewall services on the primary logical system, called root-logical-system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example creates the following application firewall configuration:
Rule set, root-rs1, with rules r1 and r2. When r1 is matched, telnet traffic is allowed through the firewall. When r2 is matched, web traffic is allowed through the firewall.
Rule set, root-rs2, with rule r1. When r1 is matched, example2 traffic is blocked by the firewall.
All rule sets require a default rule, which specifies whether to permit or deny traffic that is not specified in any rules of a rule set. The default-rule action (permit or deny) must be the opposite from the action that is specified for the other rule(s) in the rule set.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set logical-systems root-logical-system security application-firewall rule-sets root-rs1 rule r1 match dynamic-application junos:telnet set logical-systems root-logical-system security application-firewall rule-sets root-rs1 rule r1 then permit set logical-systems root-logical-system security application-firewall rule-sets root-rs1 rule r2 match dynamic-application-group junos:web set logical-systems root-logical-system security application-firewall rule-sets root-rs1 rule r2 then permit set logical-systems root-logical-system security application-firewall rule-sets root-rs1 default-rule deny set logical-systems root-logical-system security application-firewall rule-sets root-rs2 rule r1 match dynamic-application junos:facebook set logical-systems root-logical-system security application-firewall rule-sets root-rs2 rule r1 then deny set logical-systems root-logical-system security application-firewall rule-sets root-rs2 default-rule permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure application firewall for a primary logical system:
Log in to the primary logical system as the primary administrator. See Example: Configuring Root Password for Logical Systems and enter configuration mode.
admin@host> configure admin@host#
Configure an application firewall rule set for root-logical-system.
[edit ] admin@host# set logical-systems security application-firewall rule-sets root-rs1
Configure a rule for this rule set and specify which dynamic applications and dynamic application groups the rule should match.
[edit] admin@host# set logical-systems security application-firewall rule-sets root-rs1 rule r1 match dynamic-application telnet then permit
Configure the default rule for this rule set and specify the action to take when the identified dynamic application is not specified in any rules of the rule set.
[edit] admin@host# set logical-systems security application-firewall rule-sets root-rs1 default-rule deny
Repeat these steps to configure another rule set, root-rs2, if desired.
Results
From configuration mode, confirm your configuration
by entering the show security application-firewall rule-sets command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only
the configuration that is relevant to this example. Any other configuration
on the system has been replaced with ellipses (...).
[edit]
admin@host# show security application-firewall rule-sets all
...
application-firewall {
rule-sets root-rs1 {
rule r1 {
match {
dynamic-application [junos:telnet];
}
then {
permit;
}
}
default-rule {
deny;
}
}
rule-sets root-rs1 {
rule r2 {
match {
dynamic-application-group [junos:web];
}
then {
permit;
}
}
rule-sets root-rs2 {
rule r1 {
match {
dynamic-application [junos:FACEBOOK];
}
then {
deny;
}
}
default-rule {
permit;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Application Firewall Configuration
Purpose
View the application firewall configuration on the primary logical system.
Action
From operational mode, enter the show security
application-firewall rule-set logical-system root-logical-system rule-set
all command.
admin@host> show security application-firewall rule-set logical-system root-logical-system rule-set all
Rule-set: root-rs1
Logical system: root-logical-system
Rule: r1
Dynamic Applications: junos:telnet
Action:permit
Number of sessions matched: 10
Default rule:deny
Number of sessions matched: 100
Number of sessions with appid pending: 2
Rule-set: root-rs1
Logical system: root-logical-system
Rule: r2
Dynamic Applications: junos:web
Action:permit
Number of sessions matched: 20
Default rule:deny
Number of sessions matched: 200
Number of sessions with appid pending: 4
Rule-set: root-rs2
Logical system: root-logical-system
Rule: r1
Dynamic Applications: junos:FACEBOOK
Action:deny
Number of sessions matched: 40
Default rule:permit
Number of sessions matched: 400
Number of sessions with appid pending: 10
Understanding Logical Systems Application Tracking Services
AppTrack is an application tracking tool that provides statistics for analyzing bandwidth usage of your network. When enabled, AppTrack collects byte, packet, and duration statistics for application flows in the specified zone. By default, when each session closes, AppTrack generates a message that provides the byte and packet counts and duration of the session, and sends it to the host device. The Security Threat Response Manager (STRM) retrieves the data and provides flow-based application visibility.
AppTrack can be enabled and configured within any logical system. Configuring AppTrack in a logical system is the same as configuring AppTrack on a device that is not configured for logical systems. An AppTrack configuration only applies to the logical system in which it is configured. The name of the logical system is added to AppTrack logs. The primary administrator can configure AppTrack for any logical system while a user logical system administrator can only configure AppTrack for the logical system that they are logged in to.
The system log configuration is global on the device and must be configured by the primary administrator. The user logical system administrator cannot configure system logging for a logical system.
Counters keep track of the number of log messages sent and logs
that have failed. AppTrack counters are global to the device. The
primary administrator as well as user logical system administrators
can view AppTrack counters with the show security application-tracking
counters command.
See Also
Example: Configuring Application Firewall Services for a User Logical System
This example describes how to configure application firewall services on a user logical system by a user logical system administrator. User logical system administrators can manage and monitor their own system application firewall rule sets and rules and manage the dynamic applications allowed or blocked on their respective logical systems.
After configuring application firewall rule sets and rules, user logical system administrators add the application firewall rule set information to the security policy on their individual logical systems.
For information about configuring an application firewall within a security policy, see Application Firewall Overview.
Requirements
Before you begin:
Verify that the security zones are configured for the user logical system.
Verify that the primary administrator has allocated application firewall resources (appfw-rule-set and appfw-rule) in the security profile bound to the user logical system.
For more information, see Understanding Logical Systems Security Profiles (Primary Administrators Only).
Log in to the logical system as the user logical system administrator.
For information about user logical system administrator role functions, see Understanding User Logical Systems and the User Logical System Administrator Role.
Overview
In this example you configure application firewall services on the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example creates the following application firewall configuration:
Rule set, ls-product-design-rs1, with rules r1 and r2. When r1 is matched, telnet traffic is allowed through the firewall. When r2 is matched, web traffic is allowed through the firewall.
Rule set, ls-product-design-rs2, with rule r1. When r1 is matched, Facebook traffic is blocked by the firewall.
All rule sets require a default rule, which specifies whether to permit or deny traffic that is not specified in any rules of a rule set. The default-rule action (permit or deny) must be the opposite from the action that is specified for the other rule(s) in the rule set.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security application-firewall rule-sets ls-product-design-rs1 rule r1 match dynamic-application junos:telnet set security application-firewall rule-sets ls-product-design-rs1 rule r1 then permit set security application-firewall rule-sets ls-product-design-rs1 rule r2 match dynamic-application-group junos:web set security application-firewall rule-sets ls-product-design-rs1 rule r2 then permit set security application-firewall rule-sets ls-product-design-rs1 default-rule deny set security application-firewall rule-sets ls-product-design-rs2 rule r1 match dynamic-application junos:facebook set security application-firewall rule-sets ls-product-design-rs2 rule r1 then deny set security application-firewall rule-sets ls-product-design-rs2 default-rule permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure application firewall for a user logical system:
Log in to the user logical system as the user logical system administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure lsdesignadmin1@host:ls-product-design#
Configure an application firewall rule set for this logical system.
[edit] lsdesignadmin1@host:ls-product-design# set security application-firewall rule-sets ls-product-design-rs1
Configure a rule for this rule set and specify which dynamic applications and dynamic application groups the rule should match.
[edit] lsdesignadmin1@host:ls-product-design# set security application-firewall rule-sets ls-product-design-rs1 rule r1 match dynamic-application telnet then permit
Configure the default rule for this rule set and specify the action to take when the identified dynamic application is not specified in any rules of the rule set.
[edit] lsdesignadmin1@host:ls-product-design# set security application-firewall rule-sets ls-product-design-rs1 default-rule deny
Repeat these steps to configure another rule set, ls-product-design-rs2, if desired.
Results
From configuration mode, confirm your configuration
by entering the show security application-firewall rule-set all command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
For brevity, this show command output includes only
the configuration that is relevant to this example. Any other configuration
on the system has been replaced with ellipses (...).
[edit]
lsdesignadmin1@host:ls-product-design# show security application-firewall rule-set all
...
application-firewall {
rule-sets ls-product-design-rs1 {
rule r1 {
match {
dynamic-application [junos:telnet];
}
then {
permit;
}
}
default-rule {
deny;
}
}
rule-sets ls-product-design-rs1 {
rule r2 {
match {
dynamic-application-group [junos:web];
}
then {
permit;
}
}
rule-sets ls-product-design-rs2 {
rule r1 {
match {
dynamic-application [junos:FACEBOOK];
}
then {
deny;
}
}
default-rule {
permit;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Application Firewall Configuration
Purpose
View the application firewall configuration on the user logical system.
Action
From operational mode, enter the show security
application-firewall rule-set all command.
lsdesignadmin1@host:ls-product-design> show security application-firewall rule-set all
Rule-set: ls-product-design-rs1
Logical system: ls-product-design
Rule: r1
Dynamic Applications: junos:telnet
Action:permit
Number of sessions matched: 10
Default rule:deny
Number of sessions matched: 100
Number of sessions with appid pending: 2
Rule-set: ls-product-design-rs1
Logical system: ls-product-design
Rule: r2
Dynamic Applications: junos:web
Action:permit
Number of sessions matched: 20
Default rule:deny
Number of sessions matched: 200
Number of sessions with appid pending: 4
Rule-set: ls-product-design-rs2
Logical system: ls-product-design
Rule: r1
Dynamic Applications: junos:FACEBOOK
Action:deny
Number of sessions matched: 40
Default rule:permit
Number of sessions matched: 400
Number of sessions with appid pending: 10
Example: Configuring AppTrack for a User Logical Systems
This example shows how to configure the AppTrack tracking tool so you can analyze the bandwidth usage of your network.
Requirements
Before you begin:
Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.
(Primary administrator) Configure system logging in the primary logical system. See Network Management and Monitoring Guide.
Overview
This example shows how to enable application tracking for the security zone ls-product-design-trust in the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
The first message is generated at session start and update messages are sent every 5 minutes after that or until the session ends. A final message is sent at session end.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security zones security-zone ls-product-design-trust application-tracking set security application-tracking first-update
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure AppTrack for a user logical system:
Log in to the user logical system as the logical system administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure lsdesignadmin1@host:ls-product-design#
Enable AppTrack for the security zone.
[edit security] lsdesignadmin1@host:ls-product-design# set zones security-zone ls-product-design-trust application-tracking
Generate update messages at session start and at 5-minute intervals.
[edit security] lsdesignadmin1@host:ls-product-design# set application-tracking first-update
Results
From configuration mode, confirm your configuration
by entering the show security command. If the output does
not display the intended configuration, repeat the configuration instructions
in this example to correct it.
For brevity, this show command output includes only
the configuration that is relevant to this example. Any other configuration
on the system has been replaced with ellipses (...).
[edit]
lsdesignadmin1@host:ls-product-design# show security
...
application-tracking {
first-update;
}
...
zones {
security-zone ls-product-design-trust {
...
application-tracking;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying AppTrack Operation
- Verifying Security Flow Session Statistics
- Verifying Application System Cache Statistics
- Verifying the Status of Application Identification Counter Values
Verifying AppTrack Operation
Purpose
View the AppTrack counters periodically to monitor tracking.
Action
From operational mode, enter the show application-tracking
counters command.
Verifying Security Flow Session Statistics
Purpose
Compare byte and packet counts in logged messages with
the session statistics from the show security flow session command output.
Action
From operational mode, enter the show security
flow session command.
Verifying Application System Cache Statistics
Purpose
Compare cache statistics such as IP address, port,
protocol, and service for an application from the show services
application-identification application-system-cache command
output.
Action
From operational mode, enter the show services
application-identification application-system-cache command.
Verifying the Status of Application Identification Counter Values
Purpose
Compare session statistics for application identification
counter values from the show services application-identification
counter command output.
Action
From operational mode, enter the show services
application-identification counter command.