IDP for Tenant Systems

An Intrusion Detection and Prevention (IDP) policy in tenant systems enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through an SRX Series Firewall. The SRX Series Firewalls offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks.

Understanding IDP for Tenant Systems

A Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a tenant system.

This topic includes the following sections:

IDP Policies

Configuring IDP policies at the root level and at the tenant system level is similar. IDP policy templates configured at the root level are visible to, and usable by, all tenant systems. The primary administrator specifies an IDP policy in the security profile that is bound to a tenant system. To enable IDP in a tenant system, the primary administrator or the tenant system administrator configures a security policy that defines the traffic to be inspected and references the IDP policy at the permit application-services idp-policy idp-policy-name hierarchy level.

The primary administrator can configure multiple IDP policies, and a tenant system can have multiple IDP policies at a time. For tenant systems, the primary administrator can either bind the same IDP policy to multiple tenant systems or bind the necessary IDP policies to each tenant system. If you configure more than one IDP policy, configuring a default IDP policy is mandatory.

The primary administrator reserves the maximum number of IDP sessions for the primary logical system and for each tenant system. The number of IDP sessions allowed for the primary logical system is set with the command set security idp max-sessions max-sessions, and the number of IDP sessions allowed for a tenant system is set with the command set security idp tenant-system tenant-system max-sessions max-sessions.

The tenant system administrator performs the following actions:

  • Configure multiple IDP policies and attach them to the firewall policies used by the tenant system. If no IDP policy is configured for a tenant system, the default IDP policy configured by the primary administrator is used. An IDP policy is bound to a tenant system through that tenant system's security policy.

  • Create or modify IDP policies for their tenant system. The IDP policies are bound to tenant systems. If an IDP policy is changed and the commit fails, only the tenant system that initiated the commit is notified of the failure.

  • Create security zones in the tenant system and assign interfaces to each security zone. Zones that are specific to a tenant system cannot be referenced in IDP policies configured by the primary administrator; the primary administrator can reference only zones in the primary logical system in an IDP policy configured for the primary logical system.

  • View the detected attack statistics, IDP counters, attack table, and policy commit status for the individual tenant system using the commands show security idp counters, show security idp attack table, show security idp policies, show security idp policy-commit-status, and show security idp security-package-version.

From the root, the same detected attack statistics, IDP counters, attack table, and policy commit status for a tenant system are viewed using the commands show security idp counters counters tenant tenant-name, show security idp attack table tenant tenant-name, show security idp policies tenant tenant-name, show security idp policy-commit-status tenant tenant-name, and show security idp security-package-version tenant tenant-name.

Limitation

  • IDP policy compilation in the Packet Forwarding Engine is done at the global level. Any policy change made for a logical system or a tenant system recompiles the policies of all logical systems and tenant systems, because IDP internally treats them as a single global policy.

  • Any policy change made for a logical system or a tenant system clears the attack table of all logical systems and tenant systems.

IDP Installation and Licensing for Tenant Systems

An idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any tenant system on the device.

A single IDP security package is installed for all tenant systems on the device at the root level. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all tenant systems.

Understanding IDP Features in Tenant Systems

This topic includes the following sections:

Rulebases

A single IDP policy can contain only one instance of any type of rulebase. The intrusion prevention system (IPS) rulebase uses attack objects to detect known and unknown attacks; it detects attacks based on stateful signatures and protocol anomalies.

Note:

Status monitoring for IPS is global to the device and not on a per tenant system basis.

Multi-Detectors

A new IDP security package contains attack definitions and a detector. When a new policy is loaded, it is also associated with a detector. If the detector associated with the policy being loaded matches the detector already in use by the existing policy, the new detector is not loaded and both policies share the single detector. If the new detector does not match the current one, it is loaded along with the new policy, and each loaded policy then uses its own associated detector for attack detection.

The version of the detector is common to all tenant systems.

Logging and Monitoring

Status monitoring options are available to the primary administrator only. All status monitoring options under the show security idp and clear security idp CLI operational commands present global information, not per-tenant-system information.

Note:
  • SNMP monitoring for IDP is not supported on tenant systems.

  • Tenant systems support only stream mode for syslog; event mode is not supported.

IDP generates event logs when an event matches an IDP policy rule in which logging is enabled.

The tenant system identification is added to the following types of IDP traffic processing logs:

  • Attack logs. The following example shows an attack log for the TSYS1 tenant system:

  • IP action logs. The following example shows an IP action log for the TSYS1 tenant system:

Example: Configuring IDP Policies and Attacks for Tenant Systems

This example shows how to configure IDP policies and attacks for tenant systems.

Requirements

This example uses the following hardware and software components:

  • SRX Series Firewall configured with the tenant systems.

  • Junos OS Release 19.2R1 and later releases.

Before you configure IDP policies and attacks for tenant systems, be sure you have:

Overview

In this example, you configure IDP custom attacks, policies, a custom attack group, a pre-defined attack and attack group, and a dynamic attack group in the tenant system TSYS1.

Configuration

Configuring a Custom Attack

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a custom attack object:

  1. Create the custom attack object and set the severity level.

  2. Configure stateful signature parameters.

Results

From configuration mode, confirm your configuration by entering the show security idp custom-attack my-http command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring an IDP Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IDP policy:

  1. Create the IDP policy and configure match conditions.

  2. Configure actions for the IDP policy.
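The two procedures above (the custom attack object with its stateful signature parameters, and the IDP policy that matches on it) are shown below as one set of commands. This is an added example, not the page's own CLI Quick Configuration and not Juniper's code. The names my-http and idpengine and the tenant TSYS1 come from this page; the severity, time-binding values, the pattern string (a constructed marker, not a real attack signature), the rule actions and the use of the `tenants TSYS1 security idp` hierarchy to configure the tenant from the root are assumptions. Lines beginning with # are annotations; remove them before pasting into the CLI.

```junos
## Step 1: create the custom attack object and set its severity ##
set tenants TSYS1 security idp custom-attack my-http severity major
set tenants TSYS1 security idp custom-attack my-http recommended-action drop
# Time binding: report the attack only after 5 matches from the same source,
# so a single stray request does not fill the attack table (assumed values).
set tenants TSYS1 security idp custom-attack my-http time-binding count 5
set tenants TSYS1 security idp custom-attack my-http time-binding scope source

## Step 2: stateful signature parameters ##
# Inspect the HTTP URL context of client-to-server requests for a
# constructed marker string; ".*" is the detector's regex wildcard.
set tenants TSYS1 security idp custom-attack my-http attack-type signature context http-url
set tenants TSYS1 security idp custom-attack my-http attack-type signature pattern ".*sample-probe-marker.*"
set tenants TSYS1 security idp custom-attack my-http attack-type signature direction client-to-server

## IDP policy, step 1: create the policy and its match conditions ##
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match application default
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http

## IDP policy, step 2: actions ##
# Drop the connection and raise an alert in the attack log for every match.
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 then action drop-connection
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks alert
```

After committing, `show security idp custom-attack my-http` and `show security idp idp-policy idpengine` from the tenant's configuration mode should echo these statements. The policy inspects nothing until a tenant security policy names it at the permit application-services idp-policy hierarchy level, as described in the IDP Policies section.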

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Multiple IDP Policies with a Default IDP Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure multiple IDP policies:

  1. Create multiple IDP policies and configure match conditions.

  2. Configure security policies and attach IDP policies to them.

  3. Configure a default IDP policy.

    Note:

    If you configure more than one IDP policy, then configuring a default IDP policy is mandatory.
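The following commands carry the three steps above through end to end, and also illustrate the session reservation and policy binding described in the IDP Policies section. This is an added example, not the page's CLI Quick Configuration and not Juniper's code. TSYS1, idpengine, idpengine1 and the command forms set security idp max-sessions and set security idp tenant-system ... max-sessions come from this page. The session counts, the security policy and zone names, the placeholder attack group name PREDEFINED-GROUP-NAME (substitute a group from the installed signature package), the `tenants TSYS1 ...` hierarchy used from the root, and the placement of the default-policy statement in the tenant's own security idp hierarchy are assumptions; verify the last one with `show security idp policies tenant TSYS1` after the commit. Lines beginning with # are annotations; remove them before pasting.

```junos
## Primary administrator: reserve IDP sessions at the root and for the tenant ##
# Separate ceilings keep one tenant from exhausting IDP capacity for the others (assumed values).
set security idp max-sessions 8000
set security idp tenant-system TSYS1 max-sessions 2000

## Step 1: two IDP policies with different strictness ##
# idpengine: block on the tenant's custom attack (assumes my-http is committed).
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match application default
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 then action drop-connection
set tenants TSYS1 security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks alert
# idpengine1: apply the signature database's recommended action for a predefined group.
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 match from-zone any
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 match to-zone any
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 match source-address any
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 match destination-address any
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 match application default
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attack-groups "PREDEFINED-GROUP-NAME"
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 then action recommended
set tenants TSYS1 security idp idp-policy idpengine1 rulebase-ips rule 1 then notification log-attacks

## Step 2: security policies select the traffic and name the IDP policy ##
# Outbound client traffic gets idpengine; inbound traffic to the dmz zone gets idpengine1.
set tenants TSYS1 security policies from-zone trust to-zone untrust policy idp-out match source-address any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy idp-out match destination-address any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy idp-out match application any
set tenants TSYS1 security policies from-zone trust to-zone untrust policy idp-out then permit application-services idp-policy idpengine
set tenants TSYS1 security policies from-zone untrust to-zone dmz policy idp-in match source-address any
set tenants TSYS1 security policies from-zone untrust to-zone dmz policy idp-in match destination-address any
set tenants TSYS1 security policies from-zone untrust to-zone dmz policy idp-in match application any
set tenants TSYS1 security policies from-zone untrust to-zone dmz policy idp-in then permit application-services idp-policy idpengine1

## Step 3: default IDP policy, mandatory once more than one policy exists ##
# Traffic permitted without an explicit idp-policy falls back to this one (hierarchy assumed).
set tenants TSYS1 security idp default-policy idpengine

# Verification from the root, using the tenant keyword shown in the IDP Policies section:
#   show security idp policies tenant TSYS1
#   show security idp policy-commit-status tenant TSYS1
```

Because policy compilation is global, the commit that adds idpengine1 recompiles the policies of every logical system and tenant system and clears their attack tables (see Limitation), so schedule such changes outside the windows in which the attack table is being used for investigation.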

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine, show security idp idp-policy idpengine1, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring IDP Custom Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IDP custom attack group:

  1. Create the IDP policy.

  2. Configure the match condition of the IDP policy.

  3. Configure stateful signature parameters.

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Pre-defined Attack and Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the pre-defined attack and attack group:

  1. Configure the pre-defined attack.

  2. Configure the pre-defined attack group.

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring IDP Dynamic Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IDP dynamic attack group:

  1. Configure the dynamic attack group parameters.
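The three attack-group procedures above (custom attack group, pre-defined attack and attack group, and dynamic attack group) are shown together below as three rules of one tenant IDP policy, so that the three ways a rule can select attack objects sit side by side. This is an added example, not the page's CLI Quick Configuration and not Juniper's code. TSYS1 and my-http come from this page; the custom attack group assumes my-http has already been committed (Configuring a Custom Attack). The policy and group names, the dynamic-group filter values, the rule actions, the `tenants TSYS1 ...` hierarchy used from the root, and the placeholders PREDEFINED-ATTACK-NAME and PREDEFINED-GROUP-NAME (substitute names from the installed signature package) are assumptions. Lines beginning with # are annotations; remove them before pasting.

```junos
## Custom attack group: a static list of the tenant's own attack objects ##
set tenants TSYS1 security idp custom-attack-group cag-http group-members my-http

## Dynamic attack group: membership is recomputed from the signature database ##
# Every critical, client-to-server HTTP signature in the installed package is a member,
# so new signatures join the group on the next security-package update without a policy edit.
set tenants TSYS1 security idp dynamic-attack-group dag-http-critical filters severity values critical
set tenants TSYS1 security idp dynamic-attack-group dag-http-critical filters category values HTTP
set tenants TSYS1 security idp dynamic-attack-group dag-http-critical filters direction values client-to-server

## Rule 1: match the custom attack group and drop the connection ##
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 match from-zone any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 match to-zone any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 match source-address any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 match destination-address any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 match application default
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 match attacks custom-attack-groups cag-http
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 then action drop-connection
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 1 then notification log-attacks

## Rule 2: a pre-defined attack and a pre-defined attack group, recommended action ##
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 match from-zone any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 match to-zone any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 match source-address any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 match destination-address any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 match application default
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 match attacks predefined-attacks PREDEFINED-ATTACK-NAME
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 match attacks predefined-attack-groups "PREDEFINED-GROUP-NAME"
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 then action recommended
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 2 then notification log-attacks

## Rule 3: the dynamic group, drop and alert ##
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 match from-zone any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 match to-zone any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 match source-address any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 match destination-address any
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 match application default
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 match attacks dynamic-attack-groups dag-http-critical
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 then action drop-connection
set tenants TSYS1 security idp idp-policy idpengine-groups rulebase-ips rule 3 then notification log-attacks alert
```

The trade-off between the static and dynamic groups is operational: cag-http changes only when the tenant administrator edits it, whereas dag-http-critical changes whenever the root administrator installs a new security package, which all tenants share. Since policy compilation is global, either change triggers recompilation for every tenant system.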

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verify IDP Policies and Commit Status

Purpose

Verify that the IDP policies and the commit status are displayed after policy compilation for the tenant system TSYS1.

Action

From operational mode, enter the show security idp policies command.

From operational mode, enter the show security idp policy-commit-status command.

Meaning

The output displays the IDP policy configured in the tenant system TSYS1 and the commit status information.

Verify IDP Attack Detection

Purpose

Verify that IDP attack detection succeeds for the tenant system TSYS1 and that the detected attacks are displayed in the attack table.

Action

From operational mode, enter the show security idp attack table command.

Meaning

The output displays the attacks detected for the custom attack that is configured in the tenant system TSYS1.

Verify IDP Counters

Purpose

Verify that one of the IDP counter statuses is displayed for the tenant system TSYS1.

Action

From operational mode, enter the show security idp counters flow command.

Meaning

The output shows that the IDP flow counter status is displayed correctly for the tenant system TSYS1.