IDP-Based Threat Detection for SRX Series Firewalls

An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce various attack detection and prevention techniques on network traffic. You can enable IDP on the Juniper Networks® SRX Series Firewall operating as a spoke device in your Juniper Mist™ network by activating it in an application policy.

Intrusion detection is the process of monitoring the events occurring on your network and analyzing them for signs of incidents, violations, or imminent threats to your security policies. Intrusion prevention is the process of performing intrusion detection and then stopping the detected incidents. For details, see Intrusion Detection and Prevention Overview.

Note:

You must install the IDP signature database update license key on your Mist device. For details about licenses, see Junos OS Feature License Keys. The Juniper Mist cloud portal manages downloading of signatures and enabling the IDP features on your firewall if you have a valid license.

Juniper Mist cloud supports the following IDP profiles:

  • Standard—The Standard profile is the default profile and represents the set of IDP signatures and rules that Juniper Networks recommends. Each attack type and severity has a Juniper-defined, non-configurable action that the IDP engine enforces when it detects an attack. The possible actions are as follows:

    • Close the client and server TCP connection.

    • Drop the current packet and all subsequent packets.

    • Send an alert only (no additional action).

  • Alert—The Alert profile is suitable only for low-severity attacks. When the IDP engine detects malicious traffic on the network, the system generates an alert, but it does not take additional measures to prevent the attack. The IDP signatures and rules are the same as in the Standard profile.

  • Strict—The Strict profile contains a similar set of IDP signatures and rules as the Standard profile. However, when the system detects an attack, this profile actively blocks the malicious traffic or other attacks detected on the network.

  • Critical Only (SRX)—The Critical Only (SRX) profile is suitable for critical-severity attacks. When the system detects a critical attack, this profile takes the appropriate action. We recommend the Critical Only (SRX) profile for the SRX300 line of firewalls.

  • None—No profile is applied when you select this option.

You can apply an IDP profile to an application policy. Each profile has an associated traffic action, and these actions define how to apply a rule set to a service or an application policy. Actions in the IDP profile are preconfigured and are not available for users to configure.

To configure IDP-based threat detection:

  1. In the Juniper Mist cloud portal, click Organization > WAN Edge Templates and select a template for your spoke device.
  2. On the WAN Edge Templates spoke page, scroll down to the Application Policies pane. The pane displays the list of existing application policies.
  3. Under the IDP column, select an IDP profile. For example, select the Alert profile for all application policies.
    Figure 1: Configure an IDP Profile (Alert)
  4. Click Save.

    The Juniper Mist cloud applies the configured IDP profile on all spoke devices.

    Note:

    Ensure that you set the policy action to PERMIT; otherwise, the IDP settings might override the DENY statement.

After you apply an IDP profile, the spoke devices download the IDP policy and display the status of IDP as Enabled, as shown in Figure 2.

Figure 2: Activated IDP Policy

You can test the effect of the IDP profile by launching sample attacks from a security scanner. You can use tools such as Nikto in Kali Linux, which offers a variety of options for security penetration testing.

Use a virtual machine (VM) desktop (desktop1) in a sandbox or lab environment, and install a simple security scanner for web servers, such as Nikto. Nikto is an open-source web server and web application scanner. For example, you can run Nikto against an unhardened Apache Tomcat web server (or its equivalent) that is local to your lab. In this test, send plain (unencrypted) HTTP requests so that IDP can inspect them.

The following sample shows a process in which you install the tool, check for the presence of the HTTP server, and then launch the attacks.

You can view the generated events by navigating to Site > Secure WAN Edge IDP/URL Events.

Figure 3 shows detected events generated for an SRX Series Firewall.

Figure 3: IDP Events Generated for an Alert IDP Profile

In the previous example, you used passive logging of the events by applying the Alert IDP profile. Next, use the Strict IDP profile to stop or mitigate the events. When you use the Strict profile, the IDP engine closes the TCP connections of the detected attacks.

You can follow the same process as shown in the sample. However, this time you edit the spoke device template and change the IDP profile from Alert to Strict, as shown in Figure 4.

Figure 4: IDP Profile Configuration (Strict Profile)

Run the security scanner again. You'll notice that the scanner takes longer to run because it encounters more errors and reports fewer events.

Figure 5 shows that for some events, the action is to close the session to mitigate the threats (under the Action field).

Figure 5: IDP Events Generated for the Strict IDP Profile

Intrusion Detection and Prevention (IDP) Bypass Profiles

IDP bypass profiles work in conjunction with the intrusion prevention system (IPS) rules to prevent unnecessary alarms from being generated. You configure an IDP bypass profile when you want to exclude a specific destination or attack type from matching an IDP rule, so that IDP does not generate unnecessary alarms for that traffic.

An IDP profile can have multiple bypass profiles, each with multiple bypass rules.

To create an IDP bypass profile:

  1. In the Juniper Mist cloud portal, select Organization > WAN > Application Policy > IDP bypass profiles.

    The page displays a list of IDP bypass profiles (if any exist).

  2. Click Add Bypass Profile to create a profile.
  3. In the Create Bypass Profile window:
    1. Enter a name. Use alphanumeric characters, underscores, or dashes; the name cannot exceed 63 characters.
    2. Select a base profile. The supported base profiles are:
      • Standard
      • Strict
      • Critical Only (SRX)

      You need a base IDP profile to create an IDP bypass profile.

    3. Click Next. The portal opens a rules page where you define the rules for the IDP bypass profile.
      Figure 6: IDP Bypass Profile Rule
      • Action—Select the associated traffic action. The available options are Alert, Drop, or Close.
      • Destination IP—The IP address of the destination for the traffic you want to exempt. You can select one or more destination IP addresses from the populated list, or you can enter a destination IP address by clicking Add Destination IP.
      • Attack Name—Select the attacks you want IDP to exempt for the specified destination addresses from the displayed list. Alternatively, you can enter an attack by clicking Add Attack Name. The attack you enter must be a type supported by Juniper Networks IPS signatures.
      • Click Save.

The rule you created appears in the IDP Bypass Profile pane. Next, apply the IDP bypass profile in an application policy, in the same way you apply any IDP profile, by using the following steps:

  1. In the Juniper Mist cloud portal, click Organization > WAN Edge Templates and select a template for your spoke device.
  2. Under the IDP column, select the IDP profile. For example, select the IDP bypass profile that you created in the previous step.
    Figure 7: Apply IDP Bypass Profile in Application Policy
  3. After you configure the other options in the application policy, click Save. See Configure Application Policies on SRX Series Firewalls.

You can view the generated events by navigating to Site > Secure WAN Edge IDP/URL Events.