IPS Policy and Initial Configuration

IPS features are only supported on high memory branch SRX platforms. You can verify the version (high memory or low memory) of the SRX device by running the show chassis hardware command. The slide displays the output for this command. The chassis description will contain either an H or B after the SRX platform model number. In this case, the output shows SRX240-H. The H indicates high memory, and the B indicates a base memory (low memory) version.

2 www.juniper.net
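The memory-variant check above is easy to automate as a preflight step before attempting an IPS license or security-package install. The following Python script is an added example (not course material or Juniper code): it parses the Chassis row of show chassis hardware output and classifies the platform by its H or B suffix. The sample output embedded in the script is constructed and simplified to the columns the check needs; the column layout and serial number are not taken from a real device.

```python
import re
from typing import Optional

# Constructed sample of `show chassis hardware` output (not captured from a real device).
# Only the Chassis row's Description column matters to the check.
SAMPLE_SHOW_CHASSIS_HARDWARE = """\
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AB1234567890      SRX240-H
Routing Engine   REV 01   750-000000   AB1234567890      RE-SRX240-H
FPC 0                                                    FPC
  PIC 0                                                  4x GE Base PIC
"""

# Model number followed by an optional dash and the memory suffix (H = high, B = base).
MODEL_RE = re.compile(r"\bSRX(\d+)-?([HB])\b")


def chassis_description(output: str) -> Optional[str]:
    """Return the Description column of the 'Chassis' row, or None if the row is absent."""
    for line in output.splitlines():
        fields = line.split()
        if fields and fields[0] == "Chassis":
            return fields[-1]
    return None


def memory_variant(output: str) -> Optional[str]:
    """Classify the chassis as 'high' (H suffix) or 'base' (B suffix) memory.

    Returns None when no Chassis row or no H/B suffix is found, so that an
    unrecognised platform is reported as unknown rather than silently as 'base'.
    """
    desc = chassis_description(output)
    if desc is None:
        return None
    match = MODEL_RE.search(desc)
    if not match:
        return None
    return "high" if match.group(2) == "H" else "base"


def supports_ips(output: str) -> bool:
    """IPS is only supported on high-memory branch SRX platforms (per the course notes)."""
    return memory_variant(output) == "high"


if __name__ == "__main__":
    print(chassis_description(SAMPLE_SHOW_CHASSIS_HARDWARE),
          memory_variant(SAMPLE_SHOW_CHASSIS_HARDWARE),
          supports_ips(SAMPLE_SHOW_CHASSIS_HARDWARE))
```

Feed the script the raw text of show chassis hardware (for example captured over SSH) in place of the constructed sample; a None result means the row could not be parsed and should be looked at by hand rather than treated as a base-memory unit.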
You must have a valid license to enable the IPS feature set on SRX Series devices. As with other Juniper Networks devices, you can obtain the appropriate license for a given device (once you have purchased it) through the Juniper Networks website, as displayed on the slide.
The slide shows the process of installing a license through the J-Web interface.
The slide displays two methods to install the license on the CLI. The first method is to paste the license key text at the terminal using the command request system license add terminal. The second method shown is to apply the license file itself with the command request system license add filename, where filename is the name of the license file.
In addition to having a valid license to enable the IPS feature set, you must obtain and apply the most recent attack database on the SRX Series device.

This database is available from Juniper Networks and contains thousands of signatures and details about known vulnerabilities and attacks. The Juniper Networks J-Security team updates this database daily (and sometimes more than once a day) to ensure comprehensive protection against new attacks.
You can use the request security idp security-package download command through the Junos OS CLI to download the latest attack database. Use the request security
device.
The slide shows the same process of adding the attack database through the Web interface. Note the current version and date. This information allows you to tell at a glance how recent the package is, so you can keep the device configured with the most current attack prevention measures.
Manual Updates

You can download the Juniper Networks security package manually or automatically at specified time intervals. The first output on the slide illustrates the available operational mode commands. You can manually download the security package using the command request security idp security-package download full-update.

Automatic Updates

You can configure the SRX device to automatically download the security package. The slide also shows an example configuration of automating the download. The interval value is the number of
Given that the SRX Series device performs a variety of roles within the network, many factors determine device deployment. In general, two basic SRX modes exist in which you can deploy the device to perform IPS functionality: transparent (sometimes referred to as inline) mode and routed mode.

In transparent mode, the SRX interfaces used for IPS functionality do not have assigned IP addresses; they function similarly to a switch. In essence, the interfaces are transparent to network devices on either side of the SRX.

In routed mode, the SRX Series device applies IPS policies to routing interfaces, each of which has
When deploying the SRX Series device in transparent mode, conceptually it sits in the path of traffic into and out of the network. In this example, neither ge-0/0/1 nor ge-0/0/2 has an assigned IP address. They are dedicated to traffic inspection and therefore do not require any of the traditional settings needed to pass traffic in the usual sense.
In routed mode, the SRX Series device routes traffic into and out of the network through physical interfaces for which IP addresses have been assigned in a traditional manner. The diagram illustrates a simple example, in which the SRX Series device acts as the gateway for hosts on the 192.168.1.0 network.
There are several IPS performance considerations on SRX devices. Understanding these considerations can help you to better realize the impact that IPS can have on data throughput
engine will process all rules each time it scans IPS traffic until an attack is found. Configuring specific IPS rules will improve the IPS engine efficiency. A detailed discussion of IPS rules is beyond the scope of this material. Heavier IPS policies incur a higher performance hit.

• Actual traffic being processed: Some signatures have a higher performance load than other signatures. Some signatures require IPS inspection of the complete stream of traffic for the duration of the session, while other signatures do not.

• IPS traffic processing modes: Integrated mode IPS processing can impact the performance of both firewall and IPS processing if the IPS engine becomes exceptionally busy, since all firewall and IPS processing is performed directly by the flowd firewall process. Also, if the firewall process crashes, the entire data plane will be restarted. If high availability (HA) clustering is configured, this will trigger a failover of the data plane to the other node while the data plane is restarted. Dedicated and inline tap mode can improve IPS performance. These modes are discussed shortly in this material.
When you configure an IPS rule for logging, each matching event creates a log entry. Because the software generates IPS event logs during an attack, log generation happens in bursts, producing a much larger volume of messages during an attack. In comparison to other event messages, the message size is also much larger for attack-generated messages. The log volume and message size are important concerns for log management. To better manage the volume of log messages, IPS supports log suppression. Log suppression limits multiple instances of the same log occurring from the same or similar sessions over a given period of time. The software enables log suppression by default, but you can adjust its attributes through configuration under the [edit security idp sensor-configuration log-suppression] hierarchy.
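To make the burst-and-suppress behaviour concrete, here is an added Python model of log suppression (example code written for these notes, not Junos source or a description of its internals). It groups IPS events by attack name and source address (optionally destination address and port), passes the first start_log events of a group through unchanged, and folds the rest into one summary record with a count when the group's reporting window expires. The parameter names are modelled on the knobs under the log-suppression hierarchy, but the default values and the exact grouping and flush behaviour are assumptions for this example; the sample events are constructed, and the ICMP attack name in them is invented.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdpLog:
    ts: float        # seconds since an arbitrary epoch
    attack: str      # attack object that matched
    src: str
    dst: str
    dst_port: int


@dataclass
class SuppressionConfig:
    # Names modelled on [edit security idp sensor-configuration log-suppression];
    # the defaults are assumptions for this example, not Junos defaults.
    start_log: int = 1                      # events of a group emitted before suppression starts
    max_time_report: float = 5.0            # seconds a suppressed group is held before a summary
    include_destination_address: bool = False
    max_logs_operate: int = 16384           # maximum groups tracked at once


Emitted = Tuple[str, str, int]   # (attack, source, count) -- count > 1 marks a summary record


class LogSuppressor:
    def __init__(self, cfg: SuppressionConfig) -> None:
        self.cfg = cfg
        self.groups = OrderedDict()   # key -> [window_start, seen, suppressed, sample_log]
        self.emitted: List[Emitted] = []

    def _key(self, log: IdpLog) -> tuple:
        key = (log.attack, log.src)
        if self.cfg.include_destination_address:
            key += (log.dst, log.dst_port)
        return key

    def _flush_expired(self, now: float) -> None:
        """Emit a summary for every group whose reporting window has elapsed."""
        for key in list(self.groups):
            start, _seen, suppressed, sample = self.groups[key]
            if now - start >= self.cfg.max_time_report:
                if suppressed:
                    self.emitted.append((sample.attack, sample.src, suppressed))
                del self.groups[key]

    def feed(self, log: IdpLog) -> None:
        self._flush_expired(log.ts)
        key = self._key(log)
        group = self.groups.get(key)
        if group is None:
            if len(self.groups) >= self.cfg.max_logs_operate:
                # Table full: pass the event through rather than lose it.
                self.emitted.append((log.attack, log.src, 1))
                return
            group = self.groups[key] = [log.ts, 0, 0, log]
        group[1] += 1
        if group[1] <= self.cfg.start_log:
            self.emitted.append((log.attack, log.src, 1))   # below threshold: log normally
        else:
            group[2] += 1                                   # suppressed, counted for the summary

    def finish(self) -> List[Emitted]:
        self._flush_expired(float("inf"))
        return self.emitted


def suppress(logs: List[IdpLog], cfg: Optional[SuppressionConfig] = None) -> List[Emitted]:
    """Run the suppressor over events in time order and return what would be logged."""
    s = LogSuppressor(cfg or SuppressionConfig())
    for log in sorted(logs, key=lambda entry: entry.ts):
        s.feed(log)
    return s.finish()


# Constructed sample: a burst of five identical HTTP events, one unrelated ICMP event,
# then the same HTTP attack again after the reporting window has elapsed.
_HTTP = "HTTP:OVERFLOW:PI3WEB-SLASH-OF"   # signature name from the course notes
_ICMP = "EXAMPLE:ICMP-ATTACK"            # constructed name, not a real signature
SAMPLE_LOGS = [IdpLog(t, _HTTP, "10.0.0.5", "192.168.1.10", 80) for t in (0.0, 0.1, 0.2, 0.3, 0.4)]
SAMPLE_LOGS.append(IdpLog(0.5, _ICMP, "10.0.0.9", "192.168.1.10", 0))
SAMPLE_LOGS.append(IdpLog(10.0, _HTTP, "10.0.0.5", "192.168.1.10", 80))

if __name__ == "__main__":
    for record in suppress(SAMPLE_LOGS):
        print(record)
```

With the assumed defaults the seven sample events collapse to four records: the first HTTP event, the ICMP event, a summary of four suppressed HTTP events flushed when the window expires, and the later HTTP event that starts a new group. Raising start_log lets more individual events through before the summary takes over, which is the trade-off between log volume and per-event detail that the notes describe.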
Integrated Mode

Integrated mode is the default option for the high-end SRX, and is the only option available for the branch SRX Series. Traffic is processed by the firewall process within the Network Processing Unit or NPU (branch) and the SPU (high end), and any traffic destined for IPS processing is handled by that same firewall process. This means the firewall process, rather than a separate process, handles the IPS processing. Because SRX processors are multicore, multithreaded processors, multiple flows can be processed concurrently. On the high-end SRX devices, integrated mode can be useful for situations where the IPS engine only needs to process a small amount of traffic.
Dedicated Mode

In dedicated mode, the firewall and IPS operations are processed separately. Traffic that is marked for application-services idp is handled by the IPS process; however, the firewall process does not remain idle. All IPS-bound traffic is still inspected before being passed out of the unit. Once the IPS process completes, it sends the traffic back to the firewall process for handling. To enable dedicated mode you must use the CLI command set security forwarding-process application-services maximize-idp-sessions. You must reboot the SRX device for this setting to take effect. This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The slide displays the flow process for inline tap mode. The inline tap mode feature provides passive, inline detection for IPS policies. A copy of the packet is sent to the IPS engine for processing, while the firewall session traffic is uninterrupted. If a threat is detected in inline tap mode, the SRX will close the firewall flow session. This mode also has the disadvantage that it will allow attacks that are
require a separate tap or span port. This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The slide reviews how security policies determine which traffic is processed by IPS. For transit traffic to pass through IPS inspection, you configure a security policy and enable IPS application services on all traffic that you want to inspect. Security policies contain rules defining the types of traffic permitted on the network and the way that the traffic is treated inside the network. Enabling IPS in a security policy directs traffic that matches the specified criteria to be checked against the IPS rulebases.
You can configure multiple IPS policies, but a device can have only one active IPS policy at a time. A single policy can contain only one instance of any type of rulebase. You must set an active IPS policy for IPS to function on the SRX device.
Predefined policy templates are provided as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements. These templates are available in the templates.xml file from the Juniper Networks website. To start using a template, you run a command from the CLI to download and copy
The slide shows a sample IPS policy configured with the Junos OS template policy named Recommended. The slide shows a rule named rule 2 in an IPS rulebase with the matching conditions highlighted. In this case, the rule matches on traffic from any zone and source address to any zone and destination address. The rule also matches on an application type of default. When you select this application type, the software bases application matches on the attack or attack group objects. The Junos OS automatically matches on application or service settings associated with the defined attack or attack group object. You can also specify a configured application or application-set or use the any option. The sample configuration also shows a predefined attack group designed for Internet Control Message Protocol (ICMP) attacks. Predefined attack and attack group objects are part of the signature database. You can also specify custom attack and attack group objects or dynamic attack group objects.

You can enable logging using the notification action. The Junos OS stores logs according to the data plane logging configuration present on the Junos security platform.
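The two constraints stated earlier (one active policy at a time, one instance of each rulebase type per policy) and the matching semantics of rule 2 above (any zone, any address, application default resolved from the attack objects) can be exercised in a small model. The following Python is an added example written for these notes, not Junos code: it validates a policy set against those constraints and evaluates a flow against an IPS rulebase, resolving application default through the attack objects' service bindings. The attack object to service bindings, the ICMP attack group and its members, and the flows are all constructed for the example; on a real device those bindings come from the signature database.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Attack object -> application/service it is bound to. Constructed for this example.
ATTACK_OBJECTS: Dict[str, str] = {
    "HTTP:OVERFLOW:PI3WEB-SLASH-OF": "http",   # signature name shown in the course notes
    "EXAMPLE:ICMP-FLOOD": "icmp",              # constructed name
    "EXAMPLE:ICMP-BAD-TYPE": "icmp",           # constructed name
}
# Attack group -> member attack objects; a constructed stand-in for a predefined ICMP group.
ATTACK_GROUPS: Dict[str, Set[str]] = {
    "EXAMPLE-ICMP-GROUP": {"EXAMPLE:ICMP-FLOOD", "EXAMPLE:ICMP-BAD-TYPE"},
}


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    application: str   # application identified for the session, e.g. "http" or "icmp"


@dataclass
class IdpRule:
    name: str
    from_zone: str = "any"
    to_zone: str = "any"
    source: str = "any"              # "any" or a CIDR prefix
    destination: str = "any"
    application: str = "default"     # "default", "any", or a configured application name
    attacks: Set[str] = field(default_factory=set)   # attack objects and/or group names
    action: str = "no-action"
    log: bool = False                # notification log-attacks

    def attack_applications(self) -> Set[str]:
        """Applications implied by the rule's attack objects: what 'default' matches on."""
        objects: Set[str] = set()
        for name in self.attacks:
            objects |= ATTACK_GROUPS.get(name, {name})
        return {ATTACK_OBJECTS[o] for o in objects}

    def matches(self, flow: Flow) -> bool:
        if self.from_zone not in ("any", flow.from_zone) or self.to_zone not in ("any", flow.to_zone):
            return False
        if not _addr_match(self.source, flow.src) or not _addr_match(self.destination, flow.dst):
            return False
        if self.application == "any":
            return True
        if self.application == "default":
            return flow.application in self.attack_applications()
        return flow.application == self.application


def _addr_match(prefix: str, address: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)


@dataclass
class IdpPolicy:
    name: str
    rulebases: List[Tuple[str, List[IdpRule]]]   # (rulebase type such as "ips" or "exempt", rules)

    def errors(self) -> List[str]:
        """A policy may contain only one instance of each rulebase type."""
        seen: Set[str] = set()
        problems = []
        for kind, _ in self.rulebases:
            if kind in seen:
                problems.append(f"policy {self.name}: duplicate {kind} rulebase")
            seen.add(kind)
        return problems

    def first_match(self, flow: Flow) -> Optional[IdpRule]:
        for kind, rules in self.rulebases:
            if kind == "ips":
                for rule in rules:
                    if rule.matches(flow):
                        return rule
        return None


class IdpConfig:
    def __init__(self) -> None:
        self.policies: Dict[str, IdpPolicy] = {}
        self.active: Optional[str] = None   # models the single active-policy setting

    def add_policy(self, policy: IdpPolicy) -> None:
        self.policies[policy.name] = policy

    def set_active(self, name: str) -> None:
        if name not in self.policies:
            raise KeyError(name)
        self.active = name                   # only one active policy: setting it replaces the previous one

    def errors(self) -> List[str]:
        problems = [] if self.active else ["no active IPS policy: IPS will not function"]
        for policy in self.policies.values():
            problems += policy.errors()
        return problems

    def inspect(self, flow: Flow) -> Optional[IdpRule]:
        if self.active is None:
            raise RuntimeError("no active IPS policy")
        return self.policies[self.active].first_match(flow)


def build_sample_config() -> IdpConfig:
    """Policy 'Recommended' with rule 2 as described in the notes: any/any, application default, ICMP group."""
    rule2 = IdpRule(name="rule 2", attacks={"EXAMPLE-ICMP-GROUP"}, action="drop-packet", log=True)
    cfg = IdpConfig()
    cfg.add_policy(IdpPolicy("Recommended", [("ips", [rule2])]))
    cfg.set_active("Recommended")
    return cfg
```

Because rule 2 uses application default, an ICMP flow hits the rule while an HTTP flow between the same hosts does not, even though the zone and address conditions are any; switching the rule to application any would make it match every flow regardless of the attack objects, which is the distinction the notes draw between the two options.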
The show security idp attack table command lists the detected attacks on SRX platforms. In this case, the output shows an attack has matched the predefined signature object HTTP:OVERFLOW:PI3WEB-SLASH-OF.