
IPS Policy and Initial Configuration

Requirements to Run the IPS Engine


IPS features are only supported on high-memory branch SRX platforms. You can verify the version (high memory or low memory) of the SRX device by running the show chassis hardware command. The slide displays the output for this command. The chassis description will contain either an H or a B after the SRX platform model number. In this case, the output shows SRX240-H. The H indicates high memory, and the B indicates a base memory (low memory) version.
2 www.juniper.net
IPS Requires a Subscription License


You must have a valid license to enable the IPS feature set on SRX Series devices. As with other Juniper Networks devices, you can obtain the appropriate license for a given device (once you have purchased it) through the Juniper Networks website, as displayed on the slide.
Installing the License Using J-Web


The slide shows the process of installing a license through the J-Web interface.
CLI License Install Methods


The slide displays two methods to install the license from the CLI. The first method is to paste the license key into the terminal using the command request system license add terminal. The second method is to apply the license file itself with the command request system license add filename, where filename is the name of the license file. Either way, confirm the result with the show system license command before going further, because none of the IPS configuration that follows takes effect without the license.
The Security Package Installs the IPS Attack Signature Database


In addition to having a valid license to enable the IPS feature set, you must obtain and apply the most recent attack database on the SRX Series device.

This database is available from Juniper Networks and contains thousands of signatures and details about known vulnerabilities and attacks. The Juniper Networks J-Security team updates this database daily (and sometimes more than once a day) to ensure comprehensive protection against new attacks.
Download and Install CLI Commands


You can use the request security idp security-package download command from the Junos OS CLI to download the latest attack database. Use request security idp security-package download status to check whether the download has completed. Then use request security idp security-package install to install the database on the SRX Series device, and request security idp security-package install status to confirm that the installation has finished.
Security Package Install Using J-Web


The slide shows the same process of adding the attack database through the Web interface.

Note the current version and date. This information allows you to tell at a glance how recent the package is, so you can keep the device configured with the most current attack prevention measures.
Manual Updates
You can download the Juniper Networks security package manually or automatically at specified time intervals. The first output on the slide illustrates the available operational mode commands.

You can manually download the security package using the command request security idp security-package download full-update.
Automatic Updates
You can configure the SRX device to automatically download the security package. The slide also shows an example configuration of automating the download. The interval value is the number of hours before the device downloads the update.
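The following listing is an example added to this material, not part of the original course slides; it puts the manual download and install sequence from the previous page together with the automatic-update configuration described here. The URL is Juniper's standard signature download location; the start time and the 24-hour interval are assumed values that you would adapt to your own maintenance window.

```junos
## Manual update (operational mode): download, poll until the download is done, then install.
user@srx> request security idp security-package download full-update
user@srx> request security idp security-package download status
user@srx> request security idp security-package install
user@srx> request security idp security-package install status

## Confirm what is now loaded on the device (version number and date of the package).
user@srx> show security idp security-package-version

## Automatic update (configuration mode): the device contacts the signature server
## every 24 hours, starting at the given time (start time and interval are assumed values).
user@srx# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
user@srx# set security idp security-package automatic start-time 2013-01-15.02:00:00
user@srx# set security idp security-package automatic interval 24
user@srx# set security idp security-package automatic enable
user@srx# commit
```

The automatic schedule only downloads the package; check show security idp security-package-version after a scheduled run to confirm that the version actually advanced, and that the device has a route (and any required proxy or firewall exception) to the signature server.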

IPS Operates in Either SRX Deployment Mode


Given that the SRX Series device performs a variety of roles within the network, many factors determine device deployment. In general, two basic SRX modes exist in which you can deploy the device to perform IPS functionality: transparent (sometimes referred to as inline) mode and routed mode.

In transparent mode, the SRX interfaces used for IPS functionality do not have assigned IP addresses; they function similarly to a switch. In essence, the interfaces are transparent to network devices on either side of the SRX.

In routed mode, the SRX Series device applies IPS policies to routed interfaces, each of which has one or more assigned IP addresses.

Transparent Mode Example


When deploying the SRX Series device in this mode, conceptually it sits in the path of traffic into and out of the network. In this example, neither ge-0/0/1 nor ge-0/0/2 has an assigned IP address. They are dedicated to traffic inspection and therefore do not require any traditional settings to pass traffic in the usual sense.
Routed Mode Example


In this deployment mode, the SRX Series device routes traffic into and out of the network through physical interfaces for which IP addresses have been assigned in a traditional manner. The diagram illustrates a simple example, in which the SRX Series device acts as the gateway for hosts on the 192.168.1.0 network.
IPS Factors That Affect Data Throughput Performance


There are several IPS performance considerations on SRX devices. Understanding these considerations can help you to better realize the impact that IPS can have on data throughput performance. These considerations include:

• Size of IPS policy: Keep in mind that when you add rules to the IPS policy, the IPS engine processes all rules each time it scans IPS traffic until an attack is found. Configuring specific IPS rules (narrow zone, address, application and attack-group matches rather than any/any) improves the IPS engine's efficiency. A detailed discussion of IPS rules is beyond the scope of this material. Heavier IPS policies incur a higher performance hit.
• Actual traffic being processed: Some signatures carry a higher performance load than others. Some signatures require IPS inspection of the complete stream of traffic for the duration of the session, while other signatures do not.
• IPS traffic processing modes: In integrated mode, IPS processing can affect the performance of both firewall and IPS processing if the IPS engine becomes exceptionally busy, because all firewall and IPS processing is performed directly by the flowd firewall process. Also, if the firewall process crashes, the entire data plane restarts. If high availability (HA) clustering is configured, this triggers a failover of the data plane to the other node while the data plane restarts. Dedicated and inline tap modes can improve IPS performance. These modes are discussed shortly in this material.

Amount of IPS Logging


When you configure an IPS rule for logging, each matching event creates a log entry. Because the software generates IPS event logs during an attack, log generation happens in bursts, producing a much larger volume of messages during an attack. In comparison to other event messages, the message size is also much larger for attack-generated messages. The log volume and message size are important concerns for log management. To better manage the volume of log messages, IPS supports log suppression. Log suppression limits multiple instances of the same log occurring from the same or similar sessions over a given period of time. The software enables log suppression by default, but you can adjust its attributes through configuration under the [edit security idp sensor-configuration log suppression] hierarchy.
Monitoring IPS Memory Utilization


If the IPS process runs out of memory, the software no longer evaluates traffic for attacks. Use the
command shown on the slide to monitor IPS data plane memory utilization.
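As an added example (not from the original slides), the listing below shows the log suppression attributes under the hierarchy named above together with the operational commands used to check the sensor and its data-plane memory. The numeric values are assumed for illustration; tune them against the event rate your collector can absorb.

```junos
## Log suppression is on by default. These knobs (values assumed for illustration)
## set: whether the destination address is part of the suppression key, how many
## suppression records the sensor tracks at once, how many seconds it aggregates
## before reporting a suppressed count, and after how many occurrences suppression starts.
user@srx# set security idp sensor-configuration log suppression include-destination-address
user@srx# set security idp sensor-configuration log suppression max-logs-operate 16384
user@srx# set security idp sensor-configuration log suppression max-time-report 5
user@srx# set security idp sensor-configuration log suppression start-log 1
user@srx# commit

## Verify the sensor settings, then watch IPS data-plane memory: if the IPS
## process runs out of memory, traffic is no longer evaluated for attacks.
user@srx> show configuration security idp sensor-configuration
user@srx> show security idp memory
user@srx> show security idp status
```

During an incident, remember that a suppressed log carries a count rather than one record per hit, so the number of events on the collector is a lower bound on the number of matches the sensor actually saw.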

Integrated Mode
Integrated mode is the default option for the high-end SRX, and is the only option available for the branch SRX Series. In this mode the firewall process, running within the Network Processing Unit (NPU) on branch devices or the Services Processing Unit (SPU) on high-end devices, handles the traffic, and any traffic marked for IPS processing is inspected by that same firewall process rather than by a separate process. Because SRX processors are multicore, multithreaded processors, multiple flows can be processed concurrently. On the high-end SRX devices, integrated mode can be useful for situations where the IPS engine only needs to process a small amount of traffic.
Dedicated Mode
In dedicated mode, the firewall and IPS operations are processed separately. Traffic that is marked for application-services idp in a security policy is handed to the IPS process; however, the firewall process does not remain idle. All IPS-bound traffic is still inspected by the firewall before it leaves the unit: once the IPS process completes, it returns the traffic to the firewall process for further handling. To enable dedicated mode, use the CLI command set security forwarding-process application-services maximize-idp-sessions. You must reboot the SRX device for this setting to take effect. This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Inline Tap Mode


The slide displays the flow process for inline tap mode. The inline tap mode feature provides passive, inline detection for IPS policies. A copy of each packet is sent to the IPS engine for processing, while the firewall session's traffic is forwarded without waiting on the inspection result. If a threat is detected in inline tap mode, the SRX closes the firewall flow session. The disadvantage of this mode is that the original packet has already been forwarded by the time the copy is inspected, so a single-packet attack configured with a blocking action is not prevented: the engine can only tear down the session after the fact, which stops only attacks that span further packets.

To configure the device for inline tap mode, use the command set security forwarding-process application-services maximize-idp-sessions inline-tap. When switching to inline tap mode, or back to regular mode, you must reboot the SRX device. Inline tap mode does not require a separate tap or SPAN port. This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

Security Policies Determine Which Traffic Is Processed by IPS


The slide reviews how security policies determine which traffic is processed by IPS. For transit traffic to pass through IPS inspection, you configure a security policy and enable IPS application services on all traffic that you want to inspect. Security policies contain rules defining the types of traffic permitted on the network and the way that the traffic is treated inside the network. Enabling IPS in a security policy directs traffic that matches the specified criteria to be checked against the IPS rulebases.
The Active IPS Policy


You can configure multiple IPS policies, but a device can have only one active IPS policy at a time. A single policy can contain only one instance of any type of rulebase. You must set an active IPS policy for IPS to function on the SRX device; a security policy that enables application-services idp sends nothing to the engine until an active policy exists.
Predefined IPS Policy Templates


Predefined policy templates are provided as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements. These templates are available in the templates.xml file from the Juniper Networks website. To start using a template, you run a command from the CLI to download and copy this file to the /var/db/scripts/commit directory, then register it as a commit script so that the next commit writes the template policies into the configuration.
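The complete procedure, as an example added to this material rather than taken from the slides: fetch and install the templates file, let one commit expand it into idp-policy objects, copy the template you want to edit, and unregister the script. The policy name My-IPS is an assumed name.

```junos
## Fetch the templates file (this is the CLI command the text refers to; it places
## templates.xml under /var/db/scripts/commit) and confirm the download finished.
user@srx> request security idp security-package download policy-templates
user@srx> request security idp security-package download status
user@srx> request security idp security-package install policy-templates

## Register templates.xml as a commit script; the following commit generates the
## predefined idp-policy stanzas (Recommended, Web_Server, and so on) in the configuration.
user@srx# set system scripts commit file templates.xml
user@srx# commit

## The templates now exist as ordinary idp-policy objects. Copy one and edit the
## copy rather than the template itself (My-IPS is an assumed policy name).
user@srx# edit security idp
user@srx# copy idp-policy Recommended to My-IPS
user@srx# top

## Remove the commit script so later commits do not re-insert the template policies,
## then commit again.
user@srx# delete system scripts commit file templates.xml
user@srx# commit
```

Leaving the commit script registered is a common mistake: every subsequent commit re-applies templates.xml, so edits made directly to a template policy can be silently reverted, which is why the copy is edited instead.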


Recommended IPS Policy Example


The slide shows a sample IPS policy configured with the Junos OS template policy named Recommended. The slide shows a rule named rule 2 in an IPS rulebase with the matching conditions highlighted. In this case, the rule matches on traffic from any zone and source address to any zone and destination address. The rule also matches on an application type of default. When you select this application type, the software bases application matches on the attack or attack group objects: the Junos OS automatically matches on the application or service settings associated with the defined attack or attack group object. You can also specify a configured application or application-set, or use the any option. The sample configuration also shows a predefined attack group designed for Internet Control Message Protocol (ICMP) attacks. Predefined attack and attack group objects are part of the signature database. You can also specify custom attack and attack group objects or dynamic attack group objects.

You can enable logging using the notification action. The Junos OS stores logs according to the data plane logging configuration present on the Junos security platform.
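The following end-to-end configuration is an example added to this material, not the slide's own output. It ties together the three preceding pages: the security policy that hands traffic to IPS, the IPS policy with a rulebase-ips rule like the one described above, the single active policy, and the data-plane logging that determines where the notification goes. The zone names, the collector and source addresses, and the predefined attack group name "ICMP - Major" are assumptions to be replaced with values from your own device.

```junos
## 1. Steer traffic to the IPS engine: the security policy permits the traffic and
##    enables application-services idp on it (zone names trust/untrust are assumed).
user@srx# set security policies from-zone trust to-zone untrust policy inspect-out match source-address any
user@srx# set security policies from-zone trust to-zone untrust policy inspect-out match destination-address any
user@srx# set security policies from-zone trust to-zone untrust policy inspect-out match application any
user@srx# set security policies from-zone trust to-zone untrust policy inspect-out then permit application-services idp

## 2. The IPS policy and its rulebase-ips rule: any zone and address, application
##    default (derived from the attack objects), a predefined ICMP attack group
##    (group name assumed), the signature's recommended action, and a logged alert.
user@srx# set security idp idp-policy Recommended rulebase-ips rule 2 match from-zone any to-zone any
user@srx# set security idp idp-policy Recommended rulebase-ips rule 2 match source-address any destination-address any
user@srx# set security idp idp-policy Recommended rulebase-ips rule 2 match application default
user@srx# set security idp idp-policy Recommended rulebase-ips rule 2 match attacks predefined-attack-groups "ICMP - Major"
user@srx# set security idp idp-policy Recommended rulebase-ips rule 2 then action recommended
user@srx# set security idp idp-policy Recommended rulebase-ips rule 2 then notification log-attacks alert

## 3. Only one IPS policy can be active; nothing is inspected until this is set.
user@srx# set security idp active-policy Recommended

## 4. Data-plane (security) logging decides where the IPS events go. Stream mode sends
##    them straight from the forwarding plane to a syslog collector (addresses assumed).
user@srx# set security log mode stream
user@srx# set security log format sd-syslog
user@srx# set security log source-address 10.0.0.1
user@srx# set security log stream ips-collector host 10.0.0.50
user@srx# commit

## Verify that the policy compiled and is the active one.
user@srx> show security idp policies
user@srx> show security idp status
```

On branch SRX devices you can instead use set security log mode event, which delivers the events to the Routing Engine's syslog; on the high-end platforms stream mode is the one to use, since the data plane does not route IPS logs through the Routing Engine. Rule order matters: the engine walks the rulebase until a match is found, so place the most specific rules first and keep any/any rules, like the one above, for catch-all inspection.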

View IPS Attack Statistics


The show security idp attack table command lists the detected attacks on SRX platforms. In this case, the output shows an attack has matched the predefined signature object HTTP:OVERFLOW:PI3WEB-SLASH-OF.
Tracing IPS Operations


You can configure IDP traceoptions to log control plane events. Currently, the only flag available is
the all flag. By default, the software logs IDP traceoptions events to the
/var/log/idpd file.
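An added example (not from the slides) of the trace configuration just described, with the file size and rotation count as assumed values, followed by the operational commands used to read the trace and the attack table:

```junos
## Control-plane tracing for the IDP daemon; all is the only available flag. The file
## name idpd is the default; size and rotation count are assumed values.
user@srx# set security idp traceoptions file idpd size 10m files 3
user@srx# set security idp traceoptions flag all
user@srx# commit

## Read the trace (it lands in /var/log/idpd), then check the attack table. Clear the
## table once you have recorded the counters so the next view shows only new detections.
user@srx> show log idpd
user@srx> show security idp attack table
user@srx> clear security idp attack table
```

Because flag all is the only option, the trace is verbose; leave it enabled only while troubleshooting policy compilation or signature-package installs, and delete it afterwards with delete security idp traceoptions.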