SABP-Z-085
1 Introduction 2
2 Conflicts with Mandatory Standards 2
3 References 3
4 Definitions 3
5 Background 5
6 The on-line update approach 5
7 The offline update methodology 6
1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology for implementing advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff, for the purpose of prompt risk
mitigation and overall adherence to the company's cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and/or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology for updating the Juniper SRX
gateway (IDP signature database) offline, to ensure "secure configuration" as
per SAEP-99, "Process Automation Networks and Systems Security".
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered “exclusive” to provide
“comprehensive” compliance to SAEP-99 or any other Saudi Aramco
Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from their
responsibility or duties to confirm and verify the accuracy of any information
presented herein and the thorough coordination with respective control system
steering committee chairman and vendor.
Page 2 of 15
Document Responsibility: Plants Networks Standards Committee SABP-Z-085
Issue Date: 20 April 2016 Network Devices Support
Next Planned Update: 3 May 2020 Guide – Juniper IPS Signatures
3 References
Specific sections of the following documents are referenced within the body of this
document. Material or equipment supplied to this best practice shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.
Saudi Aramco References
Saudi Aramco Engineering Procedures
SAEP-99 Process Automation Networks and Systems Security
Saudi Aramco Engineering Standards
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks
General Instruction
GI-0710.002 Classification of Sensitive Information
4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
CLI - Command Line Interface
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
IDP - Intrusion Detection and Prevention
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
SSH - Secure Shell
SNMP - Simple Network Management Protocol
4.2 Abbreviations
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
5 Background
The Juniper SRX family includes the Intrusion Detection and Prevention (IDP)
module (a licensed feature, see 7.2). Its purpose is to detect and react to network
attacks in the traffic passing through the SRX firewall. To be effective, the IDP
signatures must be updated frequently to the latest version so that the newest attacks
and attack variants are detected.
This document describes the offline approach for obtaining the latest attack
signature database, since the Saudi Aramco plant DMZ is not connected to the Internet.
In a normal configuration, the IDP module retrieves its updates directly from Juniper's
Internet-facing servers.
6 The on-line update approach
The online IDP security update is straightforward to perform through JWeb. The
scheduled start time is given as XX-YY.ZZ, where:
XX is the month
YY is the day
ZZ is the time
For example, the value 01-10.02:00 means the update will start automatically on
10 January at 02:00.
7 The offline update methodology
7.1 Assumptions
We assume the PAN Administrator has sufficient knowledge to connect remotely
to the Juniper device through the available management accesses (Telnet, FTP,
SSH, ...) and has the appropriate licensing information available. Where the
device offers them, SSH and SSH-based file transfer (scp/sftp) should be preferred
over Telnet and FTP, which carry credentials and files in clear text.
7.2 Licensing
Licenses can be loaded manually via JWeb, NSM, or the CLI. The current license
state, including the IDP signature license (idp_sig) and its expiry date, is shown
by the CLI command show system license, whose output is of the form:
License usage:
                       Licenses   Licenses   Licenses   Expiry
  Feature name             used  installed     needed
  idp_sig                     0          1          0   2013-03-06
The detector version value, 10.2.140090831 in this example, is what we are looking
for; it is reported by show security idp security-package-version.
For our case, and according to the example above, we have the following values:
- Device = srx550
- Detector = 10.2.140090831
- OS = 10.2
Once the link is built as below, requesting it should return a file called
SignatureUpdate.xml.gz:
https://services.netscreen.com/cgi-bin/index.cgi?device=srx550&feature=idp&os=10.2&detector=10.2.140090831&from=&to=latest&type=update
Refer to Appendix A for a VBS script that downloads the signature file from a
Saudi Aramco computer.
From the file above, we can identify the URLs for downloading the following files:
- application_groups.xml.gz
  https://services.netscreen.com/xmlupdate/89/ApplicationGroups/8/application_groups.xml.gz
- applications.xsd
  https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xsd
- applications.xml.gz
  https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xml.gz
- libidp-detector.so.tgz.v
  https://services.netscreen.com/xmlupdate/89/Detector/10.2.140090602/libidpdetector.so.tgz.v
- groups.xml.gz
  https://services.netscreen.com/xmlupdate/89/Groups/2/groups.xml.gz
- platforms.xml.gz
  https://services.netscreen.com/xmlupdate/89/Platforms/9/platforms.xml.gz
Ensure that all files have been downloaded with the correct name and extension
(some browsers rename or transparently decompress .gz downloads); otherwise the
update may fail.
{master:0}[edit]
root@4200> file checksum md5 /var/tmp/jinstall-ex-4200-10.4R1.9-domestic-signed.tgz
MD5 (/var/tmp/jinstall-ex-4200-10.4R1.9-domestic-signed.tgz) = 38032c0e237a65b4cbc86a9c6ab06552
Compare the MD5 checksum returned by the command with the MD5 given for that
file in SignatureUpdate.xml. They must be identical; any difference means the file
is corrupted or incomplete and must be downloaded again. The example above is
taken from an EX4200 and a Junos install package and only illustrates the command
syntax; run the same command against each downloaded signature file. All
downloaded files should then be unzipped as follows:
> gzip -d SignatureUpdate.xml.gz
> gzip -d applications.xml.gz
> gzip -d groups.xml.gz
> gzip -d platforms.xml.gz
> gzip -d libidp-detector.so.tgz.v
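As an added example (not part of SABP-Z-085 and not a Juniper tool), the following Python script ties together the steps of section 7 that are otherwise done by hand: it composes the services.netscreen.com request URL of the worked example from the device, OS and detector values, and it verifies a downloaded set of files before they are carried into the DMZ, checking that every expected file is present, that every .gz really is a gzip stream (a browser that transparently decompressed it leaves plain XML under the .gz name, which is one way the "wrong extension" failure above arises) and that every MD5 equals the value transcribed from SignatureUpdate.xml. The document does not reproduce the SignatureUpdate.xml schema, so the manifest is a constructed {filename: md5} mapping filled in by hand, and the sample files and the three faults in demo() are constructed as well.

```python
"""Pre-transfer check of an offline Juniper IDP signature bundle.

Added example, not from SABP-Z-085 or Juniper. The manifest is a hand-filled
{filename: expected md5 hex} mapping taken from SignatureUpdate.xml.
"""
import gzip
import hashlib
import os
import tempfile
from urllib.parse import urlencode

GZIP_MAGIC = b"\x1f\x8b"

# File names from the worked example in section 7. The .gz ones must be real
# gzip streams or the SRX cannot unpack them.
BUNDLE_FILES = (
    "SignatureUpdate.xml.gz",
    "application_groups.xml.gz",
    "applications.xsd",
    "applications.xml.gz",
    "libidp-detector.so.tgz.v",
    "groups.xml.gz",
    "platforms.xml.gz",
)


def build_update_url(device, os_version, detector, from_version="", to_version="latest"):
    """Compose the request URL from the values read off the SRX
    (device model, Junos major version, detector version)."""
    base = "https://services.netscreen.com/cgi-bin/index.cgi"
    params = {"device": device, "feature": "idp", "os": os_version,
              "detector": detector, "from": from_version, "to": to_version,
              "type": "update"}
    return base + "?" + urlencode(params)


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5; same value the SRX 'file checksum md5' prints."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_bundle(directory, manifest):
    """Check each manifest entry under `directory`.
    Returns {filename: 'ok' | 'missing' | 'not-gzip' | 'md5-mismatch'}."""
    report = {}
    for name, expected_md5 in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        if name.endswith(".gz"):
            with open(path, "rb") as fh:
                if fh.read(2) != GZIP_MAGIC:
                    report[name] = "not-gzip"   # saved decompressed or as an error page
                    continue
        actual = md5_of_file(path)
        report[name] = "ok" if actual == expected_md5.lower() else "md5-mismatch"
    return report


def bundle_is_complete(report):
    """True only when every file is present, well-formed and matches its MD5."""
    return bool(report) and all(status == "ok" for status in report.values())


def demo():
    """Constructed sample bundle: correct files plus three typical download faults."""
    workdir = tempfile.mkdtemp(prefix="idp-bundle-")
    manifest = {}
    for name in BUNDLE_FILES:
        payload = f"<!-- constructed content for {name} -->\n".encode()
        if name.endswith(".gz"):
            payload = gzip.compress(payload)
        manifest[name] = hashlib.md5(payload).hexdigest()   # stands in for the XML value
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(payload)
    # Fault 1: the browser decompressed platforms.xml.gz but kept the .gz name.
    with open(os.path.join(workdir, "platforms.xml.gz"), "wb") as fh:
        fh.write(b"<platforms/>\n")
    # Fault 2: applications.xsd was truncated in transit, so its MD5 differs.
    with open(os.path.join(workdir, "applications.xsd"), "wb") as fh:
        fh.write(b"<xs:schema")
    # Fault 3: groups.xml.gz was never downloaded.
    os.remove(os.path.join(workdir, "groups.xml.gz"))
    return verify_bundle(workdir, manifest)


if __name__ == "__main__":
    print(build_update_url("srx550", "10.2", "10.2.140090831"))
    for name, status in demo().items():
        print(f"{status:13s} {name}")
```

Run it on the workstation that performed the download; bundle_is_complete() must return True before anything is copied to the SRX, where file checksum md5 gives a second, independent reading of each hash. Note that MD5 here only catches corruption or truncation: the expected hashes come from the same server as the files, so authenticity rests on the HTTPS connection to services.netscreen.com, not on the checksum.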
- templates.xml.gz
  https://services.netscreen.com/xmlupdate/89/Templates/1/templates.xml.gz
Step 1:
Copy the text below into a new file and name it sigdwn.vbs. The lines before the
If block complete the fragment so that it runs as written: the URL is the
SignatureUpdate.xml.gz address from Step 2, and strHDLocation is an assumed
local file name to be adjusted as required.
strFileURL = "https://services.netscreen.com/xmlupdate/170/SignatureUpdates/2686/SignatureUpdate.xml.gz"
strHDLocation = "SignatureUpdate.xml.gz" 'assumed save path, adjust as required
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.Open "GET", strFileURL, False
objXMLHTTP.Send
If objXMLHTTP.Status = 200 Then 'save only a real 200 reply, never an error page
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Type = 1 : objADOStream.Open 'adTypeBinary: write the .gz byte for byte
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If
Step 2:
This can be achieved by pasting the address into the browser and pressing Enter;
in the worked example the SignatureUpdate.xml.gz address is:
https://services.netscreen.com/xmlupdate/170/SignatureUpdates/2686/SignatureUpdate.xml.gz
Step 3:
Step 4:
The script can be executed from the command line as shown below:
C:\> cscript.exe sigdwn.vbs
As you may notice, the file SignatureUpdate.xml.gz is valid and the download was
successfully completed from my own Aramco computer.