
Best Practice

SABP-Z-085 20 April 2016

Juniper Intrusion Detection and Prevention Signatures Offline Update


Document Responsibility: Plants Networks Standards Committee

Saudi Aramco DeskTop Standards


Table of Contents

1 Introduction 2
2 Conflicts with Mandatory Standards 2
3 References 3
4 Definitions 3
5 Background 5
6 The on-line update approach 5
7 The offline update methodology 6

Previous Issue: New
Next Planned Update: 3 May 2020


Page 1 of 15
Primary contact: Ouchn, Nabil J (ouchnnj) on +966-3-8801365

Copyright©Saudi Aramco 2016. All rights reserved.


Document Responsibility: Plants Networks Standards Committee
Issue Date: 20 April 2016
Next Planned Update: 3 May 2020
SABP-Z-085 Network Devices Support Guide – Juniper IPS Signatures

1 Introduction
1.1 Purpose and Intended Users
The purpose of this best practice document is to establish a recommended
methodology to implement advanced security configurations for Industrial
Control Systems (ICS). These guidelines are intended for plant network
administrator(s) and technical support staff for the purpose of prompt risk
mitigation and overall adherence to company’s cyber security regulations,
especially those intended for immediate implementation. The intended users
include engineers and / or technicians working as Process Automation Network
(PAN) Administrators.
1.2 Scope
This best practice defines the methodology for updating the IDP signatures of the
Juniper SRX gateway offline, so as to maintain the "secure configuration" required
by SAEP-99 "Process Automation Networks and Systems Security".
1.3 Disclaimer
This Best Practice complements other procedures or best practices provided by
vendor and / or consulting agent for the implementation of security configurations
by the PAN administrator(s), and shall not be considered “exclusive” to provide
“comprehensive” compliance to SAEP-99 or any other Saudi Aramco
Engineering’s standards requirements.
The use of this Best Practice does not relieve the PAN administrator(s) from their
responsibility or duties to confirm and verify the accuracy of any information
presented herein and the thorough coordination with respective control system
steering committee chairman and vendor.

2 Conflicts with Mandatory Standards


In the event of a conflict between this Best Practice and other Mandatory Saudi Aramco
Engineering Requirements, the Mandatory Saudi Aramco Engineering Requirements
shall govern.


3 References
Specific sections of the following documents are referenced within the body of the
document. Material or equipment supplied to this best practice, shall comply with the
referenced sections of the latest edition of these specifications. Where specific sections
are not referenced, the system shall comply with the entire referenced document.
Saudi Aramco References
Saudi Aramco Engineering Procedures
SAEP-99 Process Automation Networks and Systems
Security
Saudi Aramco Engineering Standards
SAES-Z-001 Process Control Systems
SAES-Z-010 Process Automation Networks
General Instruction
GI-0710.002 Classification of Sensitive Information

4 Definitions
This section contains definitions for acronyms, abbreviations, words, and terms as they
are used in this document.
4.1 Acronyms
CLI - Command Line Interface
DHCP - Dynamic Host Configuration Protocol
HTTPS - HyperText Transfer Protocol Secure
IP - Internet Protocol
IDP - Intrusion Detection and Prevention
NTP - Network Time Protocol
PCS - Process Control Systems
PAN - Process Automation Network
SSH - Secure Shell
SNMP - Simple Network Management Protocol

4.2 Terms
Authentication: A security measure designed to establish the validity of a
transmission, message, or originator, or a means of verifying an individual's
authorization to receive specific categories of information. Wherever there are
assets worth protecting, authentication is the first step in protecting systems
and information: it establishes who is requesting access before any access is
granted.
Process Automation Systems (PAS): PAS include Networks and Systems
hardware and software such as Process Automation Network (PAN), Distributed
Control Systems (DCSs), Emergency Shutdown Systems (ESD), Programmable
Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA)
systems, Terminal Management Systems (TMS), networked electronic sensing
systems, and monitoring (such as VMS AND PMS), diagnostic, and related
industrial automation and control systems. PAS also include associated internal,
human, network, or machine interfaces used to provide control, safety,
maintenance, quality assurance, and other process operations functionalities to
continuous, batch, discrete, and combined processes.
Logs: Files or prints of information in chronological order.
PAN: Process Automation Network, sometimes referred to as Plant Information
Network (PIN), is a plant-wide network (switches, routers, firewalls, computers,
etc.) interconnecting the process control systems and providing an interface to
the corporate network.
PAN Administrator: The Process Automation Network (PAN) Administrator
administers and performs system configuration and monitoring, coordinating with
the Process Control System Administrator, if different, as designated by the plant
management. The PAN Administrator assumes ownership of the IA&CS, including the
PAN Firewall, and has the function of granting, revoking, and tracking access
privileges and communications of users on the ICS, including the Firewall.
Password: A form of secret authentication data that is used to control access to
a resource. Password authentication determines authenticity based on testing for
a device or a user that is requesting access to systems using for example a personal
identification number (PIN) or password. Password authentication scheme is the
simplest and most common mechanism.
Server: A dedicated un-manned data provider.


5 Background
The Juniper SRX family ships with an Intrusion Detection and Prevention (IDP)
module whose purpose is to detect and react to network attacks in the traffic
passing through the SRX Series firewall. To be effective, the IDP attack signatures
must be updated frequently so that the newest attacks and attack variants are
detected; downloading signatures requires a valid idp_sig license (section 7.2).

In a normal configuration, the IDP module fetches its updates directly from
Juniper's Internet-facing update servers. This document describes the offline
approach to obtaining the latest attack signature database, since the Saudi Aramco
Plant DMZ is not connected to the Internet.

6 The on-line update approach


This configuration setup is for informational purpose only. A direct Internet connection
to the Plant DMZ is strictly prohibited.

The online IDP security package update is straightforward to schedule through J-Web:

- Select Configure > Security > IDP > Signature Update.
- Click the Download tab.
- Click the Security Package Automatic Download Settings link.
- Leave the URL field blank so that the SRX uses the predefined default URL.
- In the Start Time field, enter XX-YY.ZZ:00
- In the Interval field, enter 168 (hours, i.e. once a week)
- Tick "Enable Schedule Update".
- Click OK.
- Click Apply and commit the changes.

XX is the month, YY is the day and ZZ is the hour. The value 01-10.02:00 means the
update will start automatically on 10 January at 2:00 am and repeat every 168 hours.


7 The offline update methodology


Saudi Aramco plants using Juniper SRX Series devices will rely on the following
guidelines to update the IDP signatures.
At the time of writing, there is no exchange platform in the Plant DMZ that could
serve as a buffer environment for obtaining the security packages. It is therefore
mandatory for PAN Administrators to take extra precautions when downloading the
bundles.

7.1 Assumptions
It is assumed that the PAN Administrator knows how to connect remotely to the
Juniper device through its management accesses (SSH for the CLI, SFTP/SCP for file
transfer; cleartext Telnet and FTP should not be enabled on the PAN firewall) and
has the appropriate licensing information available.

7.2 Licensing
Licenses can be loaded manually via J-Web, NSM, or the CLI. From the CLI:

root> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]

- Paste the license key and press Enter.
- Type Ctrl+D on a new line.

The license key should be added successfully.


Verify the license was installed using the following command:

root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp_sig                               0            1           0    2013-03-06

The idp_sig entry must show at least one installed license with an expiry date in
the future; an expired idp_sig license prevents the signature package from being
installed.


7.3 Security rules


The packages shall be downloaded only from the sources given in this document.
The PAN Administrator shall use exclusively a Saudi Aramco computer with hardening
controls enabled to download the security bundles.
Once the bundles are downloaded, they shall be scanned with the latest AV engine
before use and, as described in section 7.6, their MD5 checksums compared against
the values listed in SignatureUpdate.xml.

7.4 Intrusion Signatures Database and System Version


In order to download the appropriate security package bundle, you need to know the
exact detector version running on your Junos device. It is obtained with the
following command:

root@srx> show security idp security-package-version
Attack database version:1499(Tue Sep 8 09:02:16 2009)
Detector version :10.2.140090831
Policy template version :N/A

The detector version, 10.2.140090831 in this output, is the value we are looking for.


7.5 Download the package


The package for the SRX Series firewall is downloaded from the location
https://services.netscreen.com/cgi-bin/index.cgi?device=XXX&feature=idp&os=YYY&detector=ZZZZZ&from=&to=latest&type=update

The parameters in the above URL are:

- device = device type (e.g. srx5800, srx3400, srx3600, etc.); for SRX Branch
  devices the device type is jsrx210, jsrx240 and so on
- feature = idp (the other values change, feature never does)
- os = Junos version (9.6, 10.0, 10.1 and so on)
- detector = the detector version displayed in the output of section 7.4
  (e.g. 10.2.140090831)
- from = currently installed attack database version (left empty if there is no
  database yet)
- to = version to download; if not mentioned, the latest is downloaded

For our case, according to the example above, we have the following values:

- device = srx550
- detector = 10.2.140090831
- os = 10.2

With the link set as below, a file called SignatureUpdate.xml.gz is downloaded:

https://services.netscreen.com/cgi-bin/index.cgi?device=srx550&feature=idp&os=10.2&detector=10.2.140090831&from=&to=latest&type=update

Refer to Appendix A for a VBS script that downloads the signature file from a
Saudi Aramco computer.

When the download of SignatureUpdate.xml.gz is complete, unzip it and open the
file in order to locate the URLs for downloading the rest of the Attack Database
files. The files that need to be downloaded are listed after the example below.


Example of the unzipped file SignatureUpdate.xml:

<?xml version="1.0" encoding="UTF-8"?>
<SignatureUpdate type="base"
    xsi:noNamespaceSchemaLocation="http://services.netscreen.com/xmlupdate/SignatureUpdate.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://services.netscreen.com">
  <XMLVersion>1.0.0</XMLVersion>
  <UpdateNumber>1484</UpdateNumber>
  <ExportDate>Tue Aug 18 10:31:22 2009</ExportDate>
  <ApplicationGroups md5="6ee5d392ec033625292a689b1465b70a" version="8">
    https://services.netscreen.com/xmlupdate/89/ApplicationGroups/8/application_groups.xml.gz
  </ApplicationGroups>
  <ApplicationSchema md5="0a13c75093b386c292746bea7eec16aa" version="19">
    https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xsd
  </ApplicationSchema>
  <Applications md5="6c7bae362af8fa5df969ca9cf26b5dd1" version="19">
    https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xml.gz
  </Applications>
  <Contexts md5="402ffe32a6c2c8d28291a458d4e8329a" version="8">
    https://services.netscreen.com/xmlupdate/89/Contexts/8/contexts.xml.gz
  </Contexts>
  <Detector md5="8a3a7fa2fd214025f7e1b8f0f9f43b38" version="10.2.140090602" family="srx">
    https://services.netscreen.com/xmlupdate/89/Detector/10.2.140090602/libidp-detector.so.tgz.v
  </Detector>
  <Filters md5="cd85f6ab8c48ae087563aaf7d5844ded" version="1">
    https://services.netscreen.com/xmlupdate/89/Filters/1/filters.xml.gz
  </Filters>
  <Groups md5="387deeff3e4713bf18f1632289c10beb" version="2">
    https://services.netscreen.com/xmlupdate/89/Groups/2/groups.xml.gz
  </Groups>
  <Platforms md5="98f752b5af92c348e3d664ffd187b00a" version="9">
    https://services.netscreen.com/xmlupdate/89/Platforms/9/platforms.xml.gz
  </Platforms>
  <Products md5="db6df3a3d22c280e84637d5faac81163" version="2">
    https://services.netscreen.com/xmlupdate/89/Products/2/products.xml.gz
  </Products>
  <Services md5="cf106794e453acca87464aec38b29ee3" version="7">
    https://services.netscreen.com/xmlupdate/89/Services/7/services.xml.gz
  </Services>
  <Templates md5="c4d5b4a11ac9eb363112eb60fb45315f" version="1">
    https://services.netscreen.com/xmlupdate/89/Templates/1/templates.xml.gz
  </Templates>
</SignatureUpdate>


From the file above, we can identify the URLs for downloading the following files:

- application_groups.xml.gz
  https://services.netscreen.com/xmlupdate/89/ApplicationGroups/8/application_groups.xml.gz
- applications.xsd
  https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xsd
- applications.xml.gz
  https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xml.gz
- libidp-detector.so.tgz.v
  https://services.netscreen.com/xmlupdate/89/Detector/10.2.140090602/libidp-detector.so.tgz.v
- groups.xml.gz
  https://services.netscreen.com/xmlupdate/89/Groups/2/groups.xml.gz
- platforms.xml.gz
  https://services.netscreen.com/xmlupdate/89/Platforms/9/platforms.xml.gz

Ensure that all files have been downloaded with the correct name and extension
(a download error page saved under a .gz name will not be recognised), otherwise
the update may fail.


7.6 Package installation


Transfer all the downloaded files to the SRX device over an SSH-based file
transfer (SFTP or SCP), for example into /var/tmp.

The files must then be placed in the directory /var/db/idpd/sec-download. From the
Junos CLI, drop to the shell and copy them:

root@srx> start shell
% cp /var/tmp/applications.xml.gz /var/tmp/applications.xsd \
     /var/tmp/application_groups.xml.gz /var/tmp/groups.xml.gz \
     /var/tmp/platforms.xml.gz /var/tmp/SignatureUpdate.xml.gz \
     /var/tmp/libidp-detector.so.tgz.v /var/db/idpd/sec-download/
% exit

Verify the integrity of the copied files before unzipping them, since the checksums
in SignatureUpdate.xml are those of the files as downloaded. For example:

root@srx> file checksum md5 /var/db/idpd/sec-download/applications.xml.gz
MD5 (/var/db/idpd/sec-download/applications.xml.gz) = 6c7bae362af8fa5df969ca9cf26b5dd1

Compare the MD5 checksum returned for each file with the md5 attribute of the
corresponding element in SignatureUpdate.xml (6c7bae362af8fa5df969ca9cf26b5dd1 for
applications.xml.gz in the example manifest above). They must be identical; any
difference means the file is corrupted or incomplete and must be downloaded again.
Note that this MD5 comparison only detects corruption in transit; the authenticity
of the bundle rests on having fetched it over HTTPS from the Juniper source given in
section 7.5 and on the controls of section 7.3.

All downloaded .gz files are then unzipped from the shell:

root@srx> start shell
% cd /var/db/idpd/sec-download
% gzip -d SignatureUpdate.xml.gz
% gzip -d applications.xml.gz
% gzip -d application_groups.xml.gz
% gzip -d groups.xml.gz
% gzip -d platforms.xml.gz
% gzip -d libidp-detector.so.tgz.v
% exit

Start the update process using the following syntax:


> request security idp security-package install source-path
/var/db/idpd/sec-download

Check the status of the update:

> request security idp security-package install status

Verify the new update version:


> show security idp security-package-version
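The manifest handling of section 7.5 (finding the file URLs in SignatureUpdate.xml) and the checksum comparison of section 7.6 can both be performed on the download workstation before anything is transferred to the SRX. The following Python script is an added example written for this page; it is not part of the Saudi Aramco document or of Juniper's tooling. It assumes that each md5 attribute in the manifest is the MD5 of the file exactly as downloaded (the compressed .gz, not its deflated content), which is also what the `file checksum md5` comparison above relies on. The sample manifest is constructed from the excerpt in section 7.5 and the sample file contents are made up.

```python
"""Parse the Juniper IDP manifest (SignatureUpdate.xml) and check downloaded files.

Added example for this page, not code from the Saudi Aramco document or from Juniper.
Assumption: each md5 attribute is the MD5 of the file as downloaded (the .gz itself),
which is what the 'file checksum md5' comparison on the SRX relies on as well.
"""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

NS = "{http://services.netscreen.com}"  # default namespace declared by the manifest

# Elements the document requires: the six files of section 7.5 plus Templates (7.7).
REQUIRED = ("ApplicationGroups", "ApplicationSchema", "Applications",
            "Detector", "Groups", "Platforms", "Templates")

# Constructed sample, modelled on the SignatureUpdate.xml excerpt in section 7.5.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<SignatureUpdate type="base" xmlns="http://services.netscreen.com">
  <XMLVersion>1.0.0</XMLVersion>
  <UpdateNumber>1484</UpdateNumber>
  <ApplicationGroups md5="6ee5d392ec033625292a689b1465b70a" version="8">https://services.netscreen.com/xmlupdate/89/ApplicationGroups/8/application_groups.xml.gz</ApplicationGroups>
  <ApplicationSchema md5="0a13c75093b386c292746bea7eec16aa" version="19">https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xsd</ApplicationSchema>
  <Applications md5="6c7bae362af8fa5df969ca9cf26b5dd1" version="19">https://services.netscreen.com/xmlupdate/89/Applications/19/applications.xml.gz</Applications>
  <Detector md5="8a3a7fa2fd214025f7e1b8f0f9f43b38" version="10.2.140090602" family="srx">https://services.netscreen.com/xmlupdate/89/Detector/10.2.140090602/libidp-detector.so.tgz.v</Detector>
  <Groups md5="387deeff3e4713bf18f1632289c10beb" version="2">https://services.netscreen.com/xmlupdate/89/Groups/2/groups.xml.gz</Groups>
  <Platforms md5="98f752b5af92c348e3d664ffd187b00a" version="9">https://services.netscreen.com/xmlupdate/89/Platforms/9/platforms.xml.gz</Platforms>
  <Templates md5="c4d5b4a11ac9eb363112eb60fb45315f" version="1">https://services.netscreen.com/xmlupdate/89/Templates/1/templates.xml.gz</Templates>
</SignatureUpdate>
"""


def index_url(device, os_version, detector, current=""):
    """Build the index.cgi request of section 7.5 in the document's parameter order;
    'from' stays empty when no attack database is installed yet."""
    query = urlencode([("device", device), ("feature", "idp"), ("os", os_version),
                       ("detector", detector), ("from", current),
                       ("to", "latest"), ("type", "update")])
    return "https://services.netscreen.com/cgi-bin/index.cgi?" + query


def parse_manifest(xml_text):
    """Return {element name: {url, md5, version, filename}} for every element carrying
    an md5 attribute. ElementTree returns namespace-qualified tags, so NS is stripped."""
    entries = {}
    for elem in ET.fromstring(xml_text):
        digest = elem.get("md5")
        if not digest:
            continue  # XMLVersion, UpdateNumber, ExportDate describe no file
        url = (elem.text or "").strip()
        entries[elem.tag.replace(NS, "")] = {
            "url": url, "md5": digest.lower(), "version": elem.get("version"),
            "filename": urlsplit(url).path.rsplit("/", 1)[-1]}
    return entries


def download_list(entries):
    """(filename, url) pairs for the required elements; a manifest missing one of them
    is rejected instead of silently yielding an incomplete bundle."""
    missing = [name for name in REQUIRED if name not in entries]
    if missing:
        raise KeyError("manifest lacks required elements: " + ", ".join(missing))
    return [(entries[name]["filename"], entries[name]["url"]) for name in REQUIRED]


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def check_file(filename, data, entries):
    """Mirror the section 7.6 check: MD5 of the downloaded bytes against the manifest.
    For *.gz names the gzip magic is tested first, which catches an HTML error page
    saved under the .gz name (the 'wrong extension' failure of section 7.5).
    Returns (ok, reason)."""
    entry = next((e for e in entries.values() if e["filename"] == filename), None)
    if entry is None:
        return False, "not listed in manifest"
    if filename.endswith(".gz") and not data.startswith(b"\x1f\x8b"):
        return False, "not a gzip stream"
    actual = md5_hex(data)
    if actual != entry["md5"]:
        return False, "md5 mismatch: manifest %s != file %s" % (entry["md5"], actual)
    return True, "ok"


if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE_MANIFEST)
    print(index_url("srx550", "10.2", "10.2.140090831"))
    for name, url in download_list(manifest):
        print("fetch", name, "from", url)
    # Constructed inputs: an error page saved as .gz, then bytes that match the manifest.
    print(check_file("applications.xml.gz", b"<html>Not Found</html>", manifest))
    good = b"\x1f\x8bconstructed gzip payload"
    fixed = parse_manifest(SAMPLE_MANIFEST.replace(manifest["Applications"]["md5"], md5_hex(good)))
    print(check_file("applications.xml.gz", good, fixed))
```

To use it against a real download, read the unzipped SignatureUpdate.xml into parse_manifest, fetch each (filename, url) from download_list, and pass each saved file's bytes to check_file before copying it to the SRX. A file that fails the gzip magic test is typically an HTML error page saved under the .gz name. As on the SRX itself, an MD5 match only rules out truncation or corruption in transit; it does not authenticate the source, which is why sections 7.3 and 7.5 restrict where and how the bundles are fetched.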


7.7 Policy deployment

Copy the SignatureUpdate.xml obtained in the previous step to the
/var/db/idpd/sec-download/sub-download folder.

Download templates.xml.gz from the Juniper site; its location is given by the
Templates element of SignatureUpdate.xml, in the example above:

https://services.netscreen.com/xmlupdate/89/Templates/1/templates.xml.gz

Copy templates.xml.gz to the /var/db/idpd/sec-download/sub-download folder and
deflate it from the shell:

% gzip -d templates.xml.gz

Install the policy templates:

> request security idp security-package install policy-templates

Check the status of the install with the command:

> request security idp security-package install status


Appendix A: Automated script to download the signature

The SignatureUpdate.xml.gz can be downloaded using the following VBS script.

Step 1:
Copy the text and paste into a new file and rename it sigdwn.vbs

' sigdwn.vbs - fetch the IDP signature manifest over HTTPS and save it to disk

' Set your settings
strFileURL = "SIGNATURE_URL"           ' direct link to SignatureUpdate.xml.gz (see Step 2)
strHDLocation = "SIGNATURE_LOCATION"   ' local path to save to, e.g. D:\SignatureUpdate.xml.gz

' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, False
objXMLHTTP.send

If objXMLHTTP.Status = 200 Then
    ' Write the response body as a binary stream so the .gz is saved byte for byte
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start

    ' Replace any previous copy of the file
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing

    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
    WScript.Echo "Saved " & strFileURL & " to " & strHDLocation
Else
    ' Anything other than 200 means no signature file was written
    WScript.Echo "Download failed, HTTP status " & objXMLHTTP.Status
End If

Set objXMLHTTP = Nothing

Step 2:

Resolve the following address into a direct link:

https://services.netscreen.com/cgi-bin/index.cgi?device=srx550&feature=idp&os=10.2&detector=10.2.140090831&from=&to=latest&type=update

This is achieved by pasting the address into the browser and pressing Enter.


The link will be displayed as

https://services.netscreen.com/xmlupdate/170/SignatureUpdates/2686/SignatureUpdate.xml.gz

Step 3:

The following variables should be modified

' Set your settings
strFileURL = "SIGNATURE_URL"
strHDLocation = "SIGNATURE_LOCATION"

to

' Set your settings
strFileURL = "https://services.netscreen.com/xmlupdate/170/SignatureUpdates/2686/SignatureUpdate.xml.gz"
strHDLocation = "D:\SignatureUpdate.xml.gz"

Step 4:


The script is executed from the command line as depicted below:

C:\> cscript.exe sigdwn.vbs

The resulting file SignatureUpdate.xml.gz is valid and the download was successfully
achieved from a Saudi Aramco computer.
