
IDP (INTRUSION DETECTION AND PREVENTION)

SRX IDP: full IDP stateful inspection. 8 detection mechanisms, including stateful signatures and protocol anomalies. Reassemble, normalize, and eliminate ambiguity; track sessions. [Figure: packets enter the SRX as application traffic, SRX IDP inspects them and either denies some attacks or denies the traffic.] Copyright 2009 Juniper Networks, Inc. www.juniper.net

A dedicated team researching vulnerabilities and new threats; protocol-decode know-how; partnerships with multiple research institutions and vendors; reverse-engineering experts; a global honeypot network; industry-leading response time; signatures updated daily; a globally distributed team; in an emergency, updates within hours or even minutes. www.juniper.net/security

IDP

IDP license. The IDP signature feature (idp-sig) needs a license; load it with request system license add and confirm it is installed and not expired with show system license:
lab@srx1> request system license add ?
Possible completions:
  <filename>   Filename (URL, local, remote, or floppy)
  terminal     Use login terminal
lab@srx1> show system license
License usage:
                 Licenses   Licenses   Licenses   Expiry
  Feature name     used     installed  needed
  idp-sig          0        1          0          2010-12-28 09:00:00 JST

Downloading the IDP security package (the SRX must resolve and reach services.netscreen.com, so DNS must be configured). check-server only queries the server for the current version; the second command starts the download:
lab@srx1> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1687(detector=10.3.160100319, Templates=2)
lab@srx1> request security idp security-package download

Download status:
lab@srx1> request security idp security-package download status
In progress: Downloading...
lab@srx1> request security idp security-package download status
In progress: signatureupdate_tmp.xml.gz 100 % 1174171 Bytes/ 1174171 Bytes
lab@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1687(Fri May 21 12:48:07 2010, Detector=10.3.160100319)

Installing the downloaded package and checking the install status. Note the last line: the data plane is only updated when an IDP policy is already running, so on a fresh box the new attack database reaches the data plane when a policy is activated and committed later.
lab@srx1> request security idp security-package install
lab@srx1> request security idp security-package install status
In progress: performing DB update for an xml (SignatureUpdate.xml)
lab@srx1> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1687,ExportDate=Fri May 21 12:48:07 2010,Detector=10.3.160100319]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.

Verifying the installed attack database and detector versions (they should match the version reported by check-server):
lab@srx1> show security idp security-package-version
Attack database version:1687(Fri May 21 12:48:07 2010)
Detector version :10.3.160100319
Policy template version :N/A

Downloading the IDP policy templates:
lab@srx1> request security idp security-package download policy-templates
lab@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2

Installing the policy templates. They are delivered as a commit script (templates.xsl), which must be enabled under [system scripts commit] so the predefined policies are generated at commit time:
lab@srx1> request security idp security-package install policy-templates
lab@srx1> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!
lab@srx1# set system scripts commit file templates.xsl

Listing the available policy templates:
lab@srx1# run show security idp policy-templates-list
Web_Server
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended

IDP policy, IDP rule, step 1: the rulebase-ips match condition (from-zone, to-zone, source-address, destination-address, application, attacks). With application default, the rule inherits the application from the security policy that invokes IDP. This example matches everything and inspects for the predefined Critical and Major attack groups:
lab@srx1# set security idp idp-policy idp-policy-1 rulebase-ips rule 1 match from-zone any to-zone any source-address any destination-address any application default attacks predefined-attack-groups [Critical Major]

IDP rule, step 2: the action.
- no-action: take no action (the match can still be logged)
- ignore-connection: stop inspecting the rest of the connection
- drop-packet: drop the matching packet
- drop-connection: drop the matching packet and all further packets of the connection
- close-client: send an RST to the client and drop the connection
- close-server: send an RST to the server and drop the connection
- close-client-and-server: send an RST to both sides and drop the connection
- mark-diffserv: rewrite the DSCP value
- recommended: use the action Juniper recommends for each attack object
lab@srx1# set security idp idp-policy Intranet rulebase-ips rule 1 then action drop-connection

IDP rule, step 3: notification (log the matching attacks):
lab@srx1# set security idp idp-policy Intranet rulebase-ips rule 1 then notification log-attacks

IDP rule, step 4: IP action, applied to subsequent sessions from the attacking IP (in addition to the action on the matching session).
- ip-notify: only log subsequent sessions
- ip-close: close subsequent sessions with an RST
- ip-block: silently drop subsequent sessions
Because ip-close and ip-block affect future traffic from an address, use them only with attacks that cannot be triggered from a spoofed source, otherwise an attacker can get legitimate addresses blocked.
lab@srx1# set security idp idp-policy Intranet rulebase-ips rule 1 then ip-action ip-close

Activating the IDP policy (one IDP policy is active on the device at a time):
lab@srx1# set security idp active-policy idp-policy-1

IDP is applied per security policy: traffic is inspected only if the permitting security policy enables application-services idp.
lab@srx1# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any destination-address any application any
lab@srx1# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services idp

IDP CONFIGURATION
lab@srx1# show security idp
idp-policy idp-policy-1 {
    rulebase-ips {
        rule 1 {
            match {
                from-zone any;
                source-address any;
                to-zone any;
                destination-address any;
                application default;
                attacks {
                    predefined-attack-groups [ Critical Major ];
                }
            }
            then {
                action {
                    drop-connection;
                }
                ip-action {
                    ip-close;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}

show security idp
lab@srx1> show security idp ?
Possible completions:
  application-identification  Show IDP application identification data
  application-statistics      Show IDP application statistics
  attack                      Show IDP attack data
  counters                    Show IDP counters
  memory                      Show IDP data plane memory statistics
  policies                    Show the list of currently installed policies
  policy-templates-list       Show available policy templates
  security-package-version    Show the version of currently installed security-package
  status                      Show IDP status

lab@srx1> show security idp memory
IDP data plane memory statistics:
  Total IDP data plane memory : 212 MB
  Used      : 20 MB ( 20480 KB ) ( 9.43%)
  Available : 192 MB ( 196608 KB ) ( 90.57%)

lab@srx1# run show security idp status
State of IDP: Disabled, Up since: 2010-09-17 17:23:19 UTC (00:40:42 ago)
Packets/second: 0  Peak: 0 @ 2010-09-17 17:23:19 UTC
KBits/second  : 0  Peak: 0 @ 2010-09-17 17:23:19 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
  [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2010-09-17 17:23:19 UTC]
  TCP: [Current: 0] [Max: 0 @ 2010-09-17 17:23:19 UTC]
  UDP: [Current: 0] [Max: 0 @ 2010-09-17 17:23:19 UTC]
  Other: [Current: 0] [Max: 0 @ 2010-09-17 17:23:19 UTC]
Session Statistics:
  [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : idp-policy-1
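The security-package steps (check-server, install status, security-package-version) and the status output above are the evidence an operator has that the IDP is actually current and active. The following script is an added example, not part of the original slides or any Juniper tool: it parses those outputs and reports findings such as an installed attack database that lags the server, a data plane that never received the update, or an IDP state of Disabled. The sample strings are copied from the transcript above and are constructed test data, not live device output.

```python
import re

# Constructed samples, copied from the CLI transcript on this page.
CHECK_SERVER = """Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1687(detector=10.3.160100319, Templates=2)"""

INSTALL_STATUS = """Done;Attack DB update : successful - [UpdateNumber=1687,ExportDate=Fri May 21 12:48:07 2010,Detector=10.3.160100319]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found."""

PACKAGE_VERSION = """Attack database version:1687(Fri May 21 12:48:07 2010)
Detector version :10.3.160100319
Policy template version :N/A"""

IDP_STATUS = """State of IDP: Disabled, Up since: 2010-09-17 17:23:19 UTC (00:40:42 ago)
Packets/second: 0  Peak: 0 @ 2010-09-17 17:23:19 UTC
Policy Name : idp-policy-1"""


def server_version(text):
    """(attack DB number, detector version) advertised by 'download check-server'."""
    m = re.search(r"Version info:(\d+)\(detector=([\d.]+)", text)
    return (int(m.group(1)), m.group(2)) if m else None


def installed_version(text):
    """(attack DB number, detector version) from 'show security idp security-package-version'."""
    db = re.search(r"Attack database version:(\d+)", text)
    det = re.search(r"Detector version\s*:\s*([\d.]+)", text)
    return (int(db.group(1)), det.group(1)) if db and det else None


def data_plane_updated(install_text):
    """True only when the install log says the data plane received the new DB/detector."""
    m = re.search(r"Updating data-plane with new attack or detector\s*:\s*(.+)", install_text)
    return bool(m) and m.group(1).strip().startswith("successful")


def idp_state(status_text):
    """State and active policy name from 'show security idp status'."""
    state = re.search(r"State of IDP:\s*(\w+)", status_text)
    policy = re.search(r"Policy Name\s*:\s*(\S+)", status_text)
    return {"state": state.group(1) if state else None,
            "policy": policy.group(1) if policy else None}


def audit(check_server, install_status, package_version, idp_status,
          expected_policy="idp-policy-1"):
    """Return a list of findings; an empty list means current, pushed and active."""
    findings = []
    srv = server_version(check_server)
    inst = installed_version(package_version)
    if srv is None or inst is None:
        return ["could not parse version output"]
    if srv[0] != inst[0]:
        findings.append(f"attack DB {inst[0]} installed but server offers {srv[0]}")
    if srv[1] != inst[1]:
        findings.append(f"detector {inst[1]} installed but server offers {srv[1]}")
    if not data_plane_updated(install_status):
        findings.append("data plane not updated: activate a policy, commit, then re-run install")
    st = idp_state(idp_status)
    if st["state"] == "Disabled":
        findings.append("IDP reports state Disabled")
    if st["policy"] != expected_policy:
        findings.append(f"active policy is {st['policy']}, expected {expected_policy}")
    return findings


if __name__ == "__main__":
    for f in audit(CHECK_SERVER, INSTALL_STATUS, PACKAGE_VERSION, IDP_STATUS):
        print("FINDING:", f)
```

Run against the transcript's own outputs it reports two findings (the data plane was never updated because no policy was running at install time, and the status shows Disabled), which is exactly what an operator should see before the policy is activated and committed.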