[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]

ip

See the following sections:

ip (Protocol Binding Custom Attack)

Syntax



ip {
protocol-number             transport-layer-protocol-number;

}

Hierarchy Level



[edit security idp custom-attack attack-name attack-type chain
protocol-binding]
[edit security idp custom-attack attack-name attack-type signature
protocol-binding]

Release Information

Statement introduced in Release 9.3 of JUNOS software.

Description

Allow IDP to match the attack for a specified IP protocol type.

This statement is supported on SRX-series devices.

Options

protocol-number transport-layer-protocol-number —Transport Layer protocol number.

Usage Guidelines

For configuration instructions and examples, see the JUNOS Software Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

ip (Security Screen)

Syntax



ip {
bad-option;
block-frag;
loose-source-route-option;
record-route-option;
security-option;
source-route-option;
spoofing;
stream-option;
strict-source-route-option;
tear-drop;
timestamp-option;
unknown-protocol;
}

Hierarchy Level



[edit security screen ids-option            screen-name         ]

Release Information

Statement introduced in Release 8.5 of JUNOS software.

Description

Configure IP layer IDS options.

This statement is supported on J-series and SRX-series devices.

Options

bad-option—Detect and drop any packet with an incorrectly formatted IP option in the IP packet header. The device records the event in the SCREEN counters list for the ingress interface.
block-frag—Enable IP packet fragmentation blocking.
loose-source-route-option—Detect packets where the IP option is 3 (Loose Source Routing), and record the event in the SCREEN counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other devices in between those specified.
record-route-option—Detect packets where the IP option is 7 (Record Route), and record the event in the SCREEN counters list for the ingress interface.
security-option—Detect packets where the IP option is 2 (security), and record the event in the SCREEN counters list for the ingress interface.
source-route-option—Detect packets, and record the event in the SCREEN counters list for the ingress interface.
spoofing—Prevent spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the spoofing option invalidates such false source IP address connections.
The default behavior is to base spoofing decisions on individual interfaces.
stream-option—Detect packets where the IP option is 8 (Stream ID), and record the event in the SCREEN counters list for the ingress interface.
strict-source-route-option—Detect packets where the IP option is 9 (Strict Source Routing), and record the event in the SCREEN counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field.
tear-drop—Block the Teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the device to drop any packets that have such a discrepancy.
timestamp-option—Detect packets where the IP option list includes option 4 (Internet Timestamp), and record the event in the SCREEN counters list for the ingress interface.
unknown-protocol—Discard all received IP frames with protocol numbers greater than 137. Such protocol numbers are undefined or reserved.

Usage Guidelines

For configuration instructions and examples, see the JUNOS Software Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

ip (Signature Attack)

Syntax



ip {


destination {
match (equal | greater-than
| less-than | not-equal);
value   
            hostname             ;
}




identification {
match (equal | greater-than
| less-than | not-equal);
value   
            identification-value             ;
}




ip-flags {
(df | no-df);
(mf | no-mf);
(rb | no-rb);
}




protocol {
match (equal | greater-than
| less-than | not-equal);
value   
            transport-layer-protocol-id     
       ;
}




source {
match (equal | greater-than
| less-than | not-equal);
value   
            hostname             ;
}




tos {
match (equal | greater-than
| less-than | not-equal);
value   
            type-of-service-in-decimal      
      ;
}




total-length {
match (equal | greater-than
| less-than | not-equal);
value   
            total-length-of-ip-datagram     
       ;
}




ttl {
match (equal | greater-than
| less-than | not-equal);
value   
            time-to-live             ;
}


}

Hierarchy Level



[edit security idp custom-attack            attack-name          attack-type signature protocol]

Release Information

Statement introduced in Release 9.3 of JUNOS software.

Description

Allow IDP to match the IP header information for the signature attack.

This statement is supported on SRX-series devices.

Options

The remaining statements are explained separately.

Usage Guidelines

For configuration instructions and examples, see the JUNOS Software Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

[ Contents] [ Prev] [ Next] [ Index] [ Report an Error]