Understanding IDP Policy Rules
Each instruction in an Intrusion Detection and Prevention (IDP) policy is called a rule. Rules are created in rulebases.
Rulebases are a set of rules that combine to define an IDP policy. Rules provide context to detection mechanisms by specifying which part of the network traffic the IDP system should look in to find attacks. When a rule is matched, it means that an attack has been detected in the network traffic, triggering the action for that rule. The IDP system performs the specified action and protects your network from that attack.
IDP policy rules are made up of the following components:
- Understanding IDP Rule Match Conditions
- Understanding IDP Rule Objects
- Understanding IDP Rule Actions
- Understanding IDP Rule IP Actions
- Understanding IDP Rule Notifications
Understanding IDP Rule Match Conditions
Match conditions specify the type of network traffic you want IDP to monitor for attacks.
Match conditions use the following characteristics to specify the type of network traffic to be monitored:
- From-zone and to-zone—All traffic flows from a source to a destination zone. You can select any zone for the source or destination. You can also use zone exceptions to specify unique to and from zones for each device. Specify any to monitor network traffic originating from and to any zone. The default value is any.
- Source IP Address—Specify the source IP address from which the network traffic originates. You can specify any to monitor network traffic originating from any IP address. You can also specify source-except to specify all sources except the specified addresses. The default value is any.
- Destination IP address—Specify the destination IP address to which the network traffic is sent. You can set this to any to monitor network traffic sent to any IP address. You can also specify destination-except to specify all destinations except the specified addresses. The default value is any.
- Application—Specify the Application Layer protocols supported by the destination IP address. You can specify any for all applications and default for the application configured in the attack object for the rule.
Understanding IDP Rule Objects
Objects are reusable logical entities that you can apply to rules. Each object that you create is added to a database for the object type.
You can configure the following types of objects for IDP rules.
Zone Objects
A zone or security zone is a collection of one or more network interfaces. IDP uses zone objects configured in the base system.
Address or Network Objects
Address objects represent components of your network, such as host machines, servers, and subnets. You use address objects in IDP policy rules to specify the network components that you want to protect.
Application or Service Objects
Service objects represent network services that use Transport Layer protocols such as TCP, UDP, RPC, and ICMP. You use service objects in rules to specify the service an attack uses to access your network. Juniper Networks provides predefined service objects, a database of service objects that are based on industry-standard services. If you need to add service objects that are not included in the predefined service objects, you can create custom service objects. IDP supports the following types of service objects:
- Any—Allows IDP to match all Transport Layer protocols.
- TCP—Specifies a TCP port or a port range to match network services for specified TCP ports. You can specify junos-tcp-any to match services for all TCP ports.
- UDP—Specifies a UDP port or a port range to match network services for specified UDP ports. You can specify junos-udp-any to match services for all UDP ports.
- RPC—Specifies a remote procedure call (RPC from Sun Microsystems) program number or a program number range. IDP uses this information to identify RPC sessions.
- ICMP—Specifies a type and code that is a part of an ICMP packet. You can specify junos-icmp-all to match all ICMP services.
Attack Objects
IDP attack objects represent known and unknown attacks. IDP includes a predefined attack object database that is periodically updated by Juniper Networks. Attack objects are specified in rules to identify malicious activity. Each attack is defined as an attack object, which represents a known pattern of attack. Whenever this known pattern of attack is encountered in the monitored network traffic, the attack object is matched. The three main types of attack objects are described in Table 40:
Table 40: IDP Attack Objects Description
Attack Objects | Description |
|---|---|
Signature Attack Objects | Signature attack objects detect known attacks using stateful attack signatures. An attack signature is a pattern that always exists within an attack; if the attack is present, so is the attack signature. With stateful signatures, IDP can look for the specific protocol or service used to perpetrate the attack, the direction and flow of the attack, and the context in which the attack occurs. Stateful signatures produce few false positives because the context of the attack is defined, eliminating huge sections of network traffic in which the attack would not occur. |
Protocol Anomaly Attack Objects | Protocol anomaly attack objects identify unusual activity on the network. They detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used. Protocol anomaly detection works by finding deviations from protocol standards, most often defined by RFCs and common RFC extensions. Most legitimate traffic adheres to established protocols. Traffic that does not, produces an anomaly, which may be created by attackers for specific purposes, such as evading an intrusion prevention system (IPS). |
Compound Attack Objects | A compound attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the compound attack object; you can specify the order in which signatures or anomalies must match. Use compound attack objects to refine your IDP policy rules, reduce false positives, and increase detection accuracy. A compound attack object enables you to be very specific about the events that need to occur before IDP identifies traffic as an attack. You can use And, Or, and Ordered and operations to define the relationship among different attack objects within a compound attack and the order in which events occur. |
Attack Object Groups
IDP contains a large number of predefined attack objects. To help keep IDP policies organized and manageable, attack objects can be grouped. An attack object group can contain one or more attack objects of different types. JUNOS Software supports the following two types of attack groups:
- Static groups—Contain a fixed set of attack objects.
- Dynamic groups—Contain attack objects based on a certain matching criteria. For example, a dynamic group can contain all attacks related to an application. During signature update, the dynamic group membership is automatically updated based on the matching criteria for that group.
Understanding IDP Rule Actions
Actions specify the actions you want IDP to take when the monitored traffic matches the attack objects specified in the rules.
Table 41 shows the actions you can specify for IDP rules:
Table 41: IDP Rule Actions
Term | Definition |
|---|---|
No Action | No action is taken. Use this action when you only want to generate logs for some traffic. |
Ignore Connection | Stops scanning traffic for the rest of the connection if an attack match is found. IDP disables the rulebase for the specific connection. Note: This action does not mean ignore an attack. |
Diffserv Marking | Assigns the indicated Differentiated Services code point (DSCP) value to the packet in an attack, then passes the packet on normally. Note that DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets. |
Drop Packet | Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address. Note: When an IDP policy is configured using a non-packet context defined in a custom signature for any application and has the action drop packet, when IDP identifies an attack the decoder will promote drop_packet to drop_connection. With a DNS protocol attack, this is not the case. The DNS decoder will not promote drop_packet to drop_connection when an attack is identified. This will ensure that only DNS attack traffic will be dropped and valid DNS requests will continue to be processed. This will also avoid TCP retransmission for the valid TCP DNS requests.. |
Drop Connection | Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing. |
Close Client | Closes the connection and sends an RST packet to the client but not to the server. |
Close Server | Closes the connection and sends an RST packet to the server but not to the client. |
Close Client and Server | Closes the connection and sends an RST packet to both the client and the server. |
Recommended | All predefined attack objects have a default action associated with them. This is the action that Juniper Networks recommends when that attack is detected. Note: This action is supported only for IPS rulebases. Recommended —A list of all attack objects that Juniper Networks considers to be serious threats, organized into categories.
|
Understanding IDP Rule IP Actions
IP actions are actions that apply on future connections that use the same IP action attributes. For example, you can configure an IP action in the rule to block all future HTTP sessions between two hosts if an attack is detected on a session between the hosts. Or you can specify a timeout value that defines that the action should be applied only if new sessions are initiated within that specified timeout value. The default timeout value for IP actions is 0, which means that IP actions are never timed out.
IP actions are similar to other actions; they direct IDP to drop or close the connection. However, because you now also have the attacker’s IP address, you can choose to block the attacker for a specified time. If attackers cannot immediately regain a connection to your network, they might try to attack easier targets. Use IP actions in conjunction with actions and logging to secure your network.
IP action attributes are a combination of the following fields:
- Source IP address
- Destination IP address
- Destination port
- From-zone
- Protocol
Table 42 summarizes the types IP actions supported by IDP rules:
Table 42: IDP Rule IP Actions
Term | Definition |
|---|---|
Notify | Does not take any action against future traffic, but logs the event. This is the default. |
Drop/Block Session | All packets of any session matching the IP action rule are dropped silently. |
Close Session | Any new sessions matching this IP action rule are closed by sending RST packets to the client and server. |
When traffic matches multiple rules, the most severe IP action of all matched rules is applied. The most severe IP action is the Drop/Block Session action, the next in severity is the Close Session action, and then the Notify action.
Understanding IDP Rule Notifications
Notification defines how information is to be logged when an action is performed. When attacks are detected, you can choose to log an attack and create log records with attack information and send that information to the log server.
By using notifications, you can also configure the following options that instruct the log server to perform specific actions on logs generated for each rule:
- Set Alerts—Specify an alert option for a rule in the IDP policy. When the rule is matched, the corresponding log record displays an alert in the alert column of the Log Viewer. Security administrators use alerts to become aware of and react to important security events.
- Set Severity Level—Set severity levels
in logging to support better organization and presentation of log
records on the log server. You can use the default severity settings
of the selected attack objects or choose a specific severity for your
rule. The severity you configure in the rules overrides the inherited
attack severity. You can set the severity level to the following levels:
- Info—2
- Warning—3
- Minor—4
- Major—5
- Critical—7
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Understanding IDP Policy Rulebases
- Understanding IDP Application-Level DDoS Rulebases
- Understanding IDP IPS Rulebases
- Understanding IDP Exempt Rulebases
- Understanding IDP Terminal Rules
- Understanding DSCP Rules in IDP Policies
- Understanding Predefined IDP Policy Templates