IDP-Based Threat Detection for SRX Series Firewalls
An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce various attack detection and prevention techniques on network traffic. You can enable IDP on the Juniper Networks® SRX Series Firewall operating as a spoke device in your Juniper Mist™ network by activating it in an application policy.
Intrusion detection is the process of monitoring the events occurring on your network and analyzing them for signs of incidents, violations, or imminent threats to your security policies. Intrusion prevention is the process of performing intrusion detection and then stopping the detected incidents. For details, see Intrusion Detection and Prevention Overview.
You must install the IDP signature database update license key on your Mist device. For details about licenses, see Junos OS Feature License Keys. The Juniper Mist cloud portal manages downloading of signatures and enabling the IDP features on your firewall if you have a valid license.
Juniper Mist cloud supports the following IDP profiles:
- Standard—The Standard profile is the default profile and represents the set of IDP signatures and rules that Juniper Networks recommends. Each attack type and severity has a Juniper-defined, non-configurable action that the IDP engine enforces when it detects an attack. The possible actions are as follows:
  - Close the client and server TCP connection.
  - Drop the current packet and all subsequent packets.
  - Send an alert only (no additional action).
- Alert—The Alert profile is suitable only for low-severity attacks. When the IDP engine detects malicious traffic on the network, the system generates an alert, but it does not take additional measures to prevent the attack. The IDP signatures and rules are the same as in the Standard profile.
- Strict—The Strict profile contains a similar set of IDP signatures and rules as the Standard profile. However, when the system detects an attack, this profile actively blocks any malicious traffic or other attacks detected on the network.
- Critical Only (SRX)—The Critical Only profile is suitable for critical-severity attacks. When the system detects a critical attack, this profile takes appropriate action. We recommend the Critical Only (SRX) profile for the SRX300 line of firewalls.
- None—No profile is applied when you select this option.
You can apply an IDP profile to an application policy. Each profile has an associated traffic action, and these actions define how to apply a rule set to a service or an application policy. Actions in the IDP profile are preconfigured and are not available for users to configure.
To configure IDP-based threat detection:
After you apply an IDP profile, the spoke devices download the IDP policy and display the status of IDP as Enabled, as shown in Figure 2.
You can test the effects of the IDP-based security scanning by launching sample attacks in a lab. You can use tools such as Nikto in Kali Linux, which offers a variety of options for security penetration testing.
Use a virtual machine (VM) desktop (desktop1) in a sandbox or lab environment, and install a simple security scanner for web servers, such as Nikto. Nikto is an open-source web server and web application scanner. For example, you can run Nikto against an unhardened Apache Tomcat web server (or its equivalent) that is local to your lab. In this test, you send plain (unencrypted) HTTP requests so that the IDP engine can inspect them.
The following sample shows the process: install the tool, confirm that the HTTP server is reachable, and then launch the scan.
```
virsh console desktop1
apt-get update
apt-get install -y nikto
# Check the Apache Tomcat Server of the local lab
wget http://172.16.77.155:8080
--2022-09-16 15:47:32--  http://172.16.77.155:8080/
Connecting to 172.16.77.155:8080... connected.
HTTP request sent, awaiting response... 200
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html          [ <=> ]  10.92K  --.-KB/s    in 0s

2022-09-16 15:47:32 (85.3 MB/s) - ‘index.html’ saved [11184]
# Now start our security scanner for the first time
nikto -h http://172.16.77.155:8080
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.77.155
+ Target Hostname:    172.16.77.155
+ Target Port:        8080
+ Start Time:         2022-09-16 15:48:22 (GMT0)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1556961512000
+ OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ Cookie JSESSIONID created without the httponly flag
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.
+ /manager/html: Default Tomcat Manager interface found
+ 6544 items checked: 1 error(s) and 10 item(s) reported on remote host
+ End Time:           2022-09-16 15:50:03 (GMT0) (101 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
You can view the generated events by navigating to Site > Secure WAN Edge IDP/URL Events.
Figure 3 shows detected events generated for an SRX Series Firewall.
In the previous example, you used passive logging of the events by applying the Alert IDP profile type. Next, use the Strict IDP profile type to stop or mitigate the events. When you use the Strict profile, the IDP engine closes the TCP connections of the detected attacks.
You can follow the same process as shown in the sample. However, this time you edit the spoke device template and change the IDP profile from Alert to Strict, as shown in Figure 4.
Run the security scanner again. You'll notice that the scan takes longer because the scanner encounters more errors and reports fewer events.
```
nikto -h http://172.16.77.155:8080
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          172.16.77.155
+ Target Hostname:    172.16.77.155
+ Target Port:        8080
+ Start Time:         2022-09-16 16:01:51 (GMT0)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1556961512000
+ OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ 6544 items checked: 5657 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-09-16 16:05:27 (GMT0) (216 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
Figure 5 shows that for some events, the action is to close the session to mitigate the threats (under the Action field).
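To confirm the profile change from the scanner's side without reading both scans by hand, here is an added Python example (not code from the Juniper page or from Nikto) that parses the summary lines Nikto prints and compares the Alert run with the Strict run. The embedded log lines are constructed from the two scans above, and the thresholds in idp_blocking_effective are an assumed heuristic, not a Juniper-defined value.

```python
import re
from dataclasses import dataclass

# Log text constructed from the two scans shown above (Alert run, then Strict run);
# a real run would be captured with: nikto -h http://<target>:8080 | tee run.log
ALERT_RUN = """\
+ Target IP:          172.16.77.155
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ /manager/html: Default Tomcat Manager interface found
+ 6544 items checked: 1 error(s) and 10 item(s) reported on remote host
+ End Time:           2022-09-16 15:50:03 (GMT0) (101 seconds)
"""
STRICT_RUN = """\
+ Target IP:          172.16.77.155
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ 6544 items checked: 5657 error(s) and 6 item(s) reported on remote host
+ End Time:           2022-09-16 16:05:27 (GMT0) (216 seconds)
"""

SUMMARY_RE = re.compile(r"\+ (\d+) items checked: (\d+) error\(s\) and (\d+) item\(s\)")
END_RE = re.compile(r"\+ End Time:.*\((\d+) seconds\)")
# A finding line starts with an OSVDB id or a path; header lines (Target IP, End Time) do not.
FINDING_RE = re.compile(r"^\+ (OSVDB-\d+|/\S+)")

@dataclass
class NiktoSummary:
    checked: int     # requests Nikto attempted
    errors: int      # requests that failed (a TCP session closed by IDP lands here)
    reported: int    # findings Nikto reported
    seconds: int     # wall-clock scan time
    findings: list   # the raw finding lines

def parse_nikto(text: str) -> NiktoSummary:
    """Extract the closing summary and the finding lines from a Nikto log."""
    m, e = SUMMARY_RE.search(text), END_RE.search(text)
    if not (m and e):
        raise ValueError("Nikto summary lines not found; the scan may have been cut off")
    findings = [ln for ln in text.splitlines() if FINDING_RE.match(ln)]
    return NiktoSummary(int(m[1]), int(m[2]), int(m[3]), int(e[1]), findings)

def suppressed_findings(baseline: NiktoSummary, enforced: NiktoSummary) -> list:
    """Findings seen under the Alert profile that no longer appear under Strict."""
    return [f for f in baseline.findings if f not in enforced.findings]

def idp_blocking_effective(baseline: NiktoSummary, enforced: NiktoSummary) -> bool:
    """Assumed heuristic: under Strict the IDP engine closes sessions, so the error
    ratio must jump (here: above 50% and over 10x baseline) without more findings."""
    base, enf = baseline.errors / baseline.checked, enforced.errors / enforced.checked
    return enf > 0.5 and enf > 10 * base and enforced.reported <= baseline.reported
```

Run parse_nikto on each saved log and pass the results to idp_blocking_effective; suppressed_findings lists which items the Strict profile kept the scanner from reaching, which you can cross-check against the Close actions in the IDP/URL Events view.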
Intrusion Detection and Prevention (IDP) Bypass Profiles
IDP bypass works in conjunction with the intrusion prevention system (IPS) rules to prevent unnecessary alarms from being generated. You configure an IDP bypass profile when you want to exclude a specific destination or attack type from matching an IDP rule, which prevents IDP from generating unnecessary alarms for that traffic.
An IDP profile can have multiple bypass profiles, each with multiple bypass rules.
To create an IDP bypass profile:
- In the Juniper Mist cloud portal, select Organization > WAN > Application Policy > IDP bypass profiles. The page displays a list of existing IDP bypass profiles (if any).
- Click Add Bypass Profile to create a profile.
- In the Create Bypass Profile window:
  - Add a name. Use alphanumerics, underscores, or dashes; the name cannot exceed 63 characters.
  - Select a base profile. The supported base profiles are:
    - Standard
    - Strict
    - Critical Only (SRX)
  You need a base IDP profile to create an IDP bypass profile.
- Click Next. The portal opens a rules page where you can define the rule for the IDP bypass profile.
  Figure 6: IDP Bypass Profile Rule
  - Action – Select the associated traffic action. The available options are Alert, Drop, or Close.
  - Destination IP – IP address of the destination for the traffic you want to exempt. You can select one or more destination IP addresses from the populated list, or you can enter a destination IP address by clicking Add Destination IP.
  - Attack Name – Select the attacks you want IDP to exempt for the specified destination addresses from the displayed list. Alternatively, you can enter an attack by clicking Add Attack Name. The attack you enter must be of a type supported by the Juniper Networks IPS signature database.
- Click Save.
The rule you created appears in the IDP Bypass Profile pane. Next, you need to apply the IDP bypass profile in an application policy, similar to applying any IDP profile, by using the following steps:
- In the Juniper Mist cloud portal, click Organization > WAN Edge Templates and select a template for your spoke device.
- Under the IDP column, select the IDP profile. For example, select the IDP bypass profile that you created in the previous step.
  Figure 7: Apply IDP Bypass Profile in Application Policy
- Click Save once you configure the other options in the application policy. See Configure Application Policies on SRX Series Firewalls.
You can view the generated events by navigating to Site > Secure WAN Edge IDP/URL Events.