Before you start: the SRX needs to reach the Internet and have DNS configured, because the IDP security package is fetched from a Juniper server by hostname. The signature download also needs a valid IDP licence on the device (check with show system license).
Intrusion Detection and Prevention (IDP), sometimes known as IPS, is a feature of the Juniper SRX range. IDP is available on the branch SRXs all the way through to the data centre models and is a fantastic item in the feature set. IDP is useful as another layer of security that inspects the data passing between client and server and acts on it. A good example is IDP's ability to detect known shellcode and buffer-overflow exploits that are out in the wild, stop them in their tracks AND block the source IP for a set period of time, such as 1 hour, 1 day or a week. These buffer-overflow style attacks are typically launched at a server once the remote attacker has finished the traditional enumeration steps. To thwart the enumeration, Juniper uses Screens, but that is a discussion for another time.
So how do we configure an SRX for IDP?
Step-by-step IDP configuration
The first thing to do is tell the SRX where to fetch the IDP security package (the attack signature database and the detector engine) from:
root@iLab.SRX# set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
root@iLab.SRX# commit
Next we download the package to the device. First check that the SRX can reach the update server, then start the actual download. Both commands run in operational mode and return immediately; the work happens in the background. (The "already in progress" message below means a download was already running from an earlier request; on a clean run check-server reports the version available on the server.)
root@iLab.SRX> request security idp security-package download check-server
Download is already in progress..
root@iLab.SRX> request security idp security-package download
Download is already in progress..
You can monitor the status of the IDP package download with the following command. Keep checking until you get the Done notification:
root@iLab.SRX> request security idp security-package download status
In progress: Downloading ..
Check again:
root@iLab.SRX> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2946(Thu Jul 6 01:10:33 2017 UTC, Detector=12.6.130170603)
Once the download of the IDP definitions is complete we install them. The install also runs asynchronously, so poll its status the same way:
root@iLab.SRX> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
Check status:
root@iLab.SRX> request security idp security-package install status
In progress:performing DB update for an xml (SignatureUpdate.xml)
Check again:
root@iLab.SRX> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=2946,ExportDate=Thu Jul 6 01:10:33 2017 UTC,Detector=12.6.130170603]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no active policy configured.
Note the last two lines: the new attack database and detector are pushed to the data plane only when an IDP policy is active, so on a fresh device nothing is inspecting traffic yet. The data plane gets the compiled policy and detector once a policy is activated and committed in the steps below.
Next get the policy templates. These are ready-made IDP policies from Juniper that you can use as-is or as a starting point for your own:
root@iLab.SRX> request security idp security-package download policy-templates
Will be processed in async mode. Check the status using the status checking CLI
root@iLab.SRX> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2946
Install the policy templates:
root@iLab.SRX> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
root@iLab.SRX> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!
Here are the results. The templates now show up as IDP policy names in configuration mode:
root@iLab.SRX# set security idp idp-policy ?
Possible completions:
<policy-name> IDP policy name
Client-And-Server-Protection IDP policy name
Client-And-Server-Protection-1G IDP policy name
Client-Protection IDP policy name
Client-Protection-1G IDP policy name
DMZ_Services IDP policy name
DNS_Service IDP policy name
File_Server IDP policy name
Getting_Started IDP policy name
IDP_Default IDP policy name
Recommended IDP policy name
Server-Protection IDP policy name
Server-Protection-1G IDP policy name
Web_Server IDP policy name
[edit]
We have two ways to use IDP:
1. Activate one of the installed templates (for example Recommended) as the active IDP policy and use it as-is.
2. Create our own IDP policy with our own rules and then activate that.
In both cases the active IDP policy only sees traffic on security policies that have IDP enabled as an application service; a policy that is active but not referenced from any security policy inspects nothing.
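Both options as a worked configuration. This is an added example, not the configuration from the original post; the policy name Lab-IDP, the rule name, the zones untrust/trust and the security policy Allow-Web are made up for illustration, and the syntax is the active-policy form used by the Junos releases this post's output comes from (newer releases use security idp default-policy and per-policy application-services idp-policy instead).

```junos
## Option 1: make Juniper's Recommended template the active policy.
## Juniper's documented step for using the templates is to enable the
## templates commit script so the template policies are expanded into the
## candidate configuration on commit, then remove the script again so
## later commits do not keep re-expanding them.
set system scripts commit file templates.xsl
commit
set security idp active-policy Recommended
commit
delete system scripts commit file templates.xsl
commit

## Option 2: our own policy (names are hypothetical). One rule that drops
## critical HTTP exploits from untrust to trust, logs the attack, and
## blocks the attacking source IP for 3600 seconds (the "1 hour" from the
## introduction); ip-block drops new sessions from that source for the
## timeout period.
set security idp idp-policy Lab-IDP rulebase-ips rule Block-Web-Exploits match from-zone untrust to-zone trust
set security idp idp-policy Lab-IDP rulebase-ips rule Block-Web-Exploits match source-address any destination-address any application default
set security idp idp-policy Lab-IDP rulebase-ips rule Block-Web-Exploits match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy Lab-IDP rulebase-ips rule Block-Web-Exploits then action drop-connection
set security idp idp-policy Lab-IDP rulebase-ips rule Block-Web-Exploits then notification log-attacks
set security idp idp-policy Lab-IDP rulebase-ips rule Block-Web-Exploits then ip-action ip-block target source-address timeout 3600 log
set security idp active-policy Lab-IDP

## Either way, traffic is only handed to IDP by security policies that
## enable it as an application service. Without this line the active
## policy inspects nothing.
set security policies from-zone untrust to-zone trust policy Allow-Web match source-address any destination-address any application junos-http
set security policies from-zone untrust to-zone trust policy Allow-Web then permit application-services idp
commit

## Verify the policy compiled and loaded, and that the data plane now has
## the detector the install step earlier said it had not yet pushed.
show security idp active-policy
show security idp status
```

Only one policy can be active at a time, so pick Option 1 or Option 2 rather than committing both active-policy lines. Expect the first commit with a large template such as Recommended to take noticeably longer than a normal commit on a branch SRX, because the policy is compiled against the full signature database before it is loaded.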
To monitor the effectiveness of the IDP policies, use the following commands. The attack table shows how many and what type of attacks have been launched at your servers and is quite informative; if it stays empty, first confirm with show security idp status that the policy loaded, then check that your security policies actually enable IDP as an application service.
> show security idp active-policy
> show security idp attack table
> show security idp status
> show security idp application-statistics