Tuesday, 15 January 2013

SRX IDP - Custom Policy & Attack Objects

This post will demonstrate the configuration of a custom Attack Object and a custom IDP Policy. For demonstration purposes the custom IDP policy will contain only the single custom attack object. In practice, complex IDP policies can contain many custom and predefined attack objects and groups. Please refer to the previous post SRX IDP - Overview & Initial Setup for licensing information and the initial IDP configuration and setup.


Configuration
1. Create Custom Attack Object
In this step a signature-based custom attack object named 'custom-ftp' is created. This custom attack object is configured to match on the pattern 'anonymous' within the ftp-username context. We will test this later in the post by attempting to log into an FTP site with the username anonymous. See the screenshot below for the configuration commands.

2. Create Custom IDP Policy
In this step an IDP Policy is created. A name is defined for the IDP policy and rules are created within it. In this example only one rule is created, using the custom attack object created in step 1. See below for command details.

3. Set Active IDP Policy
Although multiple IDP policies can be configured on the SRX, only one IDP policy can be active on the device at any given time. This step configures the IDP policy created in the previous step as the active policy. See the screenshot below for details.

4. Enable IDP Policy on Security Policy
Security policies are used to enable IDP processing on traffic. In this example IDP is enabled on the security policy 'OUTBOUND-INTERNET-ACCESS'. See the screenshot below for details.

5. Create local log file for IDP events (optional)
To log IDP events the syslog match statement 'RT_IDP' can be used. In the screenshot below a local log file named idp-log is created, and events which match 'RT_IDP' will be written to this file.
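The five configuration steps above, collected into one set of Junos configuration-mode commands. This is an added example written for this page, not the commands from the original screenshots. The attack object name 'custom-ftp', the pattern 'anonymous' in the ftp-username context, the security policy name 'OUTBOUND-INTERNET-ACCESS' and the log file name 'idp-log' come from the post; the IDP policy name 'CUSTOM-IDP-POLICY', the rule name '1', the zone names 'trust' and 'untrust', and the drop-connection action are assumptions made for this example. The syntax is the pre-12.3X48 form used at the time of the post, where 'set security idp active-policy' selects the single active policy.

```junos
# Step 1: signature-based custom attack object matching 'anonymous' in the FTP username.
# Severity is mandatory for a custom attack object; 'minor' is an assumed value.
set security idp custom-attack custom-ftp severity minor
set security idp custom-attack custom-ftp attack-type signature context ftp-username
set security idp custom-attack custom-ftp attack-type signature pattern "anonymous"
set security idp custom-attack custom-ftp attack-type signature direction client-to-server

# Step 2: IDP policy with one IPS rule referencing the custom attack object.
# Policy name, rule name and action are assumptions for this example.
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 match from-zone any
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 match to-zone any
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 match source-address any
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 match destination-address any
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 match application default
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 match attacks custom-attacks custom-ftp
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 then action drop-connection
set security idp idp-policy CUSTOM-IDP-POLICY rulebase-ips rule 1 then notification log-attacks

# Step 3: make this policy the single active IDP policy on the device.
set security idp active-policy CUSTOM-IDP-POLICY

# Step 4: enable IDP processing on the existing security policy.
# Zone names 'trust' and 'untrust' are assumed; use the zones the policy already sits in.
set security policies from-zone trust to-zone untrust policy OUTBOUND-INTERNET-ACCESS then permit application-services idp

# Step 5 (optional): local log file receiving only messages that match 'RT_IDP'.
set system syslog file idp-log any any
set system syslog file idp-log match RT_IDP

commit
```

The `#` lines are configuration-mode comments and can be pasted along with the set commands. Because the IDP policy compiles separately from the rest of the configuration, the `commit` returning does not mean the policy is in effect yet; check 'show security idp policy-commit-status' as described in the verification section before testing. Without 'then notification log-attacks' on the rule, hits would still appear in the attack table but no RT_IDP syslog message would be generated for the idp-log file.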


Verification & Testing
1. Show Status
The command 'show security idp status' can be used to display the current running IDP statistics, such as processing rates and IDP detector versions. See the screenshot below for details.

2. Show Commit Status
The IDP policy can take longer to commit than the rest of the configuration. To check the commit status of the IDP policy the command 'show security idp policy-commit-status' can be used. I ran this command immediately after a commit to capture examples of the various outputs. See the screenshots below for examples.


3. Test IDP Policy
The custom attack object was created to match the pattern 'anonymous' in the ftp-username context. To test this custom attack object and IDP policy we can simply access an FTP server on the internet and attempt to log in with the username 'anonymous'. The screenshot below outlines this login attempt (which was unsuccessful, as expected).

The command 'show security idp attack table' confirms that a match (hit) was made.

The command 'show log idp-log' can be used to show the contents of the log file that was created to log IDP events. The screenshot below outlines the format of the log and confirms that the event was blocked.


Conclusion
This concludes my posts on IDP. If anyone has questions or comments, or wants to dig deeper into any sub-topic of IDP, please leave a comment.

For the next topics I am thinking of IPsec/VPNs, or expanding the Chassis Cluster/HA section to include a post on dual Active/Active ISPs.

