Tuesday, 8 January 2013

SRX IDP - Policy Templates

This post will demonstrate the configuration of an IDP policy on the SRX device using Policy Templates. Policy templates are predefined IDP policies that can be downloaded from Juniper with a valid IDP subscription. Please refer to the previous post SRX IDP - Overview & Initial Setup for licensing information and initial IDP configuration and setup.

**In the configuration demonstration I will be configuring this IDP policy on a general outbound internet rule. In reality these IDP policies would be configured on inbound rules which protect servers and applications.**

Predefined IDP Policy Templates
The following is a list of the policy templates provided by Juniper:
DMZ_Services [designed to be used to protect a typical DMZ environment]
DNS_Service [designed to protect DNS services. Use this template as a starting point to customize your desired level of protection]
File_Server [designed to provide protection to various file sharing services such as SMB, NFS, FTP, and others]
Getting_Started [a good starting point for learning how to create IDP policies]
IDP_Default [a good blend of security and performance. Use this template for "in-line" mode]
Recommended [covers the most important vulnerabilities. Use this template as a base line]
Web_Server [designed to protect commonly used HTTP servers from remote attacks]

Configuration - Recommended Policy Template
1. Set Active IDP Policy
As mentioned in the previous post, multiple IDP policies can be configured on the SRX device, but only one can be active at a time. This step sets the predefined policy template 'Recommended' as the active IDP policy.

2. Enable IDP on Security Policy
Security policies are used to enable IDP processing on traffic. The active IDP policy can be enabled on multiple security policies. In the screenshot below, the active policy 'Recommended' is enabled on the security policy 'OUTBOUND-INTERNET'.

3. Create local log file for IDP events (optional)
To log IDP events, the syslog match statement 'RT_IDP' can be used. In the screenshot below, a local file named idp-log is created, and events that match 'RT_IDP' are written to this file.
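The three steps above as Junos set commands, added here as an example and not taken from the original post's screenshots. The zone names trust and untrust are assumptions, the policy 'OUTBOUND-INTERNET' is assumed to already exist with its match conditions, and the syntax is that of the Junos releases current when this post was written.

```junos
# Added example. Enter in configuration mode.
# Assumptions: the 'Recommended' template is already downloaded and installed
# (see the previous post), zones are named trust/untrust, and the security
# policy OUTBOUND-INTERNET already has its match conditions configured.

# 1. Set the active IDP policy (only one can be active at a time)
set security idp active-policy Recommended

# 2. Enable IDP inspection on traffic permitted by the security policy
set security policies from-zone trust to-zone untrust policy OUTBOUND-INTERNET then permit application-services idp

# 3. (optional) Write syslog messages matching RT_IDP to the local file idp-log
set system syslog file idp-log any any
set system syslog file idp-log match RT_IDP

# Validate the candidate configuration, then activate it
commit check
commit
```

Once committed, the logged events can be read with `show log idp-log`.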

1. Show Status
The command show security idp status can be used to display current running IDP statistics such as processing rates and IDP detector versions. See the screenshot below for details.

2. Show Memory Usage
The command show security idp memory can be used to display the memory in use by the IDP process and the amount of memory remaining. See the screenshot below for details.

3. Show IDP Package Version
The command show idp package version can be used to display the attack database version to confirm whether it is up to date. See the screenshot below for details.

This post focused on creating an IDP policy using Juniper-provided Policy Templates. The next post will focus on using a custom-created policy.
