Intrusion Prevention
Reply
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Address translation in TAP mode

Hi, we have IDP blades in TAP mode in a ISG cluster. Everything works like a charm except that we loose the private addresses in the IDS alerts.


Anybody know if there's some ISG setting to make address translation to work so that the private addresses appear instead of the NAT address in the event logs?

Many thanks,
/Ola

Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007
0

Re: Address translation in TAP mode

Hi Ola :smileyhappy:

the IDP doesn't have option to choose the IP address before or after NAT, as per design sees the packets as they're forwarded by the FW.

 

What NAT type are you using? Maybe you can change from VIP to MIP and see the difference?

 

Ciao :smileyhappy:

Daniele

 

***Contributor at Router Freak blog***
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Re: Address translation in TAP mode

Hi Daniele :smileyhappy:

DIP is used to hide traffic behind a pool of addresses (in combination with PAT). We need the source IP-address in the IDP blade.

Thanks!
/Ola
Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007
0

Re: Address translation in TAP mode

Ola,

if the attack is detected over a session established by the NATted client, then the original IP address should be in the logs...

 

Can you give us more details?

 

Ciao

Daniele

***Contributor at Router Freak blog***
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Re: Address translation in TAP mode

Hi Daniele,

 

On the trust side, there are a couple of private subnets (RFC1918) which are hidden behind DIP pools. Tests show that in 90 percent of the cases the IDP logging shows Src IP and Xlate Src both contain the IP-address out of the DIP group. But sometimes the log view correctly shows the private Src IP in addition to the DIP address! So in 10 percent of the cases private addresses do show up in the event log. Makes any sence? 

 

Regards,

/Ola

Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007
0

Re: Address translation in TAP mode

Hi Ola,

I think this depends on the flow wing where the attack is detected.

If it's cient2server or server2client can make a difference on the IPs logged.

 

Can you check the logs and see if the IPs are depending on the direction of the flow where the attack is detected?

 

To make it more clear, I'm not talking about the direction of the session, but the direction of the flow where the attack has been detected...

 

Example:

 

Host A ------------------------------------------------------- Web Server

1.1.1.1 port 1025                                                     2.2.2.2 port 80

 

We'll have 1 session with 2 flows:

 

1.1.1.1:1025 -> 2.2.2.2:80

2.2.2.2:80 -> 1.1.1.1:1025

 

In this case we can have an attack detected on the traffic sent by the client (client2server) or detected on the traffic sent by the server (server2client).

 

Take some log events and inspect them.

You can open the attack defnition and looking at the signature definition you should be able to see the direction inspected.

 

 

Let me know!

 

Ciao :smileyhappy:

Daniele

 

***Contributor at Router Freak blog***
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Re: Address translation in TAP mode

Hi Daniele,

 

Thanks for the update. Our first findings suggest that address translation works fine on client2server sigs (server2client uknown) but fails on protocol anomalies. I'll have the results from more extensive tests in the next days.

 

Regards,

/Ola

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.