Intrusion Prevention
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
soc46
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Address translation in TAP mode

Options

‎08-25-2009 08:51 PM

Hi, we have IDP blades in TAP mode in a ISG cluster. Everything works like a charm except that we loose the private addresses in the IDS alerts.


Anybody know if there's some ISG setting to make address translation to work so that the private addresses appear instead of the NAT address in the event logs?

Many thanks,
/Ola

Message 1 of 7 (7,133 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007
0

Re: Address translation in TAP mode

Options

‎08-26-2009 06:35 AM

Hi Ola :smileyhappy:

the IDP doesn't have option to choose the IP address before or after NAT, as per design sees the packets as they're forwarded by the FW.

 

What NAT type are you using? Maybe you can change from VIP to MIP and see the difference?

 

Ciao :smileyhappy:

Daniele

 

***Contributor at Router Freak blog***
Message 2 of 7 (7,120 Views)
 
Reply
soc46
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Re: Address translation in TAP mode

Options

‎08-26-2009 03:07 PM

Hi Daniele :smileyhappy:

DIP is used to hide traffic behind a pool of addresses (in combination with PAT). We need the source IP-address in the IDP blade.

Thanks!
/Ola
Message 3 of 7 (7,109 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007
0

Re: Address translation in TAP mode

Options

‎08-27-2009 02:39 AM

Ola,

if the attack is detected over a session established by the NATted client, then the original IP address should be in the logs...

 

Can you give us more details?

 

Ciao

Daniele

***Contributor at Router Freak blog***
Message 4 of 7 (7,098 Views)
 
Reply
soc46
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Re: Address translation in TAP mode

Options

‎09-01-2009 06:57 PM

Hi Daniele,

 

On the trust side, there are a couple of private subnets (RFC1918) which are hidden behind DIP pools. Tests show that in 90 percent of the cases the IDP logging shows Src IP and Xlate Src both contain the IP-address out of the DIP group. But sometimes the log view correctly shows the private Src IP in addition to the DIP address! So in 10 percent of the cases private addresses do show up in the event log. Makes any sence? 

 

Regards,

/Ola

Message 5 of 7 (7,048 Views)
 
Reply
Recognized Expert Recognized Expert
Recognized Expert
Daniele
Posts: 164
Registered: ‎11-06-2007
0

Re: Address translation in TAP mode

Options

‎09-06-2009 05:26 AM

Hi Ola,

I think this depends on the flow wing where the attack is detected.

If it's cient2server or server2client can make a difference on the IPs logged.

 

Can you check the logs and see if the IPs are depending on the direction of the flow where the attack is detected?

 

To make it more clear, I'm not talking about the direction of the session, but the direction of the flow where the attack has been detected...

 

Example:

 

Host A ------------------------------------------------------- Web Server

1.1.1.1 port 1025                                                     2.2.2.2 port 80

 

We'll have 1 session with 2 flows:

 

1.1.1.1:1025 -> 2.2.2.2:80

2.2.2.2:80 -> 1.1.1.1:1025

 

In this case we can have an attack detected on the traffic sent by the client (client2server) or detected on the traffic sent by the server (server2client).

 

Take some log events and inspect them.

You can open the attack defnition and looking at the signature definition you should be able to see the direction inspected.

 

 

Let me know!

 

Ciao :smileyhappy:

Daniele

 

***Contributor at Router Freak blog***
Message 6 of 7 (7,008 Views)
 
Reply
soc46
Visitor
soc46
Posts: 7
Registered: ‎04-21-2009
0

Re: Address translation in TAP mode

Options

‎09-27-2009 05:27 AM

Hi Daniele,

 

Thanks for the update. Our first findings suggest that address translation works fine on client2server sigs (server2client uknown) but fails on protocol anomalies. I'll have the results from more extensive tests in the next days.

 

Regards,

/Ola

Message 7 of 7 (6,815 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.