SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX IDP policy matching condition and Source NAT

Erdem, 03-09-2012 12:31

  • 1.  SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 05:54

    Hi Experts

     

    My scenario is that I have a Trust and an Untrust zone. The Trust zone has users and the Untrust zone has the internet. I am using interface-based NAT for the traffic from Trust to Untrust.

     

    Now I want to make an IDP policy which will inspect the users' HTTP traffic from trust to untrust. My question is that source NAT occurs before the IDP policy evaluation. So when I make the IDP policy, then in the match condition, what source IP do I have to give, I mean the translated source IP of the users or the users' actual private IP?

     

    Many thanks



  • 2.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 06:36

    The policy engine will match translated addresses for Destination or Static NAT. In other words, packets will be translated before they enter the policy engine.


    The policy engine will match un-translated addresses for source or reverse Static NAT connections.

     

    This is a good article for you to read:

     

    http://www.juniper.net/elqNow/elqRedir.htm?ref=http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf



  • 3.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 11:04

    Hi

     

    So it means that for source NAT, the IDP policy will match the source as the untranslated source IP, and for static and destination NAT, the IDP policy will match the translated destination IP? Am I correct in understanding?

     

    Thanks



  • 4.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 12:31

    Yup, that's it.



  • 5.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 12:46

    Hi MMcD,

     

    From the link you posted above, it follows that "Services" (which AFAIK should include IDP) is processed after both source and destination (and static) NAT. So it seems to me that IDP rules work with source and destination addresses that are both already translated. Am I missing something here? Did you check this particular IDP behavior in the lab?



  • 6.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 14:31

    Hi

     

    I think Peter is right, because in the SRX traffic flow, IDP services will be processed after NAT. Can anyone confirm this?



  • 7.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 16:13

    Hi Guys,

     

    Sorry, you are correct. I was having a brain fart and looking at this question as policy processing, not services.

     

    As you can see Source NAT is after policy and Destination + Static before.



  • 8.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 23:20

    Hi

     

    I want to inspect HTTP traffic from users to the internet and I am using interface-based NAT. So in the IDP policy, when I make the rule, then in the match source what would be the source? Will it be the translated source IP, which is the interface IP?

     

    Thanks



  • 9.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-09-2012 23:38

    Hi

     

    If the above-discussed diagram is to be believed, yes. But I am not 100% sure. I will be able to check this in the lab next week; if you or someone else can do it earlier, please post here.

    By the way, if it is not a secret, what attacks (attack groups) are you going to search for in client HTTP connections? Server-initiated attacks? Worms?



  • 10.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-10-2012 02:13

    Yes, that's correct. Server to clients and also client to servers as well.

     

    Thanks



  • 11.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-10-2012 02:59

    My silliness has now made me wonder. I will try this also in a lab next week as I'm now curious. I would assume it works as per the document, but is it possible that you cannot use IDP on pre-source-NAT addresses?

     

     



  • 12.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-10-2012 03:18

    Hi

     

    Thanks guys. I will also try to do this in the lab. I would appreciate it if anyone else can do this as well.

     

    Thanks



  • 13.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-12-2012 06:57

    Hi

     

    From my testing it follows that in IDP rules, matches are on pre-translation addresses, for both source and destination NAT... Testing with SRX240, Junos 10.4.



  • 14.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-12-2012 12:46

    Hi Peter

     

    That seems to be very confusing, because as per the documentation IPS processing occurs after static/destination NAT, security policy lookup and source NAT. Especially your finding that even in the case of static and destination NAT, the IPS policy match occurs on the pre-translated IP. If this is the case, then for the traffic coming from the Internet to the public DMZ, the IPS policy match would be like source any, destination the public IP of the servers? In the Junos Security book, the IPS policy was made on the private IP of the DMZ when traffic is coming from the internet to the public DMZ.

     

    I am still confused 😞



  • 15.  RE: SRX IDP policy matching condition and Source NAT
    Best Answer

    Posted 03-13-2012 03:21

    Hi

     

    If you mean Chapter 8 of Junos Security, yes, they have private addressing in their DMZ, and match on those addresses, but they are not using NAT at all in their case study. So there is no contradiction here.

     

    I tested it now with static NAT and in all cases (including reverse static NAT) I see that IDP rules match on pre-translation addresses only.



  • 16.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-13-2012 10:52

    Hi Peter

     

    Thanks for the efforts. But I still don't get it: if you look at the packet flow in the SRX, then the IDP lookup takes place after static/destination NAT, security policy and source NAT.

     

    Thanks



  • 17.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-13-2012 12:44

    Hi

     

    The IDP engine knows both pre- and post-translated addresses in a session. So it is just a matter of the developer's choice on which addresses to match.

     

    By the way, in the log, when an attack is found, both addresses (before and after NAT) are logged.



  • 18.  RE: SRX IDP policy matching condition and Source NAT

    Posted 03-14-2012 12:56

    <If this is the case then the traffic coming from Internet to public DMZ, IPS policy match would be like source any, destination is public IP of servers?>

     

    Here's an example that might help. This applies to JunOS 11.2r4, 11.4r1 on the SRX Branch and just shows the zone/address match conditions within the IPS policy.

     

    The IPS and IPS Exempt rulebases both work the same way.

     

    Your destination zone is DMZ.

    Your server's private IP in the DMZ is 10.10.10.10.

    Your server's public IP as advertised on the Internet is 123.123.123.10.

     

     

    IPS rule on incoming traffic from Internet to the Server in DMZ

     

    source zone (untrust), source address (any), destination zone (post-NAT destination zone), destination address (pre-NAT destination IP)

     

    source zone (untrust), source address (any), destination zone (DMZ), destination address (123.123.123.10)

     

    IPS rule on outgoing traffic from the Server in DMZ to Internet

     

    source zone (pre-NAT source zone), source address (pre-NAT source IP), destination zone (untrust), destination address (any).

     

    source zone (DMZ), source address (10.10.10.10), destination zone (untrust), destination address (any).
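As an added example (not posted by anyone in this thread), the two rules above written out as Junos set commands, together with the security policy that hands the untrust-to-DMZ session to IDP. The policy, rule and address-book names are my own, the global address book assumes Junos 11.2 or later, the static NAT for the server is assumed to be configured already, and the attack group is a placeholder for whatever you actually want to inspect. The contrast the thread arrived at is visible here: the security policy matches the already-translated private address, while the IDP rule matches the pre-NAT public address.

```junos
# Added example, not from the thread. Names are mine; global address book needs Junos 11.2+.
# Address-book entries: the IDP rule references the pre-NAT public address,
# the security policy references the post-NAT private address.
set security address-book global address dmz-web-public 123.123.123.10/32
set security address-book global address dmz-web-private 10.10.10.10/32

# Inbound IDP rule: to-zone is the post-NAT zone (DMZ), destination-address is pre-NAT.
set security idp idp-policy dmz-web rulebase-ips rule inbound-web match from-zone untrust
set security idp idp-policy dmz-web rulebase-ips rule inbound-web match source-address any
set security idp idp-policy dmz-web rulebase-ips rule inbound-web match to-zone DMZ
set security idp idp-policy dmz-web rulebase-ips rule inbound-web match destination-address dmz-web-public
set security idp idp-policy dmz-web rulebase-ips rule inbound-web match application junos-http
# Attack group is a placeholder; choose the groups you actually need.
set security idp idp-policy dmz-web rulebase-ips rule inbound-web match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy dmz-web rulebase-ips rule inbound-web then action drop-connection
set security idp idp-policy dmz-web rulebase-ips rule inbound-web then notification log-attacks

# Outbound IDP rule: source-address is the server's pre-NAT private address.
set security idp idp-policy dmz-web rulebase-ips rule outbound-web match from-zone DMZ
set security idp idp-policy dmz-web rulebase-ips rule outbound-web match source-address dmz-web-private
set security idp idp-policy dmz-web rulebase-ips rule outbound-web match to-zone untrust
set security idp idp-policy dmz-web rulebase-ips rule outbound-web match destination-address any
set security idp idp-policy dmz-web rulebase-ips rule outbound-web match application junos-http
set security idp idp-policy dmz-web rulebase-ips rule outbound-web match attacks predefined-attack-groups "HTTP - Critical"
set security idp idp-policy dmz-web rulebase-ips rule outbound-web then action drop-connection
set security idp idp-policy dmz-web rulebase-ips rule outbound-web then notification log-attacks
set security idp active-policy dmz-web

# Security policy: static/destination NAT has already been applied when the policy
# engine runs, so it matches the private address; application-services idp sends
# the permitted session to the active IDP policy above.
set security policies from-zone untrust to-zone DMZ policy web-in match source-address any
set security policies from-zone untrust to-zone DMZ policy web-in match destination-address dmz-web-private
set security policies from-zone untrust to-zone DMZ policy web-in match application junos-http
set security policies from-zone untrust to-zone DMZ policy web-in then permit application-services idp
```

After committing, an attack hit on either rule is logged with both the pre- and post-NAT addresses, as noted earlier in the thread, which is the quickest way to confirm which address the rule actually matched on in your own lab.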