SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX has feature like NBAR?

  • 1.  SRX has feature like NBAR?

    Posted 02-15-2010 11:00

    Hi

     

    I heard that SRX has a feature like NBAR in Cisco, and using that feature we can block applications like IM, P2P etc. I searched a lot but I did not find any document.

     

    Can anyone kindly guide me on how to configure this?

     

    Thanks



  • 2.  RE: SRX has feature like NBAR?

    Posted 02-16-2010 01:41

    Hello there,

    You are probably looking for IDP Application Identification, which is supported on SRX:

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/jd0e58277.html#jd0e58277

    May I ask what you are trying to achieve?

    Rgds

    Alex



  • 3.  RE: SRX has feature like NBAR?

    Posted 02-16-2010 09:59

    Hi Alex

    Do you mean that SRX IDP will have predefined attack signatures for P2P?

    I mean, how will P2P & messenger be blocked using SRX IDP?



  • 4.  RE: SRX has feature like NBAR?

    Posted 02-16-2010 14:18

    Hello,

    Yes, it can recognise some P2P applications. The following printout is from an SRX running 10.0S2:

     

    root> file show /var/db/idpd/sec-repository/application.list    
    "ApplicationID:AIM" 61
    "ApplicationID:APPLEJUICE" 125
    "ApplicationID:ARES" 95
    "ApplicationID:BGP" 201
    "ApplicationID:BITTORRENT" 60
    "ApplicationID:BITTORRENT-DHT" 131
    "ApplicationID:BITTORRENT-TRACKER-URL" 68
    "ApplicationID:CHARGEN" 39
    "ApplicationID:CUPS" 146
    "ApplicationID:CVS" 147
    "ApplicationID:DHCP" 34
    "ApplicationID:DIRECTCONNECT" 98
    "ApplicationID:DISCARD" 13
    "ApplicationID:DNP3" 175
    "ApplicationID:DNS" 191
    "ApplicationID:DOT-NET" 182
    "ApplicationID:DRDA" 183
    "ApplicationID:ECHO" 12
    "ApplicationID:EDONKEY" 100
    "ApplicationID:EDONKEY-TCP" 189
    "ApplicationID:FINGER" 8
    "ApplicationID:FREECAST" 163
    "ApplicationID:FTP" 63
    "ApplicationID:GADU-GADU" 165
    "ApplicationID:GIOP" 192
    "ApplicationID:GNUCLEUSLAN-CONNECT" 143
    "ApplicationID:GNUCLEUSLAN-UDP-BROADCAST" 142
    "ApplicationID:GNUTELLA" 83
    "ApplicationID:GNUTELLA-FIREWALLED" 86
    "ApplicationID:GNUTELLA-TCP" 206
    "ApplicationID:GNUTELLA-UDP" 90
    "ApplicationID:GNUTELLA-URN-DOWNLOAD" 85
    "ApplicationID:GOPHER" 30
    "ApplicationID:GROUPWISE" 137
    "ApplicationID:H225RAS" 56
    "ApplicationID:H225SGN" 178
    "ApplicationID:HOTLINE" 139
    "ApplicationID:HTTP" 64
    "ApplicationID:ICA-TCP" 106
    "ApplicationID:ICA-UDP" 145
    "ApplicationID:ICCP" 177
    "ApplicationID:IDENT" 25
    "ApplicationID:IEC104" 187
    "ApplicationID:IMAP" 66
    "ApplicationID:IPSEC-IKE-MAIN-AGGRESSIVE-MODE" 132
    "ApplicationID:IRC" 81
    "ApplicationID:JABBER" 82
    "ApplicationID:JONDO-PROXY" 207
    "ApplicationID:KADEMLIA-KAD" 94
    "ApplicationID:KADEMLIA-OVERNET" 92
    "ApplicationID:KAZAA" 164
    "ApplicationID:KRB4" 70
    "ApplicationID:KRB5" 71
    "ApplicationID:KUGOO" 136
    "ApplicationID:LDAP" 72
    "ApplicationID:LOTUSNOTES" 138
    "ApplicationID:MANOLITO-DOWNLOAD" 141
    "ApplicationID:MANOLITO-UDP-MESSAGE-EXCHANGE" 140
    "ApplicationID:MAPI" 65
    "ApplicationID:MGCP" 179
    "ApplicationID:MMS" 105
    "ApplicationID:MODBUS" 173
    "ApplicationID:MSN" 84
    "ApplicationID:MSRPC" 52
    "ApplicationID:MUTE" 126
    "ApplicationID:MYSQL" 160
    "ApplicationID:NAPSTER-LOGIN" 96
    "ApplicationID:NBDS" 44
    "ApplicationID:NBNAME" 116
    "ApplicationID:NFS" 73
    "ApplicationID:NNTP" 26
    "ApplicationID:NTP" 118
    "ApplicationID:OPENFT" 127
    "ApplicationID:PCANYWHERE" 121
    "ApplicationID:PEERCAST" 128
    "ApplicationID:PEERENABLE" 91
    "ApplicationID:POCO-CONNECT" 129
    "ApplicationID:POCO-UDP" 144
    "ApplicationID:POP3" 74
    "ApplicationID:PORTMAPPER" 15
    "ApplicationID:POSTGRESQL" 152
    "ApplicationID:QQ" 87
    "ApplicationID:RADIUS" 157
    "ApplicationID:RDP" 170
    "ApplicationID:REXEC" 19
    "ApplicationID:RLOGIN" 20
    "ApplicationID:RSH" 77
    "ApplicationID:RTSP" 75
    "ApplicationID:RUSERS" 28
    "ApplicationID:SHOUTCAST" 171
    "ApplicationID:SIP" 108
    "ApplicationID:SIP-SOAP" 204
    "ApplicationID:SKYPE" 111
    "ApplicationID:SMB" 117
    "ApplicationID:SMTP" 76
    "ApplicationID:SNMP" 78
    "ApplicationID:SNMPTRAP" 36
    "ApplicationID:SOFTETHER" 167
    "ApplicationID:SOULSEEK" 130
    "ApplicationID:SQLMON" 53
    "ApplicationID:SQLSERVER" 107
    "ApplicationID:SSH" 119
    "ApplicationID:SSL" 79
    "ApplicationID:SYBASE" 122
    "ApplicationID:SYSLOG" 120
    "ApplicationID:TELNET" 80
    "ApplicationID:TFTP" 69
    "ApplicationID:TIMBUKTU" 185
    "ApplicationID:TN3270" 158
    "ApplicationID:TNS" 55
    "ApplicationID:TOC" 89
    "ApplicationID:TRACEROUTE-UDP" 161
    "ApplicationID:VMWARE" 181
    "ApplicationID:VNC" 31
    "ApplicationID:WHOIS" 49
    "ApplicationID:WINNY" 174
    "ApplicationID:WOW-LOGIN" 196
    "ApplicationID:WOW-REALM" 197
    "ApplicationID:WPNP-LOGIN" 115
    "ApplicationID:X11" 155
    "ApplicationID:XDMCP" 190
    "ApplicationID:XUNLEI" 150
    "ApplicationID:XUNLEI-DOWNLOAD" 148
    "ApplicationID:XUNLEI-TCP-MESSAGE" 149
    "ApplicationID:YMSG" 166

     Please note that application signatures are available as part of the security package provided by Juniper Networks. You download predefined application signatures along with the security package updates. You cannot create your own application signatures.

     

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/under-app-ident-section.html

    Application signatures enable the sensor to identify known and unknown applications running on nonstandard ports and to apply the correct attack objects.

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-swconfig-security/topic-42381.html

    HTH

    Rgds

    Alex

     

     



  • 5.  RE: SRX has feature like NBAR?

    Posted 02-17-2010 11:05

    Hi Alex

     

    Thanks for the great explanation. Can you give me an idea of how to block P2P applications using this application identification feature in SRX?

     

    Thanks



  • 6.  RE: SRX has feature like NBAR?

    Posted 02-17-2010 13:36

    Hello,

    I think it's the IDP policy that you need to configure to look at P2P traffic; IDP uses Application Identification as a tool.

    Have you tried to block P2P using the predefined P2P attack groups?

     

    root> file show /var/db/idpd/sec-repository/attack-group.list | grep p2p | no-more              
    "Critical - P2P"
    "Info - P2P"
    "Major - P2P"
    "Minor - P2P"
    "Misc_Critical - P2P"
    "Misc_Info - P2P"
    "Misc_Major - P2P"
    "Misc_Minor - P2P"
    "Misc_P2P"
    "Misc_P2P - All"
    "Misc_P2P - Critical"
    "Misc_P2P - Info"
    "Misc_P2P - Major"
    "Misc_P2P - Minor"
    "Misc_P2P - Warning"
    "Misc_Warning - P2P"
    "P2P"
    "P2P - All"
    "P2P - Critical"
    "P2P - Info"
    "P2P - Major"
    "P2P - Minor"
    "P2P - Warning"
    "Response_Critical - P2P"
    "Response_Info - P2P"
    "Response_Major - P2P"
    "Response_Minor - P2P"
    "Response_P2P"
    "Response_P2P - All"
    "Response_P2P - Critical"
    "Response_P2P - Info"
    "Response_P2P - Major"
    "Response_P2P - Minor"
    "Response_P2P - Warning"
    "Response_Warning - P2P"
    "Warning - P2P"
    "[Recommended]Critical - P2P"
    "[Recommended]Info - P2P"
    "[Recommended]Major - P2P"
    "[Recommended]Minor - P2P"
    "[Recommended]Misc_Critical - P2P"
    "[Recommended]Misc_Info - P2P"
    "[Recommended]Misc_Major - P2P"
    "[Recommended]Misc_Minor - P2P"
    "[Recommended]Misc_P2P"
    "[Recommended]Misc_P2P - All"
    "[Recommended]Misc_P2P - Critical"
    "[Recommended]Misc_P2P - Info"
    "[Recommended]Misc_P2P - Major"
    "[Recommended]Misc_P2P - Minor"
    "[Recommended]Misc_P2P - Warning"
    "[Recommended]Misc_Warning - P2P"
    "[Recommended]P2P"
    "[Recommended]P2P - All"
    "[Recommended]P2P - Critical"
    "[Recommended]P2P - Info"
    "[Recommended]P2P - Major"
    "[Recommended]P2P - Minor"
    "[Recommended]P2P - Warning"
    "[Recommended]Response_Critical - P2P"
    "[Recommended]Response_Info - P2P"
    "[Recommended]Response_Major - P2P"
    "[Recommended]Response_Minor - P2P"
    "[Recommended]Response_P2P"
    "[Recommended]Response_P2P - All"
    "[Recommended]Response_P2P - Critical"
    "[Recommended]Response_P2P - Info"
    "[Recommended]Response_P2P - Major"
    "[Recommended]Response_P2P - Minor"
    "[Recommended]Response_P2P - Warning"
    "[Recommended]Response_Warning - P2P"
    "[Recommended]Warning - P2P"

    Your IDP policy should look like this:

     

    set security idp idp-policy <policy-name> rulebase-ips rule <rule-name> match attacks predefined-attack-groups <predefined P2P attack group name from list above>
    set security idp idp-policy <policy-name> rulebase-ips rule <rule-name> match application default
    set security idp idp-policy <policy-name> rulebase-ips rule <rule-name> then action drop-packet

     

     

    Hope the above makes sense

    Rgds

    Alex
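    The rule above is the IDP side only; on its own it never sees traffic. The following is an added example, not part of Alex's post or any Juniper document, that fills in the two pieces needed to make such a rule take effect on an SRX of this era: activating the IDP policy, and turning on `application-services idp` in the security policy that the P2P flows actually traverse. It uses the predefined group "P2P - All" from the list printed above; the zone names `trust`/`untrust`, the policy names `block-p2p`, `drop-p2p` and `allow-out`, and the `#` comment lines are assumptions for illustration (drop the comment lines if your CLI version rejects them when pasting).

    ```junos
    # Added example (not from the thread): block P2P on SRX with a predefined IDP attack group.
    # Assumed names: idp-policy block-p2p, rule drop-p2p, zones trust/untrust, policy allow-out.

    # 1. IDP rule: match any zone pair and any address, let AppID decide the application
    #    ("application default"), and match the predefined "P2P - All" group shown above.
    set security idp idp-policy block-p2p rulebase-ips rule drop-p2p match from-zone any to-zone any
    set security idp idp-policy block-p2p rulebase-ips rule drop-p2p match source-address any destination-address any
    set security idp idp-policy block-p2p rulebase-ips rule drop-p2p match application default
    set security idp idp-policy block-p2p rulebase-ips rule drop-p2p match attacks predefined-attack-groups "P2P - All"

    # 2. Action: drop-connection tears down the whole session, not just the matching packet
    #    (drop-packet lets the rest of a TCP P2P session continue). Log the hits.
    set security idp idp-policy block-p2p rulebase-ips rule drop-p2p then action drop-connection
    set security idp idp-policy block-p2p rulebase-ips rule drop-p2p then notification log-attacks

    # 3. Make this the active IDP policy (only one IDP policy is active at a time).
    set security idp active-policy block-p2p

    # 4. The security policy the traffic matches must hand the session to IDP;
    #    without application-services idp the IDP rulebase is never consulted.
    set security policies from-zone trust to-zone untrust policy allow-out match source-address any destination-address any application any
    set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp
    set security policies from-zone trust to-zone untrust policy allow-out then log session-close

    commit
    ```

    Two checks before trusting this in production. First, the predefined groups and the application signatures only exist after the security package has been downloaded and installed (`request security idp security-package download`, then `request security idp security-package install`), as post 4 notes; on a fresh box the `predefined-attack-groups` name will not resolve. Second, after the commit, `show security idp status` confirms the policy is loaded and `show security idp attack table` shows per-attack hit counts, which is the quickest way to tell whether BitTorrent or eDonkey sessions from a test client are actually being classified and dropped rather than silently permitted.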




  • 7.  RE: SRX has feature like NBAR?

    Posted 02-22-2010 12:10

    Hi Alex

     

    Thanks for your help. Actually, the example you provided shows how to block P2P traffic using IDP signatures. I want to block it through the application identification capability of SRX. Is there any possibility?

     

    Thanks



  • 8.  RE: SRX has feature like NBAR?

    Posted 02-23-2010 06:51

    Aeroplane -

     

    The IDP engine uses the Application Identification capability to do its thing.

     

    I think what's being asked is "is there a way to use AI outside of an IDP policy".  I would like to know this as well - say I don't want to completely block BitTorrent traffic, but I do want to reclassify or rate-limit it - is there a way I can use the AI engine to identify it and then apply shaping or limiting somehow, rather than just using IDP to block it as an attack?

     

    I'm thinking this is not available currently...

     

    Thanks,



  • 9.  RE: SRX has feature like NBAR?

    Posted 02-23-2010 09:44

     


    @aeroplane wrote:

    Hi Alex

     

    Thanks for your help. Actually, the example you provided shows how to block P2P traffic using IDP signatures. I want to block it through the application identification capability of SRX. Is there any possibility?

     

    Thanks


     

     

    AFAIK, not possible at the moment. Application Identification is what it is - Identification only. The action has to be taken by IDS. May I ask if this makes a real difference in production or is it just a lab exercise?

    Rgds

    Alex

     



  • 10.  RE: SRX has feature like NBAR?

    Posted 03-13-2010 00:09

    Hi Alex

     

    Actually, we had a Cisco router before the SRX, and this Cisco router has the NBAR feature. Using this feature we just match the application p2p in an ACL and then apply rate limiting etc. through the QoS configuration. It's very easy and cool, but I could not find this in SRX. Using P2P ports we cannot do the same on SRX because these applications use dynamic ports.

     

    Is there any possibility for this on SRX?

     

    Thanks



  • 11.  RE: SRX has feature like NBAR?
    Best Answer

    Posted 03-13-2010 04:26

    Hello,

    NBAR-like functionality is currently implemented on SRX via Application Identification, and currently it's only the IDS code which is capable of taking advantage of AppID. Rate-limiting or any kind of QoS using AppID is not possible on SRX at the moment. AFAIK, this is on the roadmap for branch SRX; please talk to your Juniper account team.

    Rgds

    Alex



  • 12.  RE: SRX has feature like NBAR?

    Posted 03-26-2010 08:27

    Thanks for your explanation.



  • 13.  RE: SRX has feature like NBAR?

    Posted 11-22-2010 05:48

    Hi,

    I have to replace a Cisco router with an SRX240. In the existing configuration I found a P2P traffic limit configuration. Is this feature already supported on branch SRX?

    Thanks,



  • 14.  RE: SRX has feature like NBAR?

    Posted 12-08-2010 06:47

    Hi,

    I'm trying to drop all BitTorrent traffic using AI via the IDP.  When composing an IDP rule like so:

     

     set security idp idp-policy srx-idp-policy rulebase-ips rule 1 match application ?

     

    There is no junos-bittorrent available to select. However, when I look in the services, this application "junos:bittorrent" is defined.

    Any recommendations?

    Thanks.

     



  • 15.  RE: SRX has feature like NBAR?

    Posted 02-16-2010 10:37

    Hi Alex

     

    Thanks for the reply. Actually, I want to apply quality of service and bandwidth limits for P2P applications, voice data etc. In order to match applications like P2P, Cisco has the NBAR feature (Network Based Application Recognition). Does SRX have the same feature through IDP?

     

    Kindly clear this confusion.

     

    thanks