ScreenOS Firewalls (NOT SRX)

DI: MS-SQL inspection w. custom service

Hi,

one of my customers and I are wondering how to implement a DI with a policy that matches traffic for MS-SQL services not running on well-known ports. While one has to specify an application inside the policy configuration for DI, this cannot be done with MS-SQL, because there is no application like SQL or MS-SQL.

Usually one has to select the proper application for a protocol that has custom ports or port ranges (version 6.0.0.x, C&E Volume 4, page 152):

 - - - - - -

When using a custom service in a policy with a Deep Inspection (DI) component, you must explicitly specify the application that is running on that service so that the DI module can function properly. For example, if you create a custom service for FTP running on a nonstandard port number such as 2121 (see Figure 52), you can reference that custom service in a policy as follows:

set service ftp-custom protocol tcp src-port 0-65535 dst-port 2121-2121
set policy id 1 from untrust to trust any ftp-srv1 ftp-custom permit

However, if you add a DI component to a policy that references a custom service, the DI module cannot recognize the application because it is using a nonstandard port number.

 - - - - - -

So, how is one able to solve this for MS-SQL? Or would you call this a built-in limitation for "Deep Inspection" on SSG devices?

With kind regards,

Klaus

rkim

Re: DI: MS-SQL inspection w. custom service

MS-SQL is not on the list of supported protocols for DI. The list can be found in ScreenOS Concepts & Examples Guide, Volume 4.

In particular, page 129 has the list of available protocols for which DI attack objects exist.

-Richard
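As an added example (my own code, not Juniper's and not from this thread), the check the quoted C&E passage implies, run over a constructed config: flag every policy that carries a DI attack component and references a custom service without an application binding, which is the situation in which DI cannot identify the protocol. The `set policy id N application <app>` form is an assumption; the service and policy lines use the syntax quoted above.

```python
import re

# Constructed ScreenOS-style config (not from the thread). Policy 1 binds the FTP
# application to its custom service, policy 2 adds DI to a custom service with no
# application bound, policy 3 uses the predefined HTTP service (well-known port).
SAMPLE_CONFIG = """
set service ftp-custom protocol tcp src-port 0-65535 dst-port 2121-2121
set service web-custom protocol tcp src-port 0-65535 dst-port 8080-8080
set policy id 1 from untrust to trust any ftp-srv1 ftp-custom permit attack CRITICAL:FTP:SIGS action close
set policy id 1 application ftp
set policy id 2 from untrust to trust any web-srv1 web-custom permit attack CRITICAL:HTTP:SIGS action close
set policy id 3 from untrust to trust any web-srv2 HTTP permit attack CRITICAL:HTTP:SIGS action close
"""

SERVICE_RE = re.compile(r"^set service (\S+) protocol (tcp|udp) src-port \S+ dst-port (\d+)-(\d+)$")
POLICY_RE = re.compile(r"^set policy id (\d+) from \S+ to \S+ \S+ \S+ (\S+) (?:permit|deny|reject)(.*)$")
# Assumed form of the application binding; verify against your ScreenOS release.
APP_RE = re.compile(r"^set policy id (\d+) application (\S+)$")


def parse_config(text):
    """Collect custom services and, per policy id, its service, DI flag and bound application."""
    services, policies = {}, {}
    empty = {"service": None, "di": False, "application": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            services[m.group(1)] = (m.group(2), int(m.group(3)), int(m.group(4)))
        elif m := POLICY_RE.match(line):
            pol = policies.setdefault(int(m.group(1)), dict(empty))
            pol["service"] = m.group(2)
            pol["di"] = "attack" in m.group(3).split()  # an attack group means a DI component
        elif m := APP_RE.match(line):
            policies.setdefault(int(m.group(1)), dict(empty))["application"] = m.group(2)
    return services, policies


def find_unbound_di_policies(text):
    """Return (policy id, service, proto/ports) for every DI policy that references a
    custom service without naming the application: the case the C&E text warns about."""
    services, policies = parse_config(text)
    findings = []
    for pid, pol in sorted(policies.items()):
        if pol["di"] and pol["service"] in services and pol["application"] is None:
            proto, lo, hi = services[pol["service"]]
            findings.append((pid, pol["service"], f"{proto}/{lo}-{hi}"))
    return findings
```

Run it against a saved `get config` dump to list the policies whose DI component is silently ineffective; for a protocol with no DI application at all, such as MS-SQL here, the binding cannot be added, so the finding stays.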
