SRX IDP: Templates Update

Did you notice that Juniper has updated their IDP policy templates?

First, let's review the list of the old pre-defined templates.

blogger@SRX> show security idp policy-templates-list
Web_Server
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended


Let's check the version of those templates.

blogger@SRX> show security idp security-package-version
  Attack database version:2395(Wed Jul  2 18:14:04 2014 UTC)
  Detector version :12.6.160140626
  Policy template version :2192

 
Let's check and see what's available from the update server.

blogger@SRX> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2395(Detector=12.6.160140626, Templates=2395)

 
So you see, even if you are automatically updating the attack database (2395 here), that does not update the policy templates, which are still at version 2192.
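A quick way to catch exactly this gap (current attack database, stale policy templates) is to compare the two CLI outputs. This is an added example, not code from the post or from Juniper: it parses the captured output shown above, reproduced here as constructed sample input, and reports which components lag the server; how you collect the output (PyEZ, NETCONF, or a pasted capture) is up to you.

```python
import re

# Captured CLI output from the post, embedded as constructed sample input.
INSTALLED_OUTPUT = """\
  Attack database version:2395(Wed Jul  2 18:14:04 2014 UTC)
  Detector version :12.6.160140626
  Policy template version :2192
"""

CHECK_SERVER_OUTPUT = """\
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2395(Detector=12.6.160140626, Templates=2395)
"""


def _ver(s):
    """Turn a dotted version like 12.6.160140626 into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))


def parse_installed(text):
    """Parse 'show security idp security-package-version' output."""
    db = re.search(r"Attack database version:(\d+)", text)
    det = re.search(r"Detector version\s*:([\d.]+)", text)
    tpl = re.search(r"Policy template version\s*:(\d+)", text)
    if not (db and det and tpl):
        raise ValueError("unexpected security-package-version output")
    return {"attack_db": int(db.group(1)), "detector": _ver(det.group(1)),
            "templates": int(tpl.group(1))}


def parse_check_server(text):
    """Parse 'request security idp security-package download check-server' output."""
    m = re.search(r"Version info:(\d+)\(Detector=([\d.]+), Templates=(\d+)\)", text)
    if not m:
        raise ValueError("unexpected check-server output")
    return {"attack_db": int(m.group(1)), "detector": _ver(m.group(2)),
            "templates": int(m.group(3))}


def stale_components(installed_text=INSTALLED_OUTPUT, server_text=CHECK_SERVER_OUTPUT):
    """Return the package components whose installed version is behind the server."""
    inst, avail = parse_installed(installed_text), parse_check_server(server_text)
    return [name for name in ("attack_db", "detector", "templates") if inst[name] < avail[name]]


if __name__ == "__main__":
    for name in stale_components():
        print(f"{name}: installed version is behind the update server")
```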

GETTING THE NEW TEMPLATES

Using the same process that I described before in my IDP blog post:

a) Download the templates


blogger@LEFTY> request security idp security-package download policy-templates  
Will be processed in async mode. Check the status using the status checking CLI

blogger@SRX> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2395


b) Install the templates

blogger@SRX> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI

blogger@SRX> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
     (=>/var/db/scripts/commit/templates.xsl)!

   
c) Install and then delete the script

blogger@SRX# set system scripts commit file templates.xsl

[edit]
blogger@SRX# commit
commit complete

[edit]
blogger@SRX# delete system scripts

[edit]
blogger@SRX# commit
commit complete


As always, this step takes time and will likely drive your CPU to close to 100% on a low-end device.

d) Check the version.


blogger@SRX> show security idp security-package-version
  Attack database version:2395(Wed Jul  2 18:14:04 2014 UTC)
  Detector version :12.6.160140626
  Policy template version :2395


Our policy templates are now updated.

e) Examine the available templates.


blogger@SRX> show security idp policy-templates-list
Web_Server
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Client-Protection
Client-Protection-1G
Client-And-Server-Protection
Client-And-Server-Protection-1G


A few new templates to consider there.

Here are the descriptions that come with each template:

idp-policy Web_Server {
    /* This template policy is designed to protect commonly used HTTP servers from remote attacks. */

idp-policy DMZ_Services {
    /* This template policy is designed to be used to protect a typical DMZ environment. */

idp-policy DNS_Service {
    /* This template policy is designed to protect DNS services. Use this template as a starting point to customize your desired level of protection. */

idp-policy File_Server {
    /* This template policy is designed to provide protection to various file sharing services such as AMB, NFS, FTP, and others. */
   
idp-policy Getting_Started {
    /* This template is a good starting point for learning how to create IDP policies. */
   
idp-policy IDP_Default {
    /* This template policy represents a good blend od security and performance. Use this template for "in-line" mode. */
   
idp-policy Recommended {
    /* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
   
idp-policy Server-Protection {
    /* This template policy is designed to protect servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */
   
idp-policy Server-Protection-1G {
    /* This template policy is designed to protect servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */
   
idp-policy Client-Protection {
    /* This template policy is designed to protect clients.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */

idp-policy Client-Protection-1G {
    /* This template policy is designed to protect clients.  This template is supported on all platforms, including Branch devices with 1G of memory. */
   
idp-policy Client-And-Server-Protection {
    /* This template policy is designed to protect both clients and servers.  It is supported on devices with 2G or more of memory.  Branch devices with only 1G are not supported. */

idp-policy Client-And-Server-Protection-1G {
    /* This template policy is designed to protect both clients and servers.  This template is supported on all platforms, including Branch devices with 1G of memory. */


Interesting that they now call the Recommended policy "legacy". I also note that the Recommended template, as it now comes, seems to have all its rules duplicated: first as numbered rules and then as named rules. I guess if you wanted to use this new Recommended template you would delete whichever set, named or numbered, you didn't want.

ACTIVATE A POLICY

a) Copy the template you wish to use.


Make a copy of the template you wish to use as a starting point, so you can always reference where you came from and see what you changed in your own policy relative to the default.

E.g.:

blogger@SRX# copy security idp idp-policy Client-Protection-1G to idp-policy Client-Protection-1G_customised

[edit]
blogger@SRX# commit
commit complete

 
b) Activate the new policy

blogger@SRX# set security idp active-policy Client-Protection-1G_customised

[edit]
blogger@SRX# commit
commit complete

blogger@SRX> show security idp status
State of IDP: Default,  Up since: 2014-06-06 10:16:46 EST (4w0d 06:15 ago)

Packets/second: 22              Peak: 852 @ 2014-06-27 16:01:42 EST
KBits/second  : 52              Peak: 5377 @ 2014-07-04 16:20:13 EST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 4364406] [UDP: 159154] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 714 @ 2014-06-17 14:05:40 EST]
  TCP: [Current: 58] [Max: 698 @ 2014-06-17 13:59:43 EST]
  UDP: [Current: 0] [Max: 1574 @ 2014-07-03 12:40:43 EST]
  Other: [Current: 0] [Max: 0 @ 2014-06-06 10:16:46 EST]

Session Statistics:
 [ICMP: 0] [TCP: 29] [UDP: 0] [Other: 0]
  Policy Name : Client-Protection-1G_customised
  Running Detector Version : 12.6.160140626

blogger@SRX>

 

c) Delete the other policies from the configuration as a cleanup.

CHANGE POLICIES

 
What if you wanted to change the active IDP policy to another template after you deleted all the other ones from the config?

It can be done.

The old templates are still there for you even if they are not in the config (i.e. if you did a cleanup), but you can't just switch to another one if it's not in the config. E.g.:

[edit]
root# set security idp active-policy Recommended

[edit]
root# commit
[edit security idp active-policy]
  'active-policy Recommended'
    Policy must be defined under [security idp idp-policy]
error: commit failed: (statements constraint check failed)

[edit]
root#


So if you want to resurrect one of the templates you deleted from the config, just commit the templates script again and then activate the policy template you want.

[edit]
root# set system scripts commit file templates.xsl

[edit]
root# commit
commit complete

[edit]
root# delete system scripts

[edit]
root# commit
commit complete

[edit]


Doing this will of course bring all the templates back into the config, and it won't delete your customised copy of the template policy.

SUMMARY

If you are using an old template, it's worth having a look at the new ones, either as a basis for starting off or just to give you ideas for rules to add to your existing policy.


Model: srx210he
JUNOS Software Release [12.1X44-D25.5]
