MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS

Transcription

1 APPLICATION NOTE MIGRATING IPS SECURITY POLICY TO JUNIPER NETWORKS SRX SERIES SERVICES GATEWAYS Migrating Advanced Security Policies to SRX Series Services Gateways Copyright 2009, Juniper Networks, Inc.

2 Table of Contents Introduction...1 Deployment... 1 Feature Parity... 1 Multi-Method Detection Logging... 1 Scope...1 Description and Deployment Scenario...2 Security Policy Migration... 2 Standalone IDP Series to SRX Series... 3 Sensor Settings... 3 Migrating Policy... 4 ISG Series to SRX Series... 8 About Juniper Networks...9 ii Copyright 2009, Juniper Networks, Inc.

3 Introduction This application note is intended to provide a brief overview of some basic considerations when moving from standalone Juniper Networks IDP Series Intrusion Detection and Protection Appliances, or Juniper Networks ISG Series Integrated Security Gateways with IDP security module, to the SRX Series Services Gateways. Deployment SRX Series Services Gateways can be deployed in inline mode only. In other words, it is not possible to configure the SRX Series in sniffer or transparent mode (like the standalone IDP Series) nor can it be configured in inline tap mode like the ISG Series with IDP. Feature Parity Feature parity between standalone IDP Series and Juniper Networks JUNOS Software-based SRX Series platforms will occur in the near future. Ultimately feature parity is a goal that will be achieved over time, giving customers greater flexibility and allowing customers to choose the best solution to fit their overall business and network security needs. It is recommended that feature availability/requirements be verified before weighing device capabilities and deployment options. Multi-Method Detection SRX Series devices deploy two rulebases: Main IDP Rulebase, and Exempt Rulebase. In addition, SRX Series uses security zones which are based on technology available with ScreenOS-based security devices, and provides detailed screen protection as an alternative for some basic standalone detection methods/rulebases. Logging Logging on an SRX Series gateway must be configured to send records in response to security events via syslog to a preconfigured syslog server, such as the Juniper Networks STRM Series Security Threat Response Managers. Scope Although an SRX Series IDP policy can be configured entirely from within Juniper Networks J-Web Software, this document focuses primarily on command-line interface (CLI) and Juniper Networks Network and Security Manager configuration steps, with the intention of providing an easy transition and learning path for both system engineers new to the IDP Series and those already familiar with managing standalone IDP Series and ISG Series with IDP solutions. That said, brief J-Web configuration steps are also provided at the end of this document. Copyright 2009, Juniper Networks, Inc. 1

4 Description and Deployment Scenario Security Policy Migration This document assumes that the SRX Series gateway has been configured according to the following network diagram with all the required interfaces, security zones, and other needed configuration settings in place. GUI NSM SYSLOG fxp ge-0/0/7 ge-0/0/2 abc-trust abc-untrust ge-0/0/ SRX Series Here is an example of a basic SRX Series configuration: Figure 1: SRX Series Deployment Example set security log format syslog set security log source-address set security log stream jet severity debug set security log stream jet host set interfaces ge-0/0/2 unit 0 family inet address /24 set interfaces ge-0/0/3 unit 0 family inet address /24 set interfaces ge-0/0/7 unit 0 family inet address /24 set interfaces fxp0 unit 0 family inet address /24 set system services ssh root-login allow set system services outbound-ssh client nsm device-id EEC4B8 set system services outbound-ssh client nsm secret $9$iqfz9CuIhrp0IcrlXxbs24aUF39 set system services outbound-ssh client nsm services netconf set system services outbound-ssh client nsm port 7804 set security policies default-policy deny-all set security idp traceoptions file size 100m set security idp traceoptions flag all set security idp traceoptions level all set security zones security-zone abc-trust interfaces ge-0/0/2.0 set security zones security-zone abc-untrust interfaces ge-0/0/3.0 2 Copyright 2009, Juniper Networks, Inc.

5 Standalone IDP Series to SRX Series Because standalone IDP Series devices are typically deployed in either sniffer or transparent mode, additional considerations with regards to the network design must be made. These involve: Network interfaces configuration Security zones configuration In addition, there are considerations with regards to additional security features, such as: Denial of service (DoS)/flood protection Traffic anomaly detection or screens (as well as some of the detection methods which may have yet to be implemented as part of the current JUNOS release) Finally, security policy settings and, more specifically, configured actions have to be closely analyzed, because a new device has the potential to impact production network traffic flows as a result of its participation in Layer 3 processing. Sensor Settings On both standalone IDP Series and SRX Series devices, there are a number of sensor configuration settings which can be configured to fine-tune IDP Series behavior and can be accessed from CLI and Network and Security Manager. If any of the settings have been changed from the default value or need to be further modified, this would need to be done manually; there are no automated processes to export/import these settings. Note: In order to be able to update sensor configuration settings on the SRX Series from NSM, the SRX Series device needs to be configured in In-Device policy management mode. Copyright 2009, Juniper Networks, Inc. 3

6 Migrating Policy Following is a simple DMZ-based IDP Series security policy as it runs on a standalone IDP device. The task of porting this policy to the SRX Series device involves the following steps: 1. Make sure the SRX Series device is in Central Management Policy Mode. 2. Add and configure firewall rulebase. Configure source and destination zones Configure Install On Enable IDP Rename policy so it reflects new platform for easier management 4 Copyright 2009, Juniper Networks, Inc.

7 3. Change Install On in IDP policy and edit rules if needed. 4. Assign the policy. 5. Update device. Copyright 2009, Juniper Networks, Inc. 5

8 6. If the update fails due to inventory mismatch (between the device and associated information in NSM database such as the following Job Information example):.... then reconcile the Inventory:.... and update again 6 Copyright 2009, Juniper Networks, Inc.

9 7. Device update should resemble the following: show security idp idp-policy SRX_DMZ display set set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match source-address any set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match destination-address any set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups IP - Major set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups IP - Critical set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups TCP - Critical set security idp idp-policy SRX_DMZ rulebase-ips rule 1 match attacks predefined-attack-groups TCP - Major set security idp idp-policy SRX_DMZ rulebase-ips rule 1 then action drop-packet set security idp idp-policy SRX_DMZ rulebase-ips rule 1 then notification log-attacks alert set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match source-address any set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match destination-address any set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match attacks predefined-attack-groups DNS - Critical set security idp idp-policy SRX_DMZ rulebase-ips rule 2 match attacks predefined-attack-groups DNS - Major Copyright 2009, Juniper Networks, Inc. 7

10 set security idp idp-policy SRX_DMZ rulebase-ips rule 2 then action drop-connection set security idp idp-policy SRX_DMZ rulebase-ips rule 2 then notification log-attacks alert set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match source-address any set security idp idp-policy SRX_DMZ rulebase-ips rule 3 match destination-address any FINGER - Minor FTP - Minor GOPHER - Minor HTTP - Minor IMAP - Minor NNTP - Minor POP3 - Minor SHELLCODE - Minor SMTP - Minor SSH - Minor set security idp idp-policy SRX_DMZ rulebase-ips rule 3 then action no-action set security idp idp-policy SRX_DMZ rulebase-ips rule 3 then notification log-attacks ISG Series to SRX Series If the ISG Series with IDP is not configured in transparent (L2) mode and the network design is not to change, then the migration process becomes very straightforward. All considerations described in previous sections have already been addressed with the ISG Series and have been used for some length of time, providing greater confidence that the security policy will not impact production. The steps involved in migrating policy do not vary from the process involved in standalone IDP Series migration except that there is no need to additionally create firewall policy, and probably no need to redesign surrounding network and addressing, as well as required DoS and flood protection Even in the most demanding migration scenario, ISG Series migration involves only a subset of standalone IDP Series migration steps. A more demanding scenario would be if the ISG Series has been configured in Transparent (L2) mode. This process becomes more involved than in L3 mode, because breaking the broadcast domains can cause some concerns and would warrant additional care when configuring policy and its appropriate responses. However, just like in case of standalone IDP Series provided that networking configuration is done properly security policy rules (responses to specific events) can be enabled/changed selectively. 8 Copyright 2009, Juniper Networks, Inc.

11 About Juniper Networks Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at Corporate And Sales Headquarters Juniper Networks, Inc North Mathilda Avenue Sunnyvale, CA USA Phone: 888.JUNIPER ( ) or Fax: APAC Headquarters Juniper Networks (Hong Kong) 26/F, Cityplaza One 1111 King s Road Taikoo Shing, Hong Kong Phone: Fax: To purchase Juniper Networks solutions, please contact your Juniper Networks representative at or authorized reseller. EMEA Headquarters Juniper Networks Ireland Airside Business Park Swords, County Dublin, Ireland Phone: Fax: Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice EN Mar 2009 Printed on recycled paper. 9