Quick And Dirty Juniper SRX IDP Test Config

When implementing a SRX IDP (Intrusion Detection and Prevention) configuration, you may want to check if everything is working properly. The 'default' templates supplied by Juniper can't be tested easily, since they protect your network from very specific attacks. Chances are small that you'll see one while you're testing.

I usually use a simple ICMP-TEST policy which will drop all ICMP traffic, and logs the event to a local file (for basic testing, but you'll want to forward these events to a syslog server).

IDP Config:

set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match from-zone any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match source-address any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match to-zone any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match destination-address any
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match application default
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 match attacks predefined-attacks ICMP:INFO:ECHO-REQUEST
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 then action drop-packet
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy ICMP-TEST rulebase-ips rule 1 then severity critical
set security idp active-policy ICMP-TEST

Add the IDP to the appropriate firewall rules and verify that your ICMP (ping) packets are being dropped.

Firewall rule example:

set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services idp

If your ICMP packets aren't being dropped while 'pinging' to Google DNS (8.8.8.8), you dit something wrong :-)

Verification of IDP functionality in Splunk.

Posted on November 1, 2013 by Willem and filed under Junos, Security, Tips'n Tricks and tagged idp srx example.

I'm Published (sort of...)

Someone mentioned that they found a link to my website in a Juniper exam training PDF. Looks like I did a good job on describing the implementation of the Application Firewall feature in the Juniper SRX.

Here is the link to the actual article.

Posted on October 31, 2013 by Willem and filed under Junos, Personal, Security, Tips'n Tricks and tagged exam srx AppFW Juniper.

Junos Dual ISP Backup Route Configuration

The last couple of years, we've had two ISP's on premise. One (XS4ALL) for basic Internet Access via VDSL, and one our (VoIP) phone provided by Ziggo. The Ziggo phone services includes free (and ultra lite) Internet access through the use of their cable modem. It's ultra-lite, since it's only 256kbps. More than enough for VoIP, but not nearly enough for modern basic Internet access.

Having these two ISP's means that I should be able to provide some redundancy in case my primary DSL connection fails (for whatever reason). Preferably an automated fail-over of some kind. Since there are no dynamic protocols available from either ISP (the Internet service is consumer-grade), I have to find some work-around.

Posted on August 16, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged IP monitoring fail-over ISP dual isp Splunk Juniper.

Choose Your Password (Language) With Care

When you want to use words / sentences in a password, it pays to use a non-English dictionary. Just check the Kaspersky blog on strong passwords., and try it for yourself.

The English word combination 'horse' and 'toad' are considered weaker than the Dutch equivalent ('paard' and 'pad').

Posted on August 5, 2013 by Willem and filed under Security, Tips'n Tricks and tagged password kaspersky strong dictionary strength.

Create a Juniper SRX ca-profile For Unified Access Control

When you have a registered Juniper UAC / IC appliance, you have to option to download a VMWare version of the system. This is called a DTE appliance (Development and Test Environment). With this you have a full-blown UAC at your disposal for testing and development. Only downside is that it's limited to 5 connected users. Apart from that, it's just like the real-deal.

Posted on July 30, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged xca srx UAC Unified Access Control PKI Juniper.

Juniper SRX Apply-groups

A while back I wrote a blog post about enabling global logging on security rules. This week I applied the same technique to enable ping on all zones for testing / troubleshooting purposes.

Instead of adding ping as a host-inbound-traffic system-service to all zones, and if you have a couple this means some configuring, you can solve this by adding just 3 (three) lines of config to the firewall.

Posted on July 15, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged srx config apply-groups groups ping firewall Juniper.

Interview With Edward Snowden - The PRISM Whistleblower

The dude deserves a medal. I guess that Uncle Sam would disagree.
The video itself doesn't reveal that much. Nothing more than a confirmation of the things we guessed were happening. And don't think that the US is the only country doing this. They all do (or want to).

Posted on June 11, 2013 by Willem and filed under Security and tagged PRISM Edward Snowden whistleblower.

Configure Application Firewalling On A Juniper SRX

Juniper entered the realm of application firewalling since the release of Junos 11.4 (for SRX platforms). A realm that is mainly dominated by Palo Alto (they basically invented it) and Checkpoint, but more and more vendor's are starting to move in on that territory.
And Juniper is one of those vendors that started to implement Application Firewalling (AppFW) on their (SRX) firewalls.

This post will show what needs to be done to enable AppFW, and how to configure those policies by using the J-Web interface and the CLI. The Junos software used in this exercise is version 12.1X44.4.

Posted on May 10, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged AppFW Juniper YouTube block srx application firewall example config configuration.

Cisco ISE: Change of Authorization (CoA) not working

We had a wireless security implementation at a customer site which consisted of the following components:

The setup included a wireless lan for guest access by using the Cisco ISE guest portal functionality.

We started by configuring the WLC's and ISE environment and having done that everything worked as a charm. A couple of days later we we were not able to connect to the wireless network.
The error reported in the ISE Authentications overview was:

Dynamic Authorization Failed : 11213 No responds received from Network Access Device

Posted on April 2, 2013 by Willem and filed under Annoying, Security, Tips'n Tricks and tagged Cisco Prime ISE LAN wireless.

Juniper SRX With DNS Proxy Service Enabled

Since the release of Junos v12.1x44D10 for branche SRX firewalls, Juniper added a feature called DNS-Proxy. This features enables the Junos device as a caching DNS server with several additional options. One of those feature is to define a Fully Qualified Domain Name (FQDN) with an IP address which overrides (if it exists) the entry in the 'official' DNS system on the Internet.

Posted on February 20, 2013 by Willem and filed under Tips'n Tricks, Security, Junos and tagged DNS Juniper Proxy Junos srx.