IDP-based threat detection

Before you start, note that IDP is shown as not activated regardless of whether the license is already deployed on the device. Mist Cloud handles downloading the signatures and enabling the IDP features.

Intrusion detection is the process of monitoring the events occurring in your network and analyzing them for signs of possible incidents, violations, or imminent threats to your security policies. Intrusion prevention is the process of performing intrusion detection and then stopping the detected incidents. These security measures are available as intrusion detection systems (IDS) and intrusion prevention systems (IPS), which become part of your network to detect and stop potential incidents.

You can apply a profile (Alert, Standard, Strict) to an access policy. Each profile has an associated traffic action that defines how the ruleset is enforced for each service or access policy. Actions are not user-configurable. The following IDP profiles apply the policy enforcement:

  • Alert – When the IDP engine detects malicious traffic on the network, only an alert is generated; no additional measures are taken by the system to prevent the attack. The IDP signature and rules are the same as the Standard profile. Alerts are typically only for low severity attacks, or when the administrator explicitly configures the alert action for a service and tenant.
  • Standard – The Standard profile is the default and represents the set of IDP signatures and rules recommended by Juniper. Each type and severity of attack has a Juniper-defined, non-configurable action that is enforced when an attack is detected. These actions include:
    • Close the client and server TCP connection.
    • Drop current and all subsequent packets.
    • Alert only, no additional action taken.
  • Strict – The Strict profile contains a similar set of IDP signatures and rules as the Standard profile. However, when an attack is detected the actions are more likely to actively block any malicious traffic or other attacks detected in the network.

Go to the Spoke template via Organization -> WAN Edge Templates -> Select "Spokes", set IDP=Alert on all Application Policies, and then save your changes so that they are applied to all Spokes.

Note: The policy action must be PERMIT, as the IDP setting will override the DENY statement.

Invisible to the end user, the feature configuration is enabled on the device and the IDP policies are downloaded to the device as well.

After a while, the feature is displayed as activated for the device.


To see the effects of IDP-based security scanning, you have to generate some attack traffic, at least for testing. Security and penetration-testing Linux distributions such as Kali Linux provide a wide variety of tools for this task.

Below, we use the desktop1 VM of the lab to install a simple web server security scanner called "nikto" and run it against the unhardened Apache Tomcat web server local to this lab. We chose this setup for simplicity: it only needs this one additional tool plus a local web server to which we can send plain, unencrypted HTTP requests that the IDP can inspect. The following shows the process of installing the tool, checking that the HTTP server is reachable, and then launching the scan.

virsh console desktop1

apt-get update

apt-get install -y nikto

# Check the Apache Tomcat Server of the local lab
wget http://172.16.77.155:8080
--2022-09-16 15:47:32-- http://172.16.77.155:8080/
Connecting to 172.16.77.155:8080... connected.
HTTP request sent, awaiting response... 200
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html [ <=> ] 10.92K --.-KB/s in 0s

2022-09-16 15:47:32 (85.3 MB/s) - ‘index.html’ saved [11184]

# Now start our security scanner for the first time
nikto -h http://172.16.77.155:8080
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 172.16.77.155
+ Target Hostname: 172.16.77.155
+ Target Port: 8080
+ Start Time: 2022-09-16 15:48:22 (GMT0)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1556961512000
+ OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ Cookie JSESSIONID created without the httponly flag
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.
+ /manager/html: Default Tomcat Manager interface found
+ 6544 items checked: 1 error(s) and 10 item(s) reported on remote host
+ End Time: 2022-09-16 15:50:03 (GMT0) (101 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

After generating enough events, we can inspect them. Go to Site -> Secure WAN Edge IDP/URL Events.


For the SRX the detected events should look like this.

So far, we have only used passive logging of those events and did not stop or mitigate them. We now become more aggressive and start stopping those events. With the Strict policy, the IDP tries to close the TCP connections of ongoing attacks it finds.

Change the Spoke template in use: wherever you had previously configured IDP=Alert, change it to IDP=Strict as seen below.

Run the security scanner a second time and you will notice that it now runs longer, produces far more errors, and detects fewer items.

nikto -h http://172.16.77.155:8080
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 172.16.77.155
+ Target Hostname: 172.16.77.155
+ Target Port: 8080
+ Start Time: 2022-09-16 16:01:51 (GMT0)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1556961512000
+ OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ 6544 items checked: 5657 error(s) and 6 item(s) reported on remote host
+ End Time: 2022-09-16 16:05:27 (GMT0) (216 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
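To make the difference between the two runs measurable rather than eyeballed, here is an added Python example (not part of the original lab) that parses the two Nikto summaries shown above, diffs the findings, and reports how many findings the Strict profile suppressed, how much the error count rose, and how much longer the scan took. The two report texts are copied from the lab output above; the NiktoRun structure and the "likely_mitigated" heuristic (findings disappear while errors spike, consistent with the IDP closing sessions) are my own assumptions, not anything Nikto or Mist provides.

```python
import re
from dataclasses import dataclass, field

# Both reports copied from the lab runs above: first with IDP=Alert, then with IDP=Strict.
NIKTO_ALERT = """
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1556961512000
+ OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ Cookie JSESSIONID created without the httponly flag
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ OSVDB-3233: /manager/manager-howto.html: Tomcat documentation found.
+ /manager/html: Default Tomcat Manager interface found
+ 6544 items checked: 1 error(s) and 10 item(s) reported on remote host
+ End Time: 2022-09-16 15:50:03 (GMT0) (101 seconds)
+ 1 host(s) tested
"""

NIKTO_STRICT = """
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0xW/21630 0x1556961512000
+ OSVDB-39272: favicon.ico file identifies this server as: Apache Tomcat
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ 6544 items checked: 5657 error(s) and 6 item(s) reported on remote host
+ End Time: 2022-09-16 16:05:27 (GMT0) (216 seconds)
+ 1 host(s) tested
"""

SUMMARY_RE = re.compile(r"^\+ (\d+) items checked: (\d+) error\(s\) and (\d+) item\(s\) reported")
END_RE = re.compile(r"^\+ End Time: .*\((\d+) seconds\)")
# Header/footer lines Nikto prints that are not findings (assumed set, based on the output above).
META_PREFIXES = ("Target IP", "Target Hostname", "Target Port", "Start Time", "End Time")


@dataclass
class NiktoRun:
    """Parsed view of one Nikto report (hypothetical structure, not part of Nikto)."""
    findings: list = field(default_factory=list)
    items_checked: int = 0
    errors: int = 0
    reported: int = 0
    seconds: int = 0


def parse_nikto(text):
    """Extract findings and the summary counters from Nikto's '+ ' lines."""
    run = NiktoRun()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("+ "):
            continue  # dashed separators and the version banner are skipped
        m = SUMMARY_RE.match(line)
        if m:
            run.items_checked, run.errors, run.reported = map(int, m.groups())
            continue
        m = END_RE.match(line)
        if m:
            run.seconds = int(m.group(1))
            continue
        body = line[2:]
        if body.startswith(META_PREFIXES) or body.endswith("host(s) tested"):
            continue
        run.findings.append(body)
    return run


def compare_runs(before, after):
    """Diff two runs and summarise what the stricter IDP profile changed."""
    suppressed = [f for f in before.findings if f not in after.findings]
    new = [f for f in after.findings if f not in before.findings]
    error_delta = after.errors - before.errors
    return {
        "suppressed": suppressed,
        "new": new,
        "error_delta": error_delta,
        "reported_delta": after.reported - before.reported,
        "seconds_delta": after.seconds - before.seconds,
        # Heuristic: findings vanish while errors spike -> sessions are being closed mid-scan.
        "likely_mitigated": error_delta > 0 and len(suppressed) > 0,
    }


def main():
    result = compare_runs(parse_nikto(NIKTO_ALERT), parse_nikto(NIKTO_STRICT))
    print(f"errors +{result['error_delta']}, reported {result['reported_delta']}, "
          f"scan time +{result['seconds_delta']}s, mitigated={result['likely_mitigated']}")
    for finding in result["suppressed"]:
        print("  no longer reachable under Strict:", finding)


if __name__ == "__main__":
    main()
```

The four findings that disappear under Strict are exactly the probes for the Tomcat manager and example pages, which is what you would expect the IDP to tear down; the remaining findings are header and ETag observations that Nikto derives from ordinary, benign-looking requests, so a stricter profile does not change them. Use the suppressed list, not just the item count, when you report what the policy change actually bought you.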

Back on the Events overview you will now notice that the Action on some events was to close the session to mitigate it.

Some other mitigated events.