To verify that the configuration is working properly, use the following command:

[edit]
show security alarms

View the configured alarms to verify that at least one potential-violation option is set to "idp". If a potential-violation alarm is not defined for "idp", this is a finding.
A Routing Engine configuration option allows IDP alarms to be enabled and disabled. By default, an IDP attack event only writes to the current logs without raising an alarm. When the option is set and the system is configured appropriately, the IDP logs on the Packet Forwarding Engine are forwarded to the Routing Engine, which parses the IDP attack logs and raises IDP alarms as necessary.

To enable an IDP alarm:

[edit]
set security alarms potential-violation idp

An alarm can only be raised for attacks that a rule actually logs, so first turn on attack notification on the rule (the policy "recommended" and the rule "rule-1" are the names used in this example):

[edit]
set security idp idp-policy recommended rulebase-ips rule rule-1 then notification log-attacks

Configure syslog to capture the RT_IDP events. This stanza belongs under the [edit system] hierarchy, not the firewall stanza:

[edit system]
syslog {
    file IDP_Log {
        any any;
        match RT_IDP;
    }
}
Review the list of authorized Junos applications, endpoints, services, and protocols that are installed on the PPSM CAL. Use the following command to show the IDP-specific policies:

[edit]
show security idp

Next, display a summary of all the security policies:

[edit]
show security policies

Note: Also inspect the organization's central events log server (e.g., syslog server) for Deny events that match the restrictions in the PPSM CAL.

If security policies do not exist to block or restrict communications traffic that is identified as harmful or suspicious by the PPSM and vulnerability assessment, this is a finding.
Specify an active IDP policy prior to enabling IDP within a security policy. To configure the active IDP policy, execute the following command in configuration mode:

[edit]
set security idp active-policy <policy name>

Configure security policies for IDP inspection. Once the IDP policy is configured, IDP must be enabled on a security policy in order for IDP inspection to be performed. IDP inspection will only be performed on the traffic matching the security policies where IDP is enabled. To enable IDP on a security policy, enter the following command:

[edit]
set security policies from-zone <FROM ZONE NAME> to-zone <TO ZONE NAME> policy <POLICY NAME> then permit application-services idp
Verify that rules exist to drop packets or terminate sessions upon detection of malicious code.

[edit]
show security idp

View the then action of each rule in the rulebases of the IDP policies, and the security policies on which IDP inspection is enabled (application-services idp).

If rulebases in active policies are configured for No-Action or Ignore when harmful or suspicious content is detected by signatures, rules, or policies, this is a finding.
Specify an active IDP policy prior to enabling IDP within a security policy. To configure the active IDP policy, execute the following command in configuration mode:

[edit]
set security idp active-policy <policy name>

Configure security policies for IDP inspection. Once the IDP policy is configured, IDP must be enabled on a security policy in order for IDP inspection to be performed. IDP inspection will only be performed on the traffic matching the security policies where IDP is enabled. To enable IDP on a security policy, enter the following command:

[edit]
set security policies from-zone <FROM ZONE NAME> to-zone <TO ZONE NAME> policy <POLICY NAME> then permit application-services idp
Use the following command to view the rules of each IDP policy:

[edit]
show security idp idp-policy <policy-name>

The IDP attack log (the RT_IDP syslog events) can also be inspected to verify that IDP detection events contain a severity level in the log record.

If active IDP rules exist that do not include a severity level, this is a finding.
Example configuration to set the severity level on an IDP rule (the policy is called base-policy and the rule R1 in this example):

Define an attack as match criteria.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set match attacks predefined-attack-groups "TELNET-Critical"

Specify an action for the rule.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set then action drop-connection

Specify notification and logging options for the rule.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set then notification log-attacks alert

Set the severity level for the rule.
[edit security idp idp-policy base-policy rulebase-ips rule R1]
set then severity critical
Determine the names of the IDP policies by asking the site representative. From operational mode, enter the following command to verify that the outbound zones are configured with an IDP policy:

show security policies

If the zones bound to the outbound interfaces, including VPN zones, are not configured with an IDP policy, this is a finding.
To enable IDP services on outbound traffic, first create a security policy for the traffic flowing in one direction, then specify the action to be taken on traffic that matches the conditions specified in the policy. The zone and policy names below are placeholders:

[edit security policies from-zone <trusted-zone-name> to-zone <untrusted-zone-name> policy <idp-app-policy-name>]
set match source-address any destination-address any application any
set then permit application-services idp
From operational mode, enter the following command to verify that the signature-based attack object was created: show security idp policies If signature-based attack objects are not created, bound to a zone, and active, this is a finding.
Create a signature-based attack object (sig1 is the example name):

Specify a name for the attack.
[edit]
edit security idp custom-attack sig1

Specify common properties for the attack.
[edit security idp custom-attack sig1]
set severity major
set recommended-action drop-packet
set time-binding scope source count 10

Specify the attack type and context.
set attack-type signature context packet

Specify the shellcode flag.
set attack-type signature shellcode intel

Set the protocol and its fields.
set attack-type signature protocol ip ttl value 128 match equal

Specify the protocol binding and ports.
set attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100

Specify the direction.
set attack-type signature direction any
From operational mode, enter the following command to verify that the anomaly-based attack object was created:

show security idp policies

If anomaly-based attack objects are not created, bound to a zone, and active, this is a finding.
Create a protocol anomaly-based attack object (anomaly1 is the example name):

Specify a name for the attack.
[edit]
edit security idp custom-attack anomaly1

Specify common properties for the attack.
[edit security idp custom-attack anomaly1]
set severity info
set time-binding scope peer count 2

Specify the attack type and test condition.
set attack-type anomaly test OPTIONS_UNSUPPORTED

Specify other properties for the anomaly attack.
set attack-type anomaly service TCP
set attack-type anomaly direction any
set attack-type anomaly shellcode sparc
From operational mode, enter the following command to verify that the signature-based attack object was created: show security idp policies If signature-based attack objects are not created and used, this is a finding.
Create a signature-based attack object (<signature-name> is a placeholder):

Specify a name for the attack.
[edit]
edit security idp custom-attack <signature-name>

Specify common properties for the attack.
[edit security idp custom-attack <signature-name>]
set severity major
set recommended-action drop-packet
set time-binding scope source count 10

Specify the attack type and context.
set attack-type signature context packet

Specify the shellcode flag.
set attack-type signature shellcode intel

Set the protocol and its fields.
set attack-type signature protocol ip ttl value 128 match equal

Specify the protocol binding and ports.
set attack-type signature protocol-binding tcp minimum-port 50 maximum-port 100

Specify the direction.
set attack-type signature direction any
From operational mode, enter the following command to verify outbound zones are configured with an IDP policy: show security idp policies If zones bound to the outbound interfaces, including VPN zones, are not configured with policy filters, rules, signatures, and anomaly analysis, this is a finding.
To have IDP drop traffic when there is a detection event on a zone, based on the IDP policy: once the IDP policy is configured and active, IDP must be enabled on a security policy in order for IDP inspection to be performed. Keep in mind that IDP inspection will only be performed on the traffic matching the security policies where IDP is enabled. To enable IDP on a security policy, enter the following command:

[edit]
set security policies from-zone <FROM ZONE NAME> to-zone <TO ZONE NAME> policy <POLICY NAME> then permit application-services idp
To check the version of the installed security package, enter the following command from operational mode:

show security idp security-package-version

Compare the installed release with the latest available and approved release. If a newer approved release is available and not installed, this is a finding.
Because DoD does not allow the management port of security devices to be connected directly to the Internet, the required security package must be uploaded using the Juniper SRX offline process. Directions are available in the document "How to perform offline IDP and Application signature database update in SRX" on the Juniper Networks support site. DoD network policy requires that a local file repository be used to automate the update for network devices.

Before uploading updates, the IDP administrator must verify that the updates are approved by the site's CCB procedures and are authorized for installation. Once all files have been downloaded and approved, install the security package from operational mode:

request security idp security-package install source-path /var/db/idpd/sec-download
Verify that an attack group is configured.

[edit]
show security idp policies

If an attack group or rule(s) is not implemented to block the packets or terminate the session associated with code injection attacks that could be launched against databases, this is a finding.
Configure an attack group for the "INJ" and "CMDEXEC" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy: specify the attack group as match criteria in an IDP policy rule, and specify the match criteria and an IDP action that blocks the IP packet or terminates the connection.
Verify that an attack group is configured.

[edit]
show security idp policies

If an attack group or rule(s) is not implemented to block the packets or terminate the session associated with code injection attacks that could be launched against applications, this is a finding.
Configure an attack group for the "INJ" and "CMDEXEC" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy: specify the attack group as match criteria in an IDP policy rule, and specify the match criteria and an IDP action that blocks the IP packet or terminates the connection.
Verify an attack group is configured. [edit] show security idp policies If an attack group or rule(s) is not implemented to block the packets or terminate the session associated with SQL injection attacks that could be launched against data storage objects, this is a finding.
Configure an attack group for the "SQL" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy: specify the attack group as match criteria in an IDP policy rule, and specify the match criteria and an IDP action that blocks the IP packet or terminates the connection.
Verify an attack group is configured. [edit] show security idp policies If an attack group or rule(s) is not implemented to monitor for code injection attacks that could be launched against data storage objects, this is a finding.
Configure an attack group for the "INJ" and "CMDEXEC" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy by specifying the attack group as match criteria in an IDP policy rule.
Verify an attack group or rule is configured. [edit] show security idp policies If an attack group or rule(s) is not implemented to monitor for code injection attacks that could be launched against application objects, this is a finding.
Configure an attack group for the "INJ", "SQL", and "CMDEXEC" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy by specifying the attack group as match criteria in an IDP policy rule.
Verify an attack group or rule is configured. [edit] show security idp policies If an attack group or rule(s) is not implemented to monitor for SQL injection attacks that could be launched against data storage objects, this is a finding.
Configure an attack group for the "SQL" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy by specifying the attack group as match criteria in an IDP policy rule.
From operational mode, enter the following command to verify that the anomaly-based attack object was created:

show security idp policies

If anomaly-based attack objects are not created, bound to a zone, and active, this is a finding.
Create a protocol anomaly-based attack object (anomaly1 is the example name):

Specify a name for the attack.
[edit]
edit security idp custom-attack anomaly1

Specify common properties for the attack.
[edit security idp custom-attack anomaly1]
set severity info
set time-binding scope peer count 2

Specify the attack type and test condition.
set attack-type anomaly test OPTIONS_UNSUPPORTED

Specify other properties for the anomaly attack.
set attack-type anomaly service TCP
set attack-type anomaly direction any
set attack-type anomaly shellcode sparc
Verify that the anomaly-based attack object was created. From operational mode:

show security idp policies

If anomaly-based attack objects are not created, bound to a zone, and active, this is a finding.
Create a protocol anomaly-based attack object (anomaly1 is the example name):

Specify a name for the attack.
[edit]
edit security idp custom-attack anomaly1

Specify common properties for the attack.
[edit security idp custom-attack anomaly1]
set severity info
set time-binding scope peer count 2

Specify the attack type and test condition.
set attack-type anomaly test OPTIONS_UNSUPPORTED

Specify other properties for the anomaly attack.
set attack-type anomaly service TCP
set attack-type anomaly direction any
set attack-type anomaly shellcode sparc
Verify an attack group or rule is configured. [edit] show security idp policies If an attack group(s) or rules are not implemented to detect flood and DOS attacks, this is a finding.
Configure an attack group for the "FLOOD" and "DOS" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy by specifying the attack group as match criteria in an IDP policy rule.
Verify an attack group or rule is configured. [edit] show security idp policies If an attack group or rule is not implemented to detect root-level intrusion attacks or the match condition is not configured for an alert, this is a finding.
Create a custom rule that identifies the Junos application that is prohibited on the network, and add the "alert" option to the rule so that an alert is sent when the rule is invoked. Alerts should be sent only on critical and other site-selected items to prevent an excess of alerts. The policy "recommended" and the rule "rule-1" are the names used in this example:

[edit]
set security idp idp-policy recommended rulebase-ips rule rule-1 then notification log-attacks alert
Verify an attack group or rule is configured. [edit] show security idp policies If an attack group or rules are not configured to detect root-level intrusion attacks or the match condition is not configured for an alert, this is a finding.
Configure an attack group for the "ROOT" attacks in the signature database that are marked recommended. Consult the Junos Security Intelligence Center IDP signatures website for a list and details of each attack, along with the recommended action upon detection. Then add the attack group to a policy by specifying the attack group as match criteria in an IDP policy rule.
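The attack-group fixes above (code injection and SQL injection, flood and DoS, and root-level intrusion) all follow the same pattern but give no commands. The following is an added worked example and not part of the STIG text: it defines two dynamic attack groups, binds them to rules in one IDP policy that drop and alert (never no-action or ignore) and carry a severity, activates the policy, enables IDP on the outbound security policy, and turns on the alarm and syslog capture. The names (INJECTION-BLOCK, FLOOD-DOS-ROOT, stig-policy, R1, R2, trust, untrust, outbound, IDP_Log) and the category filter values (DB, HTTP, DOS, DDOS, SHELLCODE) are assumptions for illustration; the categories that exist depend on the installed signature database and must be confirmed against it before committing. Lines beginning with # are annotations, not CLI input.

```junos
# Added example, not STIG text. Group, policy, zone and category names are assumptions.
# Dynamic groups are recomputed from the signature database on every security-package
# update, so their membership tracks whatever release is currently installed.

# Group 1: injection signatures to block outright (DB and HTTP are assumed category
# names; the severity filter limits the group to critical and major signatures).
set security idp dynamic-attack-group INJECTION-BLOCK filters category values [ DB HTTP ]
set security idp dynamic-attack-group INJECTION-BLOCK filters severity values [ critical major ]

# Group 2: flood/DoS and root-level intrusion signatures (DOS, DDOS and SHELLCODE are
# assumed category names).
set security idp dynamic-attack-group FLOOD-DOS-ROOT filters category values [ DOS DDOS SHELLCODE ]

# Rule R1: terminate the session on an injection match, log it with an alert, and
# record a severity so the rule satisfies the severity and alert checks above.
set security idp idp-policy stig-policy rulebase-ips rule R1 match from-zone trust
set security idp idp-policy stig-policy rulebase-ips rule R1 match to-zone untrust
set security idp idp-policy stig-policy rulebase-ips rule R1 match source-address any
set security idp idp-policy stig-policy rulebase-ips rule R1 match destination-address any
set security idp idp-policy stig-policy rulebase-ips rule R1 match application default
set security idp idp-policy stig-policy rulebase-ips rule R1 match attacks dynamic-attack-groups INJECTION-BLOCK
set security idp idp-policy stig-policy rulebase-ips rule R1 then action drop-connection
set security idp idp-policy stig-policy rulebase-ips rule R1 then notification log-attacks alert
set security idp idp-policy stig-policy rulebase-ips rule R1 then severity critical

# Rule R2: drop the offending packet for flood/DoS and root-level signatures and alert.
set security idp idp-policy stig-policy rulebase-ips rule R2 match from-zone trust
set security idp idp-policy stig-policy rulebase-ips rule R2 match to-zone untrust
set security idp idp-policy stig-policy rulebase-ips rule R2 match source-address any
set security idp idp-policy stig-policy rulebase-ips rule R2 match destination-address any
set security idp idp-policy stig-policy rulebase-ips rule R2 match application default
set security idp idp-policy stig-policy rulebase-ips rule R2 match attacks dynamic-attack-groups FLOOD-DOS-ROOT
set security idp idp-policy stig-policy rulebase-ips rule R2 then action drop-packet
set security idp idp-policy stig-policy rulebase-ips rule R2 then notification log-attacks alert
set security idp idp-policy stig-policy rulebase-ips rule R2 then severity major

# Activate the policy, then enable IDP on the outbound security policy. Traffic that
# does not match a security policy with application-services idp is never inspected.
set security idp active-policy stig-policy
set security policies from-zone trust to-zone untrust policy outbound match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy outbound then permit application-services idp

# Raise a system alarm for IDP potential violations and keep the RT_IDP events locally.
set security alarms potential-violation idp
set system syslog file IDP_Log any any
set system syslog file IDP_Log match RT_IDP
```

After commit, confirm from operational mode with show security idp status that the policy compiled and is active, and with show security policies that the outbound policy carries application-services idp. Because the rule alerts on every match in the group, keep the groups narrow (severity filter, explicit categories) or the alert volume will swamp the ISSO and ISSM notifications the alarm is meant to feed.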
Verify alerts are configured to implement this requirement. [edit] show security alarms potential-violation If alerts are not configured to notify the ISSO and ISSM of potential-violation IDP events, this is a finding.
Configure alarms for IDP attacks under the [edit security alarms potential-violation] hierarchy, and add the "alert" option to the rule so that an alert is sent when the rule is invoked. Alerts should be sent only on critical and other site-selected items to prevent an excess of alerts. The policy "recommended" and the rule "rule-1" are the names used in this example:

[edit]
set security alarms potential-violation idp
set security idp idp-policy recommended rulebase-ips rule rule-1 then notification log-attacks alert
Verify automatic updates are configured. [edit] show security idp If updates are not automatically installed, this is a finding.
The following example configures automatic updates of the IDP signature database. Specify the URL of the DoD repository to use:

[edit]
set security idp security-package url <DoD repository>

Create a schedule for the automatic downloads:

set security idp security-package automatic interval <interval>
set security idp security-package automatic enable

It is also recommended that a local log be created to track when automated updates are performed, for troubleshooting purposes:

set system syslog file IDP_OPERATIONS any any
set system syslog file IDP_OPERATIONS match IDP_SCHEDULE
Verify that a dynamic attack group exists that includes attack objects for monitoring files for malicious code.

[edit]
show security idp dynamic-attack-group

If no attack group exists whose members include the malicious code attack categories, this is a finding.
Configure a dynamic attack group that includes attack objects for monitoring files for malicious code. There are many ways to accomplish this; the following is only an example (Malicious-Activity is the group name used here, and the filter belongs under the group's filters statement):

[edit]
set security idp dynamic-attack-group Malicious-Activity filters category values [ SHELLCODE VIRUS WORMS SPYWARE TROJAN ]
Verify that custom rules exist to drop packets or terminate sessions upon detection of malicious code.

[edit]
show security idp

View the then action of each rule in the rulebases of the IDP policies.

If rulebases for IDP policies that detect malicious code are not configured with an action of drop-packet, drop-connection, or some other form of session termination, this is a finding.
This requirement can be met through a rule within the IDP policy applied to the traffic. The following is an example of the command that can be added to the IDP policy; the policy is called Malicious-Activity and the rule is called R1 in this example:

[edit]
set security idp idp-policy Malicious-Activity rulebase-ips rule R1 then action drop-connection
Verify that an alert is sent when malicious code is detected.

[edit]
show security idp

View the then notification options of the rules in the IDP policies.

If the rules of the IDP policies that detect malicious code do not contain the "alert" option under notification log-attacks, this is a finding.
This requirement can be met using an alert. Alerts must be enabled and configured and then added to the IDP policy rule as a notification option. The following is an example of the command that can be added to the IDP policy; the policy is called Malicious-Activity and the rule is called R1 in this example:

[edit]
set security idp idp-policy Malicious-Activity rulebase-ips rule R1 then notification log-attacks alert
In operational mode, enter:

show system license

If the expiration date of the idp-sig license, or of any other installed license, is past today's date, this is a finding.
Update the expired licenses immediately following the procedures on the vendor website.
Verify that UTM and AV policies are configured.

[edit]
show security utm

If a stanza does not exist for at least one UTM and one AV policy, this is a finding.

If the IDPS does not have UTM and AV capabilities and traffic is not forwarded to be inspected for AV and UTM threats, this is a finding.
Configure at least one policy for the UTM and AV policy using the commands and options for the [edit security utm] hierarchy. If the UTM and AV licenses are not installed, IDPS must be installed in the architecture so that traffic is forwarded for deeper AV and UTM inspection. This can be accomplished by using a zone stanza to direct the traffic to an interface or IP destination address.