Configuration: AJSEC Lab7 IPS Rulebase
...
The Juniper Networks intrusion prevention system (IPS) feature detects and prevents attacks in network traffic.
- based on signature, ( Using Deep packet inspection )
- Statistical anomaly-based inspection
IDS + dyn creation of FW rule by itself = IPS ( which take action )
>>> Issue is if the traffic is encrypted >>> use a proxy to open SSL
>> other method: heuristic analysis and network behavior anomaly detection
>> Telemetry data / passive monitoring of netflows or DNS queries
>> use of Passive DNS (help identify shadow and phishing domains) with Bind RPZ or OpenDNS
Mode:
Integrated Mode:
Inline-tap Mode: ( copy to a IPS Queue and reset the session if packet need tro be drop, !!! delay and not so secure !!!
...
IPS Signature: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-ips-signature-database-understanding.html
It contains definitions of different objects, such as
- service contexts objects,
- attack objects,
- application signature objects,
that are used in defining IDP policy rules.
The IPS signature database includes more than 5000 signatures and more than 1200 protocol anomalies.