IPS or intrusion prevention system


Configuration:   AJSEC Lab7 IPS Rulebase


The Juniper Networks intrusion prevention system (IPS) feature detects and prevents attacks in network traffic.

  • Signature-based inspection (using deep packet inspection)
  • Statistical anomaly-based inspection

IDS + dynamic creation of firewall rules by itself = IPS (which takes action)

>>> Issue: if the traffic is encrypted >>> use a proxy to open the SSL session

>> Other methods: heuristic analysis and network behavior anomaly detection

>> Telemetry data / passive monitoring of NetFlow records or DNS queries

>> Use of passive DNS (helps identify shadow and phishing domains) with BIND RPZ or OpenDNS


Modes:

Integrated Mode:

Inline-tap Mode: (copies the packet to an IPS queue and resets the session if the packet needs to be dropped; !!! delay and not so secure !!!)

Sniffer Mode: 


IPS Signature:    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-ips-signature-database-understanding.html

It contains definitions of different objects, such as

  • service context objects,
  • attack objects,
  • application signature objects,

that are used in defining IDP policy rules.

The IPS signature database includes more than 5000 signatures and more than 1200 protocol anomalies.
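As an added example (not part of the lab notes or of Juniper's documentation), here is a Junos set-style configuration that ties the signature-database objects above to an IPS rulebase rule and applies it to a security policy, with the inline-tap mode from the notes as an optional line. The policy name lab7-ips, the rule name, the zone names and the predefined attack group name are assumptions; the exact group names available depend on the installed signature database and Junos release.

```junos
# Optional: inline-tap mode as described in the notes (a copy goes to the IPS queue,
# the session is reset on detection). Omit this line for integrated (inline) mode,
# where the packet is held until inspection finishes and can be dropped directly.
set security forwarding-process application-services maximize-idp-sessions inline-tap

# IPS rulebase: the rule matches traffic (context objects) against attack objects
# from the signature database and takes an action when an attack is found.
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical match from-zone untrust
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical match to-zone trust
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical match source-address any
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical match destination-address any
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical match application default
# Assumed predefined attack group name; check with "show security idp attack group-list"
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical match attacks predefined-attack-groups "[Recommended]HTTP - Critical"
# drop-connection: drop the packet and close the session (prevention, not just detection)
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical then action drop-connection
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical then notification log-attacks alert
set security idp idp-policy lab7-ips rulebase-ips rule block-http-critical then severity critical

# Apply the IPS policy to the firewall policy that permits the traffic.
# Traffic that is denied by the firewall policy never reaches the IPS.
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address any
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit application-services idp-policy lab7-ips
# Older Junos releases activate the policy globally instead:
# set security idp active-policy lab7-ips
# (and use "then permit application-services idp" in the security policy)

# Verification after commit (operational mode):
# show security idp status
# show security idp attack table
# show security idp policy-commit-status
```

The verification commands show whether the IPS engine is running, which attacks have matched, and whether the policy compiled after commit.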