AJSEC Lab3 AppSecure
- Jean-luc KRIKER
Overview

In this lab, you will implement features of the Juniper AppSecure suite on vSRX-1.
You will begin by configuring AppID and AppFW to protect the server against application-layer attacks.
Then, you will configure a custom application signature to restrict access to one section of the server.
Next, you will configure AppTrack to monitor the FTP exchanges between the client and the server.
Finally, you will configure APBR (advanced policy-based routing) to route traffic according to the application in use.

By completing this lab, you will perform the following tasks:
• Configure and monitor AppID and AppFW features.
• Configure and use custom application signatures.
• Configure and monitor AppTrack.
• Configure and monitor APBR.
Task | Lab notes
Configure and monitor AppID and AppFW features. | Allow traffic in to the local server: HTTP on TCP 80 and 8080, plus DNS over TCP and UDP.
Configure and use custom application signatures. | 
Configure and monitor AppTrack. | Monitor FTP traffic.
Configure and monitor APBR. | 
Part 1: Baseline configuration

lab config

Starting configuration of both devices. vSRX-1 is the firewall under test: zone Untrust is ge-0/0/3.0 (172.18.1.2/30, default route towards 172.18.1.1), zone Server holds ge-0/0/4.0 (172.16.10.1/24, the server LAN) and ge-0/0/2.0 (10.0.1.1/24, the link to vSRX-2). vSRX-2 is left as a plain router (its security zones and routing protocols are deactivated) and also has a leg on the server LAN (ge-0/0/6, 172.16.10.200/24); that second path is what APBR uses in Part 5. The two global policies permit HTTP on 80 and 8080 (custom application custom-http-8080) and DNS over TCP and UDP from Untrust to Server. Note that zone Server accepts any host-inbound system service (any-service), which is fine for a lab but far more than a production server zone should expose, and that both devices share the same root and lab password hashes from the lab image; do not reuse them elsewhere.

lab@vSRX-1# show | display set
set version 15.1X49-D90.7
set system host-name vSRX-1
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit
set security policies global policy Untrust-DNS match source-address any
set security policies global policy Untrust-DNS match destination-address any
set security policies global policy Untrust-DNS match application junos-dns-tcp
set security policies global policy Untrust-DNS match application junos-dns-udp
set security policies global policy Untrust-DNS match from-zone Untrust
set security policies global policy Untrust-DNS match to-zone Server
set security policies global policy Untrust-DNS then permit
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Untrust interfaces ge-0/0/3.0
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.1/24
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30
set interfaces ge-0/0/4 unit 0 family inet policer input RL
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24
set interfaces fxp0 unit 0 family inet address 172.25.11.1/24
set interfaces lo0 unit 0 family inet address 192.168.1.1/32
set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set applications application custom-http-8080 protocol tcp
set applications application custom-http-8080 destination-port 8080

lab@vSRX-2# show | display set
set version 15.1X49-D70.3
set system host-name vSRX-2
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security forwarding-options family mpls mode packet-based
set security zones security-zone all host-inbound-traffic system-services any-service
set security zones security-zone all host-inbound-traffic protocols all
set security zones security-zone all interfaces all
deactivate security zones
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.2/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family inet address 172.18.2.2/30
set interfaces ge-0/0/6 unit 0 family inet address 172.16.10.200/24
set interfaces fxp0 unit 0 family inet address 172.25.11.2/24
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1002.00
set routing-options static route 0.0.0.0/0 next-hop 172.18.2.1
set routing-options static route 172.16.1.100/32 next-hop 172.18.2.1
set protocols isis interface ge-0/0/2.0 level 1 disable
set protocols isis interface lo0.0 level 1 disable
deactivate protocols
Part 2: AppFW and AppID

part 2

The AppFW rule-set protect-server permits only traffic that AppID classifies as junos:HTTP and denies everything else (default-rule deny). It is attached to the Untrust-HTTP policy through then permit application-services application-firewall, so a session that the policy admits on TCP 80 or 8080 is dropped as soon as AppID decides it is not HTTP (an SSH or tunnel service listening on 8080, for example). Two points to keep in mind: the packets exchanged before AppID has reached a verdict are forwarded by the policy as usual, so the first packets of a non-HTTP session do get through; and the AppFW verdict is logged only because the policy also has log session-init and log session-close, with the RT_FLOW events collected in AppSecure-log by the syslog match.

Commands used:
show configuration security application-firewall
show configuration security policies global policy Untrust-HTTP
show configuration system syslog

[edit]
lab@vSRX-1# show security application-firewall | display set
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny

[edit]
lab@vSRX-1# show security policies global policy Untrust-HTTP | display set
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit application-services application-firewall rule-set protect-server
set security policies global policy Untrust-HTTP then log session-init
set security policies global policy Untrust-HTTP then log session-close

[edit]
lab@vSRX-1# show system syslog | display set
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
Part 3: Custom Application Signature

part 3

The custom application AJSEC-FILES is a nested application over HTTP with one signature of two members, and a signature fires only when all of its members match: the Host header must match the pattern for ajsecserver.ajsec.juniper.net (client-to-server) and the parsed URL must match /files/ (client-to-server). The AppFW rule for AJSEC-FILES is placed before the junos:HTTP rule, because rule-sets are evaluated first match: a request classified as AJSEC-FILES is denied, any other HTTP request is permitted, and everything else still hits default-rule deny.

Two caveats a reviewer would raise. First, the dots in the host pattern are unescaped, so they are regex wildcards and the member also matches look-alike host names; escaping them ("(.*\.)?(ajsecserver\.ajsec\.juniper\.net)") is the safer form, and the same check applies to whether /files/ matches sub-paths or only the bare directory, which is worth verifying on the box with a request for /files/<name>. Second, no-application-system-cache is set so that every session is classified from its own payload rather than from the application system cache, which is keyed on the server address, port and protocol: the same server port 80 serves both AJSEC-FILES and ordinary HTTP here, so a cached verdict would misclassify one of them.

Commands used:
show configuration services application-identification
show configuration security application-firewall

lab@vSRX-1> show configuration services application-identification | display set
set services application-identification no-application-system-cache
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 context http-header-host
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 pattern "(.*\.)?(ajsecserver.ajsec.juniper.net)"
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 direction client-to-server
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 context http-url-parsed
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 pattern /files/
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 direction client-to-server

lab@vSRX-1> show configuration security application-firewall | display set
set security application-firewall rule-sets protect-server rule AJSEC-FILES match dynamic-application AJSEC-FILES
set security application-firewall rule-sets protect-server rule AJSEC-FILES then deny
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny
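To make the Part 2 and Part 3 behaviour concrete, here is an added model (my own Python, not lab material or Junos code) of the two-member custom signature and the first-match AppFW rule-set protect-server. It evaluates sample HTTP requests against the lab's patterns and against a hardened variant with escaped dots. The request dictionaries, the hardened patterns and the anchored-versus-unanchored switch are assumptions of this example; which matching semantics the SRX applies must be confirmed on the device.

```python
import re

# Members of the lab's custom signature AJSEC-FILES (Part 3). A signature
# fires only when every one of its members matches its context.
LAB_MEMBERS = {
    "http-header-host": r"(.*\.)?(ajsecserver.ajsec.juniper.net)",
    "http-url-parsed": r"/files/",
}

# Hardened variant (my suggestion, not from the lab): literal dots escaped so
# the host member cannot match look-alike names, and the URL member extended
# so it covers everything under /files/ when the pattern is anchored.
HARDENED_MEMBERS = {
    "http-header-host": r"(.*\.)?(ajsecserver\.ajsec\.juniper\.net)",
    "http-url-parsed": r"/files/.*",
}

# AppFW rule-set protect-server (Part 3) in configured order, plus default rule.
PROTECT_SERVER = [("AJSEC-FILES", "deny"), ("junos:HTTP", "permit")]
DEFAULT_RULE = "deny"


def signature_matches(members, request, anchored=True):
    """True when every member pattern matches the request field for its context.

    anchored=True models a pattern that must consume the whole context value
    (the '(.*\\.)?' prefix in the lab's own host pattern suggests this);
    anchored=False models match-anywhere semantics. Which one the SRX applies
    is an assumption here: confirm on the box with requests for /files/ and
    /files/<name> before relying on the deny.
    """
    for context, pattern in members.items():
        value = request.get(context)
        if value is None:  # context absent (e.g. HTTP/1.0 without a Host header)
            return False
        found = re.fullmatch(pattern, value) if anchored else re.search(pattern, value)
        if not found:
            return False
    return True


def classify(request, members=LAB_MEMBERS, anchored=True):
    """Dynamic application AppID would report for one HTTP request."""
    if signature_matches(members, request, anchored):
        return "AJSEC-FILES"
    return "junos:HTTP"


def appfw_verdict(dynamic_app, rules=PROTECT_SERVER, default=DEFAULT_RULE):
    """First-match evaluation of an AppFW rule-set."""
    for app, action in rules:
        if app == dynamic_app:
            return action
    return default


def verdict_for(request, members=LAB_MEMBERS, anchored=True):
    """Classify the request, then apply the rule-set to the result."""
    return appfw_verdict(classify(request, members, anchored))


if __name__ == "__main__":
    # Constructed requests: the parsed URL and Host header as AppID would see them.
    samples = {
        "files root": {"http-header-host": "ajsecserver.ajsec.juniper.net", "http-url-parsed": "/files/"},
        "file below": {"http-header-host": "ajsecserver.ajsec.juniper.net", "http-url-parsed": "/files/report.pdf"},
        "look-alike": {"http-header-host": "ajsecserverXajsecXjuniperXnet", "http-url-parsed": "/files/"},
        "no Host": {"http-url-parsed": "/files/"},
    }
    for name, req in samples.items():
        print(f"{name:11} lab={verdict_for(req):6} hardened={verdict_for(req, HARDENED_MEMBERS)}")
```

The look-alike host shows why escaping matters, and the Host-less request shows that a signature built on a client header is only as strong as the client's willingness to send that header: a server that answers the same content on its default virtual host is still reachable without it.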
Part 4: AppTrack

Apptrack

AppTrack is enabled on zone Server, so sessions that traverse that zone produce APPTRACK RT_FLOW events, which the AppSecure-log syslog match already collects. first-update logs each session as soon as it is created rather than only at the first volume update, and session-update-interval 2 sends a volume update every 2 minutes (the unit is minutes) instead of the default interval. A new policy FTP-Unstrust (the name is kept as configured) permits junos-ftp from Untrust to Server; the FTP ALG opens the data-channel pinhole, so both control and data sessions are tracked. The interface policer on ge-0/0/4.0 was changed from RL to ftp-policer, but the two policers have identical limits, and a policer applied under family inet rate-limits all IPv4 input on the interface, not only FTP.

Commands used:
show configuration firewall
show configuration interfaces ge-0/0/4
show configuration security application-tracking
show configuration security zones security-zone Server
show configuration security policies global policy FTP-Unstrust

lab@vSRX-1> show configuration firewall | display set
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set firewall policer ftp-policer if-exceeding bandwidth-limit 1m
set firewall policer ftp-policer if-exceeding burst-size-limit 20k
set firewall policer ftp-policer then discard

lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set
set interfaces ge-0/0/4 unit 0 family inet policer input ftp-policer
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24

lab@vSRX-1> show configuration security application-tracking | display set
set security application-tracking first-update
set security application-tracking session-update-interval 2

lab@vSRX-1> show configuration security zones security-zone Server | display set
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Server application-tracking

lab@vSRX-1> show configuration security policies global policy FTP-Unstrust | display set
set security policies global policy FTP-Unstrust match source-address any
set security policies global policy FTP-Unstrust match destination-address any
set security policies global policy FTP-Unstrust match application junos-ftp
set security policies global policy FTP-Unstrust match from-zone Untrust
set security policies global policy FTP-Unstrust match to-zone Server
set security policies global policy FTP-Unstrust then permit
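The page shows how AppTrack is switched on but not what to do with the events it emits. The following added example (my own Python, not part of the lab) parses structured-syslog APPTRACK lines of the kind AppSecure-log would collect and accounts FTP bytes per session, keeping the latest counters from VOL_UPDATE and CLOSE events. The log lines are constructed for this example with invented counters; the structured-data field names and the treatment of VOL_UPDATE counters as cumulative are assumptions to check against the device's own output.

```python
import re

# Constructed sample of the events AppSecure-log collects once application-tracking
# is set on zone Server. The field names follow Junos structured-data logging;
# the addresses, ports, counters and session IDs are invented for this example.
SAMPLE_LOG = """\
<14>1 2019-03-05T10:01:12Z vSRX-1 RT_FLOW - APPTRACK_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="172.16.1.100" source-port="41300" destination-address="172.16.10.100" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" policy-name="FTP-Unstrust" source-zone-name="Untrust" destination-zone-name="Server" session-id-32="46900"]
<14>1 2019-03-05T10:03:12Z vSRX-1 RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="172.16.1.100" source-port="41300" destination-address="172.16.10.100" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" policy-name="FTP-Unstrust" source-zone-name="Untrust" destination-zone-name="Server" session-id-32="46900" packets-from-client="30" bytes-from-client="2100" packets-from-server="28" bytes-from-server="3500" elapsed-time="120"]
<14>1 2019-03-05T10:03:40Z vSRX-1 RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="172.16.1.100" source-port="41301" destination-address="172.16.10.100" destination-port="51000" service-name="junos-ftp-data" application="FTP-DATA" nested-application="UNKNOWN" policy-name="FTP-Unstrust" source-zone-name="Untrust" destination-zone-name="Server" session-id-32="46901" packets-from-client="400" bytes-from-client="600" packets-from-server="1100" bytes-from-server="1500000" elapsed-time="25"]
<14>1 2019-03-05T10:04:12Z vSRX-1 RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="172.16.1.100" source-port="41300" destination-address="172.16.10.100" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" policy-name="FTP-Unstrust" source-zone-name="Untrust" destination-zone-name="Server" session-id-32="46900" packets-from-client="45" bytes-from-client="3100" packets-from-server="40" bytes-from-server="5200" elapsed-time="180"]
<14>1 2019-03-05T10:04:30Z vSRX-1 RT_FLOW - APPTRACK_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="172.16.1.100" source-port="41400" destination-address="172.16.10.100" destination-port="80" service-name="junos-http" application="HTTP" nested-application="UNKNOWN" policy-name="Untrust-HTTP" source-zone-name="Untrust" destination-zone-name="Server" session-id-32="46910" packets-from-client="12" bytes-from-client="900" packets-from-server="10" bytes-from-server="4000" elapsed-time="3"]
<14>1 2019-03-05T10:05:00Z vSRX-1 RT_FLOW - APPTRACK_SESSION_VOL_UPDATE [junos@2636.1.1.1.2.129 source-address="172.16.1.100" source-port="41500" destination-address="172.16.10.100" destination-port="21" service-name="junos-ftp" application="FTP" nested-application="UNKNOWN" policy-name="FTP-Unstrust" source-zone-name="Untrust" destination-zone-name="Server" session-id-32="46905" packets-from-client="10" bytes-from-client="1000" packets-from-server="12" bytes-from-server="2000" elapsed-time="120"]
"""

EVENT = re.compile(r" RT_FLOW - (APPTRACK_SESSION_[A-Z_]+|RT_FLOW_SESSION_[A-Z_]+) \[")
FIELD = re.compile(r'([A-Za-z0-9-]+)="([^"]*)"')


def parse_line(line):
    """One structured-syslog line to a dict of its key="value" fields, or None."""
    m = EVENT.search(line)
    if not m:
        return None
    record = {"event": m.group(1)}
    record.update(FIELD.findall(line[m.end():]))  # order-independent
    return record


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def ftp_sessions(records):
    """Latest counters per FTP control or data session, keyed by session-id-32.

    VOL_UPDATE counters are treated as cumulative (assumption), so a newer event
    simply replaces the older snapshot; a CLOSE event marks the session finished.
    CREATE events carry no counters and are skipped.
    """
    sessions = {}
    for r in records:
        if not r.get("application", "").startswith("FTP"):
            continue
        if r["event"] not in ("APPTRACK_SESSION_VOL_UPDATE", "APPTRACK_SESSION_CLOSE"):
            continue
        sessions[r["session-id-32"]] = {
            "application": r["application"],
            "client": r["source-address"] + ":" + r["source-port"],
            "bytes": int(r["bytes-from-client"]) + int(r["bytes-from-server"]),
            "closed": r["event"] == "APPTRACK_SESSION_CLOSE",
        }
    return sessions


def total_ftp_bytes(records):
    return sum(s["bytes"] for s in ftp_sessions(records).values())


def sessions_over(records, limit_bytes):
    """Session IDs whose FTP volume exceeds limit_bytes, e.g. to spot bulk pulls."""
    return sorted(sid for sid, s in ftp_sessions(records).items() if s["bytes"] > limit_bytes)


def open_sessions(records):
    """Sessions seen in a volume update but not yet closed."""
    return sorted(sid for sid, s in ftp_sessions(records).items() if not s["closed"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("FTP bytes:", total_ftp_bytes(recs))
    print("over 1 MB:", sessions_over(recs, 1_000_000))
    print("still open:", open_sessions(recs))
```

Matching on the application field rather than on destination-port 21 is the point of AppTrack: the passive data channel in the sample uses an ephemeral server port and would be invisible to a port-based filter.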
Part 5: APBR

APBR configuration

SSH from Untrust to Server is permitted by a new policy Untrust-SSH (a plain permit, so it is not subject to the protect-server rule-set). The APBR profile SSH-APBR sends sessions identified as junos:SSH into the forwarding instance APBR, whose only route of its own is a default via 10.0.1.2, the vSRX-2 end of the ge-0/0/2 link; vSRX-2 then reaches the server LAN through its ge-0/0/6 leg. The profile is attached to the ingress zone (security-zone Untrust advance-policy-based-routing-profile SSH-APBR), which is not in the captured output.

Two details of this configuration are easy to get wrong. First, a forwarding instance needs the interface routes of the exit link to resolve its next-hop, which is what the rib-group APBR does by copying interface routes from inet.0 into APBR.inet.0. Without the import-policy block-rts (the line the author marked "add this one") every interface route is copied, including 172.16.10.0/24 via ge-0/0/4.0, which is more specific than the APBR default and therefore still wins: SSH would keep leaving on ge-0/0/4.0 and the Route modified counter would stay at zero. block-rts accepts only the routes of ge-0/0/2.0 and rejects the rest. Second, the author removed no-application-system-cache from Part 3 and commented out the custom signature (shown below with # markers): APBR matches its rule against the application system cache when the session starts, so the first session to a server port is still classified from its payload and routed via inet.0, and only sessions that find a cache entry are redirected. That is what the statistics below show (ASC Success and Route modified are equal), and it is also why APBR must not be relied on to isolate the very first connection.

lab@vSRX-1> show configuration security policies global policy Untrust-SSH | display set
set security policies global policy Untrust-SSH match source-address any
set security policies global policy Untrust-SSH match destination-address any
set security policies global policy Untrust-SSH match application junos-ssh
set security policies global policy Untrust-SSH match from-zone Untrust
set security policies global policy Untrust-SSH match to-zone Server
set security policies global policy Untrust-SSH then permit

lab@vSRX-1> show configuration routing-instances APBR | display set
set routing-instances APBR instance-type forwarding
set routing-instances APBR routing-options static route 0.0.0.0/0 next-hop 10.0.1.2

lab@vSRX-1> show configuration routing-options rib-groups | display set
set routing-options rib-groups APBR import-rib inet.0
set routing-options rib-groups APBR import-rib APBR.inet.0
set routing-options rib-groups APBR import-policy block-rts    ## add this one

lab@vSRX-1> show configuration routing-options interface-routes | display set
set routing-options interface-routes rib-group inet APBR

lab@vSRX-1> show configuration security advance-policy-based-routing | display set
set security advance-policy-based-routing profile SSH-APBR rule 1 match dynamic-application junos:SSH
set security advance-policy-based-routing profile SSH-APBR rule 1 then routing-instance APBR

# Delete: no-application-system-cache
#
# lab@vSRX-1> show configuration services application-identification | display set
# set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 context http-header-host
# set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 pattern "(.*\.)?(ajsecserver.ajsec.juniper.net)"
# set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 direction client-to-server
# set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 context http-url-parsed
# set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 pattern /files/
# set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 direction client-to-server

lab@vSRX-1> show configuration policy-options | display set
set policy-options policy-statement block-rts term 1 from interface ge-0/0/2.0
set policy-options policy-statement block-rts term 1 to rib APBR.inet.0
set policy-options policy-statement block-rts term 1 then accept
set policy-options policy-statement block-rts term 2 then reject
APBR show commands

show services application-identification application-system-cache
show security advance-policy-based-routing statistics
show security flow session

The first session capture shows SSH leaving on ge-0/0/4.0 (routed by inet.0); the second, taken after the cache held an entry for 172.16.10.100:22, shows the same client's SSH session leaving on ge-0/0/2.0 towards vSRX-2.

[edit routing-options]
lab@vSRX-1# run show security flow session
Session ID: 46634, Policy name: Untrust-SSH/7, Timeout: 1202, Valid
  In: 172.16.1.100/41256 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41256;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 20, Bytes: 4436,
Total sessions: 1

[edit routing-options]
lab@vSRX-1# run show security flow session
Session ID: 46798, Policy name: Untrust-SSH/7, Timeout: 1796, Valid
  In: 172.16.1.100/41005 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41005;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 4436,
Total sessions: 1

lab@vSRX-1# run show security advance-policy-based-routing statistics
Advance Profile Based Routing statistics:
  Session Processed:   214
  ASC Success:         2
  Rule match success:  2
  Route modified:      2
  AppID Requested:     158

[edit routing-options]
lab@vSRX-1#
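The effect of the block-rts import policy is a longest-prefix-match question, so here is an added model of it (my own Python, not lab or Junos code): it builds APBR.inet.0 from the instance's static default plus whatever interface routes the rib-group import policy admits, resolves the static next-hop against the same table, and reports the egress interface for an SSH session versus any other session. The route tables are derived from the Part 1 and Part 5 configuration; the table layout, the resolution depth limit and the per-application table selection are assumptions of this example.

```python
import ipaddress

# Direct routes vSRX-1 holds in inet.0 for its interfaces (from the Part 1
# configuration): (prefix, egress logical interface, next-hop or None).
INTERFACE_ROUTES = [
    ("10.0.100.0/24", "ge-0/0/1.0", None),
    ("10.0.1.0/24", "ge-0/0/2.0", None),
    ("172.18.1.0/30", "ge-0/0/3.0", None),
    ("172.16.10.0/24", "ge-0/0/4.0", None),
]
# inet.0 also carries the static default via the Untrust next-hop.
INET0 = INTERFACE_ROUTES + [("0.0.0.0/0", None, "172.18.1.1")]
# The APBR forwarding instance's own route: default via vSRX-2.
APBR_STATIC = ("0.0.0.0/0", None, "10.0.1.2")


def block_rts(route):
    """Import policy block-rts: term 1 accepts routes learned on interface
    ge-0/0/2.0 into APBR.inet.0, term 2 rejects everything else."""
    return route[1] == "ge-0/0/2.0"


def build_apbr_table(import_policy=block_rts):
    """APBR.inet.0 as the rib-group builds it: the instance's static route plus
    the interface routes the import policy lets through (None = no policy)."""
    imported = [r for r in INTERFACE_ROUTES if import_policy is None or import_policy(r)]
    return [APBR_STATIC] + imported


def lookup(table, dst):
    """Longest-prefix match; returns (network, interface, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ifl, nh in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifl, nh)
    return best


def egress_interface(table, dst, depth=0):
    """Interface a packet to dst leaves on. A static route names only a next-hop,
    so that next-hop is resolved against the same table, as Junos resolves an
    indirect next-hop. The depth guard (assumption) catches a default route whose
    next-hop is reachable only through itself, i.e. an unresolvable table."""
    if depth > 8:
        return None
    best = lookup(table, dst)
    if best is None:
        return None
    _, ifl, nh = best
    return ifl if ifl else egress_interface(table, nh, depth + 1)


def egress_for(dst, dynamic_app, import_policy=block_rts):
    """Profile SSH-APBR: junos:SSH sessions are looked up in APBR.inet.0 (once the
    application system cache yields the classification); all others use inet.0."""
    table = build_apbr_table(import_policy) if dynamic_app == "junos:SSH" else INET0
    return egress_interface(table, dst)


if __name__ == "__main__":
    server = "172.16.10.100"
    print("HTTP to server:", egress_for(server, "junos:HTTP"))
    print("SSH with block-rts:", egress_for(server, "junos:SSH"))
    print("SSH without the import policy:", egress_for(server, "junos:SSH", import_policy=None))
    print("SSH with a policy that rejects all:", egress_for(server, "junos:SSH", lambda r: False))
```

The "without the import policy" case reproduces the failure the author hit before adding block-rts: the copied 172.16.10.0/24 route beats the APBR default, and SSH keeps using ge-0/0/4.0. The reject-all case shows the opposite mistake, a table whose default cannot resolve its own next-hop.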