Juniper SRX Series by Rob Cameron, Brad Woodberg

So we know that AppSecure is a suite of features that relies on AI to identify the applications communicating within firewall sessions, and that these results are shared among other components that can perform some action on the traffic; let’s talk about how the AI process actually identifies the applications themselves. There are essentially five different mechanisms that AI can use to identify traffic at the time of writing this book.

Additionally, just like IPS, to ensure that the AI process is not vulnerable to network evasions, the firewall flow engine helps with packet serialization and reassembly before a match is made for identification purposes.

What’s important to note is that the SRX need not take port numbers or even protocol into account when identifying applications with signature-based or heuristic pattern match (cached and manually defined are not really applicable to this statement because they are not really detection mechanisms but rather predetermined results). Rather than just relying on the fact that HTTP’s well-known port is TCP port 80 to identify the result. The AppID performed by the SRX will actually dig into the traffic stream itself to determine what the identity of the traffic is based on well-known patterns and behaviors of these applications.

As we alluded to earlier, signature-based pattern matching is one of the most common mechanisms to identify applications, particularly those that are not evasive. Signature-based matching leverages the same pattern-matching technology that is used by the IPS engine to match attacks, but it has been repurposed (particularly from a UI perspective) to be leveraged by the AI engine. AI primarily uses Deterministic Finite Automaton (DFA) technology for pattern matching. The details of this mechanism, shown in Figure 12-8, are beyond the scope of this book, but you can think of it as a state machine that matches patterns based on evaluating different pattern-matching states at each bit of the traffic stream compared to match criteria. When a match occurs, a result can be determined.

Figure 12-8. Pattern matching with finite state machines

All of Juniper’s AI objects are fully open and can be viewed on the SRX—a really nice feature that most competitive platforms do not provide with closed source signatures. The benefit here is that you can not only view the signatures yourself, but also leverage them to create new signatures of your own.

Let’s look at an example that shows the content of the HTTP object.

root@srx3600n0> show services application-identification application detail junos:HTTP
Application Name: junos:HTTP
Application type: HTTP
Description: This signature detects HyperText Transfer Protocol (HTTP), which is a protocol used by the World Wide Web. It defines how messages are formatted and transmitted and what actions Web servers
             and browsers should take in response to various commands. HTTP usually runs on TCP port 80.
Application ID: 64
Disabled: No
Number of Parent Group(s): 1
Application Groups:
    junos:web
Application Tags:
    characteristic        : Can Leak Information
    characteristic        : Supports File Transfer
    characteristic        : Prone to Misuse
    characteristic        : Known Vulnerabilities
    characteristic        : Carrier of Malware
    characteristic        : Capable of Tunneling
    risk                  : 5
    category              : Web
Port Mapping:
    Default ports: TCP/80,3128,8000,8080
Signature:
    Port range: TCP/0-65535
    Client-to-server
        DFA Pattern: (\[OPTIONS|HEAD|GET|POST|PUT|B?DELETE|TRACE|SEARCH|B?PROPFIND|PROPPATCH|MKCOL|B?COPY|B?MOVE|LOCK|UNLOCK|CHECKOUT|CHECKIN|UNCHECKOUT|VERSION-CONTROL|CONTINUE|REPORT|UPDATE|MKWORKSPACE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|CMD|RPC_CONNECT|PATCH|UNLINK|POLL|CONNECT|BPROPPATCH|(UN)?SUBSCRIBE|RPC_IN_DATA|INDEX|REVLOG|CCM_POST|RPC_OUT_DATA|INVOKE|BITS_POST|SMS_POST|B?PROPPATCH|NOTIFY|X-MS-ENUMATTS|DESCRIBE\])[\s\x07\x0b\x1b].+

        Regex Pattern: None
    Server-to-client
        DFA Pattern: (.*HTTP/1\.[01]\s|.?.?\u[\x3C]!\[DOCTYPE\]\u|.?.?\u[\x3C]\[HTML\]\u|.?.?\u[\x3C]\?\[xml\]\u|\[Content-type\]: ).*
        Regex Pattern: None
    Minimum data client-to-server: 8
    Minimum data server-to-client: 8
    Order: 186

Looking at the output of the AI object, we can see a few things. First, there is a lot of detail around descriptions and characteristics of the signature, but most important we can see how the application is being detected. The port range shows that we’re looking for this on any port 0-65535. There is a default port setting, but that’s only used when AI is disabled for services like IPS that normally rely on it. A very important feature that the SRX has is that we match patterns on both client to server and server to client. If you match patterns only on one direction, it could not only be more prone to false positives, but also could be prone to evasions. There are specific patterns that are matched in the client-to-server and in the server-to-client portions of the communication. If we don’t match both directions, we do not have a match.

There is also a regex field, but this refers to PCRE regex rather than the standard Juniper Regex engine. Most signatures just use the Juniper Regex rather than both engines (more performing impacting).

root@srx3600n0> show services application-identification application detail junos:GOOGLE
Application Name: junos:GOOGLE
Application type: GOOGLE
Description: This signature detects traffic to Google.com.
Application ID: 987
Disabled: No
Number of Parent Group(s): 1
Application Groups:
    junos:web:portal
Application Tags:
    characteristic        : Loss of Productivity
    characteristic        : Bandwidth Consumer
    risk                  : 2
    subcategory           : Portal
    category              : Web
Signature NestedApplication:GOOGLE
    Layer-7 Protocol: HTTP
    Chain Order: Yes
    Maximum Transactions: 15
    Order: 33459
    Member(s): 1
        Member 0
            Context: http-header-host
            Pattern: (.*\.)?google\.com
            Direction: CTS

Another mechanism that the SRX can use to identify evasive applications that do not provide any obvious patterns to match is by leveraging heuristics. Heuristics allow the SRX to look at the traffic in an analytical fashion to detect what application is running. For instance, the SRX supports detecting unknown encrypted applications. If the AI engine cannot detect the application as being another protocol, it can then examine the byte stream to determine if it is encrypted by measuring the randomness of the payload bytes. Any application stream that is encrypted (or compressed) will exhibit a highly randomized byte stream. Again, this isn’t looking for any specific pattern, but looking at the behavior of the traffic. Heuristic-based detection is very similar to the protocol anomalies in the IPS engine, in that it is not something for which we can publish the signatures, because it is code that’s built into the IPS engine itself.

Heuristics is a very powerful mechanism that will likely become even more and more important going into the future as applications become more and more evasive to avoid traditional pattern-matching techniques. Of course, we also have an application named “junos:UNKNOWN,” which means that a pattern match was not possible, so it is also possible to catch any others with this and perform an action accordingly.

Sometimes the SRX can identify that a future session will be based on other sessions or activity. For instance, with ALGs (assuming they are enabled) the SRX can identify that the data (auxiliary) session will be based on the control session that negotiates the port or protocol between the client and server dynamically. This is supported for any ALG supported on the SRX. Additionally, using the heuristic engine, the SRX can identify applications based on other information exchanged. For instance, the SRX can look at the distributed hash tables exchanged by peer-to-peer (P2P) applications to determine what servers are super nodes or other server infrastructure for P2P apps, which often change frequently. This ability is called predictive session identification, another mechanism that can be used to identify applications. This won’t appear as a signature with a pattern per se, but will be used to identify application objects that can be used in enforcement control of other components like AppFW and AppQoS.

Application caching is a technique that can be used so that the engine does not have to go through the effort of processing the session with AI each and every time that the traffic is sent through the box. Essentially, application caching (enabled by default) will do a lookup on the first pass of processing traffic to determine if it already knows the identity of the application. This is based on the server IP address, server port, Layer 3/Layer 4 protocol, and LSYS (if used). If the system can identify what the application is, it will make an entry for it so that this isn’t required next time (with a default timeout of 60 minutes).

{primary:node0}
root@SRX100HM> show services application-identification application-system-cache
node0:
-----------------------------------------
Application System Cache Configurations:
  application-cache: on
  nested-application-cache: on
  cache-unknown-result: on
  cache-entry-timeout: 3600 seconds
pic: 0/0
Logical system name: 0
IP address: 173.255.241.134                Port: 53     Protocol: UDP
Application: DNS                           Encrypted: No

Logical system name: 0
IP address: 172.16.42.205                  Port: 445    Protocol: TCP
Application: SMB                           Encrypted: No

Logical system name: 0
IP address: 192.168.222.50                 Port: 1096   Protocol: TCP
Application: MSRPC                         Encrypted: No

Logical system name: 0
IP address: 68.169.198.3                   Port: 80     Protocol: TCP
Application: HTTP                          Encrypted: No

Logical system name: 0
IP address: 192.168.222.35                 Port: 80     Protocol: TCP
Application: HTTP                          Encrypted: No

Logical system name: 0
IP address: 172.16.42.204                  Port: 445    Protocol: TCP
Application: SMB                           Encrypted: No

Logical system name: 0
IP address: 64.208.138.126                 Port: 80     Protocol: TCP
Application: HTTP                          Encrypted: No

We can see from this example that a table is maintained that has a breakdown of each server, destination port, and protocol. This helps to improve performance for AI to near firewall performance when in use, assuming a decent number of cache hits. If a cache hit does occur, the AI engine does not need to inspect the traffic, although other functions will still occur like IPS, AppFW, UTM, and so on.

The benefit to using cache is performance, and the disadvantage is that if a client and server are colluding they might be able to evade the AI engine if they change the session between each round. Running IPS can help to better detect this behavior with the use of anomaly detection, or you can also disable the AI cache so that AI examines the traffic every time.

As we showed in Figure 12-2, once the AI engine has produced a match (or unknown), it will publish this application to other components internally that are “interested” in the result. There is nothing that you as the administrator need to do make this data exchange occur, assuming that you haven’t altered any default options (as you can technically disable AI for services like IPS).

Application caching is a feature that allows you to improve performance by caching the results of application detection for a given server IP, protocol, or protocol combination so that in the future the SRX won’t need to run AppID again until the session ages out (one hour by default). Application caching poses the traditional performance versus security dilemma. For the most security-sensitive environments, it’s best to disable this so that AppID runs every time (along with running other services like IPS, UTM, and others). Although the potential for application cache attacks is not very common, it is technically possible if the client and server are both colluding (e.g., with a very intentionally evasive application). There aren’t many common examples of this on the Internet, but we never know how things could change in the future. Running other services (particularly IPS) on top of AppID really solidifies the threat vector because noncompliant applications will more than likely light up the protocol anomaly engine like a Christmas tree.

There are a few options that you have when working with application caching:

In this example, we alter the default settings on two different devices. On the SRX100 we disable application caching entirely, whereas on our SRX3600 we disable the caching of nested applications and change the default cache time to 10 minutes.

[edit]
root@SRX100# set services application-identification no-application-system-cache

[edit]
root@SRX100# show services application-identification
no-application-system-cache;

[edit]
root@srx3600n0# set services application-identification nested-application-settings no-application-system-cache

 [edit]
root@srx3600n0# set services application-identification application-system-cache-timeout 600

[edit]
root@srx3600n0# show services application-identification
nested-application-settings {
    no-application-system-cache;
}
application-system-cache-timeout 600;

[edit]
root@srx3600n0# set services application-identification enable-heuristics

[edit]
root@srx3600n0# show services application-identification
enable-heuristics;

Although it isn’t common, you might find yourself in a position where you need to turn off certain AppID objects or groups (or perhaps you turned some off in the past and you need to turn them back on). With Junos 12.1X44+, you can also override applications using Layer 3/Layer 4 applications if you have a false positive, which we show you how to do in this section. Let’s say, though, that you have a signature that is misfiring on applications broadly. You can disable the signature or group as follows:

root@srx3600n0> show services application-identification application summary
Application(s): 233
Nested Application(s): 872
  Applications                        Disabled         ID      Order
  junos:TWITTER-SSL                    No               1287    33694
  junos:EBAY-CLASSIFIEDS               No               1286    33693
  junos:MYSPACE-SSL                    No               1285    33692
  junos:DROPBOX-CLEAR                  No               1284    33689
  junos:IPERNITY                       No               1282    33680
  junos:PLAXO                          No               1281    33681
  junos:PROJECTPLACE                   No               1280    33685
  junos:MICROSOFT-LIVE-SERVICES        No               1279    33686
  junos:CLARIZEN-SSL                   No               1278    33688
  junos:CLARIZEN                       No               1277    33687
  junos:ZORPIA                         No               1276    33678
  junos:PINTEREST                      No               1275    33679
  junos:GATHER                         No               1274    33676
  junos:GAIAONLINE                     No               1273    33675
  junos:FEDGEWING                      No               1272    33677

root@srx3600n0> show services application-identification group summary
Application Group(s): 82
Application Groups                                Disabled  ID
  junos:web:social-networking:business             No        84
  junos:web:infrastructure:encryption              No        83
  junos:web:remote-access:tunneling                No        82
  junos:web:infrastructure:mobile                  No        81
  junos:web:infrastructure:software-update         No        80
  junos:web:infrastructure:database                No        79
  junos:web:infrastructure                         No        78
  junos:web:gaming:protocols                       No        77
  junos:web:p2p:file-sharing                       No        76
  junos:web:p2p                                    No        75
  junos:web:multimedia:audio-streaming             No        74
  junos:web:social-networking:linkedin             No        73
  junos:web:messaging:mail                         No        72
  junos:web:multimedia:adult                       No        71
  junos:web:remote-access:interactive-desktop      No        70
  junos:web:remote-access                          No        69

root@srx3600n0> request services application-identification application disable junos:TWITTER-SSL
Please wait while we are re-compiling signatures ...
Please wait while we are re-compiling signatures ...
Please wait while we are re-compiling signatures ...
Disable application junos:TWITTER-SSL succeed.

root@srx3600n0> show services application-identification application summary
Application(s): 233
Nested Application(s): 872
  Applications                          Disabled         ID      Order
  junos:TWITTER-SSL                      Yes              1287    33694
  junos:EBAY-CLASSIFIEDS                 No               1286    33693
  junos:MYSPACE-SSL                      No               1285    33692
  junos:DROPBOX-CLEAR                    No               1284    33689
  junos:IPERNITY                         No               1282    33680
  junos:PLAXO                            No               1281    33681
  junos:PROJECTPLACE                     No               1280    33685
  junos:MICROSOFT-LIVE-SERVICES          No               1279    33686
  junos:CLARIZEN-SSL                     No               1278    33688


root@srx3600n0> request services application-identification group disable junos:messaging
Disable application group junos:messaging succeed.

root@srx3600n0> request services application-identification group enable junos:messaging
Enable application group junos:messaging succeed.

root@srx3600n0> request services application-identification application enable junos:TWITTER-SSL
Please wait while we are re-compiling signatures ...
Please wait while we are re-compiling signatures ...
Enable application junos:TWITTER-SSL succeed.

In that example, we first viewed a summary of the application status along with the group status (both outputs were trimmed for brevity, but you can run these on your system). Then we disabled a signature and group and reenabled them just for an example. This is how you would disable a signature or group or reenable signatures if need be. By default, all applications and groups in the export are active (a different concept than how it is run in IPS, where you need to explicitly enable objects). There is also a copy function as part of the request command that allows you to copy the signature into a custom signature so you can modify it, as you can’t modify any predefined signatures—although you can copy it to a new one, modify it, and disable the predefined one. Also note that the action of enabling and disabling signatures survives reboots and application package updates, so you must manually undo it.

We already showed how to view the contents of application objects in the preceding section, but you can also view the contents of application groups with the following command (which can be used recursively to dig deeper into the group until only members remain):

root@srx3600n0> show services application-identification group detail junos:web:multimedia
Group Name: junos:web:multimedia
Group ID: 60
Description: N/A
Disabled: No
Number of Applications: 0
Number of Sub-Groups: 4
Number of Parent-Groups: 1
Sub Groups:
    junos:web:multimedia:audio-streaming
    junos:web:multimedia:adult
    junos:web:multimedia:web-based
    junos:web:multimedia:video-streaming
Parent Groups:
    junos:web

root@srx3600n0> show services application-identification group detail junos:web:multimedia:web-based
Group Name: junos:web:multimedia:web-based
Group ID: 64
Description: N/A
Disabled: No
Number of Applications: 65
Number of Sub-Groups: 0
Number of Parent-Groups: 1
Applications:
    junos:NETFLIX
    junos:AAJTAK
    junos:STEREOMOOD
    junos:HULU
    junos:GROOVESHARK-STREAMING
    junos:BABELGUM
    junos:MOG
    junos:VIDEOSURF
    junos:DEEZER
    junos:WE7
    junos:VIMEO
    junos:HTTP-VIDEO
    junos:SOCIALTV
    junos:LAST-FM-STREAMING
    junos:JUSTIN-TV
    junos:PANDORA
    junos:BEEMP3
    junos:PDF
    junos:METACAFE
    junos:FREEETV
    junos:SILVERLIGHT
    junos:CRACKLE
    junos:IMGUR
    junos:NETFLIX-STREAM
    junos:TIDALTV
    junos:TUDOU
    junos:AOL-VIDEO
    junos:LIVEFLASH
    junos:JANGO
    junos:MIXCLOUD
    junos:YOUTUBE-COMMENT
    junos:TAGOO
    junos:ZAYCEV
    junos:LIVE365
    junos:YOUKU
    junos:YUVUTU
    junos:GOOGLE-VIDEOS
    junos:BOXEE-TV
    junos:YOUTUBE
    junos:DAILYMOTION
    junos:NETFLIX-PLAYER
    junos:TED
    junos:MTV-HD-VIDEO-STREAM
    junos:SONGS-PK
    junos:PPLIVE
    junos:TWITVID
    junos:NEWGROUNDS
    junos:STARTV
    junos:MOBILATORY-SEND-TO-PHONE
    junos:YAHOO-DOUGA
    junos:YOUTUBE-STREAM
    junos:USTREAM
    junos:TVUNETWORKS

In this example, we create a Layer 3/Layer 4 application that overrides the application name for the server 192.168.1.2 on TCP port 80 rather than using the standard AppID pattern matching. This is useful when you have a signature that is having false positive issues on a particular server, but is still valid more broadly on the system (e.g., when you have a poorly written application). Rather than disabling the signature entirely, you can make a Layer 3/Layer 4 signature that overrides this setting for the server only while leaving the signature intact. Then this object can be referenced in other AppSecure policies.

[edit]
root@srx3600n0# set services application-identification application Override-192.168.1.2:TCP80 address-mapping Override destination ip 192.168.1.2 port-range tcp 80

[edit]
root@srx3600n0# set services application-identification application Override-192.168.1.2:TCP80 address-mapping Override order 1500

[edit]
root@srx3600n0# show services application-identification
application Override-192.168.1.2:TCP80 {
    address-mapping Override {
        destination {
            ip 192.168.1.2/32;
            port-range {
                tcp 80;
            }
        }
        order 1500;
    }
}

In that example, we specified a new AppID object that is based on a particular destination IP address and protocol and port match. We also need to define the order when using multiple Layer 3/Layer 4 application signatures for the match. Note that you would also use the same base command to define custom applications with pattern regex, but that is a more advanced topic that is outside the scope of this book.

The SRX allows you to define your own custom application group, which can be composed of predefined applications, as well as custom applications and groups. This group can then be referenced in the AppSecure policies just like any other Application object.

[edit]
root@srx3600n0# set services application-identification application-group Web-and-Games application-groups junos:web

[edit]
root@srx3600n0# set services application-identification application-group Web-and-Games application-groups junos:gaming


[edit]
root@srx3600n0# set services application-identification application-group Web-and-Games applications junos:BITTORRENT-UDP

[edit]
root@srx3600n0# show services application-identification
application-group Web-and-Games {
    application-groups {
        junos:gaming;
        junos:web;
    }
    applications {
        junos:BITTORRENT-UDP;
    }
}

In that example, we created a new group called Web and Games that contains all applications in the Junos:web group, Junos:gaming group, and a standalone application junos:BITTORRENT-UDP, just for example.

Turning on AppTrack is very simple once you’ve licensed the box and downloaded signature packs (assuming you’re not using your own custom applications). All you need to do is to enable AppTrack on a zone-by-zone basis. This will enable the AppTrack function for any traffic that traverses the zone, whether the zone is the source or destination zone. This provides some granularity when it comes to enabling AI. Once you have AppTrack enabled, the only other thing that you need to do is to make sure that you have data plane logging enabled, either to a syslog server or locally through the control plane. We discussed how to configure this at length in Chapter 5.

In this example, we enable AppTrack in the trust and untrust zone, along with a syslog server to send the logs to our STRM at 192.168.1.20.

[edit]
root@srx3600n0# set security zones security-zone trust application-tracking

[edit]
root@srx3600n0# set security zones security-zone untrust application-tracking

[edit]
root@srx3600n0# set security log mode stream format sd-syslog stream STRM host 192.168.1.20

[edit]
root@srx3600n0# show security zones
security-zone trust {
    interfaces {
        xe-1/0/0.0;
    }
    application-tracking;
}
security-zone untrust {
    interfaces {
        xe-1/0/1.0;
    }
    application-tracking;
}


[edit]
root@srx3600n0# show security log
mode stream;
format sd-syslog;
stream STRM {
    host {
        192.168.1.20;
    }
}

In this example, we extend AppTrack from our last example to turn on logging when the session is first created, and set the update interval to every five minutes for long-lived sessions.

[edit]
root@srx3600n0# set security application-tracking first-update session-update-interval 5

[edit]
root@srx3600n0# show security application-tracking
first-update;
session-update-interval 5;

There are three types of AppFW rulesets: blacklist, whitelist, and hybrid. Actually, hybrid is a new feature starting in Junos 12.1X44. As we mentioned earlier, you can define match criteria for the rules in the ruleset and the action criteria, along with a default action. If you were using a blacklist approach, you would define the rules with actions of deny/reject/redirect and the default action as permit. If you were using the whitelist approach, you would define rules with the action of permit, and the default action would be deny/reject/redirect. The hybrid technique comes from the challenge of nested applications. For instance, let’s say you wanted to define a rule that blocked Facebook, allowed all other HTTP-based web traffic, and denied all other applications. Prior to Junos 12.1X44 you could not do this, because you could not mix permit and deny in the rules; all of the rules had to be either permit or deny, with the default action the opposite. As of version 12.1X45, we added the ability to also leverage redirect as an action of the firewall ruleset for HTTP and HTTPS traffic to redirect to a local splash page, or send the results externally. Just like standard firewall rules, the AppFW ruleset is evaluated from top to bottom until a match is made or the default action is reached.

Let’s take a look at setting up each one of these examples.

[edit]
root@srx3600n0# set security application-firewall rule-sets Facebook-Games rule 1 match dynamic-application junos:FACEBOOK-FARMVILLE

[edit]
root@srx3600n0# set security application-firewall rule-sets Facebook-Games rule 1 then deny

[edit]
root@srx3600n0# set security application-firewall rule-sets Facebook-Games rule 2 match dynamic-application-group junos:gaming

[edit]
root@srx3600n0# set security application-firewall rule-sets Facebook-Games rule 2 then deny

[edit]
root@srx3600n0# set security application-firewall rule-sets Facebook-Games default-rule permit

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound match source-address any destination-address any application junos-http

root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then permit application-services application-firewall rule-set Facebook-Games

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then log session-close

[edit]
root@srx3600n0# show security application-firewall rule-sets Facebook-Games
rule 1 {
    match {
        dynamic-application junos:FACEBOOK-FARMVILLE;
    }
    then {
        deny;
    }
}
rule 2 {
    match {
        dynamic-application-group junos:gaming;
    }
    then {
        deny;
    }
}
default-rule {
    permit;
}

[edit]
root@srx3600n0# show security policies from-zone trust to-zone untrust policy Allowed-Outbound
match {
    source-address any;
    destination-address any;
    application junos-http;
}
then {
    permit {
        application-services {
            application-firewall {
                rule-set Facebook-Games;
            }
        }
    }
    log {
        session-close;
    }
}

root@srx3600n0# run show services application-identification application detail junos:FACEBOOK-FARMVILLE
Application Name: junos:FACEBOOK-FARMVILLE
Application type: FACEBOOK-FARMVILLE
Description: This signature detects the Facebook embedded version of FarmVille. FarmVille is a social game that allows the user to control a virtual farm and share the farming experience with other users.
Application ID: 510
Disabled: No
Number of Parent Group(s): 1
Application Groups:
    junos:web:social-networking:facebook
Application Tags:
    characteristic        : Loss of Productivity
    risk                  : 1
    subcategory           : Social-Networking
    category              : Web
Signature NestedApplication:FACEBOOK-FARMVILLE
    Layer-7 Protocol: HTTP
    Chain Order: no
    Maximum Transactions: 1
    Order: 33048
    Member(s): 2
        Member 0
            Context: http-header-host
            Pattern: apps\.facebook\.com
            Direction: CTS
        Member 1
            Context: http-url-parsed
            Pattern: /onthefarm/.*
            Direction: CTS

 [edit]
root@srx3600n0# run show services application-identification group detail junos:gaming
Group Name: junos:gaming
Group ID: 3
Description: N/A
Disabled: No
Number of Applications: 0
Number of Sub-Groups: 2
Number of Parent-Groups: 1
Sub Groups:
    junos:gaming:web-based
    junos:gaming:protocols

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web rule 1 match dynamic-application-group junos:web

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web rule 1 then permit

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web default-rule deny

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound match source-address any destination-address any application junos-http

root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then permit application-services application-firewall rule-set Allow-Web

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then log session-close

[edit]
root@srx3600n0# show security policies from-zone trust to-zone untrust policy Allowed-Outbound
match {
    source-address any;
    destination-address any;
    application junos-http;
}
then {
    permit {
        application-services {
            application-firewall {
                rule-set Allow-Web;
            }
        }
    }
    log {
        session-close;
    }
}


[edit]
root@srx3600n0# show security application-firewall rule-sets Allow-Web
rule 1 {
    match {
        dynamic-application-group junos:web;
    }
    then {
        permit;
    }
}
default-rule {
    deny;
}

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web-No-Facebook rule 1 match dynamic-application-group junos:web:social-networking:facebook

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web-No-Facebook rule 1 then deny

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web-No-Facebook rule 2 match dynamic-application-group junos:web

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web-No-Facebook rule 2 then permit

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web-No-Facebook default-rule reject

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound match source-address any destination-address any application junos-http

root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then permit application-services application-firewall rule-set Allow-Web-No-Facebook

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then log session-close

[edit]
root@srx3600n0# show security policies from-zone trust to-zone untrust policy Allowed-Outbound
match {
    source-address any;
    destination-address any;
    application junos-http;
}
then {
    permit {
        application-services {
            application-firewall {
                rule-set Allow-Web-No-Facebook;
            }
        }
    }
    log {
        session-close;
    }
}

[edit]
root@srx3600n0# show security application-firewall rule-sets Allow-Web-No-Facebook
rule 1 {
    match {
        dynamic-application-group junos:web:social-networking:facebook;
    }
    then {
        deny;
    }
}
rule 2 {
    match {
        dynamic-application-group junos:web;
    }
    then {
        permit;
    }
}
default-rule {
    reject;
}

[edit]
root@srx3600n0# set security application-firewall profile Redirect block-message type custom-text content "YOUR APPLICATION IS BLOCKED DUE TO POLICY VIOLATION"

 [edit]
root@srx3600n0# set security application-firewall rule-sets Facebook-Games profile Redirect

 [edit]
root@srx3600n0# set security application-firewall rule-sets Facebook-Games rule 1 then reject block-message

[edit]
root@srx3600n0# set security application-firewall profile Redirect-Server block-message type custom-redirect-url content "http://blockpage.company.local/ ?JNI_SRCIP=<src-ip>&JNI_SRCPORT=<src-port>&JNI_DSTIP=<dst-ip>&JNI_DSTPORT=<dst-port>&JNI_USER=<username>&JNI_APPNAME=<appname>""

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web profile Redirect-Server

[edit]
root@srx3600n0# set security application-firewall rule-sets Allow-Web default-rule reject block-message

[edit]
root@srx3600n0# show security application-firewall
profile Redirect {
    block-message {
        type {
            custom-text {
                content "YOUR APPLICATION IS BLOCKED DUE TO POLICY VIOLATION";
            }
        }
    }
}
profile Redirect-Server {
    block-message {
        type {
            custom-redirect-url {
                content http://blockpage.company.local/ ?JNI_SRCIP=<src-ip>&JNI_SRCPORT=<src-port>&JNI_DSTIP=<dst-ip>&JNI_DSTPORT=<dst-port>&JNI_USER=<username>&JNI_APPNAME=<appname>";
            }
        }
    }
}
rule-sets Facebook-Games {
    rule 1 {
        match {
            dynamic-application junos:FACEBOOK-FARMVILLE;
        }
        then {
            reject {
                block-message;
            }
        }
    }
    rule 2 {
        match {
            dynamic-application-group junos:gaming;
        }
        then {
            deny;
        }
    }
    default-rule {
        permit;
    }
    profile Redirect;
}
rule-sets Allow-Web {
    rule 1 {
        match {
            dynamic-application-group junos:web;
        }
        then {
            permit;
        }
    }
    default-rule {
        reject {
            block-message;
        }
    }
    profile Redirect-Server;
}

DSCP is a standard 6-bit field in the IP header that is well understood by networking equipment like routers, switches, firewalls and other devices. This field can be leveraged to make class of service, routing, and filtering decisions by upstream and downstream devices in the data path. The advantage of setting this on the SRX is that the SRX is application aware, whereas most of the routers and switches are not or would have to incur a major performance tax. The SRX could therefore be used to identify that the traffic is, say, VoIP, and rewrite the DSCP so that other devices in the network will give it low latency prioritized forwarding. On the other hand, you could change the bits for unknown or P2P traffic so that at your edge router it could give it the lowest service. This is particularly useful if you have multiple firewalls that do not sit directly on the edge but rather an edge router like an MX.

Forwarding classes are a concept that is used to define how traffic is mapped to different hardware queues in the network processor (or in software on the branch SRX). These different queues are serviced by the engine in different ways, depending on the settings. Junos includes four default forwarding classes or queues: Best Effort, Expedited Forwarding, Assured Forwarding, and Network Control. Typically, you would put general traffic in Best Effort, higher priority traffic that needs better service in Expedited Forwarding, sensitive latency traffic into Assured Forwarding, and leave network protocol traffic for the Network Control queue. This allows you to better service traffic when bandwidth is in contention on the egress interface and decisions need to be made on which traffic to service first (queuing strategies).

Forwarding classes can be very complex and offer a lot of different tuning knobs that are outside the scope of this book. We recommend that you review the Class of Service Configuration guide if you’re interested in deeper detail with custom forwarding classes. For the purposes of this book, we focus on leveraging the predefined forwarding classes.

This is a simple on–off setting that can be defined on a per-rule basis. When it is enabled and a QoS action is triggered, like exceeding a rate limit, a separate AppQoS log message will be generated (on the data plane via syslog), which informs that a QoS action was taken on the traffic.

Loss priority is a concept that is used to define if the traffic should be dropped when there is congestion. The SRX supports four different loss priorities, Low, Medium Low, Medium High, and High. Different loss priorities define at what level of queue saturation (in percentage) the probability of dropping traffic will be. By default, all of the loss priorities have the default drop priority, but you can set your own as well (in fact you will need to; otherwise, it won’t have an effect until the interface is at 100 percent capacity which isn’t of much use). This is because Juniper has no idea how individual customers will want their system to behave when the queue begins to fill so this makes sense and is considered an advanced feature.

Rate limiters are really at the core of AppQoS and allow you to define a rate at which traffic will be permitted to flow out of the SRX. This allows you to specifically set caps on the traffic in both the client-to-server and the server-to-client directions. Setting a bidirectional limiter is very important because your circuit might have asymmetric data rates—very common in broadband environments. The rate limiter allows you to set the bandwidth limit as well as the burst size. The bandwidth limit is the base amount of bandwidth that you want to allow the traffic to be allowed to use, although the burst size is the amount of traffic that you will allow the traffic to use if there is room available.

We’ve examined what AppQoS looks like from a high level, but there’s nothing better than looking at an example to see how it is actually leveraged. In this example, we configure AppQoS on a firewall rule called allowed outbound in a university environment where no traffic filtering can be performed, but traffic can be classified and rate limited based on type. We assume the following criteria:

[edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 1 match application-group junos:p2p

 [edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 1 then forwarding-class best-effort log rate-limit client-to-server 100Mbps server-to-client 100Mbps

[edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 2 match application-group junos:multimedia

[edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 2 then forwarding-class expedited-forwarding rate-limit client-to-server 50Mbps server-to-client 200Mbps

 [edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 3 match application-unknown

[edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 3 then dscp-code-point 000000

[edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 3 then forwarding-class best-effort rate-limit client-to-server 25Mbps server-to-client 25Mbps

[edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 4 match application-known

[edit]
root@srx3600n0# set class-of-service application-traffic-control rule-sets AppQoS rule 4 then rate-limit client-to-server 50Mbps server-to-client 50Mbps

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound match source-address any destination-address any application any

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then permit application-services application-traffic-control rule-set AppQoS

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy Allowed-Outbound then log session-close

[edit]
root@srx3600n0# show class-of-service
application-traffic-control {
    rate-limiters HTTP {
        bandwidth-limit 5000;
    }
    rate-limiters P2P {
        bandwidth-limit 100000;
    }
    rate-limiters 100Mbps {
        bandwidth-limit 100000;
    }
    rate-limiters 200Mbps {
        bandwidth-limit 200000;
    }
    rate-limiters 50Mbps {
        bandwidth-limit 50000;
    }
    rate-limiters 25Mbps {
        bandwidth-limit 25000;
    }
    rule-sets AppQoS {
        rule 1 {
            match {
                application-group junos:p2p;
            }
            then {
                forwarding-class best-effort;
                rate-limit {
                    client-to-server 100Mbps;
                    server-to-client 100Mbps;
                }
                log;
            }
        }
        rule 2 {
            match {
                application-group junos:multimedia;
            }
            then {
                forwarding-class expedited-forwarding;
                rate-limit {
                    client-to-server 50Mbps;
                    server-to-client 200Mbps;
                }
            }
        }
        rule 3 {
            match {
                application-unknown;
            }
            then {
                dscp-code-point 000000;
                forwarding-class best-effort;
                rate-limit {
                    client-to-server 25Mbps;
                    server-to-client 25Mbps;
                }
            }
        }
        rule 4 {
            match {
                application-known;
            }
            then {
                rate-limit {
                    client-to-server 50Mbps;
                    server-to-client 50Mbps;
                }
            }
        }
    }
}

[edit]
root@srx3600n0# show security policies from-zone trust to-zone untrust policy Allowed-Outbound
match {
    source-address any;
    destination-address any;
    application any ;
}
then {
    permit {
        application-services {
            application-traffic-control {
                rule-set AppQoS;
            }
        }
    }
    log {
        session-close;
    }
}

So let’s talk a bit about this example. The first thing that we had to do is to configure the AppQoS infrastructure, which in this case was rate limiters. If you were doing all sorts of advanced options like configuring custom forwarding classes, queues, schedulers, loss priority, and so on, then you would also want to do this first. Each of these values are configured under the set class-of-service stanzas, which is common to standard Junos QoS rather than in the security configuration. This is because these components are shared with the standard QoS facilities in Junos, although the application-traffic-control ruleset is unique to AppQoS today. Next you create an AppQoS ruleset that is similar to AppFW from the perspective that it matches applications and groups and then applies a QoS action. Finally, this ruleset is applied to a firewall rule if the action is permit. In this example, we only set the bandwidth limit without configuring a burst size, because the system can automatically generate one for us and that’s fine for most cases. We had to define a rate limit for each bandwidth amount leveraged, in this case 25 Mbps, 50 Mbps, 100 Mbps, and 200 Mbps. The setting itself is in Kbps not Mbps (1 Mb is 1,000 Kb) and remember we’re talking about bits not bytes (1 byte = 8 bits)—although the burst size is actually defined in bytes, which is no doubt a gotcha. By letting the system define it, you don’t have to worry much about it.

For the rulesets, order is important. And like AppFW we try to leverage application groups wherever possible because they can encompass numerous applications of the same type and are automatically updated with new members when they are created. There are three constructs in AppQoS that are a bit unique to AppQoS versus AppFW, which are Application Any, Application Known, and Application Unknown. Basically, Application Any is any application known or unknown, Application Known is any application that is not Unknown (so we have a match for it in the AppID database), and Application Unknown is any application for which we do not have a match in the database. We leveraged these identities for the last two rules. Unknown apps in particular are often items that you would want to rate limit because they could be some sort of P2P or evasive application that could consume a lot of bandwidth (if you can’t outright block them due to organizational policy).

At the time of writing this book, the UserFW feature leverages both the SRX and the UAC solution that is available in a UAC, Juniper MAG Gateways, or VM appliance. In terms of functionality, this is how UserFW operates:

All of this might sound a little bit more complex than competitive solutions, and in truth it is; however, it is also more secure. Many competitive solutions merely place an agent on a domain controller in the hopes that the client will “log in” to the machine without cached credentials and the domain controller will know about it. In reality, we know that this doesn’t always happen. Second, these solutions can’t account for the fact that users log off (which Active Directory doesn’t do a great job of tracking) nor that they might simply drop from the network—particularly on Wi-Fi. All of this opens them up to another user coming along and leveraging the IP address of the said client and gaining their privileges. This isn’t possible with the SRX solution. The aforementioned competitive approach might be fine for environments that merely want a best effort security implementation, but for those that want deterministic security, the SRX and UAC solution is the way to go—and for even more powerful security, the full UAC NAC solution can offer end-to-end deterministic security.

Additionally, the SRX solution scales considerably better than the competitive solutions, with up to 50,000 concurrent users per platform on the high-end SRX at the time of writing this book (hopefully much higher in the future). It also functions well in domains with multiple domain controllers, trusts, and forests, something that other competitive solutions cannot boast, as they would need to install agents on every domain controller.

As we pointed out, the UserFW solution today does require the use of the UAC platform. The good news is that Juniper has packaged this in a way that it isn’t cost or administratively prohibitive to deploy. First, on the SRX itself, there are no additional licensing or cost requirements; you simply need to be running Junos 12.1+. On the UAC, the MAG2600 starts at $1,500, with licensing for 25 role-based firewall users at $300, making this affordable for all but the smallest of SMB deployments. This can scale up to massive deployments with tens of thousands of users on the high-end SRX with full HA capabilities on both the SRX and the UAC platforms.

The initial deployment of the UserFW feature is a little bit complex, but if you follow these steps, you should be able to get it up and running without issues. The good news is that once the UserFW setup is up and running, you should be able to operate it without much effort because the overhead is quite small. In terms of setting things up, the tasks break down into three areas:

In the following sections, we look at what must be done in each of these three areas to ensure that your infrastructure is set up to run UserFW properly. We use Figure 12-11 as a model for our configuration, with clients in the trust zone, a server zone that houses our Active Directory infrastructure, and the Infranet controller, and resources that our users want to access on the Internet.

Figure 12-11. UserFW topology

There are a few required and some optional configuration elements that we discuss in this section to help prepare the SRX to act as a UserFW enforcer.

Required steps include the following:

Optionally, depending on your deployment, you might want or need to do the following:

Let’s look at configuring this example with the required components just mentioned. Let’s assume the following information:

Let’s start by configuring the SRX to IC communication.

[edit]
root@srx3600n0# set services unified-access-control certificate-verification warning timeout-action open

[edit]
root@srx3600n0# set services unified-access-control captive-portal IC-Redirect redirect-traffic unauthenticated redirect-url "https://ic.company.local/"

[edit]
root@srx3600n0# set services unified-access-control infranet-controller ic.company.local address 172.16.1.50 interface ge-0/0/0 password onetimepassword

[edit]
root@srx3600n0# set system name-server 172.16.1.60

[edit]
root@srx3600n0# set system ntp server 172.16.1.60

[edit]
root@srx3600n0# show services unified-access-control
infranet-controller ic.company.local {
    address 172.16.1.50;
    interface ge-0/0/0.0;
    password "$9$T39peK8-dsWLs4aU.mz36/pBIRSeMXhS4ZjqQzhSrlK8"; ## SECRET-DATA
}
certificate-verification warning;
timeout-action open;
captive-portal IC-Redirect {
    redirect-traffic unauthenticated;
    redirect-url https://ic.company.local/;
}

[edit]
root@srx3600n0# show system ntp
server 172.16.1.60;

[edit]
root@srx3600n0# show system name-server
172.16.1.60;

There are a few things going on in the preceding example. First, we specify the high-level configuration parameters for the UAC communication. Because the IC and SRX communicate via an encrypted SSL channel, you need to upload trusted certificates and a CA to the SRX and IC. In this example, we’re going to skip this and just configure the SRX to warn us if the certificate between the SRX and IC are not trusted (which it won’t be). To make it trusted, you will need to install the public CA certificate on both the SRX and IC and generate a certificate for both separately and install them using the certificate for communication.

Next, we specified the captive portal configuration. This will be used in the firewall policy configuration to determine where the users should be redirected. This must be to the IC and is best in the FQDN format. If you are using a separate realm, you would also post it at the end of the URL as well. For this example, we assume the realm is just at the base URL for the IC. We specify that all unauthenticated traffic be sent to the IC, but this is really overridden at the firewall policy level.

Finally, we specified the IP address and password along with the optional source interface for the SRX to communicate with the IC from. The SRX will always contact the IC, so if there is any firewall filtering device between the SRX and the IC, you need to make sure that it allows communication between the two. The default port is TCP 11122 for the secure control channel communication. We did add DNS and NTP to resolve from the AD domain controller because we want to make sure time and name resolution are in sync with the domain.

Next let’s look at configuring the security policy infrastructure.

[edit]
root@srx3600n0# set security policies from-zone trust to-zone servers policy Clients-to-IC match source-address Clients-192.168.1.0/24 destination-address IC-172.16.1.50/32 application [junos-http junos-https]

[edit]
root@srx3600n0# set security policies from-zone trust to-zone servers policy Clients-to-IC then permit

[edit]
root@srx3600n0# set security policies from-zone trust to-zone servers policy Clients-to-IC then log session-close

[edit]
root@srx3600n0# set security policies from-zone trust to-zone servers policy Allow-AD match source-address Clients-192.168.1.0/24 destination-address AD-172.16.1.60/32 application any

[edit]
root@srx3600n0# set security policies from-zone trust to-zone servers policy Allow-AD then permit

root@srx3600n0# set security policies from-zone trust to-zone servers policy Allow-AD then log session-close

[edit]
root@srx3600n0# set security policies from-zone servers to-zone untrust policy Allow-DNS-NTP match source-address AD-172.16.1.60/32 destination-address any application [junos-dns-udp junos-ntp]

[edit]
root@srx3600n0# set security policies from-zone servers to-zone untrust policy Allow-DNS-NTP then permit

[edit]
root@srx3600n0# set security policies from-zone servers to-zone untrust policy Allow-DNS-NTP then log session-close

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Redirect-Unauthenticated match source-address Clients-192.168.1.0/24 source-identity unauthenticated-user destination-address any application any

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Redirect-Unauthenticated then permit application-services uac-policy captive-portal IC-Redirect

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Redirect-Unauthenticated then log session-close

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Facebook match source-address Clients-192.168.1.0/24 source-identity [CEO Marketing] destination-address www.facebook.com application [junos-https]

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Facebook then permit

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Facebook then log session-close

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Salesforce match source-address Clients-192.168.1.0/24 source-identity [CEO Sales] destination-address www.salesforce.com application [junos-https]

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Salesforce then permit

[edit]
root@srx3600n0# set security policies from-zone trust to-zone internet policy Salesforce then log session-close

[edit]
root@srx3600n0# set security address-book global address Clients-192.168.1.0/24 192.168.1.0/24

[edit]
root@srx3600n0# set security address-book global address IC-172.16.1.50/32 172.16.1.50/32

[edit]
root@srx3600n0# set security address-book global address AD-172.16.1.60/32 172.16.1.60/32

[edit]
root@srx3600n0# set security address-book global address www.facebook.com dns-name www.facebook.com

[edit]
root@srx3600n0# set security address-book global address www.salesforce.com dns-name www.salesforce.com

[edit]
root@srx3600n0# run request security user-identification local-authentication-table add user-name Kevin roles Sales ip-address 192.168.1.100

[edit]
root@srx3600n0# run show security user-identification local-authentication-table all
Total entries: 5
Source IP       Username     Roles
192.168.1.100   kevin        sales

[edit]
root@srx3600n0# show security address-book
global {
    address Clients-192.168.1.0/24 192.168.1.0/24;
    address IC-172.16.1.50/32 172.16.1.50/32;
    address AD-172.16.1.60/32 172.16.1.60/32;
    address www.facebook.com {
        dns-name www.facebook.com;
    }
    address www.salesforce.com {
        dns-name www.salesforce.com;
    }
}

[edit]
root@srx3600n0# show security policies | no-more
from-zone trust to-zone servers {
    policy Clients-to-IC {
        match {
            source-address any;
            destination-address IC-172.16.1.50/32;
            application [ junos-http junos-https ];
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy Allow-AD {
        match {
            source-address any;
            destination-address AD-172.16.1.60/32;
            application any;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
}
from-zone servers to-zone untrust {
    policy Allow-DNS-NTP {
        match {
            source-address AD-172.16.1.60/32;
            destination-address any;
            application [ junos-dns-udp junos-ntp ];
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
}
from-zone trust to-zone internet {
    policy Redirect-Unauthenticated {
        match {
            source-address Clients-192.168.1.0/24;
            destination-address any;
            application any;
            source-identity [ unauthenticated-user ];
        }
        then {
            permit {
                application-services {
                    uac-policy {
                        captive-portal IC-Redirect;
                    }
                }
            }
            log {
                session-close;
            }
        }
    }
    policy Facebook {
        match {
            source-address Clients-192.168.1.0/24;
            destination-address www.facebook.com;
            application junos-https;
            source-identity [ CEO Marketing ];
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    policy Salesforce {
        match {
            source-address Clients-192.168.1.0/24;
            destination-address www.salesforce.com;
            application junos-https;
            source-identity [ CEO Sales ];
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }

}

There are a few more things going on here. Let’s review them. Here we are building out our UserFW policy infrastructure. As we mentioned at first, because the clients and the IC/AD infrastructure are in a different zone, you need to configure rules to allow them to communicate, hence the rules in the “trust to servers” policy context. If they were all in the same zone, like trust, this would not be necessary. However, we would still likely need to create some rules to allow the AD infrastructure to communicate with other areas of the network (like other AD servers) or to the Internet for things like NTP/DNS resolution, as we assume our domain controller is also our DNS server. That is what we have done in the servers to internet policy ruleset. Finally, and the most interesting part, we have set up our security policy infrastructure for our client access out to the Internet. This is where all of the magic really happens, because we can now leverage the “Source-Identity” field! Notice in this example, we do not reference the users by name, but instead by role. This is how the SRX is designed at the time of writing this book, but this will likely change in the future to be able to reference users and AD groups directly. We see how these are mapped in the IC to the domain groups later, and we can also see in this example, how Kevin is mapped locally to the Sales role by local mapping.

Finally, we configure the actual security policy infrastructure for the trust to Internet rules. At the top of this ruleset is the rule that matches any clients with Source-Identity unknown or unauthenticated, with an action of permit and to redirect to the IC. There are three special roles in the SRX: unknown, unauthenticated, and any. Unknown is a role that matches users when the IC communication is down so that you can still leverage fallback policies. Unauthenticated is any IP address that doesn’t have an actively associated identity to it, and any is any user, known, unauthenticated, or unknown. In this example, we choose to use unauthenticated so that these users will be matched and redirected to the IC to have their identity validated. All of their HTTP and HTTPS sessions will be redirected to the IC until they authenticate. All other traffic will be dropped. Once users are authenticated, they will no longer match the unauthenticated user role, but instead will have a role like CEO, Marketing, or Sales and thus will match rules. As you can see, just like with standard firewall policies, rule ordering is very important. If you put the redirect in the wrong place, they might match a different rule (including one without user identity) first and might never be authenticated. Again, once you have the UserFW infrastructure in place, this is a very simple task from an administration perspective, but it does take a bit of extra work up front to get going.

Now that we have configured the SRX, we’ll look at the IC. Technically you can configure the IC first if you want. IC tasks would include the following:

For this example, we assume that you already have the IC up and running on the network, licensed with the User Role or Full User Access licenses, and that it has a certificate that your client devices in your domain trust so that they don’t get warning messages when they get redirected. If you are new to the UAC solution and working with the IC, we suggest you review the Juniper Jump Start guides on the UAC solution for getting the box up and running, along with the appropriate information. Juniper also offers full courses on the UAC solution that are very worthwhile, particularly if you are thinking about extending this configuration to full end-to-end NAC in the future.

For this example, we are going to be working with the IC, not the SRX, so we handle the configuration format a little bit differently because the IC doesn’t have a command line so to speak.

Now that we have the SRX and UAC fully up and running, the last set of tasks is to perform a few tasks in Active Directory. Again, you can do these before the SRX/IC steps if you would like. The exact steps to configure these will largely be outside the scope of this book because they have to do with Microsoft Active Directory tasks, but documentation is largely available online for completing these tasks in your environment. We focus on the how where necessary.

In this example, we focus on the third step as creating DNS entries and SSL certificates are well-known tasks in AD, but creating the Kerberos tickets is probably not. The good news is that you only need to do this once. This ticket should be created on the command line of one of your domain controllers with a domain administrator account. The KTpass command has the following syntax that we are concerned with:

Ktpass -out <kerberos-ticket-output-file> -mapuser <IC Service Account in AD> -prin HTTP/<IC-FQDN>@<kerberos-realm> /pass <Service Account password>

Let’s assume the following information and configure this command for real.

Then the output would look like this:

C:\Documents and Settings\Administrator>ktpass -out kbt-ticket -mapuser ICDomainAdmin@company.local -princ HTTP/ic.company.local@COMPANY /pass onetimepassword
Targeting domain controller: dc.company.local
Successfully mapped HTTP/ic.company.local to ICDomainAdmin.
Output keytab to out:
Keytab version: 0x502
keysize 71 HTTP/ic.company.local@COMPANY ptype 0 (KRB5_NT_UNKNOWN) vno 1
ketype 0x17 (RC4-HMAC) keylength 16 (0xd2b330d2301b3bb5c18f5c0394089938)

We then take the keyfile and upload it into the IC in our Active Directory server by following these steps:

SSL FP essentially supports two different ways to install the CA certificate that will be used to rewrite the traffic in the SSL Proxy example. You can either generate a self-signed certificate on the box or you can import a CA certificate (with private key) that was generated by some external source like OpenSSL or Microsoft Certificate Services.

Generating a self-signed certificate is usually fine for lab and Proof of Concept (PoC) testing because it is very quick to set up, but generally in real-world deployments you would opt for a certificate that was part of the greater certificate infrastructure that your clients would implicitly trust—otherwise you will need to manually import the CA certificates into all of your clients.

In this example, we show both ways of installing the CA certificate along with configuring an SSL profile in a firewall rule. We use an AppFW ruleset that is already configured from previous examples, along with IPS for this rule.

Creating a self-signed CA certificate.

root@srx3600n0> request security pki generate-key-pair certificate-id SELF-SIGNED size 2048 type ?
Possible completions:
  dsa                  DSA encryption with SHA-1 hash
  rsa                  RSA encryption
root@srx3600n0> request security pki generate-key-pair certificate-id SELF-SIGNED size 2048 type rsa
Generated key pair SELF-SIGNED, key size 2048 bits

root@srx3600n0> req  uest security pki local-certificate generate-self-signed add-ca-constraint certificate-id SELF-SIGNED domain-name company.local email admin@company.local ip-address 192.168.1.1 subject "DC=company, DC=local"
Self-signed certificate generated and loaded successfully

root@srx3600n0> show security pki local-certificate
Certificate identifier: SELF-SIGNED
  Issued to: (null), Issued by: DC = company, DC = local
  Validity:
    Not before: 02- 5-2013 01:41
    Not after: 02- 4-2018 01:41
  Public key algorithm: rsaEncryption(2048 bits)

So we can see that first we generate a key pair, then we locally sign that on our box. We can also check its output as well. When signing the certificate, you would provide your own information that would be present in the certificate so others can identify it.

Importing an external certificate assumes that you loaded the certificate onto the device via SCP or another mechanism.

root@srx3600n0> request security pki local-certificate load certificate-id External filename ca.cer key ca.key passphrase onetimepassword
Local certificate External loaded successfully

Now that you have chosen one of those two routes, the rest of the configuration will be the same as follows.

[edit]
root@srx3600n0# set services ssl proxy profile SSL-FP root-ca SELF-SIGNED whitelist www.salesforce.com preferred-ciphers strong

 [edit]
root@srx3600n0# set services ssl proxy profile SSL-FP actions disable-session-resumption renegotiation allow-secure

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy SSLFP match source-address Clients-192.168.1.0/24 destination-address any application any

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy SSLFP then permit application-services idp application-firewall rule-set Allow-Web-No-Facebook

[edit]
root@srx3600n0# set security policies from-zone trust to-zone untrust policy SSLFP then permit application-services ssl-proxy profile-name SSL-FP

[edit]
root@srx3600n0# show services ssl
proxy {
    profile SSL-FP {
        preferred-ciphers strong;
        root-ca SELF-SIGNED;
        whitelist www.salesforce.com;
        actions {
            renegotiation allow-secure;
            disable-session-resumption;
        }
    }
}

[edit]
root@srx3600n0# show security policies from-zone trust to-zone untrust policy SSLFP
match {
    source-address Clients-192.168.1.0/24;
    destination-address any;
    application any;
}
then {
    permit {
        application-services {
            idp;
            ssl-proxy {
                profile-name SSL-FP;
            }
            application-firewall {
                rule-set Allow-Web-No-Facebook;
            }
        }
    }
}

There’s a lot going on here, but actually it’s not as complex as it seems. First, remember that once you have the SSL profile set up, it’s as simple as referencing it in a policy as we did for the policy SSL FP.

Starting with the SSL profile itself, we’ve already generated and uploaded our CA certificate (in this example, we just used the self-signed one, but there’s no difference from the configuration perspective if it is self-signed or uploaded). We then create an SSL Proxy profile, which you will notice is under the set services stanza rather than set security because this is a service that might be able to be leveraged by other components in the future. In the SSL Proxy profile itself there is really only one required field that we need to configure: the root-ca field, which specifies the CA certificate that we just generated and uploaded to the SRX. The rest of the fields are optional but are worth mentioning.

Once we’ve defined the SSL profile, then we merely need to reference it in the desired firewall rules. In this case, we did so in the SSL FP firewall rule. The one thing that you’ll notice is that we left the application as any. We could have restricted it down to TCP port 443 with junos-https, but the SRX can automatically detect an SSL session using AppID and will be able to inspect it regardless of the port on which it is operating.

Using the SSL Proxy by itself wouldn’t do us too much good; we would still want to have additional services like AppFW or IPS enabled to provide inspection now that we’ve cracked open the SSL sessions.

Finally, as we mentioned earlier, you can define multiple profiles, so this provides you with the ability to do different SSL profiles on a firewall rule-by-rule basis if you want to provide different options for the SSL processing.

There is a special use case that we want to consider when it comes to AppFW and SSL encrypted sessions. Prior to the Junos 12.1 release when SSL FP was introduced, the SRX had another way to detect SSL-enabled applications without leveraging SSL Proxy, similar to how many URL filters do it: we would look at the certificate exchange to check the certificate name compared to the FQDN for the site. Because most sites (e.g., Facebook) would use the FQDN in the SSL certificate, this is a fairly decent way to detect SSL apps without having to crack them open. We would create a separate AppID object for this such as FACEBOOK-ACCESS-SSL versus standard HTTP access of FACEBOOK-ACCESS. The challenge here is how to properly rectify this when you now have an option to detect Facebook as HTTP, SSL Enabled, or within SSL Forward Proxy. In this case, FACEBOOK-ACCESS-SSL would still be the same because it detects it without cracking open the session, but how would you be able to block FACEBOOK-ACCESS if it looked the same unencrypted versus SSL encrypted? Many customers might want to block an application regardless of how it is delivered, whereas others might want to block a specific method while allowing others (like blocking unencrypted forms but allowing encrypted ones). For this we have developed a special option within the AppFW ruleset that defines if you want to enforce if it’s SSL encrypted, not, or either.

[edit security application-firewall rule-sets Block-Facebook]
root@srx3600n0# show
rule 1 {
    match {
        dynamic-application junos:FACEBOOK-ACCESS;
    }
    then {
        deny;
    }
}
default-rule {
    permit;
}

[edit security application-firewall rule-sets Block-Facebook]
root@srx3600n0# set rule 1 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> match                Specify security rule  match-criteria
> then                 Specify rule action to take when packet match criteria
  |                    Pipe through a command
[edit security application-firewall rule-sets Block-Facebook]
root@srx3600n0# set rule 1 then ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  deny                 Deny packets
  permit               Permit packets
  reject               Reject packets
  |                    Pipe through a command
[edit security application-firewall rule-sets Block-Facebook]
root@srx3600n0# set rule 1 match ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ dynamic-application  Dynamic application
+ dynamic-application-group  Dynamic application group
  ssl-encryption       Select SSL encryption rules
  |                    Pipe through a command
[edit security application-firewall rule-sets Block-Facebook]
root@srx3600n0# set rule 1 match ssl-encryption ?
Possible completions:
  any                  Encrypted and non-encrypted rule
  no                   Non-encrypted rule
  yes                  Encrypted rule
[edit security application-firewall rule-sets Block-Facebook]
root@srx3600n0# set rule 1 match ssl-encryption any

[edit security application-firewall rule-sets Block-Facebook]
root@srx3600n0# show
rule 1 {
    match {
        dynamic-application junos:FACEBOOK-ACCESS;
        ssl-encryption any;
    }
    then {
        deny;
    }
}
default-rule {
    permit;
}

Per this example, we will block FACEBOOK-ACCESS if we see it encrypted or not encrypted. If we chose No, then we’d block it only if it was unencrypted and not if it was encrypted with SSL FP. If the answer was Yes, then we’d only block it if it was encrypted.

You have two options when checking the AppID package. If you are using AppID by itself, then use the show services application-identification version command. If you are running IPS as well, you can check the show security idp security-package-version.

root@srx3600n0> show services application-identification version
  Application package version: 2227


root@srx3600n0> show security idp security-package-version
  Attack database version:2227(Wed Jan 23 19:12:53 2013 UTC)
  Detector version :12.6.140121210
  Policy template version :N/A

These packages should typically be the same unless you updated the AppID independently of the IDP package. If you are running into issues with installing the AppID package itself, it can be a good idea to run the request services application-identification uninstall command, followed by the request services application-identification download and finally the request services application-identification install command. After Junos 11.4, it is very rare to have AppID itself fail to install now that the applications have been moved to their own database instance rather than being part of the Junos configuration.

This operation is one and the same. You use the show services application-identification application-system-cache command. At the top, you see the engine setting followed by the application cache entries. You can clear the cache with the clear services application-identification application-system-cache command.

root@srx3600n0> show services application-identification application-system-cache
Application System Cache Configurations:
  application-cache: on
  nested-application-cache: off
  cache-unknown-result: on
  cache-entry-timeout: 600 seconds
pic: 2/0
Logical system name: root-logical-system
IP address: 10.102.2.36                      Port: 48929  Protocol: TCP
Application: EDONKEY-TCP                     Encrypted: No

Logical system name: root-logical-system
IP address: 10.102.2.122                     Port: 43604  Protocol: TCP
Application: UNSPECIFIED-ENCRYPTED           Encrypted: Yes

Logical system name: root-logical-system
IP address: 10.102.2.72                      Port: 50365  Protocol: TCP
Application: SKYPE                           Encrypted: No

Logical system name: root-logical-system
IP address: 10.102.2.244                     Port: 5060   Protocol: UDP
Application: SIP                             Encrypted: No

Sometimes it can be helpful to take a look at the counters when having operational or performance issues with AppID. There can be some self-explanatory information in the output.

root@srx3600n0> show services application-identification counter
pic: 2/0
  Counter type                                           Value
 AI cache hits                                                63920
 AI cache hits by nested application                          0
 AI cache misses                                              49272
 AI matches                                                   13589
 AI uni-matches                                               0
 AI no-matches                                                11630
 AI partial matches                                           11111
 AI no-partial matches                                        16154
 AI address based matches                                     0
 AI ICMP based matches                                        0
 AI IP protocol based matches                                 0
 Sessions that triggered Appid create session API             113192
 Sessions that do not incur signature match or decoding       43880
 Sessions that incur signature match or decoding              68715
 Client-to-server packets processed                           154218
 Server-to-client packets processed                           92944
 Client-to-server layer-7 bytes processed                     45026050
 Server-to-client layer-7 bytes processed                     35646345
 Terminal first data packets on both direction                22623
 Unspecified encrypted sessions                               798
 Encrypted P2P sessions                                       0

One thing to call out here is the AI cache hits and misses. Because we disabled the Nested AppID cache, there are no hits there, but we do have base application hits. Misses means that we did not have a cache hit and had to do inspection. If you have a lot of misses (and the cache is enabled), it means that your traffic is highly variable. The AI matches means that we were able to match the application. Partial means that we matched individual patterns or a single direction but not both. The rest of the information provides data about bytes and sessions processed.

The SRX allows you to capture statistics locally on the SRX about application matches. At the time of writing this book, this is only enabled when you have AppTrack on for the respective zones, but check the release notes for potential changes in the future. These stats provide a very quick way to see the type of applications that you are matching in your environment. You can do this both from an application level and an application group level.

root@srx3600n0> show services application-identification statistics applications
Last Reset: 2013-02-10 16:58:35 UTC
                Application     Sessions          Bytes    Encrypted
                 ACTIVESYNC            7         178571           No
                        AIM        35772      226465959           No
                 APPLEJUICE         6791        1328038           No
                       ARES         6919       18396477           No
                        BGP         5161        6046977           No
                 BITTORRENT       131942        8095152           No
             BITTORRENT-DHT         2708         430654           No
                 BITTRACKER        28028       43695052           No
                    CHARGEN         5250      226980076           No
                    DISCARD         5234        4100251           No
                        DNS       287945       47335266           No
                       DRDA         5262       29171426           No
                       EBAY         2623       44445540           No
                       ECHO         5414        7790964           No
                EDONKEY-TCP         7872        4075097           No
                ENCODED-DNS          314          46890           No
                     FINGER         5481        2927491           No
                        FTP        10651       35538633           No
                      GMAIL         7478       98487632           No
                   GNUTELLA         2742       13844306           No
               GNUTELLA-URN         2741       65261900           No
                     GOOGLE         8810       44408708           No
               GOOGLE-EARTH         2802       14751472           No
             GOOGLE-WEBCHAT           20          25415           No
                 GOOGLETALK           40         243520           No
                     GOPHER         5380        2896172           No
                    H225RAS         9236        3930742           No
                    H225SGN         2742        3683995           No
                       HTTP         3889        6389789          Yes
                       HTTP       100371     1035498048           No
         HTTP-AUDIO-CONTENT         5829      153265606           No
                 HTTP-VIDEO         9915      249373068           No
                        ICA            4            440           No
                    ICA-TCP         1045      832631416           No
                      IDENT         5369        2703354           No
                     IEC104         2617        1413180           No
                       IMAP        12873       90780242           No
                        IRC        10141      948940888           No
                     JABBER         4347      380166729           No
                       KRB5        77536       21185825           No
                       LDAP         5536        8486227           No
                        LPR         8183       10536126           No
                       MAPI         2613        4446501           No
    MICROSOFT-LIVE-SERVICES         7762       28117770           No
           MICROSOFT-UPDATE         2659       18645790           No
                  MINECRAFT         3176       60556222           No
              MMS-OVER-HTTP         3521       11057295           No
                     MODBUS         2698        1524370           No
                        MSN        20587      292382563           No
                      MSRPC         7894        9245891           No
                      MYSQL         5955      120751897           No
             NETFLIX-PLAYER         5426      100469152           No
                        NFS         2594        9677987           No
                       NNTP         2676        5555376           No
                        NTP        15716        2336032           No
                 PCANYWHERE         2636         110712           No
                       POP3        13457     8141896095           No
                POPO163-P2P        10920      154547955           No
                 PORTMAPPER         8178        1803490           No

root@srx3600n0> show services application-identification statistics application-groups
Last Reset: 2013-02-10 16:58:35 UTC
                Application Group        Sessions         Kilo Bytes
                     junos:gaming            3178              56640
           junos:gaming:protocols            3178              56640
             junos:infrastructure          610438            2449716
junos:infrastructure:authentication          4017               1315
    junos:infrastructure:database           16384             190020
   junos:infrastructure:directory           16976               5536
  junos:infrastructure:encryption          119560              51553
junos:infrastructure:file-servers           35331            1838589
junos:infrastructure:file-sharing            5380                  0
      junos:infrastructure:legacy           15898             228438
      junos:infrastructure:mobile             513                513
  junos:infrastructure:monitoring            5319               2609
  junos:infrastructure:networking          317319               9243
         junos:infrastructure:rpc           18672               6002
       junos:infrastructure:scada            5315                  0
        junos:infrastructure:voip           49754             115898
                  junos:messaging          127355           10085786
junos:messaging:instant-messaging           89602            2027110
             junos:messaging:mail           37753            8058676
                 junos:multimedia            2614                  0
       junos:multimedia:transport            2614                  0
                        junos:p2p          158974              24725
           junos:p2p:file-sharing          158974              24725
              junos:remote-access           31741             957306
      junos:remote-access:command           12042              73500
junos:remote-access:interactive-desktop     17092             881199
    junos:remote-access:tunneling            2607               2607
                        junos:web          195405            2203529
           junos:web:applications           10564              35551
           junos:web:file-sharing           28028              27799
         junos:web:infrastructure            2666              16974
  junos:web:infrastructure:mobile               7                171
junos:web:infrastructure:software-update     2659              16803
              junos:web:messaging           11019             100226
junos:web:messaging:instant-messaging          20                 20
         junos:web:messaging:mail            7478              91825
             junos:web:multimedia           24694             917247
junos:web:multimedia:audio-streaming         5829             146691
   junos:web:multimedia:web-based           18865             770556
                    junos:web:p2p            2741              62158
       junos:web:p2p:file-sharing            2741              62158
                 junos:web:portal            8810              37992
               junos:web:shopping            2623              41874
                       unassigned            2651                  0
                          unknown          250807           12064862

We also covered how to show which AppID signatures and groups are active in the SRX earlier in this chapter. That output can also be helpful for troubleshooting operations if you have altered the default behavior, which is all signatures enabled.

AppTrack is relatively simple from an operational perspective. You only need to enable it per zone. There is only one troubleshooting command at the time of writing this book, which is to view the update messages. The presence of any failed messages would mean there is some sort of an issue that you should raise with JTAC. The other part of troubleshooting involves checking the AppTrack configuration and the zone configuration to ensure it is enabled.

root@srx3600n0> show configuration security application-tracking
first-update;
session-update-interval 5;

root@srx3600n0> show security application-tracking counters
Application tracking counters:

    AppTrack counter type                             Value
 Session create messages                                3683662
 Session close messages                                 3587760
 Session volume updates                                 0
 Failed messages                                        0

root@srx3600n0> show configuration security zones
security-zone trust {
    interfaces {
        xe-1/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
    application-tracking;
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ssh;
            http;
        }
    }
    interfaces {
        xe-1/0/1.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
    application-tracking;
}