vSRX Deployment Guide for AWS Quick Start

Modified: 2019-03-28

Copyright © 2019, Juniper Networks, Inc.

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

vSRX Deployment Guide for AWS Quick Start
Copyright © 2019 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

Creating a Service Request with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

Chapter 1 vSRX Test Environment on AWS Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

AWS Quick Start Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

vSRX Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

vSRX Architecture on AWS Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 2 Deploying the vSRX Virtual Appliance on AWS Quick Start . . . . . . . . . . . . . . 17

Deploying the vSRX Virtual Appliance on AWS Quick Start . . . . . . . . . . . . . . . . . . 17

Before You Deploy the vSRX Virtual Appliance on AWS Quick Start . . . . . . . . 17

User Credentials for VMs in the AWS Quick Start Environment . . . . . . . . 17

Deployment Instructions for the VMs in the Quick Start Environment . . . . . . . . 18

Deploy the vSRX Virtual Appliance on AWS Quick Start . . . . . . . . . . . . . . . . . 18

Chapter 3 Setting Up Attacks Using the AWS Quick Start . . . . . . . . . . . . . . . . . . . . . . . . 19

Setting Up Attacks Using the AWS Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

SQL Injection Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Run an SQL Injection Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Nmap Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Run an Nmap Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26


List of Figures

Chapter 1 vSRX Test Environment on AWS Quick Start . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Figure 1: AWS Quick Start Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Chapter 3 Setting Up Attacks Using the AWS Quick Start . . . . . . . . . . . . . . . . . . . . . . . . 19

Figure 2: Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Figure 3: All Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Figure 4: Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 5: Event Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 6: Detailed Event Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26


List of Tables

About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x

Chapter 2 Deploying the vSRX Virtual Appliance on AWS Quick Start . . . . . . . . . . . . . . 17

Table 3: User Credentials for VMs in the Quick Start Environment . . . . . . . . . . . . 17


About the Documentation

• Documentation and Release Notes on page ix

• Documentation Conventions on page ix

• Documentation Feedback on page xi

• Requesting Technical Support on page xii

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.

If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.

Documentation Conventions

Table 1 on page x defines notice icons used in this guide.


Table 1: Notice Icons

Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.

Table 2 on page x defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (for both of the conventions above):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:

• Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:

  • Click the thumbs-up icon if the information on the page was helpful to you.

  • Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.

• E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: https://www.juniper.net/customers/support/

• Search for known bugs: https://prsearch.juniper.net/

• Find product documentation: https://www.juniper.net/documentation/

• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/

• Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/

• Create a service request online: https://myjuniper.juniper.net

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/

Creating a Service Request with JTAC

You can create a service request with JTAC on the Web or by telephone.

• Visit https://myjuniper.juniper.net.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.


CHAPTER 1

vSRX Test Environment on AWS Quick Start

• Overview on page 15

Overview

The following topics provide more information about AWS Quick Start and vSRX.

• AWS Quick Start Overview on page 15

• vSRX Overview on page 15

• vSRX Architecture on AWS Quick Start on page 16

AWS Quick Start Overview

Amazon Web Services (AWS) Quick Starts enable you to deploy popular solutions on AWS, based on AWS best practices for security and high availability. These reference deployments implement key technologies automatically on the AWS Cloud, often with a single click and in less than an hour. You can build your test or production environment in a few steps, and start using it immediately. For more information about AWS Quick Starts, see frequently asked questions about AWS Quick Starts.

Benefits

When a product is provisioned on AWS Quick Start, you can test the product in a simulated environment.

vSRX Overview

Juniper Networks vSRX Virtual Firewall is a virtual security appliance that provides security and networking services at the perimeter or edge in virtualized private or public cloud environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is built on the Junos operating system (Junos OS) and delivers networking and security features similar to those available on the software releases for the SRX Series Services Gateways. For more information about vSRX, see vSRX Overview.

You can set up a vSRX virtual security appliance on AWS Quick Start. You can test the key features of the vSRX appliance in the Quick Start test environment.


vSRX Architecture on AWS Quick Start

Figure 1 on page 16 illustrates the vSRX architecture that is automatically deployed on AWS Quick Start.

Figure 1: AWS Quick Start Environment

[Figure 1 is a topology diagram; only its labels are reproduced here. Left VPC 10.0.0.0/16: the kali VM, private-subnet 10.0.0.0/24 and mgmt-subnet 10.0.3.0/24. Right VPC 192.168.0.0/16: the wordpress VM and vsrx-gw with interfaces if-vsrx-gw-ge-0-0-0 192.168.10.20, if-vsrx-gw-ge-0-0-1 192.168.20.20 and if-vsrx-gw-fxp0; subnets Untrust 192.168.10.0/24, Trust 192.168.20.0/24 and mgmt-subnet 192.168.0.0/24. Public addresses are labelled Static PIP and Dynamic PIP. The two VPCs are joined by a site-to-site IPsec IKE2 VPN tunnel, and the AWS Quick Start user reaches the environment over the Internet.]

The AWS Quick Start environment has the following two virtual private clouds (VPCs):

• The left VPC includes a Kali Linux virtual machine (VM) called kali, which has two interfaces: one on the private subnet and the other on the management subnet that has a public IP address.

• The right VPC includes the following two VMs:

  • An Ubuntu VM with WordPress, wordpress.

  • A Juniper Networks vSRX virtual security appliance, vsrx-gw, with three interfaces: one each on the untrusted subnet, trusted subnet, and management subnet. The one on the untrusted subnet has a public IP address.


CHAPTER 2

Deploying the vSRX Virtual Appliance on AWS Quick Start

• Deploying the vSRX Virtual Appliance on AWS Quick Start on page 17

Deploying the vSRX Virtual Appliance on AWS Quick Start

• Before You Deploy the vSRX Virtual Appliance on AWS Quick Start on page 17

• Deploy the vSRX Virtual Appliance on AWS Quick Start on page 18

Before You Deploy the vSRX Virtual Appliance on AWS Quick Start

You can deploy a vSRX virtual appliance directly on AWS Quick Start. Use a browser-based UI to deploy and configure virtual machines (VMs) and all related resources.

Before you deploy the vSRX virtual appliance on AWS Quick Start:

• See “vSRX Architecture on AWS Quick Start” on page 16.

• See “Deployment Instructions for the VMs in the Quick Start Environment” on page 18.

• See Table 3 on page 17.

User Credentials for VMs in the AWS Quick Start Environment

Table 3 on page 17 lists the user credentials used for accessing the VMs in the AWS Quick Start environment.

Table 3: User Credentials for VMs in the Quick Start Environment

Virtual Machine Name | Username | Password | Role
kali | ec2-user | demoJuniper.pem (private key) | Attacker. This VM launches the attack.
wordpress | ec2-user | demoJuniper.pem (private key) | Victim. This VM receives the attack.
vsrx-gw | ec2-user | demoJuniper.pem (private key) | vSRX Appliance


NOTE: The public IP addresses required to remotely access each VM are dynamic and are provided after the Quick Start is deployed on the AWS Quick Starts website.

A file named demoJuniper.pem is available as an output and is provided after the Quick Start is deployed on the AWS Quick Starts website. This file is a private key required to remotely access each VM.

Deployment Instructions for the VMs in the Quick Start Environment

To access the kali, wordpress, and vsrx-gw VMs in the Quick Start environment:

1. Open a Linux terminal console.

2. Use the following command to access each VM. The option that selects the identity file is lowercase -i; substitute the public IP address of the VM for the last argument:

ssh -l ec2-user -i demoJuniper.pem public-ip-of-the-virtual-machine

Deploy the vSRX Virtual Appliance on AWS Quick Start

To deploy the vSRX Virtual Appliance on AWS Quick Start:

1. Access the AWS Quick Starts website.

2. Select vSRX Quickstart from Juniper.

3. Follow the instructions to deploy the vSRX Virtual Appliance.

You have now successfully deployed the vSRX Virtual Appliance on AWS Quick Start.

After you complete deploying the vSRX Virtual Appliance, you receive a security private key, along with three public IP addresses, one for each of the following VMs:

• kali

• wordpress

• vsrx-gw


CHAPTER 3

Setting Up Attacks Using the AWS Quick Start

• Setting Up Attacks Using the AWS Quick Start on page 19

Setting Up Attacks Using the AWS Quick Start

As the final step in the deployment of the AWS Quick Start, you run different types of attacks on the virtual machines (VMs). You accomplish this goal by performing the following tasks:

• Set up attacks from one VM to another.

• Verify the attacks on the vSRX virtual security appliance, vsrx-gw, located in front of the wordpress VM.

The deployment described in this guide uses an SQL injection attack and an Nmap (Network Mapper) attack.

• SQL Injection Attack on page 19

• Nmap Attack on page 26

SQL Injection Attack

An SQL injection attack is a code injection technique that inserts SQL statements into an entry field so that the application's database executes them. For more information about SQL injection, see SQL injection.
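As an added illustration that is not part of the Juniper guide or of WordPress, the following Python snippet shows the application-side defect behind a request such as index.php?id=1: a query assembled by string formatting, beside the hardened form that validates the parameter's type and binds it as data. The in-memory SQLite table, its rows and the function names are constructed for this example.

```python
"""Vulnerable versus hardened handling of a request like /index.php?id=1.

Added example, not code from the Juniper guide or from WordPress. The
in-memory SQLite table and its rows are constructed for this example.
"""
import sqlite3


def make_demo_db():
    """Constructed stand-in for the wordpress VM's posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [(1, "Hello world", 1), (2, "Draft: launch plan", 0), (3, "Q1 numbers", 0)],
    )
    return conn


def lookup_post_vulnerable(conn, id_param):
    """Builds the statement by string formatting, so the ?id= value becomes SQL.

    This is the application defect that the HTTP:SQL:INJ:GENERIC signature tries
    to catch in transit; the durable fix belongs in the application as well.
    """
    sql = f"SELECT id, title FROM posts WHERE published = 1 AND id = {id_param}"
    return conn.execute(sql).fetchall()


def lookup_post_safe(conn, id_param):
    """Validate the type first, then bind the value so it can only ever be data."""
    try:
        post_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError(f"rejected non-numeric id parameter: {id_param!r}") from None
    return conn.execute(
        "SELECT id, title FROM posts WHERE published = 1 AND id = ?", (post_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    for value in ("1", "1 OR 1=1"):
        print("vulnerable", repr(value), lookup_post_vulnerable(db, value))
        try:
            print("safe      ", repr(value), lookup_post_safe(db, value))
        except ValueError as err:
            print("safe      ", repr(value), err)
```

With the textbook payload the formatted query becomes `WHERE published = 1 AND id = 1 OR 1=1`, which returns every row including the unpublished drafts; the hardened lookup rejects the same input before any SQL is built, and for a valid id the bound parameter can never change the statement's structure.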


Run an SQL Injection Attack

To run an SQL injection attack:

1. Log in to the kali and vsrx-gw VMs.

2. Reset the root password on the vsrx-gw VM on first login.

a. Enter configuration mode.

ec2-user@vsrx-gw> configure

b. Reset the root password.

ec2-user@vsrx-gw# set system root-authentication plain-text-password

New password:
Retype new password:

3. Run the attack procedure from the kali VM. At this time, no firewall policies are configured on the vsrx-gw VM.

a. Use the following command to initiate the SQL injection attack:

[ec2-user@ip-10-0-0-64 /]$ sqlmap -u http://192.168.20.166/index.php?id=1 --dbs --risk=3 --level=5

NOTE: The private IP address for this command is provided at the end of the Quick Start deployment.

b. Type Y and press Enter.

[ec2-user@ip-10-0-0-64 /]$ sqlmap -u http://192.168.20.166/index.php?id=1 --dbs --risk=3 --level=5
sqlmap {1.0.4.0#dev} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:20:23 /2019-02-06

[15:20:24] [INFO] testing connection to the target URL
sqlmap got a 301 redirect to 'http://192.168.20.166/?id=1--dbs'. Do you want to follow? [Y/n] y
[15:21:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:21:59] [INFO] testing if the target URL is stable
[15:21:59] [WARNING] GET parameter 'id' does not appear dynamic
[15:21:59] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[15:21:59] [INFO] testing for SQL injection on GET parameter 'id'
[15:21:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:21:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[15:22:13] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[15:22:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[15:22:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[15:22:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[15:22:31] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[15:22:32] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
[15:22:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL - comment)'

The sqlmap application searches for vulnerabilities and this leads to a timeout. This procedure can take one hour to complete. You can proceed to the next step without waiting for the timeout.

c. To stop the attack, press Ctrl+c and wait for a few seconds.

d. Type E and press Enter.

4. Enable Intrusion Prevention Systems (IPS) rules.

Download and install the latest Intrusion Detection and Prevention (IDP) security package to configure the necessary policies to stop the attack.

a. Download the IDP security package.

ec2-user@vsrx-gw> request security idp security-package download full-update

Will be processed in async mode. Check the status using the status checking CLI

NOTE: Wait for the download process to complete before trying to install the security package. Otherwise, the following message is displayed:

ec2-user@vsrx-gw> request security idp security-package install

Download is in progress. Please try again later.

b. Check the download status.

ec2-user@vsrx-gw> request security idp security-package download status


Done; Successfully downloaded from (https://signatures.juniper.net/cgi-bin/index.cgi)
Version info:3135(Fri Jan 18 05:03:55 2019 UTC, Detector-12.6.130180509)

The status shows that the download is successful.

c. Install the IDP security package.

ec2-user@vsrx-gw> request security idp security-package install

Will be processed in async mode. Check the status using the status checking CLI

d. Check the installation status.

ec2-user@vsrx-gw> request security idp security-package install status

Done;Attack DB update : successful - [UpdateNumber=3135,ExportDate=Fri Jan 18 05:03:55 2019 UTC,Detector=12.6.130180509]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no active policy configured.

The installation of the IDP signatures is successful. The data plane is not updated because no policies are configured or enabled.

e. Enter configuration mode.

ec2-user@vsrx-gw> configure

Entering configuration mode

f. Enable logs to track traffic sessions coming from the untrust zone to the trust zone, and commit the configuration.

ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then count
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-init
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-close
ec2-user@vsrx-gw# commit

commit complete

g. Create a custom IDP policy.

This procedure creates the IDP policy that references the predefined HTTP:SQL:INJ:GENERIC signature and associates it with the firewall rule that detects the SQL injection attack.

ec2-user@vsrx-gw# set security log mode stream
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match application junos-http attacks predefined-attacks HTTP:SQL:INJ:GENERIC
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match from-zone untrust to-zone trust
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then action drop-packet
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then severity critical
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then notification log-attacks
ec2-user@vsrx-gw# set security idp active-policy DEMOATTACK
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then permit application-services idp
ec2-user@vsrx-gw# commit

5. Run the SQL injection attack again from the kali VM. The vsrx-gw VM now has firewall policies configured.

[ec2-user@ip-10-0-0-64 /]$ sqlmap -u http://192.168.20.166/index.php?id=1 --dbs --risk=3 --level=5
sqlmap {1.3.2#zip} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 17:30:44 /2019-02-06/

[17:30:44] [INFO] testing connection to the target URL
[17:31:14] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[17:31:14] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with the switch '--random-agent' turned on and/or proxy switches ('--ignore-proxy', '--proxy',...)


vSRX stops the SQL injection attack.

6. Verify the attack procedure by using the vSRX GUI.

Log in to the vSRX GUI by using a Web browser, specifying the vsrx-gw public IP address in the URL. The IP address is provided at the end of the AWS Quick Start deployment. Use the new root password configured in Step 2. Perform the following steps to obtain the detailed event information:

a. Click Monitor in the left navigation bar on the vsrx-gw/VSRX page as shown in Figure 2 on page 24.

Figure 2: Monitor

The Events screen is displayed.

b. Click All Events under Events as shown in Figure 3 on page 24.

Figure 3: All Events

The Attacks screen is displayed.


c. Click the number under Attacks. This number indicates the number of attacks as shown in Figure 4 on page 25.

Figure 4: Attacks

All events are displayed in a table.

Figure 5: Event Table

d. Click the magnifying glass icon in the first row of the table.

The detailed event information is displayed as shown in Figure 6 on page 26.


Figure 6: Detailed Event Information

You can obtain detailed event information for each event by repeating step d.

The vSRX appliance detects and stops the SQL injection attack.

Nmap Attack

Nmap (Network Mapper) is a free, open-source tool for vulnerability scanning and network discovery. Nmap identifies the devices that are running on the network, discovers hosts that are available and the services they offer, finds open ports, and detects security risks.

Run an Nmap Attack

In this procedure, you test whether the vSRX appliance detects and blocks the TCP port scan and UDP port scan Nmap attacks.
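The session-init logging configured in step 4.f of the SQL injection procedure and the DEMOATTACK policy's notification log-attacks in step 4.g emit RT_FLOW and RT_IDP events, which security log mode stream sends to an external collector. The following Python example, added here and not part of the Juniper guide, parses such structured-syslog lines, summarises dropped IDP signatures such as HTTP:SQL:INJ:GENERIC, and flags a source that opens sessions to many distinct ports on one host, the pattern the TCP and UDP port scans above produce on the vsrx-gw session log. The sample lines are constructed (field names follow the Junos RT_IDP_ATTACK_LOG_EVENT and RT_FLOW_SESSION_CREATE conventions, the values and the structured-data ID are invented), and the ten-port threshold is an assumption.

```python
"""Summarize vSRX security logs: IDP attack events and scan-like session bursts.

Added example, not code from the Juniper guide. The sample lines are
constructed: field names follow the Junos RT_IDP_ATTACK_LOG_EVENT and
RT_FLOW_SESSION_CREATE structured-syslog conventions, the values are invented.
"""
import re
from collections import Counter, defaultdict

# RFC 5424 header (PRI VERSION TIMESTAMP HOST APP PROCID MSGID) followed by the
# junos@... structured-data element that carries the event fields.
HEADER_RE = re.compile(
    r'^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ (?P<msgid>\S+) '
    r'\[junos@\S+ (?P<sd>.*)\]\s*$'
)
KV_RE = re.compile(r'(\S+?)="([^"]*)"')
SD_ID = "junos@2636.1.1.2.129.38"  # structured-data ID used in the constructed lines


def parse_line(line):
    """Parse one structured-syslog line into a dict, or None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"), "msgid": m.group("msgid")}
    event.update(dict(KV_RE.findall(m.group("sd"))))
    return event


def summarize_attacks(events):
    """Count IDP attack events by (attack-name, action, threat-severity)."""
    counts = Counter()
    for e in events:
        if e["msgid"] == "IDP_ATTACK_LOG_EVENT":
            counts[(e["attack-name"], e["action"], e["threat-severity"])] += 1
    return counts


def find_port_scans(events, threshold=10):
    """Flag (source, destination) pairs with sessions to >= threshold distinct ports.

    The threshold is an assumption for this example; tune it to the environment.
    """
    ports = defaultdict(set)
    for e in events:
        if e["msgid"] == "RT_FLOW_SESSION_CREATE":
            key = (e["source-address"], e["destination-address"])
            ports[key].add(int(e["destination-port"]))
    return {key: sorted(p) for key, p in ports.items() if len(p) >= threshold}


def idp_line(ts, src, dst, attack, action, severity):
    """Build a constructed IDP attack event as the DEMOATTACK policy would log it."""
    return (f'<14>1 {ts} vsrx-gw RT_IDP - IDP_ATTACK_LOG_EVENT [{SD_ID} '
            f'message-type="SIG" source-address="{src}" source-port="51322" '
            f'destination-address="{dst}" destination-port="80" protocol-name="TCP" '
            f'service-name="HTTP" rule-name="DEMOSQLINJ" rulebase-name="IPS" '
            f'policy-name="DEMOATTACK" action="{action}" threat-severity="{severity}" '
            f'attack-name="{attack}"]')


def flow_line(ts, src, sport, dst, dport):
    """Build a constructed session-init event from the default-permit policy."""
    return (f'<14>1 {ts} vsrx-gw RT_FLOW - RT_FLOW_SESSION_CREATE [{SD_ID} '
            f'source-address="{src}" source-port="{sport}" destination-address="{dst}" '
            f'destination-port="{dport}" protocol-id="6" policy-name="default-permit" '
            f'source-zone-name="untrust" destination-zone-name="trust"]')


def constructed_sample_logs():
    """Two dropped SQL-injection signatures, one normal session, one 12-port sweep."""
    lines = [
        idp_line("2019-02-06T17:30:44.101Z", "192.168.10.5", "192.168.20.166",
                 "HTTP:SQL:INJ:GENERIC", "DROP", "CRITICAL"),
        idp_line("2019-02-06T17:30:45.230Z", "192.168.10.5", "192.168.20.166",
                 "HTTP:SQL:INJ:GENERIC", "DROP", "CRITICAL"),
        flow_line("2019-02-06T17:34:00.000Z", "192.168.10.7", 40100, "192.168.20.166", 80),
        "Feb  6 17:34:01 vsrx-gw sshd[1234]: not a structured security event",
    ]
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(flow_line(f"2019-02-06T17:35:{i:02d}.000Z", "192.168.10.5",
                               40200 + i, "192.168.20.166", port))
    return lines


def analyze(lines):
    """Return (attack counter, scan report) for an iterable of raw log lines."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return summarize_attacks(events), find_port_scans(events)


if __name__ == "__main__":
    attacks, scans = analyze(constructed_sample_logs())
    for (name, action, sev), n in attacks.items():
        print(f"{n:3d}x {name} action={action} severity={sev}")
    for (src, dst), ports in scans.items():
        print(f"possible port scan {src} -> {dst}: {len(ports)} ports {ports}")
```

Unparseable lines are skipped rather than raising, so the same function can be pointed at a mixed syslog file; the port-scan check counts distinct destination ports per source and destination pair and ignores a host that only opens one session, which is why the normal 192.168.10.7 session is not reported.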

To run an Nmap attack:

1. Log in to the kali and vsrx-gw VMs.

2. (Optional) Enable the IPS rules.


NOTE: This step is not required if you had enabled the IPS rules while running the SQL injection attack.

Download and install the latest IDP security package to configure the necessary policies to stop the attack.

a. Download the IDP security package.

ec2-user@vsrx-gw> request security idp security-package download full-update

Will be processed in async mode. Check the status using the status checking CLI

NOTE: Wait for the download process to complete before trying to install the security package. Otherwise, the following message is displayed:

ec2-user@vsrx-gw> request security idp security-package install

Download is in progress. Please try again later.

b. Check the download status.

ec2-user@vsrx-gw> request security idp security-package download status

Done; Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi)
Version info:3135(Fri Jan 18 05:03:55 2019 UTC, Detector-12.6.130180509)

The status shows that the download is successful.

c. Install the IDP security package.

ec2-user@vsrx-gw> request security idp security-package install

Will be processed in async mode. Check the status using the status checking CLI

d. Check the installation status.

ec2-user@vsrx-gw> request security idp security-package install status

Done;Attack DB update : successful - [UpdateNumber=3135,ExportDate=Fri Jan 18 05:03:55 2019 UTC,Detector=12.6.130180509]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no active policy configured.

The installation of the IDP signatures is successful. The data plane is not updated because no policies are configured or enabled.


e. Enter configuration mode.

ec2-user@vsrx-gw> configure

Entering configuration mode

f. Enable logs to track traffic sessions coming from the untrust zone to the trust zone, and commit the configuration.

ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then count
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-init
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-close
ec2-user@vsrx-gw# commit

commit complete

g. Create a custom IDP policy.

NOTE: This step is not required if you had created a custom IDP policy while running the SQL injection attack.

This procedure creates the signature to associate with the firewall rule that detects the Nmap attack.

ec2-user@vsrx-gw# set security log mode stream
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match application junos-http attacks predefined-attacks HTTP:SQL:INJ:GENERIC
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match from-zone untrust to-zone trust
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then action drop-packet
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then severity critical
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then notification log-attacks
ec2-user@vsrx-gw# set security idp active-policy DEMOATTACK
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then permit application-services idp
ec2-user@vsrx-gw# commit

3. Configure the vSRX port scan protection.

A port scan occurs when one source IP address sends an IP packet containing TCP or UDP SYN segments to a defined number of different ports at the same destination IP address within a defined interval.

ec2-user@vsrx-gw# set security screen ids-option DDOSDEMO tcp port-scan
ec2-user@vsrx-gw# set security screen ids-option DDOSDEMO udp port-scan
ec2-user@vsrx-gw# set security zones security-zone untrust screen DDOSDEMO
ec2-user@vsrx-gw# set security log mode event
ec2-user@vsrx-gw# set system syslog file idptraffic.log user info
ec2-user@vsrx-gw# set system syslog file idptraffic.log match "RT_IDP|RT_IDS"
ec2-user@vsrx-gw# commit

4. Use the vSRX CLI to verify that the Nmap port scan is blocked.

Start logging the attack activity in listen mode. Listen mode is the Nmap network scanning mode.

ec2-user@vsrx-gw# exit

Exiting configuration mode

ec2-user@vsrx-gw> monitor start idptraffic.log

This log shows how vSRX detects and blocks the attack.

5. Run an Nmap TCP port scan attack from the kali VM.

[ec2-user@ip-10-0-0-64 /]$ nmap -sT 192.168.20.166

Starting Nmap 6.40 ( https://nmap.org ) at 2019-01-22 18:10 UTC
Nmap scan report for 192-168-20-166
Host is up (0.0037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds

6. Verify that the Nmap port scan is blocked. To do this, use the vSRX CLI to check the logs in the session from Step 4.

ec2-user@vsrx-gw> monitor start idptraffic.log

***idptraffic.log ***
Jan 22 18:10:27 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:55568, destination 192.168.20.4:111, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:10:28 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:53284, destination 192.168.20.4:2022, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:10:29 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:51264, destination 192.168.20.4:10628, zone name: untrust, interface name: st0.0, action: drop

The log confirms that:

• TCP port scan is running.

• vSRX detects the TCP port scan attack.

7. Run an Nmap UDP port scan attack from the kali VM.

[ec2-user@ip-10-0-0-64 /]$ sudo su -
[root@ip-10-0-0-64 /]# nmap -sU 192.168.20.4


Starting Nmap 7.01 ( https://nmap.org ) at 2019-01-22 18:12 UTC
Nmap scan report for 192.168.20.4
Host is up (0.0040s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
517/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1086.13 seconds

8. Verify that the Nmap port scan is blocked. Use the vSRX CLI to check the logs in the session from Step 4.

ec2-user@vsrx-gw> monitor start idptraffic.log

***idptraffic.log ***
Jan 22 18:12:27 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52474, destination 192.168.20.4:687, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:12:29 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52476, destination 192.168.20.4:48186, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:12:29 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52477, destination 192.168.20.4:47765, zone name: untrust, interface name: st0.0, action: drop

The log confirms that:

• UDP port scan is running.

• vSRX detects the UDP port scan attack.

This test confirms that the vSRX appliance detects and blocks the Nmap attack and that you can monitor the attack activity logs.
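Steps 6 and 8 verify the screen by reading idptraffic.log by eye. As an added example that is not part of the Juniper guide, the following Python parses RT_SCREEN_TCP/UDP entries in the log format shown above, summarizes hits per source IP and protocol, and flags any hit whose action is not drop (the sign that a screen is only alarming rather than blocking). The RT_FLOW line and the 10.3.1.9 entry in the sample log are constructed; the other lines are the ones printed in steps 6 and 8.

```python
import re
from collections import Counter

# Pattern for the RT_IDS screen entries that the idptraffic.log match filter
# ("RT_IDP|RT_IDS") collects, in the format printed in steps 6 and 8.
SCREEN_RE = re.compile(
    r"RT_IDS: (?P<event>RT_SCREEN_(?P<proto>TCP|UDP)): (?P=proto) port scan! "
    r"source: (?P<src_ip>[\d.]+):(?P<src_port>\d+), "
    r"destination (?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"zone name: (?P<zone>\S+), interface name: (?P<ifname>\S+), "
    r"action: (?P<action>\S+)$"
)

def parse_screen_line(line):
    """Return the fields of one RT_SCREEN_TCP/UDP line, or None for any other line."""
    m = SCREEN_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def summarize_scans(lines):
    """Per (source IP, protocol): hit count, distinct destination ports, actions seen."""
    summary = {}
    for rec in filter(None, map(parse_screen_line, lines)):
        s = summary.setdefault((rec["src_ip"], rec["proto"]),
                               {"hits": 0, "dst_ports": set(), "actions": Counter()})
        s["hits"] += 1
        s["dst_ports"].add(rec["dst_port"])
        s["actions"][rec["action"]] += 1
    return summary

def not_dropped(lines):
    """Screen hits whose action is not 'drop' (e.g. a screen configured to alarm only)."""
    return [r for r in map(parse_screen_line, lines) if r and r["action"] != "drop"]

# Sample log: entries from steps 6 and 8 plus two constructed lines (a session log
# that the parser must skip, and a hit whose action is "alarm" rather than "drop").
SAMPLE_LOG = [
    "Jan 22 18:10:27 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:55568, destination 192.168.20.4:111, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:10:28 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:53284, destination 192.168.20.4:2022, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:12:27 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52474, destination 192.168.20.4:687, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:12:29 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52476, destination 192.168.20.4:48186, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:12:30 vsrx-gw RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.3.1.4/40000->192.168.20.4/22 (constructed)",
    "Jan 22 18:13:01 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.9:40001, destination 192.168.20.4:443, zone name: untrust, interface name: st0.0, action: alarm",
]
```

Run it against a copy of idptraffic.log pulled from the vSRX, or feed the lines from `monitor start idptraffic.log` into summarize_scans, to confirm every screen hit carries action: drop.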
