vSRX Deployment Guide for AWS Quick Start
Modified: 2019-03-28
Copyright © 2019, Juniper Networks, Inc.
Juniper Networks, Inc., 1133 Innovation Way, Sunnyvale, California 94089 USA, 408-745-2000, www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
vSRX Deployment Guide for AWS Quick Start
Copyright © 2019 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About the Documentation (page ix)
  Documentation and Release Notes (page ix)
  Documentation Conventions (page ix)
  Documentation Feedback (page xi)
  Requesting Technical Support (page xii)
    Self-Help Online Tools and Resources (page xii)
    Creating a Service Request with JTAC (page xiii)
Chapter 1 vSRX Test Environment on AWS Quick Start (page 15)
  Overview (page 15)
    AWS Quick Start Overview (page 15)
      Benefits (page 15)
    vSRX Overview (page 15)
    vSRX Architecture on AWS Quick Start (page 16)
Chapter 2 Deploying the vSRX Virtual Appliance on AWS Quick Start (page 17)
  Deploying the vSRX Virtual Appliance on AWS Quick Start (page 17)
    Before You Deploy the vSRX Virtual Appliance on AWS Quick Start (page 17)
      User Credentials for VMs in the AWS Quick Start Environment (page 17)
      Deployment Instructions for the VMs in the Quick Start Environment (page 18)
    Deploy the vSRX Virtual Appliance on AWS Quick Start (page 18)
Chapter 3 Setting Up Attacks Using the AWS Quick Start (page 19)
  Setting Up Attacks Using the AWS Quick Start (page 19)
    SQL Injection Attack (page 19)
      Run an SQL Injection Attack (page 20)
    Nmap Attack (page 26)
      Run an Nmap Attack (page 26)
List of Figures
Chapter 1 vSRX Test Environment on AWS Quick Start (page 15)
  Figure 1: AWS Quick Start Environment (page 16)
Chapter 3 Setting Up Attacks Using the AWS Quick Start (page 19)
  Figure 2: Monitor (page 24)
  Figure 3: All Events (page 24)
  Figure 4: Attacks (page 25)
  Figure 5: Event Table (page 25)
  Figure 6: Detailed Event Information (page 26)
List of Tables
About the Documentation (page ix)
  Table 1: Notice Icons (page x)
  Table 2: Text and Syntax Conventions (page x)
Chapter 2 Deploying the vSRX Virtual Appliance on AWS Quick Start (page 17)
  Table 3: User Credentials for VMs in the Quick Start Environment (page 17)
About the Documentation
• Documentation and Release Notes on page ix
• Documentation Conventions on page ix
• Documentation Feedback on page xi
• Requesting Technical Support on page xii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page x defines notice icons used in this guide.
Table 1: Notice Icons
Icon meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Tip: Indicates helpful information.
Best practice: Alerts you to a recommended use or implementation.
Table 2 on page x defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
  Description: Represents text that you type.
  Example: To enter configuration mode, type the configure command:
    user@host> configure
Convention: Fixed-width text like this
  Description: Represents output that appears on the terminal screen.
  Example:
    user@host> show chassis alarms
    No alarms currently active
Convention: Italic text like this
  Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
  Examples: A policy term is a named structure that defines match conditions and actions. Junos OS CLI User Guide. RFC 1997, BGP Communities Attribute.
Convention: Italic text like this
  Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
  Example: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name
Convention: Text like this
  Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
  Examples: To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE.
Convention: < > (angle brackets)
  Description: Encloses optional keywords or variables.
  Example: stub <default-metric metric>;
Convention: | (pipe symbol)
  Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
  Examples: broadcast | multicast; (string1 | string2 | string3)
Convention: # (pound sign)
  Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
  Example: rsvp { # Required for dynamic MPLS only
Convention: [ ] (square brackets)
  Description: Encloses a variable for which you can substitute one or more values.
  Example: community name members [ community-ids ]
Convention: Indention and braces ( { } )
  Description: Identifies a level in the configuration hierarchy.
  Example:
    [edit]
    routing-options {
      static {
        route default {
          nexthop address;
          retain;
        }
      }
    }
Convention: ; (semicolon)
  Description: Identifies a leaf statement at a configuration hierarchy level.
GUI Conventions
Convention: Bold text like this
  Description: Represents graphical user interface (GUI) items you click or select.
  Examples: In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel.
Convention: > (bold right angle bracket)
  Description: Separates levels in a hierarchy of menu selections.
  Example: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You
can use either of the following methods:
• Online feedback system—Click TechLibrary Feedback, on the lower right of any page
on the Juniper Networks TechLibrary site, and do one of the following:
• Click the thumbs-up icon if the information on the page was helpful to you.
• Click the thumbs-down icon if the information on the page was not helpful to you
or if you have suggestions for improvement, and use the pop-up form to provide
feedback.
• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active Juniper Care or Partner Support
Services support contract, or are covered under warranty, and need post-sales technical
support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
https://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: https://www.juniper.net/customers/support/
• Search for known bugs: https://prsearch.juniper.net/
• Find product documentation: https://www.juniper.net/documentation/
• Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
• Download the latest versions of software and review release notes:
https://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
https://www.juniper.net/company/communities/
• Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
• Visit https://myjuniper.juniper.net.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.
CHAPTER 1
vSRX Test Environment on AWS Quick Start
• Overview on page 15
Overview
The following topics provide more information about AWS Quick Start and vSRX.
• AWS Quick Start Overview on page 15
• vSRX Overview on page 15
• vSRX Architecture on AWS Quick Start on page 16
AWS Quick Start Overview
Amazon Web Services (AWS) Quick Starts enable you to deploy popular solutions on
AWS, based on AWS best practices for security and high availability. These reference
deployments implement key technologies automatically on the AWS Cloud, often with
a single click and in less than an hour. You can build your test or production environment
in a few steps, and start using it immediately. For more information about AWS Quick
Starts, see frequently asked questions about AWS Quick Starts.
Benefits
When a product is provisioned on AWS Quick Start, you can test the product in a simulated
environment.
vSRX Overview
Juniper Networks vSRX Virtual Firewall is a virtual security appliance that provides security
and networking services at the perimeter or edge in virtualized private or public cloud
environments. vSRX runs as a virtual machine (VM) on a standard x86 server. vSRX is
built on the Junos operating system (Junos OS) and delivers networking and security
features similar to those available on the software releases for the SRX Series Services
Gateways. For more information about vSRX, see vSRX Overview.
You can set up a vSRX virtual security appliance on AWS Quick Start. You can test the
key features of the vSRX appliance in the Quick Start test environment.
vSRX Architecture on AWS Quick Start
Figure 1 on page 16 illustrates the vSRX architecture that is automatically deployed on
AWS Quick Start.
Figure 1: AWS Quick Start Environment
(Diagram; labels recoverable from the figure: the Internet and the AWS Quick Start user; a left VPC 10.0.0.0/16 containing the kali VM with private-subnet 10.0.0.0/24 and mgmt-subnet 10.0.3.0/24; a right VPC 192.168.0.0/16 containing the wordpress VM and the vsrx-gw VM with interfaces if-vsrx-gw-ge-0-0-0 192.168.10.20 on Untrust 192.168.10.0/24, if-vsrx-gw-ge-0-0-1 192.168.20.20 on Trust 192.168.20.0/24, and if-vsrx-gw-fxp0 on mgmt-subnet 192.168.0.0/24; public IP addresses labeled Dynamic PIP and Static PIP; and an IPsec IKE2 site-to-site VPN tunnel between the two VPCs.)
The AWS Quick Start environment has the following two virtual private clouds (VPCs):
• The left VPC includes a Kali Linux virtual machine (VM) called kali, which has two
interfaces—one on the private subnet and the other on the management subnet that
has a public IP address.
• The right VPC includes the following two VMs:
• An Ubuntu VM with WordPress, wordpress.
• A Juniper Networks vSRX virtual security appliance, vsrx-gw, with three
interfaces—one each on the untrusted subnet, trusted subnet, and management
subnet. The one on the untrusted subnet has a public IP address.
CHAPTER 2
Deploying the vSRX Virtual Appliance on AWS Quick Start
• Deploying the vSRX Virtual Appliance on AWS Quick Start on page 17
Deploying the vSRX Virtual Appliance on AWS Quick Start
• Before You Deploy the vSRX Virtual Appliance on AWS Quick Start on page 17
• Deploy the vSRX Virtual Appliance on AWS Quick Start on page 18
Before You Deploy the vSRX Virtual Appliance on AWS Quick Start
You can deploy a vSRX virtual appliance directly on AWS Quick Start. Use a
browser-based UI to deploy and configure virtual machines (VMs) and all related
resources.
Before you deploy the vSRX virtual appliance on AWS Quick Start:
• See “vSRX Architecture on AWS Quick Start” on page 16.
• See “Deployment Instructions for the VMs in the Quick Start Environment” on page 18.
• See Table 3 on page 17.
User Credentials for VMs in the AWS Quick Start Environment
Table 3 on page 17 lists the user credentials used for accessing the VMs in the AWS Quick
Start environment.
Table 3: User Credentials for VMs in the Quick Start Environment
Virtual Machine Name | Username | Password | Role
kali | ec2-user | demoJuniper.pem (private key) | Attacker. This VM launches the attack.
wordpress | ec2-user | demoJuniper.pem (private key) | Victim. This VM receives the attack.
vsrx-gw | ec2-user | demoJuniper.pem (private key) | vSRX Appliance
NOTE: The public IP addresses required to remotely access each VM are dynamic and are provided after the Quick Start is deployed on the AWS Quick Starts website.
A file named demoJuniper.pem is available as an output and is provided after the Quick Start is deployed on the AWS Quick Starts website. This file is a private key required to remotely access each VM.
Deployment Instructions for the VMs in the Quick Start Environment
To access the kali, wordpress, and vsrx-gw VMs in the Quick Start environment:
1. Open a Linux terminal console.
2. Use the following command to access each VM:
ssh -l ec2-user -i demoJuniper.pem public-ip-of-the-virtual-machine
Deploy the vSRX Virtual Appliance on AWS Quick Start
To deploy the vSRX Virtual Appliance on AWS Quick Start:
1. Access the AWS Quick Starts website.
2. Select vSRX Quick Start from Juniper.
3. Follow the instructions to deploy the vSRX Virtual Appliance.
You have now successfully deployed the vSRX Virtual Appliance on AWS Quick Start.
After you complete deploying the vSRX Virtual Appliance, you receive a security private
key, along with three public IP addresses, one for each of the following VMs:
• kali
• wordpress
• vsrx-gw
CHAPTER 3
Setting Up Attacks Using the AWS Quick Start
• Setting Up Attacks Using the AWS Quick Start on page 19
Setting Up Attacks Using the AWS Quick Start
As the final step in the deployment of the AWS Quick Start, you run different types of
attacks on the virtual machines (VMs). You accomplish this goal by performing the
following tasks:
• Set up attacks from one VM to another.
• Verify the attacks on the vSRX virtual security appliance, vsrx-gw, located before the
wordpress VM.
The deployment described in this guide uses an SQL injection attack and an Nmap
(Network Mapper) attack.
• SQL Injection Attack on page 19
• Nmap Attack on page 26
SQL Injection Attack
SQL injection attack is a code injection technique that inserts SQL statements in an entry
field for running the attack. For more information about SQL injection, see SQL injection.
Run an SQL Injection Attack
To run an SQL injection attack:
1. Log in to the kali and vsrx-gw VMs.
2. Reset the root password on the vsrx-gw VM on first login.
a. Enter configuration mode.
ec2-user@vsrx-gw> configure
b. Reset the root password.
ec2-user@vsrx-gw# set system root-authentication plain-text-password
New password:
Retype new password:
3. Run the attack procedure from the kali VM. At this time, no firewall policies are
configured on the vsrx-gw VM.
a. Use the following command to initiate the SQL injection attack:
[ec2-user@ip-10-0-0-64 /]$ sqlmap -u http://192.168.20.166/index.php?id=1 --dbs --risk=3 --level=5
NOTE: The private IP address for this command is provided at the end of the Quick Start deployment.
b. Type Y and press Enter.
[ec2-user@ip-10-0-0-64 /]$ sqlmap -u http://192.168.20.166/index.php?id=1 --dbs --risk=3 --level=5
sqlmap {1.0.4.0#dev} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:20:23 /2019-02-06
[15:20:24] [INFO] testing connection to the target URL
sqlmap got a 301 redirect to 'http://192.168.20.166/?id=1--dbs'. Do you want to follow? [Y/n] y
[15:21:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:21:59] [INFO] testing if the target URL is stable
[15:21:59] [WARNING] GET parameter 'id' does not appear dynamic
[15:21:59] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[15:21:59] [INFO] testing for SQL injection on GET parameter 'id'
[15:21:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:21:59] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[15:22:13] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT)'
[15:22:20] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[15:22:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[15:22:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[15:22:31] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[15:22:32] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - comment)'
[15:22:33] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL - comment)'
The sqlmap application searches for vulnerabilities and this leads to a timeout.
This procedure can take one hour to complete. You can proceed to the next step
without waiting for the timeout.
c. To stop the attack, press Ctrl+c and wait for a few seconds.
d. Type E and press Enter.
4. Enable Intrusion Prevention Systems (IPS) rules.
Download and install the latest Intrusion Detection and Prevention (IDP) security
package to configure the necessary policies to stop the attack.
a. Download the IDP security package.
ec2-user@vsrx-gw> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI
NOTE: Wait for the download process to complete before trying to install the security package. Otherwise, the following message is displayed:
ec2-user@vsrx-gw> request security idp security-package install
Download is in progress. Please try again later.
b. Check the download status.
ec2-user@vsrx-gw> request security idp security-package download status
Done; Successfully downloaded from (https://signatures.juniper.net/cgi-bin/index.cgi)
Version info: 3135 (Fri Jan 18 05:03:55 2019 UTC, Detector-12.6.130180509)
The status shows that the download is successful.
c. Install the IDP security package.
ec2-user@vsrx-gw> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
d. Check the installation status.
ec2-user@vsrx-gw> request security idp security-package install status
Done; Attack DB update : successful - [UpdateNumber=3135, ExportDate=Fri Jan 18 05:03:55 2019 UTC, Detector=12.6.130180509]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no active policy configured.
The installation of the IDP signatures is successful. The data plane is not updated
because no policies are configured or enabled.
e. Enter configuration mode.
ec2-user@vsrx-gw> configure
Entering configuration mode
f. Enable logs to track traffic sessions coming from the untrust zone to the trust zone,
and commit the configuration.
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then count
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-init
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-close
ec2-user@vsrx-gw# commit
commit complete
g. Create a custom IDP policy.
This procedure creates the signature to associate to the firewall rule that detects
the SQL injection attack.
ec2-user@vsrx-gw# set security log mode stream
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match application junos-http attacks predefined-attacks HTTP:SQL:INJ:GENERIC
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match from-zone untrust to-zone trust
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then action drop-packet
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then severity critical
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then notification log-attacks
ec2-user@vsrx-gw# set security idp active-policy DEMOATTACK
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then permit application-services idp
ec2-user@vsrx-gw# commit
5. Run the SQL injection attack again from the kali VM. The vsrx-gw VM now has firewall
policies configured.
[ec2-user@ip-10-0-0-64 /]$ sqlmap -u http://192.168.20.166/index.php?id=1 --dbs --risk=3 --level=5
sqlmap {1.3.2#zip} http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 17:30:44 /2019-02-06/
[17:30:44] [INFO] testing connection to the target URL
[17:31:14] [CRITICAL] connection timed out to the target URL or proxy. sqlmap is going to retry the request(s)
[17:31:14] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with the switch '--random-agent' turned on and/or proxy switches ('--ignore-proxy', '--proxy',...)
vSRX stops the SQL injection attack.
6. Verify the attack procedure by using the vSRX GUI.
Log in to the vSRX GUI by using a Web browser, specifying the vsrx-gw public IP
address in the URL. The IP address is provided at the end of the AWS Quick Start
deployment. Use the new root password configured in Step 2. Perform the following
steps to obtain the detailed event information:
a. Click Monitor in the left-nav bar on the vsrx-gw/VSRX page as shown in
Figure 2 on page 24.
Figure 2: Monitor
The Events screen is displayed.
b. Click All Events under Events as shown in Figure 3 on page 24.
Figure 3: All Events
The Attacks screen is displayed.
c. Click the number under Attacks. This number indicates the number of attacks as
shown in Figure 4 on page 25.
Figure 4: Attacks
All events are displayed in a table.
Figure 5: Event Table
d. Click the magnifying glass icon in the first row of the table.
The detailed event information is displayed as shown in Figure 6 on page 26.
Figure 6: Detailed Event Information
You can obtain detailed event information for each event by repeating step d.
The vSRX appliance detects and stops the SQL injection attack.
Nmap Attack
Nmap (Network Mapper) is a free, open-source tool for vulnerability scanning and network
discovery. Nmap identifies the devices that are running on the network, discovers hosts that
are available and the services they offer, finds open ports, and detects security risks.
Run an Nmap Attack
In this procedure, you test whether the vSRX appliance detects and blocks the TCP port
scan and UDP port scan Nmap attacks.
To run an Nmap attack:
1. Log in to the kali and vsrx-gw VMs.
2. (Optional) Enable the IPS rules.
NOTE: This step is not required if you had enabled the IPS rules while running the SQL injection attack.
Download and install the latest IDP security package to configure the necessary
policies to stop the attack.
a. Download the IDP security package.
ec2-user@vsrx-gw> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI
NOTE: Wait for the download process to complete before trying to install the security package. Otherwise, the following message is displayed:
ec2-user@vsrx-gw> request security idp security-package install
Download is in progress. Please try again later.
b. Check the download status.
ec2-user@vsrx-gw> request security idp security-package download status
Done; Successfully downloaded from (https://signatures.juniper.net/cgi-bin/index.cgi)
Version info: 3135 (Fri Jan 18 05:03:55 2019 UTC, Detector-12.6.130180509)
The status shows that the download is successful.
c. Install the IDP security package.
ec2-user@vsrx-gw> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
d. Check the installation status.
ec2-user@vsrx-gw> request security idp security-package install status
Done; Attack DB update : successful - [UpdateNumber=3135, ExportDate=Fri Jan 18 05:03:55 2019 UTC, Detector=12.6.130180509]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no active policy configured.
The installation of the IDP signatures is successful. The data plane is not updated
as no policies are configured or enabled.
e. Enter configuration mode.
ec2-user@vsrx-gw> configure
Entering configuration mode
f. Enable logs to track traffic sessions coming from the untrust zone to the trust zone,
and commit the configuration.
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then count
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-init
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then log session-close
ec2-user@vsrx-gw# commit
commit complete
g. Create a custom IDP policy.
NOTE: This step is not required if you had created a custom IDP policy while running the SQL injection attack.
This procedure creates the signature to associate to the firewall rule that detects
the Nmap attack.
ec2-user@vsrx-gw# set security log mode stream
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match application junos-http attacks predefined-attacks HTTP:SQL:INJ:GENERIC
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ match from-zone untrust to-zone trust
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then action drop-packet
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then severity critical
ec2-user@vsrx-gw# set security idp idp-policy DEMOATTACK rulebase-ips rule DEMOSQLINJ then notification log-attacks
ec2-user@vsrx-gw# set security idp active-policy DEMOATTACK
ec2-user@vsrx-gw# set security policies from-zone untrust to-zone trust policy default-permit then permit application-services idp
ec2-user@vsrx-gw# commit
3. Configure the vSRX port scan protection.
A port scan occurs when one source IP address sends an IP packet containing TCP or
UDP SYN segments to a defined number of different ports at the same destination
IP address within a defined interval.
ec2-user@vsrx-gw# set security screen ids-option DDOSDEMO tcp port-scan
ec2-user@vsrx-gw# set security screen ids-option DDOSDEMO udp port-scan
ec2-user@vsrx-gw# set security zones security-zone untrust screen DDOSDEMO
ec2-user@vsrx-gw# set security log mode event
ec2-user@vsrx-gw# set system syslog file idptraffic.log user info
ec2-user@vsrx-gw# set system syslog file idptraffic.log match "RT_IDP|RT_IDS"
ec2-user@vsrx-gw# commit
4. Use the vSRX CLI to verify that the Nmap port scan is blocked.
Start logging the attack activity in listen mode. Listen mode is the Nmap network
scanning mode.
ec2-user@vsrx-gw# exit
Exiting configuration mode
ec2-user@vsrx-gw> monitor start idptraffic.log
This log shows how vSRX detects and blocks the attack.
5. Run an Nmap TCP port scan attack from the Kali VM.
[ec2-user@ip-10-0-0-64 /]$ nmap -sT 192.168.20.166
Starting Nmap 6.40 ( https://nmap.org ) at 2019-01-22 18:10 UTC
Nmap scan report for 192.168.20.166
Host is up (0.0037s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 5.05 seconds
6. Verify that the Nmap port scan is blocked. To do this, use the vSRX CLI to check the
logs in the session from Step 4.
ec2-user@vsrx-gw> monitor start idptraffic.log
*** idptraffic.log ***
Jan 22 18:10:27 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:55568, destination 192.168.20.4:111, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:10:28 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:53284, destination 192.168.20.4:2022, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:10:29 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:51264, destination 192.168.20.4:10628, zone name: untrust, interface name: st0.0, action: drop
The log confirms that:
• TCP port scan is running.
• vSRX detects the TCP port scan attack.
7. Run an Nmap UDP port scan attack from the Kali VM.
[ec2-user@ip-10-0-0-64 /]$ sudo su -
[root@ip-10-0-0-64 /]# nmap -sU 192.168.20.4
Starting Nmap 7.01 ( https://nmap.org ) at 2019-01-22 18:12 UTC
Nmap scan report for 192.168.20.4
Host is up (0.0040s latency).
Not shown: 997 closed ports
PORT    STATE         SERVICE
68/udp  open|filtered dhcpc
517/udp open|filtered dhcpc
Nmap done: 1 IP address (1 host up) scanned in 1086.13 seconds
8. Verify that the Nmap port scan is blocked. Use the vSRX CLI to check the logs in the
session from Step 4.
ec2-user@vsrx-gw> monitor start idptraffic.log
*** idptraffic.log ***
Jan 22 18:12:27 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52474, destination 192.168.20.4:687, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:12:29 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52476, destination 192.168.20.4:48186, zone name: untrust, interface name: st0.0, action: drop
Jan 22 18:12:29 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52477, destination 192.168.20.4:47765, zone name: untrust, interface name: st0.0, action: drop
The log confirms that:
• UDP port scan is running.
• vSRX detects the UDP port scan attack.
This test confirms that the vSRX appliance detects and blocks the Nmap attack and that you can monitor the attack activity logs.
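The verification in steps 6 and 8 relies on reading idptraffic.log by eye. The following added example (written for this edit, not Juniper code and not part of the guide) parses the RT_SCREEN_TCP and RT_SCREEN_UDP lines in the format shown above and summarizes, per protocol and source address, which destination ports were probed and how many events the screen dropped; the sample log lines are constructed from the output in steps 6 and 8.

```python
import re
from collections import defaultdict

# Matches the RT_IDS screen events that the "RT_IDP|RT_IDS" syslog filter
# writes to idptraffic.log, in the format shown in the guide's output.
SCREEN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) RT_IDS: "
    r"RT_SCREEN_(?P<proto>TCP|UDP): (?P=proto) port scan! "
    r"source: (?P<src_ip>[\d.]+):(?P<src_port>\d+), "
    r"destination (?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"zone name: (?P<zone>\S+), interface name: (?P<ifname>\S+), "
    r"action: (?P<action>\w+)$")
# Constructed sample log, modelled on the monitor output in steps 6 and 8.
# The header line is kept on purpose to show that non-events are skipped.
SAMPLE_LOG = [
    "*** idptraffic.log ***",
    "Jan 22 18:10:27 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:55568, destination 192.168.20.4:111, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:10:28 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:53284, destination 192.168.20.4:2022, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:10:29 vsrx-gw RT_IDS: RT_SCREEN_TCP: TCP port scan! source: 10.3.1.4:51264, destination 192.168.20.4:10628, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:12:27 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52474, destination 192.168.20.4:687, zone name: untrust, interface name: st0.0, action: drop",
    "Jan 22 18:12:29 vsrx-gw RT_IDS: RT_SCREEN_UDP: UDP port scan! source: 10.3.1.4:52476, destination 192.168.20.4:48186, zone name: untrust, interface name: st0.0, action: drop",
]

def parse_screen_event(line):
    """Fields of one RT_SCREEN port-scan line, or None for any other line."""
    m = SCREEN_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["src_port"], ev["dst_port"] = int(ev["src_port"]), int(ev["dst_port"])
    return ev

def summarize_scans(lines):
    """Per (protocol, source IP): distinct destination ports probed and counts of dropped vs. other actions."""
    summary = defaultdict(lambda: {"dst_ports": set(), "dropped": 0, "other": 0})
    for line in lines:
        ev = parse_screen_event(line)
        if ev is None:
            continue  # header, RT_IDP line, or anything else: not a screen event
        entry = summary[(ev["proto"], ev["src_ip"])]
        entry["dst_ports"].add(ev["dst_port"])
        entry["dropped" if ev["action"] == "drop" else "other"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (proto, src), e in summarize_scans(SAMPLE_LOG).items():
        print(f"{proto} scan from {src}: {len(e['dst_ports'])} ports probed, "
              f"{e['dropped']} dropped, {e['other']} not dropped")
```

A non-zero "other" count for a source would mean screen events that were logged but not dropped, which is worth checking against the ids-option configuration.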