Re: [j-nsp] SRX policy action to inject a route in a table??
I'm not aware of any roadmap features that will do this, as we have an existing method to do this today. It's easy enough to divert ingress traffic into a different routing-instance with FBF, then just apply stateful policy to it.

Doug

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Clarke Morledge
Sent: Friday, March 18, 2011 6:57 AM
To: Stefan Fouant
Cc: 'juniper-nsp'
Subject: Re: [j-nsp] SRX policy action to inject a route in a table??

On Thu, 17 Mar 2011, Stefan Fouant wrote:

> Hi Clarke, Doug's suggestion of using a firewall-filter with an action of
> then routing-instance is probably the cleanest way to do this. We call this
> Filter-Based Forwarding or FBF in Juniper speak but this is no different
> from Policy-Based Routing (PBR) on other vendor platforms. Firewall-filters
> (stateless) are processed before stateful services so this wouldn't be an
> action that you find under the 'security policies' stanza of the
> configuration hierarchy, but rather would be configured under
> 'firewall-filters'.

Hi, Stefan,

Yes, the firewall filter idea is a good one, but I was hoping to leverage some of the more stateful and/or "screen" functions that the SRX has to achieve the same thing.

The event script concept is intriguing, but the challenge is how to trigger the event appropriately.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX policy action to inject a route in a table??
On Thu, 17 Mar 2011, Brandon Ross wrote:

> On Thu, 17 Mar 2011, Clarke Morledge wrote:
>
>> What I have in mind is some way to use the SRX to grab the IPs of
>> misbehaving hosts and put the address in a RIB. Then I can use routing
>> policy to put the route into a BGP feed to a border router that would null
>> route traffic to and from that IP address using tricks with Unicast
>> Reverse Path Forwarding.
>
> Cool, so if a miscreant wants to DoS you, all he has to do is spoof source
> traffic from any destinations that are important to you and you'll do the
> null routing for him, eh?

Brandon,

As I mentioned in my original post, there are all sorts of DOS issues to consider, and your point is one of them. However, isn't this an issue with any inline IPS that has some type of quarantining function? Furthermore, doesn't the IDP functionality on the SRX itself suffer the same limitation?

My main consideration is to take the IPS-ish intelligence on the SRX and push the quarantining function back to a routing device further upstream. There's a lot of low hanging fruit you could deal with in this way.

We already use blacklisting via null routing with uRPF very effectively. But we have to manually add to the blacklist. The question I have is whether you can automate this via the SRX, aside from the DoS concern.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
Re: [j-nsp] SRX policy action to inject a route in a table??
On Thu, 17 Mar 2011, Stefan Fouant wrote:

> Hi Clarke, Doug's suggestion of using a firewall-filter with an action of
> then routing-instance is probably the cleanest way to do this. We call this
> Filter-Based Forwarding or FBF in Juniper speak but this is no different
> from Policy-Based Routing (PBR) on other vendor platforms. Firewall-filters
> (stateless) are processed before stateful services so this wouldn't be an
> action that you find under the 'security policies' stanza of the
> configuration hierarchy, but rather would be configured under
> 'firewall-filters'.

Hi, Stefan,

Yes, the firewall filter idea is a good one, but I was hoping to leverage some of the more stateful and/or "screen" functions that the SRX has to achieve the same thing.

The event script concept is intriguing, but the challenge is how to trigger the event appropriately.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
Re: [j-nsp] SRX policy action to inject a route in a table??
> -Original Message-
> From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
> boun...@puck.nether.net] On Behalf Of Clarke Morledge
> Sent: Thursday, March 17, 2011 6:05 PM
> To: juniper-nsp
> Subject: [j-nsp] SRX policy action to inject a route in a table??
>
> The SRX policy actions (count, deny, log, permit, reject) are helpful, but
> a little limited. I am wondering if there might be a way to enforce a
> special action such as take the ip address of the source packet and inject
> it into a routing table of some sort.

Hi Clarke,

Doug's suggestion of using a firewall-filter with an action of then routing-instance is probably the cleanest way to do this. We call this Filter-Based Forwarding or FBF in Juniper speak but this is no different from Policy-Based Routing (PBR) on other vendor platforms. Firewall-filters (stateless) are processed before stateful services so this wouldn't be an action that you find under the 'security policies' stanza of the configuration hierarchy, but rather would be configured under 'firewall-filters'.

> What I have in mind is some way to use the SRX to grab the IPs of
> misbehaving hosts and put the address in a RIB. Then I can use routing
> policy to put the route into a BGP feed to a border router that would null
> route traffic to and from that IP address using tricks with Unicast
> Reverse Path Forwarding.
>
> This would be like using the SRX as a simple honeypot to then enforce a
> host address block at the network perimeter. Of course, there are all
> sorts of dangers and challenges involved, such as making sure you don't
> end up DOS'ing the SRX yourself, etc. But I still wish there was a clean
> way to proactively do this.
>
> My other option is to just log the packet to somewhere else, parse the
> log, then grab the IP of the offender and populate my BGP feed that way.
> But this could get complicated, too.

Honestly, there are a lot of different ways you could do this but one way would be to first establish some visibility into the network using something like Netflow. Once you have flow/visibility, you could use some of this data to identify misbehaving hosts that you want to null-route or simply redirect into a given VRF (a la Filter-Based Forwarding)...

If you have a route-server in your environment you could use a myriad of different options like RTBH, S/RTBH or BGP FlowSpec to drive this automatically throughout many devices in your environment with the redirect extended community giving you the simplicity of a big-red button... heck this could even be automated using gear from various vendors or even some open-source tools.

Note: For full disclosure, I must admit I work for a vendor which makes commercial gear and tools in this area.

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB4C956EC
Re: [j-nsp] SRX policy action to inject a route in a table??
Have you looked into an inline IPS in front of the SRX to just block misbehaving hosts? I've had a lot of success with this.

- Original Message -
From: juniper-nsp-boun...@puck.nether.net
To: juniper-nsp
Sent: Thu Mar 17 18:04:36 2011
Subject: [j-nsp] SRX policy action to inject a route in a table??

The SRX policy actions (count, deny, log, permit, reject) are helpful, but a little limited. I am wondering if there might be a way to enforce a special action such as take the ip address of the source packet and inject it into a routing table of some sort.

What I have in mind is some way to use the SRX to grab the IPs of misbehaving hosts and put the address in a RIB. Then I can use routing policy to put the route into a BGP feed to a border router that would null route traffic to and from that IP address using tricks with Unicast Reverse Path Forwarding.

This would be like using the SRX as a simple honeypot to then enforce a host address block at the network perimeter. Of course, there are all sorts of dangers and challenges involved, such as making sure you don't end up DOS'ing the SRX yourself, etc. But I still wish there was a clean way to proactively do this.

My other option is to just log the packet to somewhere else, parse the log, then grab the IP of the offender and populate my BGP feed that way. But this could get complicated, too.

It could be a handy feature to do all of this task on the SRX.

Anybody have any ideas on this?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
Re: [j-nsp] SRX policy action to inject a route in a table??
You can create a firewall filter and use the routing-instance knob.

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Clarke Morledge
Sent: Thursday, March 17, 2011 3:05 PM
To: juniper-nsp
Subject: [j-nsp] SRX policy action to inject a route in a table??

The SRX policy actions (count, deny, log, permit, reject) are helpful, but a little limited. I am wondering if there might be a way to enforce a special action such as take the ip address of the source packet and inject it into a routing table of some sort.

What I have in mind is some way to use the SRX to grab the IPs of misbehaving hosts and put the address in a RIB. Then I can use routing policy to put the route into a BGP feed to a border router that would null route traffic to and from that IP address using tricks with Unicast Reverse Path Forwarding.

This would be like using the SRX as a simple honeypot to then enforce a host address block at the network perimeter. Of course, there are all sorts of dangers and challenges involved, such as making sure you don't end up DOS'ing the SRX yourself, etc. But I still wish there was a clean way to proactively do this.

My other option is to just log the packet to somewhere else, parse the log, then grab the IP of the offender and populate my BGP feed that way. But this could get complicated, too.

It could be a handy feature to do all of this task on the SRX.

Anybody have any ideas on this?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
Re: [j-nsp] SRX policy action to inject a route in a table??
>>> On 3/17/2011 at 3:04 PM, Clarke Morledge wrote:
> The SRX policy actions (count, deny, log, permit, reject) are helpful, but
> a little limited. I am wondering if there might be a way to enforce a
> special action such as take the ip address of the source packet and inject
> it into a routing table of some sort.
>
> What I have in mind is some way to use the SRX to grab the IPs of
> misbehaving hosts and put the address in a RIB. Then I can use routing
> policy to put the route into a BGP feed to a border router that would null
> route traffic to and from that IP address using tricks with Unicast
> Reverse Path Forwarding.
>
> This would be like using the SRX as a simple honeypot to then enforce a
> host address block at the network perimeter. Of course, there are all
> sorts of dangers and challenges involved, such as making sure you don't
> end up DOS'ing the SRX yourself, etc. But I still wish there was a clean
> way to proactively do this.
>
> My other option is to just log the packet to somewhere else, parse the
> log, then grab the IP of the offender and populate my BGP feed that way.
> But this could get complicated, too.
>
> It could be a handy feature to do all of this task on the SRX.
>
> Anybody have any ideas on this?

Event script.

SLAX scripts are a bit hard to wrap your head around at first, but this Day One document is a pretty good primer,

http://www.juniper.net/us/en/community/junos/training-certification/day-one/automation-series/applying-junos-automation/

You may want to hit up,

http://code.google.com/p/junoscriptorium/

And see if something even close already exists there.

BTW, anyone else know of good sources of JUNOS script examples?

--
Crist Clark
Network Security Specialist, Information Systems
Globalstar
408 933 4387
[j-nsp] SRX policy action to inject a route in a table??
The SRX policy actions (count, deny, log, permit, reject) are helpful, but a little limited. I am wondering if there might be a way to enforce a special action such as take the ip address of the source packet and inject it into a routing table of some sort.

What I have in mind is some way to use the SRX to grab the IPs of misbehaving hosts and put the address in a RIB. Then I can use routing policy to put the route into a BGP feed to a border router that would null route traffic to and from that IP address using tricks with Unicast Reverse Path Forwarding.

This would be like using the SRX as a simple honeypot to then enforce a host address block at the network perimeter. Of course, there are all sorts of dangers and challenges involved, such as making sure you don't end up DOS'ing the SRX yourself, etc. But I still wish there was a clean way to proactively do this.

My other option is to just log the packet to somewhere else, parse the log, then grab the IP of the offender and populate my BGP feed that way. But this could get complicated, too.

It could be a handy feature to do all of this task on the SRX.

Anybody have any ideas on this?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
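The "log it somewhere else, parse the log, grab the offender" option from the original post, with the spoofed-source caveat Brandon raised and the prefix-list that Doug's and Stefan's FBF filter would match on, as an added example that is not code from the thread or from Juniper. The syslog lines are constructed and only modelled on the SRX RT_FLOW_SESSION_DENY message; the protected prefixes, the threshold, and the prefix-list name `quarantined-hosts` are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample syslog lines, modelled on the SRX RT_FLOW_SESSION_DENY
# message (the exact field layout is an assumption, not copied from the thread).
SAMPLE_LOG = """\
Mar 17 18:04:36 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/51234->192.0.2.10/22 junos-ssh 6(0) deny-all untrust trust
Mar 17 18:04:37 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.9/40000->192.0.2.10/22 junos-ssh 6(0) deny-all untrust trust
Mar 17 18:04:38 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/51235->192.0.2.10/23 junos-telnet 6(0) deny-all untrust trust
Mar 17 18:04:39 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.99/40001->192.0.2.10/22 junos-ssh 6(0) deny-all untrust trust
Mar 17 18:04:40 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.50/45000->192.0.2.10/80 junos-http 6(0) deny-all untrust trust
Mar 17 18:04:41 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/51236->192.0.2.10/445 junos-smb 6(0) deny-all untrust trust
Mar 17 18:04:42 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.0.2.99/40002->192.0.2.10/22 junos-ssh 6(0) deny-all untrust trust
Mar 17 18:04:43 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.9/40001->192.0.2.10/23 junos-telnet 6(0) deny-all untrust trust
"""

DENY_RE = re.compile(r"RT_FLOW_SESSION_DENY: session denied (\d+\.\d+\.\d+\.\d+)/\d+->")

# Prefixes that must never be blackholed whatever the logs say (constructed values):
# your own address space, upstream resolvers, BGP peers. Without this list, anyone
# who spoofs one of these as a source gets the automation to cut you off from it.
PROTECTED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.1/32")]

def is_protected(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED)

def select_offenders(log_text, threshold=3, max_entries=100):
    """Sources denied at least `threshold` times, most hits first, protected ones skipped."""
    hits = Counter(m.group(1) for m in DENY_RE.finditer(log_text))
    chosen = [ip for ip, n in hits.items() if n >= threshold and not is_protected(ip)]
    # Cap the list so a flood of spoofed sources cannot grow the filter without bound.
    return sorted(chosen, key=lambda ip: (-hits[ip], ip))[:max_entries]

def junos_set_commands(offenders, prefix_list="quarantined-hosts"):
    """Render Junos set commands that load the hosts into the prefix-list an FBF
    filter (from source-prefix-list ... then routing-instance) matches on."""
    return [f"set policy-options prefix-list {prefix_list} {ip}/32" for ip in offenders]

if __name__ == "__main__":
    for line in junos_set_commands(select_offenders(SAMPLE_LOG, threshold=2)):
        print(line)
```

The same selection can feed a static discard route instead of a prefix-list if the block is to be pushed upstream over BGP as the original post describes; the guards (protected prefixes, repeat threshold, size cap) are the part that matters either way.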