SD-WAN

 View Only
last person joined: yesterday 

Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).

Feature Friday: Intrusion Detection and Prevention

  • 1.  Feature Friday: Intrusion Detection and Prevention

     
    Posted 10-10-2022 15:20

    Hey Everyone,

    It's October. In the States, October ends with Halloween. With Halloween comes scary movies and haunted happenings. I'm actually not too far from Salem, MA where we had some infamous witch trials in 1692. 330 years later, if you visit Salem, you will see all sorts of spooky things: witches, ghosts, ghouls, and demons. It's actually a fun time, but can be pretty scary too. 

     

    But you know what is scarier than witches and ghosts? 

     

    SECURITY BREACHES!  

     

    But hey, it's Feature Friday (my favorite day of the week), so to give you a little ease this Halloween season, I thought I would discuss the Session Smart Router's Intrusion Detection and Prevention or IDP.


    What is IDP?

    Let's start by defining what IDP is. IDP is actually the term used to describe two function: IDS or Intrusion Detection System and IPS or Intrusion Prevention Systems. IDS or Intrusion Detection System is the process of monitoring your network traffic and analyzing it for signs of intrusions. With an IDS, if an attack is detected, then an alert will be sent out, thus the name. IPS or Intrusion Prevention Systems is the process of stopping any detected incidents. So, noticing behavior that doesn't seem right and then not allowing it to happen, basically blocking bad traffic. 

     

    Did you know that the Session Smart Router has Intrusion Detection and Prevention functionality???

     

    That's right, you can use your SSR, which is already doing your routing, to add an additional layer of security to your network. Since traffic is already passing through your SSR, why not have it alert and prevent malicious activity as well? That makes sense to me!

     
    IDP in the SSR

    So how does IDP work in the SSR? Well, the SSR's Intrusion Detection and Prevention System leverages the Juniper IDP Signature Database, providing state of the art protection against the most up-to-date vulnerabilities. The database contains definitions of attack objects and application signatures defined in the form of an IDP policy ruleset that is updated regularly. By automatically downloading the latest definitions and application signatures, the SSR is able to provide cutting edge security solutions for your network.

     

    Enabling this functionality is super-easy. All you do is apply a profile to your access-policies. The currently available profiles are:

    • Alert – When the IDP engine detects malicious traffic on the network, only an alert is generated. 
    • Standard – Each type and severity of attack has a Juniper-defined, non-configurable action that is enforced when an attack is detected. These actions include:
      • Close the client and server TCP connection.
      • Drop current and all subsequent packets.
      • Alert only, no additional action taken.
    • Strict – Similar to Standard, but when an attack is detected, it is more likely to get blocked than the Standard profile. 


    Thin or Thick Branch?

    Ok, so here's the real question, Thin Branch or Thick Branch? No, I'm not talking about trees or the type of kindling you use for your fires here, I'm asking you, do you prefer to have your security done at the branch (Thick Branch) or send the traffic up to the cloud and have it done in the cloud keeping your branch footprint small (Thin Branch). You could always do both too and have some protection done at the branch and some done up in the cloud. For a Thin Branch, I might set my IDP profile to Alert or Standard and then send my traffic up to some of my SaaS Security products. For a Thick Branch, I would choose Standard or Strict and then I can send my traffic directly to the Datacenter or internet. 

     
    SD-Branch or SASE?

    This comes to mind a debate I recently had with my friends over SASE vs SD-Branch. With SASE, you will have a Thin Branch approach where you do all of your protection in the cloud:

    • FWaaS
    • SWG
    • CASB
    • ZTNA

     

    With SD-Branch, you are doing all the work at the Branch, making your branches like tiny fortresses that you manage with one system. Both approaches have very valid use cases, it's really just which approach do you prefer. 

     

    One thing I do want to point out is that Juniper offers solutions for both approaches. If you want the SD-Branch, then I would recommend going with the Full Stack where you have wired, wireless and WAN, as well as on-prem security: https://www.juniper.net/us/en/solutions/artificial-intelligence-for-it-operations-aiops.html

     

    To get the full SASE architecture, just add the Secure Edge to your Full Stack: https://www.juniper.net/us/en/solutions/sase.html

     

    Anyway, I got way more excited about this post than I thought I would. I really love cyber security. On that note, I want to hear from you. Tell me about your feelings towards cyber security or answer any of the questions below:

    • Have you used the SSR's IDP feature yet?
    • Do you prefer your SSR not using IDP, using IDP as an IDS (with Alert), using IDP on the Standard profile, or using IDP on the Strict profile?
    • When it comes to security, which camp are you in: Thin Branch or Thick Branch?
    • What are your thoughts on SASE and SD-Branch?
    • What are you doing for Halloween?

     

    Useful links:

     

    I hope you have a great October and I can't wait to write to you again right before Halloween! Take care!

    #FeatureFridays #IDP #ids #IPS #FullStack #SD-WAN #SD-Branch #SASE 

    ​​​​​​​​​​​​

    ------------------------------
    Justin Melloni
    ------------------------------