CertKey.com News

IPS Info of Juniper

Beyond all of what we see, our perimeter networks are under continuous attack every day. As someone who has been increasingly involved with malware testing and IPS, I recently decided that I wanted to set up a HoneyNet to capture some of these exploitation attempts in action, so that I could analyze them offline to gain a better understanding of what types of threats my network is under. While most security engineers are quite familiar with the so-called 'best practices' of network security, your network is still going to be exposed to a certain extent.


There are open source and commercial honeypot applications which simulate real hosts and daemons and record all of the interaction with the 'client'. These applications certainly have their use, but in part I was interested to see how strong my defenses are against real attacks, and at the same time what those attacks are. For this reason, I decided not to use off-the-shelf honeynet applications, but to deploy real instances of some well-known systems. To make administration easier, I deployed these systems as virtual machines, which not only reduces the energy/space footprint but also lets you easily roll the machines back to various states and clone them for research.


At the same time, the Juniper IPS is configured to track outbound connections, and the vGW will also be able to track attempts to infect other hosts on the network, with all logs (including those from my firewall, which is not filtering but just logging the traffic) sent to an STRM to help correlate activity and changes in behavior. Finally, just so I'm able to analyze everything later, I keep a rolling packet capture of all of the action in my honeynet, though I'm also capturing attack PCAPs from my IDP. This can be done with tcpdump, Wireshark, or other packet capture methods.
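As an added example (not code from the original post), a small POSIX shell script for the rolling capture described above; the capture interface, the management workstation and the STRM collector addresses are assumptions for a lab setup.

```shell
#!/bin/sh
# Rolling packet capture for a honeynet segment. All names and addresses here are
# assumptions for a lab, not values from the original post.
IFACE="${IFACE:-eth1}"                 # honeynet-facing capture interface (assumed)
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"   # admin workstation (RFC 5737 documentation address)
STRM_HOST="${STRM_HOST:-192.0.2.20}"   # log collector the honeypots forward syslog to (assumed)
CAPTURE_DIR="${CAPTURE_DIR:-/var/pcap/honeynet}"
ROTATE_SECS="${ROTATE_SECS:-3600}"     # tcpdump -G: start a new file every hour
RETAIN_HOURS="${RETAIN_HOURS:-168}"    # keep one week of rotated files

# BPF filter: keep what the honeypots exchange with the outside world and drop our own
# administration and syslog-forwarding traffic, so the archive holds only attacker activity.
honeynet_bpf() {
    printf 'not host %s and not (dst host %s and port 514)' "$MGMT_HOST" "$STRM_HOST"
}

# Print the tcpdump command that would be run, one argument per line, so it can be
# reviewed before starting. -s 0 keeps full packets, -G rotates by time, -z gzips each
# finished file, and the strftime pattern in -w gives every file a unique timestamp.
honeynet_capture_cmd() {
    printf '%s\n' tcpdump -n -i "$IFACE" -s 0 -G "$ROTATE_SECS" \
        -w "$CAPTURE_DIR/honeynet-%Y%m%d-%H%M%S.pcap" -z gzip "$(honeynet_bpf)"
}

# Delete rotated captures older than RETAIN_HOURS. tcpdump -W does not overwrite when
# combined with -G; it simply exits after that many files, so pruning is done here.
honeynet_prune() {
    find "$CAPTURE_DIR" -name 'honeynet-*.pcap*' -mmin +"$((RETAIN_HOURS * 60))" -delete
}

# Start the capture (needs root or CAP_NET_RAW). DRY_RUN=1 only prints the command.
honeynet_capture() {
    mkdir -p "$CAPTURE_DIR"
    honeynet_prune
    if [ "${DRY_RUN:-0}" = "1" ]; then
        honeynet_capture_cmd
        return 0
    fi
    exec tcpdump -n -i "$IFACE" -s 0 -G "$ROTATE_SECS" \
        -w "$CAPTURE_DIR/honeynet-%Y%m%d-%H%M%S.pcap" -z gzip "$(honeynet_bpf)"
}
```

Run `DRY_RUN=1 sh capture.sh && . ./capture.sh && honeynet_capture` (or call `honeynet_capture` from a service unit) once the interface and addresses match your lab.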


With the HoneyNet infrastructure in place, all I had to do was wait for the attacks to start streaming in. I was quite amazed that attacks started streaming in immediately! Normally our stateful firewalls can do a good job of filtering out inbound connections, but most organizations must expose some of their infrastructure for services like Web, Email, File Sharing, and other services they may allow inbound, and this is where IPS and other Layer 7 security protections can come in handy. It certainly appears that most of the activity I'm seeing inbound is scans followed by automated attacks: everything from various IP/port sweeps to actual exploits. There are also several attacks geared towards information leakage and gaining access to the system, including brute force attempts on FTP/SSH/SMB, and attempts to gain system-level access through misconfiguration. But it's amazing, indeed.



--By Certkey Sales Team