Juniper IDP OS 5.1R1 - RELEASE NOTES REV 1, IDP OS 5.1R1 Release Note

IDP Series Release Notes
IDP OS 5.1r1

February 8, 2011
Revision 01

Contents

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Supported Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

New and Changed Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Unsupported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Known Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Supported Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Downgrading or Reverting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Compatibility with Network and Security Manager . . . . . . . . . . . . . . . . . . . . . . . . . 6

Compatibility with Juniper Networks Infranet Controller . . . . . . . . . . . . . . . . . . . . . 7

Browser Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Upgrading IDP Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Upgrading with NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Upgrading with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

1Copyright © 2011, Juniper Networks, Inc.

Juniper Networks Intrusion Detection and Prevention Release Notes

Overview

Juniper Networks Intrusion Detection and Prevention Series devices enable you to enforce
a security policy that leverages continuous security research by the Juniper Security Center
to protect your network from attacks. The IDP Series also includes features that enable
you to gather information about applications and servers in your network.

These release notes contain information about what is included in this product release:
supported features, unsupported features, changed features, known problems, and
resolved problems. If the information in the release notes differs from the information
found in the documentation set, follow the release notes.

Supported Hardware

IDP 5.1r1 is supported on the following platforms:

•

IDP8200, IDP800, IDP250, IDP75

•

IDP1100, IDP600, IDP200

New and Changed Features

The following table summarizes new and changed features.

Table 1: New Features

DescriptionFeature

High availability

Simulation mode

IDP OS Release 5.1 supports high availability in network designs where you have deployed
redundant network paths and use the failure detection features of a firewall, router, or switch
to manage the cutover from the primary path to the backup path in cases of failure. For details,
see IDP Series Deployment Scenarios.

Beginning in IDP OS Release 5.1, you can operate the IDP Series device in simulation mode. In
simulation mode, the original packets are forwarded immediately and the IDP Series device
processes a copy, logging actions that would have been taken if simulation mode were not
enabled.

You operate an IDP Series device in simulation mode in the following situations:

•

When you first deploy the IDP Series device in your network and you want to evaluate the
security actions it takes without disrupting traffic.

•

When you implement a new feature or change a security policy and you want to evaluate the
impact without disrupting traffic.

•

As a workaround to avoid traffic outages when IDP processing is resulting in crashes and other
failures.

For details, see Simulation Mode Overview and its related topics.

Enhanced system resource
instrumentation

IDP OS Release 5.1 supports extensive system resource instrumentation, so you can use SNMP
utilities to monitor device health and load. For details, see SNMP Statistic Reporting and

Traps Task Summary and its related topics.

Copyright © 2011, Juniper Networks, Inc.2

Table 1: New Features (continued)

DescriptionFeature

New and Changed Features

Enhanced application
identification

Enhanced APE rulebase
features

Beginning with IDP OS Release 5.1, the application identification feature can match extended
application signaturesusedinAPE rulebaserules.Extended application signatures are also called
nested application signatures. The predefined extended application signatures developed for
IDP OS Release 5.1 include the most prevalent Web 2.0 applications running over HTTP. If your
security policy includes APE rules configured to match extended application signatures, the
application identification process identifies and generates the following HTTP contexts:
http-url-parsed,http-url-parsed-param-parsed,http-header-host,and http-header-content-type.
The application identification feature can then match application signature patterns in those
contexts.

J-Security Centerupdatesapplication signatures and develops new ones as necessary. Beginning
with IDP OS Release 5.1, you can use NSM to browse predefined application objects, predefined
extended application objects, and application groups. You can also use NSM to create custom
application definitions, if needed. You cannot, however, create custom extended application
definitions.

For details, see Using Application Identification, Using Application Objects, and their related
topics.

Beginning with IDP OS Release 5.1:

•

You can create rules that match extended application objects (also called nested application
objects).

•

You can apply a new action to matching rules: DiffServ + Ratelimiting.

•

If you use user-role based matching, you can set a global option to enable an aggregate limit
for matching user-roles (default) or a per-subscriber rate limit (by using a CLI command).

For details, see Understanding the APE Rulebase and its related topics.

Enhanced attack signature

Configurable syslog
communication

Bidirectional packetcapture

IDP OS Release 5.1 supports the following configurable constraints to enable you to fine-tune
custom attack signatures:

•

Within bytes—Configure a byte range where the attack pattern must be detected.

•

Within packets—Configure a packet range where the attack pattern must be detected.

•

Context checking—Configure a byte-length requirement for matching contexts.

This release also supports bit-level matching for binary protocols.

For details, see the IDP Series Custom Attack Object Reference and Examples Guide.

Beginning with IDP OS Release 5.1, you can specify the protocol and port to use for syslog
messages. See Configuring Syslog Collection (NSM Procedure).

Beginning with IDP OS Release 5.1,youcan use a new utility to capture packets at the Rx interface
(receiving interface) and also at the Tx interface (transmitting interface). See Using

jnetTcpdump to Capture Packets.

3Copyright © 2011, Juniper Networks, Inc.

Juniper Networks Intrusion Detection and Prevention Release Notes

Table 1: New Features (continued)

DescriptionFeature

Enhanced debugging and
troubleshooting tools

Unsupported Features

The following features are not supported in IDP OS Release 5.1:

•

•

•

Note that IDP75 does not have an HA interface. We do not support an HA deployment
with IDP75 devices. Also, IDP75 has only one pair of traffic interfaces. We do not support
a mixed mode deployment with IDP75 devices.

You can use the following CLI command enhancements to display system information:

•

scio app cache—A new option, listall, allows you to list the entire application identification

cache. Previously, only the most recent 32 were listed.

•

scio logview—A new command that enables you to troubleshoot log collection by NSM. The

command allows you to view raw log data on the IDP Series device so you can compare it to
the logs seen at NSM.

•

scio subs—A new option displays aggregate statistics for all IDP engines on IDP8200. IDP8200

has multiple IDP engines. To view an aggregation, use scio subs aggregatestatus s0. To view
statistics per engine, use scio subs status s0.

•

scio var—The TCP and UDP flow tables now include a column for application.

SSL decryption using IDEA-based algorithms or ciphers. Also not supported in IDP OS
Release 5.0.x.

On IDP8200, 10 gigabyte fiber interfaces do not support interface signaling or peer
port modulation. Also not supported in IDP OS Release 5.0.x.

Authentication to the ACM via RADIUS with RSA SecurID (authentication via RADIUS
server is supported). Same as IDP OS Release 5.0.x.

Known Limitations

For single core platforms (IDP75, IDP200, IDP600), we recommend you disable
application volume tracking (AVT). The AVT feature is fully functional, but the AVT
process is CPU intensive. During stress testing, high CPU usage by the AVT feature resulted
in link flapping.

Note that if you disable AVT, IDP Reporter application volume reports are empty.

To disable AVT:

1. From NSM Device Manager, double-click a device and then click Profiler Settings.

2. Click the General tab.

3. Deselect Enable AVT.

4. Click Apply.

5. From NSM Device Manager, right-click the device and select Update Device to push

your configuration change to the device.

Copyright © 2011, Juniper Networks, Inc.4

Supported Upgrade Paths

You can upgrade directly from any of the following versions:

•

5.0r2

•

5.0r1

•

4.1r4

Beginning with IDP OS Release 5.0, IDP Series does not support bridge, proxy-arp, or
router mode. Before upgrading to IDP OS 5.1, you must redeploy the IDP Series device in
transparent or sniffer mode.

Supported Upgrade Paths

NOTE: The upgrade paths assume your current IDP Series device has been

in use and the device had been added to NSM. You might encounter
unexpected behavior during the upgrade if you are upgrading from a newly
reimaged,undeployed IDP OS 4.2 or 4.1 device (such as a 2009 factory image
of the IDP OS). In these cases, we recommend you add the IDP device to NSM
and import the device configurationinto NSM prior to performing the upgrade.
Doing so will avoid the file permissions issue described in KB 15071.

Table 2 on page 5 describes the changes to files and directories you will notice when
you upgrade.

Table 2: Changes to Files and Directories

Files and DirectoriesUpgrade Path

No changes to attend to before upgrade.From 5.0r2

From 5.0r1

Before you upgrade, take note of the following changes and recommended actions:

•

IDP 5.1r1 stores packetlogsinnumberedsubdirectories of /usr/idp/device/var/pktlogs/.Toimplement
this change, your existing /usr/idp/device/var/pktlogs/ directory will be overwritten. If you have
been using the option to maintain packet data locally and send to NSM on demand, copy any packet
logs you want saved from /usr/idp/device/var/pktlogs/ to a remote location before you upgrade.
Previously collected packet capture logs will not be available to NSM. This action is not required if
you have been using the option to always include packet data when NSM sends the event log.

•

Your custom settings in the /usr/idp/device/bin/user_funcs file are preserved when you upgrade.
No action is required.

5Copyright © 2011, Juniper Networks, Inc.

Juniper Networks Intrusion Detection and Prevention Release Notes

Table 2: Changes to Files and Directories (continued)

Files and DirectoriesUpgrade Path

From 4.1r4

When you upgrade from IDP OS 4.1r4 to IDP OS 5.1r1, you are reimaging the disk with a new operating
system. All partitions except /var/idp are rewritten.

In addition, IDP 5.1r1 stores packet logs in numbered subdirectories of /usr/idp/device/var/pktlogs/.
This is the same directory structure introduced in IDP 4.1r4. Note, however, that the upgrade process
preserves only packet log files in /usr/idp/device/var/pktlogs/0/. Packet log files in other directories
will be lost upon upgrade. If you have been using the option to maintain packet data locally and send
to NSM on demand, copy logs from /usr/idp/device/var/pktlogs/1/ and higher numbered log directories
to a remote location before you upgrade. This action is not required if you have been using the option
to always include packet data when NSM sends the event log.

The upgrade process restores your license and most of your previous settings. The following settings
are not preserved:

•

The upgrade does not retain settings no longer supported in IDP 5.1.

•

The upgrade process saves a backup of your previous /usr/idp/device/bin/user_funcs file, but
installs a new user_funcs file in order to provide appropriate content for IDP 5.1.

Downgrading or Reverting

You cannot downgrade or revert to a previous version. You can reimage the operating
system, if necessary. For details on reimaging, see the installation guide for your IDP
Series device.

Licensing

The upgrade procedure preserves your earlier license configuration. The reimaging
proceduredoes not. If you reimage the appliance, see the installation guide for information
on licensing.

Compatibility with Network and Security Manager

At the time of the IDP OS Release5.1r1, we verified compatibility with the following release
of Network and Security Manager (NSM):

•

NSM 2010.4 build LGB14z2q21

NSM 2010.4 build LGB14z2q21 is required to support new IDP OS Release 5.1 features.

Table 3: Download Locations for NSM 2010.4 (Requires Log In)

URLNSM Software

NSM Client

https://download.juniper.net/software/nsm/2010.4q21/nsm2010.4q21_ui_win_x86.zip

(Windows)

https://download.juniper.net/software/nsm/2010.4q21/nsm2010.4q21_ui_linux_x86.zip(Linux)

Copyright © 2011, Juniper Networks, Inc.6

Compatibility with Juniper Networks Infranet Controller

Table 3: Download Locations for NSM 2010.4 (Requires Log In) (continued)

URLNSM Software

NSM Server

MD5 checksum

https://download.juniper.net/software/nsm/2010.4q21/nsm2010.4q21_servers_sol_sparc.zip

(Solaris)

https://download.juniper.net/software/nsm/2010.4q21/nsm2010.4q21_servers_linux_x86.zip

(Linux)

https://download.juniper.net/software/nsm/2010.4q16/md5sum.txt

NOTE: NSMXpress users should consult KB 13946 for information on how
to upgrade NSMXpress to a patch version of NSM.

Compatibility with Juniper Networks Infranet Controller

The user-role-basedpolicy featuredepends on deployment with IC Series Unified Access
Control (UAC) 4.1r1 or later. Contact your Juniper Networks sales representative for
information on UAC release dates.

Browser Requirements

The ACM, QuickStart utility, and IDP Reporter have been tested on the following browsers:

•

Internet Explorer 7.x, 6.x

•

Firefox 3.x, 2.x

Upgrading IDP Software

During upgrade, the IDP Series appliance is gracefully shut down. If you have configured
bypass for traffic interfaces, you do not need to be concerned about traffic disruption. If
you have not configured bypass, you should plan to complete your upgrade at an
appropriate time.

You can use NSM or the CLI to upgrade the IDP OS. You must use NSM to complete the
IDP detector engine and attack object updates.

TIP: If possible, use a laptop to connect to the console port of the IDP Series

device when you upgrade. This will enable you to view any console messages
that can assist in identifying any issues during upgrade. We understand this
is not possible or desirable in all deployments, so connecting via console is
not required to upgrade.

7Copyright © 2011, Juniper Networks, Inc.