AppSecure real-world application

snadam

Just wondering if anyone has seen or used the AppSecure suite or IDP module on an SRX platform before. Been reading about it, and it seems pretty cool. However, after some basic googlin', I haven't really seen any indication people are using IDP/AppSecure in the wild. There are some features in the suite that look interesting to me, and I can conceptually see using them in production. Looking for some feedback, if at all possible.


Thanks in advance!

snadam

Whoa, not all at once people! .

I figured that it would be a quiet thread; worth a shot though.

networknubbin

I don't check these forums that often...

We have IDP active on almost all SRX (few hundred high-end), AppSecure is only really worth it post-overhaul (12.1X47 and above). There are still some issues with uncategorised and/or encrypted apps and how to handle them best, but for the most part it's well done.

networknubbin

Figured I'd paste the release notes for those who can't see them re: the AppFW overhaul:
[h=2]Release 12.1X47-D10 Software Features[/h][h=3]Application Identification and Tracking[/h]

• Application-level distributed denial of service [SRX Series]—As announced in Junos OS Release 12.1X46-D10, application-level distributed denial of service is being deprecated in Junos OS Release 12.1X47-D10. This feature will be removed in a future release per the Juniper Networks deprecation process. As a replacement product for this feature, we recommend that you migrate to the Juniper Networks DDoS Secure product line. For more details, contact your sales engineer.
• Default trusted CA certificates for SSL forward proxy [High-end SRX Series]—SSL forward proxy uses trusted CA certificates for server authentication. Junos OS provides a default list of trusted CA certificates that you can easily load on to your system using a default command option. Alternatively, you can continue to use the CA profile feature to define your own list of trusted CA certificates and import them on to your system.[See Services Offloading Overview.]
  
• Next-generation application identification [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification recognizes Web-based and other applications and protocols at different network layers using characteristics other than port number.With next-generation application identification, applications are identified by using a downloadable protocol bundle containing application signatures and parsing information. Here, identification is based on protocol behavior and session management.
  Next-generation application identification builds on the legacy application identification functionality and provides more effective detection capabilities for evasive applications such as Skype, BitTorrent, and Tor. It improves the accuracy of existing applications, enables dynamic update of the detector engine without requiring Junos OS code upgrade, and increases the application count to around 2900.
  [See Application Identification Feature Guide for Security Devices.]
  
• Next-generation application identification predefined signatures [SRX100H2, SRX110H2-VA, SRX110H2-VB, SRX210HE2, SRX210HE2-POE, SRX220H2, SRX220H2-POE, SRX240H2, SRX550, SRX650, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and SRX5800]—Next-generation application identification eliminates previously implemented pattern-based matching technology and particular signature constructs for each application. The new detection mechanism has its own data feed and constructs to identify applications. Next-generation application identification eliminates the generation of nested application and treats nested application as normal applications.[See Application Identification Feature Guide for Security Devices.]

snadam

thanks for the reply! I may wait and see what juniper has up their sleeve for their next-gen FWs before I go implementing any AppSecure stuff in production.