How to configure TCP Resets on IDP in the Sniffer mode

Article ID: KB12607 KB Last Updated: 06 Feb 2013 Version: 3.0
Summary:
 This article provides information on how to set up an IDP sensor to send TCP resets in the sniffer mode. TCP resets can be extremely effective in controlling unwanted traffic, as well as stopping attacks, when the IDP device cannot be deployed inline.

Symptoms:
How to set up an IDP sensor to send TCP resets in the sniffer mode
Cause:

Solution:
Perform the following procedure:

  1. Log on to the IDP ACM. You can launch the ACM from NSM by right-clicking the device under Device Manager, or go to https://SensorIP.

  2. Select Reconfigure IP Networking from the ACM menu.

  3. Click Next on the Configure Management Interface page. This will take you to the Choose Sniffer Interface(s) page.

  4. On the Choose Sniffer Interface(s) page, clear the interface that is not being used for sniffing and click Next; this will take you to the Choose Reset Interface page.

  5. On the Choose Reset Interface page, select the interface that was cleared in the previous step for the reset interface. Click Next; this will take you to the Configure Routing Table page.

  6. No changes are required on the Configure Routing Table page. Confirm that the default route is set and the outgoing interface is set to Any. Click Next to go to the Brief Configuration Report page.

  7. On the Brief Configuration Report page, scroll down to the bottom, confirm that Save & Apply is selected, and click the Confirm Configuration button. The sensor will apply the settings and return a status page when complete.

  8. (Important) Now connect the reset interface (selected in step 5) to the layer 2 network from which the sniffing is being done. This is important to ensure that the spoofed reset packets are correctly placed on the wire.

    Note: As there is no IP address on the reset interface, you will not be able to see the resets via tcpdump on the IDP sensor reset interface. You will have to either run tcpdump on the sniffing interface or use a packet capture tool on the server or client for which you have set up the resets under 'Policy Manager' in NSM (explained in step 10).

  9. In NSM, you will have to re-import the sensor if it has already been added. To do this, go to Device Manager, right-click the correct IDP device, and select Import. When complete, a confirmation page will be displayed.

  10. Now you have to configure a policy to perform the resets. Under Policy Manager in NSM edit, create a new policy. It might be good to first create a test policy. Under Action, select any of the following options: Close Client, Close Server, or Close Client and Server. Each of these options is explained in detail in Table 6: IDP Rulebase Actions in the Concepts and Examples Guide for IDP.
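
To confirm the resets described in the note under step 8, the following added example (not from the original article or from Juniper) counts TCP RST segments in a capture taken on the sniffing interface or on the client or server, and reports which end of the connection each reset was addressed to. It assumes a classic pcap file with Ethernet framing; the function names, addresses and sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def tcp_resets(pcap: bytes, server_ip: str, server_port: int) -> Counter:
    """Count TCP RSTs in a classic pcap (Ethernet, IPv4), keyed by which end
    of the server_ip:server_port connection each reset is addressed to."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    hits, off = Counter(), 24                       # skip 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                # keep IPv4/TCP only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14 or not tcp[13] & 0x04:     # 0x04 = RST flag
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", tcp[:4])
        if (dst, dport) == (server_ip, server_port):
            hits["to_server"] += 1
        elif (src, sport) == (server_ip, server_port):
            hits["to_client"] += 1
    return hits

def _frame(src, sport, dst, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 0, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: a handshake, then one reset toward each endpoint."""
    c, s = ("192.0.2.10", 40000), ("198.51.100.5", 80)   # documentation addresses
    frames = [_frame(*c, *s, 0x02), _frame(*s, *c, 0x12), _frame(*c, *s, 0x10),
              _frame(*s, *c, 0x04), _frame(*c, *s, 0x04)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(dict(tcp_resets(sample_pcap(), "198.51.100.5", 80)))
```

Endpoints also send resets of their own, so compare the counts against a flow that is known to match the test policy from step 10.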
