Malicious URL Protection

Copyright © 2010, Juniper Networks, Inc.
Enable malicious URL protection on a security device to drop incoming HTTP packets
that reference URLs with specific user-defined patterns. You can define up to 48 malicious
URL string patterns per zone, each of which can be up to 64 characters long, for malicious
URL protection at the zone level. When the malicious URL blocking feature is selected,
the security device examines the data payload of all HTTP packets. If it locates a URL
and detects that the beginning of its string—up to a specified number of
characters—matches the pattern you defined, the device blocks that packet from passing
the firewall.
A resourceful attacker, realizing that the string is known and might be guarded against,
can deliberately fragment the IP packets or TCP segments to make the pattern
unrecognizable during a packet-by-packet inspection. However, security devices use
Fragment Reassembly to buffer fragments in a queue, reassemble them into a complete
packet, and then inspect that packet for a malicious URL. Depending on the results of
this reassembly process and subsequent inspection, the device performs one of the
following steps:
- If the device discovers a malicious URL, it drops the packet and enters the event in the log.
- If the device cannot complete the reassembly process, a time limit is imposed to age out and discard fragments.
- If the device determines that the URL is not malicious but the reassembled packet is too big to forward, the device fragments that packet into multiple packets and forwards them.
- If the device determines that the URL is not malicious and does not need to fragment it, it then forwards the packet.
To configure a malicious URL string, you must specify the following properties:
- Malicious URL ID—Enter the ID that you want to use to identify the URL string.
- HTTP Header Pattern—Enter the malicious URL string (also called a pattern) that you want the security device to match.
- Minimum Length Before CRLF—Enter the number of characters in the URL string (pattern) that must be present in a URL—starting from the first character—for a positive match (not every character of the pattern is required for a match). CRLF represents "carriage return/line feed"; HTTP uses a CR or LF character to mark the end of a code segment.
For more information about malicious URLs on security devices, refer to the Concepts &
Examples ScreenOS Reference Guide: Attack Detection and Defense Mechanisms.
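As an added illustration (not ScreenOS code and not taken from this guide), the Python model below captures the matching rule described above: a URL matches an entry when its first Minimum-Length characters equal the first Minimum-Length characters of the pattern, and a verdict is only possible once a complete request line (terminated by CR/LF) is visible, which is why a pattern split across two TCP segments is missed packet by packet but caught after reassembly. The class, function names, request-line parser and sample requests are my own constructions; the 48-per-zone and 64-character limits are the ones stated on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_PATTERNS_PER_ZONE = 48  # zone-level limit stated in the guide
MAX_PATTERN_LEN = 64        # per-pattern limit stated in the guide

@dataclass(frozen=True)
class MaliciousUrl:
    """One zone entry: Malicious URL ID, HTTP Header Pattern, Minimum Length Before CRLF."""
    url_id: str
    pattern: str
    min_len: int

    def __post_init__(self) -> None:
        if not 1 <= len(self.pattern) <= MAX_PATTERN_LEN:
            raise ValueError("pattern must be 1..%d characters" % MAX_PATTERN_LEN)
        if not 1 <= self.min_len <= len(self.pattern):
            raise ValueError("min_len must lie within the pattern length")

def add_entry(zone: List[MaliciousUrl], entry: MaliciousUrl) -> List[MaliciousUrl]:
    """Append an entry to a zone, enforcing the 48-patterns-per-zone limit."""
    if len(zone) >= MAX_PATTERNS_PER_ZONE:
        raise ValueError("zone already holds %d patterns" % MAX_PATTERNS_PER_ZONE)
    zone.append(entry)
    return zone

# Hypothetical request-line parser: METHOD SP target SP HTTP/x.y, ended by CR and/or LF.
_REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/\d\.\d(?:\r\n|\r|\n)")

def url_from_payload(payload: bytes) -> Optional[str]:
    """URL of a complete request line, or None if no terminated line is present yet."""
    m = _REQUEST_LINE.match(payload)
    return m.group(1).decode("latin-1") if m else None

def is_malicious(payload: bytes, zone: List[MaliciousUrl]) -> Optional[str]:
    """ID of the first entry whose leading min_len characters equal the URL's
    leading min_len characters; None when nothing matches or the line is incomplete."""
    url = url_from_payload(payload)
    if url is None:
        return None
    for e in zone:
        if len(url) >= e.min_len and url[:e.min_len] == e.pattern[:e.min_len]:
            return e.url_id
    return None

def inspect_segments(segments: List[bytes], zone: List[MaliciousUrl]):
    """Packet-by-packet verdicts versus the single verdict after reassembly."""
    per_segment = [is_malicious(s, zone) for s in segments]
    return per_segment, is_malicious(b"".join(segments), zone)
```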
Related Documentation
- Example: Enabling the Malicious URL Blocking Option (NSM Procedure) on page 50
- Predefined Screen Options Overview on page 40
- Interface Types in ScreenOS Devices Overview on page 50
Chapter 3: Network Settings (page 49)
Source: Network and Security Manager 2010.4, Configuring ScreenOS Devices Guide, Rev 01.