In the IPS packet processing flow on an SRX Series device, when does application
identification occur?
A.
after protocol decoding
B.
before SSL decryption
C.
before fragmentation processing
D.
after attack signature matching
If referring to the IPS processing flow chart (figure 13-7) from the Juniper SRX Series book, AppID executes after fragmentation processing.
All answers seem to be wrong.
http://chimera.labs.oreilly.com/books/1234000001633/ch13.html#ips_packet_processing_on_the_srx
It’s “A” with respect to JIPS Chapter 2, page 27
Yes, answer is “A”, after protocol decoding
All wrong 🙁
Whoever writes the exam questions at Juniper must really be drunk 😀 or maybe they are doing the exam for another vendor 😀. I had the question in the exam with the same choices .....
They meant it in the other direction XD, since the SRX goes both directions ..
Stage 5: Application identification
The SRX uses both directions of the traffic to identify the application. If SSL Forward Proxy is enabled, it will take place after application identification has identified the traffic as SSL and proxy is enabled.
So it will happen before fragmentation ...
What logic .....
It’s “A” with respect to JIPS Chapter 2, page 23
SRX IPS Packet Processing
The slide illustrates the procedure used by the SRX to process traffic marked for IPS inspection.
A firewall security policy must first mark the traffic for IPS processing.
Once the firewall security policy match has occurred, each packet must be reordered and reassembled. Duplicate, oversized, undersized, overlapping, and other invalid fragments are discarded.
Then, the IPS session table is examined to determine whether a previous session is present. Next, if no current IPS session table entry is present, the IP actions table is consulted for existing entries, and if no IP actions exist for the current session in process, the session is created.
Also, at this time, if the destination is marked for SSL decryption, a copy of the HTTPS traffic is sent to the decryption engine; the original packet will be queued until inspection is complete.
Once the SRX device creates the session, it must reorder and reassemble the packets into a complete application message. Once the packet reordering and reassembly is complete, the AppID module performs pattern matching to determine which application is present in the traffic. It is important to note that sometimes an application is not identifiable, however in these instances, application DDoS protection can still occur.
After the application identification step, the protocol parsing and decoding can start. The messages in the session are deconstructed into application contexts, which help identify components of the messages. Once the context of the messages is visible, IPS can begin classifying the traffic. Then, signature matches are detected through DFA matching. Finally, if any IPS or IP actions are being taken on the traffic, the SRX implements those actions.
The passage quoted from the study materials above directly contradicts the diagram that accompanies it. In the diagram, App identification DOES in fact take place after the protocol decoding step. However, read the text above, specifically: “After the application identification step, the protocol parsing and decoding can start.”
It also doesn’t make sense to do protocol decoding (otherwise known as looking for application contexts) before the application has even been identified. If you don’t know what the application is, how can you search for relevant contexts?
The other comment above that suggests the test writer meant for the question to be interpreted for traffic in the “other direction” is also incorrect. The process flow will be the same whether the traffic is client-to-server, or server-to-client.
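As an added illustration (not code from the study guide, from Juniper, or from any commenter in this thread), here is a toy Python model of the stage order the quoted passage describes: reassembly that drops duplicate, overlapping, undersized and oversized fragments; application identification by pattern matching on the reassembled bytes; a protocol decoder that is selected by the identified application; and signature matching that is bound to specific application contexts. The sample request, the `EXAMPLE:` signature names and the `http-*` context names are constructed for this example; real SRX internals are not public and nothing below is Junos code. The point it makes concrete is the one argued above: the decoder cannot be chosen, and contexts cannot be produced, until AppID has run.

```python
import re
from dataclasses import dataclass

# Constructed model only: nothing here is Junos code or a real SRX structure.


@dataclass
class Fragment:
    offset: int    # byte offset of this piece inside the full message
    data: bytes


def reassemble(fragments, total_len):
    """Stage 'reorder and reassemble': sort fragments by offset and discard
    undersized (empty), oversized (past the announced length), duplicate and
    overlapping pieces.  Returns the complete message, or None if a gap remains."""
    buf = bytearray(total_len)
    covered = [False] * total_len
    for frag in sorted(fragments, key=lambda f: f.offset):
        end = frag.offset + len(frag.data)
        if not frag.data or frag.offset < 0 or end > total_len:
            continue                       # undersized or oversized fragment
        if any(covered[frag.offset:end]):
            continue                       # duplicate or overlapping fragment
        buf[frag.offset:end] = frag.data
        covered[frag.offset:end] = [True] * len(frag.data)
    return bytes(buf) if all(covered) else None


def identify_app(message):
    """Stage 'AppID': pattern matching on the reassembled bytes.  Returns None
    when the application cannot be identified; decoding is then skipped."""
    if message[:1] == b"\x16" and message[1:2] == b"\x03":
        return "SSL"                       # TLS record header: handshake, version 3.x
    if message.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT",
                                     b"DELETE", b"OPTIONS", b"TRACE"):
        return "HTTP"
    return None


def decode_http(message):
    """Stage 'protocol decoding': break an HTTP request into application
    contexts.  The context names are made up for this example."""
    request_line, _, rest = message.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return {}
    contexts = {"http-method": parts[0], "http-url": parts[1], "http-version": parts[2]}
    for line in rest.split(b"\r\n"):
        if not line:
            break                          # blank line ends the header block
        name, _, value = line.partition(b":")
        key = "http-header-" + name.strip().lower().decode("ascii", "replace")
        contexts[key] = value.strip()
    return contexts


# The decoder is selected by the identified application; this is why AppID has
# to run before protocol decoding.  SSL would go to the decryption engine first.
DECODERS = {"HTTP": decode_http}

# Constructed signatures, each bound to one context, as IPS signatures are.
SIGNATURES = [
    ("EXAMPLE:HTTP:DIR-TRAVERSAL", "http-url", re.compile(rb"\.\./")),
    ("EXAMPLE:HTTP:TRACE-METHOD", "http-method", re.compile(rb"\ATRACE\Z")),
]


def match_signatures(contexts):
    """Stage 'attack signature matching': each pattern is evaluated only
    against the context it is bound to, never against the raw byte stream."""
    return [name for name, context, pattern in SIGNATURES
            if contexts.get(context) is not None and pattern.search(contexts[context])]


def run_pipeline(fragments, total_len):
    """Run the stages in the order the study text gives them."""
    message = reassemble(fragments, total_len)
    if message is None:
        return {"app": None, "contexts": {}, "matches": []}
    app = identify_app(message)
    decoder = DECODERS.get(app)
    if decoder is None:                    # unknown app, or SSL without decryption
        return {"app": app, "contexts": {}, "matches": []}
    contexts = decoder(message)
    return {"app": app, "contexts": contexts, "matches": match_signatures(contexts)}


# Constructed sample request, split into fragments that arrive out of order
# with one exact duplicate and one overlapping piece.
MESSAGE = b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_FRAGMENTS = [
    Fragment(40, MESSAGE[40:]),
    Fragment(0, MESSAGE[:20]),
    Fragment(20, MESSAGE[20:40]),
    Fragment(20, MESSAGE[20:40]),      # duplicate, discarded
    Fragment(30, MESSAGE[30:45]),      # overlaps two accepted fragments, discarded
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_FRAGMENTS, len(MESSAGE)))
```

Swapping the last two stages in `run_pipeline` is not possible without breaking it: `match_signatures` consumes contexts, and contexts only exist once a decoder has been picked from the AppID result, which is the ordering the quoted text states and the one the comment above defends.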
OH My GOD !!!
It seems all the answers are wrong again..
1. Fragmentation Processing
2. SSL Decryption
3. Packet Serialization
4. Application ID
5. Protocol Decoding
6. Attack Signature Matching
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
here check that:
https://www.google.de/search?q=IPS+packet+processing+flow+on+an+SRX+Series&safe=strict&source=lnms&tbm=isch&sa=X&ved=0ahUKEwio15-_rdvSAhVMDMAKHUmUCWIQ_AUICCgB&biw=1536&bih=711&dpr=1.25#imgrc=gP57nJfdZlQL6M: