PrepAway - Latest Free Exam Questions & Answers

9 Comments on “When does application identification occur?”

  1. ama says:

    Whoever writes exam questions at Juniper is really drunk 😀 or maybe does the exam for another vendor 😀. I had the question in the exam with the same choices …..
    They meant it in the other direction XD, since the SRX goes both directions ..

    Stage 5: Application identification

    The SRX uses both directions of the traffic to identify the application. If SSL Forward Proxy is enabled, it will take place after application identification has identified the traffic as SSL and proxy is enabled.
    so it will happen before fragmentation …
    what a logic …..




  2. Fe says:

    It's “A” with respect to JIPS Chapter 2, page 23

    SRX IPS Packet Processing

    The slide illustrates the procedure used by the SRX to process traffic marked for IPS inspection.

    A firewall security policy must first mark the traffic for IPS processing.
    Once the firewall security policy match has occurred, each packet must be reordered and reassembled. Duplicate, oversized, undersized, overlapping, and other invalid fragments are discarded.

    Then, the IPS session table is examined to determine whether a previous session is present. Next, if no current IPS session table entry is present, the IP actions table is consulted for existing entries, and if no IP actions exist for the current session in process, the session is created.

    Also, at this time, if the destination is marked for SSL decryption, a copy of the HTTPS traffic is sent to the decryption engine; the original packet will be in the queue until inspection is complete.

    Once the SRX device creates the session, it must reorder and reassemble the packets into a complete application message. Once the packet reordering and reassembly is complete, the AppID module performs pattern matching to determine which application is present in the traffic. It is important to note that sometimes an application is not identifiable, however in these instances, application DDoS protection can still occur.

    After the application identification step, the protocol parsing and decoding can start. The messages in the session are deconstructed into application contexts, which help identify components of the messages. Once the context of the messages are visible, IPS can begin classifying the traffic. Then, signature matches are detected through DFA matching. Finally, if any IPS or IP actions are being taken on the traffic, the SRX implements those actions.




  3. Dubious says:

    The passage quoted from the study materials above directly contradicts the diagram that accompanies it. In the diagram, App identification DOES in fact take place after the protocol decoding step. However, read the text above – specifically: “After the application identification step, the protocol parsing and decoding can start.”

    It also doesn’t make sense for protocol decoding (otherwise known as looking for application contexts) to happen before the application has even been identified. If you don’t know what the application is, how can you search for relevant contexts?

    The other comment above that suggests the test writer meant for the question to be interpreted for traffic in the “other direction” is also incorrect. The process flow will be the same whether the traffic is client-to-server, or server-to-client.




  4. Hassan says:

    OH My GOD !!!
    it seems all the answers are wrong again..
    1. Fragmentation Processing
    2. SSL Decryption
    3. Packet Serialization
    4. Application ID
    5. Protocol Decoding
    6. Attack Signature Matching

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!



