IDP Policies Overview
An IDP policy defines how your device handles network traffic. It lets you enforce various attack detection and prevention techniques on traffic traversing your network.
A policy is made up of rulebases, and each rulebase contains a set of rules. You define rule parameters, such as traffic match conditions, action, and logging requirements, and then add the rules to rulebases. After you create an IDP policy by adding rules to one or more rulebases, you can select that policy as the active policy on your device.
JUNOS Software allows you to configure multiple IDP policies, but a device can have only one active IDP policy at a time. You can install the same IDP policy on multiple devices, or you can install a unique IDP policy on each device in your network. A single policy can contain only one instance of any type of rulebase.
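The structure described above (one policy, one IPS rulebase, a rule with match conditions, action and logging, then the policy selected as active), shown as an added Junos CLI example that is not taken from this manual; the policy, rule and zone names and the attack-group placeholder are assumptions, not predefined objects.

```junos
## Added example: an IDP policy named ips-policy with a single IPS rulebase.
## The rule matches traffic from zone trust to zone untrust, inspects it against
## a predefined attack group (placeholder name), drops the connection on a match,
## and logs the event with an alert.
set security idp idp-policy ips-policy rulebase-ips rule block-critical match from-zone trust
set security idp idp-policy ips-policy rulebase-ips rule block-critical match to-zone untrust
set security idp idp-policy ips-policy rulebase-ips rule block-critical match source-address any
set security idp idp-policy ips-policy rulebase-ips rule block-critical match destination-address any
set security idp idp-policy ips-policy rulebase-ips rule block-critical match application default
set security idp idp-policy ips-policy rulebase-ips rule block-critical match attacks predefined-attack-groups "<PREDEFINED-ATTACK-GROUP>"
set security idp idp-policy ips-policy rulebase-ips rule block-critical then action drop-connection
set security idp idp-policy ips-policy rulebase-ips rule block-critical then notification log-attacks alert
set security idp idp-policy ips-policy rulebase-ips rule block-critical then severity critical

## Only one IDP policy can be active at a time; selecting a different policy
## here replaces the previous active policy rather than adding to it.
set security idp active-policy ips-policy

## Traffic reaches the IDP engine only through a security policy that permits it
## with the IDP application service; without this line the rule never matches.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp
```

Replace the placeholder with a group name from the installed signature database before committing.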
IDP Policy Terms
Before configuring IDP policies, become familiar with the terms
defined in Table 72.
Table 72: IDP Terms

| Term | Definition |
|---|---|
| Attacks | Attacks attempt to exploit vulnerabilities in computer hardware and software. Depending on the severity of the attack, it might disable your system completely, allow an attacker to gain confidential information stored on your system, or use your network to attack other networks. |
| Attack objects | A signature or protocol anomaly that is combined with context information. Attack objects are used in Main rulebase rules to match malicious traffic patterns. Each attack object detects a known attack or protocol anomaly that can be used by an attacker to compromise your network. |
| False positives | Any situation in which benign traffic causes an intrusion detection service to generate an alert; also known as a false alert. |
| Protocol anomaly | A deviation from the RFC specifications that dictate how communications between two entities should be implemented. Most legitimate traffic does not deviate from the protocols; when anomalies are detected, they are often a sign of malicious traffic and seen as a threat to the system. |
| Rule | A user-defined match/action sequence. Rules are represented graphically in the Security Policy Editor, where you can create, modify, delete, and reorder them in a rulebase. |
| Rulebase | A set of rules that uses a specific detection mechanism to identify and prevent attacks. |
| Severity | The designated threat level of an attack (critical, high, medium, low, or informational). Attack objects use the severity setting that matches the threat level of the attack they detect. |
Working with IDP Policies
You can perform the following tasks to manage IDP policies:
- Create new IDP policies starting from scratch (see Defining Rules for an IPS Rulebase).
- Create an IDP policy starting with one of the predefined templates provided by Juniper Networks (see Using Predefined Policy Templates).
- Add or delete rules within a rulebase. You can use any of the following IDP objects to create rules:
  - Zone and network objects available in the base system
  - Predefined service objects provided by Juniper Networks
  - Custom application objects
  - Predefined attack objects provided by Juniper Networks
- Create custom attack objects (see Configuring Signature-Based Attacks).
- Update the signature database provided by Juniper Networks. This database contains all predefined objects.
- Maintain multiple IDP policies. Any one of the policies can be applied to the device.