Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual page 48

Table 14: IDP Security Policy Rulebases

Application Rulebase: Enables you to limit bandwidth for specified users and applications and thus helps to manage network traffic. APE rules do not use attack objects.

IDP Rulebase: Protects your network from attacks by using attack objects to detect known and unknown attacks. Juniper Networks provides predefined attack objects that you can use in IDP rules. You can also configure your own custom attack objects.

Exempt Rulebase: You configure rules in this rulebase to exclude known false positives or to exclude a specific source, destination, or source/destination pair from matching an IDP rule. If traffic matches a rule in the IDP rulebase, IDP attempts to match the traffic against the Exempt rulebase before performing the action specified.

Backdoor Rulebase: Protects your network from mechanisms installed on a host computer that facilitate unauthorized access to the system. Attackers who have already compromised a system typically install backdoors (such as Trojans) to make future attacks easier. When attackers send and retrieve information to and from the backdoor program (as when typing commands), they generate interactive traffic that IDP can detect.

SYN Protector Rulebase: Protects your network from SYN floods by ensuring that the three-way handshake is performed successfully for specified TCP traffic. If you know that your network is vulnerable to a SYN flood, use the SYN Protector rulebase to prevent it.

Traffic Anomalies Rulebase: Protects your network from attacks by using traffic flow analysis to identify attacks that occur over multiple connections and sessions (such as scans).

Network Honeypot Rulebase: Protects your network by impersonating open ports on existing servers on your network, alerting you to attackers performing port scans and other information-gathering activities.
3. Within rulebases, configure rules.
Rules are instructions that provide context to detection methods. Rules specify:
- A source/destination/service match condition that determines which traffic to inspect
- Attack objects that determine what to look for (IDP rulebase and Exempt rulebase)
- Actions that determine what to do when an attack is detected
- Notification options, including logs, alerts, and packet captures
Each rulebase can contain up to 40,000 rules.
4. Fine-tune your security policy as you learn more about your network and security requirements and IDP capabilities.
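The following is an added illustration, not code from the guide or from NSM itself: a small Python model of how an IDP rule (match condition, attack objects, action, logging) interacts with the Exempt rulebase, which is consulted after an IDP rule matches and before its action is applied. The rule names, addresses, attack object names and flows are all constructed for the example; the 40,000 rule limit is the one stated in the guide.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RULES_PER_RULEBASE = 40_000  # limit stated in the guide


@dataclass(frozen=True)
class Flow:
    """One inspected session; `detected` holds the attack objects the engine found in it."""
    src: str
    dst: str
    service: str
    detected: frozenset = frozenset()


@dataclass(frozen=True)
class IdpRule:
    """Match condition (src/dst/service, 'any' is a wildcard), attack objects, action, logging."""
    name: str
    src: str
    dst: str
    service: str
    attacks: frozenset
    action: str
    log: bool = True


@dataclass(frozen=True)
class ExemptRule:
    """Excludes a source/destination pair (and optionally specific attack objects) from IDP actions."""
    name: str
    src: str
    dst: str
    attacks: frozenset = frozenset()  # empty set: exempt every attack object for this pair


def check_rulebase_size(rules) -> None:
    if len(rules) > MAX_RULES_PER_RULEBASE:
        raise ValueError(f"rulebase has {len(rules)} rules; limit is {MAX_RULES_PER_RULEBASE}")


def _match(pattern: str, value: str) -> bool:
    return pattern == "any" or pattern == value


def exempted_by(flow: Flow, attack: str, exempt_rules) -> Optional[str]:
    """Name of the first Exempt rule covering this flow and attack object, if any."""
    for rule in exempt_rules:
        if (_match(rule.src, flow.src) and _match(rule.dst, flow.dst)
                and (not rule.attacks or attack in rule.attacks)):
            return rule.name
    return None


def evaluate(flow: Flow, idp_rules, exempt_rules) -> dict:
    """First IDP rule whose match condition and attack objects both hit decides the outcome,
    unless an Exempt rule covers the flow, in which case no action is taken (simplified model)."""
    check_rulebase_size(idp_rules)
    check_rulebase_size(exempt_rules)
    for rule in idp_rules:
        if not (_match(rule.src, flow.src) and _match(rule.dst, flow.dst)
                and _match(rule.service, flow.service)):
            continue
        hits = rule.attacks & flow.detected
        if not hits:
            continue
        attack = sorted(hits)[0]
        exempt = exempted_by(flow, attack, exempt_rules)
        if exempt:
            return {"rule": rule.name, "attack": attack, "action": "none",
                    "exempted_by": exempt, "logged": False}
        return {"rule": rule.name, "attack": attack, "action": rule.action,
                "exempted_by": None, "logged": rule.log}
    return {"rule": None, "attack": None, "action": "none", "exempted_by": None, "logged": False}


# Constructed sample policy: one IDP rule guarding a web server, one Exempt rule for an
# internal scanner whose probes are a known false positive for that attack object.
IDP_RULES = [
    IdpRule("block-web-exploits", "any", "10.0.0.5", "HTTP",
            frozenset({"HTTP:EXAMPLE-OVERFLOW"}), "drop-connection"),
]
EXEMPT_RULES = [
    ExemptRule("scanner-false-positive", "10.0.0.99", "any",
               frozenset({"HTTP:EXAMPLE-OVERFLOW"})),
]
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "10.0.0.5", "HTTP", frozenset({"HTTP:EXAMPLE-OVERFLOW"})),  # external attacker
    Flow("10.0.0.99", "10.0.0.5", "HTTP", frozenset({"HTTP:EXAMPLE-OVERFLOW"})),   # internal scanner
    Flow("192.0.2.10", "10.0.0.5", "HTTP"),                                        # clean request
]


def run_sample():
    return [evaluate(f, IDP_RULES, EXEMPT_RULES) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, result in zip(SAMPLE_FLOWS, run_sample()):
        print(flow.src, "->", flow.dst, result)
```

The point the model makes visible is the evaluation order: the external flow is dropped and logged, the scanner's identical flow matches the same IDP rule but is neutralised by the Exempt rule, and a flow with no detected attack object never reaches the action step at all.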
Related Topics
- Configuring Predefined Security Policies (NSM Procedure) on page 33
- Creating a New Security Policy (NSM Procedure) on page 34
- Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM Procedure) on page 117
Copyright © 2010, Juniper Networks, Inc.
32
