Using The Policy Creation Wizard - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Using the Policy Creation Wizard

Copyright © 2010, Juniper Networks, Inc.
For the standalone IDP Sensor and ISG with IDP devices, these policies are a good starting point for many common usage scenarios.

NSM includes the following security policy templates:

all_with_logging—Includes all attack objects and enables packet logging for all rules.
all_without_logging—Includes all attack objects but does not enable packet logging.
dmz_services—Protects a typical DMZ environment.
dns_server—Protects DNS services.
file_server—Protects file sharing services, such as SMB, NFS, FTP, and others.
getting_started—Contains very open rules. Useful in controlled lab environments, but should not be deployed on heavy-traffic live networks.
idp_default—Contains a good blend of security and performance.
Recommended—Contains only the attack objects tagged as "recommended" by the Juniper Networks security team. All rules have their Actions column set to take the recommended action for each attack object. By default, this policy is loaded onto all new IDP Sensors when they are added to NSM with the Add Device Wizard.
web_server—Protects HTTP servers from remote attacks.

Each security policy template contains rules that use the default actions associated with the attack object severity and protocol groups. You should customize these templates to work on your network by selecting your own address objects as the Destination IP and choosing IDP actions that reflect your security needs.

This wizard guides you through the policy creation process. Use the wizard to specify the type of device the policy is for and the level of security you want. You can create a policy containing a zone-based firewall rulebase with one any-any-deny rule and/or an IDP rulebase. All other rulebases are optional and can be added to the policy based on need and access control permissions.

If you are logged in as an IDP Administrator, firewall-only rulebases are not available.

The Policy Creation wizard lets you select policies for the following devices:

Firewall/VPN—Select this option to create a new policy containing a zone-based firewall rulebase with one any-any-deny rule. This option has only one set.
Stand Alone IDP—Select this option to create a new policy containing the IDP rulebase.
Integrated Security Gateways/Security Routers—Select this option to create a new policy containing a zone-based firewall rulebase with one any-any-permit IDP-enabled rule as well as the IDP rulebase.

Chapter 9: Configuring Security Policies