Table of Contents
Advertisement
Configuring Attack Objects in IDP Rules
Copyright © 2010, Juniper Networks, Inc.
Attack objects represent specific patterns of malicious activity within a connection, and
are a method for detecting attacks. Each attack object detects a known or unknown
attack that can be used to compromise your network. .
To add attack objects to a rule, right-click the Attacks column of the rule and select
Select Attacks. In the Add Attacks dialog box, you can add attacks using one or both of
the following options:
Attack List—Select this option to add individual attack objects from an alphabetically
list of all predefined and custom attack objects. Attack objects are listed alphabetically
by name of attack.
Selecting individual attacks is a good option if you know the exact name of the attack
you want to add to a rule. To locate a specific word or string in the attack object name,
use the integrated search function in NSM.
Attack Groups—Select this option to add attack object groups from three predefined
dynamic attack groups (Category, OS, Severity); if you have created a custom dynamic
group, that group is also listed.
Selecting attack groups is a good option when you are unsure of the exact attack you
want to add to a rule, but you know the type of attack protection you want the security
device to provide. Within the Attack Groups, you can:
Add all attack objects (select All Attacks). Consider carefully before selecting this
option; using all attack objects in a rule can severely impact performance on the
security device.
Add one or more attack groups (hold down CTL to select multiple groups). Predefined
dynamic groups might contain subgroups as well.
Add individual attack objects (hold down CTL to select multiple objects)
The following sections detail each predefined dynamic attack group.
Adding IDP Attack Object Groups by Category
The Category group includes attack objects organized by services. Services are application
layer protocols that define how data is structured as it travels across the network. A
protocol is a specification that indicates how communication between two entities
(applications, servers, Ethernet cards, etc.) occurs.
When attacking a system, attackers use the protocol of a supported service to
communicate their malicious activity to the server. However, attackers can only use
protocols that are supported by the system they are attacking. You can add a category
group to the Attacks column in your rule; however, you need to select only the categories
that are used by the address objects you are protecting with the rule.
For example, if you rely extensively on FTP and HTTP for file transfers to and from your
Web servers, choose the FTP and HTTP category groups to carefully monitor all traffic
that uses these services.
Chapter 9: Configuring Security Policies
465
Advertisement
Table of Contents
