Table of Contents
Advertisement
Setting Notification
Copyright © 2010, Juniper Networks, Inc.
Relay. IDP acts as the middleman, or relay, for the connection establishment,
performing the three-way handshake with the client host on behalf of the server.
Relay mode guarantees that the server allocates resources only to connections that
are already in an ESTABLISHED state. The relay is transparent to both the client host
and the server.
IDP receives the initial SYN packet sent by the client host and returns a SYN/ACK packet.
If the client host sends an ACK packet, IDP completes the three-way handshake and
allows the connection to move to an ESTABLISHED state. If IDP does not receive an ACK
packet from the client host, as would be the case during a SYN flood attack, IDP does
not complete the three-way handshake and the connection is not established.
Passive. IDP handles the transfer of packets between the client host and the server,
but does not actively prevent the connection from being established. Instead, IDP uses
a timer to ensure that connections are established promptly, minimizing the use of
server resources. The timer IDP uses for the connection establishment is shorter than
the timer the server uses for the connection queue.
IDP transfers the SYN packet sent by the client host to the server, then transfers the
SYN/ACK packet sent by the server to the client host. If the client host sends an ACK
packet to the server before the IDP connection timer expires, the connection is established.
If the client host does not send an ACK packet to the server, as would be the case during
a SYN flood attack, the IDP connection timer expires. IDP resets the connection to free
resources on the server.
You can choose to log an attack and create log records with attack information that you
can view real-time in the Log Viewer. For more critical attacks, you can also set an alert
flag to appear in the log record.
To log an attack for a rule, right-click the Notification column of the rule and select
Configure. The Configure Notification dialog box appears.
The first time you design a security policy, you might be tempted to log all attacks and
let the policy run indefinitely. Don't do this! Some attack objects are informational only,
and others can generate false positives and redundant logs. If you become overloaded
with data, you can miss something important. Remember that security policies that
generate too many log records are hazardous to the security of your network, as you
might discover an attack too late or miss a security breach entirely due to sifting through
hundreds of log records. Excessive logging can also affect IDP throughput, performance,
and available disk space. A good security policy generates enough logs to fully document
only the important security events on your network.
Setting Logging
In the Configure Notification dialog box, select Logging and then click OK. Each time the
rule is matched, the IDP system creates a log record that appears in the Log Viewer.
You can choose to log an attack and create log records with attack information that you
can view real-time in the Log Viewer. For more critical attacks, however, you might want
to be notified immediately by e-mail, have IDP run a script in response to the attack, or
Chapter 9: Configuring Security Policies
489
Advertisement
Table of Contents
