Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 100

Network and Security Manager Administration Guide
50
Inline Tap—In the inline tap mode, IDP can detect attacks and provide notification.
IDP receives a copy of a packet while the original packet is forwarded on the
network. IDP examines the copy of the packet and flags any potential problems.
IDP's inspection of packets does not affect the forwarding of the packet on the
network.
NOTE: You must deploy the ISG2000 or ISG1000 device inline. You cannot connect a
device that is in the inline tap mode to an external TAP or SPAN port on a switch.
Selecting either mode enables IDP for the firewall rule, and configures the security device
to forward all permitted traffic to the IDP rulebases for further processing.
Adding the IDP Rulebases
After you have enabled one or more firewall rules to pass traffic to the IDP rulebases,
you must add one or more of the following IDP rulebases to the security policy:
The IDP Rulebase—This is the main rulebase for IDP rules. Add this rulebase when you
want to configure rules that use attack objects to detect specific malicious or
anomalous activity in your network traffic.
For an overview of creating rules in the IDP rulebase, see "Configuring a Security Policy
for IDP" on page 48. For details, see "Configuring IDP Rules" on page 462.
The Exempt Rulebase—This rulebase works in conjunction with the IDP rulebase. When
traffic matches a rule in the IDP rulebase, the security module attempts to match the
traffic against the Exempt rulebase before performing the specified action or creating
a log record for the event.
Add the Exempt rulebase:
When an IDP rule uses attack object groups containing one or more attack objects
that produce false positives or irrelevant log records.
To exclude a specific source, destination, or source and destination pair from matching
an IDP rule (prevents unnecessary alarms).
When the IDP rulebase uses static or dynamic attack object groups that contain one
or more attack objects that produce false positives or irrelevant log records.
For details on creating rules in the Exempt Rulebase, see "Configuring Exempt Rules"
on page 484.
The Backdoor Detection Rulebase—This rulebase detects backdoor traffic from
components on your internal network. A backdoor is a mechanism installed on a host
computer that facilitates unauthorized access to the system. Attackers who have
already compromised a system often install a backdoor to make future attacks easier.
However, when attackers enter commands to control a backdoor, they generate
interactive traffic that your security device can detect.
Add this rulebase to your security policy when you want to configure rules that detect
backdoor activity on your internal network. For details on configuring rules in the
Backdoor Detection Rulebase, see "Configuring Backdoor Rules" on page 486.
Copyright © 2010, Juniper Networks, Inc.