Table 33: Deep Inspection Ip Actions; Working With Idp Attack Objects - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

Working with IDP Attack Objects

336
NOTE: Network security is an ongoing process of defining normal traffic for your network.
Eliminating malicious traffic is important, but identifying ambiguous traffic can be
equally important. You do not always want to drop traffic that appears abnormal; you
might want to reset the connection, block the attacker, set an alert for the event, or all
three.
Configure Deep Inspection Alerts. Enable this option to create an event log entry for
matching traffic. If the security device matches network traffic to an attack object
in the rule, NSM creates an event log entry that describes that attack (direction,
service, and Attack object) and displays an alert in the Log Viewer.
Configure IP Action. Enable this option to direct the device to take action against
the source of a brute force attack. When enabled, configure the following IP action
controls:
Action. Select the action you want the device to take when it detects a brute force
attack. Table 33 on page 336 lists the DI IP actions.

Table 33: Deep Inspection IP Actions

IP Block. The security device logs the event and drops all further traffic matching
the target definition for the period of time specified in the timeout setting.
IP Close. The security device logs the event, drops all further traffic matching the
target definition for the period of time specified in the timeout setting, and sends
a Reset (RST) for TCP traffic to the source and destination addresses.
IP Notify. The security device logs the event but takes no action against further
traffic matching the target definition for the period of time specified in the
timeout setting.
Target. Specifies the set of packet fields that must match for the security device to
consider a packet part of the same brute force attack. A packet that arrives during
the timeout period is treated as part of the attack only if these fields match the
corresponding fields of the packet in which the device detected the attack. Possible
values are:
Source, Destination, Destination Port, and Protocol
Source
Destination
From Zone, Destination, Destination Port, and Protocol
From Zone
The broader the target, the more traffic the action affects: a Source-only target acts
on all traffic from that address regardless of destination, and a Destination-only
target acts on all traffic to that host, including traffic from legitimate clients,
for the duration of the timeout.
Timeout (sec.). A period of time following brute force attack detection during
which the security device performs an IP action on packets matching specified
target parameters. The default is 60 seconds.
After you have created the DI Profile object, you can use the object in your firewall rules.
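The following model, added here as an illustration and not code from NSM or the security device, shows how the target definition and timeout scope an IP action. Once an attack is detected, the fields named by the chosen target are recorded; every later packet whose fields match is subject to the action (Block, Close, or Notify) until the timeout expires. The Packet type, the target names, and the sample packets are constructed for this example.

```python
"""Model of Deep Inspection IP actions: IP Block, IP Close and IP Notify.

Added illustration, not NSM or ScreenOS code. Field names, the Packet type
and the sample packets are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Target definitions from the Target setting: which packet fields must match
# the detected attack packet for a later packet to count as the same attack.
TARGETS = {
    "source-dest-port-proto": ("src", "dst", "dport", "proto"),
    "source": ("src",),
    "destination": ("dst",),
    "zone-dest-port-proto": ("from_zone", "dst", "dport", "proto"),
    "zone": ("from_zone",),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    from_zone: str
    ts: float        # arrival time in seconds


class IPActionTable:
    """Tracks active IP actions keyed by the target-definition tuple."""

    def __init__(self, action: str, target: str, timeout: float = 60.0):
        if action not in ("block", "close", "notify"):
            raise ValueError("action must be block, close or notify")
        self.action = action
        self.fields = TARGETS[target]
        self.timeout = timeout          # default 60 s, as in the guide
        self.entries: Dict[Tuple, float] = {}   # target key -> expiry time
        self.log: List[str] = []

    def _key(self, pkt: Packet) -> Tuple:
        return tuple(getattr(pkt, f) for f in self.fields)

    def detect(self, pkt: Packet) -> None:
        """Called when DI matches a brute force attack in this packet."""
        key = self._key(pkt)
        self.entries[key] = pkt.ts + self.timeout
        self.log.append(f"{pkt.ts}: attack detected, {self.action} target={key}")

    def handle(self, pkt: Packet) -> str:
        """Verdict for a later packet: 'permit', 'drop' or 'drop+rst'."""
        key = self._key(pkt)
        expiry = self.entries.get(key)
        if expiry is None or pkt.ts > expiry:
            self.entries.pop(key, None)   # timeout elapsed: entry removed
            return "permit"
        self.log.append(f"{pkt.ts}: matched active entry {key}")
        if self.action == "notify":
            return "permit"               # logged only, traffic not affected
        if self.action == "close" and pkt.proto == "tcp":
            return "drop+rst"             # RST to both source and destination
        return "drop"


def demo(action: str, target: str) -> List[str]:
    """Run a constructed packet sequence through the table; return verdicts."""
    table = IPActionTable(action, target, timeout=60.0)
    attacker = Packet("203.0.113.7", "198.51.100.10", 22, "tcp", "untrust", 0.0)
    table.detect(attacker)
    later = [
        Packet("203.0.113.7", "198.51.100.10", 22, "tcp", "untrust", 10.0),  # same flow
        Packet("203.0.113.7", "198.51.100.10", 80, "tcp", "untrust", 20.0),  # other port
        Packet("203.0.113.7", "198.51.100.20", 53, "udp", "untrust", 30.0),  # other dst, UDP
        Packet("192.0.2.5", "198.51.100.10", 22, "tcp", "untrust", 40.0),    # legitimate client
        Packet("203.0.113.7", "198.51.100.10", 22, "tcp", "untrust", 61.0),  # after timeout
    ]
    return [table.handle(p) for p in later]
```

Running demo("block", "destination") shows the caveat about broad targets: the packet from the unrelated client 192.0.2.5 to the attacked host is dropped along with the attacker's traffic, whereas the Source, Destination, Destination Port, and Protocol target drops only the attacker's original flow.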
NSM contains a database of predefined IDP attack objects and IDP attack object groups
that you can use in security policies to match traffic against known and unknown attacks.
Copyright © 2010, Juniper Networks, Inc.
