Table of Contents
Advertisement
Defining Match For IDP Rules
Copyright © 2010, Juniper Networks, Inc.
The following sections detail each step.
When creating your IDP rules, you must specify the type of network traffic that you want
IDP to monitor for attacks. These characteristics include the network components that
originate and receive the traffic, and the firewall zones the traffic passes through.
You must specify the From Zone, Source, User Role, To Zone, Destination, and Service
in their respective Match columns for all rules in the IDP rulebase. The Terminate Match
selection allows you to designate a rule as terminal; if IDP encounters a match for the
other Match columns in a terminal rule, no other rules in the rulebase are examined. The
matching traffic does not need to match the attacks specified in a terminal rule. (For
more information on terminal rules, see "Configuring Terminal IDP Rules" on page 466.
The following sections detail the Match columns of an IDP rule.
Configuring Source and Destination Zones for IDP Rules (Does not apply to
Standalone IDP Sensor rulebases)
You can select multiple zones for the source and destination, however these zones must
be available on the security devices on which you will install the policy. You can specify
"any" for the source or destination zones to monitor network traffic originating or destined
for any zone.
For standalone IDP rulebases, the zones are always set to "any."
NOTE: You can create custom zones for some security devices. The list of zones from
which you can select source and destination zones includes the predefined and custom
zones that have been configured for all devices managed by NSM. Therefore, you should
only select zones that are applicable for the device on which you will install the security
policy.
Configuring Source and Destination Address Objects for IDP Rules
In the NSM system, address objects are used to represent components on your network:
hosts, networks, servers, etc. Typically, a server or other device on your network is the
destination IP for incoming attacks, and can sometimes be the source IP for interactive
attacks (see "Configuring Backdoor Rules" on page 486 for more information on interactive
attacks). You can specify " any" to monitor network traffic originating from any IPv4
address and " AnyIPv6 " to monitor network traffic originating from any IPv6 address.
You can also "negate" the address objects listed in the Source or Destination column to
specify all sources or destinations except the excluded objects.
You can create address objects either before you create an IDP rule or while creating or
editing an IDP rule. To select or configure an address object, right-click either the Source
or Destination column of a rule and select Select Address. In the Select Source Addresses
dialog box, you can either select an already-created address object or click the Add icon
to create a new host, network, or group object.
To detect incoming attacks that target your internal network, set the From Zone to
Untrust, and the Source IP to any IP. Then, set the To Zone to dmz and trust. Next, select
Chapter 9: Configuring Security Policies
463
Advertisement
Table of Contents
