Table of Contents
Advertisement
Network and Security Manager Administration Guide
466
You can create your own service objects to use in rules, such as service objects for
protocols that use nonstandard ports. However, you cannot match attack objects to
protocols they do not use.
Configuring Terminal IDP Rules
The normal IDP rule-matching algorithm starts from the top of the rulebase and checks
traffic against all rules in the rulebase that match the source, destination, and service. A
terminal rule is an exception to this normal rule-matching algorithm. When a match is
discovered in a terminal rule for the source, destination, and service, IDP does not continue
to check subsequent rules for the same source, destination, and service. It does not matter
whether or not the traffic matches the attack objects in the matching rule.
You can use a terminal rule for the following purposes:
To set different actions for different attacks for the same Source and Destination. This
is illustrated by rules 3 and 6 in the "Setting Terminal Rules" example below.
To disregard traffic that originates from a known trusted Source. Typically the action
is None for this type of terminal rule. This is illustrated by rule 1 in the "Setting Terminal
Rules" example below.
To disregard traffic that is sent to a server that is only vulnerable to a specific set of
attacks. Typically, the action is Drop Connection for this type of terminal rule.
Use caution when defining terminal rules. You can inadvertently leave your network open
to attacks by creating an inappropriate terminal rule. Remember that traffic matching
the source, destination, and service of a terminal rule is not compared to subsequent
rules, even if the traffic does not match an attack object in the terminal rule. Use a terminal
rule only when you want to examine a certain type of traffic for one specific set of attack
objects and no others. Be particularly careful about terminal rules using " any" for both
the source and destination.
Terminal rules should appear near the top of the rulebase, before other rules that would
match the same traffic. You set a rule as terminal by selecting the box in the Terminate
Match column of the Security Policy window when the rule is created or modified.
NOTE: In many cases, you can use an exempt rule instead of a terminal rule. You might
find it easier and more straightforward to configure an exempt rule than a terminal rule.
See "Configuring Exempt Rules" on page 484.
In the example IDP rulebase shown below, rules 1, 3 and 5 are configured as terminal
rules:
Rule 1 terminates the match algorithm if the source IP of the traffic originates from the
Security Network, a known trusted network. If this rule is matched, IDP disregards traffic
from the Security Network and does not continue monitoring the session for malicious
data.
Rules 3 and 6 set different actions for different attacks when the destination IP is the
Corporate or Europe E-mail server. Rule 3 terminates the match algorithm when the
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Table of Contents
