Table of Contents
Advertisement
Adding the Backdoor Rulebase
Copyright © 2010, Juniper Networks, Inc.
Interactive traffic is traffic that indicates human involvement in a normally automated
process, such as a user typing commands. Interactive traffic looks different than other
traffic because humans are manually controlling one end of the connection. In a
connection between two programs, the data transfer is automated; TCP packets can be
batched and sent in bulk for efficiency. In a connection between a program and a user,
packets are sent when they become available; characters display as they are typed (not
after the word is complete). Interactive programs transmit several short IP packets
containing individual keystrokes and their echoes, reflecting the real-time actions of a
user (or attacker).
When attackers type commands to control a backdoor, they generate interactive traffic
that IDP can detect. Unlike antivirus software, which scans for known backdoor files or
executables on the host system, IDP detects the interactive traffic that is produced when
backdoors are used. This method ensures that IDP can detect all backdoors, both known
and unknown. If interactive traffic is detected, IDP can perform IDP actions against the
connection to prevent the attacker from further compromising your network.
When you configure a backdoor rule, you must specify the following:
Source and destination addresses for traffic you want to monitor. To detect incoming
interactive traffic, set the Source to " any" and the Destination to the IP address of
network device you want to protect. To detect outgoing interactive traffic, set the
Source to the IP address of the network device you want to protect and the Destination
to " any" .
Services that are offered by the Source or Destination as well as interactive services
that can be installed and used by attackers.
NOTE: Do not include TELNET, SSH, RSH, NETMEETING, or VNC as services, as these
services are often used to legitimately control a remote system. Including these services
can generate false positives.
Action that the IDP is to perform if interactive traffic is detected. Set the Operation to
" detect" . If you are protecting a large number of network devices from interactive
traffic, you can create a rule that " ignores" accepted forms of interactive traffic from
those devices, then create another rule that " detects" all interactive traffic from those
devices.
NOTE: The Backdoor rulebase is a terminal rulebase. That is, when IDP finds a match
on a rule in the Backdoor rulebase, it does not execute succeeding rules.
Before you can configure a rule in the Backdoor rulebase, you need to add the Backdoor
rulebase to a security policy.
In the main navigation tree, select Policies. Open a security policy by double-clicking
1.
the policy name in the security policies window or click the policy name and then
select the Edit icon.
Chapter 9: Configuring Security Policies
487
Advertisement
Table of Contents
