Configuring Services; Setting Detect Options; Setting Response Options; Setting Notification - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Setting Detect Options

Setting Response Options

Setting Notification

Copyright © 2010, Juniper Networks, Inc.

Configuring Services

Set the Service to Any, unless you want to tailor different rules to different services.
Right-click the rulebase cell in the Traffic anomalies column and select Detect. In the
View Detect Options dialog, set the Port Count and Time Threshold values for each value
you want to monitor. The values are measure in number of hits (Port Count) in a particular
number of seconds (Time Threshold).
The IP Action column governs what action the IDP Sensor takes when it finds a matching
condition.
Right-click the rulebase cell in the IP Action column and select Configure. The Configure
IP Action dialog displays.
Configure your IP Action settings as appropriate for your network.
You can choose to log an attack and create log records with attack information that you
can view real-time in the Log Viewer. For more critical attacks, you can also set an alert
flag to appear in the log record.
To log an attack for a rule, right-click the Notification column of the rule and select
Configure. The Configure Notification dialog box appears.
The first time you design a security policy, you might be tempted to log all attacks and
let the policy run indefinitely. Don't do this! Some attack objects are informational only,
and others can generate false positives and redundant logs. If you become overloaded
with data, you can miss something important. Remember that security policies that
generate too many log records are hazardous to the security of your network, as you
might discover an attack too late or miss a security breach entirely due to sifting through
hundreds of log records. Excessive logging can also affect IDP throughput, performance,
and available disk space. A good security policy generates enough logs to fully document
only the important security events on your network.

Setting Logging

In the Configure Notification dialog box, select Logging and then click OK. Each time the
rule is matched, the IDP system creates a log record that appears in the Log Viewer.
You can choose to log an attack and create log records with attack information that you
can view real-time in the Log Viewer. For more critical attacks, however, you might want
to be notified immediately by e-mail, have IDP run a script in response to the attack, or
set an alarm flag to appear in the log record. Your goal is to fine-tune the attack
notifications in your security policy to your individual security needs.
Chapter 9: Configuring Security Policies
497