Table of Contents
Advertisement
Copyright © 2010, Juniper Networks, Inc.
and IDP rules that use the default actions associated with the attack object severity and
protocol groups. You can customize these rules to work on your network as needed, such
as selecting your own address objects as the Destination IP and choosing IDP actions
and notifications that reflect your security needs.
If you do not use a security policy template, you must add the IDP rulebase manually, as
detailed in "Adding the IDP Rulebases" on page 50.
Configure Firewall Rules (ISG Only)
You can enable IDP within an existing rule, or create a new rule. Configure the firewall
rule as you would normally, setting the source and destination zones, address objects,
services, and so on to define the type of network traffic you want to permit.
When configuring the firewall rule, consider the following:
Traffic that is denied by a firewall rule cannot be passed to IDP rules. To enable IDP in
a firewall rule, the action must be permitted.
When deploying the ISG2000 or ISG1000 device as a dedicated IDP system, configure
a single firewall rule that directs all traffic to the IDP rules. (By default, the firewall
denies all traffic.)
NOTE: When operating the security device in a nontransparent mode, you must have
configured basic security device settings, such as assigning interfaces to zones, setting
the administrative password, and configuring default routes. For details about
configuring these settings, see the user guide that shipped with the device.
When operating the security device in transparent mode and using it as a dedicated
IDP system, you do not need to configure additional firewall settings.
For firewall rules that pass traffic to the IDP rulebases, the Install On column must
include IDP-capable devices only.
Setting the IDP Mode (ISG Only)
Because the security module is part of the inline security device, IDP protects your network
while directly in the path of traffic coming and going on your network.
To set the IDP mode:
In the Configure panel of the main navigation tree, select Policy Manager > Security
1.
Policies, and then double-click the policy name in the Security Policies window to
open the firewall rulebase.
In the Rule Options column of a firewall rule, select IDP.
2.
Select one of the following modes:
3.
Inline—In the inline mode, IDP is directly in the path of traffic on your network and
can detect and block attacks. For example, you can deploy the ISG2000 or ISG1000
with integrated firewall/VPN/IDP capabilities between the Internet and the
enterprise LAN, WAN, or special zones such as DMZ.
Chapter 2: Planning Your Virtual Network
49
Advertisement
Table of Contents
Related Manuals for Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1
Related Products for Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - API GUIDE REV 1
- Juniper NETWORK AND SECURITY MANAGER 2010.3 - M-SERIES AND MX-SERIES DEVICES GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING J SERIES SERVICES ROUTERS AND SRX SERIES SERVICES GATEWAYS GUIDE REV
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - NSMXPRESS SERIES II REV 1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - REV1
- Juniper NETWORK AND SECURITY MANAGER 2010.4 - M-SERIES AND MX-SERIES DEVICES GUIDE REV 1
- Juniper NETWORK AND SECURITY MANAGER 2010.2
- Juniper MEDIA FLOW MANAGER 2.0.2 - ADMINISTRATOR S GUIDE AND CLI
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1
- Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1
- Juniper MEDIA FLOW CONTROLLER 2.0.5
- Juniper 200 Series