Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual page 100

Network and Security Manager Administration Guide
50
Inline—In the inline mode, IDP is directly in the path of traffic on your network and
can detect and block attacks. For example, you can deploy the ISG2000 or ISG1000
with integrated firewall/VPN/IDP capabilities between the Internet and the enterprise
LAN, WAN, or special zones such as DMZ.
Inline Tap—In the inline tap mode, IDP can detect attacks and provide notification.
IDP receives a copy of a packet while the original packet is forwarded on the network.
IDP examines the copy of the packet and flags any potential problems. IDP's
inspection of packets does not affect the forwarding of the packet on the network.
NOTE: You must deploy the ISG2000 or ISG1000 device inline. You
cannot connect a device that is in the inline tap mode to an external
TAP or SPAN port on a switch.
Selecting either mode enables IDP for the firewall rule, and configures the security device
to forward all permitted traffic to the IDP rulebases for further processing.
Adding the IDP Rulebases
After you have enabled one or more firewall rules to pass traffic to the IDP rulebases,
you must add one or more of the following IDP rulebases to the security policy:
The IDP Rulebase—This is the main rulebase for IDP rules. Add this rulebase when you
want to configure rules that use attack objects to detect specific malicious or
anomalous activity in your network traffic.
For an overview of creating rules in the IDP rulebase, see "Configuring a Security Policy
for IDP" on page 48. For details, see "Configuring IDP Rules" on page 468.
The Exempt Rulebase—This rulebase works in conjunction with the IDP rulebase. When
traffic matches a rule in the IDP rulebase, the security module attempts to match the
traffic against the Exempt rulebase before performing the specified action or creating
a log record for the event.
Add the Exempt rulebase:
When an IDP rule uses attack object groups containing one or more attack objects
that produce false positives or irrelevant log records.
To exclude a specific source, destination, or source and destination pair from matching
an IDP rule (prevents unnecessary alarms).
When the IDP rulebase uses static or dynamic attack object groups that contain one
or more attack objects that produce false positives or irrelevant log records.
For details on creating rules in the Exempt Rulebase, see "Configuring Exempt Rules"
on page 491.
The Backdoor Detection Rulebase—This rulebase detects backdoor traffic from
components on your internal network. A backdoor is a mechanism installed on a host
computer that facilitates unauthorized access to the system. Attackers who have
already compromised a system often install a backdoor to make future attacks easier.
Copyright © 2010, Juniper Networks, Inc.