Configuring Services for IDP Rules - Juniper Network and Security Manager 2010.4 Administration Guide, Rev 1


Copyright © 2010, Juniper Networks, Inc.
After making your changes, save the policy, and then update the device. Ensure that the
device reflects the correct user role information.
The role-based access control feature has the following limitations:
• The role names in the IDP policy must match those configured on the Infranet Controller (IC).
• Username-based IDP policy is not supported. The firewall must map either the source IP address or the username to a user role before it can forward a packet.
• The firewall supports 200 roles for one user, but the IDP policy supports only 100 roles for each user.
• Jumbo frame mode and IPv6 mode are not supported.
• SYN proxy and a fragmented first UDP packet are not supported.
• Virtual systems (vsys) are not supported.

Configuring Services for IDP Rules

Services are application layer protocols that define how data is structured as it travels across the network. Because attackers can reach your network only through the services it actually offers, you can restrict a rule to the services supported by the destination IP, which makes the rule more efficient.
NOTE: All services rely on a transport layer protocol to transmit data. The predefined IDP service objects cover services that run over TCP, UDP, and ICMP, as well as RPC-based services.
Service objects represent the services running on your network. NSM includes predefined
service objects that are based on industry-standard services. You use these service
objects in rules to specify the service an attack uses to access your network. You can
also create custom service objects to represent protocols that are not included in the
predefined services.
In the Service column you select the service of the traffic you want IDP to match:
• Select Default to accept the service specified by the attack object you select in the Attacks column. When you select an attack object in the Attacks column, the service associated with that attack object becomes the default service for the rule. To see the exact service, view the attack object details.
• Select Any to match traffic on any service.
• Select Service to choose specific services from the list of defined service objects.
For example, to protect your FTP server from FTP attacks, set the service to Default and add an attack object that detects FTP buffer overflow attempts. The Service column in the rule still displays "Default", but the rule actually uses the default service of TCP-FTP, which is specified in the attack object.
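The following added example (not NSM code and not from the manual) models in Python how the three Service choices resolve to the services a rule actually inspects, so the resolution can be checked before a policy is pushed to a device. The class names, the catalog contents, the attack object name FTP:OVERFLOW:EXAMPLE and the custom service TCP-CUSTOM-8021 are constructed for the illustration; only the service name TCP-FTP and the Default, Any and Service choices come from the page.

```python
"""Model of how the Service column of an IDP rule resolves to matched services.

Added illustration, not NSM code. Catalog contents, attack object names and
flows are constructed for the example; only TCP-FTP and the Default/Any/
Service choices are taken from the manual.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServiceObject:
    """A service object: a transport plus, where applicable, a destination port."""
    name: str
    transport: str                 # "tcp", "udp" or "icmp" in this model
    dst_port: int | None = None    # None for port-less transports such as ICMP


# Assumed subset of the predefined service objects (NSM ships many more).
CATALOG: dict[str, ServiceObject] = {
    "TCP-FTP": ServiceObject("TCP-FTP", "tcp", 21),
    "TCP-HTTP": ServiceObject("TCP-HTTP", "tcp", 80),
    "UDP-DNS": ServiceObject("UDP-DNS", "udp", 53),
}


def add_custom_service(catalog: dict[str, ServiceObject], svc: ServiceObject) -> None:
    """Register a custom service object for a protocol the predefined set lacks."""
    if svc.name in catalog:
        raise ValueError(f"service object {svc.name!r} already exists")
    catalog[svc.name] = svc


@dataclass(frozen=True)
class AttackObject:
    name: str
    service: str                   # service the attack uses, e.g. "TCP-FTP"


@dataclass
class Rule:
    name: str
    service_mode: str              # "Default", "Any" or "Service"
    services: list[str] = field(default_factory=list)        # mode "Service" only
    attacks: list[AttackObject] = field(default_factory=list)


@dataclass(frozen=True)
class Flow:
    transport: str
    dst_port: int | None = None


def effective_services(rule: Rule, catalog: dict[str, ServiceObject] = CATALOG) -> set[str] | None:
    """Names of the services the rule really matches; None means any service.

    In "Default" mode the column shows the word Default, but the rule uses the
    service carried by each of its attack objects.  A Default rule with no
    attack objects therefore resolves to no service at all.
    """
    if rule.service_mode == "Any":
        return None
    if rule.service_mode == "Default":
        names = {a.service for a in rule.attacks}
    elif rule.service_mode == "Service":
        names = set(rule.services)
    else:
        raise ValueError(f"unknown service mode {rule.service_mode!r}")
    unknown = names - set(catalog)
    if unknown:
        raise KeyError(f"rule {rule.name!r} references undefined services {sorted(unknown)}")
    return names


def rule_matches(rule: Rule, flow: Flow, catalog: dict[str, ServiceObject] = CATALOG) -> bool:
    """True if the flow's transport and port fall within the rule's effective services."""
    names = effective_services(rule, catalog)
    if names is None:
        return True
    for name in names:
        svc = catalog[name]
        if svc.transport == flow.transport and (svc.dst_port is None or svc.dst_port == flow.dst_port):
            return True
    return False


def lint_rules(rules: list[Rule]) -> list[str]:
    """Report rules whose Service column is Default but that carry no attack objects."""
    return [r.name for r in rules if r.service_mode == "Default" and not r.attacks]


# The manual's FTP case: Service shows "Default", the attack object supplies TCP-FTP.
ftp_overflow = AttackObject("FTP:OVERFLOW:EXAMPLE", "TCP-FTP")   # constructed name
ftp_rule = Rule("protect-ftp", "Default", attacks=[ftp_overflow])
empty_default = Rule("forgot-attacks", "Default")                # constructed trap

if __name__ == "__main__":
    print(effective_services(ftp_rule))                 # {'TCP-FTP'}
    print(rule_matches(ftp_rule, Flow("tcp", 21)))      # True
    print(rule_matches(ftp_rule, Flow("tcp", 80)))      # False
    print(lint_rules([ftp_rule, empty_default]))        # ['forgot-attacks']
```

In this model a rule left on Default with no attack objects resolves to an empty service set and matches nothing, which is the kind of silent gap worth flagging with a check like lint_rules before updating the device; a Service-mode rule that names a service object not present in the catalog is rejected outright rather than quietly matching nothing.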
Chapter 9: Configuring Security Policies
471
