Table 43: IDP Rule Actions; Defining Actions For IDP Rules - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual


Defining Actions For IDP Rules

Copyright © 2010, Juniper Networks, Inc.
NOTE: In many cases, you can use an exempt rule instead of a terminal rule.
You might find it easier and more straightforward to configure an exempt
rule than a terminal rule. See "Configuring Exempt Rules" on page 491.
In the example IDP rulebase described here, rules 1, 3 and 5 are configured as terminal
rules:
Rule 1 terminates the match algorithm if the source IP of the traffic originates from the
Security Network, a known trusted network. If this rule is matched, IDP disregards traffic
from the Security Network and does not continue monitoring the session for malicious
data.
Rules 3 and 6 set different actions for different attacks when the destination IP is the
Corporate or Europe E-mail server. Rule 3 terminates the match algorithm when the
attack is an e-mail that uses the SMTP context Confidential, so rule 6 is never evaluated
for that session. Rule 6 closes the server side of the connection when the attack is any
other SMTP attack.
Rule 5 terminates the match algorithm when the source is the Internal Network and
the attack is a Critical, High, or Medium Trojan Backdoor. The rule ensures that IDP
closes both the client and server sides of the connection and does not continue to match
the connection against later rules.
You can define actions for the security device to perform against attacks that match
rules in your security policy. For each attack that matches a rule, you can choose either
to take action on the packet containing the attack (permit or drop the packet) or to take
action on the connection or session (permit, ignore, drop, or close the connection). Refer
to Table 43 on page 473 for details.
Remember that the device can drop the packet containing the attack only when IDP is
enabled in inline mode.
When IDP is enabled in inline tap mode on ISG-IDP devices and the action defined is
Drop Packet or Drop Connection, IDP causes the firewall to drop the session upon
detection of an attack. However, it cannot prevent the attack packet from reaching its
destination, because in inline tap mode IDP receives only a copy of the packet while the
original packet is forwarded to its destination.
When standalone IDP sensors are deployed in inline tap or sniffer mode, IDP cannot
perform a drop action at all, and there is no disruption to the session carrying the
attack traffic.
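The terminal-rule walk through the example rulebase and the mode caveats above, as an added illustration in Python. This is not Juniper NSM code and does not reproduce the sensor's real match engine: it follows the page's description, in which a terminal rule stops evaluation once its source, destination and attack condition all match. Rule numbers 1, 3, 5 and 6 follow the example rulebase; the network addresses, attack objects, rule 3's action, and the action and mode labels are assumptions.

```python
"""Toy model of IDP rulebase matching with terminal rules and deployment-mode effects.

Illustration added to this page; it is not Juniper NSM code. Rule numbers follow
the example rulebase described in the text. The network addresses, attack
objects, rule 3's action, and the action and mode labels are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import ipaddress

# Constructed address objects for the networks the example rulebase names (assumed).
# The Security Network deliberately lies inside the Internal Network, so the
# terminal rule 1 is what keeps trusted hosts from ever reaching rule 5.
NETWORKS = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "Security Network": ipaddress.ip_network("10.1.0.0/16"),
    "Internal Network": ipaddress.ip_network("10.0.0.0/8"),
    "E-mail Servers": ipaddress.ip_network("192.0.2.24/30"),  # Corporate and Europe servers
}


@dataclass(frozen=True)
class Attack:
    name: str
    category: str                  # e.g. "Trojan Backdoor" or "SMTP"
    severity: str                  # "Critical", "High", "Medium", "Low"
    context: Optional[str] = None  # protocol context, e.g. the SMTP context "Confidential"


@dataclass(frozen=True)
class Rule:
    number: int
    src: str
    dst: str
    attack_match: Callable[[Optional[Attack]], bool]
    action: str
    terminal: bool = False


def _in(ip: str, net: str) -> bool:
    return ipaddress.ip_address(ip) in NETWORKS[net]


def _smtp(a: Optional[Attack], context: Optional[str] = None) -> bool:
    return a is not None and a.category == "SMTP" and (context is None or a.context == context)


def _trojan(a: Optional[Attack]) -> bool:
    return (a is not None and a.category == "Trojan Backdoor"
            and a.severity in {"Critical", "High", "Medium"})


# Rules 1, 3, 5 and 6 of the example rulebase; rules 2 and 4 are not described in
# the text and are left out. Rule 3's action ("drop connection") is an assumption.
RULEBASE = [
    Rule(1, "Security Network", "Any", lambda a: True, "ignore connection", terminal=True),
    Rule(3, "Any", "E-mail Servers", lambda a: _smtp(a, "Confidential"), "drop connection", terminal=True),
    Rule(5, "Internal Network", "Any", _trojan, "close client and server", terminal=True),
    Rule(6, "Any", "E-mail Servers", _smtp, "close server"),
]


def match(rulebase: List[Rule], src_ip: str, dst_ip: str,
          attack: Optional[Attack]) -> List[Tuple[int, str]]:
    """Walk the rulebase top to bottom and return (rule number, action) for every
    rule that applies. As the text describes, a matched terminal rule stops the
    walk, so later rules never contribute an action for that session."""
    applied = []
    for rule in rulebase:
        if _in(src_ip, rule.src) and _in(dst_ip, rule.dst) and rule.attack_match(attack):
            applied.append((rule.number, rule.action))
            if rule.terminal:
                break
    return applied


def drop_effect(action: str, platform: str, mode: str) -> Tuple[bool, bool]:
    """What a drop action achieves per deployment, as the text describes.
    platform: "ISG-IDP" or "standalone"; mode: "inline", "inline tap" or "sniffer".
    Returns (attack packet blocked, session dropped)."""
    if action not in ("drop packet", "drop connection"):
        raise ValueError("only drop actions are modeled")
    if mode == "inline":
        # Inline is the only mode in which the attack packet itself can be dropped;
        # "drop packet" leaves the session up, "drop connection" tears it down.
        return True, action == "drop connection"
    if platform == "ISG-IDP" and mode == "inline tap":
        # The firewall drops the session, but the original packet was already forwarded.
        return False, True
    # Standalone sensor in inline tap or sniffer mode: no drop, session undisturbed.
    return False, False
```

Running `match` on a Confidential SMTP attack from a Security Network host returns only rule 1, while the same attack from any other internal host stops at rule 3 and never reaches rule 6; `drop_effect` makes the inline-versus-tap distinction explicit so a policy review can tell whether a Drop action actually protects the destination.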
Table 43 on page 473 lists actions for IDP rules:

Table 43: IDP Rule Actions

Action: None
Description: IDP inspects for attacks but takes no action against the connection if an
attack is found. If a rule that contains the action None is matched, the corresponding
log record displays "accept" in the action column of the Log Viewer.
Chapter 9: Configuring Security Policies
473
