Table of Contents
Advertisement
Setting Target Devices for IDP Rules
Entering Comments for IDP Rules
Configuring multiple IDP policies for an MX Series Router
Copyright © 2010, Juniper Networks, Inc.
For each rule in the IDP rulebase, you can select which devices the rule applies to. When
you install the security policy that the rule belongs to, the rule becomes active only on
the devices you selected in the Install On column of the rulebase.
NOTE: NSM supports IDP on ISG gateways running ScreenOS 5.0.0-IDP1 and
later, standalone IDP appliances running IDP 5.0 and later, J Series routers,
SRX Series gateways, and MX Series routers .
You can enter notations about the rule in the Comments column. Anything you enter in
the Comments column is not pushed to the target devices. To enter a comment, right-click
the Comments column and select Edit Comments. The Edit Comments dialog box
appears. You can enter up to 1024 characters in the Comments field.
You can deploy an ISG2000 or ISG1000 gateway as a standalone IDP security system
protecting critical segments of your private network. For example, you might already
have a security device actively screening traffic between the Internet and your private
network (some device can optionally use Deep Inspection to inspect this traffic), but you
still need to protect internal systems, such as mail servers, from attacks that might
originate from user machines in an otherwise trusted network. In this case, you need a
security system that provides IDP instead of firewall functions.
Standalone IDP Sensors function in this mode by default and do not have to be specifically
configured for it.
In this example, you are deploying an ISG2000 device as a standalone IDP security system
between the Trust zone and the custom "Data_Center" zone in your network. Your
company's file, mail, and database servers reside in the Data_Center zone. While you
want to allow users in the Trust zone to be able to access the servers in the Data_Center
zone, you also need to protect the servers from attacks that inadvertently might have
been introduced into a user machine in the Trust zone. You create a firewall rule from
the Trust to the Data_Center zone that allows traffic from any source to any destination
for any service, then enable IDP in the Rule Options column.
You would then add and configure IDP rulebases for the security policy to detect possible
attacks against servers in the Data_Center zone.
You can configure multiple IDP policies for an MX Series device by associating existing
IDP rules in the security policy assigned to the device, to multiple IDP policies. IDP services
on MX series routers allow administrators to provide security services to service provider
subscribers. Multiple IDP policies allow administrators to reference a service set associated
with a subscriber to a pre-configured IDP policy. This IDP policy is used to enforce security
inspection for traffic per subscriber. Service set configuration is supported in-device in
Chapter 9: Configuring Security Policies
481
Advertisement
Table of Contents
Need help?
Do you have a question about the NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 and is the answer not in the manual?
Questions and answers