Table 46: Actions For Backdoor Rule; Configuring Services; Setting Operation; Setting Actions - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Configuring Services

Select interactive service objects. Be sure to include services that are offered by the source or destination IP as well as interactive services that are not; attackers can use a backdoor to install any interactive service. Do not include telnet, SSH, RSH, netmeeting, or VNC, as these services are often used to remotely control a system legitimately and their inclusion might generate false positives.

Setting Operation

Set the Operation to detect or ignore. If you select detect, choose an action to perform if backdoor traffic is detected. If you are protecting a large number of address objects from interactive traffic, you can create a rule that ignores accepted forms of interactive traffic from those objects, then create a succeeding rule that detects all interactive traffic from those objects.

Setting Actions

Choose an action to perform from Table 46 on page 496 if IDP detects interactive traffic:

Table 46: Actions for Backdoor Rule

| Action | Description |
|---|---|
| Accept | IDP accepts the interactive traffic. |
| Drop Connection | IDP drops the interactive connection without sending a RST packet to the sender, preventing the traffic from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing. |
| Close Client and Server | IDP closes the interactive connection and sends a RST packet to both the client and the server. If the IDP is in sniffer mode, IDP sends a RST packet to both the client and server but does NOT close the connection. |
| Close Client | IDP closes the interactive connection to the client, but not to the server. |
| Close Server | IDP closes the interactive connection to the server, but not to the client. |

Setting Notification

You can choose to log an attack and create log records with attack information that you can view in real time in the Log Viewer. For more critical attacks, you can also set an alert flag to appear in the log record.

To log an attack for a rule, right-click the Notification column of the rule and select Configure. The Configure Notification dialog box appears.

The first time you design a security policy, you might be tempted to log all attacks and let the policy run indefinitely. Don't do this! Some attack objects are informational only, and others can generate false positives and redundant logs. If you become overloaded with data, you can miss something important. Remember that security policies that generate too many log records are hazardous to the security of your network, as you might discover an attack too late or miss a security breach entirely due to sifting through
Copyright © 2010, Juniper Networks, Inc.
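The ignore-then-detect ordering described under Setting Operation, modelled as an added Python example (not NSM or IDP code, and not from the guide). It assumes rules are evaluated top-down with the first match deciding the outcome, which is what the ordering in the text implies; the Rule fields, address objects and service object names are constructed for illustration.

```python
from dataclasses import dataclass

# Services the text says to leave out of backdoor rules (false-positive prone).
EXCLUDED = {"telnet", "ssh", "rsh", "netmeeting", "vnc"}

@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset       # address objects covered by the rule
    services: frozenset      # interactive service objects
    operation: str           # "detect" or "ignore"
    action: str = "Accept"   # a Table 46 action; only meaningful for detect

def evaluate(rules, source, service):
    """Return (rule name, outcome) for the first rule that matches the flow."""
    for r in rules:
        if source in r.sources and service in r.services:
            return r.name, (r.action if r.operation == "detect" else "ignored")
    return None, "no match"

def lint(rules):
    """Report ignore rules that can never match and excluded services under detect."""
    findings = []
    for i, r in enumerate(rules):
        if r.operation == "detect":
            findings += [f"{r.name}: detects excluded service {s}"
                         for s in sorted(r.services & EXCLUDED)]
            continue
        for earlier in rules[:i]:
            if (earlier.operation == "detect" and r.sources <= earlier.sources
                    and r.services <= earlier.services):
                findings.append(f"{r.name}: shadowed by {earlier.name}")
    return findings

# Constructed sample objects: two servers and made-up service object names.
SERVERS = frozenset({"srv-1", "srv-2"})
IGNORE_OK = Rule("ignore-accepted", SERVERS, frozenset({"app-console"}), "ignore")
DETECT_ALL = Rule("detect-all", SERVERS,
                  frozenset({"app-console", "x11", "db-shell"}),
                  "detect", "Drop Connection")
GOOD_ORDER = [IGNORE_OK, DETECT_ALL]   # ordering described in the text
BAD_ORDER = [DETECT_ALL, IGNORE_OK]    # detect rule first hides the ignore rule

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, evaluate(rules, "srv-1", "app-console"), lint(rules))
```

With the rules reversed, the accepted service is dropped instead of ignored, and `lint` reports the ignore rule as shadowed.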
