ISG 1000 with IDP blade

Posted on 2009-02-21
Last Modified: 2012-05-06
Hi, I am going to be implementing a Juniper ISG 1000 firewall with IDP (I will use an NSM Express appliance to manage the IDP and the firewall). My network consists of the following zones:
trust (contains the users, domain controller and DNS server)
untrust (Internet)
DMZ 1 (FTP server and email server)
DMZ 2 (web servers and application servers)

Traffic will be allowed from:
trust to untrust
dmz1 to untrust
dmz2 to untrust
untrust to dmz1 and dmz2

I need assistance in creating IDP rules. I want to know what the recommended IDP rules are that I should create and what attack objects I should use.

Question by: mzhaim

Accepted Solution

There is a list of recommended rules within the IDP policy section on the NSM. These give a little more of an idea as to what the policy is and does.

However, adding an IDP rulebase is very dependent on what traffic you want to scan, what intruders you want to detect and also what you want to do with the intruders (i.e. monitor or drop).

You obviously have the FTP and mail in one zone, so only apply relevant rules there, and for the other DMZ zone you can enter the web and any application-specific detection.

The main admin guide can give an idea on how to customise the recommended rules, but I would suggest having a look at what attack objects you want to check for and then applying a custom rule to each set of traffic.
Expert Comment

"deimark" is correct about the IDP ruleset being very dependent on traffic. There are "default" and recommended lists of ports and traffic that you should consider blocking; however, the best way to determine your needs is to follow a baseline approach: find or create a small list of traffic that you know for sure you do not want to allow (i.e. access to the domain controller from untrusted). You can copy one of the Juniper recommended or default lists and trim it down to your needs. Then put the device online in IDS, not IPS, for a test period and watch the traffic. Once you are sure those rules won't halt legitimate traffic, push them to IPS status to stop things. Juniper actually provides some free online training videos for the ISG 1000/2000 and a few other products. I actually just went through the ISG 1000 one myself a few days ago while researching these devices:
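As an added illustration of the approach both answers describe (zone-scoped rules, then an IDS-only test period before promoting to IPS), here is a small Python model; it is not code from this thread and not NSM or ScreenOS configuration. The zone names and exposed services come from the question; the attack-group names and sample flows are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Zones/services from the question; attack-group names are constructed placeholders.
SERVER_ZONES = {"dmz1": {"ftp", "smtp"}, "dmz2": {"http", "https"}}

@dataclass
class IdpRule:
    src_zone: str
    dst_zone: str
    services: set         # only these services are scanned by this rule
    attack_groups: set    # attack-object groups applied to that traffic
    action: str = "drop"  # taken only once the rule is promoted to IPS

@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    service: str
    matched_group: Optional[str] = None  # group the sensor hit, if any

def build_rulebase(server_zones=SERVER_ZONES):
    """One rule per DMZ, scoped to the services that zone really exposes."""
    rules = []
    for zone, services in server_zones.items():
        groups = {f"{svc.upper()}-attacks" for svc in services}
        rules.append(IdpRule("untrust", zone, set(services), groups))
    return rules

def evaluate(rulebase, flows, enforce=False):
    """enforce=False is the IDS test period (alert only); True promotes to IPS."""
    verdicts = []
    for f in flows:
        verdict = "permit"  # unmatched traffic is left to the firewall policy
        for r in rulebase:
            if ((r.src_zone, r.dst_zone) == (f.src_zone, f.dst_zone)
                    and f.service in r.services
                    and f.matched_group in r.attack_groups):
                verdict = r.action if enforce else "alert"
                break
        verdicts.append(verdict)
    return verdicts

# Constructed sample flows for a dry run of both phases.
SAMPLE_FLOWS = [
    Flow("untrust", "dmz1", "ftp", "FTP-attacks"),     # hit on the FTP server
    Flow("untrust", "dmz2", "http", "HTTP-attacks"),   # hit on a web server
    Flow("untrust", "dmz1", "ftp"),                    # clean FTP session
    Flow("trust", "untrust", "http", "HTTP-attacks"),  # outbound, not in scope
]
```

Running `evaluate(build_rulebase(), SAMPLE_FLOWS)` first without and then with `enforce=True` shows the same two matches moving from alert to drop while clean and out-of-scope traffic is untouched in both phases.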
