• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 833

ISG 1000 with IDP blade

Hi, I am going to be implementing a Juniper ISG 1000 firewall with IDP (I will use an NSM Express appliance to manage the IDP and the firewall). My network consists of the following zones:
trust: (contains the users , Domain controller and DNS server)
untrust: (Internet)
DMZ 1( FTP server and Email server)
DMZ 2 (Web servers and Application servers)

traffic will be allowed from trust to untrust
dmz1 to untrust
dmz2 to untrust
untrust to dmz1 and dmz2

I need assistance in creating IDP rules. I want to know what the recommended IDP rules are that I should create and what attack objects I should use.

0
Asked by: mzhaim

1 Solution
 
deimark commented:
There is a list of recommended rules within the IDP policy section on the NSM. These give a little more of an idea as to what the policy is and does.

However, adding an IDP rulebase is very dependent on what traffic you want to scan, what intruders you want to detect and also what you want to do with the intruders (i.e. monitor or drop).

You obviously have the FTP and mail in one zone, so only apply relevant rules there, and for the other DMZ zone, you can enter the web and any application specific detection.

The main admin guide can give an idea on how to customise the recommended rules, but I would suggest having a look at what attack objects you want to check for and then applying a custom rule to each set of traffic.
0
 
ish commented:
"deimark" is correct about the IDP ruleset being very dependent on traffic. There are "default" and recommended lists of ports and traffic that you should consider blocking; however, the best way to determine your needs is to follow a baseline approach: find or create a small list of traffic that you know for sure you do not want to allow (i.e. access to the domain controller from untrusted). You can copy one of the Juniper recommended or default lists and trim it down to your need. Then put the device online in IDS, not IPS, mode for a test period and watch the traffic. Once you are sure those rules won't halt legitimate traffic, push them to IPS status to stop things. Juniper actually provides some free online training videos for the ISG 1000/2000 and a few other products. I actually just went through the ISG 1000 one myself a few days ago while researching these devices: http://www.juniper.net/us/en/training/elearning/isg1000_2000.html
0
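The two answers above describe one workflow: scope attack-object groups per zone pair (FTP/mail checks only for DMZ1, web/application checks only for DMZ2), run the rulebase in detection-only mode for a trial period, trim the copied list where it fires on legitimate traffic, and only then promote rules to drop. The following Python model is an added example, not Juniper's NSM or ScreenOS code: the rule and event structures, the attack-group names and the trial log records are all constructed for illustration, and NSM itself has no such scripting interface. What it shows is the decision logic of that staging process, so that the "monitor first" rule is applied mechanically rather than by eye.

```python
"""Staging a zone-scoped IDP rulebase: monitor first, trim, then drop.

Added example modelling the thread's advice. Nothing here is Juniper's own
object model; rule fields, attack-group names and log records are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpRule:
    name: str
    from_zone: str
    to_zone: str
    service: str              # "ftp", "smtp", "http", ... or "any"
    attack_groups: frozenset  # attack-object groups this rule scans for


@dataclass(frozen=True)
class Event:
    """One log record from the monitor-only trial: where the session went,
    which attack group matched, and whether an analyst confirmed the traffic
    as legitimate during review."""
    from_zone: str
    to_zone: str
    service: str
    attack_group: str
    known_good: bool


# Constructed rulebase following the zone layout in the question: FTP/SMTP
# checks only for DMZ1, web checks only for DMZ2, and a broad rule protecting
# the trust zone (domain controller). Group names are placeholders, not
# Juniper's predefined attack-object groups.
RULEBASE = [
    IdpRule("untrust-dmz1-ftp", "untrust", "dmz1", "ftp",
            frozenset({"FTP:Critical", "FTP:Major"})),
    IdpRule("untrust-dmz1-smtp", "untrust", "dmz1", "smtp",
            frozenset({"SMTP:Critical", "SMTP:Major"})),
    IdpRule("untrust-dmz2-http", "untrust", "dmz2", "http",
            frozenset({"HTTP:Critical", "HTTP:Major", "HTTP:Minor"})),
    IdpRule("untrust-trust-any", "untrust", "trust", "any",
            frozenset({"Critical", "Major"})),
]

# Constructed log records from the detection-only (IDS) trial period.
TRIAL_EVENTS = [
    Event("untrust", "dmz1", "ftp", "FTP:Critical", known_good=False),
    Event("untrust", "dmz1", "ftp", "FTP:Major", known_good=False),
    Event("untrust", "dmz1", "smtp", "SMTP:Major", known_good=True),    # partner relay tripped a signature
    Event("untrust", "dmz2", "http", "HTTP:Critical", known_good=False),
    Event("untrust", "dmz2", "http", "HTTP:Minor", known_good=True),    # noisy signature on normal browsing
    Event("untrust", "trust", "ldap", "Critical", known_good=False),
    Event("trust", "untrust", "http", "HTTP:Major", known_good=False),  # no rule scans this direction
]


def matching_rule(event, rulebase=RULEBASE):
    """Return the first rule whose zone pair, service and attack groups cover
    the event, or None when nothing in the rulebase scans that traffic."""
    for rule in rulebase:
        if (rule.from_zone, rule.to_zone) != (event.from_zone, event.to_zone):
            continue
        if rule.service not in ("any", event.service):
            continue
        if event.attack_group in rule.attack_groups:
            return rule
    return None


def trial_summary(events=TRIAL_EVENTS, rulebase=RULEBASE):
    """Per rule name: (total hits, hits on known-good traffic, set of attack
    groups that fired on known-good traffic). Unmatched events are ignored."""
    hits, bad_hits = Counter(), Counter()
    noisy = defaultdict(set)
    for ev in events:
        rule = matching_rule(ev, rulebase)
        if rule is None:
            continue
        hits[rule.name] += 1
        if ev.known_good:
            bad_hits[rule.name] += 1
            noisy[rule.name].add(ev.attack_group)
    return {r.name: (hits[r.name], bad_hits[r.name], noisy[r.name]) for r in rulebase}


def promote_rules(events=TRIAL_EVENTS, rulebase=RULEBASE):
    """IDS -> IPS decision: a rule moves to "drop" only when the trial showed
    real hits and none of them were on legitimate traffic. A rule with no hits
    stays at "none" (log only): the trial gave no evidence either way."""
    summary = trial_summary(events, rulebase)
    return {name: ("drop" if hits and not bad else "none")
            for name, (hits, bad, _) in summary.items()}


def trimmed_rulebase(events=TRIAL_EVENTS, rulebase=RULEBASE):
    """Trim the copied list down: strip the attack groups that fired on
    known-good traffic so the rule can be re-trialled and then promoted."""
    summary = trial_summary(events, rulebase)
    return [IdpRule(r.name, r.from_zone, r.to_zone, r.service,
                    r.attack_groups - summary[r.name][2]) for r in rulebase]


if __name__ == "__main__":
    for name, (hits, bad, noisy) in trial_summary().items():
        print(f"{name:18} hits={hits} known-good hits={bad} noisy groups={sorted(noisy)}")
    print("first pass:", promote_rules())
    print("after trim:", promote_rules(TRIAL_EVENTS, trimmed_rulebase()))
```

On the constructed trial data the FTP and trust-zone rules are promoted to drop, while the SMTP and HTTP rules stay in log-only mode because a legitimate session matched them. After `trimmed_rulebase` removes the noisy `HTTP:Minor` group, the HTTP rule passes the same check and can be promoted; the SMTP rule loses its only matching group and needs a further trial, which is the loop ish describes.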
