User manual JUNIPER NETWORKS NETWORK AND SECURITY MANAGER 2010.4 CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01

[. . . ] Network and Security Manager Configuring Intrusion Detection and Prevention Devices Guide Release 2010. 4 Published: 2010-11-17 Revision 01 Copyright © 2010, Juniper Networks, Inc. Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www. juniper. net This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. This program and its documentation were developed at private expense, and no part of them is in the public domain. [. . . ] It is recommended that you retain defaults for APE rulebase. By default: 60 Copyright © 2010, Juniper Networks, Inc. Chapter 4: Configuring Security Policies · IDP does not limit the rate of sessions that do not match APE rules. Rate limiting is done by service based till application is identified in the session i. e. When the application identification feature fails to identify the application, IDP does not try to match the rule but instead applies the default rate limit (if any). You can modify this so that in cases where application identification fails, IDP attempts to match the session to the standard protocol and port for the application. · For more information, see the IDP Concepts & Examples guide. Related Documentation · · Intrusion Detection and Prevention Devices and Security Policies Overview on page 31 Modifying IDP Rulebase Rules (NSM Procedure) on page 36 Copyright © 2010, Juniper Networks, Inc. 61 Configuring Intrusion Detection and Prevention Devices Guide 62 Copyright © 2010, Juniper Networks, Inc. CHAPTER 5 Working with Attack Objects · Attack Objects in Intrusion Detection and Prevention Security Policies Overview on page 63 Loading J-Security-Center Updates (NSM Procedure) on page 64 Viewing Predefined Attack Objects (NSM Procedure) on page 65 Working with Attack Groups (NSM Procedure) on page 66 Creating Custom Attack Objects (NSM Procedure) on page 69 Verifying the Attack Object Database Version (NSM Procedure) on page 77 Updating the IDP Detector Engine (NSM Procedure) on page 78 · · · · · · Attack Objects in Intrusion Detection and Prevention Security Policies Overview You use the NSM Object Manager to manage NSM administrative objects, including the attack objects used in IDP security policies. For more explanation of attack objects and examples, see the Network and Security Manager Administration Guide. For details on how to use NSM Object Manager features to copy objects, find references to objects, search for unused objects, or configure object versions, see the NSM online Help. IDP administration using attack objects can include the following tasks related to attack objects: · · · · · Updating IDP detector engine and the NSM attack database Viewing predefined attack object definitions Viewing attack object groups Creating custom attack objects Updating predefined IDP attack objects and groups Working with Attack Groups (NSM Procedure) on page 66 Viewing Predefined Attack Objects (NSM Procedure) Loading J-Security-Center Updates (NSM Procedure) on page 64 Related Documentation · · · Copyright © 2010, Juniper Networks, Inc. 63 Configuring Intrusion Detection and Prevention Devices Guide Loading J-Security-Center Updates (NSM Procedure) The Juniper Networks Security Center (J-Security Center) routinely makes important updates available to IDP security policy components, including updates to the IDP detector engine and NSM attack database. The IDP detector engine is a dynamic protocol decoder that includes support for decoding more than 60 protocols and more than 500 service contexts. You should update IDP detector engine when you first install the IDP device, whenever you upgrade, and whenever alerted to do so by Juniper Networks. The NSM attack database stores data definitions for the attack objects that are key components of IDP security policies. Updates can include new attack objects, revised severity settings, or removed attack objects. You should schedule daily updates to the NSM attack database. After you have completed the update, any new attack objects are available in the security policy editor. If you use dynamic groups to your IDP rulebase rules and a new attack object belongs to the dynamic group, the rule automatically inherits the new attacks. Table 35 on page 64 provides procedures for updating IDP detector engine and the NSM attack database. Table 35: IDP Detector Engine and NSM Attack Database Update Procedures Task To download IDP detector engine and NSM attack database updates to the NSM GUI server Procedure From the NSM main menu, select Tools > View/Update NSM attack database and complete the wizard steps. NOTE: The default URL from which to obtain updates is https://services. netscreen. com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo. dat. If you encounter connection errors, ensure this setting has not been inadvertently changed. From the NSM main menu, select Tools > Preferences. 2. NSM restores the URL in the Download URL for ScreenOS Devices text box. Click OK. To push an IDP detector engine update from the NSM GUI server to IDP devices From the NSM main menu, select Devices > IDP Detector Engine > Load IDP Detector Engine for ScreenOS and complete the wizard steps. [. . . ] NOTE: The minimum data point count that you can configure in all reports is 5; the maximum data point count is 200. Chart type Select from the following choices: · · · · Horizontal bar (default) Pie Line Vertical bar Save Report In In the first selection box, specify whether to save in the My Reports or Shared Reports node. In the second box, select the Others folder or type a new folder name. Filter Columns for Report Filter Settings The columns you selected on the General tab are passed through. Select the column with the cursor to display the corresponding Filter Settings controls. Specify filter values related to column settings. 138 Copyright © 2010, Juniper Networks, Inc. Chapter 12: Working with NSM Logs and Reports TIP: For information on deleting custom reports, organizing report folders, exporting reports, and using the NSM guiSvrCli. sh command line utility and Linux cron utility to automate reporting jobs, see the NSM online Help. Related Documentation · · NSM Logs and Reports Overview on page 129 Intrusion Detection and Prevention Reporter Overview on page 141 Configuring Log Suppression You can configure log suppression if you want to reduce the number of logs displayed in the NSM log viewer. [. . . ]