IDP Policies Overview
The Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IDP-enabled device. It allows you to define policy rules to match a section of traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.
An IDP policy defines how your device handles the network traffic. It allows you to enforce various attack detection and prevention techniques on traffic traversing your network.
A policy is made up of rulebases, and each rulebase contains a set of rules. You define rule parameters, such as traffic match conditions, action, and logging requirements, then add the rules to rulebases. After you create an IDP policy by adding rules in one or more rulebases, you can select that policy to be the active policy on your device.
Junos OS allows you to configure multiple IDP policies, but a device can have only one active IDP policy at a time. You can install the same IDP policy on multiple devices, or you can install a unique IDP policy on each device in your network. A single policy can contain only one instance of any type of rulebase.
This topic includes the following sections:
- IDP Policy Terms
- Working with IDP Policies
IDP Policy Terms
Before configuring IDP policies, become familiar with the terms defined in Table 41.
Table 41: IDP Terms
| Term | Definition |
|---|---|
Attacks | Attacks attempt to exploit vulnerabilities in computer hardware and software. Depending on the severity of the attack, it might disable your system completely, allow an attacker to gain confidential information stored on your system, or use your network to attack other networks. |
Attack objects | A signature or protocol anomaly that is combined with context information. Attack objects are used in Main rulebase rules to match malicious traffic patterns. Each attack object detects a known attack or protocol anomaly that can be used by an attacker to compromise your network. |
False positives | Any situation in which benign traffic causes an intrusion detection service to generate an alert; also known as a false alert. |
Protocol anomaly | A deviation from the RFC specifications that dictate how communications between two entities should be implemented. Most legitimate traffic does not deviate from the protocols; when anomalies are detected, they are often a sign of malicious traffic and seen as a threat to the system. |
Rule | A user-defined match/action sequence. Rules are represented graphically in the Security Policy Editor, where you can create, modify, delete, and reorder them in a rulebase. |
Rulebase | A set of rules that uses a specific detection mechanism to identify and prevent attacks. |
Severity | The designated threat level of an attack (critical, high, medium, low, or informational). Attack objects use the severity setting that matches the threat level of the attack they detect. |
Working with IDP Policies
You can perform the following tasks to manage IDP policies:
- Create new IDP policies starting from scratch. See Example: Defining Rules for an IDP IPS Rulebase.
- Create an IDP policy starting with one of the predefined templates provided by Juniper Networks (see Understanding Predefined IDP Policy Templates).
- Add or delete rules within a rulebase. You can use any of the following IDP objects to create rules:
  - Zone and network objects available in the base system
  - Predefined service objects provided by Juniper Networks
  - Custom application objects
  - Predefined attack objects provided by Juniper Networks
- Create custom attack objects (see Example: Configuring IDP Signature-Based Attacks).
- Update the signature database provided by Juniper Networks. This database contains all predefined objects.
- Maintain multiple IDP policies. Any one of the policies can be applied to the device.
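The following configuration is an added example, not part of the original topic or of any Juniper-provided template. It shows the structure described above in Junos CLI set commands: a single IDP policy holding one IPS rulebase and one exempt rulebase, a rule in each built from zone, address, application, and attack objects, an active preventive action with logging, the policy selected as the device's one active policy, and a security policy that hands matching traffic to IDP. The zone names (trust, untrust), the policy and rule names, and the predefined attack and attack-group names are assumptions; use the names present in your own installed signature database.

```junos
# Added example (not from the original topic). Zone names, policy names,
# and the predefined attack/group names below are assumptions.

# IPS rulebase: match trust->untrust traffic from any address, using the
# default application set, against a predefined attack group.
set security idp idp-policy base-policy rulebase-ips rule 1 match from-zone trust
set security idp idp-policy base-policy rulebase-ips rule 1 match to-zone untrust
set security idp idp-policy base-policy rulebase-ips rule 1 match source-address any
set security idp idp-policy base-policy rulebase-ips rule 1 match destination-address any
set security idp idp-policy base-policy rulebase-ips rule 1 match application default
set security idp idp-policy base-policy rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - Critical"

# Active prevention: drop the connection, log the attack, and flag it as an alert.
set security idp idp-policy base-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule 1 then notification log-attacks alert

# Exempt rulebase: suppress one attack object that is known to raise false
# positives on this traffic path. A policy may hold only one exempt rulebase.
set security idp idp-policy base-policy rulebase-exempt rule 1 match from-zone trust
set security idp idp-policy base-policy rulebase-exempt rule 1 match to-zone untrust
set security idp idp-policy base-policy rulebase-exempt rule 1 match source-address any
set security idp idp-policy base-policy rulebase-exempt rule 1 match destination-address any
set security idp idp-policy base-policy rulebase-exempt rule 1 match attacks predefined-attacks "FTP:USER:ROOT"

# Only one IDP policy can be active on the device at a time.
set security idp active-policy base-policy

# Security policy that permits trust->untrust traffic and sends it through IDP.
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match destination-address any
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match application any
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp
commit
```

After the commit, `show security idp policy-commit-status` reports whether the policy compiled and loaded, `show security idp status` shows the active policy name and session counters, and `show security idp attack table` lists the attack objects that have matched so far, which is the quickest way to confirm that the rule is seeing traffic and that the exempt rule is suppressing the expected object rather than something broader.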
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding IDP Policy Rules
- Understanding IDP Terminal Rules
- Understanding IDP Application Sets
- Understanding Custom Attack Objects
- Understanding Predefined IDP Policy Templates
- Example: Enabling IDP in a Security Policy