IDP Extended Package Configuration Overview
The Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IDP-enabled device. It allows you to define policy rules to match a section of traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.
An IDP policy defines how your device handles the network traffic. It allows you to enforce various attack detection and prevention techniques on traffic traversing your network.
A policy is made up of rule bases, and each rule base contains a set of rules. You define rule parameters, such as traffic match conditions, action, and logging requirements, then add the rules to rule bases. After you create an IDP policy by adding rules in one or more rule bases, you can select that policy to be the active policy on your device.
To configure the IDP extended package (IPS-EP) perform the following steps:
Enable IPS in a security policy. See IDP Policy Rules and IDP Rule Bases.
Configure the TOE to result in applicable IPS data logging:
user@host# set security idp idp-policy <policy> rulebase-ips rule <rule> then notification log-attacks <severity>
Configure IDP policy rules, IDP rule bases, and IDP rule actions. See IDP Policy Rules and IDP Rule Bases.
Configure IDP custom signatures. See Understanding IDP Signature-Based Attacks.
Update the IDP signature database. See Updating the IDP Signature Database Overview.
Configure the TOE to configure the TOE behavior regarding the logging of the similar events.
user@host# set security idp sensor-configuration log suppression start-log <total events> user@host# set security idp sensor-configuration log suppression max-time-report <total events>
When the IDP hits a resource limit, the default behavior is to ignore the flow and let the flow pass without inspection. To avoid this behavior, configure the
drop-on-limitoption. This command ensures IDP attack inspection of all traffic and does not allow any traffic without inspection.[edit] user@host# set security idp sensor-configuration flow drop-on-limit
Additionally, the intrusion detection capabilities can be configured based on the throughput of the
TOE, time of the day, frequency of the event, and network bandwidth threshold using the following commands:Throughput of the TOE;
set firewall policer <policer_name> if-exceeding burst-size-limit <bytes>
Time of the day:
set schedulers scheduler <scheduler_name> daily start-time <hh:mm:ss> stop-time <hh:mm:ss> set security policies from-zone trust to-zone untrust policy <policy_name> scheduler-name <scheduler_name>
Frequency of the event:
set security idp custom-attack <attack_name> severity major set security idp custom-attack <attack_name> time-binding count <packet_count> scope source set security idp custom-attack <attack_name> attack-type signature protocol <protocol> destination-port match equal value <port> set security idp custom-attack <attack_name> attack-type signature context packet direction client-to-server
Network bandwidth thresholds:
set firewall policer <policer_name> if-exceeding bandwidth-limit <bytes>
Also, see IDP Sensor Configuration.