Intrusion Prevention
Contributor
Hic
Posts: 12
Registered: ‎12-01-2008

Recommended Attack Objects

Hello,

How does Juniper define recommended attacks? And therefore, in IDP policies, is it recommended to put Recommended Attack objects instead of the other predefined ones?

I’m asking this because I defined an IDP policy and I put the Recommended Worm, Virus and Trojan attack groups with the recommended action. After that, I realized that the original Worm and Virus attack groups contain many more attacks than the recommended ones! So I’m wondering why and how Juniper has selected these attacks and whether it is recommended, in the case of Trojan, Virus and Worm, to use the original groups or the recommended ones?

Thank you in advance

Regards,

Juniper Employee
Bluesrocker
Posts: 67
Registered: ‎04-30-2008

Re: Recommended Attack Objects

Hic:

I don't believe there is an exact science as to what is put into the recommended attack policy. However, I can see how the sum of all the individual attack policies would be bigger than the "recommended" policy. I think that if one wants to explicitly guard against trojans, etc., then that would be "recommended" but more intensive than the general "recommended" policy. One may be able to view the "recommended" policy as a starting point, but it should then be modified (and saved as a custom policy) as the intrusion data is reviewed and changes are needed.

I hope this helps,

BR

Juniper Employee
Bluesrocker
Posts: 67
Registered: ‎04-30-2008

Re: Recommended Attack Objects

Hic:

One more thing that I thought of... I believe they wanted the "recommended" policy to be able to fit on all platforms, as the higher end IDPs have more memory than the lower end models. In not having a complete aggregate recommended policy from all the other attack types (protocol anomaly recommended, backdoor recommended, etc.), it makes it so the "recommended" policy will fit on all IDP types.

Regards,

BR 

Contributor
Hic
Posts: 12
Registered: ‎12-01-2008

Re: Recommended Attack Objects

Thank you for your help and information,

I was not talking about the "recommended POLICY" but I wanted to know about the "recommended attack OBJECT/GROUP".

Of course the recommended policy is a good place to start, as it contains many of the common services. But as a security analyst, I can see that for attack groups like Trojan, virus... the original groups contain more attacks than the recommended ones, so I cannot take the risk and ignore the other ones, and hence I would utilize the original group with high and critical severity instead of the recommended one.

Thank you again and Best Regards,

Juniper Employee
Bluesrocker
Posts: 67
Registered: ‎04-30-2008

Re: Recommended Attack Objects

Ahhh, ok, I see what you are saying. Our NSM is down as we are moving the lab, I'll have to take a look at the groups.

Regards,

-Michael
