08-08-2010 03:21 AM
How does Juniper define recommended attacks? And therefore, in IDP policies, is it recommended to put Recommended Attacks objects instead of the other predefined ones?
I'm asking this because I defined an IDP policy and I put the Recommended Worm, Virus and Trojan attack groups with the recommended action. After that, I realised that the original Worm and Virus attack groups contain many more attacks than the recommended ones! So I'm wondering why and how Juniper has selected these attacks, and whether it is recommended (in the case of Trojan, Virus and Worm) to use the original groups or the recommended ones?
Thank you in advance
08-12-2010 10:17 AM
I don't believe there is an exact science as to what is put into the recommended attack policy. However, I can see how the sum of all the individual attack policies would be bigger than the "recommended" policy. I think that if one wants to explicitly guard against trojans, etc., then that would be "recommended" but more intensive than the general "recommended" policy. One may be able to view the "recommended" policy as a starting point, but it should then be modified (and saved as a custom policy) as the intrusion data is reviewed and changes are needed.
I hope this helps,
08-12-2010 10:20 AM
One more thing that I thought of... I believe they wanted the "recommended" policy to be able to fit on all platforms, as the higher-end IDPs have more memory than the lower-end models. By not having a complete aggregate recommended policy from all the other attack types (protocol anomaly recommended, backdoor recommended, etc.), it makes it so the "recommended" policy will fit on all IDP types.
09-17-2010 07:08 AM
Thank you for your help and information,
I was not talking about the "recommended POLICY" but I wanted to know about the "recommended attack OBJECT/GROUP".
Of course the recommended policy is a good place to start, as it contains many of the common services. But as a security analyst, I can see that for attack groups like Trojan, Virus... the original groups contain more attacks than the recommended ones, so I cannot take the risk and ignore the others, and hence I would utilize the original group with high and critical severity instead of the recommended one.
Thank you again and Best Regards,