12-22-2011 05:36 AM
Can someone explain to me the difference between "normal" and "recommended" IDP signatures?
What decision is behind a signature flagged as recommended?
How do you recommend I build IDP databases? Should I use only recommended signatures or all of them?
12-22-2011 12:45 PM
Take a look at page 629
All predefined attack objects have a default action associated with
them. This is the action that Juniper Networks recommends when
that attack is detected.
NOTE: This action is supported only for IPS rulebases.
Recommended —A list of all attack objects that Juniper Networks
considers to be serious threats, organized into categories.
Attack type groups attack objects by type (anomaly or signature).
Within each type, attack objects are grouped by severity.
Category groups attack objects by predefined categories. Within
each category, attack objects are grouped by severity.
Operating system groups attack objects by the operating system
to which they apply: BSD, Linux, Solaris, or Windows. Within each
operating system, attack objects are grouped by services and
Severity groups attack objects by the severity assigned to the
attack. IDP has five severity levels: Critical, Major, Minor, Warning,
and Info. Within each severity, attack objects are grouped by
12-23-2011 08:16 AM
So Juniper recommends both: using the recommended flag in an attack group and using the recommended flag in the policy action rule.
What do you use normally?
Most of my customers are small business users, so worry-free automatic protection is what most of this customer group wants.
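The two "recommended" settings mentioned in the post above (the predefined "Recommended" attack group as the match, and the recommended action as the rule action) look like this as a Junos SRX IDP policy. This is an added example, not configuration posted in the thread or taken from the page-629 document; it assumes a Junos SRX with an IDP licence and the signature package already installed, and the policy, rule and zone names ("idp-recommended", "r1", "trust", "untrust", "allow-out") are hypothetical.

```junos
## Added example, not from the thread. Assumes Junos SRX with the IDP
## signature package installed; policy/rule/zone names are hypothetical.

## Match all traffic, but only against the predefined "Recommended" group,
## i.e. the attack objects Juniper considers serious threats.
set security idp idp-policy idp-recommended rulebase-ips rule r1 match from-zone any to-zone any
set security idp idp-policy idp-recommended rulebase-ips rule r1 match source-address any destination-address any
set security idp idp-policy idp-recommended rulebase-ips rule r1 match application default
set security idp idp-policy idp-recommended rulebase-ips rule r1 match attacks predefined-attack-groups "Recommended"

## Take the per-attack-object default action Juniper ships with each
## signature (the "recommended flag in the policy action rule"), and log hits.
set security idp idp-policy idp-recommended rulebase-ips rule r1 then action recommended
set security idp idp-policy idp-recommended rulebase-ips rule r1 then notification log-attacks

## Make it the active IDP policy (older Junos releases select the policy
## globally this way; newer releases name the policy in the security policy
## instead, so check which form your release accepts).
set security idp active-policy idp-recommended

## Hand permitted traffic to IDP from the firewall policy that allows it.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp

## After commit, confirm the policy compiled and is loaded, and watch the
## attack counters fill in:
##   show security idp status
##   show security idp attack table
```

Because "then action recommended" defers to the default action stored in each attack object, a signature update can change what the box does for a given attack without any policy edit; that is exactly the hands-off behaviour a small-business deployment wants, but it is worth re-running `show security idp attack table` after each signature update to see what is now being dropped.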
12-26-2011 05:14 PM
Well, recommended is the list that Juniper sees as real threats, so you can probably trust that unless you know of more. As small businesses, I would say that's safe. Do they host anything internal? If not, it's probably just fine.
I don't actually run any IDP services; I think our core group has an IronPort or some other appliance.