Topic: Best Policy Practice on IDP

Capt_Winters

Best Policy Practice on IDP
« on: September 09, 2008, 03:56:16 am »

Hi Gurus,

Any recommendation on best practices when it comes to POLICIES?

Like policy hardening, fine tuning, etc.

My rule on IDP right now is to accept all traffic from any/any to my network, with all major and other severity levels accepted.

I'm going to gather all the reports and then fine tune the policy with DROP as the action.

Any suggestions?

Thank you,

winters

bwalker

Re: Best Policy Practice on IDP
« Reply #1 on: September 11, 2008, 09:41:48 am »

Hello Winters,

That's basically what I did. I don't use Juniper; I prefer Stonesoft's IDS/IPS solution, but I approached the implementation in the same way.

The last thing you want to do (especially if you are introducing an inline IPS) is to put the device in and have it block legitimate traffic. As with all IDS/IPS you have to baseline it: let it log, and then you can determine what is the "norm" for your environment. This can take as long as you like (I did it for 4-6 weeks), and then from the information it found I fine-tuned my policy.

The nice thing about the StoneGate IPS is that it has a "passive termination" feature, which means that it allowed all traffic to pass but logged any traffic that it would have blocked in "active termination" in a different colour, which made it loads easier for me to decipher the logs and build my policy.

Good luck with your implementation.

Brian
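Editor's note: the two posts above describe the same procedure (run every rule as accept-and-log for a few weeks, then decide per signature what to flip to DROP). The script below is an added example of that triage step written for this thread; it is not code from either poster, from Juniper or from Stonesoft. The log line format, the field names (sig, severity, src, dst, dport, action), the internal address ranges and the recommendation thresholds are all constructed for the example and are not the real Juniper IDP/NSM log format.

```python
"""Triage 'accept and log' IDP baseline events into per-signature tuning
recommendations before flipping rules to DROP.

Added example for this thread, not code from the original posts. The log line
format below is constructed for the example and is NOT the real Juniper IDP or
NSM log format; the field names (sig, severity, src, dst, dport, action), the
internal ranges and the recommendation thresholds are assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample of a baseline window; every rule is still set to accept.
SAMPLE_LOG = """\
2008-09-10T01:02:03 sig=HTTP:SQL:INJ severity=critical src=203.0.113.5 dst=192.0.2.10 dport=80 action=accept
2008-09-10T01:04:11 sig=HTTP:SQL:INJ severity=critical src=203.0.113.9 dst=192.0.2.10 dport=80 action=accept
2008-09-10T02:17:45 sig=HTTP:SQL:INJ severity=critical src=203.0.113.5 dst=192.0.2.11 dport=80 action=accept
2008-09-10T03:00:01 sig=SMB:NTLM:SCAN severity=major src=192.168.10.4 dst=192.0.2.20 dport=445 action=accept
2008-09-10T03:00:02 sig=SMB:NTLM:SCAN severity=major src=192.168.10.4 dst=192.0.2.21 dport=445 action=accept
2008-09-10T03:05:09 sig=SMB:NTLM:SCAN severity=major src=192.168.10.5 dst=192.0.2.20 dport=445 action=accept
2008-09-10T04:41:30 sig=SMB:NTLM:SCAN severity=major src=203.0.113.77 dst=192.0.2.20 dport=445 action=accept
2008-09-10T05:12:00 sig=DNS:OVERFLOW:LONG-NAME severity=minor src=203.0.113.7 dst=192.0.2.53 dport=53 action=accept
2008-09-10T06:30:15 sig=SSH:BRUTE-FORCE severity=major src=203.0.113.40 dst=192.0.2.22 dport=22 action=accept
2008-09-10T06:30:16 sig=SSH:BRUTE-FORCE severity=major src=203.0.113.40 dst=192.0.2.22 dport=22 action=accept
this line is deliberately malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sig=(?P<sig>\S+) severity=(?P<severity>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)
# Assumed internal ranges; adjust to the monitored network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SEVERITY_RANK = {"info": 0, "warning": 1, "minor": 2, "major": 3, "critical": 4}


def parse_events(log_text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(events):
    """Per-signature hit count, distinct sources and number of internal-sourced hits."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["sig"], {"severity": e["severity"], "hits": 0,
                                        "sources": set(), "internal_hits": 0})
        s["hits"] += 1
        s["sources"].add(e["src"])
        if is_internal(e["src"]):
            s["internal_hits"] += 1
    return stats


def recommend(stats, min_severity="major", max_internal_share=0.5):
    """Map each signature to 'drop', 'review' or 'log-only'.

    drop     : at or above min_severity and mostly hit from outside
    review   : at or above min_severity but mostly from internal hosts; in a
               baseline that is usually scanners or monitoring, so exempt those
               sources before enabling DROP
    log-only : below min_severity; keep visibility, do not block yet
    """
    recs = {}
    for sig, s in stats.items():
        if SEVERITY_RANK.get(s["severity"], 0) < SEVERITY_RANK[min_severity]:
            recs[sig] = "log-only"
        elif s["internal_hits"] / s["hits"] > max_internal_share:
            recs[sig] = "review"
        else:
            recs[sig] = "drop"
    return recs


def report(log_text):
    """Convenience wrapper returning (recommendations, per-signature stats)."""
    stats = summarize(parse_events(log_text))
    return recommend(stats), stats


if __name__ == "__main__":
    recs, stats = report(SAMPLE_LOG)
    for sig in sorted(recs):
        s = stats[sig]
        print(f"{sig:24} {s['severity']:8} hits={s['hits']:3} "
              f"sources={len(s['sources'])} internal={s['internal_hits']} -> {recs[sig]}")
```

The point of the "review" bucket is the one both posters make implicitly: a signature that fires mostly from your own address space during the baseline is the one most likely to block legitimate traffic once set to DROP, so it gets an exemption for those sources (or a rule split) before the action changes, while externally sourced high-severity hits can go straight to DROP.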

Frac

Re: Best Policy Practice on IDP
« Reply #2 on: September 22, 2008, 07:16:25 am »
Hi,

You have a nice tool in Juniper IDP for this: the Profiler!

You can create a violation rulebase, let the Profiler run for 3 weeks, and then compare this rulebase with the Profiler database.

You will then see all the traffic that isn't included in your violation rulebase.

GreetZ,
Frac
JNCIS-FWV, JNCIS-ER, JNCIA-EX, JNCIA-IDP http://juniper-frac.blogspot.com
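Editor's note: the comparison Frac describes (a rulebase of expected traffic checked against what the Profiler actually recorded over the baseline window) is easy to reproduce outside the product. The script below is an added example for this thread, not Juniper's Profiler, NSM code or anything from the poster; the rule dictionaries, the flow tuples and the addresses are constructed for the example and are not NSM's rulebase or Profiler database formats.

```python
"""Compare a snapshot of profiled traffic against the flows the policy is
expected to see, and list everything not covered.

Added example for this thread, not Juniper's Profiler or NSM code. The rule and
flow structures below are constructed for the example; they are not NSM's
rulebase or Profiler database formats.
"""
from ipaddress import ip_address, ip_network

# Constructed "expected traffic" rulebase: src -> dst on proto/port; "any" is a wildcard.
EXPECTED_RULES = [
    {"src": "any", "dst": "192.0.2.10/32", "proto": "tcp", "dport": 80},
    {"src": "any", "dst": "192.0.2.10/32", "proto": "tcp", "dport": 443},
    {"src": "192.168.0.0/16", "dst": "192.0.2.53/32", "proto": "udp", "dport": 53},
    {"src": "192.168.10.0/24", "dst": "192.0.2.22/32", "proto": "tcp", "dport": 22},
]

# Constructed profiler snapshot: (src, dst, proto, dport, sessions) seen over 3 weeks.
PROFILED_FLOWS = [
    ("203.0.113.5", "192.0.2.10", "tcp", 80, 1200),
    ("198.51.100.7", "192.0.2.10", "tcp", 443, 340),
    ("192.168.10.4", "192.0.2.53", "udp", 53, 5000),
    ("192.168.10.4", "192.0.2.22", "tcp", 22, 12),
    ("203.0.113.40", "192.0.2.22", "tcp", 22, 87),   # SSH from the Internet
    ("192.168.20.9", "192.0.2.22", "tcp", 22, 3),    # SSH from an unexpected subnet
    ("192.168.10.4", "192.0.2.10", "tcp", 3389, 2),  # RDP to the web server
]


def _addr_in(spec, ip):
    """True if ip is inside the CIDR spec, or spec is the 'any' wildcard."""
    return spec == "any" or ip_address(ip) in ip_network(spec)


def rule_matches(rule, flow):
    src, dst, proto, dport, _sessions = flow
    return (_addr_in(rule["src"], src) and _addr_in(rule["dst"], dst)
            and rule["proto"] in ("any", proto)
            and rule["dport"] in ("any", dport))


def find_violations(flows, rules):
    """Flows from the profiler snapshot that no expected-traffic rule covers."""
    return [f for f in flows if not any(rule_matches(r, f) for r in rules)]


def group_by_service(violations):
    """(dst, proto, dport) -> {sessions, sources}, so each unexpected service
    can be decided once: add a rule for it, or leave it to be dropped."""
    out = {}
    for src, dst, proto, dport, sessions in violations:
        g = out.setdefault((dst, proto, dport), {"sessions": 0, "sources": set()})
        g["sessions"] += sessions
        g["sources"].add(src)
    return out


if __name__ == "__main__":
    groups = group_by_service(find_violations(PROFILED_FLOWS, EXPECTED_RULES))
    for (dst, proto, dport), g in sorted(groups.items()):
        print(f"{dst}:{dport}/{proto} sessions={g['sessions']} from {sorted(g['sources'])}")
```

Grouping by destination service rather than by individual flow is deliberate: what comes out of the 3-week window is a short list of services nobody wrote a rule for (here SSH to 192.0.2.22 from outside the expected subnet and RDP to the web server), and each line is a decision to either extend the rulebase or let the traffic be dropped once the policy goes active.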