Best Policy Practice on IDP
Guest
Any recommendation on best practices when it comes to POLICIES?
Like policy hardening, fine tuning…etc.
My rule on IDP right now is to accept all traffic from any/any to my network, with all major and severity levels accepted.
I'm going to gather all reports, then fine-tune the policy with DROP as the action.
You have a nice tool in Juniper IDP for this! (Profiler)
You can create a violation rulebase, then let Profiler run for 3 weeks and compare this rulebase with the Profiler database.
You will then see all the traffic that isn't included in your violation rulebase.
bwalker
That's basically what I did. I don't use Juniper; I prefer Stonesoft's IDS/IPS solution, but I approached the implementation in the same way.
The last thing you want to do (especially if you are introducing inline IPS) is to put the device in and have it blocking legitimate traffic. As with all IDS/IPS you have to baseline it: let it log, and then you can determine what is the "norm" for your environment. This can take as long as you like (I did it for 4-6 weeks), and then from the information it found I fine-tuned my policy.
The nice thing about the StoneGate IPS is that it has a “passive termination” feature which means that it allowed all traffic to pass but logged any traffic that it would have blocked in “active termination” in a different colour which made it loads easier for me to decipher the logs and build my policy.
Good luck with your implementation.
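The baselining workflow both replies describe (log what the sensor *would* have blocked, compare it against the violation rulebase, then decide what to flip to DROP) as an added example that is not from the thread or from any vendor's tooling. The log format, signature names, rulebase contents and thresholds are all constructed assumptions.

```python
# Added example: triage permit-mode IDP alerts before switching rules to DROP.
import re
from collections import Counter

# Constructed sample of alerts logged while the policy was "accept and log".
# The key=value layout is an assumption, not a real vendor format.
BASELINE_LOG = """\
sig=HTTP:SQL:INJ severity=major src=10.1.1.5 dst=172.16.0.10 action=permit
sig=HTTP:SQL:INJ severity=major src=10.1.1.5 dst=172.16.0.10 action=permit
sig=DNS:EXPLOIT:TXT severity=critical src=192.0.2.7 dst=172.16.0.53 action=permit
sig=SMB:AUDIT:NULL-SESSION severity=minor src=10.1.1.20 dst=172.16.0.2 action=permit
sig=HTTP:SQL:INJ severity=major src=10.1.1.5 dst=172.16.0.11 action=permit
sig=HTTP:SCAN:NIKTO severity=major src=198.51.100.4 dst=172.16.0.10 action=permit
"""

# Constructed "violation rulebase": signatures the policy intends to enforce.
VIOLATION_RULEBASE = {"HTTP:SQL:INJ", "DNS:EXPLOIT:TXT"}
DROP_SEVERITIES = {"major", "critical"}   # assumed tuning choice
NOISY_THRESHOLD = 3                       # assumed: this many hits = investigate first

LINE_RE = re.compile(r"sig=(\S+) severity=(\S+) src=(\S+) dst=(\S+) action=(\S+)")

def parse(log):
    """Turn baseline log lines into event dicts; malformed lines are skipped."""
    keys = ("sig", "severity", "src", "dst", "action")
    return [dict(zip(keys, m.groups()))
            for m in (LINE_RE.match(l) for l in log.splitlines()) if m]

def propose_actions(events, rulebase=VIOLATION_RULEBASE):
    """Bucket each observed signature for policy tuning:
    drop      - in the rulebase, droppable severity, low volume: safe to enforce
    review    - in the rulebase but noisy: check for legitimate traffic first
    uncovered - seen but absent from the rulebase (the Profiler-style difference)
    """
    hits = Counter(e["sig"] for e in events)
    severity = {e["sig"]: e["severity"] for e in events}
    out = {"drop": [], "review": [], "uncovered": []}
    for sig, n in sorted(hits.items()):
        if sig not in rulebase:
            out["uncovered"].append(sig)
        elif n >= NOISY_THRESHOLD or severity[sig] not in DROP_SEVERITIES:
            out["review"].append(sig)
        else:
            out["drop"].append(sig)
    return out

if __name__ == "__main__":
    for bucket, sigs in propose_actions(parse(BASELINE_LOG)).items():
        print(f"{bucket:9s} {', '.join(sigs) or '-'}")
```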