Intrusion Prevention

  • 1.  IDP Signature Updates

    Posted 12-03-2009 14:48

    Hi there,

    I'm setting up several pieces of Juniper kit.  We've got an SSG firewall on the outside, then behind that there's an SA4500FIPS box (traffic will come from the firewall to the external interface of the SA and cleartext traffic will be transmitted out of the internal interface) and behind that on the inside there's an IDP75.  Nothing has actually been configured yet but the boxes are racked and waiting.
    I was wondering how the IDP 75 would get its signature updates.  The management interface was going to be on the internal network but I was thinking that if this is the case then it wouldn't be able to initiate connections out through the SA box would it?  In order to get signature updates will I need to put the management interface of the IDP75 outside of the SA4500 (but behind the firewall)?
    Thanks,

    Pete.



  • 2.  RE: IDP Signature Updates

    Posted 12-04-2009 02:37

    Whoops, sorry!

    I asked a silly question.  I was just going through in my head any of the possible problems and I didn't have a diagram in front of me.  I took a look today and did a sanity check.  The SA box isn't inline on the inside interface of the firewall so it will be fine.
    The setup is as follows: we have a firewall with 4 interfaces (external, DMZ 1, DMZ 2 and internal).  Traffic comes in from the external interface of the firewall and gets NATed to the SA box external interface, which is on DMZ 1.  Clear text traffic gets spat out of the internal interface of the SA box, which is on DMZ 2, and that traffic gets put through the firewall again.  Finally the traffic gets put out of the internal interface of the firewall.  The management address of the IDP is on the internal network and so can make connections out, as it doesn't have to go via the SA box.
    Apologies for the daft question, it had been a very long day!
    Pete.



  • 3.  RE: IDP Signature Updates
    Best Answer
    Posted 12-04-2009 04:46

    Hi Pete,

    I did not really get where the IDP 75 resides in your network, but to answer your questions:
    IDP has an out-of-band management interface. This management interface must be reachable from the NSM (the management system).

    NSM gets the signature update (via HTTPS) from the Juniper repository, then this signature update can be pushed to the IDP.

    The key here: NSM must have an HTTP connection to the Internet, and NSM must be able to reach the IDP management interface.

    Hth
    Omar