Deep Inspection Action Overview


Article ID: KB4250 | KB Last Updated: 04 Jun 2010 | Version: 3.0
Summary:
Deep Inspection Action Overview
Symptoms:

Solution:

When the NetScreen Deep Inspection (DI) module detects an attack, it immediately performs a predefined action. There are seven possible actions that can be specified. They are as follows:

  • None: None means that no action will be taken. None is useful when first identifying attack types during the initial setup phase of your DI implementation. When the NetScreen device detects an attack signature or protocol anomaly, it makes an entry in the event log but takes no action on the traffic itself. The NetScreen device continues to check subsequent traffic in that session and make log entries if it detects other attack signatures and anomalies.
  • Ignore: After detecting an attack signature or protocol anomaly, the NetScreen device makes an event log entry and stops checking (ignores) the remainder of the connection; it does not sever the session itself. Use this option to tweak false positives during the initial setup phase of your DI implementation. Also use this option when a service uses a standard port number for nonstandard protocol activities; for example, Yahoo Messenger uses port 25 (SMTP port) for non-SMTP traffic. The NetScreen device logs the occurrence once per session (so that it does not fill the log with false positives), but takes no action.
  • Drop Packet: Drop Packet drops a particular packet, but does not terminate the connection. This option drops the packet in which an attack signature or protocol anomaly occurs but does not terminate the session itself. Use this option to drop malformed packets without disrupting the entire session. For example, if the NetScreen device detects an attack signature or protocol anomaly from an AOL proxy, dropping everything would disrupt all AOL service. Instead, dropping just the packet stops the problem packet without stopping the flow of all the other packets.
  • Drop: Drop terminates the connection without sending anyone an RST. Use this option for UDP or other non-TCP connections, such as DNS. The NetScreen device drops all packets in a session, but does not send a TCP RST.
  • Close Client: Close Client terminates the connection and sends an RST to the client. Use this option for outbound TCP connections from a protected client to an untrusted server. If, for example, the server sends a malicious URL string, the NetScreen device drops the connection and sends an RST only to the client so that it can clear its resources, while the server is left hanging.
  • Close Server: Close Server terminates the connection and sends an RST to the server. Use this option for inbound TCP connections from an untrusted client to a protected server. If the client tries to launch an attack, the NetScreen device drops the connection and sends a TCP RST only to the server so that it can clear its resources, while the client is left hanging.
  • Close: Close terminates a connection and sends an RST to both client and server. Use this option for TCP connections. The NetScreen device drops the connection and sends a TCP RST to both the client (source) and server (destination). Because the delivery of RST notifications is unreliable, sending an RST to both client and server gives a greater chance that at least one of them receives it and closes the session.
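
The differences between the seven actions, modelled on a single session as an added example (not Juniper code or ScreenOS configuration). The packet labels, the `matches_signature` predicate, and the assumptions that every detection is logged and that the matching packet is discarded when a session is terminated are illustrative simplifications.

```python
from dataclasses import dataclass, field

# Behaviour per action, taken from the list above:
# (drop the matching packet, terminate the session, RST recipients, stop inspecting)
ACTIONS = {
    "None":         (False, False, (), False),
    "Ignore":       (False, False, (), True),
    "Drop Packet":  (True,  False, (), False),
    "Drop":         (True,  True,  (), False),
    "Close Client": (True,  True,  ("client",), False),
    "Close Server": (True,  True,  ("server",), False),
    "Close":        (True,  True,  ("client", "server"), False),
}

@dataclass
class Outcome:
    forwarded: list = field(default_factory=list)  # packets that passed the device
    log_entries: int = 0                           # event log entries written
    rst_to: tuple = ()                             # who receives a TCP RST
    session_alive: bool = True

def apply_action(action, packets, is_attack):
    """Run one session's packets through DI with the given action (simplified model)."""
    drop_packet, terminate, rst_to, stop_inspecting = ACTIONS[action]
    out, inspecting = Outcome(), True
    for pkt in packets:
        if inspecting and is_attack(pkt):
            out.log_entries += 1          # assumption: every detection is logged
            if stop_inspecting:           # Ignore: rest of the connection is unchecked
                inspecting = False
            if terminate:                 # Drop / Close*: nothing further is forwarded
                out.rst_to, out.session_alive = rst_to, False
                break
            if drop_packet:               # Drop Packet: only this packet is lost
                continue
        out.forwarded.append(pkt)
    return out

# Constructed sample session: two packets match a signature, three do not.
SESSION = ["ok-1", "BAD-2", "ok-3", "BAD-4", "ok-5"]

def matches_signature(pkt):
    return pkt.startswith("BAD")

if __name__ == "__main__":
    for name in ACTIONS:
        r = apply_action(name, SESSION, matches_signature)
        print(f"{name:13} fwd={r.forwarded} logs={r.log_entries} rst={r.rst_to}")
```

Running it shows why None suits initial tuning (every detection is logged, nothing is blocked) while Ignore logs once per session and lets the rest through unchecked.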
