Chapter 21 IDP
NXC5200 User’s Guide
309
21.4 Creating New Profiles
You may want to create a new profile if not all signatures in a base profile are
applicable to your network. In this case you should disable non-applicable
signatures so as to improve NXC IDP processing efficiency.
You may also find that certain signatures are triggering too many false positives or
false negatives. A false positive is when valid traffic is flagged as an attack. A false
negative is when invalid traffic is wrongly allowed to pass through the NXC. As
each network is different, false positives and false negatives are common on initial
IDP deployment.
You could create a new ‘monitor profile’ that creates logs but all actions are
disabled. Observe the logs over time and try to eliminate the causes of the false
alarms. When you’re satisfied that they have been reduced to an acceptable level,
you could then create an ‘inline profile’ whereby you configure appropriate actions
to be taken when a packet matches a signature.
To create a new profile:
1
Click the Add icon in the Configuration > Anti-X > IDP > Profile screen to
display a pop-up screen allowing you to choose a base profile.
lan
This profile is most suitable for common LAN network services.
Signatures for common services such as DNS, FTP, HTTP, ICMP, IM,
IMAP, MISC, NETBIOS, P2P, POP3, RPC, RSERVICE, SMTP, SNMP, SQL,
TELNET, TFTP, MySQL are enabled. Signatures with a high or severe
severity level (greater than three) generate logs (not log alerts) and
cause packets that trigger them to be dropped. Signatures with a low or
medium severity level (two or three) generate logs (not log alerts) and
no action is taken on packets that trigger them. Signatures with a very
low severity level (one) are disabled.
dmz
This profile is most suitable for networks containing your servers.
Signatures for common services such as DNS, FTP, HTTP, ICMP, IMAP,
MISC, NETBIOS, POP3, RPC, RSERVICE, SMTP, SNMP, SQL, TELNET,
Oracle, MySQL are enabled. Signatures with a high or severe severity
level (greater than three) generate log alerts and cause packets that
trigger them to be dropped. Signatures with a low or medium severity
level (two or three) generate logs (not log alerts) and no action is taken
on packets that trigger them. Signatures with a very low severity level
(one) are disabled.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.
Table 114
Base Profiles (continued)
BASE
PROFILE
DESCRIPTION