The signatures in the IDP can block P2P and IM applications when they use standard ports, but these applications sometimes use non-standard ports or protocols, which is a problem especially when the signatures are bound to specific protocols/ports.
For example, the signature to block eDonkey, "P2P:EDONKEY:CLIENT-HELLO", is bound to the TCP port range 4242-4662, so in order to block eDonkey completely you can bind it to any.
Similarly, the signatures for Gnutella, "P2P:GNUTELLA:CONNECT", "P2P:GNUTELLA:CONNECTION-OK", and "P2P:GNUTELLA:CONNECTION-OK-V06", can be bound to any protocol/port range instead of specific ones.
And that's why I prefer using Juniper IDP, as it gives you the flexibility to edit the different attack signatures to meet your custom needs. However, I think that they have to stop binding the P2P and IM related signatures from the beginning, as people are not supposed to do such stuff by hand every time they install a new IDP.
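The effect of the binding described above, as an added example that is not from the original post or from Juniper: a small Python model in which a signature's protocol/port binding is checked before its payload pattern. The `Flow` and `Signature` classes, the sample flows and the simplified hello pattern (0xE3 marker, opcode 0x01) are assumptions constructed for illustration, not the IDP's actual matching logic.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Flow:                      # constructed sample flow, not captured traffic
    proto: str
    dst_port: int
    payload: bytes

def looks_like_edonkey_hello(payload: bytes) -> bool:
    # Assumed, simplified pattern: protocol marker 0xE3, 4-byte length, opcode 0x01.
    return len(payload) >= 6 and payload[0] == 0xE3 and payload[5] == 0x01

@dataclass(frozen=True)
class Signature:                 # hypothetical model of a service-bound signature
    name: str
    proto: Optional[str]                 # None = any protocol
    ports: Optional[Tuple[int, int]]     # None = any port; else inclusive range

    def in_scope(self, flow: Flow) -> bool:
        """The binding is checked first; out-of-scope flows are never inspected."""
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.ports is not None:
            low, high = self.ports
            return low <= flow.dst_port <= high
        return True

    def matches(self, flow: Flow) -> bool:
        return self.in_scope(flow) and looks_like_edonkey_hello(flow.payload)

# Constructed hello: marker, little-endian length (opcode + 16-byte body), opcode.
HELLO = bytes([0xE3, 0x11, 0x00, 0x00, 0x00, 0x01]) + b"\x00" * 16

FLOWS = [
    Flow("tcp", 4662, HELLO),              # handshake on a port inside the binding
    Flow("tcp", 8080, HELLO),              # same handshake on a non-standard port
    Flow("tcp", 4662, b"GET / HTTP/1.1"),  # unrelated traffic on a bound port
]

BOUND = Signature("P2P:EDONKEY:CLIENT-HELLO", "tcp", (4242, 4662))
ANY = Signature("P2P:EDONKEY:CLIENT-HELLO", None, None)

def coverage(sig: Signature, flows=FLOWS):
    """Return the destination ports of the flows the signature would flag."""
    return [f.dst_port for f in flows if sig.matches(f)]

if __name__ == "__main__":
    print("bound to tcp/4242-4662:", coverage(BOUND))
    print("bound to any:          ", coverage(ANY))
```

With the port-range binding only the flow on 4662 is flagged; rebound to any, the same pattern also flags the handshake on 8080, while the unrelated traffic is ignored in both cases.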
Tags: Security, Juniper, Gr33n Data