6 | Juniper Networks, Inc.
Step 1: Choose a Deployment Mode
The first step in setting up NetScreen-IDP on your network is to decide on a
deployment mode. The figures on pages 7-10 illustrate the five deployment modes
and their primary advantages and disadvantages.
IDP Appliance Placement
You can place the IDP appliance in front of your firewall, behind your firewall
(recommended), or anywhere on your network.
You should choose a location for your IDP appliance based on your existing
network hardware and the networks you want to protect. The examples provided
in this guide place the IDP appliance behind the firewall or router.
IDP Deployment Modes
For configurations without high availability, you can deploy the IDP Sensor as an
active gateway or as a passive sniffer.
• Active Gateway. Active Gateway modes take full advantage of IDP
  attack prevention capabilities and MultiMethod Detection mechanisms.
  Choose bridge, proxy-ARP, transparent, or router mode.
• Passive Sniffer. To use IDP as a passive IDS system without
  prevention capabilities, deploy IDP in passive sniffer mode to monitor
  and log network traffic. If the Sensor is attached to a network switch,
  you must configure the switch to mirror all traffic to that port. IDP
  defaults to sniffer mode.
Examine the examples on the following pages to determine which deployment
mode to use for your network. When you have chosen a deployment mode,
proceed to “Install the IDP Management Server” on page 11.
NS-IDP-BYP (Bridge or Transparent Mode Only)
The IDP Bypass Unit is a fail-open network device for your IDP system. If traffic
flow through the IDP appliance is disrupted, the Bypass Unit can automatically
reroute traffic. To use a Bypass Unit for fail-open protection with a
NetScreen-IDP appliance, you must deploy the IDP Sensor in bridge or
transparent mode.