Juniper IDP

The unit can operate in either passive mode, or inline mode. Passive mode is just for sniffing the network, and it can block certain types of attacks by landing an RST packet within the TCP window. However, it cannot block non-TCP attacks, only log them. And it is possible that the blocking that is available in passive mode can happen too late, the malicious payload has already been sent by the time the blocking happens.

In inline mode, you have 3 options for installing it. You can use Layer-3, where the IDP gets an IP on each interface and you actually set up routes to it. In Bridge mode it will participate in spanning tree, and transparent mode, it just passes everything unmodified including spanning tree packets.

If you plan on putting the unit inline, Transparent mode is the preferred method. Especially if you have 2 units and are putting them in parallel between two switches as spanning tree will continue to operate as if the units were not even there.

When running in inline mode, you can group interfaces into Virtual Routers. These don't necessarily route, unless you're operating in layer-3 mode. But, the do tell the unit which interfaces are grouped together so you can pass traffic for particular network segments, and VR's will NOT pass traffic between each other. So if I had 8 interfaces, I could create 4 VR's with 2 interfaces each, and effectively put the unit inline on 4 totally separate network segments. Inline mode is the way to go if the unit will handle the throughput.

Set the unit up through the web interface on the unit to configure the modes you want to run in and any Virtual routers. Then install the NSM on your management console and add the device. When creating your policy, it's good practice to only put it in logging mode for at least a couple of weeks to see what kind of alerts you are getting and make sure you don't block legitimate traffic. Then go through and put in any exceptions you need and eventually put it into blocking mode.