Intrusion Prevention System
Module Objectives
• By the end of this module, participants will be able to:
  • Use the FortiGate Intrusion Prevention System (IPS) to detect network intrusions
  • Create custom signatures, IPS filters and sensors
  • Design firewall policies that incorporate IPS sensors
  • Create Denial of Service (DoS) sensors and firewall policies
Intrusion Prevention System
• FortiGate IPS can detect and log network attacks
• Uses signatures to:
  • Detect known intrusion methods
  • Detect anomalies in traffic to identify new or unknown intrusions
• Pre-defined IPS signatures and the IPS engine are upgraded through FortiGuard Subscription Services
Protocol Decoders
(Diagram: incoming traffic is checked against "Meets protocol requirements and standards?")
• Protocol decoders are used to identify abnormal traffic patterns that do not meet the requirements and standards of a particular protocol
  • For example, the HTTP decoder monitors HTTP traffic to identify packets that do not conform to the HTTP protocol standards
• Protocol decoders are included in the IPS upgrade packages
Predefined Signatures
• The FortiGate unit includes a large collection of predefined signatures that can be added to IPS sensors
• The signature and log settings can be fine-tuned to provide the best protection and optimize resource usage
  • Not all systems require all signatures to be scanned all the time
  • Not all systems require all signature actions to be logged
FortiGuard Intrusion Prevention System Service
• FortiGuard IPS Service provides up-to-date defenses against network-level threats
• Includes:
  • Predefined library of attack signatures
  • Engines:
    • Anomaly inspection
    • Deep packet inspection
    • Full content inspection
    • Activity inspection
• Supports behavior-based heuristics
Custom Signatures
(Diagram: predefined signatures represent common attacks; custom signatures cover unusual or specialized applications or platforms)
• Custom signatures provide the flexibility to customize the FortiGate unit's IPS functions for diverse network environments
  • Ideal when unusual or specialized applications or uncommon platforms are being used
• Custom signatures are added to IPS sensors to scan traffic based on the defined characteristics
Custom Signature Syntax
F-SBID(--KEYWORD VALUE)
• Header: all custom signatures require a header of F-SBID
• Keyword: identifies a parameter
• Value: values are set for the parameter identified by the keyword
Custom Signature Syntax Samples
F-SBID( --name "Ping.Death"; --protocol icmp; --data_size >32000; )
F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )
F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; --flow from_client; --pattern "POST "; --context uri; --within 5,context; )
F-SBID( --attack_id 6168; --name "MSN.Image.SafeSearch.Off"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "/images/"; --context uri; --no_case; --pattern "q="; --context uri; --no_case; --distance 0; --pattern "Referer:"; --no_case; --context header; --pattern ".live.com/"; --no_case; --context header; --distance 0; --within 30; --pattern "Cookie:"; --context header; --no_case; --pattern "ADLT=OFF"; --context header; --no_case; --distance 0; --within 700;)
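The F-SBID syntax above is a flat list of keyword/value pairs in which order carries meaning: modifiers such as --context, --no_case, --distance and --within apply to the --pattern that precedes them. The parser below is an added example, not Fortinet code; it assumes one pair per ';' and values that are either quoted or a single token, and it groups each pattern with its context.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed inputs: two of the sample signatures from the slide above
# (assumption: one "--keyword value" pair per ';', values optionally quoted).
PING_OF_DEATH = 'F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )'
BLOCK_POST = ('F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; '
              '--flow from_client; --pattern "POST "; --context uri; --within 5,context; )')

# Header "F-SBID(" ... ")" (optional space before the bracket, as in the threshold sample)
_HEADER = re.compile(r"^F-SBID\s*\((.*)\)$", re.S)
# --keyword, then an optional value that is either "quoted text" or a bare token
_PAIR = re.compile(r'^--(?P<kw>[A-Za-z_]+)(?:\s+(?P<val>"[^"]*"|\S+))?$')


def parse_sbid(sig: str) -> List[Tuple[str, str]]:
    """Parse an F-SBID custom signature into an ordered (keyword, value) list.

    Order is kept on purpose: a dict would lose which --context, --no_case,
    --distance or --within belongs to which --pattern in the multi-pattern
    sample. A bare keyword such as --no_case is stored with an empty value.
    """
    m = _HEADER.match(sig.strip())
    if m is None:
        raise ValueError("custom signature must have the F-SBID( ... ) header")
    pairs: List[Tuple[str, str]] = []
    for item in m.group(1).split(";"):
        item = item.strip()
        if not item:
            continue                      # trailing ';' before the closing ')'
        kv = _PAIR.match(item)
        if kv is None:
            raise ValueError(f"malformed keyword/value pair: {item!r}")
        value = (kv.group("val") or "").strip('"')
        pairs.append((kv.group("kw"), value))
    return pairs


def patterns(pairs: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Group each --pattern with the --context modifier that follows it."""
    groups: List[Dict[str, Optional[str]]] = []
    for kw, value in pairs:
        if kw == "pattern":
            groups.append({"pattern": value, "context": None})
        elif kw == "context" and groups:
            groups[-1]["context"] = value
    return groups
```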
Signature Threshold
• In some cases, a single instance of a signature being triggered does not constitute an attack
• The signature threshold value defines how many times the signature must be triggered over a period of time before the event is considered an attack
  • The signature must be triggered N times in X seconds
• Syntax: F-SBID( --name "brute force"; --threshold 100,60; )
IPS Sensors
(Diagram: predefined and custom signatures are grouped into sensors; each sensor is attached to a firewall policy)
• IPS signatures are grouped into sensors
• A sensor is then applied to a firewall policy
• Any traffic processed by the firewall policy will be filtered against the signatures in the sensor
Filters
(Diagram: a library of predefined and custom signatures; filters decide which signatures traffic should be checked against, and overrides modify the behavior of signatures in the filter)
• IPS filters define the attributes used to identify which signatures traffic will be checked against
  • If a match is found in the traffic flow, the appropriate action is taken
• Multiple filters can be defined in a sensor and they are checked one at a time, from the top of the list to the bottom
• IPS overrides modify the behavior of signatures specified in a filter
Filters
Filter attribute   Options
Severity           All, or Info / Medium / High / Critical
Target             All, or Server / Client
OS                 All, or Other / Windows / Linux / BSD / Solaris / MacOS
Protocol           All, or specify a protocol
Application        All, or specify an application
• The signatures included in the filter are only those matching every attribute specified
  • Selecting All results in every signature being included in the filter
Overrides
• Signature overrides can modify the behavior of a single signature specified in a filter
  • Each override defines the behavior of one signature
• Overrides are always checked before filters
  • The signature identified in the override is first compared to the traffic; if there is no match, the signatures in the filter are compared to the traffic
• When a pre-defined signature is specified in an override, the default status and action attributes have no effect
  • These settings must be explicitly set when creating the override
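The precedence rules above (overrides first, then filters top to bottom, a filter matching only on every listed attribute with All as a wildcard) are easy to get wrong when reasoning about what a sensor actually scans. The model below is an added example, not FortiGate code; the signature ids, names and the sensor layout are constructed, and it assumes that an override whose status is disabled removes the signature from scanning rather than falling through to the filters.

```python
from typing import Dict, Optional, Set

# Constructed signature library (assumption: hypothetical ids and names; the
# attributes are the ones the filter slide lists).
SIGNATURES: Dict[int, Dict[str, str]] = {
    1001: {"name": "Example.Server.Exploit", "severity": "critical", "target": "server",
           "os": "Windows", "protocol": "HTTP", "application": "IIS"},
    1002: {"name": "Example.Client.Bug", "severity": "medium", "target": "client",
           "os": "Linux", "protocol": "HTTP", "application": "Firefox"},
    1003: {"name": "Example.Info.Probe", "severity": "info", "target": "server",
           "os": "Other", "protocol": "DNS", "application": "BIND"},
}

# A filter lists the allowed values per attribute; an attribute that is not
# listed means "All". The sensor checks its filters top to bottom.
SENSOR = {
    "filters": [
        {"criteria": {"severity": {"critical", "high"}, "target": {"server"}}, "action": "block"},
        {"criteria": {}, "action": "pass"},              # "All" on every attribute: catch-all
    ],
    # Overrides name one signature each and must set status and action explicitly.
    "overrides": {
        1002: {"status": "enable", "action": "block"},   # escalate a medium client bug
        1003: {"status": "disable", "action": "pass"},   # stop scanning for this one
    },
}


def filter_includes(criteria: Dict[str, Set[str]], sig: Dict[str, str]) -> bool:
    """A signature is in the filter only if it matches every listed attribute."""
    return all(sig[attr] in allowed for attr, allowed in criteria.items())


def decide(sensor: dict, sig_id: int) -> Optional[str]:
    """Action the sensor applies when signature `sig_id` matches traffic.

    Overrides are consulted first; if none names the signature, the filters are
    walked top to bottom and the first one containing it wins. None means the
    sensor does not scan for this signature (assumption: a disabled override
    removes the signature instead of falling through to the filters).
    """
    override = sensor["overrides"].get(sig_id)
    if override is not None:
        return override["action"] if override["status"] == "enable" else None
    sig = SIGNATURES[sig_id]
    for flt in sensor["filters"]:
        if filter_includes(flt["criteria"], sig):
            return flt["action"]
    return None
```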
Packet Logging
• Packet logging can be enabled for a specific filter
• Packet logging can also be enabled for a group of signatures by enabling the feature in the IPS filter
• Requires an internal hard disk on the FortiGate device or access to a FortiAnalyzer device
IPS Sensors
(Diagram: IPS Sensor "Sample_Sensor" attached to a firewall policy)
• Create IPS sensors by identifying the filters to be used
• Assign the sensor to a firewall policy
• Any traffic being examined by the policy will have the signature filter and override operations applied to it
Denial of Service Attacks
(Diagram: a large number of sessions from the Internet directed at a web server; a DoS sensor sits in front of the server)
• Denial of service occurs when attacking systems start an abnormally high number of sessions with a target system
  • A high number of sessions slows down or disables the target system
  • It can no longer serve legitimate users
• Denial of service sensors are capable of detecting and protecting against these attacks
  • Configure a threshold and an action to take when the threshold is exceeded
• Multiple sensors can be created to detect anomalies in traffic with different attributes
  • Source address, destination address, ports, etc.
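Both the signature threshold ("N times in X seconds", e.g. --threshold 100,60) and the DoS anomaly threshold just described are sliding-window counters. The code below is an added example of that logic, not FortiGate's implementation; it assumes integer millisecond timestamps and, following the monitoring slide's "51 > threshold 50" log message, models a DoS threshold of 50 as firing at the 51st event, with one window kept per source address.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, List, Optional, Tuple


class SlidingThreshold:
    """Fires once at least `count` events fall inside one `window`-long span.

    Timestamps are integer milliseconds (assumption) so the arithmetic is exact.
    The signature threshold "--threshold 100,60" maps to SlidingThreshold(100, 60_000).
    A DoS anomaly with threshold 50 fires when the count exceeds 50, i.e. at the
    51st event ("51 > threshold 50"), so it maps to SlidingThreshold(51, window).
    """

    def __init__(self, count: int, window: int) -> None:
        self.count, self.window = count, window
        self.events: Deque[int] = deque()

    def observe(self, ts: int) -> bool:
        self.events.append(ts)
        # Expire events that fell out of the window ending at `ts`.
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) >= self.count


class PerSourceAnomaly:
    """One window per key, e.g. per source address, which is how a DoS sensor
    separates one flooding host from the rest of the traffic."""

    def __init__(self, count: int, window: int) -> None:
        self.windows: Dict[Hashable, SlidingThreshold] = defaultdict(
            lambda: SlidingThreshold(count, window))

    def observe(self, key: Hashable, ts: int) -> bool:
        return self.windows[key].observe(ts)


def first_trigger(events: List[Tuple[str, int]], count: int, window: int) -> Optional[Tuple[str, int]]:
    """Replay (source, ts_ms) events; return the (source, ts) at which the anomaly first fires."""
    detector = PerSourceAnomaly(count, window)
    for src, ts in events:
        if detector.observe(src, ts):
            return src, ts
    return None


# Constructed sample: 60 ICMP echo requests from one host 10 ms apart (a flood),
# then 10 from a second host at the same rate. With "more than 50 per second"
# the first host trips the sensor at its 51st packet (t = 500 ms); the second never does.
SAMPLE_EVENTS = [("192.168.3.168", 10 * i) for i in range(60)] + \
                [("10.0.0.5", 1000 + 10 * i) for i in range(10)]
```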
DoS Sensors
(Diagram: DoS Sensor "Class_DoS_Sensor" attached to a DoS policy)
• DoS firewall policies are used to define the attributes of traffic to be scanned for DoS anomalies
• Any traffic passing through the firewall when the DoS policy is in place will be filtered based on the anomaly configuration in the sensor
SYN Flood Attacks
(Diagram: connection requests from the Internet filling the web server's connection table)
• In a SYN flood attack, the attacker attempts to disable the server by flooding it with TCP/IP connection requests
  • When the connection table is full, it is not possible to establish any new connection and the server becomes inaccessible
• The attacker makes a request for a connection, but never acknowledges the server's reply
• The FortiGate unit uses a pseudo SYN proxy to prevent SYN flood attacks
ICMP Sweep
• ICMP sweeps can be used by an attacker to scan a target network to discover vulnerabilities
  • Scans all possible IP addresses in the range of the network to create a map which can be used to plan an attack
• FortiGate IPS can be used to detect a variety of ICMP sweep methods
Monitoring IPS Attacks
• Monitor IPS attacks by enabling logging and configuring email alerts
• Attack signature found:
2011-07-01 10:18:28 oid=247 log_id=16384 type=ips subtype=signature pri=alert vd=root severity="high" src="192.168.3.229" dst="192.168.1.195" src_int="port2" dst_int="port1" policyid=1 identidx=0 serial=89365 status="detected" proto=6 service="http" count=4 attack_name="phpBB.viewtopic.highlight.CommandExecution" src_port=31166 dst_port=80 attack_id=12507 sensor="default" ref="http://www.fortinet.com/ids/VID12507" incident_serialno=1445028994 msg="web_server: phpBB.viewtopic.highlight.CommandExecution, repeated 4 times"
• Attack anomaly detected:
2011-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"
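The two log records above are the raw material for monitoring: key=value fields, some quoted (and the quoted msg may contain spaces and ">"), with the date and time in front. The parser below is an added example, not Fortinet tooling; it takes the two lines from the slide as input, pulls out the fields an alert rule needs, reads the observed count and threshold out of an anomaly message, and applies a simple minimum-severity alert rule (the severity scale is assumed to be info, low, medium, high, critical).

```python
import re
from typing import Dict, Optional, Tuple

# The two IPS log lines from the slide above (the closing quote of the first
# message has been normalised to a straight quote).
SIGNATURE_LOG = ('2011-07-01 10:18:28 oid=247 log_id=16384 type=ips subtype=signature pri=alert vd=root '
                 'severity="high" src="192.168.3.229" dst="192.168.1.195" src_int="port2" dst_int="port1" '
                 'policyid=1 identidx=0 serial=89365 status="detected" proto=6 service="http" count=4 '
                 'attack_name="phpBB.viewtopic.highlight.CommandExecution" src_port=31166 dst_port=80 '
                 'attack_id=12507 sensor="default" ref="http://www.fortinet.com/ids/VID12507" '
                 'incident_serialno=1445028994 msg="web_server: phpBB.viewtopic.highlight.CommandExecution, repeated 4 times"')
ANOMALY_LOG = ('2011-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root '
               'severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 '
               'status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" '
               'icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" '
               'ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"')

# key=value where the value is either "quoted text" (may contain spaces and '>') or a bare token
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_THRESHOLD = re.compile(r"(\d+) > threshold (\d+)")
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]   # assumed severity scale


def parse_ips_log(line: str) -> Dict[str, str]:
    """Split a FortiGate IPS log line into its fields; the leading date and time
    (not key=value) are kept under 'timestamp'."""
    fields = {"timestamp": line[:19]}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def anomaly_counts(fields: Dict[str, str]) -> Optional[Tuple[int, int]]:
    """For an anomaly record, (observed, threshold) parsed from msg, else None."""
    m = _THRESHOLD.search(fields.get("msg", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_alertable(fields: Dict[str, str], min_severity: str = "high") -> bool:
    """Email-alert rule: any IPS record at or above `min_severity`."""
    if fields.get("type") != "ips":
        return False
    return SEVERITY_ORDER.index(fields["severity"]) >= SEVERITY_ORDER.index(min_severity)


def summarize(line: str) -> str:
    """One-line triage summary: time, subtype/severity, src -> dst, attack, repeat count."""
    f = parse_ips_log(line)
    return (f"{f['timestamp']} {f['subtype']}/{f['severity']} {f['src']} -> {f['dst']} "
            f"{f['attack_name']} x{f['count']}")
```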
Proxy Avoidance
(Diagram: a user reaching a web server's Blockedpage.html through an external web proxy)
• Some proxies can be used to anonymize web surfing as a means of bypassing blocking policies
  • Users can circumvent the policy, allowing blocked pages to be viewed
• The FortiGate unit can disallow proxy traffic using web filtering or application control
One-Arm IDS
• One-arm IDS allows a FortiGate unit to operate as an intrusion detection system appliance
  • Sniffs packets for attacks without actually receiving and otherwise processing them
• Cannot block traffic
• Can log detected attacks
Labs
• Lab - Intrusion Prevention System
  • Defining IPS sensors
  • Defining DoS sensors
  • Creating custom signatures