FortiGate IPS

FortiOS 4.0: IDS/IPS

Transcript of FortiGate IPS

Page 1: FortiGate IPS

FortiOS 4.0: IDS/IPS

Page 2: FortiGate IPS

FortiGate IPS

The FortiGate IPS detects intrusions by using attack signatures for known intrusion methods, and detects anomalies in network traffic to identify new or unknown intrusions. Not only can the IPS detect and log attacks, but users can choose actions to take on the session when an attack is detected.

FortiOS IPS offers a wide range of tools so that you can monitor and block malicious activity. These tools are predefined signatures, out-of-band mode (or one-arm IPS mode), protocol decoders, custom signature entries, packet logging, and IPS sensors.

Page 3: FortiGate IPS

FortiGate IDS (one-arm IPS mode)

• In one-arm mode the FortiOS IPS operates as an Intrusion Detection System (IDS): it detects attacks and reports them, but takes no action against them.

• The unit does not forward the traffic it inspects. Instead, a FortiGate interface operates in sniffer mode and is connected to a SPAN (mirrored) port of a switch that carries all of the traffic to be analyzed. Because the interface receives only a copy of the traffic, the sensor can log and alert but cannot drop or reset a session; blocking requires the FortiGate to sit inline.
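The one-arm deployment described above, as an added FortiOS 4.0 CLI example (not part of the original slides): a spare interface is switched to sniffer mode and a sniffer policy binds a detection-only IPS sensor to it. The interface name port3 and the sensor name ids-monitor are assumptions, lines starting with # are explanatory comments, and the keyword names (ips-sniffer-mode, config firewall sniffer, ips-sensor-status) are as recalled from the 4.0 MR3 CLI reference and should be checked against the handbook for the release in use.

```fortios
# Put a spare interface into one-arm sniffer mode: no IP address, no
# forwarding, it only receives the switch's mirrored copy of the traffic.
config system interface
    edit "port3"
        set ips-sniffer-mode enable
    next
end

# A detection-only sensor. Everything the sniffer matches is logged;
# the action is irrelevant because the unit cannot drop a copied packet.
config ips sensor
    edit "ids-monitor"
        set comment "one-arm IDS: log only"
        config filter
            edit "critical-and-high"
                set severity critical high
                set status enable
                set action pass
                set log enable
                set log-packet enable
            next
        end
    next
end

# Sniffer policy: apply the sensor to whatever arrives on port3.
config firewall sniffer
    edit 1
        set interface "port3"
        set ips-sensor-status enable
        set ips-sensor "ids-monitor"
        set logtraffic all
    next
end
```

With log-packet enabled the sensor keeps the packet that triggered each match, which is what an analyst needs when the only evidence is the mirrored copy; watch the log volume on busy SPAN ports.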

Page 4: FortiGate IPS

FortiGate IPS General Overview

• The FortiGate IPS is composed of several tools that can be used to monitor and block malicious activity:

• Predefined signatures

• Custom Signatures

• Protocol Decoders

Page 5: FortiGate IPS

FortiGate IPS General Overview

Predefined Signatures:

• Predefined signatures are delivered to FortiOS through the FortiGuard network.

• These signatures are used to detect attacks. FortiOS supports more than 4000 attack signatures, covering everything from exploits of unpatched operating system vulnerabilities to malformed traffic such as invalid checksums in UDP packets.

Page 6: FortiGate IPS

FortiGate IPS General Overview

Custom Signatures:

Custom signatures provide the ability to customize the FortiGate IPS Engine to meet diverse network environments.

Custom signatures can be developed to protect specialized environments or custom applications.

Page 7: FortiGate IPS

FortiGate IPS General Overview

Protocol decoders:

• Before examining network traffic, the IPS engine uses protocol decoders to identify each protocol appearing in the traffic.

• Attacks are protocol-specific, so the FortiGate unit conserves resources by looking for attacks only in the protocols used to transmit them. For example, it examines only HTTP traffic for a signature that describes an HTTP attack.

Page 8: FortiGate IPS

FortiGate IPS General Overview

Protocol decoders:

Page 9: FortiGate IPS

FortiGate IPS Engine

• Once the protocol decoders separate the network traffic by protocol, the IPS engine examines the network traffic for the attack signatures.

IPS sensors

• The IPS engine does not examine network traffic for all signatures, however. You must first create an IPS sensor and specify which signatures it includes. Add signatures to a sensor individually using signature entries, or in groups using IPS filters.

Page 10: FortiGate IPS

FortiGate IPS filters

• A filter is a collection of signature attributes that you specify. Only the signatures that have all of the attributes in the filter are included (the attributes are ANDed); separate filters in the same sensor each contribute their own set of signatures.

• For example, if your FortiGate unit protects a Linux server running the Apache web server software, you could create a new filter to protect it. By setting OS to Linux and Application to Apache, the filter includes only the signatures that apply to both Linux and Apache. If you wanted to scan for all the Linux signatures and all the Apache signatures, you would create two filters, one for each.

Page 11: FortiGate IPS

FortiGate IPS Tuning

Network Design Considerations:

• Trusted vs Non-Trusted Networks

• Number of Protected Segments

• Physical Media (Copper or Fiber)

• Operating Systems / Databases / Applications

• Traffic Distribution

Reduce the number of signatures applied to traffic where they can never match. For example, do not inspect a network segment that contains only Windows Servers with signatures for Linux.

Page 12: FortiGate IPS

FortiGate IPS Tuning

Network Design Considerations:

Trusted vs Non-Trusted Networks

• Apply IPS Sensors to networks carrying unencrypted traffic; the IPS cannot match signatures against encrypted payloads.

• Never apply IPS Sensors that you are not willing to monitor or tune.

Limit IPS inspection to the traffic that matters: IPS inspection costs considerably more than plain firewall forwarding, so consider firewall versus IPS throughput when choosing what to inspect.

Page 13: FortiGate IPS

FortiGate IPS Tuning

Network Design Considerations:

Number of Protected Segments

• Define a separate IPS Sensor for each network segment you want to inspect.

• As every network segment is different, each IPS Sensor should be different.

Page 14: FortiGate IPS

FortiGate IPS Tuning

Network Design Considerations:

Operating Systems/Applications/Databases

• Tune IPS Sensor according to the operating system being protected.

Page 15: FortiGate IPS

FortiGate IPS Tuning

Network Design Considerations:

Operating Systems/Applications/Databases

• Tune IPS Sensor according to the Application/Database being protected.

Page 16: FortiGate IPS

FortiGuard Intrusion Prevention Service

• Provides customers with the latest defenses against stealthy network-level threats. It uses a customizable database of more than 4000 known threats, delivered to FortiGate and FortiWiFi appliances.

• It also provides behavior-based heuristics, enabling the system to recognize threats for which no signature has yet been developed.

Page 17: FortiGate IPS

General Configuration Steps

1. Create an IPS sensor.

2. Add filters and/or predefined signatures and custom signatures to the sensor.

3. Select a security policy or create a new one.

4. In the security policy, turn on IPS, and choose the IPS sensor from the list.
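The four steps above as a FortiOS 4.0 CLI configuration, added here as an example rather than copied from the slides. It also realizes the Linux/Apache filter from the IPS filters page and the tuning advice about not scanning a segment with signatures that cannot apply to it. The interface, address, sensor and filter names (wan1, dmz, web-servers, dmz-linux-apache, ...) are assumptions, the signature ID in the override block is a placeholder, lines starting with # are explanatory comments, and the keyword names follow the 4.0 MR2/MR3 CLI as recalled (config filter and config override under config ips sensor; utm-status and ips-sensor on the firewall policy) and should be verified against the CLI reference for the release in use.

```fortios
# Steps 1 and 2: a sensor for a DMZ segment holding only Linux/Apache
# web servers. Windows-only or IIS-only signatures never enter this sensor.
config ips sensor
    edit "dmz-linux-apache"
        set comment "Linux + Apache web servers only"
        config filter
            # Attributes inside one filter are ANDed: only signatures tagged
            # both OS=Linux and Application=Apache, and aimed at servers,
            # are selected. "default" keeps each signature's recommended action.
            edit "linux-apache-server"
                set location server
                set os Linux
                set application Apache
                set severity medium high critical
                set status enable
                set action default
                set log enable
            next
            # A second filter contributes its own selection on top of the
            # first: every critical signature, whatever platform, is blocked.
            edit "critical-any"
                set severity critical
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
        # Per-signature override of the filter verdict, keyed by signature ID.
        # 12345 is a placeholder; look the real ID up in the signature list.
        config override
            edit 1
                set rule 12345
                set status enable
                set action reset
                set log enable
            next
        end
    next
end

# Steps 3 and 4: enable IPS in the policy that carries the traffic and pick
# the sensor. Only HTTP is listed: HTTPS payloads are encrypted and the IPS
# cannot match signatures inside them without SSL inspection.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-servers"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set ips-sensor "dmz-linux-apache"
        set logtraffic enable
    next
end
```

A segment with different hosts (a Windows-only file server VLAN, say) gets its own sensor with os Windows in the filter and its own policy, following the one-sensor-per-segment advice from the tuning pages.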

Page 18: FortiGate IPS

For More Information

• http://kb.fortinet.com (Knowledge base)

• http://docs.fortinet.com/fos50hlp/50/index.html (Handbook)

• http://docs.fortinet.com/cb/fortigate-cookbook.pdf (Cookbook)

• http://www.fortiguard.com/