Intrusion Prevention System
Module Objectives
• By the end of this module, participants will be able to:
• Use the FortiGate Intrusion Prevention System (IPS) to detect network intrusions
• Create custom signatures, IPS filters and sensors
• Design firewall policies that incorporate IPS sensors
• Create Denial of Service (DoS) sensors and firewall policies
Intrusion Prevention System
• FortiGate IPS can detect and log network attacks
• Uses signatures to detect known intrusion methods
• Uses anomaly detection to identify new or unknown intrusions that do not match a signature
• Predefined IPS signatures and the IPS engine are upgraded through FortiGuard Subscription Services
Protocol Decoders
• Protocol decoders identify abnormal traffic patterns that do not meet the requirements and standards of a particular protocol
• For example, the HTTP decoder monitors HTTP traffic to identify packets that do not conform to the HTTP protocol standard
• Protocol decoders are included in the IPS upgrade packages
Predefined Signatures
• The FortiGate unit includes a large collection of predefined signatures that can be added to IPS sensors
• The signature and log settings can be fine-tuned to provide the best protection and optimize resource usage
• Not all systems require all signatures to be scanned all the time
• Not all systems require all signature actions to be logged
FortiGuard Intrusion Prevention System Service
• FortiGuard IPS Service provides up-to-date defenses against network-level threats
• Includes:
• Predefined library of attack signatures
• Engines for anomaly inspection, deep packet inspection, full content inspection and activity inspection
• Supports behavior-based heuristics
Custom Signatures
Predefined signatures: represent common attacks
Custom signatures: cover unusual or specialized applications or platforms
• Custom signatures provide the flexibility to customize the FortiGate unit's IPS functions for diverse network environments
• Ideal when unusual or specialized applications or uncommon platforms are being used
• Custom signatures are added to IPS sensors to scan traffic based on the defined characteristics
Custom Signature Syntax
F-SBID(--KEYWORD VALUE)
Header: all custom signatures require the F-SBID header
Keyword: identifies a parameter
Value: the value set for the parameter identified by the keyword
Each keyword is prefixed with two dashes and each keyword/value pair is terminated by a semicolon; several pairs are listed inside the parentheses, as in the samples that follow.
Custom Signature Syntax Samples
F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )
F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; --flow from_client; --pattern "POST "; --context uri; --within 5,context; )
F-SBID( --attack_id 6168; --name "MSN.Image.SafeSearch.Off"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "/images/"; --context uri; --no_case; --pattern "q="; --context uri; --no_case; --distance 0; --pattern "Referer:"; --no_case; --context header; --pattern ".live.com/"; --no_case; --context header; --distance 0; --within 30; --pattern "Cookie:"; --context header; --no_case; --pattern "ADLT=OFF"; --context header; --no_case; --distance 0; --within 700;)
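The following Python parser is added here as an example and is not part of the Fortinet course material or the FortiOS IPS engine. It tokenizes the F-SBID syntax shown above into ordered keyword/value pairs and then attaches --context, --no_case, --distance and --within to the --pattern they follow, which is how the multi-pattern MSN sample has to be read. It validates the F-SBID header and the required --name, parses --attack_id and --threshold into numbers, and keeps every other keyword (protocol, service, flow, data_size, parsed_type) as an opaque option. The three sample signatures are copied from the slides; the grouping rules are the author's reading of the samples, not a published grammar.

```python
import re
from typing import Optional

# Sample custom signatures copied from the syntax slides (constructed test input, not FortiOS code).
PING_DEATH = 'F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )'
BLOCK_HTTP_POST = ('F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; '
                   '--flow from_client; --pattern "POST "; --context uri; --within 5,context; )')
MSN_SAFESEARCH_OFF = (
    'F-SBID( --attack_id 6168; --name "MSN.Image.SafeSearch.Off"; --protocol tcp; '
    '--service HTTP; --flow from_client; --parsed_type HTTP_GET; '
    '--pattern "/images/"; --context uri; --no_case; '
    '--pattern "q="; --context uri; --no_case; --distance 0; '
    '--pattern "Referer:"; --no_case; --context header; '
    '--pattern ".live.com/"; --no_case; --context header; --distance 0; --within 30; '
    '--pattern "Cookie:"; --context header; --no_case; '
    '--pattern "ADLT=OFF"; --context header; --no_case; --distance 0; --within 700;)'
)

HEADER_RE = re.compile(r'\s*F-SBID\s*\((.*)\)\s*$', re.S)
# One "--keyword value;" pair: the value is a double-quoted string or bare text up to the ';'.
PAIR_RE = re.compile(r'\s*--([A-Za-z_]\w*)(?:\s+("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')
# Keywords that modify the most recent --pattern rather than the whole signature (assumption).
PATTERN_MODIFIERS = {"context", "no_case", "distance", "within"}


def tokenize(signature: str) -> list[tuple[str, Optional[str]]]:
    """Split an F-SBID signature into ordered (keyword, value) pairs.

    Order is preserved because pattern modifiers apply to the pattern that precedes them.
    """
    m = HEADER_RE.match(signature)
    if not m:
        raise ValueError("custom signature must be wrapped in F-SBID( ... )")
    body, pos, pairs = m.group(1), 0, []
    while body[pos:].strip():
        t = PAIR_RE.match(body, pos)
        if not t:
            raise ValueError(f"unparseable at offset {pos}: {body[pos:pos + 20]!r}")
        keyword, value = t.group(1), t.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]          # strip the quotes, keep inner whitespace ("POST ")
        pairs.append((keyword, value))
        pos = t.end()
    return pairs


def parse_signature(signature: str) -> dict:
    """Build a structured view: identity, threshold, pattern groups and other options."""
    sig = {"name": None, "attack_id": None, "threshold": None, "options": {}, "patterns": []}
    for keyword, value in tokenize(signature):
        if keyword == "name":
            sig["name"] = value
        elif keyword == "attack_id":
            sig["attack_id"] = int(value)
        elif keyword == "threshold":               # "N,X": N triggers within X seconds
            count, seconds = (int(x) for x in value.split(","))
            sig["threshold"] = (count, seconds)
        elif keyword == "pattern":
            sig["patterns"].append({"pattern": value, "context": None, "no_case": False,
                                    "distance": None, "within": None})
        elif keyword in PATTERN_MODIFIERS:
            if not sig["patterns"]:
                raise ValueError(f"--{keyword} must follow a --pattern")
            current = sig["patterns"][-1]
            current[keyword] = True if keyword == "no_case" else value
        else:
            sig["options"][keyword] = value        # protocol, service, flow, data_size, ...
    if not sig["name"]:
        raise ValueError("--name is required")
    return sig


if __name__ == "__main__":
    for s in (PING_DEATH, BLOCK_HTTP_POST, MSN_SAFESEARCH_OFF):
        parsed = parse_signature(s)
        print(parsed["name"], parsed["attack_id"], parsed["options"], len(parsed["patterns"]))
```

Running the module prints the name, attack ID, options and pattern count of each sample; a modifier that appears before any --pattern, or a signature without the F-SBID header, is rejected with a ValueError rather than silently accepted.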
Signature Threshold
• In some cases, a single instance of a signature being triggered does not constitute an attack
• The signature threshold value defines how many times the signature must be triggered over a period of time before the event is considered an attack
• The signature must be triggered N times in X seconds
• Syntax: F-SBID( --name "brute force"; --threshold 100,60; ) (the signature must trigger 100 times within 60 seconds)
IPS Sensors
• IPS signatures (predefined and custom) are grouped into sensors
• A sensor is then applied to a firewall policy
• Any traffic processed by the firewall policy will be filtered against the signatures in the sensor
Filters
Diagram: library of signatures → filters (which signatures should traffic be checked against?) → overrides (modify the behavior of signatures in the filter)
• IPS filters define the attributes used to identify which signatures traffic will be checked against
• If a match is found in the traffic flow, the appropriate action is taken
• Multiple filters can be defined in a sensor; they are checked one at a time, from the top of the list to the bottom
• IPS overrides modify the behavior of signatures specified in a filter
Filters
Severity: All, or any of Info, Medium, High, Critical
Target: All, or Server, Client
OS: All, or any of Other, Windows, Linux, BSD, Solaris, MacOS
Protocol: All, or a specified protocol
Application: All, or a specified application
• The signatures included in the filter are only those matching every attribute specified
• Selecting All for every attribute results in every signature being included in the filter
Overrides
• Signature overrides modify the behavior of a single signature specified in a filter
• Each override defines the behavior of one signature
• Overrides are always checked before filters
• The signature identified in the override is compared to the traffic first; if there is no match, the signatures in the filter are compared to the traffic
• When a predefined signature is specified in an override, its default status and action attributes have no effect
• These settings must be explicitly set when creating the override
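To make the evaluation order concrete, here is a small Python model of a sensor, added as an example for this page and not FortiOS code: a filter keeps a signature only when every attribute it specifies matches, an attribute left at All matches everything, filters are tried top to bottom and the first match supplies the action, and overrides are consulted before any filter. The Override class deliberately has no default status or action, mirroring the slide's point that a predefined signature's own defaults do not apply inside an override. The action names "block" and "pass", the Sample_Sensor layout and the signatures with attack_id 900001 to 900003 are constructed for the illustration; 12507 is the phpBB signature that appears in the log sample later in this module.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL = None  # an attribute left at "All" places no constraint on the signature
FILTER_ATTRIBUTES = ("severity", "target", "os", "protocol", "application")


@dataclass(frozen=True)
class Signature:
    """One entry of the signature library: identity plus the filterable attributes."""
    attack_id: int
    name: str
    severity: str      # info, medium, high, critical
    target: str        # server or client
    os: str            # other, windows, linux, bsd, solaris, macos
    protocol: str
    application: str


@dataclass
class IPSFilter:
    """Selects the subset of the library whose EVERY specified attribute matches."""
    name: str
    action: str                                   # assumed values: "block" or "pass"
    severity: Optional[frozenset] = ALL
    target: Optional[frozenset] = ALL
    os: Optional[frozenset] = ALL
    protocol: Optional[frozenset] = ALL
    application: Optional[frozenset] = ALL

    def matches(self, sig: Signature) -> bool:
        return all(getattr(self, a) is ALL or getattr(sig, a) in getattr(self, a)
                   for a in FILTER_ATTRIBUTES)


@dataclass
class Override:
    """Per-signature behaviour; status and action must be given explicitly (no defaults)."""
    attack_id: int
    enabled: bool
    action: str


@dataclass
class IPSSensor:
    name: str
    overrides: list = field(default_factory=list)
    filters: list = field(default_factory=list)   # evaluated top to bottom, first match wins

    def decide(self, sig: Signature) -> tuple:
        """Return (source, action): overrides are checked before any filter."""
        for o in self.overrides:
            if o.attack_id == sig.attack_id:
                return ("override", o.action if o.enabled else "disabled")
        for f in self.filters:
            if f.matches(sig):
                return (f"filter:{f.name}", f.action)
        return ("none", "not scanned")


def signatures_in_filter(library, flt: IPSFilter) -> list:
    """IDs of the library signatures a filter would include."""
    return [s.attack_id for s in library if flt.matches(s)]


# Constructed mini-library; only attack_id 12507 is a real signature name from this module.
LIBRARY = [
    Signature(12507, "phpBB.viewtopic.highlight.CommandExecution", "high", "server", "other", "tcp", "http"),
    Signature(900001, "Hypothetical.Windows.SMB.Overflow", "critical", "server", "windows", "tcp", "smb"),
    Signature(900002, "Hypothetical.Browser.Client.Exploit", "medium", "client", "windows", "tcp", "http"),
    Signature(900003, "Hypothetical.Linux.SSH.Probe", "info", "server", "linux", "tcp", "ssh"),
]

# A sensor for a web server segment: block serious server-side attacks, log the rest,
# and explicitly disable one noisy signature through an override.
SAMPLE_SENSOR = IPSSensor(
    "Sample_Sensor",
    overrides=[Override(attack_id=900003, enabled=False, action="pass")],
    filters=[
        IPSFilter("serious_server_attacks", "block",
                  severity=frozenset({"critical", "high"}), target=frozenset({"server"})),
        IPSFilter("everything_else", "pass"),      # All on every attribute: catch-all
    ],
)

if __name__ == "__main__":
    for s in LIBRARY:
        print(s.attack_id, s.name, SAMPLE_SENSOR.decide(s))
```

Note that the disabled SSH probe would otherwise have landed in the catch-all filter; the override wins because it is checked first, and the medium-severity client exploit skips the first filter because target and severity both fail to match.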
Packet Logging
• Packet logging can be enabled for a single signature through its override
• Packet logging can also be enabled for a group of signatures by enabling the feature in the IPS filter
• Requires an internal hard disk on the FortiGate device or access to a FortiAnalyzer device
IPS Sensors
• Create IPS sensors by identifying the filters to be used
• Assign the sensor to a firewall policy
• Any traffic examined by the policy will have the signature filter and override operations applied to it
Denial of Service Attacks
• Denial of service occurs when attacking systems start an abnormally high number of sessions with a target system
• A high number of sessions slows down or disables the target system
• The target can no longer serve legitimate users
• Denial of service sensors are capable of detecting and protecting against these attacks
• Configure a threshold and an action to take when the threshold is exceeded
• Multiple sensors can be created to detect anomalies in traffic with different attributes: source address, destination address, ports, etc.
DoS Sensors
• DoS firewall policies are used to define the attributes of traffic to be scanned for DoS anomalies
• Any traffic passing through the firewall when the DoS policy is in place will be filtered based on the anomaly configuration in the sensor
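The signature threshold (--threshold N,X on the Signature Threshold slide) and the DoS sensor threshold are both "count hits per key inside a time window" checks, so one added Python model serves both passages; it is illustrative code written for this page, not the FortiOS IPS engine. The signature case alerts when N hits from one client to one server land within X seconds; the anomaly case alerts when the per-second count of ICMP echo requests from one source exceeds the threshold, producing the same "51 > threshold 50" wording as the sample log in the Monitoring slide. The traffic lists are constructed, the addresses are taken from the sample logs, and clearing the counter after an alert is a design choice of this model.

```python
import operator
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts hits per key inside a trailing window of `seconds` (model, not FortiOS code)."""

    def __init__(self, seconds: float):
        self.seconds = seconds
        self._hits = defaultdict(deque)

    def observe(self, key, ts: float) -> int:
        q = self._hits[key]
        q.append(ts)
        while q and ts - q[0] >= self.seconds:   # drop hits that fell out of the window
            q.popleft()
        return len(q)

    def reset(self, key) -> None:
        self._hits[key].clear()


def run_threshold(events, limit, seconds, key_fn, label, strict=False):
    """Generic "N hits in X seconds" detector.

    strict=False alerts when hits >= limit: the signature threshold ("triggered N times in X seconds").
    strict=True  alerts when hits >  limit: the DoS anomaly threshold, matching the sample log
                 message "icmp_flood, 51 > threshold 50".
    The per-key counter is cleared after an alert so a sustained flood yields one alert per
    window rather than one per packet (design choice of this model).
    """
    exceeded = operator.gt if strict else operator.ge
    counter = SlidingWindowCounter(seconds)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = key_fn(ev)
        n = counter.observe(key, ev["ts"])
        if exceeded(n, limit):
            alerts.append({"ts": ev["ts"], "key": key, "count": n,
                           "msg": f"{label}, {n} {'>' if strict else '>='} threshold {limit}"})
            counter.reset(key)
    return alerts


# --- constructed sample input ---
# "--threshold 100,60": 100 login failures in 49.5 s from one client to one server ...
FAST_BRUTE_FORCE = [{"ts": i / 2, "src": "192.168.3.229", "dst": "192.168.1.195"} for i in range(100)]
# ... versus 100 failures spread over 99 s, which never reach 100 inside any 60 s window.
SLOW_BRUTE_FORCE = [{"ts": float(i), "src": "192.168.3.229", "dst": "192.168.1.195"} for i in range(100)]
# DoS sensor icmp_flood, threshold 50 per second: 60 echo requests from one host in 0.6 s,
# plus 10 from a second host that stays under the threshold.
ICMP_FLOOD = ([{"ts": i / 100, "src": "192.168.3.168", "dst": "192.168.3.170", "icmp_type": 8} for i in range(60)]
              + [{"ts": i / 20, "src": "192.168.3.1", "dst": "192.168.3.170", "icmp_type": 8} for i in range(10)])


def signature_threshold_alerts(events, count=100, seconds=60):
    # Keyed per (src, dst): the same client hammering the same server.
    return run_threshold(events, count, seconds, lambda e: (e["src"], e["dst"]), "signature: brute force")


def icmp_flood_alerts(packets, threshold=50):
    # Keyed per source address over a 1-second window; only echo requests (type 8) count.
    echo = [p for p in packets if p["icmp_type"] == 8]
    return run_threshold(echo, threshold, 1.0, lambda p: p["src"], "anomaly: icmp_flood", strict=True)


if __name__ == "__main__":
    for a in signature_threshold_alerts(FAST_BRUTE_FORCE) + icmp_flood_alerts(ICMP_FLOOD):
        print(a["ts"], a["key"], a["msg"])
```

The slow series shows why the window matters: the same 100 hits are harmless when spread over 99 seconds because at most 60 of them ever share a 60-second window, so no alert is raised and the event stays below the "attack" bar the slide describes.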
SYN Flood Attacks
• In a SYN flood attack, the attacker attempts to disable the server by flooding it with TCP connection requests (SYN segments)
• The attacker requests a connection but never acknowledges the server's SYN-ACK reply, so each half-open connection occupies an entry in the server's connection table
• When the table is full, no new connection can be established and the server becomes inaccessible
• The FortiGate unit uses a pseudo SYN proxy to prevent SYN flood attacks
ICMP Sweep
• ICMP sweeps can be used by an attacker to scan a target network and discover live hosts as a first step toward finding vulnerabilities
• Scans all possible IP addresses in the range of the network to create a map which can be used to plan an attack
• FortiGate IPS can be used to detect a variety of ICMP sweep methods
Monitoring IPS Attacks
• Monitor IPS attacks by enabling logging and configuring email alerts
• Attack signature found:
2011-07-01 10:18:28 oid=247 log_id=16384 type=ips subtype=signature pri=alert vd=root severity="high" src="192.168.3.229" dst="192.168.1.195" src_int="port2" dst_int="port1" policyid=1 identidx=0 serial=89365 status="detected" proto=6 service="http" count=4 attack_name="phpBB.viewtopic.highlight.CommandExecution" src_port=31166 dst_port=80 attack_id=12507 sensor="default" ref="http://www.fortinet.com/ids/VID12507" incident_serialno=1445028994 msg="web_server: phpBB.viewtopic.highlight.CommandExecution, repeated 4 times"
• Attack anomaly detected:
2011-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"
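An added Python example, not Fortinet code, that parses the two sample log entries above into records, pulls the observed count and threshold out of an anomaly msg, and flags high or critical events whose status is "detected", i.e. logged rather than dropped, which is what you look for when a sensor that is supposed to block is still in detect mode. The log lines are copied from the slide (with straight quotes); the grouping performed by summarize() and the needs_review rule are constructed for the example.

```python
import re
from datetime import datetime

# Constructed copies of the two sample log lines from the slide.
SIGNATURE_LOG = (
    '2011-07-01 10:18:28 oid=247 log_id=16384 type=ips subtype=signature pri=alert vd=root '
    'severity="high" src="192.168.3.229" dst="192.168.1.195" src_int="port2" dst_int="port1" '
    'policyid=1 identidx=0 serial=89365 status="detected" proto=6 service="http" count=4 '
    'attack_name="phpBB.viewtopic.highlight.CommandExecution" src_port=31166 dst_port=80 '
    'attack_id=12507 sensor="default" ref="http://www.fortinet.com/ids/VID12507" '
    'incident_serialno=1445028994 msg="web_server: phpBB.viewtopic.highlight.CommandExecution, repeated 4 times"'
)
ANOMALY_LOG = (
    '2011-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root '
    'severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 '
    'status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" '
    'icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" '
    'ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"'
)

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')          # key="quoted value" or key=bare
TS_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+')
THRESHOLD_RE = re.compile(r'(\d+) > threshold (\d+)')  # wording used in anomaly msg fields


def parse_ips_log(line: str) -> dict:
    """Parse one key=value IPS log line. Quoted values stay strings; bare integers become ints."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("missing timestamp")
    rec = {"timestamp": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}
    for kv in KV_RE.finditer(line, m.end()):
        key, quoted, bare = kv.group(1), kv.group(3), kv.group(4)
        if quoted is not None:
            rec[key] = quoted
        else:
            rec[key] = int(bare) if bare.isdigit() else bare
    return rec


def anomaly_threshold(rec: dict):
    """For anomaly entries, return (observed, threshold) parsed from msg; None otherwise."""
    if rec.get("subtype") != "anomaly":
        return None
    m = THRESHOLD_RE.search(rec.get("msg", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def needs_review(rec: dict) -> bool:
    """High/critical events that were only detected (logged), not dropped (constructed rule)."""
    return rec.get("severity") in {"high", "critical"} and rec.get("status") == "detected"


def summarize(lines) -> dict:
    """Group by (subtype, attack_name): total hit count, distinct sources, review flag."""
    summary = {}
    for line in lines:
        rec = parse_ips_log(line)
        key = (rec["subtype"], rec["attack_name"])
        entry = summary.setdefault(key, {"hits": 0, "sources": set(), "review": False})
        entry["hits"] += rec.get("count", 1)       # count=4 means "repeated 4 times"
        entry["sources"].add(rec["src"])
        entry["review"] |= needs_review(rec)
    return summary


if __name__ == "__main__":
    for key, entry in summarize([SIGNATURE_LOG, ANOMALY_LOG]).items():
        print(key, entry)
```

The count field is what makes the signature entry worth aggregating: the single line stands for four hits from the same client, so a summary that counted lines instead of the count field would under-report by a factor of four.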
Proxy Avoidance
• Some proxies can be used to anonymize web surfing as a means of bypassing blocking policies
• Users can circumvent the policy, allowing blocked pages to be viewed
• The FortiGate unit can disallow proxy traffic using web filtering or application control
One-Arm IDS
• One-arm IDS allows a FortiGate unit to operate as an intrusion detection system appliance
• Sniffs packets for attacks without actually receiving and otherwise processing them
• Cannot block traffic
• Can log detected attacks
Labs
• Lab - Intrusion Prevention System
• Defining IPS sensors
• Defining DoS sensors
• Creating custom signatures