Presentation on theme: "Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System."— Presentation transcript:

1 Intrusion Prevention System

2 Module Objectives
By the end of this module, participants will be able to:
Use the FortiGate Intrusion Prevention System (IPS) to detect network intrusions
Create custom signatures, IPS filters and sensors
Design firewall policies that incorporate IPS sensors
Create Denial of Service (DoS) sensors and firewall policies

3-4 Intrusion Prevention System
FortiGate IPS can detect and log network attacks
Uses signatures to:
Detect known intrusion methods
Detect anomalies in traffic to identify new or unknown intrusions
Pre-defined IPS signatures and IPS engine upgraded through FortiGuard Subscription Services

5-6 Protocol Decoders
(Diagram: does the traffic meet the protocol's requirements and standards?)
Protocol decoders are used to identify abnormal traffic patterns that do not meet the requirements and standards of a particular protocol
For example, a decoder monitors HTTP traffic to identify packets that do not conform to the HTTP protocol standards
Protocol decoders are included in the IPS upgrade packages

7-8 Predefined Signatures
The FortiGate unit includes a large collection of predefined signatures that can be added to IPS sensors
The signature and log settings can be fine-tuned to provide the best protection and optimize resource usage
Not all systems require all signatures to be scanned all the time
Not all systems require all signature actions to be logged

9 FortiGuard Intrusion Prevention System Service
FortiGuard IPS Service provides up-to-date defenses against network-level threats
Includes:
Predefined library of attack signatures
Engines
Anomaly inspection
Deep packet inspection
Full content inspection
Activity inspection
Supports behavior-based heuristics

10-11 Custom Signatures
(Diagram: predefined signatures represent common attacks; custom signatures cover unusual or specialized applications or platforms)
Custom signatures provide the flexibility to customize the FortiGate unit's IPS functions for diverse network environments
Ideal when unusual or specialized applications or uncommon platforms are being used
Custom signatures are added to IPS sensors to scan traffic based on the defined characteristics

12-15 Custom Signature Syntax
F-SBID(--KEYWORD VALUE)
Header: all custom signatures require a header of F-SBID
Keyword: identifies a parameter
Value: values are set for the parameter identified by the keyword

16-19 Custom Signature Syntax Samples
F-SBID( --name "Ping.Death"; --protocol icmp; --data_size >32000; )
F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )
F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; --flow from_client; --pattern "POST "; --context uri; --within 5,context; )
F-SBID( --attack_id 6168; --name "MSN.Image.SafeSearch.Off"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "/images/"; --context uri; --no_case; --pattern "q="; --context uri; --no_case; --distance 0; --pattern "Referer:"; --no_case; --context header; --pattern ".live.com/"; --no_case; --context header; --distance 0; --within 30; --pattern "Cookie:"; --context header; --no_case; --pattern "ADLT=OFF"; --context header; --no_case; --distance 0; --within 700; )

20 Signature Threshold
In some cases, a single instance of a signature being triggered does not constitute an attack
The signature threshold value defines how many times the signature must be triggered over a period of time before the event is considered an attack
Signature must be triggered N times in X seconds
Syntax: F-SBID( --name "brute force"; --threshold 100,60; )
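To make the F-SBID syntax of slides 12-20 concrete, here is an added example (not Fortinet's code and not the FortiGate engine's parser) that tokenizes the keyword/value syntax and evaluates the --threshold N,X rule as a sliding window over trigger timestamps. The sample signatures are the ones shown on the slides; the parser's treatment of value-less keywords such as --no_case, and the assumption that a signature without --threshold reports on its first trigger, are this example's own choices.

```python
import re
from collections import deque

# Sample signatures copied from the slides (the F-SBID syntax shown above).
PING_OF_DEATH = 'F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )'
BLOCK_HTTP_POST = ('F-SBID( --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; '
                   '--flow from_client; --pattern "POST "; --context uri; --within 5,context; )')
BRUTE_FORCE = 'F-SBID( --name "brute force"; --threshold 100,60; )'


def parse_fsbid(text):
    """Parse an F-SBID( ... ) custom signature into an ordered list of (keyword, value).

    Every parameter starts with '--'. Keywords that take no value (such as
    --no_case) are returned with value None (this example's convention).
    Quoted values may contain spaces or semicolons. Repeated keywords (several
    --pattern entries) are kept in order, because modifiers such as --distance
    and --within refer to the pattern that precedes them.
    """
    m = re.fullmatch(r'\s*F-SBID\s*\(\s*(.*?)\s*\)\s*', text, re.DOTALL)
    if not m:
        raise ValueError("custom signature must use the F-SBID( ... ) header")
    # Split the body on ';' but not inside double quotes.
    entries, current, in_quotes = [], [], False
    for ch in m.group(1):
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            entries.append(''.join(current))
            current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated quoted value")
    entries.append(''.join(current))

    params = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if not entry.startswith('--'):
            raise ValueError(f"expected --keyword, got {entry!r}")
        parts = entry[2:].split(None, 1)
        keyword, value = parts[0], (parts[1].strip() if len(parts) > 1 else None)
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # drop the surrounding quotes
        params.append((keyword, value))
    return params


def threshold_of(params):
    """Return (count, seconds) from a --threshold N,X parameter.
    Assumption for this example: without --threshold a single trigger is already an attack."""
    for keyword, value in params:
        if keyword == 'threshold':
            count, seconds = (int(x) for x in value.split(','))
            return count, seconds
    return 1, 0


class ThresholdTracker:
    """Sliding window: the signature must fire `count` times within `seconds`."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.hits = deque()

    def hit(self, ts):
        """Record one trigger at time ts (seconds). Return True when the window now
        holds enough triggers for the event to be reported as an attack."""
        self.hits.append(ts)
        while ts - self.hits[0] > self.seconds:   # drop triggers older than the window
            self.hits.popleft()
        return len(self.hits) >= self.count


def simulate(signature_text, timestamps):
    """Feed trigger timestamps to the signature's threshold; one verdict per trigger."""
    tracker = ThresholdTracker(*threshold_of(parse_fsbid(signature_text)))
    return [tracker.hit(t) for t in timestamps]


if __name__ == "__main__":
    print(parse_fsbid(PING_OF_DEATH))
    burst = [200.0 + i * 0.5 for i in range(100)]      # 100 triggers inside 50 seconds
    print(simulate(BRUTE_FORCE, burst).count(True))    # the 100th trigger crosses 100,60
```

The same 100 triggers spread one second apart never satisfy --threshold 100,60, because at most 61 of them ever fall inside any 60-second window; that is the difference between "100 failed logins today" and "100 failed logins in a minute" that the threshold is meant to capture.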

21-22 IPS Sensors
(Diagram: predefined and custom signatures are grouped into a sensor, which is applied to a firewall policy)
IPS signatures are grouped into sensors
A sensor is then applied to a firewall policy
Any traffic processed by the firewall policy will be filtered against the signatures in the sensor

23-24 Filters
(Diagram: from the library of predefined and custom signatures, filters decide which signatures traffic is checked against; overrides modify the behavior of signatures in the filter)
IPS filters define the attributes used to identify which signatures traffic will be checked against
If a match is found in the traffic flow, the appropriate action is taken
Multiple filters can be defined in a sensor and they are checked one at a time, from the top of the list to the bottom
IPS overrides modify the behavior of signatures specified in a filter

25-26 Filters
Filter attributes:
Severity: All, or Info / Medium / High / Critical
Target: All, or Server / Client
OS: All, or Other / Windows / Linux / BSD / Solaris / MacOS
Protocol: All, or a specified protocol
Application: All, or a specified application
The signatures included in the filter are only those matching every attribute specified
Selecting All results in every signature being included in the filter

27 Overrides
Signature overrides can modify the behavior of a single signature specified in a filter
Each override defines the behavior of one signature
Overrides are always checked before filters: the signature identified in the override is compared to the traffic first, and only if there is no match are the signatures in the filter compared to the traffic
When a pre-defined signature is specified in an override, its default status and action attributes have no effect; these settings must be explicitly set when creating the override
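The selection and precedence rules of slides 23-27 (every filter attribute must match, All is a wildcard, overrides before filters, filters top to bottom) are easy to get wrong when auditing a sensor, so here is an added example that models them. It is not FortiGate code: the signature library, the sensor, the action names and the treatment of a disabled override as "signature not scanned" are constructed for illustration.

```python
from dataclasses import dataclass

MATCH_ATTRS = ("severity", "target", "os", "protocol", "application")


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str
    target: str
    os: str
    protocol: str
    application: str


@dataclass(frozen=True)
class Filter:
    """One filter of a sensor: the action applied to traffic that matches any
    signature the filter selects. 'All' for an attribute matches every value."""
    action: str
    severity: str = "All"
    target: str = "All"
    os: str = "All"
    protocol: str = "All"
    application: str = "All"

    def includes(self, sig):
        # A signature is included only if every specified attribute matches.
        return all(getattr(self, a) == "All" or getattr(self, a).lower() == getattr(sig, a).lower()
                   for a in MATCH_ATTRS)

    def select(self, library):
        return [s for s in library if self.includes(s)]


@dataclass(frozen=True)
class Override:
    """Explicit status and action for one signature; once an override exists the
    signature's own default status and action no longer apply."""
    sig_id: int
    enabled: bool
    action: str


class Sensor:
    def __init__(self, filters, overrides=()):
        self.filters = list(filters)        # checked top to bottom, first match wins
        self.overrides = list(overrides)    # always checked before the filters

    def decide(self, matched):
        """Action taken for traffic that matched signature `matched`."""
        for ov in self.overrides:
            if ov.sig_id == matched.sig_id:
                # Assumption of this example: a disabled override means the
                # signature is not scanned at all, so nothing falls through.
                return ov.action if ov.enabled else "not scanned"
        for f in self.filters:
            if f.includes(matched):
                return f.action
        return "not scanned"

    def coverage(self, library):
        """Ids of the library signatures this sensor actually checks traffic against."""
        enabled = {o.sig_id for o in self.overrides if o.enabled}
        disabled = {o.sig_id for o in self.overrides if not o.enabled}
        return sorted(s.sig_id for s in library
                      if s.sig_id in enabled
                      or (s.sig_id not in disabled and any(f.includes(s) for f in self.filters)))


# Constructed signature library (ids and names are illustrative, not real FortiGuard ids).
LIBRARY = [
    Signature(1001, "Example.Web.Server.Exploit", "high", "server", "windows", "tcp", "http"),
    Signature(1002, "Example.Browser.Overflow", "critical", "client", "linux", "tcp", "http"),
    Signature(1003, "Example.DNS.Info.Leak", "info", "server", "other", "udp", "dns"),
    Signature(1004, "Example.SSH.Brute.Force", "medium", "server", "linux", "tcp", "ssh"),
]

# Constructed sensor: two filters plus two overrides.
SAMPLE_SENSOR = Sensor(
    filters=[
        Filter("block", severity="high", target="server"),   # high-severity server-side attacks
        Filter("pass", severity="info"),                      # informational signatures: log only
    ],
    overrides=[
        Override(1002, True, "block"),    # force-block one signature no filter selects
        Override(1004, False, "pass"),    # stop scanning a noisy signature
    ],
)

if __name__ == "__main__":
    for sig in LIBRARY:
        print(sig.sig_id, sig.name, "->", SAMPLE_SENSOR.decide(sig))
    print("covered:", SAMPLE_SENSOR.coverage(LIBRARY))
```

Running coverage() against the library is the check worth doing before a sensor goes into a policy: it shows at a glance that signature 1002 is only inspected because of its override, and that 1004 is silently excluded.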

28 Packet Logging
Packet logging can be enabled for a specific filter
Packet logging can also be enabled for a group of signatures by enabling the feature in the IPS filter
Requires an internal hard disk on the FortiGate device or access to a FortiAnalyzer device

29-30 IPS Sensors
(Diagram: IPS sensor "Sample_Sensor" assigned to a firewall policy)
Create IPS sensors by identifying the filters to be used
Assign the sensor to a firewall policy
Any traffic being examined by the policy will have the signature filter and override operations applied to it

31-34 Denial of Service Attacks
(Diagram: attacking systems on the Internet open sessions to a web server; a DoS sensor sits in front of the server)
Denial of service occurs when attacking systems start an abnormally high number of sessions with a target system
A high number of sessions slows down or disables the target system
It can no longer serve legitimate users
Denial of service sensors are capable of detecting and protecting against these attacks
Configure a threshold and an action to take when the threshold is exceeded
Multiple sensors can be created to detect anomalies in traffic with different attributes
Source address, destination address, ports, etc.

35-37 DoS Sensors
(Diagram: DoS sensor "Class_DoS_Sensor" assigned to a DoS policy)
DoS firewall policies are used to define the attributes of traffic to be scanned for DoS anomalies
Any traffic passing through the firewall when the DoS policy is in place will be filtered based on the anomaly configuration in the sensor
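Slides 31-37 describe a DoS sensor as a threshold plus an action, tracked by a chosen traffic attribute (source, destination, port). The following added example, which is not FortiGate code, models that as a per-second event counter keyed by the attribute each anomaly tracks, and produces a message in the spirit of the "51 > threshold 50" anomaly log shown later in the module. The anomaly names, the thresholds and the sample sessions are constructed for the example and are not product defaults.

```python
from collections import defaultdict


class DoSAnomalySensor:
    """One anomaly of a DoS sensor: count events per key and per one-second bucket,
    and apply `action` once the count in a bucket exceeds `threshold`.
    `key_fn` picks the attribute the anomaly is tracked by (source, destination, port)
    and returns None for events the anomaly does not apply to."""

    def __init__(self, name, threshold, action, key_fn):
        self.name, self.threshold, self.action, self.key_fn = name, threshold, action, key_fn
        self.buckets = defaultdict(int)   # (key, whole second) -> events seen

    def observe(self, ts, event):
        """Return (verdict, alert): verdict is 'pass' or the configured action; alert is
        a log-style message on the first event that crosses the threshold, else None."""
        key = self.key_fn(event)
        if key is None:
            return "pass", None
        bucket = (key, int(ts))
        self.buckets[bucket] += 1
        count = self.buckets[bucket]
        if count <= self.threshold:
            return "pass", None
        alert = None
        if count == self.threshold + 1:        # report once per bucket, at the crossing
            alert = f"anomaly: {self.name}, {count} > threshold {self.threshold}"
        return self.action, alert


def run_dos_policy(sensors, events):
    """Apply every anomaly of a DoS policy to (ts, event) pairs. Returns one verdict
    per event (the first anomaly that fires decides) and the alerts raised."""
    verdicts, alerts = [], []
    for ts, event in events:
        verdict = "pass"
        for sensor in sensors:
            v, alert = sensor.observe(ts, event)
            if alert:
                alerts.append(alert)
            if v != "pass" and verdict == "pass":
                verdict = v
        verdicts.append(verdict)
    return verdicts, alerts


def build_policy():
    """Constructed DoS policy with two anomalies; thresholds are illustrative."""
    icmp_flood = DoSAnomalySensor(
        "icmp_flood", 50, "block",
        key_fn=lambda e: ("src", e["src"]) if e["proto"] == "icmp" else None)
    syn_flood = DoSAnomalySensor(
        "tcp_syn_flood", 100, "block",
        key_fn=lambda e: ("dst", e["dst"], e["dport"]) if e["proto"] == "tcp" else None)
    return [icmp_flood, syn_flood]


def make_events(src, dst, proto, dport, n, start_ts, gap=0.005):
    """Constructed sample traffic: n new sessions with the given attributes, `gap` seconds apart."""
    return [(start_ts + i * gap, {"src": src, "dst": dst, "proto": proto, "dport": dport})
            for i in range(n)]


if __name__ == "__main__":
    # Constructed scenario: one source bursts 60 pings inside a second, another sends 5,
    # and a third opens 120 TCP sessions to the web server's port 80 in the same second.
    events = (make_events("192.0.2.10", "198.51.100.5", "icmp", None, 60, 10.0)
              + make_events("192.0.2.11", "198.51.100.5", "icmp", None, 5, 10.0)
              + make_events("192.0.2.12", "198.51.100.5", "tcp", 80, 120, 10.0))
    verdicts, alerts = run_dos_policy(build_policy(), events)
    print(verdicts.count("block"), "blocked;", alerts)
```

Only the events after the crossing are blocked, which is how a threshold-based anomaly behaves: the first 50 pings per second from a source are still delivered, so a threshold that is set too high simply shifts where the damage starts rather than preventing it.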

38-39 SYN Flood Attacks
(Diagram: attackers on the Internet fill the web server's connection table)
In a SYN flood attack, the attacker attempts to disable the server by flooding it with TCP/IP connection requests
When the server's connection table is full, it is not possible to establish any new connection and the server becomes inaccessible
The attacker makes a request for a connection but never acknowledges the server's reply
The FortiGate unit uses a pseudo SYN proxy to prevent SYN flood attacks

40-41 ICMP Sweep
ICMP sweeps can be used by an attacker to scan a target network to discover vulnerabilities
Scans all possible IP addresses in the range of the network to create a map which can be used to plan an attack
FortiGate IPS can be used to detect a variety of ICMP sweep methods

42 Monitoring IPS Attacks
Monitor IPS attacks by enabling logging and configuring email alerts
Attack signature found:
2011-07-01 10:18:28 oid=247 log_id=16384 type=ips subtype=signature pri=alert vd=root severity="high" src="192.168.3.229" dst="192.168.1.195" src_int="port2" dst_int="port1" policyid=1 identidx=0 serial=89365 status="detected" proto=6 service="http" count=4 attack_name="phpBB.viewtopic.highlight.CommandExecution" src_port=31166 dst_port=80 attack_id=12507 sensor="default" ref="http://www.fortinet.com/ids/VID12507" incident_serialno=1445028994 msg="web_server: phpBB.viewtopic.highlight.CommandExecution, repeated 4 times"
Attack anomaly detected:
2011-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"
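Enabling logging is only useful if someone reads the logs, so here is an added example (not Fortinet's code) that parses the two key=value IPS log lines shown on the slide and does the first triage a SOC would want: totals per attack name and source, and a list of high/critical events whose status is only "detected", meaning the sensor logged but did not block. The parsing rules (date and time first, then key=value pairs with optional double-quoted values) are inferred from the sample lines; the triage thresholds are this example's choice.

```python
import re
from collections import Counter

# The two log lines from the slide (quotes straightened).
SAMPLE_LOG_LINES = [
    '2011-07-01 10:18:28 oid=247 log_id=16384 type=ips subtype=signature pri=alert vd=root '
    'severity="high" src="192.168.3.229" dst="192.168.1.195" src_int="port2" dst_int="port1" '
    'policyid=1 identidx=0 serial=89365 status="detected" proto=6 service="http" count=4 '
    'attack_name="phpBB.viewtopic.highlight.CommandExecution" src_port=31166 dst_port=80 '
    'attack_id=12507 sensor="default" ref="http://www.fortinet.com/ids/VID12507" '
    'incident_serialno=1445028994 '
    'msg="web_server: phpBB.viewtopic.highlight.CommandExecution, repeated 4 times"',
    '2011-07-01 09:54:28 oid=2 log_id=18433 type=ips subtype=anomaly pri=alert vd=root '
    'severity="critical" src="192.168.3.168" dst="192.168.3.170" src_int="port2" serial=0 '
    'status="detected" proto=1 service="icmp" count=1 attack_name="icmp_flood" '
    'icmp_id="0xa8a4" icmp_type="0x08" icmp_code="0x00" attack_id=16777316 sensor="1" '
    'ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 51 > threshold 50"',
]

TIMESTAMP_RE = re.compile(r'(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ')
# key=value where the value is either "quoted, may contain spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ips_log(line):
    """Turn one IPS log line into a dict of field -> string value."""
    fields = {}
    m = TIMESTAMP_RE.match(line)
    if m:
        fields["date"], fields["time"] = m.group(1), m.group(2)
        line = line[m.end():]
    for kv in KV_RE.finditer(line):
        key, quoted, bare = kv.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage(lines, review_severities=("high", "critical")):
    """Parse log lines and return (records, events per (attack_name, src), attacks to review).

    A record is flagged for review when its severity is in `review_severities`
    and its status is 'detected': the sensor only logged it, nothing was blocked.
    """
    records = [parse_ips_log(line) for line in lines]
    per_source = Counter()
    needs_review = []
    for r in records:
        # 'count' is how many times the event repeated within the log interval.
        per_source[(r.get("attack_name"), r.get("src"))] += int(r.get("count", "1"))
        if r.get("severity") in review_severities and r.get("status") == "detected":
            needs_review.append(r.get("attack_name"))
    return records, per_source, needs_review


if __name__ == "__main__":
    records, per_source, needs_review = triage(SAMPLE_LOG_LINES)
    for (attack, src), n in per_source.items():
        print(f"{n:4d}  {attack}  from {src}")
    print("review:", needs_review)
```

Both sample events land in the review list: the phpBB signature fired four times from one source against the web server and the anomaly exceeded its threshold, yet status="detected" shows the sensor was configured to log rather than block.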

43-44 Proxy Avoidance
(Diagram: a user reaches a blocked page on a web server by going through an external web proxy)
Some proxies can be used to anonymize web surfing as a means of bypassing blocking policies
Users can circumvent the policy, allowing blocked pages to be viewed
The FortiGate unit can disallow proxy traffic using web filtering or application control

45-46 One-Arm IDS
One-arm IDS allows a FortiGate unit to operate as an intrusion detection system appliance
Sniffs packets for attacks without actually receiving and otherwise processing them
Cannot block traffic
Can log detected attacks

47 Labs
Lab - Intrusion Prevention System
Defining IPS sensors
Defining DoS sensors
Creating custom signatures

48 Student Resources

