USER GUIDE FortiGate IPS User Guide Version 3.0 MR7 www.fortinet.
FortiGate IPS User Guide Version 3.0 MR7 September 16, 2008 01-30007-0080-20080916 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Contents

Introduction 5
    The FortiGate IPS 5
    About this document 6
        Document conventions 6
    Fortinet documentation ...
Creating custom signatures 23
    Custom signature fields 23
    Custom signature syntax 24
    Example custom signatures 33
Protocol decoders ...
Introduction

This section introduces you to the FortiGate Intrusion Prevention System (IPS) and the following topics:
• The FortiGate IPS
• About this document
• Fortinet documentation
• Customer service and technical support

The FortiGate IPS

Spam and viruses are not the only threats facing enterprises and small businesses.
About this document

Document conventions

The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results, including loss of data or damage to equipment.
Fortinet documentation

• FortiGate Installation Guide: Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
Fortinet Knowledge Center

Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.
IPS overview and general configuration

This section contains the following topics:
• The FortiGate IPS
• Network performance
• Monitoring the network and dealing with attacks
• Using IPS sensors in a protection profile

The FortiGate IPS

An IPS is an Intrusion Prevention System for networks: it inspects traffic for the signatures of known attacks and for protocol anomalies, and can pass, log, drop, or reset the matching sessions.
To create an IPS sensor, go to Intrusion Protection > IPS Sensor. See “IPS sensors” on page 39 for details.
To access the protection profile IPS sensor selection, go to Firewall > Protection Profile, select Edit or Create New, and select IPS.
To create a DoS Sensor, go to Intrusion Protection > DoS Sensor. See “DoS sensors” on page 45 for details.
Controlling sessions

Use this command to stop inspecting a session after a set amount of traffic has passed. The default is 204800 bytes. Traffic later in the session is no longer examined by the IPS, so a larger value trades throughput for inspection coverage.
    config ips global
        set ignore-session-bytes
    end

Setting the buffer size

Set the size of the IPS buffer. The size of the buffer is model-dependent.
5 Select and configure authentication if required, and enter the email addresses that will receive the alert email.
6 Enter the time interval to wait before sending log messages for each logging severity level.
Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.
7 Select Apply.
Anomaly

The following log message is generated when an attack anomaly is detected:
    Message ID: 73001
    Severity: Alert
    Message: attack_id= src= dst= src_port= dst_port= interface= src_int= dst_int= status={clear_session | detected | dropped | reset} proto= service= msg="<
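As an added example (not from this guide and not Fortinet code), the following Python parses log messages in the key=value layout shown above and separates the records where the IPS intervened (dropped, reset, clear_session) from plain detections, which is the first thing worth knowing when triaging an alert email. The sample lines are constructed for this example: the addresses, attack IDs, proto and service values and message texts are invented and do not come from a real unit.

```python
import re
from dataclasses import dataclass

# Added example, not part of the FortiGate IPS User Guide: parse the
# key=value attack/anomaly log layout (Message ID 73001 shown above) and
# separate records where the IPS intervened from log-only detections.

STATUS_VALUES = {"clear_session", "detected", "dropped", "reset"}
INTERVENED = {"clear_session", "dropped", "reset"}

# key=value, where value is a double-quoted string (which may contain spaces,
# as msg="..." does) or a bare run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


@dataclass(frozen=True)
class AttackEvent:
    attack_id: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    interface: str
    status: str
    proto: str
    service: str
    msg: str


def parse_attack_log(line: str) -> AttackEvent:
    """Parse one log message; reject unknown status values early so a
    malformed or truncated line cannot be silently counted as handled."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    status = fields.get("status")
    if status not in STATUS_VALUES:
        raise ValueError(f"unexpected status {status!r} in: {line}")
    return AttackEvent(
        attack_id=int(fields["attack_id"]),
        src=fields["src"],
        dst=fields["dst"],
        src_port=int(fields["src_port"]),
        dst_port=int(fields["dst_port"]),
        interface=fields.get("interface", ""),
        status=status,
        proto=fields.get("proto", ""),
        service=fields.get("service", ""),
        msg=fields.get("msg", ""),
    )


def intervened_events(lines):
    """Events where traffic was dropped, reset or its session cleared.
    status=detected means the signature matched but the traffic was let
    through, which is worth separating when triaging alert email."""
    return [e for e in map(parse_attack_log, lines) if e.status in INTERVENED]


# Constructed sample lines for this example; addresses, IDs, proto/service
# values and messages are invented and do not come from a real unit.
SAMPLE_LINES = [
    'attack_id=7101 src=198.51.100.7 dst=192.168.0.20 src_port=5000 dst_port=53 '
    'interface="port1" src_int="port1" dst_int="port2" status=dropped '
    'proto=17 service=dns msg="anomaly: udp_flood, 12000 pps exceeds threshold"',
    'attack_id=1234 src=203.0.113.9 dst=192.168.0.25 src_port=40123 dst_port=25 '
    'interface="port1" src_int="port1" dst_int="port2" status=detected '
    'proto=6 service=smtp msg="custom signature: Block.SMTP.VRFY.CMD"',
    'attack_id=7102 src=203.0.113.44 dst=192.168.0.30 src_port=51234 dst_port=80 '
    'interface="port1" src_int="port1" dst_int="port2" status=reset '
    'proto=6 service=http msg="anomaly: tcp_syn_flood, 2500 > threshold 2000"',
]

if __name__ == "__main__":
    for event in intervened_events(SAMPLE_LINES):
        print(event.status, event.dst, event.msg)
```

Because the alert email combines several messages into one mail when they arrive inside the same interval, parsing each line into a structured record before counting is what keeps a flood of "detected" entries from hiding the one "dropped" entry that needs follow-up.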
Using IPS sensors in a protection profile

IPS can be combined with other FortiGate features – antivirus, spam filtering, web filtering, and web category filtering – to create protection profiles. Protection profiles are then added to individual user groups and then to firewall policies, or added directly to firewall policies.
Adding protection profiles to user groups

When creating a user group, select a protection profile that applies to that group. Then, when configuring a firewall policy that includes user authentication, select one or more user groups to authenticate. Each user group selected for authentication in the firewall policy can have a different protection profile, and therefore different IPS settings, applied to it.
Predefined signatures

This section describes:
• IPS predefined signatures
• Viewing the predefined signature list

IPS predefined signatures

Predefined signatures are arranged in alphabetical order. By default, some signatures are disabled to prevent interference with common traffic, but logging is enabled for all signatures. Use the IPS sensor to customize the predefined signatures and apply appropriate sensors to different protection profiles.
Viewing the predefined signature list

By default, the signatures are sorted by name. To sort the table by another column, select the required column header name.
Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order.
Clear All Filters: If you have applied filtering to the predefined signature list display, select this option to clear all filters and display all the signatures.
You should also review exactly how you use the information provided by the logging feature. If you find that you do not review the information, it is best to turn off IPS logging. Logging is best used to provide actionable intelligence.

To create an IPS sensor
1 Go to Intrusion Protection > IPS Sensor.
2 Create a sensor and add IPS filters to it.
Custom signatures

Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Protection system for diverse network environments. The FortiGate predefined signatures represent common attacks. If you use an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors.
Create New: Select to create a new custom signature.
Name: The custom signature name.
Signature: The signature syntax.
Delete icon: Select to delete the custom signature.
Edit icon: Select to edit the custom signature.

Custom signature configuration

Add custom signatures using the web-based manager or the CLI. For more information about custom signature syntax, see “Creating custom signatures” on page 23 and “Custom signature syntax” on page 24.
Creating custom signatures

Custom signatures are added separately to each VDOM. In each VDOM, there can be a maximum of 255 custom signatures. A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line. A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed in parentheses ( ).
Custom signature syntax

Table 2: Information keywords
--attack_id ; This optional value identifies the signature. It cannot be the same value as any other custom rule within the same VDOM. If an attack ID is not specified, the FortiGate unit automatically assigns one to the signature. An attack ID you assign must be between 1000 and 9999.
Table 4: Content keywords
--byte_jump , [, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct] [, align]; Use the byte_jump option to extract a number of bytes from a packet, convert them to their numeric representation, and move the match reference forward by that many bytes (for further pattern matching or byte testing).
--byte_test , , , [, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct]; The FortiGate unit compares a byte field against a specific value (with an operator). This keyword can test binary values or convert representative byte strings to their binary equivalent and test them.
--context {uri | header | body | host}; Specify the protocol field in which to look for the pattern. If no context is specified, the FortiGate unit searches for the pattern anywhere in the packet buffer. The available context values are:
• uri: Search for the pattern in the HTTP URI line.
• header: Search for the pattern in HTTP header lines or SMTP/POP3/IMAP control messages.
--pcre [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]"; Similar to the pattern keyword, pcre specifies a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the pattern in the packet.
Table 5: IP header keywords
--dst_addr [!]; The destination IP address. To have the FortiGate unit search for a packet that does not contain the specified address, add an exclamation mark (!) before the IP address. You can define up to 28 IP addresses or CIDR blocks. Enclose the comma-separated list in square brackets. Example:
• dst_addr [172.20.0.0/16,10.1.0.0/16, 192.168.0.
Table 6: TCP header keywords
--ack ; Check for the specified TCP acknowledgement number.
--dst_port [!]{ | : | : | :}; The destination port number. You can specify a single port or a port range:
• is a single port.
• : includes the specified port and all lower numbered ports.
--tcp_flags [!|*|+] [,]; Specify the TCP flags to match in a packet.
• S: Match the SYN flag.
• A: Match the ACK flag.
• F: Match the FIN flag.
• R: Match the RST flag.
• U: Match the URG flag.
• P: Match the PSH flag.
• 1: Match Reserved bit 1.
• 2: Match Reserved bit 2.
• 0: Match no TCP flags set.
• +: Match on the specified bits, plus any others.

Table 7: UDP header keywords
--dst_port [!]{ | : | : | :}; The destination port number. You can specify a single port or a port range:
• is a single port.
--src_port [!]{ | : | : | :};
• : includes the specified port and all lower numbered ports.
Table 9: Other keywords (Continued)
--rpc_num [, | *][, | *]; Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for the version and procedure numbers.
--same_ip; The source and the destination have the same IP address.
The FortiGate unit will limit its search for the pattern to the HTTP protocol. Even though HTTP uses only TCP, without a protocol restriction the FortiGate unit will still look for HTTP communication in TCP, UDP, and ICMP traffic, which is a needless waste of system resources.
5 Specifying the traffic type.
Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic.
Example 2: signature to block the SMTP ‘vrfy’ command

The SMTP vrfy command can be used to verify the existence of a single email address, or it can be used to list all of the valid email accounts on an email server. A spammer could potentially use this command to obtain a list of all valid email users and direct spam to their inboxes. In this example, we will create a custom signature to block the use of the vrfy command.
Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This saves system resources by not unnecessarily scanning UDP and ICMP traffic.
    F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --protocol tcp; )
The FortiGate unit will limit its search for the pattern to TCP traffic and ignore the pattern in UDP and ICMP network traffic.
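As an added example (not from this guide and not Fortinet code), the following Python is a parser and linter for the F-SBID( --keyword value; ... ) definition format covered in "Creating custom signatures" and "Custom signature syntax" above, and it applies the --protocol, --service and --pattern checks of the vrfy signature from Example 2 to a constructed message. It enforces only what the guide states: a 512-character limit per definition, 255 signatures per VDOM, an assigned --attack_id between 1000 and 9999 that is unique within the VDOM, and backslash line continuation. How the matcher treats case is an assumption made here: it does a case-sensitive substring search, and since SMTP commands are case-insensitive the last line of the demo shows that a lowercase-only "vrfy" pattern would miss "VRFY" under that assumption. Check the real engine's behaviour before relying on it.

```python
import re

# Added example, not part of the FortiGate IPS User Guide: a parser and
# linter for the F-SBID( --keyword value; ... ) custom signature format,
# enforcing the limits the guide states (512-character definition, 255
# signatures per VDOM, attack_id between 1000 and 9999 and unique within a
# VDOM, backslash line continuation), plus a matcher that applies a
# signature's --protocol, --service and --pattern checks to a message.
# Everything about matching beyond those three checks is an assumption made
# here, not documented FortiGate behaviour.

MAX_DEFINITION_LEN = 512
MAX_PER_VDOM = 255
ATTACK_ID_RANGE = range(1000, 10000)

HEADER_RE = re.compile(r'^\s*F-SBID\s*\(\s*(.*?)\s*\)\s*$', re.DOTALL)
# --keyword value;  value is either a double-quoted string or bare text up
# to the terminating semicolon (empty for flag keywords such as --same_ip;)
KEYWORD_RE = re.compile(r'--(\w+)\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def join_continuations(text: str) -> str:
    """Join lines that end in a backslash into one definition line."""
    return re.sub(r'\\\r?\n', '', text)


def parse_signature(text: str) -> dict:
    """Return the keyword/value pairs of one definition, or raise ValueError
    for anything the guide says is not allowed. Repeated keywords are not
    modelled: a later value replaces an earlier one."""
    definition = join_continuations(text)
    if len(definition) > MAX_DEFINITION_LEN:
        raise ValueError(f"definition is {len(definition)} characters, "
                         f"limit is {MAX_DEFINITION_LEN}")
    m = HEADER_RE.match(definition)
    if not m:
        raise ValueError("definition must have the form F-SBID( ... )")
    fields = {}
    for key, value in KEYWORD_RE.findall(m.group(1)):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    if "attack_id" in fields:
        attack_id = int(fields["attack_id"])
        if attack_id not in ATTACK_ID_RANGE:
            raise ValueError(f"attack_id {attack_id} is outside 1000-9999")
        fields["attack_id"] = attack_id
    return fields


def validate_vdom(definitions: list) -> list:
    """Parse every custom signature of one VDOM and enforce the per-VDOM
    limits (signature count and attack_id uniqueness)."""
    if len(definitions) > MAX_PER_VDOM:
        raise ValueError(f"{len(definitions)} signatures, VDOM limit is {MAX_PER_VDOM}")
    parsed, seen_ids = [], set()
    for text in definitions:
        sig = parse_signature(text)
        attack_id = sig.get("attack_id")
        if attack_id is not None:
            if attack_id in seen_ids:
                raise ValueError(f"attack_id {attack_id} used twice in this VDOM")
            seen_ids.add(attack_id)
        parsed.append(sig)
    return parsed


def matches(sig: dict, protocol: str, service: str, payload: bytes) -> bool:
    """Apply the --protocol, --service and --pattern checks to one message.
    The pattern check is a case-sensitive substring search (an assumption
    of this example, not documented engine behaviour)."""
    if "protocol" in sig and sig["protocol"].lower() != protocol.lower():
        return False
    if "service" in sig and sig["service"].lower() != service.lower():
        return False
    if "pattern" in sig and sig["pattern"].encode() not in payload:
        return False
    return True


# The guide's Example 2 signature, split over two lines with the backslash
# continuation the guide describes.
VRFY_SIGNATURE = '''F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; \\
        --service SMTP; --protocol tcp; )'''

if __name__ == "__main__":
    sig = parse_signature(VRFY_SIGNATURE)
    print(sig)
    print(matches(sig, "tcp", "SMTP", b"vrfy postmaster\r\n"))   # True
    print(matches(sig, "udp", "SMTP", b"vrfy postmaster\r\n"))   # False: --protocol tcp
    print(matches(sig, "tcp", "SMTP", b"VRFY postmaster\r\n"))   # False under this matcher
```

Running the linter over every definition of a VDOM before pasting them into the web-based manager or the CLI catches the duplicate attack ID and over-length cases up front, where the unit would otherwise reject the signature at load time.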
Protocol decoders

This section describes:
• Protocol decoders
• Upgrading the IPS protocol decoder list
• Viewing the protocol decoder list

Protocol decoders

The FortiGate IPS uses protocol decoders to identify abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors HTTP traffic to identify any HTTP packets that do not meet the HTTP protocol standards.
Viewing the protocol decoder list

To view the decoder list, go to Intrusion Protection > Signature > Protocol Decoder.
Figure 6: The protocol decoder list
Protocols: The protocol decoder names.
Port: The port number or numbers that the protocol decoder monitors.
IPS sensors

You can group signatures into IPS sensors for easy selection in protection profiles. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic.
protect_client: Includes only the signatures designed to detect attacks against clients; uses the default enable status and action of each signature.
protect_email_server: Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols; uses the default enable status and action of each signature.
To view an IPS sensor, go to Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor attributes, the filters, and the overrides.
Figure 9: Edit IPS sensor
IPS sensor attributes:
Name: The name of the IPS sensor. You can change it at any time.
Comments: An optional comment describing the IPS sensor. You can change it at any time.
OK: Select to save changes to Name or Comments.
Move to icon: After selecting this icon, enter the destination position in the window that appears, and select OK.
View Rules icon: Open a window listing all of the signatures included in the filter.
IPS sensor overrides:
Add Pre-defined Override: Select to create an override based on a pre-defined signature.
Add Custom Override: Select to create an override based on a custom signature.
#: Current position of each override in the list.
Name: The name of the signature.
Name: Enter or change the name of the IPS filter.
Severity: Select All, or select Specify and then one or more severity ratings. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous attacks, while those rated info pose a much smaller threat.
Target: Select All, or select Specify and then the type of system targeted by the attack. The choices are server or client.
Note: Before an override can affect network traffic, you must add it to a filter, and you must select the filter in a protection profile applied to a policy. Until both steps are taken, the override has no effect on traffic.
To edit a pre-defined or custom override, go to Intrusion Protection > IPS Sensor and select the Edit icon of the IPS sensor containing the override you want to edit.
DoS sensors

The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. For example, one type of flooding is the denial of service (DoS) attack that occurs when an attacking system starts an abnormally high number of sessions with a target system. The high number of sessions slows down or disables the target system so legitimate users can no longer use it.
Viewing the DoS sensor list

To view the DoS sensor list, go to Intrusion Protection > DoS Sensor.
Figure 12: The DoS sensor list
Create New: Add a new DoS sensor to the bottom of the list.
ID: A unique identifier for each DoS sensor. The ID does not indicate the sequence in which the sensors examine network traffic.
Status: Select to enable the DoS sensor.
Name: The DoS sensor name.
Comments: An optional description of the DoS sensor.
Figure 13: Edit DoS Sensor
DoS sensor attributes:
Name: Enter or change the DoS sensor name.
Comments: Enter or change an optional description of the DoS sensor. This description will appear in the DoS sensor list.
Anomaly configuration:
Name: The name of the anomaly.
Enable: Select the check box to enable the DoS sensor to detect when the specified anomaly occurs. Selecting the check box in the header row enables sensing of all anomalies.
Protected addresses:
Each entry in the protected address table includes a source and destination IP address as well as a destination port. The DoS sensor is applied to traffic matching all three attributes of any table entry.
Note: A new DoS sensor has no protected address table entries. If no addresses are entered, the DoS sensor cannot match any traffic and will not function.
Destination: The IP address of the traffic destination. 0.0.0.
Understanding the anomalies
tcp_dst_session: If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
udp_flood: If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
SYN flood attacks

This section describes:
• What is a SYN flood attack?
• How SYN floods work
• The FortiGate IPS response to SYN flood attacks
• Configuring SYN flood protection
• Suggested settings for different network conditions

What is a SYN flood attack?

A SYN flood is a type of Denial of Service (DoS) attack.
After the handshake is complete the connection is open and data exchange can begin between the originator and the receiver, in this case the web browser and the web server. Between steps 2 and 3, however, the web server keeps a record of each incomplete connection until it receives the ACK packet. A SYN flood attacker sends many SYN packets but never replies with the final ACK packet, so these half-open records accumulate until the server can no longer accept connections from legitimate clients.
A true SYN proxy approach requires that all three packets (SYN, SYN/ACK, and ACK) are cached and replayed before it is known whether a TCP connection request is legitimate. The FortiGate IPS pseudo SYN proxy instead forwards every TCP packet immediately from the packet source to the packet destination as soon as it has recorded the information it needs for SYN flood detection.
Configuring SYN flood protection

To configure SYN flood protection
1 Go to Intrusion Protection > DoS Sensor.
2 Select Create New.
3 Configure the options for tcp_syn_flood.
4 Select OK.
Figure 18: Configuring the syn_flood anomaly

Suggested settings for different network conditions

The main setting that affects how well the pseudo SYN proxy detects SYN floods is the threshold value. The default threshold is 2000.
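As an added example (not from this guide and not Fortinet code), the following Python models the per-destination anomalies described in "Understanding the anomalies" (tcp_dst_session, udp_flood) and in this SYN flood section (tcp_syn_flood), replayed over a constructed packet trace so you can see at which packet each threshold is crossed and how the protected address table gates what is counted. The tcp_syn_flood default of 2000 is the guide's; the udp_flood and tcp_dst_session thresholds, the one-second counting window, and treating the tcp_syn_flood threshold as SYNs per second are assumptions of this model, as are all addresses in the trace.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not part of the FortiGate IPS User Guide: a small model of
# the per-destination anomalies described in the DoS sensor and SYN flood
# sections (tcp_syn_flood, udp_flood, tcp_dst_session), replayed over a
# constructed packet trace. The tcp_syn_flood default of 2000 is the guide's;
# the other thresholds, the one-second counting window, and treating the
# tcp_syn_flood threshold as SYNs per second are assumptions of this model.


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since start of trace
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flag letters as in --tcp_flags: S, A, F, R, ...


DEFAULT_THRESHOLDS = {
    "tcp_syn_flood": 2000,    # SYNs per second to one destination (guide default)
    "udp_flood": 2000,        # UDP packets per second to one destination (assumed)
    "tcp_dst_session": 500,   # concurrent TCP sessions to one destination (assumed)
}


class DosSensor:
    """Counts per destination and records the first threshold crossing per
    (anomaly, destination) as (anomaly, dst, observed, threshold)."""

    def __init__(self, protected_dsts, thresholds=None):
        # Like the protected address table: traffic to other hosts is ignored.
        self.protected = set(protected_dsts)
        self.th = dict(DEFAULT_THRESHOLDS, **(thresholds or {}))
        self.syn_per_sec = defaultdict(lambda: defaultdict(int))
        self.udp_per_sec = defaultdict(lambda: defaultdict(int))
        self.sessions = defaultdict(set)   # dst -> {(src, sport, dport)}
        self.alerts, self._fired = [], set()

    def _check(self, anomaly, dst, observed):
        if observed > self.th[anomaly] and (anomaly, dst) not in self._fired:
            self._fired.add((anomaly, dst))
            self.alerts.append((anomaly, dst, observed, self.th[anomaly]))

    def feed(self, pkt):
        if pkt.dst not in self.protected:
            return
        sec = int(pkt.ts)
        if pkt.proto == "udp":
            self.udp_per_sec[pkt.dst][sec] += 1
            self._check("udp_flood", pkt.dst, self.udp_per_sec[pkt.dst][sec])
        elif pkt.proto == "tcp":
            key = (pkt.src, pkt.sport, pkt.dport)
            if "S" in pkt.flags and "A" not in pkt.flags:
                # Client SYN: the server keeps a record until the final ACK,
                # so a session is counted from here until FIN or RST.
                self.syn_per_sec[pkt.dst][sec] += 1
                self._check("tcp_syn_flood", pkt.dst, self.syn_per_sec[pkt.dst][sec])
                self.sessions[pkt.dst].add(key)
                self._check("tcp_dst_session", pkt.dst, len(self.sessions[pkt.dst]))
            elif "F" in pkt.flags or "R" in pkt.flags:
                self.sessions[pkt.dst].discard(key)


def syn_flood_trace(dst, count, start=0.0):
    """count SYNs within one second from spoofed sources that never send
    the final ACK, the pattern the SYN flood section describes."""
    return [Packet(start + i / count, "tcp", f"203.0.113.{i % 250 + 1}",
                   1024 + i, dst, 80, "S") for i in range(count)]


def run_demo(thresholds=None):
    """Replay a constructed trace through the sensor and return its alerts."""
    target = "192.168.0.20"
    trace = syn_flood_trace(target, 2500)                       # above the default 2000
    trace += [Packet(5.0 + i / 300, "udp", "198.51.100.7", 5000, target, 53)
              for i in range(300)]                               # 300 pps: below threshold
    trace += syn_flood_trace("192.168.0.99", 3000, start=10.0)  # not in the protected table
    sensor = DosSensor({target}, thresholds)
    for pkt in sorted(trace, key=lambda p: p.ts):
        sensor.feed(pkt)
    return sensor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two things the replay makes visible that the tables above do not: a SYN flood trips tcp_dst_session long before tcp_syn_flood when half-open sessions are counted, so a low session threshold doubles as early SYN flood warning, and the 3000-SYN burst at a host missing from the protected address table produces nothing, which is exactly the failure mode the Note about an empty table warns of.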
ICMP sweep attacks

This section describes:
• What is an ICMP sweep?
• How ICMP sweep attacks work
• The FortiGate IPS response to ICMP sweep attacks
• Configuring ICMP sweep protection
• Suggested settings for different network conditions

What is an ICMP sweep?

ICMP (Internet Control Message Protocol) is part of the IP protocol suite and is generally used to send error messages describing packet routing problems.
Predefined ICMP signatures

Table 11 describes all the ICMP-related predefined signatures and the default settings for each.
Note: The predefined signature descriptions in Table 11 are accurate as of the IPS Guide publication date. Predefined signatures may be added or changed with each Attack Definition update.
Table 11: Predefined ICMP sweep signatures
AddressMask.
Table 11: Predefined ICMP sweep signatures (Continued)
NMAP.Echo.Request: NMAP is a free open source network mapping/security tool that is available for most operating systems. NMAP could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify NMAP as the source. Default settings: Signature disabled.
Redirect.Code4.Echo.
Configuring ICMP sweep protection

To configure the ICMP sweep anomaly protection settings
1 Go to Intrusion Protection > DoS Sensor.
2 Select Create New.
3 Configure the options for icmp_sweep, icmp_src_session, and icmp_dst_session.
4 Select OK.

Suggested settings for different network conditions

Enable or disable the ICMP predefined signatures depending on current network traffic and the network scanning tools being used.