Configuring IPS
The FortiADC Intrusion Prevention System (IPS) combines signature detection and prevention with low latency and high reliability. You can create multiple IPS profiles, each a complete signature-based configuration, and then apply any IPS profile to any Layer 4 virtual server (L4 VS).
Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.
This section describes how to configure the FortiADC Intrusion Prevention settings.
Predefined Profiles
Every IPS signature targets a particular type of attack, so effective detection and protection depends on a well-considered combination of signatures. FortiADC ships with 8 predefined Profiles, each built from signature attributes such as action, application, severity, and target, so that a security set-up can be made quickly.
Predefined Profile | Comment
---|---
all_default | All signatures with their default action
all_default_pass | All signatures with the Pass action
default | Prevent critical attacks
high_security | Blocks all Critical/High/Medium and some Low severity vulnerabilities
protect_client | Protect against client-side vulnerabilities
protect_email_server | Protect against email server-side vulnerabilities
protect_http_server | Protect against HTTP server-side vulnerabilities
sniffer-profile | Monitor IPS attacks
Signature-based defense
Signature-based defense is used against known attacks or vulnerability exploits. These often involve an attacker attempting to gain access to your network. The attacker must communicate with the host in an attempt to gain access and this communication will include particular commands or sequences of commands and variables. The IPS signatures include these command sequences, allowing the FortiADC unit to detect and stop the attack.
Signatures
IPS signatures are the basis of signature-based intrusion prevention. Every attack can be reduced to a particular string of commands or a sequence of commands and variables. Signatures include this information so your FortiADC unit knows what to look for in network traffic.
Signatures also include characteristics about the attack they describe. These characteristics include the network protocol in which the attack will appear, the vulnerable operating system, and the vulnerable application.
The FortiGuard Intrusion Prevention Service (IPS) provides customers with the latest defenses against stealthy network-level threats through a constantly updated database of known threats and behavior-based signatures.
This update service is backed by a team of threat experts and a close relationship with major application vendors. The best-in-class team also uncovers significant zero-day vulnerabilities continuously, providing FortiADC units with advanced protection ahead of vendor patches.
The IPS Signatures Database can be updated automatically or manually from the System > Settings > FortiGuard page.
Protocol decoders
Before examining network traffic for attacks, the IPS engine uses protocol decoders to identify each protocol appearing in the traffic. Attacks are protocol-specific, so your FortiADC unit conserves resources by looking for attacks only in the protocols used to transmit them. For example, the FortiADC unit will only examine HTTP traffic for the presence of a signature describing an HTTP attack.
IPS engine
Once the protocol decoders have separated the network traffic by protocol, the IPS engine examines the traffic for attack signatures. The number of engines (the engine count) is configurable from the CLI. The recommendation is one IPS engine per CPU, i.e. an engine count equal to the number of CPUs the FortiADC has (see Configuring Engine Count below).
IPS profiles
The IPS engine does not examine network traffic for all signatures. You must first create an IPS profile and specify which signatures are included. Add signatures to a profile individually using signature entries, or in groups using IPS filters.
To view the IPS profiles, go to Security Profiles > Intrusion Prevention.
You can group signatures into IPS profiles for easy selection when applying them in L4 VS Security. You can define signatures for specific types of traffic in separate IPS profiles, and then apply each profile to the virtual servers that handle that type of traffic. For example, you can put all of the web-server related signatures in one IPS profile and apply that profile in the L4 VS Security of the virtual server that fronts a web server protected by the unit.
The FortiGuard Service periodically updates the signatures, with signatures added to counter new threats. Since the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.
Each filter consists of a number of signature attributes. Only the signatures that match every attribute in the filter are checked against traffic when the filter is run. If multiple filters are defined in an IPS profile, they are checked against the traffic one at a time, from top to bottom. At the first match, the unit takes that filter's action and stops further checking.
When created, a new filter has every attribute set to all, which causes every signature to be included in the filter. If Severity is changed to High and Target is changed to Server, the filter includes only signatures for high-severity attacks targeted at servers.
IPS filters
IPS profiles contain one or more IPS filters. A filter is a collection of signature attributes that you specify. The signatures that have all of the attributes specified in a filter are included in the IPS filter.
For example, if your FortiADC unit protects a Linux server running the Apache web server software, you could create a new filter to protect it. By setting OS to Linux, and Application to Apache, the filter will include only the signatures that apply to both Linux and Apache. If you wanted to scan for all the Linux signatures and all the Apache signatures, you would create two filters, one for each.
To view the filters in an IPS profile, go to Security Profiles > Intrusion Prevention, select the IPS profile containing the filters you want to view, and select Edit.
Custom/predefined signature entries
Signature entries allow you to add an individual custom or predefined IPS signature. If you need only one signature, adding a signature entry to an IPS profile is the easiest way. Signature entries are also the only way to include custom signatures in an IPS profile.
Another use for signature entries is to change the settings of individual signatures that are already included in a filter within the same IPS profile. Add a signature entry with the required settings above the filter, and the signature entry will take priority.
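The following Python model is an added example written for this page, not FortiADC code. It illustrates the filter and signature-entry rules described above: a filter is a conjunction of attributes, a new filter with every attribute left at "all" includes every signature, separate Linux and Apache filters include the union while a single Linux + Apache filter includes only the intersection, a signature entry placed above a filter takes priority, and a signature added to the database later is picked up automatically by any filter whose attributes it matches. The class names, attribute values and sample signatures are constructed for illustration and are not FortiGuard signatures.

```python
"""Model of how an IPS profile assembles signatures from filters and
signature entries and decides an action on a match.

Added example for this page, not FortiADC code. It follows the page's
description (a filter is a conjunction of attributes; a new filter has
every attribute set to "all"; items in a profile are checked top to
bottom and the first match decides). The class names, the attribute
values and the sample signatures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

ALL = None  # an attribute left at "all" matches every signature


@dataclass(frozen=True)
class Signature:
    name: str
    application: str
    os: str
    protocol: str
    severity: str
    target: str
    default_action: str  # "pass" or "block"


@dataclass
class Filter:
    """Only signatures matching every attribute not left at ALL are included."""
    application: Optional[str] = ALL
    os: Optional[str] = ALL
    protocol: Optional[str] = ALL
    severity: Optional[str] = ALL
    target: Optional[str] = ALL
    action: str = "default"  # "default", "pass" or "block"

    def matches(self, sig: Signature) -> bool:
        for attr in ("application", "os", "protocol", "severity", "target"):
            want = getattr(self, attr)
            if want is not ALL and getattr(sig, attr) != want:
                return False
        return True


@dataclass
class SignatureEntry:
    """One named signature with its own action; placed above a filter it wins."""
    name: str
    action: str = "default"

    def matches(self, sig: Signature) -> bool:
        return sig.name == self.name


@dataclass
class Profile:
    items: list  # SignatureEntry and Filter objects, in top-to-bottom order


# Constructed sample database; the names are made up, not FortiGuard signatures.
SAMPLE_DB = [
    Signature("Example.Apache.Linux.Critical", "Apache", "Linux", "HTTP", "critical", "server", "block"),
    Signature("Example.Apache.Windows.High", "Apache", "Windows", "HTTP", "high", "server", "block"),
    Signature("Example.Linux.Kernel.High", "Other", "Linux", "TCP", "high", "server", "block"),
    Signature("Example.Windows.Browser.Medium", "Other", "Windows", "HTTP", "medium", "client", "pass"),
    Signature("Example.Windows.Scanner.Info", "Other", "Windows", "TCP", "info", "client", "pass"),
]


def included_signatures(profile: Profile, db) -> set:
    """Names of every signature the profile's filters and entries pull in."""
    return {sig.name for sig in db if any(item.matches(sig) for item in profile.items)}


def resolve_action(profile: Profile, db, sig_name: str):
    """Action taken when sig_name matches traffic. Items are checked top to
    bottom; the first one that includes the signature decides, and "default"
    defers to the signature's own default action. Returns None when no item
    includes the signature, i.e. the engine is not looking for it at all."""
    sig = next(s for s in db if s.name == sig_name)
    for item in profile.items:
        if item.matches(sig):
            return sig.default_action if item.action == "default" else item.action
    return None


if __name__ == "__main__":
    # Linux AND Apache: only the signature that carries both attributes.
    both = Profile([Filter(os="Linux", application="Apache")])
    print(sorted(included_signatures(both, SAMPLE_DB)))
    # Two filters: all Linux signatures plus all Apache signatures.
    either = Profile([Filter(os="Linux"), Filter(application="Apache")])
    print(sorted(included_signatures(either, SAMPLE_DB)))
    # A signature entry placed above a blocking filter overrides it for that signature only.
    override = Profile([
        SignatureEntry("Example.Linux.Kernel.High", action="pass"),
        Filter(severity="high", target="server", action="block"),
    ])
    for name in ("Example.Linux.Kernel.High", "Example.Apache.Windows.High", "Example.Windows.Browser.Medium"):
        print(name, "->", resolve_action(override, SAMPLE_DB, name))
```

Running the script shows the intersection filter including one signature, the two-filter profile including three, and the overriding signature entry turning a high-severity server signature into Pass while the filter below it still blocks the others. A signature that no item includes resolves to None, which is the model's way of saying the engine never examines traffic for it.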
Security - L4 VS
To use an IPS profile, you must select it in the security options of an L4 VS. An IPS profile that is not selected in the security options of any L4 VS has no effect on network traffic.
Note: IPS does not support NAT46.
Session timers for IPS sessions
A session time-to-live (TTL) timer for IPS sessions is available to reduce synchronization problems between the FortiADC Kernel and IPS, and to reduce IPS memory usage.
Creating an IPS Profile
You need to create an IPS profile before specific signatures or filters can be chosen. The signatures can be added to a new profile before it is saved. However, keep in mind that the profile and its included filters are separate things, and that they are created separately. (Alternatively, use one of the Predefined Profiles described above.)
To create a new IPS Profile
- Go to Security Profiles > Intrusion Prevention.
- Select the Create New icon at the top of the Edit IPS Profile window.
- Enter the name of the new IPS Profile.
- Optionally, enter a comment. The comment will appear in the IPS Profile list.
- Select OK.
A newly created Profile is empty and contains no filters or signatures. You need to add one or more filters or signatures before the Profile is of any use.
Adding IPS signatures to a Profile
- Go to Security Profiles > Intrusion Prevention.
- Select the IPS Profile to which you want to add the signature and click the pencil icon.
- Under IPS Signatures, select Add Signature.
- Select one or more signatures from the list and click Apply to add them to the profile.
- After a signature has been added under IPS Signatures, the Action drop-down list on the right side of the signature (Default, Pass or Block) can be changed.
- Click Apply at the bottom of the IPS Profile page.
Adding an IPS filter to a Profile
While individual signatures can be added to a Profile, a filter allows you to add multiple signatures to a Profile by specifying the characteristics of the signatures to be added.
To add an IPS filter to a Profile
- Go to Security Profiles > Intrusion Prevention.
- Select the IPS Profile to which you want to add the filter and click the pencil icon.
- Under IPS Filters, select Add Filter.
- Configure the filter that you require. Only signatures matching all of the characteristics you specify are included in the filter. Once finished, select Apply.
  - Application refers to the application affected by the attack; the filter options include over 25 applications.
  - OS refers to the operating system affected by the attack. The options include BSD, Linux, MacOS, Other, Solaris, and Windows.
  - Protocol refers to the protocol that is the vector for the attack; the filter options include over 35 protocols, including "other".
  - Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.
  - Target refers to the type of device targeted by the attack. The options include Client and Server.
  - Action sets what happens to traffic matching any signature in the filter:

Action | Description
---|---
Pass | Allow traffic matching the filter's signatures to continue to its destination.
Block | Drop traffic matching any signature included in the filter.
Default | Use each signature's own default action.

Note: to see what the default action of a signature is, go to the IPS Signatures page, enable the Action column, and find the row with the signature name.
- After the filter has been added under IPS Filters, the Action drop-down list on the right side of the filter (Default, Pass or Block) can still be changed.
- Click Apply at the bottom of the IPS Profile page.
Adding rate based signatures
Rate-based signatures are a subset of the signatures found in the database. They cover vulnerabilities that are normally only considered a serious threat when the targeted connections arrive in multiples, much like DoS attacks, so a single matching connection on its own is not treated as an attack.
Adding a rate-based signature is straightforward: select the Enable button in the Rate Based Signature table in the row of the desired signature.
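To make the difference between a rate-based signature and an ordinary pattern signature concrete, here is an added Python example written for this page; it is not FortiADC code, and the page gives no thresholds or window sizes, so the threshold of 5 matches within a 10 second window, the per-source tracking and the sample traffic are all assumptions constructed for illustration.

```python
"""Model of a rate-based signature versus an ordinary pattern signature.

Added example for this page, not FortiADC code. The page only says that
rate-based signatures matter when matching connections arrive in
multiples; the threshold, the time window and the per-source tracking
below are assumptions made for illustration, and the events are
constructed sample data.
"""
from collections import defaultdict, deque


class RateBasedSignature:
    """Fires only when one source produces `threshold` matching connections
    within any `window` seconds; a lone match is not reported."""

    def __init__(self, name: str, threshold: int, window: float):
        self.name = name
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)  # source -> timestamps still inside the window

    def observe(self, source: str, ts: float) -> bool:
        """Record one matching connection; return True once the rate threshold is reached."""
        q = self._hits[source]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop hits that have fallen out of the window
            q.popleft()
        return len(q) >= self.threshold


# Constructed sample traffic as (timestamp_seconds, source), using RFC 5737 test addresses.
SAMPLE_EVENTS = (
    [(0.0, "192.0.2.10")]                                    # a single matching connection
    + [(1.0 + i * 0.25, "198.51.100.5") for i in range(6)]  # six matches within 1.25 s
    + [(5.0 + i * 15.0, "203.0.113.7") for i in range(6)]   # six matches, 15 s apart
)


def pattern_sources(events) -> set:
    """An ordinary signature matches each connection on its own: every source is reported."""
    return {src for _, src in events}


def rate_trips(sig: RateBasedSignature, events) -> dict:
    """Sources whose rate crossed the threshold, mapped to the time it first happened."""
    first_trip = {}
    for ts, src in sorted(events):
        if sig.observe(src, ts) and src not in first_trip:
            first_trip[src] = ts
    return first_trip


if __name__ == "__main__":
    sig = RateBasedSignature("Example.Rate.Signature", threshold=5, window=10.0)
    print("pattern signature reports:", sorted(pattern_sources(SAMPLE_EVENTS)))
    print("rate-based signature reports:", rate_trips(sig, SAMPLE_EVENTS))
```

With these constructed events the pattern signature reports all three sources, while the rate-based signature reports only 198.51.100.5, whose fifth match inside the window arrives at t=2.0 s; the single connection from 192.0.2.10 and the slow, spread-out connections from 203.0.113.7 never reach the threshold.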
Predefined IPS Profile
FortiADC provides 8 predefined IPS Profiles so that IPS can be enabled quickly and easily. Each predefined profile is built from signature attributes (action, severity, target, application, and so on) and is listed in the Predefined Profiles table above. For users who want broad protection but are not yet ready to build a customized profile, the predefined profiles are recommended. Because they are defined by attributes, they stay current as the FortiGuard Service periodically updates the signature database. They can be selected directly under Security > IPS in the L4 VS options, which is the quickest way to enable IPS.
Enabling IPS
Currently, IPS scanning is supported only for L4 VS traffic.
An IPS Profile contains filters, signature entries, or both; these specify which signatures are included in the profile.
When an IPS Profile is selected in the security options of an L4 VS, all network traffic handled by that virtual server is checked for the signatures in the IPS Profile.
Configuring Engine Count
Because demands and platform performance vary, the IPS Engine-Count in FortiADC is configurable. More engines give higher IPS throughput, but they also take more CPU and memory from the system as a whole.
The default Engine-Count is 1. For better performance, set the Engine-Count to match the number of CPU cores on the platform.
Eg: 4 engines for a 4-core device. (Refer to the hardware platform reference at the end of this article for the core count of your model.)
CLI Syntax
config global
config system ips
set engine-count {1-256}
next
end