Intrusion prevention
Intrusion Prevention System (IPS) detects network attacks and prevents threats from compromising the network, including protected devices. IPS can be in the form of a standalone appliance, or part of the feature set of a Next Generation Firewall (NGFW), such as FortiGate. IPS utilizes signatures, protocol decoders, heuristics (or behavioral monitoring), threat intelligence (such as FortiGuard Labs), and advanced threat detection in order to prevent exploitation of known and unknown zero-day threats. FortiGate IPS is even capable of performing deep packet inspection to scan encrypted payloads in order to detect and prevent threats from attackers.
Networks and devices are often exploited through vulnerabilities. Software vulnerabilities are one such example where a bug or inherent weakness in the code provides attackers an opportunity to gain access to the software. More severe vulnerabilities allow unauthorized access, data leakage, and execution of malicious code. Exploitation of these vulnerabilities can cause damage to the machine and infect others. While the best solution is to patch vulnerabilities as soon as patches are available, IPS signatures offer a solution to detect and block exploitation of many vulnerabilities before they enter the network.
IPS signatures
Fortinet’s solution combines industry-leading threat intelligence from FortiGuard Labs with the FortiGate NGFW to identify the latest threats and prevent them from entering your network. IPS signatures are one such method for delivering the latest protection. FortiGuard Labs uses AI and Machine Learning (ML) to analyze billions of events every day. The FortiGuard Labs research team also proactively performs threat research to discover new vulnerabilities and exploitation, and produces signatures to identify such threats. These IPS signatures are delivered to each FortiGate daily, so that the IPS engine is armed with the latest databases to match the latest threats.
IPS sensors
A FortiGate IPS sensor is a collection of IPS signatures and filters that define the scope of what the IPS engine will scan when the IPS sensor is applied. An IPS sensor can have multiple sets of signatures and/or filters. A set of IPS signatures consists of manually selected signatures, while a set of IPS filters consists of filters based on signature attributes like target, severity, protocol, OS, and application. Each signature has predefined attributes and an action, such as block, allow, monitor (pass), quarantine, and reset. It is also possible to create custom IPS signatures to apply to an IPS sensor.
From the Security Profiles > Intrusion Prevention pane, you can create new IPS sensors and view a list of predefined sensors.
FortiOS includes the following predefined IPS sensors with associated predefined signatures:
| Predefined IPS sensors | Description |
|---|---|
| all_default | Filters all predefined signatures, and sets action to the signature's default action. |
| all_default_pass | Filters all predefined signatures, and sets action to pass/monitor. |
| default | Filters all predefined signatures with severity of Critical/High/Medium. Sets action to signature's default action. |
| high_security | Filters all predefined signatures with severity of Critical/High/Medium, and sets action to Block. For Low severity signatures, sets action to signature's default action. |
| protect_client | Protects against client-side vulnerabilities by filtering on Target=Client. Sets action to signature's default action. |
| protect_email_server | Protects against email server-side vulnerabilities by filtering on |
| protect_http_server | Protects against HTTP server-side vulnerabilities by filtering on |
| wifi-default | Filters all predefined signatures with severity of Critical/High/Medium. Sets action to signature's default action. Used in profile for offloading WiFi traffic. |
New signatures
When new vulnerabilities are discovered and the FortiGuard team creates signatures to match them, the priority is to match the malicious traffic and release the signature as quickly as possible. As a result, the signatures are broader at the start and are refined over time, which can cause some false positives early on. For this reason, the signatures are often released with an action of pass.
You must decide on the tradeoff between protection and usability, given the potential for false positives. The high_security IPS sensor (or any custom sensor that overrides the default action of Medium/High/Critical signatures) should be used when false positives are acceptable in exchange for a higher level of security.
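The following added example (not FortiOS code) models how a sensor's filter entries resolve a per-signature action, using the predefined all_default, high_security and protect_client sensors from the table above and a constructed set of signatures; it shows why a newly released signature with a default action of pass is blocked by high_security but passed by all_default.

```python
# Added example, not FortiOS code: a small model of how an IPS sensor's
# filter entries resolve the action applied to each signature.
# Signature names, attributes and actions below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    name: str
    severity: str         # critical / high / medium / low / info
    target: str           # client / server
    default_action: str   # the action FortiGuard shipped with the signature

@dataclass(frozen=True)
class FilterEntry:
    severity: Optional[frozenset] = None   # None matches any severity
    target: Optional[str] = None           # None matches any target
    action: str = "default"                # "default" keeps the signature's own action

def resolve_actions(sensor: list, signatures: list) -> dict:
    """Return {signature name: action}; signatures no entry matches are not scanned."""
    result = {}
    for sig in signatures:
        for entry in sensor:  # first matching entry decides the action
            if entry.severity is not None and sig.severity not in entry.severity:
                continue
            if entry.target is not None and sig.target != entry.target:
                continue
            result[sig.name] = sig.default_action if entry.action == "default" else entry.action
            break
    return result

# Models of three predefined sensors as described on the page.
ALL_DEFAULT = [FilterEntry()]
HIGH_SECURITY = [FilterEntry(severity=frozenset({"critical", "high", "medium"}), action="block"),
                 FilterEntry(severity=frozenset({"low"}))]
PROTECT_CLIENT = [FilterEntry(target="client")]

# Constructed signatures; the "new broad" one ships with action pass, as new signatures often do.
SIGNATURES = [
    Signature("Example.Server.RCE", "critical", "server", "block"),
    Signature("Example.New.Broad.Exploit", "high", "server", "pass"),
    Signature("Example.Browser.Overflow", "medium", "client", "block"),
    Signature("Example.Scanner.Probe", "low", "server", "pass"),
    Signature("Example.Info.Banner", "info", "server", "pass"),
]

if __name__ == "__main__":
    for name, sensor in [("all_default", ALL_DEFAULT), ("high_security", HIGH_SECURITY),
                         ("protect_client", PROTECT_CLIENT)]:
        print(name, resolve_actions(sensor, SIGNATURES))
```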
DDoS attacks
Besides protecting against threats and exploitation of vulnerabilities, the IPS engine is also responsible for mitigating Denial of Service (DoS) attacks, where attackers attempt to bring a service down by flooding the target with traffic from distributed systems. Using anomaly-based defense, FortiGate can detect a variety of Layer 3 and Layer 4 anomalies and take action against these attacks. This is configured under IPv4 and IPv6 DoS Policies, which are discussed in detail under DoS policy.
This section contains the following topics:
- Signature-based defense
- Configuring an IPS sensor
- IPS configuration options
- IPS signature filter options
This section also provides the following examples about IPS sensors: