Added: May 29, 2024
Slides: 51 pages
FortiOS 6.2 FortiGate Security
Intrusion Prevention and Denial of Service

Intrusion Prevention System (IPS)
- Differentiate between exploits and anomalies
- Identify the different components of an IPS package
- Manage FortiGuard IPS updates
- Select an appropriate IPS signature database
- Configure an IPS sensor
- Identify the IPS sensor inspection sequence
- Apply IPS to network traffic

Why use IPS?
- Increased volume and sophistication of attacks on organizations
  - Driven by previously successful high-profile hacks and a highly profitable black-market demand for stolen data
- More attacks against client and cloud applications
  - Attacks are no longer targeted only at servers and server-based applications
- BYOD and remote workers increase risk of exposure
See attacks happening in real time around the world on the FortiGuard Labs live threat map.

Exploits and Anomalies
Anomaly
- Can be zero-day or denial of service (DoS) attacks
- Detected by behavioral analysis:
  - Rate-based IPS signatures
  - DoS policies
  - Protocol constraints inspection
- Example: Abnormally high rate of traffic (DoS/flood)
Exploit
- A known, confirmed attack
- Detected when a file or traffic matches a signature pattern:
  - IPS signatures
  - WAF signatures
  - Antivirus signatures
- Example: Exploit of known application vulnerabilities

IPS
- Flow-based detection and blocking
  - Known exploits that match signatures
  - Network errors and protocol anomalies
IPS components
- IPS signature databases
- Protocol decoders
- IPS engine, which also powers:
  - Application control
  - Antivirus (flow based)
  - Web filter (flow based)
  - Email filter (flow based)
  - Data leak prevention (DLP) (flow-based in one-arm sniffer mode)

What Are Protocol Decoders?
- Decoders parse protocols.
  - The decoder for the protocol at each OSI layer is selected automatically
  - Does the traffic meet protocol requirements and standards?
- IPS signatures find parts of a protocol that don't conform.
  - For example, too many HTTP headers, or a buffer overflow attempt
- Unlike proxy-based scans, IPS often does not require IANA standard ports.

FortiGuard IPS Updates
- IPS packages are updated by FortiGuard:
  - IPS signature databases
  - Protocol decoders
  - IPS engine
- Regular updates are required to ensure IPS remains effective.
- Enable push updates to receive updates as they become available.
- The Botnet IPs and Botnet Domains subscription is part of a FortiGuard IPS license.
System > FortiGuard

Choosing the Signature Database
- Regular: Common attacks with fast, certain identification (default action is block)
- Extended: Performance-intensive
System > FortiGuard

List of IPS Signatures
- Active signature database
- Default action
Security Profiles > Intrusion Prevention

Configuring IPS Sensors
- Add individual signatures
- Add groups of signatures using filters
Security Profiles > Intrusion Prevention

Configuring IPS Sensors
- Add rate-based signatures to block traffic when the threshold is exceeded during a time period
- Track the traffic based on source or destination IP address
Security Profiles > Intrusion Prevention

IPS Sensor Inspection Sequence
- Individual signature actions will override any filter-based action.
Security Profiles > Intrusion Prevention

Configuring IP Exemptions
- Exempt specific source or destination IP addresses from specific signatures
- Only configurable under individual IPS signatures
Security Profiles > Intrusion Prevention
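The inspection sequence from the slides above, modelled as a small evaluator (an added example, not Fortinet's code or the slides'): the sensor's individual signature entries, together with their IP exemptions, are consulted before filter entries, and the signature's database default applies when nothing in the sensor matches. Signature names, addresses and the assumption that filter entries are tried in sensor order are constructed.

```python
# IPS sensor inspection sequence modelled in Python (constructed example,
# not FortiOS code): an individual signature entry, including its IP
# exemptions, wins over any filter entry. All names/addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Signature:
    name: str
    severity: str        # e.g. "low", "high", "critical"
    target: str          # "server" or "client"
    default_action: str  # action carried by the signature database

@dataclass
class FilterEntry:          # sensor entry selecting signatures by attribute
    severities: set
    targets: set
    action: str

@dataclass
class SignatureEntry:       # sensor entry for one individual signature
    name: str
    action: str
    exempt_src: list = field(default_factory=list)  # CIDR strings
    exempt_dst: list = field(default_factory=list)

def _exempted(networks, addr):
    return any(ip_address(addr) in ip_network(net) for net in networks)

def effective_action(sig, sig_entries, filter_entries, src, dst):
    """Action the sensor applies when `sig` fires on traffic src -> dst."""
    for entry in sig_entries:               # 1. individual signature entries
        if entry.name == sig.name:
            if _exempted(entry.exempt_src, src) or _exempted(entry.exempt_dst, dst):
                return "pass"               # exempt host skips this signature
            return entry.action
    for flt in filter_entries:              # 2. filter entries, sensor order (assumed)
        if sig.severity in flt.severities and sig.target in flt.targets:
            return flt.action
    return sig.default_action               # 3. fall back to the database default

# Constructed sensor: block high/critical server-side signatures, but only
# monitor one noisy signature and exempt a trusted scanner subnet from it.
FILTERS = [FilterEntry({"high", "critical"}, {"server"}, "block")]
SIG_ENTRIES = [SignatureEntry("Web.Server.Noisy.Example", "monitor",
                              exempt_src=["10.0.5.0/24"])]
NOISY = Signature("Web.Server.Noisy.Example", "high", "server", "block")
OTHER = Signature("Web.Server.Other.Example", "critical", "server", "block")
LOW = Signature("Client.Low.Example", "low", "client", "pass")
```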
IPS Actions
- Choose what action to take when a signature is triggered
Security Profiles > Intrusion Prevention

Enabling Botnet Protection
The botnet database:
- Now part of the IPS contract
- Should be used with the IPS profile to maximize the protection of internal endpoints
- Can be enabled only on the IPS profile starting with FortiOS 6.2
- Administrators can set the action to Block or Monitor
- IPS logs are generated
Security Profiles > Intrusion Prevention

Applying IPS Inspection
- Add IPS sensors as security profiles to firewall policies
Policy & Objects > IPv4 Policy

IPS Logging
Log & Report > Intrusion Prevention

Knowledge Check
1. Which one of the following items is evaluated first in an IPS sensor?
   - IPS filter
   - IPS signature
2. Which IPS component is updated most frequently?
   - Protocol decoders
   - IPS signature database

Denial of Service (DoS)
- Identify a DoS attack
- Configure a DoS policy

DoS Attacks
- Attacker's sessions consume all resources—RAM, CPU, port numbers
- Slows down or disables the target until it can't serve legitimate requests
Diagram: an attacker on the Internet overloads the server with HTTP requests; legitimate requests can't get through and fail.

DoS Policy
- DoS policies apply the action when the configured threshold is exceeded
  - Half-open connections, source address, destination address, ports, and so on
- Multiple sensors can detect different anomalies
Diagram: a DoS policy applied to traffic arriving from the Internet.
Policy & Objects > IPv4 DoS Policy

Types of DoS Attacks
- TCP SYN flood
  - Attacker floods the victim with incomplete TCP/IP connection requests
  - The victim's connection table becomes full, so legitimate clients can't connect
- ICMP sweep
  - Attacker sends ICMP traffic to find targets
  - Attacker then attacks hosts that reply
- TCP port scan
  - Attacker probes a victim by sending TCP/IP connection requests to varying destination ports
  - Based on the replies, the attacker can map out which services are running on the victim system
  - Attacker then targets those destination ports to exploit the system

Types of DoS Attacks
- Distributed DoS
  - Many of the same characteristics as an individual DoS attack
  - However, the attack originates from multiple sources

DoS Policy Configuration
- Can apply multiple DoS policies to any physical or logical interface
- Types
  - Flood: Detects a large volume of the same type of traffic
  - Sweep/scan: Detects probing attempts
  - Source (SRC): Detects a large volume of traffic from an individual IP
  - Destination (DST): Detects a large volume of traffic destined for an individual IP
Policy & Objects > IPv4 DoS Policy
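Added example (not FortiOS code) showing how the DoS policy anomaly sensors above work in principle: a threshold counter per tracked address over a sliding window, with tcp_syn_flood tracked by destination and tcp_port_scan by source. The thresholds, the 1-second window and the sample traffic are constructed values, not FortiOS defaults.

```python
# Threshold-based anomaly detection in the style of a FortiGate DoS policy
# (constructed example, not FortiOS code). Two anomaly sensors from the deck
# are modelled: tcp_syn_flood tracked per destination and tcp_port_scan
# tracked per source. Thresholds, window and traffic are constructed values.
from collections import defaultdict

WINDOW_SECONDS = 1.0   # sliding window over which counts are kept (assumed)


def detect_anomalies(syn_events, syn_flood_threshold, port_scan_threshold):
    """Scan (timestamp, src, dst, dport) TCP SYN events in time order.

    Returns (timestamp, sensor, address) for every event that pushes a
    counter over its threshold; the address is the tracked IP (dst for
    the flood sensor, src for the scan sensor).
    """
    syn_times = defaultdict(list)   # dst -> timestamps of recent SYNs
    probed = defaultdict(dict)      # src -> {dport: last timestamp}
    alerts = []
    for ts, src, dst, dport in sorted(syn_events):
        # DST-tracked flood sensor: SYNs to one destination in the window
        recent = [t for t in syn_times[dst] if ts - t <= WINDOW_SECONDS]
        recent.append(ts)
        syn_times[dst] = recent
        if len(recent) > syn_flood_threshold:
            alerts.append((ts, "tcp_syn_flood", dst))
        # SRC-tracked scan sensor: distinct ports one source touches in the window
        ports = probed[src]
        ports[dport] = ts
        for stale in [p for p, t in ports.items() if ts - t > WINDOW_SECONDS]:
            del ports[stale]
        if len(ports) > port_scan_threshold:
            alerts.append((ts, "tcp_port_scan", src))
    return alerts


def sample_events():
    """Constructed traffic: a normal client, a SYN flood source and a scanner."""
    normal = [(0.1 * i, "198.51.100.7", "192.0.2.10", 443) for i in range(3)]
    flood = [(0.01 * i, "203.0.113.5", "192.0.2.10", 80) for i in range(60)]
    scan = [(2.0 + 0.02 * i, "203.0.113.9", "192.0.2.20", 1000 + i) for i in range(25)]
    return normal + flood + scan


if __name__ == "__main__":
    for ts, sensor, addr in detect_anomalies(sample_events(), 50, 20):
        print(f"t={ts:.2f}s {sensor} triggered for {addr}")
```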
Knowledge Check
1. Which one of the following behaviors is a characteristic of a DoS attack?
   - Attempts to exploit a known application vulnerability
   - Attempts to overload a server with TCP SYN packets
2. Which DoS anomaly sensor can be used to detect and block a port scanner's probing attempts?
   - tcp_syn_flood
   - tcp_port_scan

Web Application Firewall (WAF)
- Identify the purpose of WAF on FortiGate
- Identify common web attacks
- Configure a WAF profile

WAF
- Websites are attractive targets for hackers
- FortiGuard web filtering is for clients, not servers
- WAF provides protection for web services
- Available only in proxy inspection mode.
Policy & Objects > IPv4 Policy
System > Feature Visibility

Example of a Web Attack: Cross-Site Scripting
1. An attacker inputs JavaScript in an HTML form/parameter.
2. The web app does not reject illegal input. Usually, the web app saves the input to a database.
3. An innocent client requests a page that is retrieved from the database. The page:
   - Now includes the malicious script
   - Can cause the client's browser to transmit to a third-party, malicious server
The variety of attacks based on cross-site scripting (XSS) is limitless, but they commonly include transmitting private data like authentication cookies or other session information to the attacker.

Example of a Web Attack: SQL Injection
- SQL statements are inserted into entry fields of a web application
- The web application doesn't reject illegal input
- When the web application connects to the database to add the input, it can:
  - Download sensitive data from the database (select * from USERS)
  - Modify the database (insert/update/delete)
  - Perform administrative operations (close management interface)

FortiWeb
- Provides more specialized web server protection
  - More complete protocol understanding
  - HTTP state attack protection
  - HTTP vulnerability scans/penetration tests
  - HTTP rewriting and application delivery (basic ADC)
  - Better performance for high HTTP traffic

FortiGate-FortiWeb Integration
- FortiWeb installed standalone (online or offline), usually behind FortiGate
- FortiGate configured to forward HTTP traffic to FortiWeb for inspection
Security Fabric > Settings

Knowledge Check
1. WAF protocol constraints protect against what type of attacks?
   - Buffer overflow
   - ICMP Sweep
2. To use the WAF feature, which inspection mode should be used in the firewall policy?
   - Flow
   - Proxy
Best Practices
- Identify the IPS implementation methodology
- Enable full SSL inspection for IPS-inspected traffic
- Identify hardware acceleration components for IPS

IPS Implementation
- Analyze requirements
  - Not all policies require IPS
  - Start with the most business-critical services
  - Avoid enabling IPS on internal-to-internal policies
- Evaluate applicable threats
  - Create IPS sensors specifically for the resources you want to protect
- Maintain IPS continuously
  - Monitor logs for anomalous traffic patterns
  - Tune IPS profiles based on observations

Full SSL Inspection
- Enable a full SSL inspection profile to ensure you're inspecting encrypted traffic
Policy & Objects > IPv4 Policy
Security Profiles > SSL/SSH Inspection

Hardware Acceleration
- FortiGate models with NP4, NP6, and SoC3 can benefit from NTurbo acceleration (np-accel-mode).
- FortiGate models that have a CP8 or CP9 support offloading of IPS pattern matching to the content processor (cp-accel-mode).

    fgt # get hardware status
    Model name: FortiGate-300D
    ASIC version: CP8
    ASIC SRAM: 64M
    CPU: Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz
    Number of CPUs: 4
    RAM: 7996 MB
    Compact Flash: 15331 MB /dev/sda
    Hard disk: 114473 MB /dev/sdb
    USB Flash: not available
    Network Card chipset: Intel(R) Gigabit Ethernet Network Driver (rev.0003)
    Network Card chipset: FortiASIC NP6 Adapter (rev.)

    # config ips global
    # set np-accel-mode [basic | none]
    # set cp-accel-mode [basic | advanced | none]
    # end

- np-accel-mode basic: offloads IPS processing to the NP
- cp-accel-mode basic: offloads basic IPS pattern matching to the CP8 or CP9
- cp-accel-mode advanced: offloads more types of IPS pattern matching; only available in units with two or more CP8s or one or more CP9s

Knowledge Check
1. Which chipset uses NTurbo to accelerate IPS sessions?
   - CP9
   - SoC3
2. Which of the following features requires full SSL inspection to maximize its detection capability?
   - WAF
   - DoS

FortiGuard IPS Troubleshooting
- All IPS update requests are sent to update.fortiguard.net on TCP port 443
- Can be configured to connect through a web proxy (CLI only): config system autoupdate tunneling
- Verify update status in the GUI: System > FortiGuard
- Enable real-time debug in the CLI:
    # diagnose debug application update -1
    # diagnose debug enable
    # execute update-now
- After enabling real-time debugging, force a manual update of all FortiGuard packages.

IPS and High-CPU Use
    # diagnose test application ipsmonitor ?
    1: Display IPS engine information
    2: Toggle IPS engine enable/disable status
    3: Display restart log
    4: Clear restart log
    5: Toggle bypass status
    6: Submit attack characteristics now
    10: IPS queue length
    11: Clear IPS queue length
    12: IPS L7 socket statistics
    13: IPS session list
    14: IPS NTurbo statistics
    15: IPS A statistics
    97: Start all IPS engines
    98: Stop all IPS engines
    99: Restart all IPS engines and monitor
- Option 5 (toggle bypass status): the IPS engine remains active, but does not inspect traffic
- Option 2 (toggle enable/disable status): shuts down the IPS engine completely

IPS Fail Open
- Fail open is triggered when the IPS socket buffer is full and new packets can't be added for inspection.
    # config ips global
    # set fail-open <enable|disable>
    # ...
    # end
- IPS fail open log entry:
    date=2017-09-21 time=09:07:59 logid=0100022700 type=event subtype=system level=critical vd="root" logdesc="IPS session scan paused" action="drop" msg="IPS session scan, enter fail open mode"
- When troubleshooting IPS fail open events, try to identify a pattern.
  - Has the traffic volume increased recently?
  - Does fail open trigger at specific times during the day?
- Create IPS profiles specifically for the traffic type.
  - An IPS sensor configured to protect Windows servers doesn't need Linux signatures.
- Disable IPS on internal-to-internal policies.
Diagram callout: Packets dropped!
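Added example (not FortiOS code) for the troubleshooting advice above: parse FortiGate key=value event logs, keep the fail open entries by their logid, and bucket them by hour to check whether they cluster at specific times of day. The sample lines below are constructed from the log entry on the slide; the unrelated entry uses a placeholder logid.

```python
# Find IPS fail open events in FortiGate event logs and look for a time-of-day
# pattern (constructed example, not FortiOS code). The logid 0100022700 is the
# fail open entry shown on the slide; the sample log lines are constructed.
import re
from collections import Counter

FAIL_OPEN_LOGID = "0100022700"
# One key=value pair; the value is either double-quoted or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one FortiGate log line into a dict of its key=value fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def fail_open_by_hour(lines):
    """Return a Counter of fail open events keyed by 'YYYY-MM-DD HH'."""
    hours = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields.get("logid") == FAIL_OPEN_LOGID:
            hours[f"{fields['date']} {fields['time'][:2]}"] += 1
    return hours


# Constructed sample: three fail open entries, two in the same hour, plus an
# unrelated event (placeholder logid) that must be ignored.
SAMPLE_LOG = [
    'date=2017-09-21 time=09:07:59 logid=0100022700 type=event subtype=system '
    'level=critical vd="root" logdesc="IPS session scan paused" action="drop" '
    'msg="IPS session scan, enter fail open mode"',
    'date=2017-09-21 time=09:41:10 logid=0100022700 type=event subtype=system '
    'level=critical vd="root" logdesc="IPS session scan paused" action="drop" '
    'msg="IPS session scan, enter fail open mode"',
    'date=2017-09-21 time=10:02:33 logid=0000000000 type=event subtype=system '
    'level=information vd="root" logdesc="Unrelated event (constructed)"',
    'date=2017-09-22 time=09:12:48 logid=0100022700 type=event subtype=system '
    'level=critical vd="root" logdesc="IPS session scan paused" action="drop" '
    'msg="IPS session scan, enter fail open mode"',
]

if __name__ == "__main__":
    for hour, count in sorted(fail_open_by_hour(SAMPLE_LOG).items()):
        print(f"{hour}:00  {count} fail open event(s)")
```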
False-Positive Detection
- Check the logs to determine which signature is triggering the false positive.
- Use IP exemptions on the signature as a temporary bypass for the affected endpoints.
- Collect samples of the traffic: use the Packet Logging action.
- Provide the traffic samples and the IPS logs to the FortiGuard team for further investigation.

Knowledge Check
1. Which FQDN does FortiGate use to obtain IPS updates?
   - update.fortiguard.net
   - service.fortiguard.com
2. When IPS fail open is triggered, what is the expected behavior if the IPS fail open option is set to enabled?
   - New packets will pass through without inspection
   - New packets will be dropped

- Manage FortiGuard IPS updates
- Configure an IPS sensor
- Apply IPS to network traffic
- Identify a DoS attack
- Configure a DoS policy
- Identify common web attacks
- Configure a WAF profile
- Identify IPS implementation methodology
- Troubleshoot common IPS issues