
Web: Example for Configuring Intrusion Prevention to Protect Users on the Intranet

The intrusion prevention function protects the users and web servers on an enterprise intranet from attacks originating on the Internet.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW as the security gateway at its network border. Intranet users access web servers on the Internet through the FW.

The enterprise wants to enable intrusion prevention on the FW so that intranet users are protected when they access Internet web servers, for example against client-side attacks such as malicious code served by a compromised website.

Figure 1 Networking diagram for configuring intrusion prevention

Data Planning

Based on the enterprise requirements, intrusion prevention must be configured as follows:

  • Filter on signatures whose severity is High, so that worms, Trojan horses, and botnet activity are covered.

  • Protect intranet users.

    • Configure a security policy that permits HTTP traffic from the intranet users to Internet web servers and applies the intrusion prevention profile to it. The profile is applied to the whole session, so the responses returned by the web server are inspected.

    • The attack traffic arrives in the responses to requests that intranet users send to Internet web servers, and the target is the intranet user acting as an HTTP client. Therefore, in the signature filter set the protocol to HTTP, the object to Client, and the severity to High.

    Table 1 shows the data planning for protecting the users on the intranet.

    Table 1 Data planning for protecting the users on the intranet

    Item: Intrusion prevention profile
    Description:
    • Name: Profile_ips_pc
    • Signature filter:
      • Name: filter1
      • Object: Client
      • Severity: High
      • Protocol: HTTP
      • Action: Default

    Item: Security policy
    Description:
    • Name: policy_sec_1
    • Source security zone: Trust
    • Destination security zone: Untrust
    • Source address/region: 10.3.0.0/24
    • Service: HTTP
    • Action: Permit
    • Content security: Profile_ips_pc

Configuration Roadmap

  1. Configure scheduled IPS signature database updates.
  2. Set interface IP addresses and assign the interfaces to security zones.
  3. Configure the intrusion prevention profile Profile_ips_pc and its signature filter to meet the security requirements.
  4. Create the security policy policy_sec_1, which references Profile_ips_pc, to protect intranet users from Internet attacks.

Procedure

  1. Configure scheduled IPS signature database updates.

    Scheduled updates keep the signature database current, which minimizes false positives and false negatives. For configuration details, see Scheduled Update.

  2. Set interface IP addresses and assign the interfaces to security zones.
    1. Choose Network > Interface.
    2. Click the edit icon of GE0/0/1 and set the parameters as follows.

      Security zone: untrust
      IPv4 IP address: 1.1.1.1/24

    3. Click OK.
    4. Configure GE0/0/3 based on the preceding step.

      Security zone: trust
      IPv4 IP address: 10.3.0.1/24

  3. Create the intrusion prevention profile and configure the signature filter.
    1. Choose Object > Security Profiles > Intrusion Prevention.

    2. In Intrusion Prevention Profile List, click Add and create Profile_ips_pc, the profile that the security policy for the Trust -> Untrust interzone will reference. Add the signature filter filter1 with Object set to Client, Severity set to High, Protocol set to HTTP, and Action set to Default, as planned in Table 1. Click OK to complete the configuration of the intrusion prevention profile.

      Set the actions of signature filters to Alert or Default according to service requirements. Setting all actions to Block is not recommended, because signatures that have not yet been verified against your traffic may then block legitimate services.

  4. Click Commit on the upper right and then click OK in the dialog box displayed.
  5. Configure the security policy and apply the intrusion prevention profile to it.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy and set the parameters of the security policy for the Trust -> Untrust interzone as follows.

      Name: policy_sec_1
      Source zone: trust
      Destination zone: untrust
      Source address/region: 10.3.0.0/24
      Destination address/region: any
      Service: HTTP
      Action: Permit
      Content security > Intrusion prevention: Profile_ips_pc

    3. Click OK.
  6. Click Save on the upper right and then click OK in the dialog box displayed.

Result

After intrusion prevention is configured, an administrator who is familiar with the network needs to check and adjust the configuration periodically so that intrusion behaviors are detected and blocked without affecting services. When protected intranet hosts are attacked, corresponding threat logs are generated; however, a large number of them may be false positives. To adjust the configuration based on threat logs, perform the following steps:

Step 1: Select a suspicious attack.

Based on threat logs and threat reports, collect statistics from multiple dimensions, such as time, attack source, attack target, and attack type, to find anomalies. For example, if a large number of attack events occur in a certain period of time, filter out the IP addresses and events involved in that period for further analysis.

Step 2: Check whether the attack is a false positive and whether blocking it may affect services.

  • Check the attack source or target. For example:

    If the attack source is an IP address on the intranet, check whether the access is part of normal service operation. If so, permit the access.

    If the attack source is an IP address on the Internet that accesses intranet hosts at an abnormal frequency or time, analyze further whether the type of threat event generated by this IP address affects services.

  • Check the attack type.

    Check whether the attack type is relevant to the service running on the attacked IP address. For example, if the attack type is SQL injection and the target host does not run any database, the SQL injection attack cannot succeed. You can shield the signature in either of the following ways:
    • Permitting the action: Configure an exception signature that permits the traffic. The exception signature applies only to the current profile.
    • Disabling the signature: Disabling takes effect globally. Once a signature is disabled, it is disabled in all profiles.

Step 3: Perform security hardening or upgrade based on the threat countermeasure.

For certain attacks, perform security hardening or upgrade operations based on the countermeasure information in the signature details. You can process attacks of the same type in a similar way, or analyze and process attacks by category. Attacks can be classified as follows:

  • Attacks exploiting OS and software vulnerabilities: A large number of threat logs record such attacks. For such attacks, check whether the OS or software on the intranet hosts has been upgraded to a version in which the vulnerability is fixed. After the upgrade, you can disable such signatures to reduce the number of logs, at the cost of no longer seeing who attempts the exploit.
  • Database attacks: To defend against such attacks, perform database security hardening.
  • High-risk attacks, such as Trojan horses: If the default action is alert or permit, set the action to block, provided that services are not affected.

Step 4: Adjust configurations (security policies and IPS profiles).

After the preceding steps, if you have confirmed that the block action does not affect services, modify the configuration to block the attack. For example, restrict the IP address in a security policy or blacklist it. You can also configure an exception signature in the IPS profile to change the action of the signature. If you cannot determine whether services will be affected once the attack is blocked, exercise caution when changing the response action.

Step 5: Monitor the network status and attack events.

Monitor the network status and attack events for a period of time to check whether services are affected. If they are, query the configuration logs to identify the configuration change that affected them.

Step 6: Periodically check logs and adjust configurations.

The configuration of the intrusion prevention function cannot be completed in one pass. Instead, you need to check logs and adjust the configuration periodically, especially when large-scale attacks break out.
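The precedence among a profile's signature filters, its exception signatures, and globally disabled signatures (Step 2 and Step 4 above) is easier to reason about in code. The following Python model is an added illustration, not firewall code: the signature attributes, the signature IDs 1001 to 1003, the second profile Profile_ips_srv, and the rule that the first matching filter decides are all assumptions made for the walkthrough; verify the actual precedence on your device.

```python
"""Model of how an IPS profile chooses the action for one signature hit.

Added illustration, not firewall code. Assumed precedence, highest first:
globally disabled signature > exception signature in this profile >
first matching signature filter > the signature's own default action.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    protocol: str        # e.g. "HTTP"
    target: str          # "client" (the Object column above) or "server"
    severity: str        # "low", "medium" or "high"
    default_action: str  # what Action: Default resolves to for this signature


@dataclass
class SignatureFilter:
    name: str
    protocols: set[str]
    targets: set[str]
    severities: set[str]
    action: str = "default"   # "default", "alert" or "block"

    def matches(self, sig: Signature) -> bool:
        return (sig.protocol in self.protocols
                and sig.target in self.targets
                and sig.severity in self.severities)


@dataclass
class IpsProfile:
    name: str
    filters: list[SignatureFilter]
    exceptions: dict[int, str] = field(default_factory=dict)  # sig_id -> action


def decide(profile: IpsProfile, sig: Signature, disabled=frozenset()) -> str:
    """Return the action taken when `sig` fires on traffic covered by `profile`."""
    if sig.sig_id in disabled:
        return "disabled"                      # global: same answer for every profile
    if sig.sig_id in profile.exceptions:
        return profile.exceptions[sig.sig_id]  # local: only this profile changes
    for flt in profile.filters:
        if flt.matches(sig):
            return sig.default_action if flt.action == "default" else flt.action
    return "not_inspected"                     # no filter in the profile selects it


# Constructed signatures; IDs and names are assumptions for the walkthrough.
SIGS = {
    1001: Signature(1001, "Trojan download via HTTP response", "HTTP", "client", "high", "block"),
    1002: Signature(1002, "Suspicious HTTP redirect chain", "HTTP", "client", "medium", "alert"),
    1003: Signature(1003, "SQL injection in HTTP request", "HTTP", "server", "high", "block"),
}


def walkthrough() -> dict[str, str]:
    """Apply filter1 from Table 1, then an exception signature, then a global disable."""
    pc = IpsProfile("Profile_ips_pc",
                    [SignatureFilter("filter1", {"HTTP"}, {"client"}, {"high"})])
    # Assumed second profile (e.g. for a server-protection policy) to show scope.
    srv = IpsProfile("Profile_ips_srv",
                     [SignatureFilter("filter_srv", {"HTTP"}, {"client", "server"},
                                      {"high", "medium"})])
    disabled: set[int] = set()
    r: dict[str, str] = {}
    r["pc:1001"] = decide(pc, SIGS[1001], disabled)    # block: Action Default -> signature default
    r["pc:1002"] = decide(pc, SIGS[1002], disabled)    # not_inspected: severity medium
    r["pc:1003"] = decide(pc, SIGS[1003], disabled)    # not_inspected: object is server
    r["srv:1001"] = decide(srv, SIGS[1001], disabled)  # block
    pc.exceptions[1001] = "alert"                      # exception signature: this profile only
    r["pc:1001/exc"] = decide(pc, SIGS[1001], disabled)    # alert
    r["srv:1001/exc"] = decide(srv, SIGS[1001], disabled)  # still block
    disabled.add(1001)                                 # disabling a signature: global
    r["pc:1001/dis"] = decide(pc, SIGS[1001], disabled)    # disabled
    r["srv:1001/dis"] = decide(srv, SIGS[1001], disabled)  # disabled
    return r


if __name__ == "__main__":
    for key, action in walkthrough().items():
        print(f"{key:14} {action}")
```

The walkthrough makes the scope difference concrete: the exception on 1001 changes only Profile_ips_pc, while disabling 1001 silences it in Profile_ips_srv as well, which is why disabling is the heavier choice when several profiles share a signature.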

Several examples are provided for your reference:

  1. Choose Monitor > Log > Threat Log.
  2. Determine whether an event is an attack based on the behavior of the threat source.

    Example 1:

    When viewing threat logs, you find that an IP address in the Untrust zone continuously launches intrusion attacks against multiple IP addresses in the destination security zone.

    Enter the time range and the IP address of the attack source in the search conditions to query the attack.

    The search result shows that the attacker launches multiple types of intrusion attacks continuously within a certain period of time. This confirms that the attack source is malicious. In this case, configure a security policy that blocks traffic from this IP address.

  3. Based on the information about the threat event, check whether the event is an attack.

    Certain attacks last only a short time, occur at a low frequency, and come from only a few sources, so they are hard to identify by correlating logs. In this case, determine whether an event is an attack based on the details of the event itself.

    Example 2:

    When viewing threat logs, you find several threat logs of the intrusion type with a low occurrence frequency and only a few attack sources.

    Choose Object > Signature and enter the threat ID recorded in the threat log in the search box. In the search result, click the signature to view its details.

    In this example, the signature details describe a major OpenSSL vulnerability disclosed at the end of 2014. It causes information leaks, affects all software and services that use OpenSSL, and is therefore graded as high-risk with a CVSS score of 10. A threat of this type must be taken seriously even if it occurs only once: block it, or follow the countermeasure given in the signature details.

  4. Adjust configurations.

    Adjust the existing configuration based on what you have learned about the attack. For example:
    • An attack may be a real threat in some environments and harmless in others, and some legitimate but unusual services may match an attack signature. Determine whether the blocked event is a real attack in your network; if not, configure an exception signature and set its action to alert.
    • Where security has a higher priority, if certain alarms are triggered by abnormal services whose behavior matches that of an attack, configure them as exception signatures and set the action to block.
    • If a source IP address is identified as one with intrusion behavior, blacklist it, or add it to a security policy rule with the action set to block.
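The triage described in Step 1 and in Examples 1 and 2 (a burst of several attack types from one source against several targets, versus a single high-severity hit, versus an intranet source) can be scripted over exported threat logs. The Python below is an added example, not a Huawei tool: the log line layout, the sample addresses, the signature IDs and the thresholds are constructed for the illustration, so adapt LINE_RE and the thresholds to the export format and traffic you actually have.

```python
"""Triage of exported threat logs: which sources merit a block, which single
hits merit a look at the signature, and which come from inside the intranet.

Added example, not a Huawei tool. The line layout below is constructed;
adapt LINE_RE to the export format of your firewall.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTRANET = ipaddress.ip_network("10.3.0.0/24")   # subnet from the data planning above

# Constructed sample log: documentation address ranges, invented signature IDs.
SAMPLE_LOG = """\
2024-05-06 10:00:01 src=203.0.113.5 dst=10.3.0.21 sig=1001 sev=high act=alert
2024-05-06 10:00:40 src=203.0.113.5 dst=10.3.0.22 sig=1002 sev=medium act=alert
2024-05-06 10:01:15 src=203.0.113.5 dst=10.3.0.21 sig=1005 sev=high act=alert
2024-05-06 10:02:03 src=203.0.113.5 dst=10.3.0.23 sig=1001 sev=high act=alert
2024-05-06 10:03:50 src=203.0.113.5 dst=10.3.0.24 sig=1007 sev=low act=alert
2024-05-06 11:20:00 src=198.51.100.77 dst=10.3.0.30 sig=2001 sev=high act=alert
2024-05-06 12:05:00 src=10.3.0.15 dst=10.3.0.40 sig=3001 sev=medium act=alert
2024-05-06 13:00:00 src=192.0.2.9 dst=10.3.0.21 sig=4001 sev=low act=alert
2024-05-06 13:45:00 src=192.0.2.9 dst=10.3.0.21 sig=4001 sev=low act=alert
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"sig=(?P<sig>\d+) sev=(?P<sev>\w+) act=(?P<act>\w+)$"
)


def parse(text):
    """Return a list of event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["sig"] = int(ev["sig"])
        events.append(ev)
    return events


def _by_source(text):
    groups = defaultdict(list)
    for ev in parse(text):
        groups[ev["src"]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def summarize(text):
    """Step 1: per-source statistics (event count, distinct signatures, distinct targets)."""
    return {src: (len(evs), len({e["sig"] for e in evs}), len({e["dst"] for e in evs}))
            for src, evs in _by_source(text).items()}


def triage(text, window=timedelta(minutes=10), min_events=3):
    """Return {src: verdict} following the reasoning of Step 2 and Examples 1 and 2."""
    verdicts = {}
    for src, evs in _by_source(text).items():
        if ipaddress.ip_address(src) in INTRANET:
            verdicts[src] = "verify_internal_service"   # Step 2: intranet source, check before blocking
            continue
        # Example 1: within one window, several signatures against several targets
        # from the same source is treated as a confirmed malicious source.
        burst = False
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if (len(win) >= min_events
                    and len({e["sig"] for e in win}) >= 2
                    and len({e["dst"] for e in win}) >= 2):
                burst = True
                break
        if burst:
            verdicts[src] = "block_source"
        elif any(e["sev"] == "high" for e in evs):
            verdicts[src] = "investigate_signature"     # Example 2: rare but high-risk, read the details
        else:
            verdicts[src] = "monitor"
    return verdicts


if __name__ == "__main__":
    for src, stats in summarize(SAMPLE_LOG).items():
        print(f"{src:16} events={stats[0]} sigs={stats[1]} targets={stats[2]}")
    for src, verdict in triage(SAMPLE_LOG).items():
        print(f"{src:16} -> {verdict}")
```

With the constructed sample, 203.0.113.5 produces five events with four signatures against four hosts inside four minutes and is marked block_source, the single high-severity hit from 198.51.100.77 is marked investigate_signature, the intranet address 10.3.0.15 is marked verify_internal_service, and the two low-severity repeats from 192.0.2.9 stay on monitor. The verdicts are inputs to the manual review in Step 2 and Step 4, not automatic blocks.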

Configuration Scripts

#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type ips name Profile_ips_pc
 signature-set name filter1
  os windows
  target client
  severity high 
  protocol HTTP
  category all
 #
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 mask 255.255.255.0
  service http
  profile ips Profile_ips_pc             
  action permit
Copyright © Huawei Technologies Co., Ltd.