
Protecting Users Against Intrusion During Internet Access

This section describes how to apply the intrusion prevention function on the FW to protect users against intrusion during Internet access.

Problems Faced

As shown in Figure 1, an enterprise deploys the FW as a gateway to connect the intranet to the Internet.

When intranet users access the Internet, they are exposed to intrusions and attacks that target their browsers and operating systems, threatening network security.

Figure 1 Protecting users against intrusion during Internet access

Solution

With the intrusion prevention function, the FW detects and blocks various intrusion behaviors to secure the network.

The FW provides an intrusion prevention signature database that contains the signatures of known intrusion behaviors. The FW matches observed traffic behavior against the signatures in this database. If a match is found, the behavior is considered an intrusion.

To ensure the accuracy of the intrusion detection result, you are advised to update the intrusion prevention signature database every week.

To detect intrusion behavior on the network, reference the intrusion prevention profile in the security policy that permits intranet users to access the Internet.

  1. Log in to the web UI of the FW as the administrator.

  2. Choose Object > Security Profiles > Intrusion Prevention.

  3. Click Add to create an intrusion prevention profile named client. In the profile, set Target to Client for the signature filter and keep the default values of the other configuration items.

    Click Preview to view the signature filtering result.

  4. Click OK.

  5. After the configuration is complete, click Commit in the upper right corner of the web page to commit the intrusion prevention profile.

  6. Choose Policy > Security Policy > Security Policy.

  7. Click Add Security Policy. Configure the matching conditions for the security policy as required and reference the intrusion prevention profile client in the security policy.

    Name: policy1
    Source Zone: trust
    Destination Zone: untrust
    Source Address/Region: 192.168.0.0/255.255.255.0
    Action: Permit
    Content Security > Intrusion Prevention: client

  8. Click OK.

Verification

Access a malicious website that hosts Trojan horses on the Internet from an intranet host. The FW blocks the access.

Choose Monitor > Log > Threat Log. You can view the intrusion logs generated by the FW.

Configuration Scripts

The configuration script related to the example is as follows:

#
profile type ips name client
 signature-set name protect_client
  os unix-like windows android ios other
  target client
  severity low medium high information
  protocol all
  category all
  application all
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  profile ips client
  action permit
#
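As an added example that is not part of the Huawei documentation, the following Python audits an exported configuration such as the script above: it checks that every permit rule references an IPS profile whose signature filter has target client, so a rule that silently lost its profile reference (or a profile retargeted to server) is reported. Parsing by indentation and the function names are assumptions, not a documented grammar of the export format.

```python
import re
# Constructed from the page's configuration script (separator lines omitted).
FW_CONFIG = """\
profile type ips name client
 signature-set name protect_client
  os unix-like windows android ios other
  target client
  severity low medium high information
  protocol all
  category all
  application all
security-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  profile ips client
  action permit
"""

def parse_blocks(text):
    # Column-0 lines open a block; indented lines (any depth) are its body.
    # Grouping by indentation is an assumption about the export format.
    blocks, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            cur = None
        elif not line.startswith(" "):
            blocks[(cur := line.strip())] = []
        elif cur is not None:
            blocks[cur].append(line.strip())
    return blocks

def permit_rules_without_client_ips(text):
    # Names of permit rules that reference no IPS profile with 'target client'.
    blocks = parse_blocks(text)
    client_ips = {m.group(1) for h, body in blocks.items()
                  if (m := re.match(r"profile type ips name (\S+)", h))
                  and "target client" in body}
    rules, name = {}, None
    for line in blocks.get("security-policy", []):
        if m := re.match(r"rule name (\S+)", line):
            rules[(name := m.group(1))] = set()
        elif name is not None:
            rules[name].add(line)
    return [rule for rule, settings in rules.items()
            if "action permit" in settings
            and not client_ips & {s.split()[2] for s in settings
                                  if s.startswith("profile ips ")}]
```

Running the audit against the page's script returns an empty list; removing the profile ips client line, or changing target client to target server, reports policy1.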
Copyright © Huawei Technologies Co., Ltd.