FORTINET
In this lesson, we will show you how to use FortiGate IPS. IPS is part of what
makes FortiGate a UTM that can keep pace with the latest attacks.
Beyond simple TCP stateful inspection and masking internal network IPs, modern
FortiGate UTM firewalls can detect and block exploit attempts in higher layer
protocols.
DO NOT REPRINT
FORTINET
After completing this lesson, you should have these practical skills. Essentially, you
will learn how to use your FortiGate to study what is normal for your network, then
detect and block rate anomalies and mechanism attacks.
Lab exercises can help you to test and reinforce your skills.
Before we begin, it's important to understand: not all attacks can be 100%
positively identified. Sometimes, there is uncertainty.
What is the difference between an attack and an anomaly? To compare, FortiGate
IPS uses attack signatures where it can detect an attack with relative certainty and
performance. But the IPS engine can also use heuristic methods to find statistical
anomalies: an unusual order in the packet flow, or suspicious volumes of certain
packet types. An example: the client uses the HTTP MKCOL method, but your web
site has only static web pages, so it's suspicious to use a method for dynamic sites.
Many anomalies indicate a DoS attempt. So the IPS engine is also used by DoS
policies, except that there it's performed in specialized hardware (FortiASIC
chips) instead of in the kernel, on the CPU.
If an anomaly is actually normal for your specific network, to reduce false positives,
disable that signature in your IPS profile or DoS policy.
Regular updates are vital. If your FortiGate doesn't have the latest signatures,
your network is vulnerable. Always make sure that your FortiGate has a reliable
Internet connection, and that it is scheduled to request updates from FortiGuard
frequently.
What is included in a FortiGuard IPS update? Protocol decoders, the engine, and
signatures. The signature database is subdivided into Regular and Extended.
Regular signatures are common attacks whose signatures, during testing prior to
release on the FortiGuard Distribution Network, caused rare or no false positives.
So it's a smaller database, and its default action is to block the detected attack.
Extended signatures contain everything else. In FortiOS 5.2, the IPS extended
database is enabled by default for all FortiGate models that
have multiple CP8. Otherwise, they are disabled, because either:
the performance impact is significant, or
the nature of the attack doesn't support blocking.
By default, the Regular database is selected, not the Extended. In fact, due to its
size, the extended database is not available for FortiGate models with a smaller
disk and/or RAM. But for high security networks, you may be required to enable
extended signatures. In that case, you should mark the Enable Extended IPS
Signature Package option on System > Config > FortiGuard.
When your FortiGate downloads new IPS signatures, or a new engine, syntax may
change. So if you write your own custom signatures, especially after upgrading your
FortiGate's firmware, you may need to check if they are still compatible.
IPS involves anomaly inspection, deep packet inspection, full content inspection,
activity inspection, and heuristic detection. Some software does not maintain a
constant pattern. Skype and other peer-to-peer software, for example, periodically
change in order to avoid detection. So in order to correctly identify it, IPS requires
heuristics and adaptive detection.
As a result, FortiGuard IPS also provides updates for application control, for
example.
When your FortiGate downloads a FortiGuard IPS package, new signatures will
appear in the signature list. For each sensor that uses a signature, when
configuring, you can change its Action setting.
The default often is correct, except if:
Your software vendor releases a security patch. Continuing to scan for exploits
will waste FortiGate resources.
Your network has a custom application with traffic that inadvertently triggers an
IPS signature. You can disable it until you notify Fortinet so that FortiGuard can
modify the signature to avoid false positives.
The list of IPS signatures also indicates the severity level. What do the indicators
mean?
The FortiGuard severity level is based on the CVSS 2 rating system. There are
many contributing factors. For details, go to the first.org web site.
Do all severity levels match CVSS exactly? No.
Fortinet always marks remote code execution as high or critical severity, regardless
of the CVSS rating. Details are explained on the FortiGuard web site.
Do you have the CVE ID or Microsoft ID for a specific vulnerability, but don't know if
there is a corresponding IPS signature yet?
On the FortiGuard web site, you can search for the latest IPS signatures. But you
can also read details about recently discovered zero-day attacks, white papers,
blogs and security advisories.
If you're not sure if you should enable an IPS signature on your FortiGate, you can
search the FortiGuard web site's encyclopedia.
The encyclopedia has useful information such as affected systems and
recommended corrective actions. So if you don't use that protocol or don't have a
vulnerable system, you can safely disable the corresponding signature. But if you
are vulnerable, the encyclopedia can provide information about how to protect
yourself.
The FortiGuard encyclopedia only contains publicly disclosed vulnerabilities,
though. Obviously it can't contain vulnerabilities that, for whatever reason, can't yet
be responsibly disclosed.
Exploits for unknown vulnerabilities, called zero-day attacks, are sold for large
amounts of money on the black market. Since these exploits aren't known to their
vendors, nor to security experts, there's no available patch or signature for
detection. That's what makes them so dangerous.
Some companies and organizations like Facebook and Google have offered
bounties for the responsible disclosure of these exploits, but there's a very profitable
market for black hat hackers to sell these discoveries to everyone from covert
government surveillance to organized crime syndicates.
Zero-day attacks are the keys to your network's kingdom.
If you notice an attack, your initial self-defense instinct may be to immediately take
the server offline, then format it to remove all traces of malware. But by doing this,
you'll alert the attacker, and destroy forensic evidence. For motivated attackers, this
will only educate them: their next attack will be harder to detect, and more
sophisticated. Make sure your PSIRT team understands the most appropriate
way to respond to each different type of intrusion.
If you're vigilant, and if you have the resources, you can also write your own custom
IPS signatures. We'll talk about how to do that next.
Before you write custom IPS signatures, let's first explain how the IPS engine
works.
FortiGate doesn't compare traffic to each signature individually. This would require
the CPU to load from disk and then evaluate each complete signature. In total,
when fully enabled, this would be more than 8,000 disk accesses and comparisons.
So instead, IPS compiles them into a decision tree, similar to the example shown
here.
FortiGate loads this entire decision tree into RAM. This can increase memory usage
significantly, especially on desktop FortiGate models that don't have much RAM. So
if your RAM usage is already high, you should reduce it first before enabling IPS.
Otherwise, your FortiGate may immediately enter conserve mode, and refuse to
accept any more configuration changes! But the advantage is that the tree takes
much less CPU and total RAM for a full IPS scan.
To make the tree, FortiGate breaks down signatures into identical pieces (port,
protocol, and so on) and shares the evaluation. So if traffic does not match that part, then
the IPS engine can bypass comparisons with all similar signatures. But if it does
match, then IPS continues with the next shared segment of the signature. When it
finds a match, FortiGate applies its corresponding action.
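The shared-evaluation tree described above, as an added Python model (not FortiGate code): signatures are reduced to two shared fields plus a payload pattern, the three signatures and the packets are constructed for illustration, and the comparison counts show why a mismatch on a shared field skips every signature beneath it.

```python
"""Toy model of the decision tree an IPS engine builds from its signatures.
Added example, not FortiGate code: real signatures have many more fields, and
the three signatures below are constructed for illustration."""

# Constructed signatures: ordered shared fields plus a payload pattern and an action.
SIGNATURES = [
    {"name": "HTTP.MKCOL.Method", "protocol": "tcp", "port": 80,
     "pattern": b"MKCOL ", "action": "block"},
    {"name": "HTTP.TRACE.Method", "protocol": "tcp", "port": 80,
     "pattern": b"TRACE ", "action": "monitor"},
    {"name": "DNS.Long.Label", "protocol": "udp", "port": 53,
     "pattern": b"\x3f", "action": "block"},
]
FIELDS = ("protocol", "port")   # shared prefix fields; the pattern is the leaf check


def build_tree(signatures):
    """Group signatures by the fields they share, so each field is evaluated once."""
    tree = {}
    for sig in signatures:
        node = tree
        for field in FIELDS:
            node = node.setdefault(sig[field], {})
        node.setdefault("_leaves", []).append(sig)   # signatures sharing every field
    return tree


def match(tree, packet):
    """Walk the tree; return (matching signature or None, comparisons performed)."""
    comparisons, node = 0, tree
    for field in FIELDS:
        comparisons += 1
        node = node.get(packet[field])
        if node is None:              # mismatch here skips every signature below
            return None, comparisons
    for sig in node["_leaves"]:       # first match applies, like filter order in a sensor
        comparisons += 1
        if sig["pattern"] in packet["payload"]:
            return sig, comparisons
    return None, comparisons


def linear_match(signatures, packet):
    """Naive per-signature evaluation, for comparison (every field counted each time)."""
    comparisons = 0
    for sig in signatures:
        comparisons += len(FIELDS) + 1
        if all(sig[f] == packet[f] for f in FIELDS) and sig["pattern"] in packet["payload"]:
            return sig, comparisons
    return None, comparisons
```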
Remember discussing the difference between attacks and anomalies? Detecting
uncertain attacks can require even more ongoing analysis, and more RAM to store
traffic statistics. So if your CPU usage or RAM usage is high, and if you don't
require anomaly analysis for all protocols, clients, or servers, disable it. Better yet,
offload it to an NP FortiASIC if your FortiGate model has them. Hardware
accelerated anomaly detection can be configured in the CLI.
To write custom signatures, first use packet capture to record packet samples.
Understand and avoid mismatches with normal packets on your network, including
at other OSI layers such as Layer 2 and Layer 3, which will be evaluated first.
Remember: if you misconfigure a custom signature, or if you configure a custom
signature that is no longer supported after you update the FortiGate firmware or IPS
engine, problems like this often aren't covered by Fortinet Technical Support. So if
possible, you should also test your custom signatures in a lab.
Once you have created your custom signature, pair it with an action within an IPS
sensor. Then reference that IPS sensor in a firewall policy.
The steps are the same, by the way, regardless of whether you want to use custom
signatures or ones predefined by FortiGuard.
When the IPS engine compares traffic with the signatures in each filter, order
matters. The rules are similar to firewall policy matching: topmost filters are
evaluated first, and the first match applies. Subsequent filters are skipped.
So position the most likely matching filters at the top of the list, unless they might cause
false positives. (Position those last, so that FortiGate will test them only if no
previous, more certain signature matches.) Avoid making too many filters, since this
will increase evaluations and CPU usage. Also avoid making very large signature
trees in each filter, which will increase RAM usage, because all unique pieces of the attack
pattern must be loaded into RAM. Strike a balance. If an attack can be prevented in
hardware (by NP FortiASIC chips, for example), or by another method (by
disallowing an unnecessary protocol at the firewall level, for example), do this first.
Then, for the remaining, craft careful IPS sensors to protect relevant vulnerabilities.
For rate-based signatures (previously called anomalies), you can choose how to
match: by source IP, destination IP, DHCP Client MAC, or DNS Domain Name.
Choose whichever will generate the fewest entries yet behave correctly. For
Internet-facing policies, this is unfortunately the one that requires IPS to analyze
many clients' connections: Source IP. So enable only rate-based signatures for vulnerable
protocols you actually use. Then block malicious clients for extended periods. This
saves system resources and can discourage a repeat attack: FortiGate will not track
statistics for that client while it is temporarily blacklisted.
To apply an IPS sensor, enable IPS and then select the sensor in a firewall policy.
To block DoS attacks, apply a DoS policy on a FortiGate that is between attackers
and all resources that you want to protect.
DoS protection exists for 4 protocols: TCP, UDP, ICMP and SCTP. Each one has 4
different types of anomaly detection.
A flood sensor detects a high volume of that particular protocol, or signal in the
protocol.
Sweep/Scan detects attempts to map which of a host's ports respond and
therefore may be vulnerable.
Source signatures look for large volumes of traffic originating from a single IP.
Destination signatures look for large volumes of traffic destined for a single IP.
If you do not have an accurate baseline for your network, then when you implement
DoS for the first time, be careful not to completely block network services. To
prevent this, initially configure the DoS policy to log but not block. Using the logs,
you can analyze and determine normal and peak levels for each protocol. Then
adjust the thresholds to comfortably, but not loosely, allow the usual peaks.
Thresholds that are too high can allow your resources to be exhausted before the
DoS policies trigger. Thresholds that are too low will cause FortiGate to drop normal
traffic.
Everything we have shown so far is inline scanning: traffic passes through FortiGate
from one interface to another. But you can also deploy FortiGate outside of the
direct path of packets, in a one-arm topology with a monitor-only mechanism. This
is also called sniffer mode because it detects but does not block.
To do this, connect FortiGate to a switch's SPAN or mirroring port. The switch will
send a duplicate of egressing packets to FortiGate, which FortiGate then scans.
Notice that because it's scanning a copy, not the original packet, it can't modify or
block the original packet.
Before sniffer mode, the only way you could demonstrate a FortiGate without
changing IP addresses was to put it transparently inline with the traffic. This could
potentially disrupt the network if you didn't understand the Layer 2 topology. But
now, there is no risk.
IPS sensors are not the only way that IPS can generate logs, however. When DoS
policies generate logs, they are aggregated. When several incidents occur together,
this reduces the number of log messages.
In large attacks, the number of incidents can easily reach 100,000 in a few
seconds. Generating a log entry for every packet that matches would completely
utilize the CPU. So instead, FortiGate collapses incidents by periodically recording
only one message for all of them, and noting the number of incidents.
Here, the detection threshold was 50, and the total count is 75. So FortiGate
doesn't make 24 separate log entries (1 for each incident above 50). It's just one log
message.
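The per-source tracking and temporary blacklisting described in the sensor section, together with the aggregated DoS logging just described, as an added Python model (not FortiGate code): in monitor mode a source that sends 75 packets against a threshold of 50 produces one log entry noting the count, and in block mode the source is quarantined and no further statistics are kept for it. The threshold, window, block duration and timestamps are constructed values.

```python
"""Toy rate-based sensor keyed by source IP, with quarantine and aggregated logging.
Added example, not FortiGate code: the threshold, window and block duration are
constructed values, and timestamps are plain seconds supplied by the caller."""
from collections import defaultdict


class RateSensor:
    def __init__(self, threshold, window, block_duration, action="monitor"):
        self.threshold = threshold            # packets per window before the sensor triggers
        self.window = window                  # seconds per counting window
        self.block_duration = block_duration  # seconds a triggering source stays quarantined
        self.action = action                  # "monitor" logs only; "block" also drops
        self.counts = defaultdict(int)        # packets seen per source in the current window
        self.blocked_until = {}               # source -> time its quarantine expires
        self.window_start = 0.0
        self.logs = []

    def _roll_window(self, now):
        """At the end of a window, emit ONE log per triggering source with its total count."""
        if now - self.window_start < self.window:
            return
        for src, count in self.counts.items():
            if count > self.threshold:
                self.logs.append({"src": src, "count": count, "threshold": self.threshold})
        self.counts.clear()
        self.window_start = now

    def observe(self, src, now):
        """Account for one packet from src at time now; return 'pass' or 'drop'."""
        self._roll_window(now)
        if self.blocked_until.get(src, -1.0) > now:
            return "drop"                     # quarantined: no statistics kept for this client
        self.counts[src] += 1
        if self.action == "block" and self.counts[src] > self.threshold:
            self.blocked_until[src] = now + self.block_duration
            return "drop"
        return "pass"
```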
Another command that can be used to troubleshoot the IPS is diag test app
ipsm.
For example, you could type diag test app ipsm 99.