IPS How To. Version 8.0.0

Transcription

1 IPS How To Version 8.0.0

2 Table of Contents 1. Introduction About this Document Examples used in this Guide Documentation and Training About the AXS GUARD Introduction Spare Units Licensed Units Configuration Wizards About VASCO General Concepts Overview What is IPS? Control Mechanisms of IPS Overview Preprocessors Dynamic Rules IPS Actions False Positives and False Negatives Corrective Measures IPS Configuration Configuration Overview Online Registration Feature Activation General Settings Viewing IPS Categories and Rules Overview IPS Categories IPS Rules Activating and Deactivating Categories and Rules Overview Excluding Categories Excluding Rules Configuring IPS Targets Viewing Rule Information Embedded Information External References Logging Overview IPS Logs Network Security Logs Troubleshooting Support VASCO Data Security 2014 ii

3 5.1. If you encounter a problem RMA Procedures for Replacement Information needed by VASCO Support How to request an RMA Number Alphabetical Index VASCO Data Security 2014 iii

4 VASCO Products VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as VASCO. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products. Disclaimer of Warranties and Limitations of Liabilities VASCO Products are provided as is without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose. VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS. Intellectual Property and Copyright VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing. This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee. VASCO Trademarks VASCO, VACMAN, IDENTIKEY, axsguard, AXS GUARD, GATEKEEPER, DIGIPASS, DIGIPASS as a Service, MYDIGIPASS.COM and the logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/ or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners. Other Trademarks Citrix and XenServer are trademarks or registered trademarks of Citrix Systems, Inc. VMware and vsphere are registered trademarks or trademarks of VMware, Inc. Hyper-V is a registered trademark of Microsoft Corporation. Copyright 2014 VASCO Data Security, VASCO Data Security International GmbH. All rights reserved. VASCO Data Security 2014 iv

5 Chapter 1. Introduction 1.1. About this Document This document has been written for AXS GUARD version and is based on changes and features that have been implemented since version This document was last updated on 3 Dec This AXS GUARD IPS How To guide serves as a reference source for technical personnel or system administrators. In Chapter 1, Introduction, we introduce the AXS GUARD and explain the difference between licensed and spare units. In Chapter 2, General Concepts, we explain the general concept underpinning the AXS GUARD IPS Module, such as Preprocessors and Rules. In Chapter 3, IPS Configuration, we explain the registration process and how to configure the AXS GUARD IPS Module. You will also learn how to obtain useful information about attacks and software exploits. In Chapter 4, Troubleshooting, some solutions are offered to solve difficulties. In Chapter 5, Support, we explain how to request support and how to return hardware for replacement Examples used in this Guide All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log on as a full administrator or a user with lower privileges. The administrator levels are explained in the system administration guide. As software development and documentation are ongoing processes, screenshots shown in this guide may slightly vary from the screens of the software version installed on your appliance Documentation and Training A complete, searchable documentation set is available in HTML and the Adobe Portable Document Format (PDF) on You can also access this documentation by clicking on the Documentation button in the appliance s web-based administrator tool. Documents in the set of the AXS GUARD documentation include: The AXS GUARD Installation Guide, where we explain how to set up an AXS GUARD appliance from scratch. The AXS GUARD System Administration How To, where we explain how to administer and maintain the appliance, e.g. how to schedule backups, install upgrade packages and how to configure various network components. Other manuals, where we provide detailed information on how to configure each of the available features, for example: AXS GUARD Authentication services AXS GUARD Virtual appliances AXS GUARD Firewall rules and policies AXS GUARD Single Sign-On for Firewall and Web Access VASCO Data Security

6 Chapter 1. Introduction AXS GUARD VPN solutions AXS GUARD Reverse Proxy AXS GUARD Directory Services (LDAP Sync) Other resources are also available, including: Context-sensitive help, via the web-based AXS GUARD administrator tool (the Help button). Training courses which cover each of the features in detail. These courses are organized on demand and address all levels of expertise. Please see for further information About the AXS GUARD Introduction The AXS GUARD is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the AXS GUARD has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, and Web access control. The AXS GUARD can easily be integrated into existing IT infrastructures as a standalone authentication appliance or as a gateway providing both authentication services and Internet Security. Authentication and other features such as firewall, and Web access, are managed by security policies, which implement a combination of rules, for example, whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system Spare Units A Spare Unit is an unlicensed appliance, with limited configuration possibilities and allows you to swiftly replace a defective appliance. It can also be licensed as a new appliance. In fact, all appliances can be considered spare units until they are licensed. Restoring to a Spare Unit is restricted to: the same hardware version (e.g. AG-3XXX, AG-5XXX or AG7XXX) as the unit being replaced. the same software version as the appliance being replaced (or a higher version on which data migration is supported; please contact VASCO support (support@vasco.com) for guidance. Once a backup is restored on a Spare Unit, full functionality is available. The configuration tool of the appliance can then be accessed by any user with administrative privileges (see the AXS GUARD System Administration How To.) The license from the backup is also restored on the Spare Unit. However, an appliance with a restored license only remains operational for a grace period of 30 days, during which the System Administrator needs to acquire a new license. If a new license has not been issued after this grace period, all services on the appliance will be stopped. Only the Administrator Tool will remain accessible. Contact VASCO support (support@vasco.com) to release the restored license of the original appliance. To relicense the appliance, follow the same procedure as used during first-time licensing Licensed Units With a licensed appliance, a user with full administrative privileges has access to all the configuration options on the AXS GUARD. Use the sysadmin account to create a user with administrative privileges. Since the sysadmin user can create new administrators, you should change the default password of this account when you log in to the appliance for the first time. Licensing and accessing a fully operational in-service appliance requires the following steps: 1. Logging on to the AXS GUARD as the default sysadmin user and changing the sysadmin password VASCO Data Security

7 Chapter 1. Introduction 2. Creating a new user with full administration rights, which is required to configure the AXS GUARD 3. Licensing the appliance Configuration Wizards Wizards are available for easy configuration About VASCO VASCO is a world leader in strong authentication and e-signature solutions, specializing in online accounts, identities and transactions. As a global software company, VASCO serves a customer base of approximately 10,000 companies in over 100 countries, including approximately 1,500 international financial institutions. In addition to the financial sector, VASCO s technologies secure sensitive information and transactions for the enterprise security, e-commerce and e-government industries. For further information, please visit VASCO Data Security

8 Chapter 2. General Concepts 2.1. Overview In this section, we explain the concepts underpinning the AXS GUARD Intrusion Prevention System (hereafter IPS) Module. Some key definitions, needed for the practical configuration covered in Chapter 3, IPS Configuration, are also provided. Topics covered in this section include: The situation of the IPS Module on the AXS GUARD and within the IP Protocol Stack IPS control mechanisms: Preprocessors and Dynamic Rules IPS Actions False Positives Corrective Actions 2.2. What is IPS? IPS stands for Intrusion Prevention System and is a preemptive approach to network security. IPS identifies potential software exploits and takes immediate action against them. The actions to be taken are based on existing Preprocessors and a set of Dynamic Rules divided in Classes. Preprocessors and Dynamic Rules are explained in Section 2.3, Control Mechanisms of IPS. Situation of IPS Unlike Firewalls, which only filter network traffic based on packet header information, the IPS checks the content of network packets for unusual signatures. A packet may be dropped by the IPS, while allowed by the firewall, e.g. if certain TCP traffic is allowed by the firewall, but the packet s content is flagged as malicious by the IPS. Broadly speaking, the IPS Module provides an additional layer of security by monitoring network traffic from and to the Internet / DMZ. Figure 2.1. IPS Concept IPS in the IP Protocol Stack IPS monitors all layers of the IP Protocol Stack. IPS checks occur after firewall checks and before application layer checks, e.g. and Web Access controls. VASCO Data Security

9 Chapter 2. General Concepts Figure 2.2. IPS in the IP Protocol Stack 2.3. Control Mechanisms of IPS Overview The AXS GUARD IPS Module uses two mechanisms to check incoming and outgoing packet signatures, as illustrated below. The first mechanism consists of Preprocessors, which are hard-coded in the IPS system. The second mechanism uses a database of Dynamic Rules, which can be tweaked by system administrators. Figure 2.3. IPS Control Mechanisms Preprocessors Preprocessors are the hard-coded components of the IPS Module and are automatically triggered whenever necessary. They are activated before the Rule-based detection engine and look for protocol behavior which is commonly considered as unusual or suspect, e.g. port scans. Preprocessors also support further analysis, such as reconstructing TCP segments (illustrated below) or the collection of certain statistical information. VASCO Data Security

10 Chapter 2. General Concepts Figure 2.4. Reconstructing Segments and Checking Payload Dynamic Rules IPS Rules contain the necessary information to detect several types of malicious network activity. Rules consist of packet signatures, malicious program lists and anomaly-based detection techniques to identify and / or block known and potentially unknown attacks. In short, they are blueprints of attack patterns. Rules are organized in Classes which describe the type of attack, e.g. an attempted Denial of Service Attack. In turn, the Classes are organized in Categories, e.g. chat, DoS, etc. The table below provides some examples of Classes. Class Type Attempted-Recon Attempted-Dos Trojan-Activity Policy-Violation Description A remote host is running some type of scanning software in an attempt to detect software or network vulnerabilities. A remote host is running some type of software in an attempt to cripple computer resources in your network, a.k.a. a Denial of Service attack. Activity involving a malicious program pretending to be a legitimate application or file. A host in your network is running a program that may be in violation with your company s computer policies. Table 2.1. Class Types IPS Rules are dynamic because: They are updated daily after registration. They can be activated / deactivated by system administrators. Their actions can be tweaked. As soon as malicious network activity is detected, the IPS performs a specific action (see Section 2.4, IPS Actions ) as specified in the Rule IPS Actions An IPS action is a decision which determines how detected network traffic should be handled. The actions can be tweaked by system administrators, e.g. to reduce the amount of false positives. (Also see Section 2.5, False Positives and False Negatives ). Action Description Pass Alert Network traffic is allowed. Network traffic is logged, allowed and the AXS GUARD administrator is notified by . VASCO Data Security

11 Chapter 2. General Concepts Action Description Drop Silent Drop Network traffic is logged, dropped and the AXS GUARD administrator is notified by . Network traffic is dropped without notifying the AXS GUARD administrator. Table 2.2. IPS Actions Silent Drops reduce the amount of AXS GUARD notification s, making IPS network troubleshooting and / or follow-up easier for administrators False Positives and False Negatives Altering the configuration of the IPS to decrease false positives might prevent attacks from being detected and blocked. It is not recommended to alter the default configuration, unless you are fully aware about possible consequences. When the IPS incorrectly identifies legitimate activity as malicious, a false positive has occurred. When the IPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives; in most cases, reducing the occurrences of false positives increases the occurrences of possible false negatives, which constitutes a security risk. Many organizations choose to decrease false negatives at the cost of increasing false positives, which means that more malicious events are detected and / or blocked, but more analysis resources are needed to differentiate false positives from true malicious events Corrective Measures Every IPS Rule includes the necessary information and references describing how to counter an attack. It is up to system administrators to assess and decide whether Corrective Actions should be taken or not (see the image below). How to access IPS Rule information is explained in Section 3.8, Viewing Rule Information. The type of attack information provided in the Rules is explained in the table below. Information Type Description Summary Detailed Information False Negatives Additional References Ease of Attack Corrective Action Impact False Positives Attack Scenarios A short description of the attack. Detailed information for advanced administrators, such as datagram types, protocol IDs and sequence numbers used by the attack. Information about possible false negatives. External references pertaining to the attack, if any. The level of difficulty to set up or initiate the attack. The steps which should be taken by system administrators to counter the attack. Information about possible consequences of the attack. Information about possible false positives. Information about the purpose, expectations and motivations of the attack. Table 2.3. Rule details VASCO Data Security

12 Chapter 2. General Concepts Figure 2.5. Information about Corrective Actions VASCO Data Security

13 Chapter 3. IPS Configuration 3.1. Configuration Overview 1. Go to and sign up. 2. Copy your Oinkcode. 3. Log in to the AXS GUARD appliance, go to System > Feature Activation and enable the IPS feature. 4. Go to Monitoring > Intrusion Prevention > General and copy the Oikcode to the IP Registration Code field. 5. Update your AXS GUARD configuration Online Registration 1. Go to: 2. Sign up for an account. After registration, a message with further instructions is sent to the address associated with your account. 3. Log in to your account and copy the Snort Oinkcode. Enter this code in the IPS general settings on the AXS GUARD appliance (see Section 3.4, General Settings ). Figure 3.1. IPS Online Registration 3.3. Feature Activation 1. Log in to the AXS GUARD. 2. Navigate to System Feature Activation Monitoring. 3. Check the Do you use the AXS GUARD IPS? option and update your configuration. Figure 3.2. IPS Feature Activation 3.4. General Settings 1. Go to Monitoring Intrusion Prevention General. VASCO Data Security

14 Chapter 3. IPS Configuration 2. Enter the settings as explained in the table below. 3. Update your configuration. Figure 3.3. IPS General Settings Field Description Reporting Frequency Select the frequency of IPS reports from the drop-down list (Daily / Hourly / every 15 minutes). Reports are sent to the address(es) specified under System # General. Extended Header Extended Footer Automatic Updates of IPS Rules Registration Code for Rule Updates If this option is enabled, additional headers will be included in the IPS reports. These provide additional information about detected network activities and preventive measures to be taken. If this option is enabled, additional footers will be included in the IPS reports. In the footers you will find additional information about abnormal network activities. If this option is enabled, the AXS GUARD IPS engine will automatically download new rule sets on a daily basis (recommended). Your Snort Oinkcode. Table 3.1. IPS General Options 3.5. Viewing IPS Categories and Rules Overview IPS Rules are organized in categories. Each Category describes the type of software or protocol used to perform an attack, e.g. pop3, backdoor, etc. Categories contain the individual Rules, with their own classification (see Section 2.3.3, Dynamic Rules ). Rules can only be downloaded automatically by the AXS GUARD once the online registration procedure explained in Section 3.2, Online Registration and Section 3.4, General Settings has been completed. The Categories and Rules can be viewed by following the procedure explained below IPS Categories 1. Log on to the AXS GUARD appliance. 2. Navigate to Monitoring Intrusion Prevention Rules. VASCO Data Security

15 Chapter 3. IPS Configuration Figure 3.4. Viewing Categories IPS Rules 1. Follow the procedure as explained in Section 3.5.2, IPS Categories. 2. Click on the category name to view included rules. Figure 3.5. Viewing IPS Rules 3.6. Activating and Deactivating Categories and Rules Overview Altering the default configuration of the IPS to decrease false positives (see Section 2.5, False Positives and False Negatives ) might prevent attacks from being detected and blocked. It is not recommended to alter the default configuration, unless you are fully aware about potential consequences. You can activate and deactivate (exclude) an entire category of rules or select rules individually. The procedure is explained further. VASCO Data Security

16 Chapter 3. IPS Configuration Excluding Categories 1. Log on to the AXS GUARD appliance. 2. Navigate to Monitoring Intrusion Prevention Rules. 3. Check the category of rules you wish to deactivate (exclude). 4. Save your configuration. Figure 3.6. Excluding Entire Categories Excluding IPS rules for services which are not running in your network (and therefore not susceptible to attack) improves overall system performance, e.g. if you are not running a Coldfusion Web Server, disable the web-coldfusion category Excluding Rules 1. Follow steps 1 and 2 as explained in section Section 3.6.2, Excluding Categories. 2. Click on a category name to access its rules. 3. Uncheck the rule(s) to be excluded. 4. Update your configuration. Figure 3.7. Excluding Rules 3.7. Configuring IPS Targets Altering the default configuration of the IPS engine to decrease false positives (see Section 2.5, False Positives and False Negatives ) might prevent attacks from being detected and blocked. It is not recommended to alter the default configuration, unless you are fully aware about potential consequences. 1. Log in to the AXS GUARD appliance. VASCO Data Security

17 Chapter 3. IPS Configuration 2. Navigate to Monitoring Intrusion Prevention Rules. 3. Click on the desired category. 4. Select the desired action for a specific rule from the target drop-down list. The targets are explained in Section 2.4, IPS Actions. 5. Update your configuration. Figure 3.8. Rule Actions 3.8. Viewing Rule Information Embedded Information 1. Log in to the AXS GUARD appliance. 2. Navigate to Monitoring Intrusion Prevention Rules. 3. Select the desired category. 4. Click on Info to view the embedded information. Figure 3.9. Accessing Rule Information External References Click on the Reference link(s), if any. They lead to information on the Internet where more specific details are provided about the attack. Guidance for system administrators is also provided Logging Overview The IPS logs contain two types of entries. An entry can be Preprocessor-based or Rule-based (see Section 2.3.2, Preprocessors and Section 2.3.3, Dynamic Rules ). Preprocessor-based entries are displayed between brackets. Rule-based entries are not and list the Category (see Section 3.5, Viewing IPS Categories and Rules ) of the exploit in capitals, followed by the Class Type (see Section 2.3.3, Dynamic Rules ). The image below shows the difference between both. VASCO Data Security

18 Chapter 3. IPS Configuration IPS Logs 1. Log in to the AXS GUARD appliance. 2. Navigate to Monitoring Logs IPS. 3. Click on the desired log file (date). Figure Preprocessor vs. Rule-based Log Entries Use a search filter to look for a specific log entry. Example 3.1. To locate the IPS Rule which blocked certain traffic 1. Follow the procedure as explained in Section 3.5.2, IPS Categories and select the rule category. 2. Click on the appropriate category Name, e.g. attack-responses. 3. Enter 25 as a search string in the search filter field and press enter. 14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC= SPT=40332 DST= DPT=25 14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC= SPT=40332 DST= DPT=25, repeated 1 times Network Security Logs About The network security logs are a compilation of information related to traffic dropped by the AXS GUARD firewall, IPS and application control system. Accessing the Network Security Logs 1. Go to System > Logs > Network Security. 2. Click on the desired log file to open it. VASCO Data Security

19 Chapter 3. IPS Configuration Figure Network Security Logs VASCO Data Security

20 Chapter 4. Troubleshooting The IPS Module fails to start. If you see the following message: Make sure you followed the registration procedure, as explained in Section 3.2, Online Registration and Section 3.4, General Settings. Why is authorized traffic is blocked by the IPS? As explained in Section 2.2, What is IPS? and Section 2.3, Control Mechanisms of IPS, the IPS operates between the Firewall and Application Control Modules. In the event authorized traffic is blocked and no entries are available in the Firewall and / or Application Control logs: 1. Check the IPS logs. 2. Use the Search Filters as explained in Section 3.9, Logging. 3. Disable the Rule blocking the traffic only if necessary, by following the procedure explained in Section 3.6.3, Excluding Rules. Disabling Rules might prevent attacks from being detected and blocked. This is not recommended, unless you are fully aware of potential consequences. It is highly recommended to read the included Rule information, as explained in Section 3.8, Viewing Rule Information and to take the suggested corrective actions (see Section 2.6, Corrective Measures ), before you decide to disable the IPS Rule definitively. Proxy Server timeouts with Internet Explorer Proxy Server timeouts may occur when the IPS blocks network traffic to malicious websites, i.e. when a toolbar containing spyware or malware has been installed in Internet Explorer. Following is a troubleshooting example of a log entry. 12:29:59 snort [1:6250:2] SPYWARE-PUT Adware hotbar runtime detection - hotbar user-agent [Classification: Misc activity] [Priority: 3]: {TCP} : > :80 1. Update the client s anti-virus and / or anti-malware software, if present and scan the system. 2. If the IPS log contains the following entry: SSLv2 openssl get shared ciphers overflow attempt, download and install the latest Microsoft Updates to update the SSL libraries. 3. If the timeouts persist, exclude the IPS SSLv2 openssl get shared ciphers overflow attempt Rule in the Web-Misc Category, by following the procedure explained in Section 3.6.3, Excluding Rules. VASCO Data Security

21 Chapter 4. Troubleshooting Disabling Rules might prevent attacks from being detected and blocked. This is not recommended, unless you are fully aware of potential consequences. It is highly recommended to read the included Rule information, as explained in Section 3.8, Viewing Rule Information and to take the suggested corrective actions (see Section 2.6, Corrective Measures ), before you decide to disable the IPS Rule definitively. VASCO Data Security

22 Chapter 5. Support 5.1. If you encounter a problem If you encounter a problem with a VASCO product, follow the steps below: 1. Check the troubleshooting section of the feature-specific manual. 2. Check the knowledge base for information on known issues, i.e Check the white papers section on for information about special configurations. 4. If no solution is available in any of the above sources, contact your VASCO supplier. For additional information about support capabilities, visit: support_services/types_of_customes.aspx 5.2. RMA Procedures for Replacement Information needed by VASCO Support Prior to contacting VASCO Support, we kindly ask you to collect the information below. This will allow our services to save time and ensure a swift replacement of the defective unit. Customer s Name / Company Name Serial number of the defective AXS GUARD License number of the defective AXS GUARD Reseller s Name Serial number of the spare unit License number of the spare unit Return delivery address for the spare unit How to request an RMA Number If your AXS GUARD appliance has a hardware defect and you have collected all the information listed above, contact the VASCO support department either by phone or by to request an RMA number. Once your request has been received by VASCO, it will be carefully examined by our support engineers before an RMA number is assigned. Please note that replacement requests must have a valid RMA number before they can be processed by our production facility. VASCO Support Phone: (+32) VASCO Support support@vasco.com VASCO Data Security

23 List of Figures 2.1. IPS Concept IPS in the IP Protocol Stack IPS Control Mechanisms Reconstructing Segments and Checking Payload Information about Corrective Actions IPS Online Registration IPS Feature Activation IPS General Settings Viewing Categories Viewing IPS Rules Excluding Entire Categories Excluding Rules Rule Actions Accessing Rule Information Preprocessor vs. Rule-based Log Entries Network Security Logs VASCO Data Security 2014 xix

24 List of Tables 2.1. Class Types IPS Actions Rule details IPS General Options VASCO Data Security 2014 xx

25 List of Examples 3.1. To locate the IPS Rule which blocked certain traffic VASCO Data Security 2014 xxi

26 Alphabetical Index A AXS GUARD, 2 C Categories, 6 Classes, 6 D Documentation, 1 F False negatives, 7 False positives, 7 I Intrusion prevention system, 4 IPS, 4 IPS actions, 6 L Licensed appliance, 2 P Preprocessors, 5 R RMA, 18 Rules, 6 S Signatures, 6 Spare unit, 2 Support, 18 T Troubleshooting, 16