IPS How To. Version 8.0.0


Table of Contents

1. Introduction
   1.1. About this Document
   1.2. Examples used in this Guide
   1.3. Documentation and Training
   1.4. About the AXS GUARD
      1.4.1. Introduction
      1.4.2. Spare Units
      1.4.3. Licensed Units
      1.4.4. Configuration Wizards
   1.5. About VASCO
2. General Concepts
   2.1. Overview
   2.2. What is IPS?
   2.3. Control Mechanisms of IPS
      2.3.1. Overview
      2.3.2. Preprocessors
      2.3.3. Dynamic Rules
   2.4. IPS Actions
   2.5. False Positives and False Negatives
   2.6. Corrective Measures
3. IPS Configuration
   3.1. Configuration Overview
   3.2. Online Registration
   3.3. Feature Activation
   3.4. General Settings
   3.5. Viewing IPS Categories and Rules
      3.5.1. Overview
      3.5.2. IPS Categories
      3.5.3. IPS Rules
   3.6. Activating and Deactivating Categories and Rules
      3.6.1. Overview
      3.6.2. Excluding Categories
      3.6.3. Excluding Rules
   3.7. Configuring IPS Targets
   3.8. Viewing Rule Information
      3.8.1. Embedded Information
      3.8.2. External References
   3.9. Logging
      3.9.1. Overview
      3.9.2. IPS Logs
      3.9.3. Network Security Logs
4. Troubleshooting
5. Support
   5.1. If you encounter a problem
   5.2. RMA Procedures for Replacement
      5.2.1. Information needed by VASCO Support
      5.2.2. How to request an RMA Number
Alphabetical Index

VASCO Data Security 2014

VASCO Products

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as VASCO. VASCO Products comprise Hardware, Software, Services and Documentation. This document addresses potential and existing VASCO customers and has been provided to you and your organization for the sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to use VASCO Software or a contractual agreement to use VASCO Products.

Disclaimer of Warranties and Limitations of Liabilities

VASCO Products are provided "as is" without warranty or conditions of any kind, whether implied, statutory, or related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, merchantability, title, non-infringement or fitness for a particular purpose. VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS.

Intellectual Property and Copyright

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights. No part of these Products may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing. This document is protected under US and international copyright law as an unpublished work of authorship. No part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized licensee.

VASCO Trademarks

VASCO, VACMAN, IDENTIKEY, axsguard, AXS GUARD, GATEKEEPER, DIGIPASS, DIGIPASS as a Service, MYDIGIPASS.COM and the logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. Other company brand or product names or other designations, denominations, labels and/or other tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks or registered trademarks or be part of any other entitlement of their respective owners.

Other Trademarks

Citrix and XenServer are trademarks or registered trademarks of Citrix Systems, Inc. VMware and vSphere are registered trademarks or trademarks of VMware, Inc. Hyper-V is a registered trademark of Microsoft Corporation.

Copyright 2014 VASCO Data Security, VASCO Data Security International GmbH. All rights reserved.

Chapter 1. Introduction

1.1. About this Document

This document has been written for AXS GUARD version 8.0.0 and is based on changes and features that have been implemented since version 7.7.3. This document was last updated on 3 Dec 2014.

This AXS GUARD IPS How To guide serves as a reference source for technical personnel or system administrators.

In Chapter 1, Introduction, we introduce the AXS GUARD and explain the difference between licensed and spare units.

In Chapter 2, General Concepts, we explain the general concepts underpinning the AXS GUARD IPS Module, such as Preprocessors and Rules.

In Chapter 3, IPS Configuration, we explain the registration process and how to configure the AXS GUARD IPS Module. You will also learn how to obtain useful information about attacks and software exploits.

In Chapter 4, Troubleshooting, some solutions are offered to solve difficulties.

In Chapter 5, Support, we explain how to request support and how to return hardware for replacement.

1.2. Examples used in this Guide

All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log on as a full administrator or a user with lower privileges. The administrator levels are explained in the system administration guide.

As software development and documentation are ongoing processes, screenshots shown in this guide may slightly vary from the screens of the software version installed on your appliance.

1.3. Documentation and Training

A complete, searchable documentation set is available in HTML and the Adobe Portable Document Format (PDF) on http://documentation.axsguard.net/manuals/gatekeeper/8.0.0/. You can also access this documentation by clicking on the Documentation button in the appliance's web-based administrator tool.

Documents in the AXS GUARD documentation set include:

- The AXS GUARD Installation Guide, where we explain how to set up an AXS GUARD appliance from scratch.
- The AXS GUARD System Administration How To, where we explain how to administer and maintain the appliance, e.g. how to schedule backups, install upgrade packages and configure various network components.
- Other manuals, where we provide detailed information on how to configure each of the available features, for example:
  - AXS GUARD Authentication services
  - AXS GUARD Virtual appliances
  - AXS GUARD Firewall rules and policies
  - AXS GUARD Single Sign-On for Firewall and Web Access
  - AXS GUARD VPN solutions
  - AXS GUARD Reverse Proxy
  - AXS GUARD Directory Services (LDAP Sync)

Other resources are also available, including:

- Context-sensitive help, via the web-based AXS GUARD administrator tool (the Help button).
- Training courses which cover each of the features in detail. These courses are organized on demand and address all levels of expertise. Please see http://www.vasco.com for further information.

1.4. About the AXS GUARD

1.4.1. Introduction

The AXS GUARD is an authentication appliance, intended for small and medium sized enterprises. In addition to strong authentication, the AXS GUARD has the potential to manage all of your Internet security needs. Its modular design means that optional features can be purchased at any time to support, for example, e-mail and Web access control.

The AXS GUARD can easily be integrated into existing IT infrastructures as a standalone authentication appliance or as a gateway providing both authentication services and Internet Security. Authentication and other features such as firewall, e-mail and Web access are managed by security policies, which implement a combination of rules, for example whether a user must use a DIGIPASS One-Time Password in combination with a static password for authentication. Security Policies are applied to specific users or groups of users and can also be applied to specific computers and the entire system.

1.4.2. Spare Units

A Spare Unit is an unlicensed appliance with limited configuration possibilities; it allows you to swiftly replace a defective appliance. It can also be licensed as a new appliance. In fact, all appliances can be considered spare units until they are licensed.

Restoring to a Spare Unit is restricted to:

- the same hardware version (e.g. AG-3XXX, AG-5XXX or AG-7XXX) as the unit being replaced;
- the same software version as the appliance being replaced (or a higher version on which data migration is supported; please contact VASCO support (support@vasco.com) for guidance).

Once a backup is restored on a Spare Unit, full functionality is available. The configuration tool of the appliance can then be accessed by any user with administrative privileges (see the AXS GUARD System Administration How To).

The license from the backup is also restored on the Spare Unit. However, an appliance with a restored license only remains operational for a grace period of 30 days, during which the System Administrator needs to acquire a new license. If a new license has not been issued after this grace period, all services on the appliance will be stopped. Only the Administrator Tool will remain accessible. Contact VASCO support (support@vasco.com) to release the restored license of the original appliance. To relicense the appliance, follow the same procedure as used during first-time licensing.

1.4.3. Licensed Units

With a licensed appliance, a user with full administrative privileges has access to all the configuration options on the AXS GUARD. Use the sysadmin account to create a user with administrative privileges. Since the sysadmin user can create new administrators, you should change the default password of this account when you log in to the appliance for the first time.

Licensing and accessing a fully operational in-service appliance requires the following steps:

1. Log on to the AXS GUARD as the default sysadmin user and change the sysadmin password.
2. Create a new user with full administration rights, which is required to configure the AXS GUARD.
3. License the appliance.

1.4.4. Configuration Wizards

Wizards are available for easy configuration.

1.5. About VASCO

VASCO is a world leader in strong authentication and e-signature solutions, specializing in online accounts, identities and transactions. As a global software company, VASCO serves a customer base of approximately 10,000 companies in over 100 countries, including approximately 1,500 international financial institutions. In addition to the financial sector, VASCO's technologies secure sensitive information and transactions for the enterprise security, e-commerce and e-government industries. For further information, please visit http://www.vasco.com.

Chapter 2. General Concepts

2.1. Overview

In this section, we explain the concepts underpinning the AXS GUARD Intrusion Prevention System (hereafter IPS) Module. Some key definitions, needed for the practical configuration covered in Chapter 3, IPS Configuration, are also provided.

Topics covered in this section include:

- The position of the IPS Module on the AXS GUARD and within the IP Protocol Stack
- IPS control mechanisms: Preprocessors and Dynamic Rules
- IPS Actions
- False Positives
- Corrective Actions

2.2. What is IPS?

IPS stands for Intrusion Prevention System and is a preemptive approach to network security. The IPS identifies potential software exploits and takes immediate action against them. The actions to be taken are based on existing Preprocessors and a set of Dynamic Rules divided into Classes. Preprocessors and Dynamic Rules are explained in Section 2.3, Control Mechanisms of IPS.

Position of the IPS

Unlike the firewall, which filters network traffic based on packet header information only, the IPS inspects the content (payload) of network packets for attack signatures. A packet may therefore be dropped by the IPS while being allowed by the firewall, e.g. when certain TCP traffic is allowed by the firewall but the packet's content is flagged as malicious by the IPS. Broadly speaking, the IPS Module provides an additional layer of security by monitoring network traffic from and to the Internet / DMZ.

Figure 2.1. IPS Concept

IPS in the IP Protocol Stack

The IPS monitors all layers of the IP Protocol Stack. IPS checks occur after firewall checks and before application layer checks, e.g. e-mail and Web Access controls.

Figure 2.2. IPS in the IP Protocol Stack

2.3. Control Mechanisms of IPS

2.3.1. Overview

The AXS GUARD IPS Module uses two mechanisms to check incoming and outgoing packet signatures, as illustrated below. The first mechanism consists of Preprocessors, which are hard-coded in the IPS system. The second mechanism uses a database of Dynamic Rules, which can be tweaked by system administrators.

Figure 2.3. IPS Control Mechanisms

2.3.2. Preprocessors

Preprocessors are the hard-coded components of the IPS Module and are automatically triggered whenever necessary. They run before the rule-based detection engine and look for protocol behavior which is commonly considered unusual or suspect, e.g. port scans. Preprocessors also support further analysis, such as reconstructing TCP segments (illustrated below) or the collection of certain statistical information. Reassembly matters for detection: a rule engine that inspected each segment on its own could be evaded simply by splitting an attack pattern across two segments, so the rules are matched against the reconstructed stream rather than against individual packets.
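The ordering described in Sections 2.2 and 2.3.2, as an added example that is not part of the AXS GUARD manual and not the appliance's own engine: a header-only firewall decision, then a payload check done once per segment and once on the reassembled TCP stream. Everything in it is constructed for illustration: the `Segment` type, the `FIREWALL_ALLOWED_DPORTS` policy, the single `SIGNATURES` entry standing in for a rule from the database of Section 2.3.3, and the addresses (documentation ranges).

```python
"""Added example (not from the AXS GUARD manual): firewall check on headers,
then IPS payload matching with and without TCP stream reassembly.
All segments, the port policy and the signature are constructed."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed header-only firewall policy: SMTP and HTTP to the DMZ are open.
FIREWALL_ALLOWED_DPORTS = {25, 80}

# Constructed payload signature standing in for one rule of the IPS database.
SIGNATURES = {"smtp-vrfy-probe": b"VRFY root"}


def firewall_allows(seg: Segment) -> bool:
    """The firewall of Figure 2.1 looks at header fields only."""
    return seg.dport in FIREWALL_ALLOWED_DPORTS


def reassemble(segments):
    """Stream preprocessor: order segments by sequence number, discard bytes
    already seen (retransmissions / overlaps, first copy wins) and return the
    reconstructed byte stream, or None when a segment is missing."""
    stream = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        if seg.seq > expected:
            return None                      # hole in the stream
        fresh = seg.payload[expected - seg.seq:]
        stream += fresh
        expected += len(fresh)
    return bytes(stream)


def match_per_segment(segments):
    """Rule engine without a preprocessor: each segment inspected alone."""
    return {name for seg in segments
            for name, sig in SIGNATURES.items() if sig in seg.payload}


def match_stream(segments):
    """Rule engine fed by the stream preprocessor."""
    stream = reassemble(segments)
    if stream is None:
        return set()
    return {name for name, sig in SIGNATURES.items() if sig in stream}


def inspect(segments):
    """Firewall first, IPS second, as in Figure 2.2. Returns the verdict."""
    if not all(firewall_allows(s) for s in segments):
        return "firewall-drop"
    hits = match_stream(segments)
    return "ips-drop:" + ",".join(sorted(hits)) if hits else "pass"


# Constructed attack: the signature is split across two segments ("VRFY r" | "oot").
SPLIT_ATTACK = [
    Segment("198.51.100.7", "192.0.2.25", 40332, 25, 1000, b"EHLO x\r\nVRFY r"),
    Segment("198.51.100.7", "192.0.2.25", 40332, 25, 1014, b"oot\r\n"),
]

if __name__ == "__main__":
    print("per-segment:", match_per_segment(SPLIT_ATTACK) or "no match")
    print("reassembled:", match_stream(SPLIT_ATTACK))
    print("verdict:", inspect(SPLIT_ATTACK))
```

The firewall passes the split attack because port 25 is open; per-segment matching misses it; the reassembled stream is caught. The first-copy-wins rule for overlapping retransmissions is a deliberate simplification: a production stream preprocessor resolves overlaps according to the reassembly behaviour of the target operating system, and that difference is exactly what overlap-based evasion techniques probe.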

Figure 2.4. Reconstructing Segments and Checking Payload

2.3.3. Dynamic Rules

IPS Rules contain the necessary information to detect several types of malicious network activity. Rules consist of packet signatures, malicious program lists and anomaly-based detection techniques to identify and / or block known and potentially unknown attacks. In short, they are blueprints of attack patterns.

Rules are organized in Classes which describe the type of attack, e.g. an attempted Denial of Service attack. In turn, the Classes are organized in Categories, e.g. chat, DoS, etc. The table below provides some examples of Classes.

Table 2.1. Class Types

- Attempted-Recon: A remote host is running some type of scanning software in an attempt to detect software or network vulnerabilities.
- Attempted-Dos: A remote host is running some type of software in an attempt to cripple computer resources in your network, a.k.a. a Denial of Service attack.
- Trojan-Activity: Activity involving a malicious program pretending to be a legitimate application or file.
- Policy-Violation: A host in your network is running a program that may be in violation of your company's computer policies.

IPS Rules are dynamic because:

- They are updated daily after registration.
- They can be activated / deactivated by system administrators.
- Their actions can be tweaked.

As soon as malicious network activity is detected, the IPS performs a specific action (see Section 2.4, IPS Actions) as specified in the Rule.

2.4. IPS Actions

An IPS action is a decision which determines how detected network traffic should be handled. The actions can be tweaked by system administrators, e.g. to reduce the amount of false positives (also see Section 2.5, False Positives and False Negatives).

Table 2.2. IPS Actions

- Pass: Network traffic is allowed.
- Alert: Network traffic is logged and allowed, and the AXS GUARD administrator is notified by e-mail.
- Drop: Network traffic is logged and dropped, and the AXS GUARD administrator is notified by e-mail.
- Silent Drop: Network traffic is dropped without notifying the AXS GUARD administrator.

Silent Drops reduce the amount of AXS GUARD notification e-mails, making IPS network troubleshooting and / or follow-up easier for administrators. Because a Silent Drop produces no notification, traffic blocked by such a rule is also harder to trace when a user reports a connection problem (see Chapter 4, Troubleshooting); reserve it for rules whose hits you have already verified as unwanted.

2.5. False Positives and False Negatives

Altering the configuration of the IPS to decrease false positives might prevent attacks from being detected and blocked. It is not recommended to alter the default configuration unless you are fully aware of the possible consequences.

When the IPS incorrectly identifies legitimate activity as malicious, a false positive has occurred. When the IPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives; in most cases, reducing the occurrences of false positives increases the occurrences of possible false negatives, which constitutes a security risk. Many organizations choose to decrease false negatives at the cost of increasing false positives, which means that more malicious events are detected and / or blocked, but more analysis resources are needed to differentiate false positives from true malicious events.

2.6. Corrective Measures

Every IPS Rule includes the necessary information and references describing how to counter an attack. It is up to system administrators to assess and decide whether Corrective Actions should be taken or not (see the image below). How to access IPS Rule information is explained in Section 3.8, Viewing Rule Information. The type of attack information provided in the Rules is explained in the table below.

Table 2.3. Rule details

- Summary: A short description of the attack.
- Detailed Information: Detailed information for advanced administrators, such as datagram types, protocol IDs and sequence numbers used by the attack.
- False Negatives: Information about possible false negatives.
- Additional References: External references pertaining to the attack, if any.
- Ease of Attack: The level of difficulty to set up or initiate the attack.
- Corrective Action: The steps which should be taken by system administrators to counter the attack.
- Impact: Information about possible consequences of the attack.
- False Positives: Information about possible false positives.
- Attack Scenarios: Information about the purpose, expectations and motivations of the attack.

Figure 2.5. Information about Corrective Actions

Chapter 3. IPS Configuration

3.1. Configuration Overview

1. Go to https://www.snort.org/ and sign up.
2. Copy your Oinkcode.
3. Log in to the AXS GUARD appliance, go to System > Feature Activation and enable the IPS feature.
4. Go to Monitoring > Intrusion Prevention > General and paste the Oinkcode into the Registration Code for Rule Updates field.
5. Update your AXS GUARD configuration.

3.2. Online Registration

1. Go to https://www.snort.org/
2. Sign up for an account. After registration, a message with further instructions is sent to the e-mail address associated with your account.
3. Log in to your account and copy the Snort Oinkcode. Enter this code in the IPS general settings on the AXS GUARD appliance (see Section 3.4, General Settings).

The Oinkcode is tied to your Snort account and authorizes rule downloads on its behalf. Treat it as a credential: do not share it or paste it into support tickets or screenshots.

Figure 3.1. IPS Online Registration

3.3. Feature Activation

1. Log in to the AXS GUARD.
2. Navigate to System > Feature Activation > Monitoring.
3. Check the Do you use the AXS GUARD IPS? option and update your configuration.

Figure 3.2. IPS Feature Activation

3.4. General Settings

1. Go to Monitoring > Intrusion Prevention > General.
2. Enter the settings as explained in the table below.
3. Update your configuration.

Figure 3.3. IPS General Settings

Table 3.1. IPS General Options

- Reporting Frequency: Select the frequency of IPS e-mail reports from the drop-down list (Daily / Hourly / every 15 minutes). Reports are sent to the e-mail address(es) specified under System > General.
- Extended Header: If this option is enabled, additional headers will be included in the IPS reports. These provide additional information about detected network activities and preventive measures to be taken.
- Extended Footer: If this option is enabled, additional footers will be included in the IPS reports. In the footers you will find additional information about abnormal network activities.
- Automatic Updates of IPS Rules: If this option is enabled, the AXS GUARD IPS engine will automatically download new rule sets on a daily basis (recommended).
- Registration Code for Rule Updates: Your Snort Oinkcode.

3.5. Viewing IPS Categories and Rules

3.5.1. Overview

IPS Rules are organized in categories. Each Category describes the type of software or protocol used to perform an attack, e.g. pop3, backdoor, etc. Categories contain the individual Rules, each with its own classification (see Section 2.3.3, Dynamic Rules).

Rules can only be downloaded automatically by the AXS GUARD once the online registration procedure explained in Section 3.2, Online Registration and Section 3.4, General Settings has been completed. The Categories and Rules can be viewed by following the procedure explained below.

3.5.2. IPS Categories

1. Log on to the AXS GUARD appliance.
2. Navigate to Monitoring > Intrusion Prevention > Rules.

Figure 3.4. Viewing Categories

3.5.3. IPS Rules

1. Follow the procedure as explained in Section 3.5.2, IPS Categories.
2. Click on the category name to view the included rules.

Figure 3.5. Viewing IPS Rules

3.6. Activating and Deactivating Categories and Rules

3.6.1. Overview

Altering the default configuration of the IPS to decrease false positives (see Section 2.5, False Positives and False Negatives) might prevent attacks from being detected and blocked. It is not recommended to alter the default configuration unless you are fully aware of the potential consequences.

You can activate and deactivate (exclude) an entire category of rules or select rules individually. The procedure is explained below.

3.6.2. Excluding Categories

1. Log on to the AXS GUARD appliance.
2. Navigate to Monitoring > Intrusion Prevention > Rules.
3. Check the category of rules you wish to deactivate (exclude).
4. Save your configuration.

Figure 3.6. Excluding Entire Categories

Excluding IPS rules for services which are not running in your network (and therefore not susceptible to attack) improves overall system performance, e.g. if you are not running a ColdFusion Web Server, disable the web-coldfusion category. Before excluding a category, confirm that the service really is absent from every network the appliance protects, including the DMZ, and revisit the exclusion when a new service is deployed.

3.6.3. Excluding Rules

1. Follow steps 1 and 2 as explained in Section 3.6.2, Excluding Categories.
2. Click on a category name to access its rules.
3. Uncheck the rule(s) to be excluded.
4. Update your configuration.

Figure 3.7. Excluding Rules

3.7. Configuring IPS Targets

Altering the default configuration of the IPS engine to decrease false positives (see Section 2.5, False Positives and False Negatives) might prevent attacks from being detected and blocked. It is not recommended to alter the default configuration unless you are fully aware of the potential consequences.

1. Log in to the AXS GUARD appliance.
2. Navigate to Monitoring > Intrusion Prevention > Rules.
3. Click on the desired category.
4. Select the desired action for a specific rule from the target drop-down list. The targets are explained in Section 2.4, IPS Actions.
5. Update your configuration.

Figure 3.8. Rule Actions

3.8. Viewing Rule Information

3.8.1. Embedded Information

1. Log in to the AXS GUARD appliance.
2. Navigate to Monitoring > Intrusion Prevention > Rules.
3. Select the desired category.
4. Click on Info to view the embedded information.

Figure 3.9. Accessing Rule Information

3.8.2. External References

Click on the Reference link(s), if any. They lead to information on the Internet where more specific details are provided about the attack. Guidance for system administrators is also provided.

3.9. Logging

3.9.1. Overview

The IPS logs contain two types of entries. An entry can be Preprocessor-based or Rule-based (see Section 2.3.2, Preprocessors and Section 2.3.3, Dynamic Rules). Preprocessor-based entries are displayed between brackets. Rule-based entries are not, and list the Category (see Section 3.5, Viewing IPS Categories and Rules) of the exploit in capitals, followed by the Class Type (see Section 2.3.3, Dynamic Rules). The image below shows the difference between both.

3.9.2. IPS Logs

1. Log in to the AXS GUARD appliance.
2. Navigate to Monitoring > Logs > IPS.
3. Click on the desired log file (date).

Figure 3.10. Preprocessor vs. Rule-based Log Entries

Use a search filter to look for a specific log entry.

Example 3.1. To locate the IPS Rule which blocked certain traffic

1. Follow the procedure as explained in Section 3.5.2, IPS Categories and select the rule category.
2. Click on the appropriate category name, e.g. attack-responses.
3. Enter 25 as a search string in the search filter field and press Enter.

14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC=194.78.97.254 SPT=40332 DST=212.27.48.6 DPT=25
14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC=194.78.97.254 SPT=40332 DST=212.27.48.6 DPT=25, repeated 1 times

The GID and SID of a matching entry (GID=129, SID=15 above) identify what fired. Entries with GID 1 come from the downloaded rule set and can be found under their category as in steps 1 and 2; a different GID, such as the 129 shown here, marks an entry generated by a preprocessor (see Section 2.3.2) rather than by a rule from a category. Note also that a plain search string such as 25 matches those digits anywhere on the line (a source port or an address octet as well as DPT=25), so check the DPT field of each hit before acting on it.

3.9.3. Network Security Logs

About

The network security logs are a compilation of information related to traffic dropped by the AXS GUARD firewall, IPS and application control system.

Accessing the Network Security Logs

1. Go to System > Logs > Network Security.
2. Click on the desired log file to open it.
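The log analysis that Section 3.9 and Chapter 4 describe as a manual search, as an added example that is not part of the AXS GUARD manual or product: a parser for the two log line formats shown on this page (the key=value "snortrule:" lines of Example 3.1 and the bracketed alert line in the Proxy Server timeouts item of Chapter 4), a field-based search by destination port, a preprocessor-versus-rule test on the generator ID, and a hit count per rule. The function and field names are the example's own; the sample log copies the lines from this page and adds one constructed line (SID 1000001, in the local-rule range) so that the summary has more than one rule in it. The reading of a "repeated N times" line as N further copies of the entry is an assumption.

```python
"""Added example (not from the AXS GUARD manual): parse the two IPS log line
formats shown in this guide and answer the troubleshooting questions from
them: which rule or preprocessor acted, on which traffic, how often.
Sample log: lines copied from the guide plus one constructed line."""
import re
from collections import Counter

KV_LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) snort snortrule: (?P<body>.*)$")
REPEATED = re.compile(r",\s*repeated (?P<n>\d+) times$")
CLASSIC_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) snort \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$")

# Snort convention: GID 1 (text rules) and 3 (shared-object rules) are rule
# hits; every other generator ID is a preprocessor (129 = TCP stream engine).
RULE_GIDS = {1, 3}


def _event(time, action, gid, sid, rev, msg, cls, prio, proto, src, spt, dst, dpt, count):
    return {"time": time, "action": action, "gid": int(gid), "sid": int(sid),
            "rev": int(rev), "msg": msg, "classification": cls, "priority": int(prio),
            "proto": proto, "src": src, "spt": int(spt), "dst": dst, "dpt": int(dpt),
            "count": count}


def parse_line(line):
    """Normalise one log line into a dict; None if it is not an IPS entry."""
    line = line.strip()
    m = KV_LINE.match(line)
    if m:
        body, count = m.group("body"), 1
        r = REPEATED.search(body)
        if r:                 # assumption: "repeated N times" stands for N further copies
            count = int(r.group("n"))
            body = body[:r.start()]
        # values may contain spaces (MSG=Reset outside window), so only split
        # where the next token looks like an upper-case KEY=
        f = dict(tok.partition("=")[::2] for tok in re.split(r"\s+(?=[A-Z]+=)", body))
        return _event(m.group("time"), f.get("ACTION"), f.get("GID", 0), f.get("SID", 0),
                      f.get("REV", 0), f.get("MSG", ""), f.get("CLASSIFICATION", ""),
                      f.get("PRIORITY", 0), f.get("PROTO"), f.get("SRC"), f.get("SPT", 0),
                      f.get("DST"), f.get("DPT", 0), count)
    m = CLASSIC_LINE.match(line)
    if m:                     # the bracketed format does not carry the action taken
        return _event(m["time"], None, m["gid"], m["sid"], m["rev"], m["msg"], m["cls"],
                      m["prio"], m["proto"], m["src"], m["spt"], m["dst"], m["dpt"], 1)
    return None


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def is_preprocessor(ev):
    return ev["gid"] not in RULE_GIDS


def events_for_port(events, dpt):
    """Example 3.1 searches for the string 25 anywhere on the line (which would
    also hit SPT=40325 or an address octet); match the DPT field instead."""
    return [ev for ev in events if ev["dpt"] == dpt]


def summarize(events):
    """Hits per (GID, SID, action), with repeated lines counted in."""
    totals = Counter()
    for ev in events:
        totals[(ev["gid"], ev["sid"], ev["action"])] += ev["count"]
    return totals


# Lines 1, 2 and 4 are copied from the guide; line 3 is constructed.
SAMPLE_LOG = """\
14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC=194.78.97.254 SPT=40332 DST=212.27.48.6 DPT=25
14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC=194.78.97.254 SPT=40332 DST=212.27.48.6 DPT=25, repeated 1 times
14:44:10 snort snortrule: ACTION=Alert MSG=SMTP command overflow attempt GID=1 SID=1000001 REV=1 CLASSIFICATION=Attempted Administrator Privilege Gain PRIORITY=1 PROTO=TCP SRC=198.51.100.7 SPT=52000 DST=212.27.48.6 DPT=25
12:29:59 snort [1:6250:2] SPYWARE-PUT Adware hotbar runtime detection - hotbar user-agent [Classification: Misc activity] [Priority: 3]: {TCP} 192.168.254.2:38985 -> 62.23.182.133:80
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (gid, sid, action), n in sorted(summarize(events).items(), key=lambda kv: kv[0][:2]):
        kind = "preprocessor" if gid not in RULE_GIDS else "rule"
        print(f"{gid}:{sid} {kind:12} action={action} hits={n}")
    print("to port 25:", len(events_for_port(events, 25)))
```

Run as a script it lists 1:6250 and 1:1000001 as rule hits and 129:15 as a preprocessor hit with two occurrences. The same parser can be pointed at a downloaded log file to find the GID:SID behind a blocked connection before touching the rule configuration of Sections 3.6 and 3.7.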

Figure 3.11. Network Security Logs

Chapter 4. Troubleshooting

The IPS Module fails to start

If you see the following message:

Make sure you followed the registration procedure, as explained in Section 3.2, Online Registration and Section 3.4, General Settings.

Why is authorized traffic blocked by the IPS?

As explained in Section 2.2, What is IPS? and Section 2.3, Control Mechanisms of IPS, the IPS operates between the Firewall and Application Control Modules. In the event authorized traffic is blocked and no entries are available in the Firewall and / or Application Control logs:

1. Check the IPS logs.
2. Use the Search Filters as explained in Section 3.9, Logging.
3. Disable the Rule blocking the traffic only if necessary, by following the procedure explained in Section 3.6.3, Excluding Rules.

Disabling Rules might prevent attacks from being detected and blocked. This is not recommended, unless you are fully aware of the potential consequences. It is highly recommended to read the included Rule information, as explained in Section 3.8, Viewing Rule Information, and to take the suggested corrective actions (see Section 2.6, Corrective Measures) before you decide to disable the IPS Rule definitively.

Proxy Server timeouts with Internet Explorer

Proxy Server timeouts may occur when the IPS blocks network traffic to malicious websites, i.e. when a toolbar containing spyware or malware has been installed in Internet Explorer. Following is a troubleshooting example of a log entry.

12:29:59 snort [1:6250:2] SPYWARE-PUT Adware hotbar runtime detection - hotbar user-agent [Classification: Misc activity] [Priority: 3]: {TCP} 192.168.254.2:38985 -> 62.23.182.133:80

1. Update the client's anti-virus and / or anti-malware software, if present, and scan the system.
2. If the IPS log contains the following entry: SSLv2 openssl get shared ciphers overflow attempt, download and install the latest Microsoft Updates to update the SSL libraries.
3. If the timeouts persist, exclude the IPS SSLv2 openssl get shared ciphers overflow attempt Rule in the Web-Misc Category, by following the procedure explained in Section 3.6.3, Excluding Rules.
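As an added example (not part of this manual or of the AXS GUARD product), the following Python script parses both log entry styles quoted above, the key=value style from Example 3.1 and the bracketed style from this Internet Explorer case, and answers the question of Example 3.1 (which rule logged traffic to a given destination port) without the web interface's search filter. The sample lines are constructed, and the preprocessor/rule split by generator ID is Snort's convention, assumed here, not a distinction the manual states.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
# Constructed sample modelled on the entry styles quoted in this manual; not a real AXS GUARD log.
SAMPLE_LOG = """\
14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC=194.78.97.254 SPT=40332 DST=212.27.48.6 DPT=25
14:43:54 snort snortrule: ACTION=Drop MSG=Reset outside window GID=129 SID=15 REV=1 CLASSIFICATION=Potentially Bad Traffic PRIORITY=2 PROTO=TCP SRC=194.78.97.254 SPT=40332 DST=212.27.48.6 DPT=25, repeated 1 times
12:29:59 snort [1:6250:2] SPYWARE-PUT Adware hotbar runtime detection - hotbar user-agent [Classification: Misc activity] [Priority: 3]: {TCP} 192.168.254.2:38985 -> 62.23.182.133:80
"""
KV_LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) snort snortrule: (?P<rest>.*)$")
KV_FIELD = re.compile(r"([A-Z]+)=(.*?)(?=\s[A-Z]+=|$)")   # MSG and CLASSIFICATION contain spaces
REPEATED = re.compile(r",\s*repeated (\d+) times$")       # suffix of a collapsed duplicate entry
BRACKETED = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) snort \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$")

@dataclass
class IpsEntry:
    time: str; gid: int; sid: int; rev: int; msg: str; classification: str
    priority: int; proto: str; src: str; spt: int; dst: str; dpt: int
    action: str | None = None   # only the key=value style carries ACTION (e.g. Drop)
    repeated: int = 0           # N from a trailing ", repeated N times"
    @property
    def preprocessor_based(self) -> bool:
        # Snort's convention, assumed here (the manual distinguishes the styles visually):
        # generator ID 1 is the text rule engine, other GIDs (129 = stream reassembly) are preprocessors.
        return self.gid != 1

def parse_line(line: str) -> IpsEntry | None:
    line, repeated = line.rstrip(), 0
    if m := REPEATED.search(line):
        repeated, line = int(m.group(1)), line[: m.start()]
    if m := KV_LINE.match(line):
        f = dict(KV_FIELD.findall(m["rest"]))
        return IpsEntry(m["time"], int(f["GID"]), int(f["SID"]), int(f["REV"]), f["MSG"],
                        f["CLASSIFICATION"], int(f["PRIORITY"]), f["PROTO"], f["SRC"],
                        int(f["SPT"]), f["DST"], int(f["DPT"]), f.get("ACTION"), repeated)
    if m := BRACKETED.match(line):
        return IpsEntry(m["time"], int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                        m["cls"], int(m["prio"]), m["proto"], m["src"], int(m["spt"]),
                        m["dst"], int(m["dpt"]), None, repeated)
    return None   # unknown layout: skip the line rather than guess at its fields

def parse_log(text: str) -> list[IpsEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def rules_blocking_port(entries: list[IpsEntry], dpt: int) -> list[tuple]:
    # Example 3.1 as code: which rules (GID, SID, REV, MSG) logged traffic to DPT=<port>.
    return sorted({(e.gid, e.sid, e.rev, e.msg) for e in entries if e.dpt == dpt})
```

Running `rules_blocking_port(parse_log(SAMPLE_LOG), 25)` on the constructed sample returns the single rule 129:15:1, the same entry the manual's search for "25" finds.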

Disabling Rules might prevent attacks from being detected and blocked. This is not recommended, unless you are fully aware of the potential consequences. It is highly recommended to read the included Rule information, as explained in Section 3.8, Viewing Rule Information, and to take the suggested corrective actions (see Section 2.6, Corrective Measures) before you decide to disable the IPS Rule definitively.

Chapter 5. Support

5.1. If you encounter a problem

If you encounter a problem with a VASCO product, follow the steps below:

1. Check the troubleshooting section of the feature-specific manual.
2. Check the knowledge base for information on known issues, i.e. http://www.vasco.com/support.
3. Check the white papers section on http://documentation.axsguard.net/manuals/gatekeeper/8.0.0/ for information about special configurations.
4. If no solution is available in any of the above sources, contact your VASCO supplier.

For additional information about support capabilities, visit: http://www.vasco.com/support/support_services/types_of_customes.aspx

5.2. RMA Procedures for Replacement

5.2.1. Information needed by VASCO Support

Prior to contacting VASCO Support, we kindly ask you to collect the information below. This will allow our services to save time and ensure a swift replacement of the defective unit.

- Customer's Name / Company Name
- Serial number of the defective AXS GUARD
- License number of the defective AXS GUARD
- Reseller's Name
- Serial number of the spare unit
- License number of the spare unit
- Return delivery address for the spare unit

5.2.2. How to request an RMA Number

If your AXS GUARD appliance has a hardware defect and you have collected all the information listed above, contact the VASCO support department either by phone or by e-mail to request an RMA number. Once your request has been received by VASCO, it will be carefully examined by our support engineers before an RMA number is assigned. Please note that replacement requests must have a valid RMA number before they can be processed by our production facility.

VASCO Support Phone: (+32) 2-609-9770
VASCO Support E-mail: support@vasco.com

List of Figures

2.1. IPS Concept ... 4
2.2. IPS in the IP Protocol Stack ... 5
2.3. IPS Control Mechanisms ... 5
2.4. Reconstructing Segments and Checking Payload ... 6
2.5. Information about Corrective Actions ... 8
3.1. IPS Online Registration ... 9
3.2. IPS Feature Activation ... 9
3.3. IPS General Settings ... 10
3.4. Viewing Categories ... 11
3.5. Viewing IPS Rules ... 11
3.6. Excluding Entire Categories ... 12
3.7. Excluding Rules ... 12
3.8. Rule Actions ... 13
3.9. Accessing Rule Information ... 13
3.10. Preprocessor vs. Rule-based Log Entries ... 14
3.11. Network Security Logs ... 15

List of Tables

2.1. Class Types ... 6
2.2. IPS Actions ... 6
2.3. Rule details ... 7
3.1. IPS General Options ... 10

List of Examples

3.1. To locate the IPS Rule which blocked certain traffic ... 14

Alphabetical Index

A
AXS GUARD, 2

C
Categories, 6
Classes, 6

D
Documentation, 1

F
False negatives, 7
False positives, 7

I
Intrusion prevention system, 4
IPS, 4
IPS actions, 6

L
Licensed appliance, 2

P
Preprocessors, 5

R
RMA, 18
Rules, 6

S
Signatures, 6
Spare unit, 2
Support, 18

T
Troubleshooting, 16