IPS Anti-Virus Configuration Example

Keywords: IPS, AV

Abstract: This document presents a configuration example for the AV feature of the IPS devices.

Acronyms:
Acronym   Full spelling
IPS       Intrusion Prevention System
AV        Anti-Virus

Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/14
Table of Contents

Feature Overview ........ 3
Application Scenarios ........ 3
Configuration Guidelines ........ 3
Configuration Example ........ 3
  Network Requirements ........ 3
  Configuration Considerations ........ 4
  Configuration Procedures ........ 4
    Logging In to the Web Interface ........ 4
    Creating a Security Zone ........ 5
    Adding a Segment ........ 7
    Configuring the AV Segment Policy ........ 8
    Modifying AV Rules ........ 10
    Activating the Configurations ........ 12
    Saving Configurations ........ 12
  Verifying the Configurations ........ 13
Feature Overview

The Intrusion Prevention System (IPS) runs on the important links of networks in inline mode or bypass mode. The anti-virus (AV) module is a very important module of the IPS devices. It supports analyzing traffic, logging events, and blocking packets carrying viruses on the network, protecting hosts on the network against viruses. Usually, upon detecting a packet carrying a virus, the feature blocks the packet to prevent virus infection, logs the event, and sends a report to the network administrator. You can configure policies to implement real-time traffic analysis, traffic detection, and automatic handling of problems. In addition, you can view the virus intrusion trend of the network through AV reports. The AV feature provides a virus signature package with tens of thousands of virus signatures and supports signature package update, allowing you to deploy the up-to-date signature package to IPS devices in time.

Application Scenarios

With the popularity and globalization of networks, more and more viruses are emerging and threatening the security of networks. An IPS device is usually deployed on a network in inline mode to identify and block virus intrusions from the Internet to hosts on the network. All traffic from the Internet to the internal network undergoes the virus inspection of the IPS device. Once a worm, backdoor program, Trojan horse, or phishing attack is detected, the AV module issues an alarm, logs the AV event, and takes actions in response.

Configuration Guidelines

None.

Configuration Example

Network Requirements

As shown in Figure 1, the IPS device is connected to the internal interface of the egress router of the corporate network in inline mode. Any packet from the Internet to the internal network must pass through the IPS device. It is required to configure the AV module of the IPS device to inspect the packets and, if viruses are detected, block the packets. Only packets permitted by the AV module can reach the switch and then enter the internal network.
Figure 1 Network diagram for anti-virus configuration (Internet, Router, IPS, SecCenter (IPS Manager), Switch, PC1 and PC2 on the LAN)

Configuration Considerations

When configuring the AV feature, you need to:

1) Configure the AV policy to be applied to the link.
2) Configure rules for inspecting packets selectively and blocking infected packets.
3) Activate the configurations.

After completing the above operations, infected packets will be blocked and logged by the AV module. You can view the logs and the virus intrusion trend through virus reports.

Configuration Procedures

Logging In to the Web Interface

The IPS devices support web-based management and are configured with Web login information by default. The default Web login information is as follows:

Username: admin
Password: admin
IP address of the management interface: 192.168.1.1/24

If the Web login information of an IPS device has been changed, you need to use the up-to-date login information to log in to the device; otherwise, you can use the default Web login information.

To use the default Web login information to log in to the IPS device, follow these steps:

1) Connect the PC to the IPS device
Use a crossover Ethernet cable to connect the network interface of the PC to the management interface of the IPS device.
2) Configure an IP address for the network interface of the PC
Configure an IP address on subnet 192.168.1.0/24 (except for 192.168.1.1) for the network interface of the PC, for example, 192.168.1.2. This is to ensure that the PC can communicate with the IPS device.

3) Launch the Web browser and enter the login information
On the PC, launch the IE browser (it is recommended to use Internet Explorer 6.0 SP2 or later), type https://192.168.1.1 in the address bar, and press the Enter key. The Web interface login page of the IPS device appears, as shown in Figure 2. Click the language link on the page to select a language for the Web interface, type the username (admin), password (admin), and verification code, and then click Login to log in to the Web interface.

Figure 2 Log in to the Web interface

Creating a Security Zone

Select System Management > Network Management > Security Zone from the navigation tree to enter the security zone management page, as shown in Figure 3.

Figure 3 Security zone management page
Click Add to enter the page for adding a security zone, as shown in Figure 4.

Figure 4 Add a security zone

Create internal zone in and add port g-ethernet0/0/0 to the zone, as shown in Figure 5.

Figure 5 Assign interface g-ethernet0/0/0 to the internal zone

Create external zone out and add port g-ethernet0/0/1 to the zone, as shown in Figure 6.
Figure 6 Assign interface g-ethernet0/0/1 to the external zone

Figure 7 Security zones created

Adding a Segment

Select System Management > Network Management > Segment Configuration from the navigation tree to enter the segment management page, as shown in Figure 8.

Figure 8 Segment management page

Click Add Segment to enter the page for adding a segment and add a segment (segment 0 in this example) to connect the internal network and the external network, as shown in Figure 9. Figure 10 shows the newly added segment on the segment list.
Figure 9 Add a segment

Figure 10 Segment management page with the newly added segment

Configuring the AV Segment Policy

Select Anti-Virus > Segment Policies from the navigation tree to enter the segment policy management page, as shown in Figure 11.

Figure 11 Create a segment

Then, click Add to enter the page for adding an AV segment policy, as shown in Figure 12.
Figure 12 Create an AV segment policy

The number of internal zone IP addresses and internal zone excluded IP addresses varies with device models.

Select the default AV policy Anti-Virus Policy, select Both for the Direction field, and then click Apply to create the AV segment policy and return to the segment policy management page, as shown in Figure 13.

Figure 13 Segment policy management page with the AV segment policy added
Modifying AV Rules

Click the policy name link Anti-Virus in Figure 13 to enter the AV rule management page. The page lists dozens of rules.

Figure 14 AV rule list

Each rule targets one type of virus. Enabling all rules consumes a lot of system resources and greatly reduces system performance. Therefore, some rules are disabled by default. You can enable rules as required to inspect packets for the corresponding viruses and block the infected packets. For example, if you want to inspect the traffic for the Backdoor and Email-Worm types, select the check boxes before Backdoor and Email-Worm, select the Modify selected rules on this page option at the bottom of the page, and then click Enable Rule.
Figure 15 Modify AV rules

The page shown in Figure 16 appears, showing that the Email-Worm and Backdoor rules have been enabled.
Figure 16 Two AV rules have been modified

You can also select the Modify all matched rules option at the bottom of the AV rule list page and then click Enable Rule to enable all rules.

Activating the Configurations

Click Activate at the bottom of the AV rule list page to activate the above configurations.

Figure 17 Confirm the operation

Saving Configurations

To ensure that the above configurations survive reboots, select System Management > Device Management > Configuration Maintenance from the navigation tree, and then in the Save Current Configuration area, click Save.
Figure 18 Save configurations

Verifying the Configurations

When packets carrying a Backdoor virus or Email-Worm virus reach the device, the device detects the viruses, blocks the traffic, and logs the events. Select Log Management > Virus Logs > Recent Logs from the navigation tree to see the logs shown in Figure 19.

Figure 19 Blocked virus intrusions

Select Reports > Virus Report > Virus Report from the navigation tree to view the virus information of the network during a specified period of time. Specify the report type, virus name, virus type, action, time range, and segment, and click Query.

Figure 20 Query virus information

Virus information during the specified period of time is displayed, as shown in Figure 21.
Figure 21 View the virus report

Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.