IPS Attack Protection Configuration Example




Keywords: IPS

Abstract: This document presents a configuration example for the attack protection feature of the IPS devices.

Acronyms:
  IPS  Intrusion Prevention Systems

Hangzhou H3C Technologies Co., Ltd. www.h3c.com

Table of Contents
  Feature Overview
  Application Scenarios
  Configuration Guidelines
  Configuration Example
    Network Requirements
    Configuration Considerations
    Configuration Procedures
      Logging In to the Web Interface
      Creating a Security Zone
      Adding a Segment
      Configuring an IPS Segment Policy
      Modifying Rules of the Policy
      Activating Configurations
      Saving Configurations
    Verifying the Configurations

Feature Overview

The Intrusion Prevention System (IPS) devices are deployed at the network backbone in inline mode. The attack protection module is one of the most important modules of the IPS devices. With this module, the IPS devices monitor and analyze traffic in real time, block abnormal packets automatically, and protect hosts against suspicious programs. You can configure IPS policies that monitor and analyze traffic in real time and take the corresponding actions, and you can view the attack reports to get an idea of the attack trend. Thousands of common attack signatures have been defined on the IPS devices, and the attack signature definition can be updated automatically, so that the intrusion prevention system always uses the up-to-date attack signature definition.

Application Scenarios

With the popularity of network technologies and the development of attack tools, network attacks are increasingly likely. An IPS device is usually deployed in inline mode so that it can identify and block attacks from the Internet against internal users, such as attacks targeting system vulnerabilities and attacks using worms and spyware. All traffic from the Internet to the internal network has to pass through the IPS device. Once it detects attack behavior, such as a worm, backdoor, Trojan horse, spyware, suspicious program, or phishing, the IPS module immediately blocks the attack, quarantines the attack source, logs the event, and notifies the network administrator.

Configuration Guidelines

None.

Configuration Example

Network Requirements

As shown in Figure 1, the IPS device is deployed in inline mode on the egress link of the enterprise network. Traffic from the Internet to the internal network must first be processed by the attack protection module of the IPS device, which blocks any traffic containing worms, backdoors, and the like, and then forwards the normal traffic to the switch.

Figure 1 Network diagram for IPS configuration

Configuration Considerations

1) To configure the attack protection feature, you need to configure an IPS policy and then the rules used to detect and block the attacks.

2) After configuring the attack protection feature, you need to activate the configuration. Then, once the IPS device detects attack traffic on the link, it blocks the attack; you can view the corresponding record in the attack logs and view the attack trend over a period in the attack report.

Configuration Procedures

Logging In to the Web Interface

The IPS devices support web-based management and are configured with Web login information by default. The default Web login information is:

  Username: admin
  Password: admin
  IP address of the management interface: 192.168.1.1/24

If the Web login information of an IPS device has been changed, you need to use the up-to-date login information to log in to the device; otherwise, you can use the default Web login information. To log in to the IPS device with the default Web login information, follow these steps:

1) Connect the PC to the IPS device

Use a crossover Ethernet cable to connect the network interface of the PC to the management interface of the IPS device.

2) Configure an IP address for the network interface of the PC

Configure an IP address on subnet 192.168.1.0/24 (except for 192.168.1.1) for the network interface of the PC, for example, 192.168.1.2. This ensures that the PC can communicate with the IPS device.

3) Launch the Web browser and enter the login information

On the PC, launch the IE browser (Internet Explorer 6.0 SP2 or later is recommended), type https://192.168.1.1 in the address bar, and press the Enter key. The Web interface login page of the IPS device appears, as shown in Figure 2. Click the language link on the page to select a language for the Web interface, type the username (admin), password (admin), and verification code, and then click Login to log in to the Web interface.

Figure 2 Log in to the Web interface

Creating a Security Zone

Select System Management > Network Management > Security Zone from the navigation tree to enter the security zone management page, as shown in Figure 3.

Figure 3 Security zone management page

Click Add to enter the page for adding a security zone, as shown in Figure 4.

Figure 4 Add a security zone

Create internal zone in and add port g-ethernet0/0/0 to the zone, as shown in Figure 5.

Figure 5 Assign interface g-ethernet0/0/0 to the internal zone

Create external zone out and add port g-ethernet0/0/1 to the zone, as shown in Figure 6.

Figure 6 Assign interface g-ethernet0/0/1 to the external zone

Figure 7 Security zones created

Adding a Segment

Select System Management > Network Management > Segment Configuration from the navigation tree to enter the segment management page, as shown in Figure 8.

Figure 8 Segment management page

Click Add Segment to enter the page for adding a segment, and add a segment (segment 0 in this example) to connect the internal network and the external network, as shown in Figure 9. Figure 10 shows the newly added segment on the segment list.

Figure 9 Add a segment

Figure 10 Segment management page with the newly added segment

Configuring an IPS Segment Policy

Select IPS > Fast Application from the navigation tree to enter the IPS policy fast application page, as shown in Figure 11. Enter a name and description for the IPS policy to be created, select the segment and direction, and then click Apply.

Figure 11 Configure an IPS segment policy

After the above configuration, select IPS > Segment Policies from the navigation tree to enter the segment policy management page, as shown in Figure 12. The newly added policy ips appears on the list.

Figure 12 Newly added segment policy on the policy list

Modifying Rules of the Policy

Click the name link of policy ips to enter the policy's rule management page, as shown in Figure 13. The page lists thousands of rules. You can detect and block attacks of one category or of all categories. For example, to detect and block backdoor attacks, select Backdoor from the Category drop-down list and click Query. All backdoor attacks that the system can detect are displayed.

Figure 13 Modify IPS rules

Select Modify all matched rules at the bottom of the page and click Enable Rule. All the matched rules are enabled. Then select Modify all matched rules again, select Block+Notify from the Action Set drop-down list, and click Modify Action Set. All backdoor attacks will now be blocked and logged.

To detect and block all categories of attacks, select -- (all categories) from the Category drop-down list and click Query. All rules of the policy are displayed. Modify the rules as needed.

Activating Configurations

Click Activate to activate the above configurations.
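The two category-wide operations above (Enable Rule and Modify Action Set on all matched rules) are easy to apply to one category and forget for the rest, so a practitioner typically wants a check that lists which rules of the policy are still disabled or still set to a non-blocking action set. The following Python model is an added illustration and is not H3C code or an H3C API: the rule table, the category and severity names, the action-set names other than Block+Notify, and the policy direction string are all constructed here to mirror what the rule management page shows.

```python
"""Model of the rule changes made on the segment policy's rule management page.

Added illustration, not H3C code or an H3C API. The rule table, category
names, severities and the action-set names other than "Block+Notify" are
constructed assumptions; the operations mirror the procedure: filter by
Category, "Modify all matched rules", Enable Rule, and Modify Action Set.
audit() then reports what is left behind when only one category is handled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed action-set names; only "Block+Notify" appears in the procedure.
ACTION_SETS = ("Notify", "Block", "Block+Notify")


@dataclass
class Rule:
    rule_id: int
    category: str          # e.g. "Backdoor", "Worm", "Spyware" (constructed)
    severity: str
    enabled: bool = False  # rules start disabled in this constructed table
    action_set: str = "Notify"


@dataclass
class SegmentPolicy:
    name: str
    segment: int
    direction: str
    rules: List[Rule] = field(default_factory=list)

    def query(self, category: Optional[str] = None) -> List[Rule]:
        """Category drop-down plus Query; None stands for '--' (all categories)."""
        return [r for r in self.rules if category is None or r.category == category]

    def enable_matched(self, category: Optional[str] = None) -> int:
        """'Modify all matched rules' + Enable Rule; returns the number touched."""
        matched = self.query(category)
        for r in matched:
            r.enabled = True
        return len(matched)

    def set_action_matched(self, action_set: str, category: Optional[str] = None) -> int:
        """'Modify all matched rules' + Modify Action Set; returns the number touched."""
        if action_set not in ACTION_SETS:
            raise ValueError(f"unknown action set: {action_set}")
        matched = self.query(category)
        for r in matched:
            r.action_set = action_set
        return len(matched)


def audit(policy: SegmentPolicy, required_action: str = "Block+Notify") -> Dict[str, List[int]]:
    """Return {category: [rule ids]} for rules that would not block and log.

    A rule is a gap if it is disabled or its action set is not the required one.
    An empty dict means every rule in the policy blocks and logs.
    """
    gaps: Dict[str, List[int]] = {}
    for r in policy.rules:
        if not r.enabled or r.action_set != required_action:
            gaps.setdefault(r.category, []).append(r.rule_id)
    return gaps


def build_sample_policy() -> SegmentPolicy:
    """Constructed sample: policy 'ips' on segment 0 with a handful of rules."""
    rules = [
        Rule(1001, "Backdoor", "High"),
        Rule(1002, "Backdoor", "Medium"),
        Rule(2001, "Worm", "High"),
        Rule(3001, "Spyware", "Low"),
    ]
    return SegmentPolicy(name="ips", segment=0, direction="external->internal", rules=rules)


def harden_category(policy: SegmentPolicy, category: Optional[str]) -> Dict[str, List[int]]:
    """Apply the procedure's two steps to one category (None = all) and audit."""
    policy.enable_matched(category)
    policy.set_action_matched("Block+Notify", category)
    return audit(policy)


if __name__ == "__main__":
    p = build_sample_policy()
    print("gaps after Backdoor only:", harden_category(p, "Backdoor"))
    print("gaps after all categories:", harden_category(p, None))
```

Running the block applies the Backdoor-only steps first, which leaves the Worm and Spyware rules reported as gaps, and then the all-categories variant, after which audit() returns nothing; the same audit can be applied to any rule export once the table is loaded into Rule objects.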

Figure 14 Confirm the operation

Saving Configurations

To ensure that the above configurations survive reboots, select System Management > Device Management > Configuration Maintenance from the navigation tree, and then in the Save Current Configuration area, click Save to save the current configurations.

Figure 15 Save configurations

Verifying the Configurations

When backdoor attacks are launched from the external network against PCs in the internal network, the IPS device blocks and logs the attacks. You can see attack prevention information like that in Figure 16 on the page you enter by selecting Log Management > Attack Logs > Recent Logs.

Figure 16 Blocked attacks

Select Reports > Attack Report > Attack Report from the navigation tree to enter the page shown in Figure 17. Select the report type, attack ID, severity level, action, time range, and segment, and click Query. The attack information recorded in the specified period is displayed, as shown in Figure 18.

Figure 17 Query the attacks

Figure 18 View the attack report

Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.