[Dr. WoW Season 2] [No 5] Network Threats May Be Deceptive, But Not for an NGFW---Intrusion Prevention Mechanism

Latest reply: May 8, 2018 17:10:04 706 1 2 0

Network threats are destructive and unpredictable. Trojans, worms, bots, spyware, and various types of attacks, such as overflow and injection attacks, are a threat to network security and the vulnerabilities of operating systems and applications can be exploited. The risks caused by known security weaknesses are already problematic, but those from unknown security threats are more so.

For these reasons, Huawei NGFW provides intrusion prevention to comprehensively defend against various attacks. This article describes the intrusion prevention function and first, Dr. WoW is going to introduce the basic concepts and implementation mechanisms of intrusion prevention.


When discussing the Intrusion Prevention System (IPS), we also need to understand the Intrusion Detection System (IDS). These systems may only be one letter different from each other, but they have totally different functions.

IDS focuses on risk management. It monitors network status, detects intrusion behaviors, records intrusion events, but it cannot take action on intrusions. Generally, IDS devices are connected in off-line mode to networks. They detect intrusions and then instruct the firewalls to block the intrusions.




In contrast, IPS focuses on risk control. As the name suggests, IPS not only detects intrusions, but also prevents them. Different from IDS, IPS blocks intrusions upon detection.



This article describes the intrusion prevention function on the NGFW and how to defend against intrusions. In scenarios that require only intrusion detection, we can configure the NGFW as an IDS device.

Intrusions must be identified before we can prevent them. To identify the intrusion behaviors hidden in various types of packets on the network, signature matching is used (just as with the antivirus feature).


A signature describes the characteristics of a type of network intrusion behavior. IPS compares the packet characteristics and signatures to detect intrusions. In addition to the characteristics of an intrusion, a signature also contains an action and other types of necessary information, as shown in the following example.



This signature describes an attack to an Internet Explorer vulnerability. The meaning of each signature field is listed in the following table.



Basic Information


Identifies a signature.


Describes the role of the attack target, including:

l  Server: indicates that the attack is targeted at a server.

l  Client: indicates that the attack is targeted at a client.


Describes the attack severity, which can be high, medium, or low.



Describes the target operating system of the attack.


Describes the protocol used by the attack.


Describes the attack type.


Describes the action taken on the packet matching the signature. The action can be:

l  Allow: permits the packet without generating a log.

l  Alert: permits the packet and generates a log.

l  Block: blocks the packet and generates a log.


Briefly describes the attack behavior.


Describes possible consequences of the attack.


Indicates the measures that should be taken on the attack, such as patch installation and software upgrade.


Indicates the attack CVE name and other related information.


The NGFW provides an IPS signature database populated with the predefined signatures of various known attacks. To identify emerging network attacks, the IPS signature database must be kept up-to-date.

For attacks not covered by predefined signatures, you can create user-defined signatures for such attacks. To correctly create a user-defined signature, network administrators must have sufficient knowledge of the vulnerability, the method for exploiting the vulnerability, and the characteristics of the attack packets. Incorrect user-defined signatures may not work or could even interrupt normal services. Therefore, do not configure user-defined signatures unless it is absolutely necessary, you have a good understanding of the vulnerability, and the possible consequences of the user-defined signature to be created.

The configuration of user-defined signatures involve a lot of items, as shown in the following figure.



A user-defined signature can have multiple rules, which are logically ORed. That is, if a packet matches any rule in a signature, the packet matches the signature. A rule can have multiple conditions, which are logically ANDed. That is, if a packet matches must match all the conditions in a rule to match the rule. The following table describes some key configuration items in user-defined signatures.

Configuration Item



Protocol defined in a user-defined signature (protocol used by attack packets)



Applicable scope of signature rules:

l  Packet: each packet.

l  Message: each message.

l  Flow: each data flow, applicable only to TCP-based application-layer protocols.

Sequential Match

Packets are matched against each condition sequentially. A packet must match all conditions in sequence to match the rule.

The Sequential Match option is not recommended because it is too narrow and may be unable to detect some network threats.


Operator items, such as Match, Greater Than, Less Than, Equal To, and Unequal To the value of the field.


Field to be inspected. The value varies with the selected protocol.


Value of the field to be inspected.

When Operator is set to Match, you can use regular expressions and escape characters to describe the characteristics of attack packets. For details on regular expressions and escape characters, refer to the NGFW product documentation.


Signature Filter and Signature Exception

The IPS signature database contains large amounts of signatures. However, not all of them are needed for all services, and the more signatures being used, the more difficult signature tuning will be. Therefore, we can use a signature filter to select the signatures that are frequently used.

A signature filter is a set of signatures that match pre-specified conditions, such as the severity, protocol, and threat type. The signatures applicable to a service are added to the signature filter. The signatures in a signature filter use their default actions unless you configure otherwise.

The actions of predefined signatures in the IPS signature database cannot be modified. However, to address any exceptions, Huawei NGFW supports the configuration of signature exceptions. A signature exception has a higher priority than a signature filter. You can use a signature exception with a different action to override that of a specific predefined signature. For example, if some normal service packets are being blocked by a predefined signature, you can configure the signature as a signature exception and set the action to Allow.

Now we understand the concepts of signature filter and signature exception, let's have a look at the internal intrusion prevention process.



The intrusion prevention process is described as follows:

1. The NGFW first reassembles the IP fragments and TCP flows and then detects attacks that are attempting to evade intrusion prevention. After application protocol identification, the NGFW implements IPS inspection on the traffic of different applications by comparing the packet characteristics with the signatures in the IPS signature database.

2. If a packet matches a signature, the NGFW first checks whether the signature is an exception. If yes, the NGFW takes the action of the signature exception. Otherwise, the process moves to the next step.

3. The NGFW checks whether the signature belongs to a signature filter. If yes, the NGFW takes the action of the signature filter (If the packet matches multiple signatures and the action of the signature filter is set to use the default action, the NGFW performs the strictest action). Otherwise, the process moves to the next step.

4. If the signature matched by the packet is neither an exception nor belongs to any signature filter, the NGFW permits the packet.

Signatures involves a lot of different information so configuring filter signatures may be challenging. To address this, the NGFW provides several signature filters for typical intrusion prevention scenarios. These signature filters have been integrated into the default intrusion prevention profiles and are ready to be referenced in security policies. These default intrusion prevention profiles are listed in the following table.

Profile Name



Application Scenario





Signature action

Defense against attacks targeted at web servers



Network file protocols

Signature action

Defense against attacks targeted at file servers



Signature action

Defense against attacks targeted at DNS servers



Mail protocols

Signature action

Defense against attacks targeted at mail servers


Protocols other than Telnet and TFTP

Signature action

Another firewall is deployed on the network, and the NGFW is inside of the firewall.



Signature action

Another firewall is deployed on the network, and the NGFW is outside of the firewall.


Protocols other than NetBIOS, NFS, SMB, Telnet and TFTP

Signature action

Defense against attacks to the DMZ




The NGFW is deployed in off-line mode to the network as an IDS device, which detects but does not prevent intrusion behavior.



Signature action

The NGFW is deployed in in-line mode to the network as an IPS device.


At last, let's compare intrusion prevention and the antivirus that was introduced in the previous post. Both intrusion prevention and antivirus use signature-based detection, and the detection effectiveness of both features depends on the update of the signature databases. However, intrusion prevention applies to all protocols and focuses on packet content inspection, whereas antivirus applies to specific protocols (such as FTP, HTTP, SMTP, POP3, IMAP, NFS, and SMB) and focuses on file inspection. In terms of virus detection, it is not as in-depth or extensive as the antivirus feature. Intrusion prevention and antivirus features complement each other rather than replace each other.

So far, we have introduced the mechanism of intrusion prevention. In the next post, we will learn how to configure intrusion prevention and provide some examples on configuring pre-defined and user-defined signatures to defend against intrusion behaviors.


To view the list of all Dr. WoW technical posts, click here.

  • x
  • convention:

Created May 8, 2018 17:10:04 Helpful(0) Helpful(0)

:) Great
  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits