[Dr. WoW Season 2] [No 6] Network Threats May Be Deceptive, But Not for an NGFW---Intrusion Prevention Configuration

Latest reply: May 21, 2018 17:22:55

Before we configure intrusion prevention, keep in mind that it cannot be configured once and then left alone to protect against all attacks, and that it may not produce instant results, because network threats keep changing. We must therefore keep tuning the intrusion prevention configuration over time.

Below is a general roadmap for tuning intrusion prevention after it has been deployed: monitor attack behaviors and analyze threat logs to identify defense policies that are too loose or too strict, then adjust the intrusion prevention configuration accordingly, for example by modifying the signature filter or updating the IPS signature database. If necessary, also configure signature exceptions and user-defined signatures.



Intrusion prevention is an ongoing process and so administrators need to continually pay close attention to network security, monitor and analyze intrusion behaviors on the network, and adjust and optimize intrusion prevention policies.

Logical Relationships Between Intrusion Prevention and Other Features

The intrusion prevention configuration involves multiple functional modules.



The two most important components of intrusion prevention are intrusion prevention profiles and security policies. An intrusion prevention profile defines the signature filter and signature exceptions. A security policy defines the matching conditions (which identify the traffic subject to intrusion prevention inspection) and the action, and references an intrusion prevention profile. The action must be permit: only traffic that the security policy permits is handed to content security inspection, so a deny rule never reaches the IPS engine. The other modules are described as follows:

Signature databases can be updated to identify more intrusion behaviors. Only predefined signatures are changed by a database update; user-defined signatures are not. How to update the signature databases will be described in subsequent posts.

User-defined signatures can be configured for attacks that existing predefined signatures cannot identify.

The packet capture function in an intrusion prevention profile can be enabled so that packets with intrusion characteristics can be extracted from the threat logs and analyzed further, giving a better understanding of their behavior.

Threat logs can be checked to identify the IDs of signatures that falsely block normal traffic. Such signatures can then be configured as exceptions so that subsequent normal traffic is processed according to the exception signature action.

Description of the Web Configuration Page

Below is a snapshot of the web UI for configuring intrusion prevention profiles (the USG6000 V100R001C30SPC100 is used as an example), followed by a description of each configuration item on the UI.



The configuration page of intrusion prevention profiles is divided into three areas.

Area 1 is the basic configuration area. In this area, you can set the profile name, a description, and enable the packet capture function.

Area 2 is the signature filter configuration area. In this area, you can create multiple signature filters. Packets are matched against them in turn. If a packet matches a signature in a signature filter, the NGFW performs the action specified for that filter.

Area 3 is the signature exception configuration area. In this area, you can add signature exceptions and configure their actions.

Examples for Configuring Intrusion Prevention

Now, let's look at some real-world examples.

Using pre-defined signatures to defend against attacks on Internet Explorer

In the following figure, an NGFW is deployed between the PC and the web server. The PC runs Windows and uses Internet Explorer to access the Internet. Both Windows and Internet Explorer are frequent attack targets, so we configure intrusion prevention on the NGFW to protect the PC from network attacks.



The following intrusion prevention profile is configured, using the object and operating system attributes to select signatures, and the intrusion prevention profile is referenced in a security policy.



After an intrusion prevention profile is created, it must be committed to make it take effect. To save time, all intrusion prevention profiles are completed before Commit is clicked, committing them all at the same time.

After the configuration is complete, the Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815), which targets Internet Explorer on Windows, is used to verify that the intrusion prevention profile works. The signature for this vulnerability is included in the predefined signatures of the IPS signature database, and its default action is alert.

First, an HTML file containing the exploit code for this vulnerability is created and placed on the web server, so the web server now serves a malicious page. When Internet Explorer opens the page, the page still loads, because the signature action is alert rather than block.

The threat logs on the NGFW are then checked. The log entry shows that the NGFW permitted the packets but recorded the event, which is exactly what the alert action does. The NGFW is working as expected. If you want such traffic dropped rather than only logged, change the action of the signature filter from alert to block.


The configuration script is as follows (the rule belongs to the security-policy view; the address and mask on the source-address line are omitted in the original post):

profile type ips name protect_pc
 signature-set name windows
  os windows
  target client
  severity low medium high
  protocol all
  category all
#
security-policy
 rule name policy_ips
  source-zone trust
  destination-zone untrust
  source-address mask
  profile ips protect_pc
  action permit



Using user-defined signatures to defend against injection attacks on a web server

In the following figure, an enterprise deploys a web server on the intranet for users on the Internet to access. The web server provides a forum to release product information and communicate with online users and partners. An NGFW is deployed between the Internet and the intranet server. The intrusion prevention function is enabled on the NGFW to protect the web server.



When checking web server security, the enterprise network administrator discovers several suspicious administrator accounts in the forum's SQL database and notices that the forum data is often modified. The administrator checks the forum's security bulletins and finds no information about the vulnerability. After the IPS signature database is upgraded to the latest version, the attack persists. We can infer that the forum program on the web server is probably being attacked through a 0-day vulnerability.

To secure the web server without interrupting service, the administrator decides to analyze the attack characteristics and use a user-defined signature to defend against the attack. The administrator captures packets on the web server and, after a period of capture, finds the following suspicious request.



Analysis of the captured packet shows a typical SQL injection request. Because of a bug on the forum's login.asp page, an attacker can insert an SQL statement into the access request and have the database execute it, bypassing the forum's security check. The two exec statements in the captured request create a new SQL database administrator account, which is how the attacker escalates privilege.

After understanding these attack characteristics, the administrator can create a user-defined signature. First, the basic information about the user-defined signature is set.



Then a user-defined signature rule is configured. A check item in the rule matches the HTTP URI field against the value login.asp\?id=\d+;exec, where id= is followed by the regular expression \d+, meaning any integer matches. This check item identifies the exec injection on the login.asp page in an HTTP request: as long as the URI contains a string matching the value, the packet matches the check item.



As in the previous example, the configuration must be committed before it takes effect. To save time, finish all changes before clicking Commit so that they are committed together.

Next, check whether the new user-defined signature is included in the signature filter. In this example, the default profile (which uses the default signature filter) is used. Enter the name of the user-defined signature in the View Signature Filter Effect dialog box; if it is listed, the signature is included in the default signature filter.

After the preceding configuration is complete, if the attacker launches the SQL injection attack against the forum again, the NGFW blocks it and generates a log.



The configuration script is as follows (the rule belongs to the security-policy view; the address and mask on the destination-address line are omitted in the original post):

ips signature-id 1
 name Anti_SQL_Injection
 protocol HTTP
 target server
 action block
  rule name rule1
   condition 1 field HTTP.URI operate pmatch value login.asp\?id=\d+;exec
#
security-policy
 rule name policy_ips
  source-zone untrust
  destination-zone trust
  destination-address mask
  profile ips default
  action permit



The check item in this post is deliberately simple and only for illustration. In real-world networks, when you configure user-defined signatures, analyze the attack characteristics carefully, configure precise check items, and tune them repeatedly to avoid service interruption. In particular, a pattern like the one above matches only that literal byte sequence: attackers routinely change keyword case (EXEC), percent-encode characters (%3B for the semicolon), or add whitespace and SQL comments, and a non-numeric id value would not satisfy \d+ at all. Confirm how the device normalizes the URI before the pmatch comparison, and test such variants against the signature before relying on it.
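To make the matching behavior of that check item concrete, here is an added Python example that is not code from the post or from the USG6000: the vendor's pmatch engine and any URI normalization it performs are approximated with Python's re and urllib, and the sample request lines are constructed for the example. It runs the post's pattern and a tightened decode-then-match version (an assumption about one reasonable hardening, not vendor guidance) over legitimate and attack requests, showing which evasions the literal pattern misses.

```python
import re
from urllib.parse import unquote

# The check item exactly as configured in the post, applied as a
# "contains" match on the HTTP URI (pmatch semantics approximated
# with re.search).
RAW_PATTERN = re.compile(r"login.asp\?id=\d+;exec")

# One possible tightening (an assumption made here, not vendor guidance):
# any id value, optional whitespace around the separator, case-insensitive,
# and evaluated on the percent-decoded URI.
HARDENED_PATTERN = re.compile(r"login\.asp\?id=[^&#]*?;\s*exec", re.IGNORECASE)

MAX_DECODE_ROUNDS = 3  # bounded so a pathological input cannot loop forever


def normalize_uri(uri: str) -> str:
    """Percent-decode repeatedly (covers double encoding such as %253B),
    then treat '+' as a space the way a form-encoded query is read."""
    current = uri
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("+", " ")


def uri_of(request_line: str) -> str:
    """Pull the request-target out of an HTTP request line."""
    return request_line.split()[1]


def matches_raw(uri: str) -> bool:
    """The post's pattern against the URI bytes as sent."""
    return RAW_PATTERN.search(uri) is not None


def matches_hardened(uri: str) -> bool:
    """The tightened pattern against the normalized URI."""
    return HARDENED_PATTERN.search(normalize_uri(uri)) is not None


# Constructed request lines for this example; not captures from the post.
SAMPLE_REQUESTS = [
    ("GET /login.asp?id=1 HTTP/1.1", "legitimate login"),
    ("GET /login.asp?id=7&next=/exec/report HTTP/1.1", "legitimate, 'exec' in another parameter"),
    ("GET /login.asp?id=1;exec+sp_addlogin+'x','y' HTTP/1.1", "attack exactly as the post's pattern expects"),
    ("GET /login.asp?id=1;EXEC+sp_addlogin+'x','y' HTTP/1.1", "attack, upper-case keyword"),
    ("GET /login.asp?id=1%3Bexec%20sp_addlogin%20'x','y' HTTP/1.1", "attack, separator percent-encoded"),
    ("GET /login.asp?id=1%253Bexec HTTP/1.1", "attack, double-encoded separator"),
    ("GET /login.asp?id=1+or+1%3D1;exec+xp_cmdshell HTTP/1.1", "attack, non-numeric id value"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return (description, raw_hit, hardened_hit) for each request line."""
    return [
        (desc, matches_raw(uri_of(line)), matches_hardened(uri_of(line)))
        for line, desc in requests
    ]


if __name__ == "__main__":
    print("raw   hardened  request")
    for desc, raw_hit, hard_hit in scan():
        print(f"{'HIT ' if raw_hit else 'miss'}  {'HIT ' if hard_hit else 'miss'}      {desc}")
```

Only the third request, the one shaped exactly like the captured attack, trips the literal pattern; the case, encoding and tautology variants all slip past it while the decode-then-match version catches them without flagging the two legitimate requests. On a real device the decoding step may already be done by the HTTP decoder before pmatch runs, which is exactly what should be verified with test requests before the signature is set to block.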


Created May 21, 2018 10:43:40

useful document, thanks
Created May 21, 2018 17:22:55
