8.6. Intrusion Detection and Prevention System

The intrusion detection and prevention system (IDPS) enables identification of malicious activity within the network or coming from the Internet. It focuses on threat detection, logging, and prevention as well as reporting. Security problems are detected using heuristic rules and signature analysis for known attacks. The rule and signature database, maintained and updated by the UserGate development team, is provided to the holders of the corresponding license. The IDPS monitors and blocks these attacks in real time. Some possible preventive measures are connection termination, network administrator notification, and logging.

To get started with the IDPS, follow these steps:

Task

Description

Step 1. Create the desired IPS profiles.

An IPS profile is a set of signatures relevant for protecting certain services. The administrator can create the desired number of IPS profiles to protect various services. It is recommended to limit the number of signatures in the profile only to those that are necessary for protecting the service. For example, to protect a service that uses the TCP protocol, you should not add signatures developed for UDP. A large number of signatures increases the traffic processing time and CPU load.

Step 2. Create the desired IDPS rules.

IDPS rules define the actions to be applied to the selected traffic type that will be checked by the IDPS module according to the assigned IPS profile.

To configure IPS profiles, go to the Libraries --> IPS profiles section, create a profile, and add the desired signatures to it. IPS signatures, maintained and constantly updated by the UserGate developer team, are provided on a subscription basis. Each signature has the following fields:

Name

Description

Signature

The name of the signature.

Threat level

The signature's risk on a 5-point scale.

Protocol

The protocol for which this signature is developed:

  • IP.

  • ICMP.

  • TCP.

  • UDP.

Signature operating system

The operating system for which this signature is developed.

Category

A signature category is a group of signatures that have common parameters. The list of categories (can be extended):

  • adware pup.

  • attack_response: signatures that specify responses to known network attacks.

  • coinminer: downloading, installation, and runtime activity of known miners.

  • dns: known DNS vulnerabilities.

  • dos: known signatures of denial-of-service (DoS) attacks.

  • exploit: signatures of known exploits.

  • ftp: known FTP vulnerabilities.

  • imap: known IMAP vulnerabilities.

  • info: potential data leaks.

  • ldap: known LDAP vulnerabilities.

  • malware: downloading, installation, and runtime activity of known malware.

  • misc: other known signatures.

  • netbios: known NetBIOS protocol vulnerabilities.

  • phishing: signatures of known phishing attacks.

  • pop3: known POP3 protocol vulnerabilities.

  • rpc: known RPC protocol vulnerabilities.

  • scada: known SCADA protocol vulnerabilities.

  • scan: signatures of attempts to scan the network for known applications.

  • shellcode: signatures specifying known attempts at launching shells.

  • smtp: known SMTP protocol vulnerabilities.

  • snmp: known SNMP protocol vulnerabilities.

  • sql: known SQL vulnerabilities.

  • telnet: known attempts at cracking via the telnet protocol.

  • tftp: known TFTP protocol vulnerabilities.

  • user_agents: signatures of suspicious User-Agent strings.

  • voip: known VoIP protocol vulnerabilities.

  • web_client: signatures of known attempts at cracking various web clients, such as Adobe Flash Player.

  • web_server: signatures specifying known attempts at cracking various web servers.

  • web_specific_apps: signatures specifying known attempts at cracking various web applications.

  • worm: signatures specifying network activity of known network worms.

Class type

The signature class determines the attack type that is detected using this signature. In addition, it covers general events that are not related to an attack but can be relevant in certain cases, e.g., detecting the establishment of a TCP session. The following classes are supported:

  • arbitrary-code-execution: attempt to run arbitrary code.

  • attempted-admin: attempt to obtain administrative privileges.

  • attempted-dos: attempt to launch a Denial-of-Service (DoS) attack.

  • attempted-recon: attempt to launch an attack aimed at leaking data.

  • attempted-user: attempt to obtain user privileges.

  • bad-unknown: potentially unwanted traffic.

  • command-and-control: attempt to communicate with a C&C center.

  • default-login-attempt: attempt to log in with the default username/password.

  • denial-of-service: Denial-of-Service attack detected.

  • exploit-kit: exploit kit detected.

  • misc-activity: other activity.

  • misc-attack: attack detected.

  • shellcode-detect: shell code detected.

  • string-detect: suspicious string detected.

  • suspicious-login: attempt to log in using a suspicious username.

  • trojan-activity: network Trojan detected.

  • web-application-attack: web application attack detected.

Description

A detailed description of the signature.

When adding signatures to an IPS profile, the administrator has the flexibility to filter signatures; for example, to select only those that have a very high risk, use the TCP protocol, and belong to the category "botcc" and class "all".

IDPS rules define the type of traffic to which the IPS profile is applied and the action that the IDPS module should take when a signature is triggered (a triggered signature also makes the matching traffic available for logging). Packet capture is configured in the UserGate --> General settings --> PCAP settings section. PCAP files are available for download and viewing in the IDPS log.

Note

The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note

The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

Note

If there are no rules created, the IDPS does not analyze traffic or protect against threats.

To configure IDPS rules, go to the Security policies --> Intrusion prevention section, click Add, and provide the desired settings.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Action

The options are as follows:

  • Allow: do not block traffic.

  • Log: log without blocking.

  • Reset: block and log.

Source

The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! Traffic is processed according to the following logic:

  • logical OR is applied if several IP lists and/or domain lists are specified;

  • logical AND is applied if GeoIP lists and lists of IPs and/or domains are both specified.

Destination

The zone, IP address lists, GeoIP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! Traffic is processed according to the following logic:

  • logical OR is applied if several IP lists and/or domain lists are specified;

  • logical AND is applied if GeoIP lists and lists of IPs and/or domains are both specified.

Service

The service type, such as HTTP, DNS, or other.

Profiles

The list of IPS profiles that will be used as the source of signatures for this IDPS rule.

IPS profiles are set for the rules that use the Reset and Log actions. An IPS profile cannot be set for an allowing rule; this makes it possible to configure exceptions for a specific traffic type.

Exclusion profiles

The list of IPS profiles providing signatures to be excluded from those defined in the profiles specified in the IPS profiles section. Exclusion profiles can only be used in the rules that use the Reset and Log actions.

This capability makes it possible to use centrally-provided signature profiles (e.g. the UserGate default profile) that cannot be edited by the administrator, but to exclude a number of signatures that are redundant or cause false triggers.
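The following added example (not UserGate code) models the rule semantics described on this page: signatures are filtered into a profile by threat level, protocol, category and class; rules are evaluated top to bottom with first match wins; the Negate checkbox inverts the source condition; IP/domain lists are combined with OR and with GeoIP by AND; an allowing rule cannot carry profiles; and exclusion profiles subtract signatures. The signature catalogue, IP ranges and country codes are constructed sample data, and domain lists are treated as already resolved to IPs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample catalogue; field names follow the signature card on this page.
SIGNATURES = {
    "sig-tcp-webshell": {"threat": 5, "proto": "TCP", "category": "web_server", "class": "web-application-attack"},
    "sig-tcp-sqli":     {"threat": 4, "proto": "TCP", "category": "sql", "class": "web-application-attack"},
    "sig-tcp-scan":     {"threat": 2, "proto": "TCP", "category": "scan", "class": "attempted-recon"},
    "sig-udp-dns":      {"threat": 3, "proto": "UDP", "category": "dns", "class": "attempted-recon"},
}

def build_profile(min_threat=1, proto=None, category=None, sig_class=None):
    """Select signatures the way the profile editor filters them; None means 'all'."""
    return {name for name, s in SIGNATURES.items()
            if s["threat"] >= min_threat
            and proto in (None, s["proto"])
            and category in (None, s["category"])
            and sig_class in (None, s["class"])}

@dataclass
class Rule:
    name: str
    action: str                       # Allow, Log or Reset
    src_ips: tuple = ()               # IP lists (domain lists resolve to IPs): OR between them
    src_geo: frozenset = frozenset()  # GeoIP lists: AND with the IP/domain lists
    negate_src: bool = False          # the Negate checkbox: Boolean NOT on the source condition
    profiles: tuple = ()              # IPS profiles supplying signatures
    exclusions: tuple = ()            # exclusion profiles: their signatures are subtracted
    def __post_init__(self):
        if self.action == "Allow" and (self.profiles or self.exclusions):
            raise ValueError("an allowing rule cannot carry IPS profiles")
    def effective_signatures(self):
        return set().union(*self.profiles) - set().union(*self.exclusions)
    def matches_source(self, ip, country):
        in_lists = not self.src_ips or any(ip_address(ip) in ip_network(n) for n in self.src_ips)
        in_geo = not self.src_geo or country in self.src_geo
        hit = in_lists and in_geo
        return not hit if self.negate_src else hit

def first_match(rules, ip, country):
    """Rules are checked top to bottom; the first rule whose conditions all match wins (None: no rules)."""
    return next((r for r in rules if r.matches_source(ip, country)), None)

WEB_PROFILE = build_profile(min_threat=4, proto="TCP")   # only high-risk TCP signatures
RULES = (
    Rule("trusted-scanner", "Allow", src_ips=("10.0.9.0/24",)),   # exception: must sit above general rules
    Rule("reset-foreign-web-attacks", "Reset", src_geo=frozenset({"HOME"}), negate_src=True,
         profiles=(WEB_PROFILE,), exclusions=({"sig-tcp-sqli"},)),  # everything NOT from HOME
    Rule("log-the-rest", "Log", profiles=(build_profile(),)),
)
```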