
Cyberoam IPS Configuration Guide Version 10

Document Version 10.04.4.0028 - 08/10/2013

Document Version 10.04.5.0007 - 30/11/2013

Important Notice Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.

You will find a copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS Copyright 1999 - 2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters Cyberoam Technologies Pvt. Ltd. 901, Silicon Tower, Off. C.G. Road, Ahmedabad – 380006, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640

Web site: www.cyberoam.com

Contents

Overview

IPS

Cyberoam IPS

Policy

  Policy

Custom Signature

  Custom Signature

Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:

Corporate Office

Cyberoam Technologies Pvt. Ltd.

901, Silicon Tower

Off C.G. Road

Ahmedabad 380006

Gujarat, India.

Phone: +91-79-66065606

Fax: +91-79-26407640

Web site: www.cyberoam.com

Cyberoam contact:

Technical support (Corporate Office): +91-79-26400707

Email: [email protected]

Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.

Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item | Convention | Example

Server | Machine where the Cyberoam Software Server component is installed |

Client | Machine where the Cyberoam Software Client component is installed |

User | The end user |

Username | A username uniquely identifies a user of the system |

Part titles | Bold and shaded typeface | Report

Topic titles | Shaded typeface | Introduction

Subtitles | Bold, black typeface | Notation conventions

Navigation link | Bold typeface | Group Management > Groups > Create means: open Group Management, then Groups, then click the Create tab

Name of a parameter / field / command button text | Lowercase italic type | Enter policy name (replace policy name with the specific name of a policy), or Click Name, where Name is the command button to click

Cross references | Hyperlink in a different color | Refer to Customizing User database; clicking the link opens that topic

Notes and points to remember | Bold typeface between black borders | Note

Prerequisites | Bold typeface between black borders | Prerequisite: prerequisite details

Overview

Welcome to the Cyberoam IPS Implementation Guide.

Cyberoam is an identity-based UTM appliance. Cyberoam's solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions.

Cyberoam's blend of best-of-breed solutions includes a user-based firewall, content filtering, anti-virus, anti-spam, Intrusion Prevention System (IPS), and VPN (IPSec and SSL).

Cyberoam increases LAN security by providing a separate port for publicly accessible servers such as web, mail and FTP servers. Hosted in the DMZ, these servers are visible to the external world while still having firewall protection.

Cyberoam includes a real-time Intrusion Prevention System that protects your network from known and unknown attacks by worms and viruses, hackers, and other Internet risks.

The Cyberoam appliance at the perimeter of your network analyzes all traffic and stops attacks before they reach your network, whether a worm, a suspicious web request, a hacker targeting your mail server, or any other attack.

Note: The Intrusion Prevention System module is a subscription module and must be subscribed to before use. You can evaluate the module's features with its free trial subscription.

IPS

An IPS is a security management system that gathers and analyzes information from a network to identify possible security breaches, both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).

An IPS detects and/or prevents malicious activity such as Denial of Service attacks, port scans, or attempts to break into computers by monitoring network traffic.

To detect such activity, an IPS uses signatures. Whenever traffic matching a signature is found, the IPS raises an alert and blocks the traffic from reaching its destination.

A standard IPS allows you to define one global policy that is applied to every combination of source and destination networks, hosts, and ports. The global policy can be modified or tuned as required, but it cannot be tailored per network or per host.

Because a global policy is a single general policy for everything, standard IPSs generate a high number of false positives, which makes it difficult to pinpoint the host generating malicious traffic, or the host being targeted.

Fine-tuning a global policy means disabling a set of signatures for all networks and hosts. That is rarely a fit for every network: it may reduce false positives on one network while increasing them on another, and may leave obvious malicious activity undetected.

Note: All screenshots in the Cyberoam User Guides have been taken from the NG series of appliances. The features and functionality, however, remain unchanged across all Cyberoam appliances.

Cyberoam IPS

Cyberoam IPS is a real-time Intrusion Prevention System (IPS) that protects your network from known and unknown attacks by worms and viruses, hackers, and other Internet risks.

The Cyberoam appliance at the perimeter of your network analyzes all traffic passing through it and stops attacks before they reach your network, whether a worm, a suspicious web request, a hacker targeting your mail server, or any other attack.

The IPS consists of a signature engine with a predefined database of signatures, which it uses to identify malicious activity on the network. The predefined signatures themselves cannot be modified; what you control is whether each one is enabled and which action is taken on a match, as described under Policy.

Instead of a single global policy, the appliance lets you define multiple IPS policies and tailor them per network or per host. Defining several targeted policies instead of one global policy reduces packet latency, since each policy needs to carry only the signatures relevant to its traffic, and reduces false positives.

An IPS policy lets you view the predefined signatures and customize the intrusion prevention configuration at the category level as well as for individual signatures. Categories are groups of signatures organized by the application and protocol vulnerabilities they cover.

To enable intrusion detection and prevention, apply an IPS policy from a Firewall Rule. You can create rules that apply:

a single policy for all users/networks

different policies for different users, networks or hosts

Because Firewall Rules control all traffic passing through the appliance and decide whether a connection is allowed or dropped, an IPS policy is applied only to the traffic that a Firewall Rule allows through; traffic the firewall drops is never inspected by the IPS.

Policy

The IPS consists of a signature engine with a predefined set of signatures. Signatures are patterns known to be harmful. The IPS compares traffic against these signatures and responds at high speed when it finds a match. The signatures included with Cyberoam cannot be modified.

Category

Signatures are organized in categories such as DNS, Finger, P2P, DDoS, and others, and these categories are listed in each policy. You configure the categories to change the prevention and/or detection settings. To perform intrusion prevention and detection you must enable the IPS service for each category: the action for an individual signature can be configured only if its category is "Enabled".

Each IPS policy defines the set of signatures Cyberoam searches for and what it does on a match (log, block or allow). Within a policy you can:

Enable or disable a category of IPS protection.

Enable or disable individual signatures in a category to tailor IPS protection to your network environment.

Define the action to take when traffic matching a signature is found. Cyberoam can either detect only (and allow the traffic) or drop the connection. In either case, Cyberoam generates a log entry and alerts the network administrator.

IPS provides five actions for managing attack threats (the action is taken when a signature matches):

Allow Packet: Cyberoam forwards the matching packet to its intended destination.

Drop Packet: Cyberoam drops the matching packet.

Drop Session: Cyberoam drops the entire session in which the match occurred.

Reset: Cyberoam resets the entire session by sending a TCP reset packet to the originator (meaningful for TCP sessions only).

Bypass Session: Cyberoam allows all remaining packets of the session in which the match occurred.

With the packet-based actions (Allow Packet, Drop Packet), Cyberoam inspects every packet of the session and applies the action packet by packet. With the session-based actions (Drop Session, Reset, Bypass Session), the decision is made when the initial packets match and applies to the whole session; the remaining packets are not scanned. In all cases, Cyberoam generates a log entry and alerts the network administrator.

To save resources and avoid latency, set the action to "Bypass Session": once the initial packets match, the rest of the session's packets are not scanned at all. Note the trade-off: a malicious payload arriving later in a bypassed session is not inspected either, so reserve this action for signatures whose matches you have verified to be benign in your environment.

To avoid a high number of alerts and save resources, set the action to "Drop Session": when Cyberoam identifies an attack in the initial packets, it terminates the whole session instead of scanning and alerting on every subsequent packet.

Policy

“Policy” tab allows you to view IPS signatures and configure the handling of signatures by category or on a signature-by-signature basis.

Create and deploy IPS policies to block malicious or suspicious traffic and increase security and productivity.

Cyberoam provides following pre-defined policies, which can be used directly or modified as per your requirement:

generalpolicy

lantowan strict policy

lantowan general policy

dmzpolicy

To configure IPS policies, go to IPS > Policy > Policy. You can:

Add

View

Edit – Click the Edit icon in the Manage column against the IPS Policy to be modified. Edit IPS Policy is displayed in a new window, which has the same parameters as the Add IPS Policy window.

Enable/Disable Individual Signature – Click the Edit icon in the Manage column against the IPS Policy in which the signature matching is to be enabled or disabled. Search the signature category or click Category name under which the signature is included. Change the action for the required signature.

Delete – Click the Delete icon in the Manage column against an IPS Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the IPS Policy.

To delete multiple IPS Policies, select them and click the Delete button.

Manage Policies

Screen – Manage IPS Policies

Screen Element | Description

Add Button | Add a new IPS Policy.

Name | Displays the name of the IPS Policy.

Description | Displays the description of the IPS Policy.

Edit Icon | Edit the IPS Policy.

Delete Button | Delete the selected IPS Policies. Alternatively, click the Delete icon against the policy to be deleted.

Table – Manage IPS Policies screen elements

IPS Policy Parameters

To add or edit IPS policies, go to IPS > Policy > Policy. Click the Add button to add a new policy or the Edit icon to modify an existing one. The IPS Policy parameters are given below.

Screen – Add IPS Policy

Screen Element | Description

Name | Specify a name to identify the IPS Policy.

Description | Provide a description for the IPS Policy.

Category Name | Enable or disable categories from the list of default categories to include or exclude them from the policy. By default, all categories are enabled.

  Enable a category to include it for detection and/or prevention. An enabled category gives maximum granularity, letting you change the prevention and detection settings of each individual signature within it.

  Disable a category to exclude it from detection and/or prevention. Excluding a category is the same as not implementing IPS for that category.

Table – Add IPS Policy screen elements

Enable/Disable Signature

Go to IPS > Policy > Policy and click the policy in which signatures are to be enabled or disabled.

Click a category to view the list of signatures grouped under it and define the action to take when traffic matching a signature is detected.

Screen – Enable/Disable Individual Signature

Screen Element | Description

Enable | Check the box against the category to enable it in the policy.

Signature ID | Displays the unique signature ID.

Signature Name | Displays the signature name.

Recommended Action | The recommended action is set by Cyberoam and cannot be modified. It is the default action Cyberoam takes when the matching traffic pattern is detected.

Actions | You can define a common action for all signatures in the category, or define the action for each individual signature.

  To set the common action, select an action against "Set Common Action"; otherwise select an action against the individual signature.

  Available options:

  Allow Packet

  Drop Packet

  Drop Session

  Reset

  Bypass Session

  If a common action is configured, it is taken whenever traffic matching any signature in the category is detected.

Table – Enable/Disable Individual Signature screen elements

Custom Signature

Custom Signatures provide the flexibility to customize IPS for diverse network environments. Predefined signatures included in Cyberoam cover common attacks while Custom Signatures protect your network from uncommon attacks that are due to the use of proprietary server, custom protocol, or specialized applications used in the corporate network.

Create custom signatures for proprietary servers, custom protocols, or specialized applications used in your corporate network.

To create and manage custom IPS signatures, go to IPS > Custom Signature > Custom Signature. You can:

Add

View

Edit – Click the Edit icon in the Manage column against the Custom Signature to be modified. The Edit Custom Signature window has the same parameters as the Add Custom Signature window.

Delete – Click the Delete icon in the Manage column against the Custom Signature to be deleted. A dialog box asks you to confirm the deletion; click OK to delete the Custom Signature. To delete multiple Custom Signatures, select them and click the Delete button.

Manage Custom Signatures

To manage custom IPS signatures, go to IPS > Custom Signature > Custom Signature.

Screen – Manage Custom Signatures

Screen Element | Description

Add Button | Add a new Custom Signature.

Name | Displays the name of the Custom Signature.

Edit Icon | Edit the Custom Signature.

Delete Button | Delete the selected Custom Signatures.

Table – Manage Custom Signatures screen elements

Custom Signature Parameters

To add custom IPS signatures, go to IPS > Custom Signature > Custom Signature and click the Add button.

Screen – Add Custom Signature

Screen Element | Description

Name | Specify a name to identify the Custom Signature.

Protocol | Select the signature protocol from the list.

Custom Rule | Specify the signature definition. A definition is one or more clauses; each clause begins with a keyword, followed by a colon and the value enclosed in double quotes, and ends with a semicolon (;).

  Format: keyword:"value";

  For example: content:"USER JOHN";

  If traffic containing the string USER JOHN is detected, the action defined in the policy is taken.

  Refer to Appendix B – IPS - Custom Signature Syntax for more details on creating signatures.

Severity | Select the level of severity from the available options:

  Critical

  Major

  Moderate

  Minor

  Warning

Action | Configure the action to take, per IPS policy, when the signature matches. All default and custom policies are displayed and available for configuration.

  Select a policy and configure the action to take for that policy when the pattern matches.

  Select the Default Mode policy to configure the same action for all IPS policies. The action configured for Default Mode can be overridden by selecting a different action for a specific policy.

  Available actions:

  Allow Packet: every packet is inspected; the matching packet is forwarded to its destination and inspection continues.

  Drop Packet: every packet is inspected; the matching packet is dropped and inspection continues.

  Drop Session: once a match is found, the entire session is terminated instead of scanning every remaining packet, which saves resources and avoids a high number of alerts.

  Reset: a TCP reset packet is sent to the originator and the session is terminated.

  Bypass Session: once the initial packets match, the rest of the session is forwarded without further scanning, which saves resources and avoids latency.

  In all cases, Cyberoam generates a log entry and alerts the network administrator.

Table – Add Custom Signature screen elements
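The two things this guide describes only in prose, the Custom Rule format keyword:"value"; and the difference between the packet-based actions (Allow Packet, Drop Packet) and the session-based actions (Drop Session, Reset, Bypass Session), are modelled below in an added Python example. It is not Cyberoam's code and does not reproduce the appliance's engine: it assumes that only the content keyword is used (the real syntax is in the Appendix B the guide refers to), that matching is a case-sensitive substring test in which every content value must be present, and that a session-based action is decided at the first matching packet. The FTP-style session and the signature name are constructed for the demonstration.

```python
"""Added example (not Cyberoam's code): a toy model of the custom-rule
format  keyword:"value";  and of the five IPS actions described in this guide.
Assumptions: only the `content` keyword is modelled; matching is a
case-sensitive substring test and every `content` value must be present;
session-based actions decide at the first matching packet. Sample packets
are constructed for the demo."""
import re
from dataclasses import dataclass, field
from typing import List

ALLOW_PACKET, DROP_PACKET = "Allow Packet", "Drop Packet"
DROP_SESSION, RESET, BYPASS_SESSION = "Drop Session", "Reset", "Bypass Session"
PACKET_ACTIONS = {ALLOW_PACKET, DROP_PACKET}              # every packet inspected
SESSION_ACTIONS = {DROP_SESSION, RESET, BYPASS_SESSION}   # verdict covers session

# One clause of the rule grammar shown in the guide: keyword:"value";
CLAUSE_RE = re.compile(r'\s*(\w+)\s*:\s*"([^"]*)"\s*;')


@dataclass
class Signature:
    name: str
    protocol: str
    contents: List[str]   # all values must appear in the payload (assumption)


@dataclass
class Packet:
    protocol: str
    payload: bytes


@dataclass
class Verdict:
    scanned: int = 0                                    # packets inspected
    delivered: List[int] = field(default_factory=list)  # packet indexes forwarded
    alerts: List[str] = field(default_factory=list)     # log lines generated
    reset_sent: bool = False                            # TCP RST to originator


def parse_custom_rule(name: str, protocol: str, rule: str) -> Signature:
    """Parse a Custom Rule string made of keyword:"value"; clauses."""
    rule = rule.strip()
    contents, pos = [], 0
    while pos < len(rule):
        m = CLAUSE_RE.match(rule, pos)
        if m is None:
            raise ValueError(f"bad signature syntax at offset {pos}: {rule[pos:]!r}")
        keyword, value = m.group(1), m.group(2)
        if keyword != "content":      # assumption: only `content` supported here
            raise ValueError(f"unsupported keyword {keyword!r}")
        contents.append(value)
        pos = m.end()
    if not contents:
        raise ValueError("signature definition is empty")
    return Signature(name, protocol, contents)


def matches(sig: Signature, pkt: Packet) -> bool:
    return pkt.protocol == sig.protocol and all(
        c.encode() in pkt.payload for c in sig.contents)


def inspect_session(sig: Signature, action: str, packets: List[Packet]) -> Verdict:
    """Run one signature with one policy action over a whole session."""
    if action not in PACKET_ACTIONS | SESSION_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    v = Verdict()
    for i, pkt in enumerate(packets):
        v.scanned += 1
        if not matches(sig, pkt):
            v.delivered.append(i)
            continue
        # Every match is logged and alerted, whatever the action.
        v.alerts.append(f"{sig.name}: packet {i} matched, action={action}")
        if action == ALLOW_PACKET:
            v.delivered.append(i)       # forward it, keep inspecting the rest
        elif action == DROP_PACKET:
            pass                        # drop this packet only, keep inspecting
        elif action == DROP_SESSION:
            break                       # rest of the session dropped unscanned
        elif action == RESET:
            v.reset_sent = True         # TCP RST to the originator, then drop
            break
        else:                           # BYPASS_SESSION
            v.delivered.extend(range(i, len(packets)))  # rest forwarded unscanned
            break
    return v


# Constructed sample session: an FTP-style login whose second command trips
# the guide's example rule content:"USER JOHN";
SAMPLE_SESSION = [
    Packet("tcp", b"USER alice\r\n"),
    Packet("tcp", b"USER JOHN\r\n"),
    Packet("tcp", b"PASS hunter2\r\n"),
    Packet("tcp", b"LIST\r\n"),
]
SAMPLE_SIG = parse_custom_rule("ftp_user_john", "tcp", 'content:"USER JOHN";')

if __name__ == "__main__":
    for action in sorted(PACKET_ACTIONS | SESSION_ACTIONS):
        v = inspect_session(SAMPLE_SIG, action, SAMPLE_SESSION)
        print(f"{action:15} scanned={v.scanned} delivered={v.delivered} "
              f"reset={v.reset_sent} alerts={len(v.alerts)}")
```

Running it shows the practical difference the guide hints at: the two packet-based actions inspect all four packets (and Allow Packet still logs the match while forwarding it), whereas the three session-based actions stop inspecting at the second packet. Bypass Session then forwards the remaining two packets unscanned, which is why it should be reserved for signatures whose matches you have verified to be benign in your environment.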