
Cyberoam IPS Configuration Guide

Version 10
Version 7

Document Version 10.04.5.0007 - 30/11/2013
Document Version 10.04.4.0028 - 08/10/2013


Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

USERS LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances. You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for Cyberoam UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS
Copyright 1999 - 2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road, Ahmedabad 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com

Contents

Overview ..................................................... 6
IPS .......................................................... 7
    Cyberoam IPS ............................................. 7
Policy ....................................................... 9
    Policy ................................................... 10
Custom Signature ............................................. 15
    Custom Signature ......................................... 15


Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address:

Corporate Office
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off C.G. Road, Ahmedabad 380006, Gujarat, India
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.

Item | Convention | Example
Server | | Machine where Cyberoam Software - Server component is installed
Client | | Machine where Cyberoam Software - Client component is installed
User | | The end user
Username | | Username uniquely identifies the user of the system
Part titles | Bold and shaded font typefaces | Report
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | Group Management > Groups > Create means: to open the required page, click on Group Management, then on Groups, and finally click the Create tab
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name: replace policy name with the specific name of a policy. Or: Click Name to select, where Name denotes the command button text which is to be clicked
Cross references | Hyperlink in different color | refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember | Bold typeface between the black borders | Note
Prerequisites | Bold typefaces between the black borders | Prerequisite: Prerequisite details


Overview
Welcome to Cyberoam's IPS Implementation guide. Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions. Cyberoam's blend of best-of-breed solutions includes a user-based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN (IPSec and SSL).

Cyberoam provides increased LAN security by providing a separate port for connecting to publicly accessible servers such as Web, Mail and FTP servers hosted in the DMZ; these are visible to the external world and still have firewall protection.

Cyberoam is a real-time Intrusion Prevention System that protects your network from known and unknown attacks by worms and viruses, hackers and other Internet risks. The Cyberoam appliance at the perimeter of your network analyzes all traffic and prevents attacks from reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting your mail server or any other attack, it simply does not get through.

Note
The Intrusion Prevention System module is a subscription module that must be subscribed to before use. You can evaluate the features of the module by subscribing to its free trial.


IPS
An IPS is a type of security management system that gathers and analyzes information from a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). By monitoring network traffic, an IPS detects and/or prevents malicious activity such as Denial of Service attacks, port scans, or attempts to break into computers. To detect such activity, the IPS uses signatures. Whenever traffic matching a signature is found, the IPS triggers an alarm and blocks the traffic from reaching its destination.

A standard IPS allows defining a global policy that is applied to a combination of source/destination networks, hosts and ports. This global policy can be modified or tuned as required but cannot be tailored per network or per host. Because the global policy is a general policy for all traffic, standard IPSs generate a high number of false positives, which makes it difficult to pinpoint the host generating malicious traffic, or the host being targeted. Fine-tuning the global policy means disabling a set of signatures for all networks and hosts. This is not a fit-for-all policy: it may reduce false positives on one network while increasing them on another, and may fail to detect certain obvious malicious activity.

Note
All the screenshots in the Cyberoam User Guides have been taken from the NG series of appliances. The features and functionality, however, remain unchanged across all Cyberoam appliances.


Cyberoam IPS
Cyberoam IPS is a real-time Intrusion Prevention System (IPS) that protects your network from known and unknown attacks by worms and viruses, hackers and other internet risks. The Cyberoam appliance at the perimeter of your network analyzes all traffic and prevents attacks from reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting your mail server or any other attack, it simply does not get through.

The IPS consists of a signature engine with a predefined database of signatures and uses these signatures to identify malicious activity on the network. The predefined signatures cannot be modified.

To suit your network requirements, the appliance allows you to define multiple policies instead of one global policy, which decreases packet latency and reduces false positives. An IPS policy allows you to view the predefined signatures and customize the intrusion prevention configuration at the category level as well as at the individual signature level. Categories are groups of signatures based on application and protocol vulnerabilities. Instead of providing only a single (global) policy for managing multiple networks and hosts, the appliance lets you tailor a policy per network or host, i.e. define multiple policies for managing multiple networks and hosts. Defining multiple policies instead of a single global policy helps in decreasing packet latency and reducing false positives.

To enable Intrusion Detection and Prevention, apply an IPS Policy from a Firewall Rule. You can create rules to apply:
- a single policy for all users/networks
- different policies for different users/networks or hosts

As Firewall Rules control all traffic passing through the appliance and decide whether to allow or drop a connection, the IPS rule is applied only to traffic that passes through the Firewall.



Policy
The IPS consists of a signature engine with a predefined set of signatures. Signatures are patterns that are known to be harmful. The IPS compares traffic to these signatures and responds at high speed if it finds a match. Signatures included within Cyberoam are not modifiable.

Category
Signatures are organized in categories such as DNS, Finger, P2P, DDoS, and others. These signature categories are listed in the policy. You configure these categories to change the prevention and/or detection settings. To perform Intrusion Prevention and Detection, you need to enable IPS services for each category, i.e. you can configure attack threats for an individual signature only if the IPS service for its category is Enabled.

Each IPS Policy contains a set of signatures that Cyberoam searches for, logs, blocks or allows, and lets you:
- Enable or disable a category for IPS protection.
- Enable or disable an individual signature in a category to tailor IPS protection to your network environment.
- Define the action to be taken when the matching traffic pattern is found. Cyberoam can either detect or drop the connection. In either case, Cyberoam generates a log entry and alerts the Network Administrator.

The IPS provides five actions for managing attack threats (the action taken if a signature matches):
- Allow Packet: Cyberoam allows the packet to reach its intended destination.
- Drop Packet: Cyberoam drops the packet if it detects any traffic that matches the signature.
- Drop Session: Cyberoam drops the entire session if it detects any traffic that matches the signature.
- Reset: Cyberoam resets the entire session if it detects any traffic that matches the signature.
- Bypass Session: Cyberoam allows all the session packets if it detects any traffic that matches the signature.

For packet-based actions, Cyberoam checks each packet before taking the action, while for session-based actions only the first packet is checked and the action is taken. In the case of Reset, a TCP reset packet is sent to the originator. In all cases, Cyberoam generates a log entry and alerts the Network Administrator.

To save resources and avoid latency, set the action to Bypass Session or Allow Session: if the initial packets match the signature, the rest of the session packets are not scanned at all. To avoid a high number of alerts and save resources, set the action to Drop Session: if Cyberoam identifies an attack in the initial packets, it terminates the entire session instead of scanning all the session packets.



Policy
The Policy tab allows you to view IPS signatures and configure the handling of signatures by category or on a signature-by-signature basis. Create and deploy IPS policies to block malicious or suspicious traffic and increase security and productivity.

Cyberoam provides the following pre-defined policies, which can be used directly or modified as per your requirement:
- generalpolicy
- lantowan strict policy
- lantowan general policy
- dmzpolicy

To configure IPS Policies, go to IPS > Policy > Policy. You can:

Add
View
Edit: Click the Edit icon in the Manage column against the IPS Policy to be modified. Edit IPS Policy is displayed in a new window, which has the same parameters as the Add IPS Policy window.
Enable/Disable Individual Signature: Click the Edit icon in the Manage column against the IPS Policy in which signature matching is to be enabled or disabled. Search for the signature category, or click the Category name under which the signature is included. Change the action for the required signature.
Delete: Click the Delete icon in the Manage column against the IPS Policy to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the IPS Policy. To delete multiple IPS Policies, select them and click the Delete button.

Manage Policies

Screen Manage IPS Policies


Screen Element | Description
Add Button | Add a new IPS Policy.
Name | Displays the name of the IPS Policy.
Description | Displays the description of the IPS Policy.
Edit Icon | Edit the IPS Policy.
Delete Button | Delete the IPS Policy. Alternately, click the Delete icon against the policy to be deleted.
Table Manage IPS Policies screen elements


IPS Policy Parameters


To add or edit IPS policies, go to IPS > Policy > Policy. Click the Add button to add a new policy, or the Edit icon to modify the details of an existing policy. The IPS Policy parameters are given below.

Screen Add IPS Policy


Screen Element | Description
Name | Specify a name to identify the IPS Policy.
Description | Provide the IPS Policy description.
Category | Enable or Disable the categories from the list of default categories to include or exclude them in the policy. By default, all the categories are enabled. Enable to include the category for detection and/or prevention. If the Category is enabled for detection and/or prevention, Cyberoam provides maximum granularity by allowing you to change the prevention and detection settings of individual signatures within the category. Disable to exclude the category from detection and/or prevention. Excluding the category is the same as not implementing IPS for that particular category.
Table Add IPS Policy screen elements


Enable/Disable Signature
Go to IPS > Policy > Policy and click on the policy in which the signature is to be enabled or disabled. Click a category to view the list of signatures grouped under it, and define the action to be taken when the matching traffic pattern is detected.

Screen Enable/Disable Individual Signature

Screen Element | Description
Enable | Check against the category to enable the policy.
Signature ID | Displays the unique Signature ID.
Signature Name | Displays the name of the Signature.
Recommended Action | The recommended action is set by Cyberoam and cannot be modified. It is the default action that Cyberoam will take when the matching traffic pattern is detected.
Actions | You can define a global action for all the signatures included in the category, or define the action for an individual signature in the category. To set the global action, select the action against Set Common Action; otherwise select the action against the individual signature. Available Options: Allow Packet, Drop Packet, Drop Session, Reset, Bypass Session. If a global action is configured, the action is taken when traffic matching any of the signatures included in the category is detected.
Table Enable/Disable Individual Signature screen elements

Custom Signature
Custom Signatures provide the flexibility to customize the IPS for diverse network environments. The predefined signatures included in Cyberoam cover common attacks, while Custom Signatures protect your network from uncommon attacks that arise from the use of a proprietary server, a custom protocol, or specialized applications used in the corporate network.

Custom Signature
Create Custom Signatures for the proprietary servers, custom protocols, or specialized applications used in the corporate network to protect your network. To create and manage Custom IPS Signatures, go to IPS > Custom Signature > Custom Signature. You can:

Add
View
Edit: Click the Edit icon in the Manage column against the Custom Signature to be modified. The Edit Custom Signature window is displayed, which has the same parameters as the Add Custom Signature window.
Delete: Click the Delete icon in the Manage column against the Custom Signature to be deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the Custom Signature. To delete multiple Custom Signatures, select them and click the Delete button.


Manage Custom Signatures


To manage Custom IPS Signatures, go to IPS > Custom Signature > Custom Signature.

Screen Manage Custom Signatures

Screen Element | Description
Add Button | Add a new Custom Signature.
Name | Displays the name of the Custom Signature.
Edit Icon | Edit the Custom Signature.
Delete Button | Delete the Custom Signature.
Table Manage Custom Signatures screen elements


Custom Signature Parameters


To add Custom IPS Signatures, go to IPS > Custom Signature > Custom Signature.

Screen Add Custom Signature

Screen Element | Description
Name | Specify a name to identify the Custom Signature.
Protocol | Select the signature protocol from the list.
Custom Rule | Specify the signature definition. The signature definition must begin with a keyword followed by the value enclosed between double quotes, and must end with a semicolon (;). Format: Keyword:"value"; For example, content:"USER JOHN"; If traffic with the content USER JOHN is detected, the action defined in the policy is taken. Refer to Appendix B IPS - Custom Signature Syntax for more details on creating signatures.
Severity | Select the level of severity from the available options: Critical, Major, Moderate, Minor, Warning.
Action | Configure the action that should be taken for the selected policy when the matching pattern is found. All the default and custom policies are displayed and available for configuration. Select the policy to be applied and configure the action to be taken for that policy when the matching pattern is found. Select the Default Mode policy when you want to configure the same action for all the IPS policies. Override the action configured in the Default Mode policy by selecting an action for an individual policy. Available Actions: Allow Packet (the Appliance checks each packet before taking action); Drop Packet (the Appliance does not check each packet before taking action); Drop Session (the entire session is terminated instead of scanning all the session packets, to save resources and avoid a high number of alerts); Reset (a TCP reset packet is sent to the originator); Bypass Session (when Bypass Session or Allow Session is set, only the initial packets are matched, to save resources and avoid latency). In all cases, Cyberoam generates a log entry and alerts the Network Administrator.
Table Add Custom Signature screen elements
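The following is an added example, not code from the guide or from the Cyberoam appliance. It validates the Custom Rule format described above (keyword:"value"; pairs, only the content keyword evaluated) and then simulates how the five actions from the Policy section treat a constructed session, showing the packet-based versus session-based difference in how many packets get scanned. Chaining several pairs, and continuing to scan until the first match under a session-based action, are assumptions of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Custom Rule syntax as the guide states it: keyword:"value"; (chaining several
# pairs is an assumption of this example; only the "content" keyword is evaluated).
RULE_TOKEN = re.compile(r'\s*([A-Za-z_]+):"((?:[^"\\]|\\.)*)";')

def parse_custom_rule(rule: str) -> list[tuple[str, str]]:
    """Split a signature definition into (keyword, value) pairs; reject malformed input."""
    rule, pos, pairs = rule.strip(), 0, []
    if not rule:
        raise ValueError("empty signature definition")
    while pos < len(rule):
        m = RULE_TOKEN.match(rule, pos)
        if m is None:  # missing quotes, missing trailing ';' or no keyword
            raise ValueError(f"bad syntax at offset {pos}: {rule[pos:pos + 20]!r}")
        pairs.append((m.group(1).lower(), m.group(2)))
        pos = m.end()
    return pairs

def matches(pairs: list[tuple[str, str]], payload: bytes) -> bool:
    """A packet matches when every content value occurs in its payload."""
    contents = [v.encode() for k, v in pairs if k == "content"]
    return bool(contents) and all(c in payload for c in contents)

@dataclass
class Verdict:
    scanned: int = 0                                    # packets actually inspected
    delivered: list[int] = field(default_factory=list)  # indexes of forwarded packets
    alerts: list[int] = field(default_factory=list)     # indexes that produced a log entry
    reset_sent: bool = False                            # TCP reset sent to the originator

def run_session(rule: str, action: str, packets: list[bytes]) -> Verdict:
    """Apply one IPS action to a session's packets, following the packet-based vs
    session-based distinction from the Policy section. Assumption: under a
    session-based action, packets are scanned until the first match."""
    pairs, v, decided = parse_custom_rule(rule), Verdict(), None
    for i, pkt in enumerate(packets):
        if decided == "drop":       # Drop Session / Reset: remainder terminated, not scanned
            continue
        if decided == "bypass":     # Bypass Session: remainder forwarded, not scanned
            v.delivered.append(i)
            continue
        v.scanned += 1
        hit = matches(pairs, pkt)
        if hit:
            v.alerts.append(i)      # every action logs and alerts the administrator
        if not hit or action == "Allow Packet":
            v.delivered.append(i)
        elif action == "Drop Packet":
            pass                    # only this packet is dropped; the next is scanned again
        elif action == "Bypass Session":
            v.delivered.append(i)
            decided = "bypass"
        elif action in ("Drop Session", "Reset"):
            decided = "drop"
            v.reset_sent = action == "Reset"
        else:
            raise ValueError(f"unknown action {action!r}")
    return v

# Constructed sample session: a plaintext login exchange containing the guide's example content.
SAMPLE = [b"USER JOHN\r\n", b"PASS secret\r\n", b"USER JOHN\r\n"]
```

Running the five actions over SAMPLE shows Drop Packet and Allow Packet scanning all three packets, while Drop Session, Reset and Bypass Session stop scanning after the first match, which is the resource and latency trade-off the Policy section describes.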
