Administrator's Guide


COMPREHENSIVE INTERNET SECURITY
SonicWALL Intrusion Prevention Service Administrator's Guide

Table of Contents

Preface
Copyright Notice
Limited Warranty
About this Guide
Guide Conventions
Icons Used in this Guide
SonicWALL Technical Support
North America Telephone Support
International Telephone Support
Intrusion Prevention Service
SonicWALL IPS Features
SonicWALL Deep Packet Inspection
How SonicWALL's Deep Packet Inspection Architecture Works
SonicWALL IPS Terminology
SonicWALL IPS Activation
mysonicwall.com
Activating SonicWALL IPS
Activating the SonicWALL IPS FREE TRIAL
Security Services>Intrusion Prevention
IPS Status
IPS Status (SonicOS Standard)
IPS Status (SonicOS Enhanced)
IPS Settings
Enabling IPS
Detection and Prevention
IPS Signature Groups
Log Redundancy Filter
IPS Signature Updates
Resetting IPS Configuration to Default
IPS Policies
Displaying Signatures
Navigating the IPS Policies Table
Searching the Signature Database
Editing IPS Signature Settings
Overriding Global Detection and Prevention Settings
Displaying Comprehensive Information about the Vulnerability
Resetting IPS Configuration to Default
Managing False Positives
IPS Inspection of VPN/Encrypted Traffic
Enabling IPS on Interfaces or Zones
Enabling IPS by Interface (SonicOS Standard)
Enabling IPS on Zones (SonicOS Enhanced)
Enabling IPS on a Zone
IPS Logging
Protocol and Port Level Alerts and Attacks
Attacks Logging Category
Legacy Attacks
Back Orifice Attack
IniKiller Attack
IP Spoof
Land Attack
NetBus Attack
NetSpy Attack
Ping of Death
Port Scan
Priority Attack
Ripper Attack
Senna Spy Attack
Smurf Attack
Spank Attack
Striker Attack
SubSeven Attack
SYN Flood Attack
Stealth Scanning
TCP FIN Scan (Probable)
TCP XMAS Scan (Probable) Fragments
FTP PASV Response Spoof Attack
FTP Port Bounce Attack
Index

Preface

Copyright Notice

2004 SonicWALL, Inc. All rights reserved. Under the copyright laws, this manual or the software described within, can not be copied, in whole or part, without the written consent of the manufacturer, except in the normal use of the software to make a backup copy. The same proprietary and copyright notices must be affixed to any permitted copies as were affixed to the original. This exception does not allow copies to be made for others, whether or not sold, but all of the material purchased (with all backup copies) can be sold, given, or loaned to another person. Under the law, copying includes translating into another language or format. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein can be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice.

Limited Warranty

SonicWALL, Inc. warrants that commencing from the delivery date to Customer (but in any case commencing not more than ninety (90) days after the original shipment by SonicWALL), and continuing for a period of twelve (12) months, that the product will be free from defects in materials and workmanship under normal use. This Limited Warranty is not transferable and applies only to the original end user of the product. SonicWALL and its suppliers' entire liability and Customer's sole and exclusive remedy under this limited warranty will be shipment of a replacement product. At SonicWALL's discretion the replacement product may be of equal or greater functionality and may be of either new or like-new quality. SonicWALL's obligations under this warranty are contingent upon the return of the defective product according to the terms of SonicWALL's then-current Support Services policies. This warranty does not apply if the product has been subjected to abnormal electrical stress, damaged by accident, abuse, misuse or misapplication, or has been modified without the written permission of SonicWALL.

DISCLAIMER OF WARRANTY. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, SATISFACTORY QUALITY OR ARISING FROM A COURSE OF DEALING, LAW, USAGE, OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAW. TO THE EXTENT AN IMPLIED WARRANTY CANNOT BE EXCLUDED, SUCH WARRANTY IS LIMITED IN DURATION TO THE WARRANTY PERIOD. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS, AND YOU MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. This disclaimer and exclusion shall apply even if the express warranty set forth above fails of its essential purpose.

DISCLAIMER OF LIABILITY. SONICWALL'S SOLE LIABILITY IS THE SHIPMENT OF A REPLACEMENT PRODUCT AS DESCRIBED IN THE ABOVE LIMITED WARRANTY. IN NO EVENT SHALL SONICWALL OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF INFORMATION, OR OTHER PECUNIARY LOSS ARISING OUT OF THE USE OR INABILITY TO USE THE PRODUCT, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE HARDWARE OR SOFTWARE EVEN IF SONICWALL OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. In no event shall SonicWALL or its suppliers' liability to Customer, whether in contract, tort (including negligence), or otherwise, exceed the price paid by Customer. The foregoing limitations shall apply even if the above-stated warranty fails of its essential purpose. BECAUSE SOME STATES OR JURISDICTIONS DO NOT ALLOW LIMITATION OR EXCLUSION OF CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

About this Guide

Welcome to the SonicWALL Intrusion Prevention Service Administrator's Guide. This manual provides the information you need to successfully activate, configure, and administer SonicWALL Intrusion Prevention Service. The audience for this guide is administrators who are familiar with the features, functions, and operating characteristics of SonicWALL Internet Security Appliances. SonicWALL Intrusion Prevention Service is available for the SonicWALL TZ 170 and PRO Series (PRO 2040, PRO 3060, and PRO 4060) SonicWALL Internet Security Appliances running SonicOS Standard or Enhanced 2.2 (or higher).

Guide Conventions

Conventions used in this guide are as follows:

Convention - Use
Bold - Highlights items you can select on the SonicWALL Management Interface.
Italic - Highlights a value to enter into a field. For example, type in the IP Address field.
Top Level Menu Button>Submenu Item - Indicates a multiple step Management Interface menu choice. For example, Security Services>Content Filter means select Security Services, then select Content Filter.

Icons Used in this Guide

These special messages refer to noteworthy information, and include a symbol for quick identification:

Alert! Important information that cautions about features affecting firewall performance, security features, or causing potential problems with your SonicWALL.
Tip! Useful information about security features and configurations on your SonicWALL.
Note: Important information on a feature that requires callout for special attention.

SonicWALL Technical Support

For timely resolution of technical support questions, visit SonicWALL on the Internet at < Web-based resources are available to help you resolve most technical issues or contact SonicWALL Technical Support. To contact SonicWALL telephone support, see the telephone numbers listed below:

North America Telephone Support

U.S./Canada or

International Telephone Support

Australia Austria (0) EMEA - +31(0) France (0) Germany (0) Hong Kong India Italy Japan (0) New Zealand Singapore Spain (0) Switzerland UK - +44(0)

Note: Please visit < for the latest technical support telephone numbers.

Intrusion Prevention Service

SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits. The extensible signature language used in SonicWALL's Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWALL IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWALL's industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.

SonicWALL IPS is managed directly from the SonicWALL Security Appliance. Alternatively, SonicWALL Global Management System (SonicWALL GMS) provides global management capabilities that enable administrators to manage SonicWALL IPS across multiple SonicWALL Security Appliances from a central location. SonicWALL GMS and SonicWALL ViewPoint solutions allow administrators to create detailed reports based on attack source, destination and type of intrusion, such as Top Intrusions, Destinations Over Time and Intrusions Over Time.

Note: SonicWALL Intrusion Prevention Service is available for the SonicWALL TZ 170 and PRO Series (PRO 2040, PRO 3060, and PRO 4060) SonicWALL Internet Security Appliances running SonicOS Standard or Enhanced 2.2 (or higher). SonicWALL offers two versions of SonicWALL IPS for the SonicWALL TZ 170: SonicWALL IPS for TZ 170 and SonicWALL IPS Basic for TZ 170. Designed for small offices, the Basic version does not provide application level signature support for servers. Otherwise, the two versions are the same.

SonicWALL IPS Features

High Performance Deep Packet Inspection Technology - SonicWALL's Intrusion Prevention Service features a configurable, high-performance Deep Packet Inspection engine that uses parallel searching algorithms on incoming packets through the application layer to deliver increased attack prevention capabilities over those supplied by traditional stateful packet inspection firewalls. By performing all of the matching on packets, SonicWALL IPS eliminates the overhead of having to reassemble the data stream. Parallel processing reduces the impact on the processor and maximizes available memory for exceptional performance on SonicWALL appliances.

Inter-Zone Intrusion Prevention - SonicWALL IPS provides an additional layer of protection against malicious threats by allowing administrators to enforce intrusion prevention not only between each network zone and the Internet, but also between internal network zones. This is performed by enabling intrusion prevention on inbound and outbound traffic between trusted zones (SonicOS Enhanced).

Extensive Signature Database - SonicWALL IPS utilizes an extensive database of over 1,700 attack and vulnerability signatures written to detect and prevent intrusions, worms, application exploits, as well as peer-to-peer and instant messaging traffic. The SonicWALL Deep Packet Inspection engine can also read signatures written in the popular Snort format, allowing SonicWALL to easily incorporate new signatures as they are published by third parties. SonicWALL maintains a current and robust signature database by incorporating the latest available signatures from thousands of open source developers and by continually developing new signatures for application vulnerabilities that are not immediately available or provided by open source.

Dynamically Updated Signature Database - SonicWALL IPS includes automatic signature updates delivered through SonicWALL's Distributed Enforcement Architecture (DEA), providing protection from emerging threats and lowering total cost of ownership. Updates to the signature database are dynamic for SonicWALL firewalls under an active subscription.

Scalable - SonicWALL IPS is a scalable solution for SonicWALL TZ 170 and PRO Series Appliances that secures small, medium and large networks with complete protection from application exploits, worms and malicious traffic.

Application Control - SonicWALL IPS provides the ability to prevent Instant Messaging and Peer-to-Peer file sharing programs from operating through the firewall, closing a potential backdoor that can be used to compromise the network while also improving employee productivity and conserving Internet bandwidth.

Simplified Deployment and Management - SonicWALL IPS allows network administrators to quickly and easily manage the service within minutes. Administrators can create global policies between security zones and interfaces as well as group attacks by priority, simplifying deployment and management across a distributed network.

Granular Policy Management - SonicWALL IPS provides administrators with a range of granular policy tools to enforce IPS on a global, group, or individual signature level to enable more control and reduce the number of false positives. SonicWALL IPS also allows administrators to choose between detection, prevention, or both to tailor policies for their specific network environment.

Logging and Reporting - SonicWALL IPS offers comprehensive logging of all intrusion attempts with the ability to filter logs based on priority level, enabling administrators to highlight high priority attacks. Granular reporting based on attack source, destination and type of intrusion is available through SonicWALL ViewPoint and Global Management System. A hyperlink of the intrusion brings up the signature window for further information from the SonicWALL appliance log.

Management by Risk Category - SonicWALL IPS allows you to enable/disable detection or prevention based on the priority level of attack through High, Medium, or Low predefined priority groups.

Detection Accuracy - SonicWALL IPS detection and prevention accuracy is achieved by minimizing both false positives and false negatives. Signatures are written around applications, such as Internet Explorer or SQL Server, rather than ports or protocols to ensure that malicious code targeting them is correctly identified and prevented.

SonicWALL Deep Packet Inspection

Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator. Intrusion prevention finds the anomalies in the traffic and reacts to them, preventing the traffic from passing through.

Deep Packet Inspection is a technology that allows a SonicWALL Security Appliance to classify passing traffic based on rules. These rules include information about layer 3 and layer 4 content of the packet as well as the information that describes the contents of the packet's payload, including the application data (for example, an FTP session, an HTTP Web browser session, or even a middleware database connection). This technology allows the administrator to detect and log intrusions that pass through the SonicWALL Security Appliance, as well as prevent them (i.e. dropping the packet or resetting the TCP connection). SonicWALL's Deep Packet Inspection technology also correctly handles TCP fragmented byte stream inspection as if no TCP fragmentation has occurred.

How SonicWALL's Deep Packet Inspection Architecture Works

Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWALL Intrusion Prevention Service. SonicWALL's Deep Packet Inspection technology enables dynamic signature updates pushed from the SonicWALL Distributed Enforcement Architecture.

The following steps describe how the SonicWALL Deep Packet Inspection Architecture works:

1. Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent against known and unknown protocols, applications and exploits.
2. TCP packets arriving out-of-order are reassembled by the Deep Packet Inspection framework.
3. Deep Packet Inspection engine preprocessing involves normalization of the packet's payload. For example, an HTTP request may be URL encoded and thus the request is URL decoded in order to perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform actions which may either simply pass the packet without modification, or could drop a packet or could even reset a TCP connection.
5. SonicWALL's Deep Packet Inspection framework supports complete signature matching across the TCP fragments without performing any reassembly (unless the packets are out of order). This results in more efficient use of processor and memory for greater performance.

If TCP packets arrive out of order, the SonicWALL IPS engine reassembles them before inspection. However, SonicWALL's IPS framework supports complete signature matching across the TCP fragments without having to perform complete reassembly. SonicWALL's unique reassembly-free matching solution dramatically reduces CPU and memory resource requirements.
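The sketch below is an added example, not SonicWALL's engine and not code from this guide. It shows one generic way to get the behaviour of steps 2, 3 and 5: an Aho-Corasick automaton whose state is carried from one TCP segment to the next, a streaming URL decoder, and a holding area used only when a segment arrives ahead of a gap. The signature names, patterns and request are constructed, and overlapping or retransmitted segments are assumed not to occur.

```python
from collections import deque

HEX = b"0123456789abcdefABCDEF"
# Constructed demo signatures and request (assumptions, not vendor content).
SIGNATURES = {"DEMO-TRAVERSAL": b"../..", "DEMO-CMD": b"cmd.exe"}
REQUEST = b"GET /scripts/%2e%2e/%2e%2e/cmd.exe HTTP/1.0\r\n"


class Automaton:
    """Aho-Corasick automaton over bytes for a fixed signature set."""

    def __init__(self, signatures):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for name, pattern in signatures.items():
            s = 0
            for b in pattern:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(name)
        queue = deque(self.goto[0].values())
        while queue:  # breadth-first, so shallower failure links are ready
            s = queue.popleft()
            for b, t in self.goto[s].items():
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                self.out[t] = self.out[t] + self.out[self.fail[t]]
                queue.append(t)

    def step(self, state, b):
        while state and b not in self.goto[state]:
            state = self.fail[state]
        return self.goto[state].get(b, 0)


class FlowInspector:
    """Per-connection state: one automaton state, an unfinished %XX escape,
    and any segments that arrived ahead of a gap."""

    def __init__(self, automaton):
        self.ac = automaton
        self.state = 0
        self.pending = b""   # at most two bytes of a split %XX escape
        self.next_seq = 0    # next in-order byte offset expected
        self.held = {}       # out-of-order segments keyed by offset

    def feed(self, seq, payload):
        """Accept one segment; return the signature names it completes."""
        self.held[seq] = payload
        hits = []
        while self.next_seq in self.held:  # drain whatever is now in order
            chunk = self.held.pop(self.next_seq)
            self.next_seq += len(chunk)
            hits += self.scan(chunk)
        return hits

    def scan(self, chunk):
        data = self.pending + chunk
        self.pending = b""
        hits, i = [], 0
        while i < len(data):
            b = data[i]
            if b == 0x25:                      # '%': maybe a URL escape
                if i + 3 > len(data):          # escape split across segments
                    self.pending = data[i:]
                    break
                if data[i + 1] in HEX and data[i + 2] in HEX:
                    b = int(data[i + 1:i + 3], 16)
                    i += 2
            self.state = self.ac.step(self.state, b)
            hits += self.ac.out[self.state]
            i += 1
        return hits


def split(payload, cuts):
    """Cut payload at the given byte offsets into (offset, bytes) segments."""
    edges = [0, *cuts, len(payload)]
    return [(a, payload[a:b]) for a, b in zip(edges, edges[1:])]


def inspect(segments):
    """Hits reported as each (offset, payload) segment is delivered."""
    flow = FlowInspector(Automaton(SIGNATURES))
    return [flow.feed(seq, payload) for seq, payload in segments]


def per_packet_raw(segments):
    """Baseline: search each raw packet on its own, no state, no decoding."""
    return [n for _, p in segments for n, pat in SIGNATURES.items() if pat in p]


if __name__ == "__main__":
    segs = split(REQUEST, [17, 29])  # cuts fall inside "%2e" and "cmd.exe"
    print(per_packet_raw(segs))
    print(inspect(segs))
    print(inspect([segs[0], segs[2], segs[1]]))
```

In-order payload is never buffered: the only per-flow memory is the automaton state and at most two bytes of a split escape, which is the resource saving the passage describes.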

SonicWALL IPS Terminology

Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol and IP address.
Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
Intrusion Detection - a process of identifying and flagging malicious activity aimed at information technology.
False Positive - a falsely identified attack traffic pattern.
Intrusion Prevention - finding anomalies and malicious activity in traffic and reacting to it.
Snort - an open source network intrusion detection system. SonicWALL IPS includes open-source Snort signatures, as well as signatures from other signature databases, and SonicWALL created signatures. SonicWALL does not use the Snort engine.
Signature - code written to detect and prevent intrusions, worms, application exploits, and Peer-to-Peer and Instant Messaging traffic.

SonicWALL IPS Activation

If you do not have SonicWALL IPS activated on your SonicWALL, you must purchase SonicWALL IPS from a SonicWALL reseller or through your mysonicwall.com account (limited to customers in the USA and Canada). If you do not have SonicWALL IPS installed on your SonicWALL, the Security Services>Intrusion Prevention page indicates an upgrade is required and includes a link to activate your IPS subscription from the SonicWALL Management Interface or to activate a FREE TRIAL of SonicWALL IPS.

Note: You must have SonicOS Standard or Enhanced 2.2 (or higher) to activate SonicWALL IPS, and your SonicWALL must be registered on mysonicwall.com.

mysonicwall.com delivers a convenient, one-stop resource for registration, activation, and management of your SonicWALL products and services. Your mysonicwall.com account provides a single profile to do the following:

Register your SonicWALL Internet Security Appliances
Purchase/Activate SonicWALL Security Services and Upgrades
Receive SonicWALL firmware and security service updates and alerts
Manage (change or delete) your SonicWALL security services
Access SonicWALL Technical Support

Creating a mysonicwall.com account is easy and free. Simply complete an online registration form. Once your account is created, you can register SonicWALL Internet Security Appliances and activate any SonicWALL Security Services associated with the SonicWALL. Your mysonicwall.com account is accessible from any Internet connection with a Web browser using the HTTPS (Hypertext Transfer Protocol Secure) protocol to protect your sensitive information. You can also access mysonicwall.com license and registration services directly from the SonicWALL management interface for increased ease of use and simplified services activation.

If you activated SonicWALL IPS at mysonicwall.com, the SonicWALL IPS activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services>Summary page to update your SonicWALL.

Activating SonicWALL IPS

If you have an Activation Key for your SonicWALL IPS, follow these steps to activate IPS:

1. Click the SonicWALL IDP Subscription link on the Security Services>Intrusion Prevention page. The mysonicwall.com Login page is displayed.
2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System>Licenses page is displayed. If your SonicWALL is already registered to your mysonicwall.com account, the System>Licenses page appears after you click the SonicWALL IPS Subscription link.
3. Click Activate or Renew in the Manage Service column in the Manage Services Online table. Type in the Activation Key in the New License Key field and click Submit. Your SonicWALL IPS subscription is activated on your SonicWALL.

If you activated the SonicWALL IPS subscription on mysonicwall.com, the SonicWALL IPS activation is automatically enabled on your SonicWALL within 24 hours, or you can click the Synchronize button on the Security Services>Summary page to update your SonicWALL.

Activating the SonicWALL IPS FREE TRIAL

To try a FREE TRIAL of SonicWALL IPS, follow these steps:

1. Click the FREE TRIAL link. The mysonicwall.com Login page is displayed.
2. Enter your mysonicwall.com account username and password in the User Name and Password fields, then click Submit. The System>Licenses page is displayed. If your SonicWALL is already connected to your mysonicwall.com account, the System>Licenses page appears after you click the FREE TRIAL link.
3. Click FREE TRIAL in the Manage Service column in the Manage Services Online table. Your SonicWALL IPS trial subscription is activated on your SonicWALL.

Security Services>Intrusion Prevention

The Security Services>Intrusion Prevention page provides access to all the settings for configuring IPS on your SonicWALL.

IPS Status

The IPS Status section provides status information about the IPS signature database and your service expiration date.

Signature Database - indicates the signature database has been downloaded to the SonicWALL.
Signature Database Last Updated - displays the date and time the signature database was last updated. This is a timestamp for updates to the signature database, not updates to the SonicWALL Security Appliance, which automatically checks hourly for new IPS signature updates.
IPS Service Expiration Date - displays your SonicWALL IPS expiration date. If your IPS subscription expires, the IPS inspection is stopped and the IPS configuration settings are removed from the SonicWALL. These settings are automatically restored to the previously configured state after you renew your IPS license.

IPS Status (SonicOS Standard)

If the SonicWALL is running SonicOS Standard, the message Warning: No Interfaces have been IPS enabled. You enable IPS on the SonicWALL interfaces in the IPS Settings section. See Enabling IPS by Interface (SonicOS Standard) on page 19.

IPS Status (SonicOS Enhanced)

If you're using SonicOS Enhanced, the IPS Status section displays a link to the Network>Zones page for enabling IPS on Zones. See Enabling IPS on Zones (SonicOS Enhanced) on page 19.

IPS Settings

The IPS Settings section provides configuration options for managing global IPS settings. The Signature Groups table allows you to easily enable intrusion detection and prevention globally for five pre-defined signature groups.

Alert! After making any changes in the Signature Groups table, you must click Apply to save your changes.

Enabling IPS

If your SonicWALL is running SonicOS Standard, check the Enable IPS on Interface checkbox above the Signature Groups table and then click Apply to enable SonicWALL IPS. You can then enable IPS on the WAN, LAN and DMZ interfaces. On the SonicWALL TZ 170, the DMZ interface is labeled OPT. If your SonicWALL is running SonicOS Enhanced, check the Enable IPS checkbox and then click Apply.

Detection and Prevention

SonicWALL IPS provides two methods for managing attack threats: detection and prevention. Intrusion detection just tells you something is wrong, but prevention actually does something about it.

If Detect All is enabled for a signature group in the IPS Settings table, the SonicWALL logs and alerts any traffic that matches any signature in the group, but does not take any action against the traffic. The connection proceeds to its intended destination. You view the SonicWALL log on the Log>View page and configure how alerts are handled by the SonicWALL on the Log>Automation page.

If Prevent All is enabled for a signature group in the IPS Settings table, the SonicWALL automatically drops and resets the connection, to prevent the traffic from reaching its destination.

Note: If you select only Prevent All without selecting Detect All, the SonicWALL prevents attacks but does not log signature events.

If Detect All and Prevent All are both enabled for a signature group in the IPS Settings table, the SonicWALL logs and alerts any traffic that matches any signature in the group, and automatically drops and resets the connection, to prevent the traffic from reaching its destination.

Note: For more information on IPS logging, see IPS Logging on page 21.

IPS Signature Groups

SonicWALL IPS allows you to enable/disable detection and/or prevention based on the priority level of the attack through High, Medium or Low predefined priority signature groups, as well as Instant Messaging and Peer-to-Peer applications. These predefined signature group categories allow you to manage your risks and reduce false positives. SonicWALL IPS includes the following signature groups:

High Priority Attacks - These attacks are the most dangerous to your network. They can take down your entire network or disable servers, such as various Backdoor, DDoS, and DOS attacks.
Medium Priority Attacks - These attacks can cause disruption to your network, such as increased network traffic that slows down performance. For example, various DNS, FTP, and Telnet attacks.
Low Priority Attacks - These attacks are characterized more as informational events, such as various Scan, RPC, and SMTP attacks.
IM (Instant Messaging) Applications - These signatures protect your network from the vulnerabilities of Instant Messaging applications, such as ICQ, MSN, IRC, AIM, Yahoo, and QQ.
P2P (Peer-to-Peer) Applications - These signatures protect your network from the vulnerabilities of P2P applications, such as Gnutella, FastTrack, Kazaa, Morpheus, and eDonkey.

Tip! It's recommended you enable Prevent All for High Priority Attacks and Medium Priority Attacks as minimum intrusion prevention configuration.

Within the five signature groups, SonicWALL IPS breaks down attacks into categories spread across the groups. Within the categories are all the IPS signatures. Both categories and signatures change based on new signature updates in response to new forms of attacks. You can display signatures and categories in the IPS Policies table.

Log Redundancy Filter

The Log Redundancy Filter (seconds) field allows you to define the time in seconds that the same attack is logged as a single entry in the SonicWALL log. Various attacks are often rapidly repeated, which can quickly fill up a log if each attack is logged. The default 60 seconds entry for Low Priority Attacks in the Log Redundancy Filter (seconds) field is recommended because of the relatively high volume of these types of signature triggers. You can view and manage the SonicWALL log events by clicking on the Log button in the Management Interface. The Log>View page displays the log contents.

Tip! For the more critical High Priority and Medium Priority attacks as well as IM and P2P vulnerability signatures, it's recommended you use the default 0 setting to deal with the threat immediately.

Note: See the Administrator's Guide for your SonicWALL for more information on managing the SonicWALL log.

IPS Signature Updates

By default, the SonicWALL Security Appliance running SonicWALL IPS automatically checks the SonicWALL signature servers once an hour. There is no need for an administrator to constantly check for new signature updates. You can also manually update your SonicWALL IPS database at any time by clicking the Update IPS Signature Database button located at the bottom left corner of the Signature Groups table in the IPS Settings section.

SonicWALL IPS signature updates are secured. The SonicWALL Security Appliance must first authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement Architecture licensing registration. The signature request is transported through HTTPS, along with full server certificate verification.

Note: Signature Database Timestamp displays the last update to the SonicWALL IPS signature database, not the last update to your SonicWALL.

Resetting IPS Configuration to Default

Clicking the Reset IPS Settings and Policies button resets all the SonicWALL IPS settings to the default global settings. It removes all custom IPS signature settings you created in the Edit IPS Signature window and resets the global Prevent All and Detect All settings and the Log Redundancy Filter (seconds) settings.

IPS Policies

The IPS Policies section of the Security Services>Intrusion Prevention page allows you to view the entire contents of the signature database and override the SonicWALL IPS Global Settings for each signature, as defined in the Signature Groups table. You can enable or disable detection and prevention for each individual signature. All the entries displayed in the IPS Policies section are from the IPS signature database downloaded to your SonicWALL.

Alert! Use caution when changing the global settings for individual attack signatures because they override the global settings, which may result in creating vulnerabilities.

Note: You cannot create custom signatures in SonicWALL IPS.

Note: Signature groups and individual signature entries in the database change over time in response to new threats.

Displaying Signatures

You can display the signatures in a variety of views using the View Style menus. The Category menu allows you to display specific signature categories, such as BACKDOOR, DDOS, and WEB-ATTACKS. For example, selecting BACKDOOR displays all the signatures from the BACKDOOR category. Selecting All categories from the Category menu displays all of the signatures by category. The Priority menu allows you to specify All the signatures associated with the category, or display only signatures that fall within the High Priority Attacks, Medium Priority Attacks, and Low Priority Attacks signature groups.

The IPS Policies table displays the following information about each attack signature entry:

Signature/Attack Name - The name of the attack signature.
ID - The SonicWALL database ID number of the signature.
Detect - A check mark in this column indicates Detect is enabled.
Prevent - A check mark in this column indicates Prevent is enabled.
Priority - Defines the attack signature as Low, Medium, or High as defined for the Signature Groups table.
Configure - Clicking the Notepad icon in this column displays the Edit IPS Signature window, which allows you to define a different action from the global settings for the specific signature.

Navigating the IPS Policies Table

The IPS signatures are displayed fifty to a page in the IPS Policies Table. The Items field displays the table number of the first signature. If you're displaying the first page of a signature table, the entry might be Items 1 to 50 (of 58). Use the navigation buttons to navigate the table.

Searching the Signature Database

You can search the signature database by entering the signature ID number in the Lookup Signature ID field, then clicking the Edit (Notepad) icon. The Edit IPS Signature window is displayed with the signature information.

Note: You must know the signature ID to use the Signature ID field.

Editing IPS Signature Settings

Clicking the Notepad icon in the Configure column displays the Edit IPS Signature window for the specific signature, which allows you to define a different action from the global settings for that signature. In the Edit IPS Signature window, you can override the global Detect All and Prevent All settings, as defined in the Signature Groups table. For example, if Prevent All and Detect All are disabled for Low Priority Attacks in the Signature Groups table, all Low entries are listed as Disabled in the Edit IPS Signature window.

Note: You cannot import your own customized signatures into SonicWALL IPS.

Alert! Use caution when overriding global High Priority Attacks and Medium Priority Attacks signature behaviors because you can create vulnerabilities. If you make changes and want to restore the default global signature settings, click Reset IPS Configuration to Default.

Overriding Global Detection and Prevention Settings

To override global detection and prevention attributes, follow these steps:

1. In the IPS Policies table, click the Notepad icon in the Configure column to display the Edit IPS Signature window.
2. If you want to change the default global setting for Detection, select Enable or Disable from the Detection menu.
3. If you want to change the default global setting for Prevention, select Enable or Disable from the Prevention menu.
4. If you want to change the default global settings for both detection and prevention, select Enable or Disable from the Detection and Prevention menu.
5. Click OK to save your changes.

Displaying Comprehensive Information about the Vulnerability

In the Edit IPS Signature window, clicking the here link in "Note: Click here for comprehensive information regarding this vulnerability" displays a SonicALERT page that provides detailed information about the attack.

Resetting IPS Configuration to Default

Clicking the Reset IPS Settings & Policies button in the IPS Settings section removes all custom IPS signature settings you created in the Edit IPS Signature window and resets the global Prevent All and Detect All settings and the Log Redundancy Filter (seconds) settings.

Managing False Positives

A false positive is a traffic pattern that is falsely identified as an attack traffic pattern. You can control false positives in SonicWALL IPS using a variety of methods:

- Click on the log message link for the signature in the Log>View page, which displays the Edit IPS Signature window. You can then disable the signature detection and/or enable prevention.
- Disable Detect All for the Low Priority Attacks signature group.
- Search the signature database by entering the signature ID number in the Lookup Signature ID field, then clicking the Edit (Notepad) icon. The Edit IPS Signature window is displayed with the signature information. You can then disable the signature detection and/or enable prevention.

IPS Inspection of VPN/Encrypted Traffic

You can enforce intrusion prevention on traffic coming in to your networks from VPN tunnels at the point of entry for the unencrypted data from the VPN tunnel. SonicWALL IPS cannot perform inspection on any encrypted traffic in transit through the SonicWALL. However, the SonicWALL can perform IPS inspection on any VPN tunnel that terminates directly on the SonicWALL Security Appliance. SonicWALL IPS can inspect traffic as it goes into the tunnel and/or when the traffic comes out of the tunnel. For example, if the VPN tunnel terminates and begins on the LAN, IPS can inspect the traffic before and/or after it enters the VPN tunnel.

If you are using SonicOS Enhanced, you cannot enforce IPS on the VPN Zone itself, but you can enforce IPS on traffic coming into your networks from VPN tunnels at the Zone point of entry for the unencrypted traffic. If a VPN tunnel terminates at the LAN zone, enabling IPS on the LAN zone enforces intrusion prevention because the data is unencrypted before entering the LAN zone.

Enabling IPS on Interfaces or Zones

Depending on whether your SonicWALL is running SonicOS Enhanced 2.2 (or higher) or SonicOS Standard 2.2 (or higher), you can apply IPS protection to selected Interfaces or Zones. When you enable IPS on an Interface or Zone, IPS operates on traffic bi-directionally (ingress and egress).

Enabling IPS by Interface (SonicOS Standard)

If your SonicWALL is running SonicOS Standard, the Security Services>Intrusion Prevention page allows you to enable IPS on the available interfaces listed in the IPS Settings section above the Signature Groups table. You can enable IPS on the WAN, LAN and DMZ interfaces in Enable IPS on Interface. On the SonicWALL TZ 170, the DMZ interface is labeled OPT.

Enabling IPS on Zones (SonicOS Enhanced)

If your SonicWALL is running SonicOS Enhanced with multiple interfaces, SonicWALL IPS allows you to enforce intrusion prevention not only between each network zone and the Internet, but also between internal network zones. For example, enabling IPS on the LAN zone enforces intrusion prevention on all incoming and outgoing LAN traffic.

In the IPS Status section of the Security Services>Intrusion Prevention Service page, click the Network>Zones link to access the Network>Zones page. You apply SonicWALL IPS to a Zone listed on the Network>Zones page.

Enabling IPS on a Zone

Note: You cannot enforce IPS on the VPN zone, but you can enforce intrusion prevention on traffic coming into your networks from VPN tunnels at the point of entry for the unencrypted data from the VPN tunnel. If a VPN tunnel terminates at the LAN zone, enabling IPS on the LAN zone enforces intrusion prevention because the data is unencrypted before entering the LAN zone.

To enable IPS for a Zone, follow these steps:

1. Select the Network>Zone page.
2. Click the Notepad icon in the Configure column for the Zone you want in the Zone Settings table. The Edit Zone window is displayed.
3. To enable IPS for the Zone, check Enable IPS.
4. Click OK. A check mark appears under the IPS column for the Zone in the Zone Settings table.

To disable IPS for a Zone, uncheck the Enable IPS setting in the Edit Zone window, then click OK.

IPS Logging

If you selected Detect All for any of the signature groups in the Signature Groups table on the Security Services>Intrusion Prevention page, any log entries associated with the signature group are displayed on the Log>View page. Clicking on the IPS Detection Alert or IPS Prevention Alert link in the Message column of the Log displays the Edit IPS Signature window, allowing you to customize the Detection and Prevention settings.

Protocol and Port Level Alerts and Attacks

Prior to the introduction of SonicWALL Intrusion Prevention Service (IPS), SonicWALL Security Appliances provided automatic attack protection against well known exploits. The majority of these legacy attacks were identified by telltale IP or TCP/UDP characteristics, and recognition was limited to a set of fixed layer 3 and layer 4 values. As the breadth and sophistication of attacks evolved, it has become essential to dig deeper into the traffic, and to develop the sort of adaptability that could keep pace with the new threats.

All SonicWALL Security Appliances, even those running SonicWALL IPS, continue to recognize these legacy port and protocol types of attacks. The current behavior on all SonicWALL Security Appliances is to automatically and holistically prevent these legacy attacks, meaning that it is not possible to disable prevention of these attacks either individually or globally.

If a signature listed in the Log>View page was generated by a legacy attack, clicking the link in the Message column displays the SonicWALL help page with a description of the signature. You cannot deactivate or customize these signatures.

Attacks Logging Category

By enabling the Log Category Attacks on the logging configuration page, the following events (logcatattack) will be logged:

#    Name                                  SNMP Trap  Text Description
22   logstrpingofdeathblocked              501        Ping of death dropped
23   logstripspoofdetected                 502        IP spoof dropped
25   logstrpossiblesynflood                503        SYN flood attack dropped
27   logstrlandattack                      505        Land attack dropped
30   logstrwrongadminpasswd                560        Administrator login denied
35   logstradminlogindisabled              506        Administrator login denied from [value]
66   logstrlogunknownspi                   507        Unknown IPSec SPI
67   logstrlogipsecauthfailure             508        IPSec Authentication Failed
68   logstrlogipsecdecryptfailure          509        IPSec Decryption Failed
70   logstrlogillegalipsecpeer             510        IPSec packet from or to an illegal host
72   logstrnetbusdropped                   511        NetBus attack dropped
73   logstrbackorificedropped              512        Back Orifice attack dropped
74   logstrnetspydropped                   513        Net Spy attack dropped
75   logstrsub7dropped                     514        Sub Seven attack dropped
76   logstrripperdropped                   515        Ripper attack dropped
77   logstrstrikerdropped                  516        Striker attack dropped
78   logstrsennaspydropped                 517        Senna Spy attack dropped
79   logstrprioritydropped                 518        Priority attack dropped
80   logstrinikillerdropped                519        Ini Killer attack dropped
81   logstrsmurfdropped                    520        Smurf Amplification attack dropped
82   logstrportscanpossible                521        Possible port scan dropped
83   logstrportscanprobable                522        Probable port scan dropped
159  logstravexpiredmsg                    526        Received AV Alert: Your SonicWALL Network Anti-Virus subscription has expired. [value]
165  logstrforbiddenattdisabled            527        Forbidden attachment disabled
177  logstrtcpfinscandropped               528        Probable TCP FIN scan dropped
178  logstrtcpxmasscandropped              529        Probable TCP XMAS scan dropped
179  logstrtcpnullscandropped              530        Probable TCP NULL scan dropped
180  logstrreplaydetected                  531        IPSEC Replay Detected
193  logstrfakecertfound                   532        Fraudulent Microsoft certificate found; access denied
229  logstrdhcpripspoof                    533        IP spoof detected on packet to Central Gateway, packet dropped
248  logstrforbiddenattdeleted             534        Forbidden attachment deleted
329  logstruserloginlockout                561        User login failure rate exceeded - logins from user IP address denied
437  logstrdroppedmsgpartial               550        fragment dropped
482  logstravexpirationwarningmsg          552        Received AV Alert: Your SonicWALL Network Anti-Virus subscription will expire in 7 days. [value]
489  logstrcfsexpirationwarningmsg         562        Received CFS Alert: Your SonicWALL Content Filtering subscription will expire in 7 days.
490  logstrcfsexpirationmsg                563        Received CFS Alert: Your SonicWALL Content Filtering subscription has expired.
491  logstrmafiaexpirationwarningmsg       564        Received Filter Alert: Your SonicWALL Filtering subscription will expire in 7 days.
492  logstrmafiaexpirationmsg              565        Received Filter Alert: Your SonicWALL Filtering subscription has expired.
516  logstrlogikeproposaladdrwithoutDefGw  553        IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route
522  logstrmalformedippacket               554        Malformed IP packet dropped.
527  logstrftpportbounceattack             555        FTP: PORT bounce attack dropped.
528  logstrftppasvbounceattack             556        FTP: PASV response bounce attack dropped.
538  logstrftpdataport                     557        FTP: Data connection from non default port dropped
580  logstrtcpsynfindropped                558        TCP Syn/Fin packet dropped
583  logstruserlogindisabled               559        User login disabled from [value]
591  logstrmaxfaileddials                  566        Maximum sequential failed dial attempts (10) to a single dial-up number: [value]
592  logstr30mindialdelay                  567        Regulatory requirements prohibit [value] from being re-dialed for 30 minutes
606  logstrspankattackdropped              568        Spank attack multicast packet dropped
608  logstridpdetectionalert               569        IPS Detection Alert: [value]
609  logstridppreventionalert              570        IPS Prevention Alert: [value]
614  logstridpexpiredmsg                   571        Received IPS Alert: Your SonicWALL Intrusion Prevention (IDP) subscription has expired.
662  logstrnonsptrafficdropped             572        Drop Wlan traffic from non SonicPoint devcies

Legacy Attacks

Back Orifice Attack

Back Orifice is a trojan attack that, once executed on a remote computer, allows an attacker to perform illicit activities such as capturing screenshots or keyboard commands, performing file transfers, or installing applications. Back Orifice communicates over TCP port

IniKiller Attack

IniKiller is a trojan attack that allows an attacker to destroy .ini files on a remote computer communicating over TCP port

IP Spoof

An IP Spoof is an intrusion attempt in which a hacker attempts to send TCP/IP packets using the address of another computer. This can be used to access a protected network by using an IP address of a machine on the protected network. The SonicWALL recognizes this as an intrusion attempt and drops these packets. An IP spoof alert in the log often indicates a SonicWALL misconfiguration; if you see an IP spoof alert, make sure that all IP addresses on the LAN, WAN, and DMZ are correct. This can also occur if an IP address on the LAN does not fall within the LAN subnet.

Land Attack

A Land Attack is an attempt to slow down a computer or network connection. In a Land Attack, a packet is sent with identical source and destination IP addresses which match an IP address of a computer on the network. Because this is theoretically impossible, Windows goes into an infinite loop trying to resolve these illegal connections, causing the whole network performance to be degraded.

NetBus Attack

NetBus is a trojan attack for Windows 95/98/NT that, once executed on a remote computer, allows an attacker to perform illicit activities such as opening and closing the CD-ROM, starting applications, showing different messages or even redirecting a web browser to a specific URL on the Internet. NetBus attacks occur on TCP ports and

NetSpy Attack

NetSpy is a trojan attack that allows an attacker to perform illicit activities on a remote computer communicating over TCP port

Ping of Death

A ping of death is a denial of service attack that attempts to crash your system by sending a fragmented IP packet. IP does not allow single packets to exceed bytes, but the fragments themselves can add up to more than that. Since this is a theoretically impossible condition, operating systems crash when they receive this data. A ping of death attack can be launched from older versions of Windows; newer versions of Windows prevent users from sending these packets.

Port Scan

A Port Scan indicates that someone may be scanning your system to identify open ports. Sometimes this is done in preparation for a future attack or to identify whether you have rules which allow a service susceptible to attack. A false positive may occur if an application or user is legitimately connecting to several ports. To determine whether this is likely, look at the port to see if it is an expected port number.

Priority Attack

Priority is a trojan attack that allows an attacker to perform illicit activities on a remote computer communicating over TCP port

Ripper Attack

Ripper is a trojan attack that allows an attacker to steal passwords from a remote computer communicating over TCP port

Senna Spy Attack

Senna Spy is a trojan attack that allows an attacker to perform illicit activities on a remote computer communicating over UDP port

Smurf Attack

A Smurf Attack occurs when a single packet such as an ICMP echo frame is sent to a group of machines on the Internet with the source address replaced by the target computer or network IP address. This causes a flurry of echo responses to be sent to the target machine, which can overflow the target computer or network. This alert indicates that somebody is attempting to use your network as a smurf amplifier. Broadcasts on the local segment can sometimes trigger false Smurf Attack alerts.

Spank Attack

An attempt to exploit certain IP stacks and to create a denial of service attack by sending a packet with a spoofed multicast source address to which the client will attempt to respond.

Striker Attack

Striker is a trojan attack that allows an attacker to crash remote Windows PCs communicating over TCP port

SubSeven Attack

SubSeven is a trojan attack that allows an attacker to perform illicit activities on a remote computer communicating over TCP ports 1234, 6776, 6711 and

This trojan is particularly dangerous and can send an IRC chat message to notify the hacker that the system is up and running.

SYN Flood Attack

A SYN Flood is a denial of service attempt in which TCP connection requests are sent faster than the system can process them. This causes the memory to fill up, forcing new connections to be ignored. This detection triggers whenever a large number of SYN packets are seen in a short period of time. There are cases when it will trigger incorrectly, producing a false positive. For example, if a busy website becomes unavailable for a few minutes and is then brought back online, this event triggers because of the connections waiting for the system to become available.

Stealth Scanning

Stealth scanning is used by intruders to discover what ports are listening on a machine without being detected. A TCP FIN, or Stealth FIN, scan sends a FIN packet to each port. An Xmas Tree scan uses packets with the FIN, URG, and PUSH flags set. A Null scan sends packets with no TCP flags set.

TCP FIN Scan (Probable)

TCP FIN scanning attempts to exploit the behavior of some TCP stacks wherein closed ports (on the target) reply to FIN packets (from the scanner) with a RST, while open ports simply ignore the packet.

TCP XMAS Scan (Probable)

A TCP XMAS tree scan sets the FIN, URG and PSH flags in the TCP header. On some TCP stacks, if the port on the target is closed and receives the XMAS scan, it will respond with a RST.
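The Land Attack, Ping of Death, Smurf Attack and stealth scan descriptions above all reduce to tests on fixed layer 3 and layer 4 header values, which the following stateless classifier carries out. This is an added example, not SonicWALL's implementation: the Header structure, the classify function and the sample packets are constructed, the 65,535-byte limit is taken from the IPv4 Total Length field, and the returned strings reuse the log text from the Attacks Logging Category table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence

# TCP flag bits as they sit in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPV4_MAX_DATAGRAM = 65535   # limit of the 16-bit IPv4 Total Length field
ICMP_ECHO_REQUEST = 8


@dataclass
class Header:
    """Header fields the checks need (constructed structure, not a SonicWALL type)."""
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    tcp_flags: int = 0
    icmp_type: int = -1
    ihl_bytes: int = 20      # IPv4 header length
    frag_offset: int = 0     # fragment offset field, in 8-byte units
    payload_len: int = 0     # IP payload bytes carried by this packet


def classify(h: Header, protected_nets: Sequence[str] = ()) -> List[str]:
    """Return the log text for every legacy check this single header trips."""
    findings: List[str] = []
    src, dst = ipaddress.ip_address(h.src), ipaddress.ip_address(h.dst)

    # Land attack: source and destination address are identical.
    if src == dst:
        findings.append("Land attack dropped")

    # Ping of death: the fragment ends beyond the largest legal datagram,
    # so the reassembled packet cannot fit the size IP allows.
    if h.ihl_bytes + h.frag_offset * 8 + h.payload_len > IPV4_MAX_DATAGRAM:
        findings.append("Ping of death dropped")

    # Smurf amplification: echo request aimed at the broadcast address of a
    # protected subnet. /31 and /32 networks have no broadcast address.
    if h.proto == "icmp" and h.icmp_type == ICMP_ECHO_REQUEST:
        for net in (ipaddress.ip_network(n) for n in protected_nets):
            if net.num_addresses > 2 and dst == net.broadcast_address:
                findings.append("Smurf Amplification attack dropped")
                break

    if h.proto == "tcp":
        flags = h.tcp_flags & 0x3F
        if flags == 0:
            findings.append("Probable TCP NULL scan dropped")
        elif flags == FIN:
            # A normal teardown sends FIN together with ACK; FIN on its own
            # matches no established connection.
            findings.append("Probable TCP FIN scan dropped")
        elif flags == FIN | PSH | URG:
            findings.append("Probable TCP XMAS scan dropped")
        elif flags & SYN and flags & FIN:
            findings.append("TCP Syn/Fin packet dropped")
    return findings


# Constructed sample headers using documentation address ranges.
LAN = ["192.0.2.0/24"]
SAMPLES: Dict[str, Header] = {
    "land": Header("192.0.2.10", "192.0.2.10", "tcp", tcp_flags=SYN),
    "ping_of_death": Header("203.0.113.7", "192.0.2.10", "icmp",
                            icmp_type=8, frag_offset=8189, payload_len=1480),
    "last_fragment": Header("203.0.113.7", "192.0.2.10", "icmp",
                            icmp_type=8, frag_offset=8000, payload_len=1480),
    "smurf": Header("203.0.113.7", "192.0.2.255", "icmp", icmp_type=8),
    "null_scan": Header("203.0.113.7", "192.0.2.10", "tcp", tcp_flags=0),
    "fin_scan": Header("203.0.113.7", "192.0.2.10", "tcp", tcp_flags=FIN),
    "xmas_scan": Header("203.0.113.7", "192.0.2.10", "tcp",
                        tcp_flags=FIN | PSH | URG),
    "syn_fin": Header("203.0.113.7", "192.0.2.10", "tcp", tcp_flags=SYN | FIN),
    "normal_close": Header("203.0.113.7", "192.0.2.10", "tcp",
                           tcp_flags=FIN | ACK),
}


def run_samples() -> Dict[str, List[str]]:
    """Classify every constructed sample against the protected LAN."""
    return {name: classify(h, LAN) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:14} {result or ['no finding']}")
```

Because each verdict comes from one packet with no connection state, the scan results stay "probable": the normal_close and last_fragment samples show legitimate traffic that sits one flag or a few bytes away from a match.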

E-mail Fragments

E-mail fragments are messages with the MIME Content-Type of message/partial. Partial e-mails can be a security threat, allowing viruses to escape detection by virus scanners while fragmented. The virus becomes fully functional once reassembled on the client.

FTP PASV Response Spoof Attack

FTP PASV response packets can be spoofed to allow an attacker to establish arbitrary TCP connections to FTP servers or clients located behind some firewalls.

FTP Port Bounce Attack

A means of exploiting a weakness in older FTP servers wherein the PORT command could be used to force the FTP server to connect to a target host for malicious purposes.


SonicWALL, Inc. Borregas Avenue Sunnyvale, CA T: F: SonicWALL, Inc. SonicWALL is a registered trademark of SonicWALL, Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective companies. Specifications and descriptions subject to change without notice. P/N Rev A 04/04

Activating Intrusion Prevention Service

Activating Intrusion Prevention Service Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers

More information

SonicWALL CDP 2.1 Agent Tool User's Guide

SonicWALL CDP 2.1 Agent Tool User's Guide COMPREHENSIVE INTERNET SECURITY b SonicWALL CDP Series Appliances SonicWALL CDP 2.1 Agent Tool User's Guide SonicWALL CDP Agent Tool User s Guide Version 2.0 SonicWALL, Inc. 1143 Borregas Avenue Sunnyvale,

More information

Managing SonicWall Gateway Anti Virus Service

Managing SonicWall Gateway Anti Virus Service Managing SonicWall Gateway Anti Virus Service SonicWall Gateway Anti-Virus (GAV) delivers real-time virus protection directly on the SonicWall security appliance by using SonicWall s IPS-Deep Packet Inspection

More information

SonicWALL Network Anti-Virus

SonicWALL Network Anti-Virus SonicWALL Network Anti-Virus Contents Copyright Notice...2 Limited Warranty...2 Introduction...4 Managing Network Anti-Virus...5 Activating the Network Anti-Virus Subscription...6 Configuring Network Anti-Virus...7

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Integrating SonicWALL PRO-Series/E-Class UTM Appliances with HP ProCurve Manager Plus/Network Immunity Manager

Integrating SonicWALL PRO-Series/E-Class UTM Appliances with HP ProCurve Manager Plus/Network Immunity Manager SonicOS/ E-Class Integrating SonicWALL PRO-Series/E-Class UTM Appliances with HP ProCurve Manager Plus/Network Immunity Manager Overview This technote covers the proper registration and installation of

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Customer Support: For more information or support, please visit or at Product Release Information...

Customer Support: For more information or support, please visit   or  at Product Release Information... Product Release Information Product: Cyberoam Release Number: 9.3.0 build 5 Release Date: 19th July 2006 Compatible versions: 9.2.0 build 2 Upgrade Mode: Manual 1 Important note Upgrade removes all the

More information

9. Security. Safeguard Engine. Safeguard Engine Settings

9. Security. Safeguard Engine. Safeguard Engine Settings 9. Security Safeguard Engine Traffic Segmentation Settings Storm Control DoS Attack Prevention Settings Zone Defense Settings SSL Safeguard Engine D-Link s Safeguard Engine is a robust and innovative technology

More information

Configuring Access Rules

Configuring Access Rules Configuring Access Rules Rules > Access Rules About Access Rules Displaying Access Rules Specifying Maximum Zone-to-Zone Access Rules Changing Priority of a Rule Adding Access Rules Editing an Access Rule

More information

SonicWALL TZ 150 Getting Started Guide

SonicWALL TZ 150 Getting Started Guide SonicWALL TZ 150 Getting Started Guide SonicWALL TZ 150 Security Appliance Getting Started Guide The SonicWALL TZ 150 is a total security platform delivering true layered security by integrating gateway

More information

Product Release Information

Product Release Information Product Release Information Product: Cyberoam Release Number: 9.4.1 build 2 Release Date: 20 th March, 2007 Compatible versions: 9.4.1. build 0 Upgrade: Auto Upgrade Customer Support: For more information

More information

SOFTWARE LICENSE LIMITED WARRANTY

SOFTWARE LICENSE LIMITED WARRANTY CYBEROAM INSTALLATION GUIDE VERSION: 5..0..6 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty

More information

SonicWALL / Toshiba General Installation Guide

SonicWALL / Toshiba General Installation Guide SonicWALL / Toshiba General Installation Guide SonicWALL currently maintains two operating systems for its Unified Threat Management (UTM) platform, StandardOS and EnhancedOS. When a SonicWALL is implemented

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2630 Software version: F1000-E/Firewall module: R3166 F5000-A5: R3206 Document version: 6PW101-20120706 Legal and notice information

More information

2 ZyWALL UTM Application Note

2 ZyWALL UTM Application Note 2 Application Note Threat Management Using ZyWALL 35 UTM Forward This support note describes how an SMB can minimize the impact of Internet threats using the ZyWALL 35 UTM as an example. The following

More information

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013 Distributed Systems 27. Firewalls and Virtual Private Networks Paul Krzyzanowski Rutgers University Fall 2013 November 25, 2013 2013 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive

More information

SonicOS Standard Release Notes SonicWALL, Inc. Software Release: June 4, 2009

SonicOS Standard Release Notes SonicWALL, Inc. Software Release: June 4, 2009 Release Notes SonicOS Standard 3.1.6.3 Release Notes SonicWALL, Inc. Software Release: June 4, 2009 CONTENTS Platform Compatibility...1 Software Release Caveats...1 Known Issues...2 Resolved Issues...2

More information

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0

DC-228. ADSL2+ Modem/Router. User Manual. -Annex A- Version: 1.0 DC-228 ADSL2+ Modem/Router -Annex A- User Manual Version: 1.0 TABLE OF CONTENTS 1 PACKAGE CONTENTS...3 2 PRODUCT LAYOUT...4 3 NETWORK + SYSTEM REQUIREMENTS...6 4 DC-228 PLACEMENT...6 5 SETUP LAN, WAN...7

More information

Configuring Flood Protection

Configuring Flood Protection Configuring Flood Protection NOTE: Control Plane flood protection is located on the Firewall Settings > Advanced Settings page. TIP: You must click Accept to activate any settings you select. The Firewall

More information

Configuring Firewall Access Rules

Configuring Firewall Access Rules Firewall Configuring Firewall Access Rules Configuring Application Control Rules Configuring Advanced App Control Settings Configuring Match Objects Configuring Action Objects Configuring Address Objects

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 19: Intrusion Detection Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Intruders Intrusion detection host-based network-based

More information

SonicWALL TZ 170 Series Prepared by SonicWALL, Inc. 7/6/2004

SonicWALL TZ 170 Series Prepared by SonicWALL, Inc. 7/6/2004 SonicWALL TZ 170 Series Prepared by SonicWALL, Inc. 7/6/2004 Announcement Overview SonicWALL announces the newly-expanded TZ 170 Series which, in addition to the TZ 170, now includes the TZ 170 Wireless,

More information

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide

SonicWALL Security Appliances. SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL Security Appliances SonicWALL SSL-VPN 200 Getting Started Guide SonicWALL SSL-VPN 200 Appliance Getting Started Guide This Getting Started Guide contains installation procedures and configuration

More information

SOFTWARE LICENSE LIMITED WARRANTY

SOFTWARE LICENSE LIMITED WARRANTY ANALYTICAL TOOL GUIDE VERSION: 5..0..6 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any

More information

HP High-End Firewalls

HP High-End Firewalls HP High-End Firewalls Attack Protection Configuration Guide Part number: 5998-2650 Software version: F1000-A-EI&F1000-S-EI: R3721 F5000: F3210 F1000-E: F3171 Firewall module: F3171 Document version: 6PW101-20120719

More information

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...
