ADP

See the ADP section in the Configuration Overview chapter for related information on these screens.

Introduction to ADP

An ADP system can detect malicious or suspicious packets and respond instantaneously. It can detect:

Host Intrusions

The goal of host-based intrusions is to infiltrate files on an individual computer or server in with the goal of accessing confidential information or destroying information on a computer.

You must install a host ADP directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.

Disadvantages of host ADPs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.

Network Intrusions

Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server. Typical "network-based intrusions" are SQL slammer, Blaster, Nimda MyDoom etc.

ADP on the ZyWALL

ADP on the ZyWALL protects against network-based intrusions. See Profiles: Traffic Anomaly and Profiles: Protocol Anomaly for more on the kinds of attacks that the ZyWALL can protect against. You can also create your own custom ADP rules.

Traffic Directions and Profiles

A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.

An anomaly profile is a set of ADP rules with configured activation, log and action settings. The ZyWALL comes with default profiles that you can bind to traffic directions. For example, by default, the default LAN_ADP profile is bound to any traffic going to the LAN zone. You could use this to protect your LAN computers.

You can also create your own ADP profiles from base profiles. See Base Profiles for details on base profiles.

Note: You can only bind one profile to one traffic direction.

Configuring ADP General

Use this screen to turn anomaly detection on or off and bind anomaly profiles to traffic directions.

Anti-X > ADP > General  

label
Description
General Setup
 
Enable Anomaly Detection
Select this check box to enable traffic anomaly and protocol anomaly detection.
Bindings
Use this list to specify which anomaly profile the ZyWALL uses for traffic flowing in a specific direction.
Priority
This is this binding's rank in the list of anomaly profile to traffic direction bindings. The list is applied in order of priority.
From, To
This is the direction of travel of packets to which an anomaly profile is bound.

Note: Depending on your network topology and traffic load, binding every packet direction to an anomaly profile may affect the ZyWALL's performance.

From LAN To LAN means packets traveling from a computer on one LAN subnet to a computer on another LAN subnet via the ZyWALL's LAN zone interfaces. The ZyWALL does not check packets traveling from a LAN computer to another LAN computer on the same subnet.
From WAN To WAN means packets that come in from the WAN zone and the ZyWALL routes back out through the WAN zone.
Anomaly Profile
An anomaly profile is a set of anomaly rules with configured activation, log and action settings. This field shows which anomaly profile is bound to which traffic direction.
(Icons)
Click the Add icon in the heading row to add a new first entry.
The Active icon displays whether the entry is enabled or not. Click it to activate or deactivate the entry.
Click the Edit icon to go to the screen where you can edit the entry.
Click the Add icon in an entry to add an entry below the current entry.
Click the Remove icon to delete an existing entry from the ZyWALL. A window displays asking you to confirm that you want to delete the entry. Note that subsequent entries move up by one when you take this action.
In a numbered list, click the Move to N icon to display a field to type an index number for where you want to put that entry and press [ENTER] to move the entry to the number that you typed. For example, if you type 6, the entry you are moving becomes number 6 and the previous entry 6 (if there is one) gets pushed up (or down) one.
The ordering of your entries is important as they are applied in order of their numbering.
Apply
Click Apply to save your changes.
Reset
Click Reset to start configuring this screen again.

Configuring Anomaly Profile Bindings

Use this screen to bind an anomaly profile to a traffic direction.

Anti-X > ADP > General > Add  

label
Description
Enable
Select this check box to turn on this anomaly profile to traffic direction binding.
From
Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
Use the From field to specify the zone from which the traffic is coming.
Select ZyWALL to specify traffic coming from the ZyWALL itself.
To
Use the To field to specify the zone to which the traffic is going.
Select ZyWALL to specify traffic destined for the ZyWALL itself.
ADP Profile
An ADP profile is a set of ADP rules with configured activation, log and action settings. Select an ADP profile to bind to the entry's traffic direction. Configure the ADP profiles in the ADP profile screens.
OK
Click OK to save your changes.
Cancel
Click Cancel to exit this screen without saving your changes.

Introducing ADP Profiles

An ADP profile is a set of traffic anomaly rules and protocol anomaly rules.

Anomaly detection is in general effective against abnormal behavior while packet inspection signatures are created for known attacks (see IDP for information on packet inspection).

Base Profiles

The ZyWALL comes with several base profiles. You use base profiles to create new profiles.

These are the default base profiles at the time of writing

Base Profiles  

Base Profile
Description
all
All traffic anomaly and protocol anomaly rules are enabled. Rules with a high or severe severity level (greater than three) generate log alerts and cause packets that trigger them to be dropped. Rules with a very low, low or medium severity level (less than or equal to three) generate logs (not log alerts) and no action is taken on packets that trigger them.
none
All traffic anomaly and protocol anomaly rules are disabled. No logs are generated nor actions are taken.

Profile Summary Screen

Use this screen to:

Anti-X > ADP > Profile 

LABEL
Description
Name
This is the name of the profile you created.
Base Profile
This is the base profile from which the profile was created.
(Icons)
Click the Add icon in the column header to create a new profile. A pop-up screen displays requiring you to choose a base profile from which to create the new profile.
Click an Edit icon to edit an existing profile.
Click a Remove icon to delete an existing profile.

Creating New Profiles

You may want to create a new profile if not all rules in a base profile are applicable to your network. In this case you should disable non-applicable rules so as to improve ZyWALL ADP processing efficiency.

You may also find that certain rules are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As each network is different, false positives and false negatives are common on initial ADP deployment.

You could create a new `monitor profile' that creates logs but all actions are disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you're satisfied that they have been reduced to an acceptable level, you could then create an `inline profile' whereby you configure appropriate actions to be taken when a packet matches a rule.

Procedure To Create a New Profile

To create a new profile:

Profiles: Traffic Anomaly

The traffic anomaly screen is the second screen in an ADP profile. Traffic anomaly detection looks for abnormal behavior such as scan or flooding attempts. Select Anti-X > ADP > Profile > Traffic Anomaly. If you made changes to other screens belonging to this profile, make sure you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.

Port Scanning

An attacker scans device(s) to determine what types of network protocols or services a device supports. One of the most common port scanning tools in use today is Nmap.

Many connection attempts to different ports (services) may indicate a port scan. These are some port scan types:

An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP (Interior Gateway Protocol). Determining these additional protocols can help reveal if the destination device is a workstation, a printer, or a router.

Decoy Port Scans

Decoy port scans are scans where the attacker has spoofed the source address. These are some decoy scan types:

Distributed Port Scans

Distributed port scans are many-to-one port scans. Distributed port scans occur when multiple hosts query one host for open services. This may be used to evade intrusion detection. These are distributed port scan types:

Port Sweeps

Many different connection attempts to the same port (service) may indicate a port sweep, that is, they are one-to-many port scans. One host scans a single port on multiple hosts. This may occur when a new exploit comes out and the attacker is looking for a specific service. These are some port sweep types:

Filtered Port Scans

A filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or responses on closed ports have been suppressed. Active network devices, such as NAT routers, may trigger these alerts if they send out many connection attempts within a very small amount of time. These are some filtered port scan examples.

  • TCP Filtered Portscan
  • UDP Filtered Portscan
  • IP Filtered Portscan
  • TCP Filtered Decoy Portscan
  • UDP Filtered Decoy Portscan
  • IP Filtered Decoy Portscan
  • TCP Filtered Portsweep
  • UDP Filtered Portsweep
  • IP Filtered Portsweep
  • ICMP Filtered Portsweep
  • TCP Filtered Distributed Portscan
  • UDP Filtered Distributed Portscan
  • IP Filtered Distributed Portscan
   

Flood Detection

Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible.

ICMP Flood Attack

An ICMP flood is broadcasting many pings or UDP packets so that so much data is sent to the system, that it slows it down or locks it up.

Smurf

A smurf attacker (A) floods a router (B) with Internet Control Message Protocol (ICMP) echo request packets (pings) with the destination IP address of each packet as the broadcast address of the network. The router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic.

TCP SYN Flood Attack

Usually a client starts a session by sending a SYN (synchronize) packet to a server. The receiver returns an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

A SYN flood attack is when an attacker sends a series of SYN packets. Each packet causes the receiver to reply with a SYN-ACK response. The receiver then waits for the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes back or when an internal timer ends the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for other users.

LAND Attack

In a LAND attack, hackers flood SYN packets into a network with a spoofed source IP address of the network itself. This makes it appear as if the computers in the network sent the packets to themselves, so the network is unavailable while they try to respond to themselves.

UDP Flood Attack

UDP is a connection-less protocol and it does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application that is waiting on the port, it will generate an ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on victim, the system will go down.

Profile > Traffic Anomaly Screen

ADP > Profile > Traffic Anomaly 

LABEL
Description
Name
This is the name of the ADP profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Scan/Flood Detection
 
Name
This is the name of the traffic anomaly rule. Click the Name column heading to sort in ascending or descending order according to the rule name.
Sensitivity
(Scan detection only.) Select a sensitivity level so as to reduce false positives in your network. If you choose low sensitivity, then scan thresholds and sample times are set low, so you will have fewer logs and false positives; however some traffic anomaly attacks may not be detected.
If you choose high sensitivity, then scan thresholds and sample times are set high, so most traffic anomaly attacks will be detected; however you will have more logs and false positives.
Block Period
Specify for how many seconds the ZyWALL blocks all packets from being sent to the victim (destination) of a detected anomaly attack.
Activation
Click the icon to enable or disable a rule or group of rules.
Log
Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule.
Action
Select what the ZyWALL should do when a packet matches a rule.
none: The ZyWALL takes no action when a packet matches the signature(s).
block: The ZyWALL silently drops packets that matches the rule. Neither sender nor receiver are notified.
Threshold
For flood detection you can set the number of detected flood packets per second that causes the ZyWALL to take the configured action.
OK
Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
Click Save to save the configuration to the ZyWALL but remain in the same page. You may then go to the another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.

Profiles: Protocol Anomaly

Protocol anomaly is the third screen in an ADP profile. Protocol anomaly (PA) rules check for protocol compliance against the relevant RFC (Request for Comments).

Protocol anomaly detection includes HTTP Inspection, TCP Decoder, UDP Decoder and ICMP Decoder where each category reflects the packet type inspected.

Protocol anomaly rules may be updated when you upload new firmware.

HTTP Inspection and TCP/UDP/ICMP Decoders

The following table gives some information on the HTTP inspection, TCP decoder, UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.

HTTP Inspection and TCP/UDP/ICMP Decoders 

LABEL
Description
HTTP Inspection
 
APACHE-WHITESPACE ATTACK
This rule deals with non-RFC standard of tab for a space delimiter. Apache uses this, so if you have an Apache server, you need to enable this option.
ASCII-ENCODING ATTACK
This rule can detect attacks where malicious attackers use ASCII-encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.
BARE-BYTE-UNICODING-ENCODING ATTACK
Bare byte encoding uses non-ASCII characters as valid values in decoding UTF-8 values. This is NOT in the HTTP standard, as all non-ASCII values have to be encoded with a %. Bare byte encoding allows the user to emulate an IIS server and interpret non-standard encodings correctly.
BASE36-ENCODING ATTACK
This is a rule to decode base36-encoded characters. This rule can detect attacks where malicious attackers use base36-encoding to encode attack strings. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.
DIRECTORY-TRAVERSAL ATTACK
This rule normalizes directory traversals and self-referential directories. So, "/abc/this_is_not_a_real_dir/../xyz" get normalized to "/abc/xyz". Also, "/abc/./xyz" gets normalized to "/abc/xyz". If a user wants to configure an alert, then specify "yes", otherwise "no". This alert may give false positives since some web sites refer to files using directory traversals.
DOUBLE-ENCODING ATTACK
This rule is IIS specific. IIS does two passes through the request URI, doing decodes in each one. In the first pass, IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is done. In the second pass ASCII, bare byte, and %u encodings are done.
IIS-BACKSLASH-EVASION ATTACK
This is an IIS emulation rule that normalizes backslashes to slashes. Therefore, a request-URI of "/abc\xyz" gets normalized to "/abc/xyz".
IIS-UNICODE-CODEPOINT-ENCODING ATTACK
This rule can detect attacks which send attack strings containing non-ASCII characters encoded by IIS Unicode. IIS Unicode encoding references the unicode.map file. Attackers may use this method to bypass system parameter checks in order to get information or privileges from a web server.
MULTI-SLASH-ENCODING ATTACK
This rule normalizes multiple slashes in a row, so something like: "abc/////////xyz" get normalized to "abc/xyz".
NON-RFC-DEFINED-CHAR ATTACK
This rule lets you receive a log or alert if certain non-RFC characters are used in a request URI. For instance, you may want to know if there are NULL bytes in the request-URI.
NON-RFC-HTTP-DELIMITER ATTACK
This is when a newline "\n" character is detected as a delimiter. This is non-standard but is accepted by both Apache and IIS web servers.
OVERSIZE-CHUNK-ENCODING ATTACK
This rule is an anomaly detector for abnormally large chunk sizes. This picks up the apache chunk encoding exploits and may also be triggered on HTTP tunneling that uses chunk encoding.
OVERSIZE-REQUEST-URI-DIRECTORY ATTACK
This rule takes a non-zero positive integer as an argument. The argument specifies the max character directory length for URL directory. If a URL directory is larger than this argument size, an alert is generated. A good argument value is 300 characters. This should limit the alerts to IDS evasion type attacks, like whisker.
SELF-DIRECTORY-TRAVERSAL ATTACK
This rule normalizes self-referential directories. So, "/abc/./xyz" gets normalized to "/abc/xyz".
U-ENCODING ATTACK
This rule emulates the IIS %u encoding scheme. The %u encoding scheme starts with a %u followed by 4 characters, like %uXXXX. The XXXX is a hex encoded value that correlates to an IIS unicode codepoint. This is an ASCII value. An ASCII character is encoded like, %u002f = /, %u002e = ., etc.
UTF-8-ENCODING ATTACK
The UTF-8 decode rule decodes standard UTF-8 unicode sequences that are in the URI. This abides by the unicode standard and only uses % encoding. Apache uses this standard, so for any Apache servers, make sure you have this option turned on. When this rule is enabled, ASCII decoding is also enabled to enforce correct functioning.
WEBROOT-DIRECTORY-TRAVERSAL ATTACK
This is when a directory traversal traverses past the web server root directory. This generates much fewer false positives than the directory option, because it doesn't alert on directory traversals that stay within the web server directory structure. It only alerts when the directory traversals go past the web server root directory, which is associated with certain web attacks.
TCP Decoder
 
BAD-LENGTH-OPTIONS ATTACK
This is when a TCP packet is sent where the TCP option length field is not the same as what it actually is or is 0. This may cause some applications to crash.
EXPERIMENTAL-OPTIONS ATTACK
This is when a TCP packet is sent which contains non-RFC-complaint options. This may cause some applications to crash.
OBSOLETE-OPTIONS ATTACK
This is when a TCP packet is sent which contains obsolete RFC options.
OVERSIZE-OFFSET ATTACK
This is when a TCP packet is sent where the TCP data offset is larger than the payload.
TRUNCATED-OPTIONS ATTACK
This is when a TCP packet is sent which doesn't have enough data to read. This could mean the packet was truncated.
TTCP-DETECTED ATTACK
T/TCP provides a way of bypassing the standard three-way handshake found in TCP, thus speeding up transactions. However, this could lead to unauthorized access to the system by spoofing connections.
UNDERSIZE-LEN ATTACK
This is when a TCP packet is sent which has a TCP datagram length of less than 20 bytes. This may cause some applications to crash.
UNDERSIZE-OFFSET ATTACK
This is when a TCP packet is sent which has a TCP header length of less than 20 bytes.This may cause some applications to crash.
UDP Decoder
 
OVERSIZE-LEN ATTACK
This is when a UDP packet is sent which has a UDP length field of greater than the actual packet length. This may cause some applications to crash.
TRUNCATED-HEADER ATTACK
This is when a UDP packet is sent which has a UDP datagram length of less the UDP header length. This may cause some applications to crash.
UNDERSIZE-LEN ATTACK
This is when a UDP packet is sent which has a UDP length field of less than 8 bytes. This may cause some applications to crash.
ICMP Decoder
 
TRUNCATED-ADDRESS-HEADER ATTACK
This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP address header length. This may cause some applications to crash.
TRUNCATED-HEADER ATTACK
This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP header length. This may cause some applications to crash.
TRUNCATED-TIMESTAMP-HEADER ATTACK
This is when an ICMP packet is sent which has an ICMP datagram length of less than the ICMP Time Stamp header length. This may cause some applications to crash.

Protocol Anomaly Configuration

ADP > Profile > Protocol Anomaly 

LABEL
Description
Name
This is the name of the profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
HTTP Inspection/TCP Decoder/UDP Decoder/ICMP Decoder
Name
This is the name of the protocol anomaly rule. Click the Name column heading to sort in ascending or descending order according to the protocol anomaly rule name.
Activation
Click the icon to enable or disable a rule or group of rules.
Log
Select whether to have the ZyWALL generate a log (log), log and alert (log alert) or neither (no) when traffic matches this anomaly rule.
Action
Select what the ZyWALL should do when a packet matches a rule.
none: The ZyWALL takes no action when a packet matches the signature(s).
block: The ZyWALL silently drops packets that matches the rule. Neither sender nor receiver are notified.
OK
Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel
Click Cancel to return to the profile summary page without saving any changes.
Save
Click Save to save the configuration to the ZyWALL but remain in the same page. You may then go to the another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.