IDP
See the IDP section for related information on these screens.
Introduction to IDP
An IDP system can detect malicious or suspicious packets and respond instantaneously. It is designed to detect pattern-based attacks.
Host Intrusions
The goal of host-based intrusions is to infiltrate files on an individual computer or server in with the goal of accessing confidential information or destroying information on a computer.
You must install a host IDP directly on the system being protected. It works closely with the operating system, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.
Disadvantages of host IDPs are that you have to install them on each device (that you want to protect) in your network and due to the necessarily tight integration with the host operating system, future operating system upgrades could cause problems.
Network Intrusions
Network-based intrusions have the goal of bringing down a network or networks by attacking computer(s), switch(es), router(s) or modem(s). If a LAN switch is compromised for example, then the whole LAN is compromised. Host-based intrusions may be used to cause network-based intrusions when the goal of the host virus is to propagate attacks on the network, or attack computer/server operating system vulnerabilities with the goal of bringing down the computer/server. Typical "network-based intrusions" are SQL slammer, Blaster, Nimda MyDoom etc.
IDP on the ZyWALL
IDP on the ZyWALL protects against network-based intrusions. See Policy Types for a list of attacks that the ZyWALL can protect against. You can also create your own custom IDP rules.
Signatures
If a packet matches a signature, the action specified by the signature is taken. You can change the default signature actions in the profile screens.
Traffic Directions and Profiles
A zone is a combination of ZyWALL interfaces and VPN connections for security. See the zone chapter for details on zones and the interfaces chapter for details on interfaces. Traffic direction is defined by the zone the traffic is coming from and the zone the traffic is going to.
An IDP profile is a set of IDP rules with configured activation, log and action settings. The ZyWALL comes with default profiles that you can bind to traffic directions. For example, by default, the default LAN_IDP profile is bound to any traffic going to the LAN zone. You could use this to protect your LAN computers.
You can also create your own IDP profiles from base profiles. See Base Profiles for details on base profiles.
Note: You can only bind one profile to one traffic direction.
Configuring IDP General
Use this screen to turn IDP on or off, bind IDP profiles to traffic directions, and view registration and signature information.
Note: You must register in order to use packet inspection signatures. See the Registration screens.
Configuring IDP Bindings
Use this screen to bind an IDP profile to a traffic direction.
Introducing IDP Profiles
An IDP profile is a set of packet inspection signatures.
Packet inspection signatures examine packet content for malicious data. Packet inspection applies to OSI (Open System Interconnection) layer-4 to layer-7 contents. You need to subscribe for IDP service in order to be able to download new signatures.
In general, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior (see ADP for information on anomaly detection).
Base Profiles
The ZyWALL comes with several base profiles. You use base profiles to create new profiles.
The following table describes this screen.
Profile Summary Screen
Use this screen to:
Creating New Profiles
You may want to create a new profile if not all signatures in a base profile are applicable to your network. In this case you should disable non-applicable signatures so as to improve ZyWALL IDP processing efficiency.
You may also find that certain signatures are triggering too many false positives or false negatives. A false positive is when valid traffic is flagged as an attack. A false negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As each network is different, false positives and false negatives are common on initial IDP deployment.
You could create a new `monitor profile' that creates logs but all actions are disabled. Observe the logs over time and try to eliminate the causes of the false alarms. When you're satisfied that they have been reduced to an acceptable level, you could then create an `inline profile' whereby you configure appropriate actions to be taken when a packet matches a signature.
Procedure To Create a New Profile
To create a new profile:
Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer maybe becoming unresponsive, just click No to continue.
Profiles: Packet Inspection
Packet inspection signatures examine the contents of a packet for malicious data. It operates at layer-4 to layer-7.
Profile > Group View Screen
Anti-X > IDP > Profile > Group View
LABEL Description Name This is the name of the profile. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:MyProfilemYProfileMymy12_3-4These are invalid profile names:1mYProfileMy ProfileMyProfile?Whatalongprofilename123456789012 Switch to query view Click this button to go to a screen where you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions. Service Click the + sign next to a service group to expand it. A service group is a group of related IDP signatures. Message This is the name of the signature. SID This is the signature ID (identification) number that uniquely identifies a ZyWALL signature. Severity These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands.Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.Low (2): These denote mild threats or attacks that could be false alarms.Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. Policy Type This is the attack type as defined on the ZyWALL. See Policy Types for a description of each type. Activation Click the icon to enable or disable a signature or group of signatures. Log These are the log options:original setting: Select this option to return each log option within a service group to its previously saved configuration.no: Select this option on an individual signature or a complete service group to have the ZyWALL create no log when a packet matches a signature(s).log: Select this option on an individual signature or a complete service group to have the ZyWALL create a log when a packet matches a signature(s).log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s). Action Select what action the ZyWALL should take when a packet matches a signature here.original setting: Select this action to return each signature in a service group to its previously saved configuration.none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).drop: Select this action on an individual signature or a complete service group to have the ZyWALL silently drop a packet that matches the signature(s). Neither sender nor receiver are notified.reject-sender: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with a `RST' flag. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet.reject-receiver: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with an a `RST' flag. If it is an ICMP or UDP attack packet, the ZyWALL will do nothing.reject-both: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with a `RST' flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet. OK A profile consists of three separate screens. If you want to configure just one screen for an IDP profile, click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page. Cancel Click Cancel to return to the profile summary page without saving any changes. Save If you want to configure more than one screen for an IDP profile, click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
Policy Types
This section describes IDP policy types, also known as attack types, as categorized in the ZyWALL. You may refer to these types when categorizing your own custom rules.
IDP Service Groups
An IDP service group is a set of related packet inspection signatures.
Logs and actions applied to a service group apply to all signatures within that group. If you select original setting for service group logs and/or actions, all signatures within that group are returned to their last-saved settings.
Profile > Query View Screen
In the query view screen, you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
Anti-X > IDP > Profile: Query View
LABEL Description Name This is the name of the profile that you created in the IDP > Profiles > Packet Inspection group view screen. Switch to group view Click this button to go to the IDP profile group view screen where IDP signatures are grouped by service and you can configure activation, logs and/or actions. Query Signatures Select the criteria on which to perform the search. Search all custom signatures Select this check box to search for signatures you created or imported in the Custom Signature screen. You can search by name or ID. If the name and ID fields are left blank, then all custom signatures are displayed. Name Type the name or part of the name of the signature(s) you want to find. Signature ID Type the ID or part of the ID of the signature(s) you want to find. Severity Search for signatures by severity level(s) (see Anti-X > IDP > Profile > Group View). Hold down the [Ctrl] key if you want to make multiple selections. Attack Type Search for signatures by attack type(s) (see Policy Types). Attack types are known as policy types in the group view screen. Hold down the [Ctrl] key if you want to make multiple selections. Platform Search for signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections. Service Search for signatures by IDP service group(s). See IDP Service Groups for group details. Hold down the [Ctrl] key if you want to make multiple selections. Action Search for signatures by the response the ZyWALL takes when a packet matches a signature. See Anti-X > IDP > Profile > Group View for action details. Hold down the [Ctrl] key if you want to make multiple selections. Activation Search for enabled and/or disabled signatures here. Log Search for signatures by log option here. See Anti-X > IDP > Profile > Group View for option details. Search Click this button to begin the search. The results display at the bottom of the screen. Results may be spread over several pages depending on how broad the search criteria selected were. The tighter the criteria selected, the fewer the signatures returned. Query Result The results are displayed in a table showing the SID, Name, Severity, Attack Type, Platform, Service, Activation, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID. Total IDP: This displays the total number of signatures found in your search. IDP per page Select the number of signatures you want to appear per page here. Page x of x This is the number of the page of entries currently displayed and the total number of pages of entries. Type a page number to go to or use the arrows to navigate the pages of entries. OK Click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page. Cancel Click Cancel to return to the profile summary page without saving any changes. Save Click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to the another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
Introducing IDP Custom Signatures
Create custom signatures for new attacks or attacks peculiar to your network. Custom signatures can also be saved to/from your computer so as to share with others.
You need some knowledge of packet headers and attack types to create your own custom signatures.
IP Packet Header
These are the fields in an Internet Protocol (IP) version 4 packet header.
Configuring Custom Signatures
Select Anti-X > IDP > Custom Signatures. The first screen shows a summary of all custom signatures created. Click the SID or Name heading to sort. Click the Add icon to create a new signature or click the Edit icon to edit an existing signature. You can delete signatures here or save them to your computer.
Note: The ZyWALL checks all signatures and continues searching even after a match is found. If two or more rules have conflicting actions for the same packet, then the ZYWALL applies the more restrictive action (reject-both, reject-receiver or reject-sender, drop, none in this order). If a packet matches a rule for reject-receiver and it also matches a rule for reject-sender, then the ZyWALL will reject-both.
Creating or Editing a Custom Signature
A packet must match all items you configure in this screen before it matches the signature. The more specific your signature (including packet contents), then the fewer false positives the signature will trigger.
Try to write signatures that target a vulnerability, for example a certain type of traffic on certain operating systems, instead of a specific exploit.
Anti-X > IDP > Custom Signatures > Add/Edit
LABEL Description Name Type the name of your custom signature. You may use 1-31 alphanumeric characters, underscores(_), or dashes (-), but the first character cannot be a number. This value is case-sensitive.Duplicate names can exist but it is advisable to use unique signature names that give some hint as to intent of the signature and the type of attack it is supposed to prevent. Refer to (but do not copy) the packet inspection signature names for hints on creating a naming convention. Signature ID A signature ID is automatically created when you click the Add icon to create a new signature. You can edit the ID to create a new one (in the 9000000 to 9999999 range), but you cannot use one that already exists. You may want to do that if you want to order custom signatures by SID. Information Use the following fields to set general information about the signature as denoted below. Severity The severity level denotes how serious the intrusion is. Categorize the seriousness of the intrusion here. See Anti-X > IDP > Profile > Group View as a reference. Platform Some intrusions target specific operating systems only. Select the operating systems that the intrusion targets, that is, the operating systems you want to protect from this intrusion. SGI refers to Silicon Graphics Incorporated, who manufactures multi-user Unix workstations that run the IRIX operating system (SGI's version of UNIX). A router is an example of a network device. Service Select the IDP service group that the intrusion exploits or targets. See IDP Service Groups for a list of IDP service groups. The custom signature then appears in that group in the IDP > Profile > Packet Inspection screen Policy Type Categorize the type of intrusion here. See Policy Types as a reference. Frequency Recurring packets of the same type may indicate an attack. Use the following field to indicate how many packets per how many seconds constitute an intrusion Threshold Select Threshold and then type how many packets (that meet the criteria in this signature) per how many seconds constitute an intrusion. Header Options Network Protocol Configure signatures for IP version 4. Type Of Service Type of service in an IP header is used to specify levels of speed and/or reliability. Some intrusions use an invalid Type Of Service number. Select the check box, then select Equal or Not-Equal and then type in a number. Identification The identification field in a datagram uniquely identifies the datagram. If a datagram is fragmented, it contains a value that identifies the datagram to which the fragment belongs. Some intrusions use an invalid Identification number. Select the check box and then type in the invalid number that the intrusion uses. Fragmentation A fragmentation flag identifies whether the IP datagram should be fragmented, not fragmented or is a reserved bit. Some intrusions can be identified by this flag. Select the check box and then select the flag that the intrusion uses. Fragmentation Offset When an IP datagram is fragmented, it is reassembled at the final destination. The fragmentation offset identifies where the fragment belongs in a set of fragments. Some intrusions use an invalid Fragmentation Offset number. Select the check box, select Equal, Smaller or Greater and then type in a number Time to Live Time to Live is a counter that decrements every time it passes through a router. When it reaches zero, the datagram is discarded. Usually it's used to set an upper limit on the number of routers a datagram can pass through. Some intrusions can be identified by the number in this field. Select the check box, select Equal, Smaller or Greater and then type in a number. IP Options IP options is a variable-length list of IP options for a datagram that define IP Security Option, IP Stream Identifier, (security and handling restrictions for the military), Record Route (have each router record its IP address), Loose Source Routing (specifies a list of IP addresses that must be traversed by the datagram), Strict Source Routing (specifies a list of IP addresses that must ONLY be traversed by the datagram), Timestamp (have each router record its IP address and time), End of IP List and No IP Options. IP Options can help identify some intrusions. Select the check box, then select an item from the list box that the intrusion uses Same IP Select the check box for the signature to check for packets that have the same source and destination IP addresses. Transport Protocol The following fields vary depending on whether you choose TCP, UDP or ICMP. Transport Protocol: TCP Port Select the check box and then enter the source and destination TCP port numbers that will trigger this signature. Flow If selected, the signature only applies to certain directions of the traffic flow and only to clients or servers. Select Flow and then select the identifying options.Established: The signature only checks for established TCP connectionsStateless: The signature is triggered regardless of the state of the stream processor (this is useful for packets that are designed to cause devices to crash)To Client: The signature only checks for server responses from A to B.To Server: The signature only checks for client requests from B to A.From Client:.The signature only checks for client requests from B to A.From Servers: The signature only checks for server responses from A to B.No Stream: The signature does not check rebuilt stream packets.Only Stream: The signature only checks rebuilt stream packets. Flags Select what TCP flag bits the signature should check. Sequence Number Use this field to check for a specific TCP sequence number. Ack Number Use this field to check for a specific TCP acknowledgement number. Window Size Use this field to check for a specific TCP window size. Transport Protocol: UDP Port Select the check box and then enter the source and destination UDP port numbers that will trigger this signature. Transport Protocol: ICMP Type Use this field to check for a specific ICMP type value. Code Use this field to check for a specific ICMP code value. ID Use this field to check for a specific ICMP ID value. This is useful for covert channel programs that use static ICMP fields when they communicate. Sequence Number Use this field to check for a specific ICMP sequence number. This is useful for covert channel programs that use static ICMP fields when they communicate. Payload Options The longer a payload option is, the more exact the match, the faster the signature processing. Therefore, if possible, it is recommended to have at least one payload option in your signature. Payload Size This field may be used to check for abnormally sized packets or for detecting buffer overflows.Select the check box, then select Equal, Smaller or Greater and then type the payload size.Stream rebuilt packets are not checked regardless of the size of the payload. Offset This field specifies where to start searching for a pattern within a packet. For example, an offset of 5 would start looking for the specified pattern after the first five bytes of the payload. Content Type the content that the signature should search for in the packet payload. Hexadecimal code entered between pipes is converted to ASCII. For example, you could represent the ampersand as either & or |26| (26 is the hexadecimal code for the ampersand). Case-insensitive Select this check box if content casing does NOT matter. Decode as URI A Uniform Resource Identifier (URI) is a string of characters for identifying an abstract or physical resource (RFC 2396). A resource can be anything that has identity, for example, an electronic document, an image, a service ("today's weather report for Taiwan"), a collection of other resources. An identifier is an object that can act as a reference to something that has identity. Example URIs are:ftp://ftp.is.co.za/rfc/rfc1808.txt; ftp scheme for File Transfer Protocol serviceshttp://www.math.uio.no/faq/compression-faq/part1.html; http scheme for Hypertext Transfer Protocol servicesmailto:mduerst@ifi.unizh.ch; mailto scheme for electronic mail addressestelnet://melvyl.ucop.edu/; telnet scheme for interactive services via the TELNET ProtocolSelect this check box for the signature to search for normalized URI fields. This means that if you are writing signatures that includes normalized content, such as %2 for directory traversals, these signatures will not be triggered because the content is normalized out of the URI buffer.For example, the URI:/scripts/..%c0%af../winnt/system32/cmd.exe?/c+verwill get normalized into:/winnt/system32/cmd.exe?/c+ver OK Click this button to save your changes to the ZyWALL and return to the summary screen. Cancel Click this button to return to the summary screen without saving any changes.
Applying Custom Signatures
After you create your custom signature, it becomes available in the IDP service group category in the IDP > Profile > Packet Inspection screen. Custom signatures have an SID from 9000000 to 9999999.
You can activate the signature, configure what action to take when a packet matches it and if it should generate a log or alert in a profile. Then bind the profile to a zone.
Verifying Custom Signatures
You should configure the signature to create a log when an `attack packet' matches the signature. (You may also want to configure an alert if the attack is more serious and needs more immediate attention.) After you apply the signature to a zone, you can see if it works by checking the logs (Maintenance > Logs > View Log).
All IDP signatures come under the IDP category. The Priority column shows warn for signatures that are configured to generate a log only. It shows critical for signatures that are configured to generate a log and alert. count is the number of attacks that occurred at that time. The Note column displays ACCESS FORWARD when no action is configured for the signature. It displays ACCESS DENIED if you configure the signature action to drop the packet. The destination port is the service port (NetBIOS in this case) that the attack tries to exploit.