Configure Intrusion Prevention System (IPS) in CSO

Intrusion prevention system (IPS) signatures are used to monitor and prevent intrusions. IPS compares traffic against signatures of known threats and blocks traffic when a threat is detected.

CSO provides predefined IPS signatures, IPS signature static groups, and IPS signature dynamic groups that you can use in IPS or exempt rules in an IPS profile. However, you cannot modify the predefined signatures and groups. CSO also lets you add customized IPS signatures, static groups, and dynamic groups.

CSO also provides predefined IPS profiles that contain predefined IPS rules, both of which can’t be modified. You can add customized profiles and add IPS or exempt rules to the profiles. You enable intrusion detection by referencing an IPS profile in a firewall policy intent and deploying the firewall policy.

Explanation of Procedure

The high-level workflow to configure IPS is as follows:

  1. Go to the IPS Signatures page (Configuration > IPS > IPS Signatures in Customer Portal), and review the predefined IPS signatures, signature static groups, and signature dynamic groups to determine if you need to use customized signatures, static groups, or dynamic groups. You can create customized signatures, static groups, or dynamic groups in two ways:
    • Clone a predefined IPS signature, static group, or dynamic group and then modify the cloned signature, static group, or dynamic group.

    • Add a customized signature, static group, or dynamic group by specifying the parameters from scratch.

    For more information, see About the IPS Signatures Page in the CSO Customer Portal User Guide (available on the CSO Documentation page).

  2. Go to the IPS Profiles page (Configuration > IPS > IPS Profiles in Customer Portal), and review the predefined IPS profiles to determine if you need to use customized IPS profiles and customized rules. You can create customized IPS profiles and rules in two ways:
  3. Use the IPS profile in a firewall policy intent and deploy the firewall policy. See Add and Deploy Firewall Policies.

Add IPS Profiles

Contrail Service Orchestration (CSO) contains predefined intrusion prevention system (IPS) profiles that you can use. You can also add customized IPS profiles from the Create IPS Profile page.

To add a customized IPS profile:

  1. Select Configuration > IPS > IPS Profiles.

    The IPS Profiles page appears.

  2. Click the add (+) icon.

    The Create IPS Profile page appears.

  3. Complete the configuration according to the guidelines in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  4. Click OK.

    You are returned to the IPS Profiles page and a confirmation message is displayed indicating that the IPS profile is added.

After you add an IPS profile, you can add one or more IPS or exempt rules to the profile, and then use the IPS profile in a firewall policy intent.

Table 1: Create IPS Profile Settings

Setting

Guideline

Name

Enter a unique name for the IPS profile that is a string of alphanumeric characters and some special characters (colon, hyphen, period, and underscore). No spaces are allowed and the maximum length is 255 characters.

Description

Enter a description for the IPS profile; the maximum length is 255 characters.

Add IPS or Exempt Rules to IPS Profiles

An IPS rule is used to protect your network from attacks by using attack objects to detect known and unknown attacks, based on stateful signature and protocol anomalies. In contrast, an exempt rule works in conjunction with an IPS rule to prevent unnecessary alarms from being generated. If traffic matches an IPS rule, the system attempts to match the traffic against the exempt rules before performing the action specified.

You can add intrusion prevention system (IPS) rules or exempt rules only to customized IPS profiles.

To add an IPS rule or an exempt rule to a customized IPS profile:

  1. Select Configuration > IPS > IPS Profiles.

    The IPS Profiles page appears.

  2. Click IPS-Profile-Name for the profile for which you want to add a rule.

    The IPS-Profile-Name page appears.

  3. You can add IPS rules and exempt rules from this page:
    • To add an IPS rule:

      1. Select Create > IPS Rule.

        The parameters for an IPS rule appear inline at the top of the page.

      2. Complete the configuration according to the guidelines in Table 2.

        Note:

        Fields marked with an asterisk (*) are mandatory.

      3. Click Save.

        The IPS rule is added and a confirmation message appears at the top of the page.

    • To add an exempt rule:

      1. Select Create > Exempt Rule.

        The parameters for an exempt rule appear inline at the top of the page.

      2. For exempt rules, you can configure only the following fields:

        • Rule Name

        • Description

        • IPS Signatures

        See Table 2 for an explanation of these fields.

      3. Click Save.

        The exempt rule is added and a confirmation message appears at the top of the page.

After adding IPS and exempt rules, you can use the IPS profile in a firewall policy intent and deploy the firewall policy, which deploys the IPS and exempt rules associated with the IPS profile.

Table 2: Add IPS Rule Settings

Setting

Guideline

[Name]

CSO generates a unique IPS rule name by default. You can modify the name if needed.

The name must begin with an alphanumeric character and can contain alphanumeric characters and some special characters (colons, hyphens, forward slashes, periods, and underscores); 63-character maximum.

[Description]

Enter a description for the IPS rule.

IPS Signatures

You can add one or more IPS signatures and IPS signature static and dynamic groups to be associated with the rule:

  1. Click inside the text box with the + icon.

    A list of IPS signatures and IPS signature static and dynamic groups appears.

  2. (Optional) Enter a search term and press Enter to filter the list of items displayed.

  3. Click a list item to add it to the IPS signatures and IPS signature static or dynamic groups associated with the rule.

  4. (Optional) Repeat the preceding step to add more signatures, static groups, and dynamic groups.

  5. Click the View more results link to view the full list of IPS signatures and IPS signature static and dynamic groups. The full list is displayed in the End Points panel on the right.

    To add one or more signatures, static groups, or dynamic groups:

    1. Mouse over a list item and select the check box that appears.

    2. Repeat the preceding step for the other signatures, static groups, or dynamic groups that you want to add.

    3. Click the check mark icon ( ✓ ) at the top of the End Points panel, and select Signatures.

      The signatures, static groups, or dynamic groups that you selected are added and displayed in the IPS Signatures field.

Actions

Select the action to be taken when the monitored traffic matches the attack objects specified in the rules:

  • No Action—No action is taken. Use this action to only generate logs for some traffic.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

  • Drop Connection—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address.

  • Close Client and Server—Closes the connection and sends a TCP reset (RST) packet to both the client and the server.

  • Close Client—Closes the connection and sends an RST packet to the client, but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server, but not to the client.

  • Recommended—Uses the action that Juniper Networks recommends when that attack is detected. All predefined attack objects have a default action associated with them.

  • DiffServ Marking—Assigns the specified differentiated services code point (DSCP) value to the packet in an attack and passes the packet on normally.

    When you select DiffServ Marking, you must enter a DSCP value as follows:

    1. Click the Code Point: Value hyperlink.

      The Code Point page appears.

    2. In the Code Point field, enter a DSCP value from 0 through 63.

    3. Click OK.

      You are returned to the previous page; the value that you entered is displayed

Additional Actions

In addition to the IPS action, you can configure one or more additional actions.

Notifications

When attacks are detected, you can choose to log the attack, create log records with attack information, and send that information to the log server.

To configure notifications:

  1. Click the Notification link.

    The Notification page appears.

  2. Complete the configuration according to the guidelines shown in Table 3.

  3. Click OK.

    You are returned to the previous page. A gear icon next to the Notification link indicates that you have configured notification settings.

IP Action

When attacks are detected, you can configure actions that you want IPS to take against future connections that use the same IP address.

To configure IP actions:

  1. Click the IP Action link.

    The IP Action page appears.

  2. Complete the configuration according to the guidelines shown in Table 4.

  3. Click OK.

    You are returned to the previous page. A gear icon next to the IP Action link indicates that you have configured IP action settings.

[Additional actions]

When attacks are detected, you can configure additional actions that you want CSO to take.

To configure additional actions:

  1. Click the Additional link.

    The Additional page appears.

  2. Complete the configuration according to the guidelines shown in Table 5.

  3. Click OK.

    You are returned to the previous page. A gear icon next to the Additional link indicates that you have configured additional settings.

Table 3: Notification Settings

Setting

Guideline

Attack Logging

Click the toggle button to enable an attack to be logged when it is detected. By default, attack logging is disabled.

Alert Flag

If you enabled attack logging, click the toggle button to enable an alert flag to be set in the attack log. This field is disabled by default.

Log Packets

Click the toggle button to enable the logging of packets when an attack is detected. When you enable this field, the Packets Before, Packets After, or Post Window Timeout fields appear and you must specify at least one field.

By default, packets are not logged when an attack is detected.

In response to a rule match, you can capture the packets received before and after the attack for further offline analysis of attacker behavior. You can configure the number of pre-attack and post-attack packets to be captured for this attack, and limit the duration of post-attack packet capture by specifying a timeout value.

Packets Before

Specify the number of packets received before an attack that should be captured for further analysis of the behavior of the attack.

Range: 1 through 255.

Packets After

Specify the number of packets received after an attack that should be captured for further analysis of attacker behavior.

Range: 1 through 255.

Post Window Timeout

Specify a time limit (in seconds) for capturing packets received after an attack. No packets are captured after the specified timeout has elapsed.

Range: 1 through 1800.
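
The naming rules, value ranges and field dependencies from Tables 1 to 3 can be checked before a profile is entered in the portal. The following Python is an added example, not CSO or Juniper code; the dictionary layout and its key names are hypothetical, and "alphanumeric" is assumed to mean ASCII letters and digits.

```python
import re

# Limits and character sets as stated in Tables 1 to 3 of this page.
PROFILE_NAME = re.compile(r"[A-Za-z0-9:._-]{1,255}")
RULE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9:/._-]{0,62}")
EXEMPT_FIELDS = {"type", "name", "description", "signatures"}
CAPTURE = {"packets_before": 255, "packets_after": 255, "post_window_timeout": 1800}

def validate_rule(rule):
    """Return the problems found in one rule dict (hypothetical schema)."""
    errors = []
    if not RULE_NAME.fullmatch(rule.get("name", "")):
        errors.append("name: start alphanumeric; only : - / . _ allowed; max 63")
    if rule.get("type") == "exempt":  # only name, description, signatures apply
        extra = sorted(set(rule) - EXEMPT_FIELDS)
        return errors + [f"exempt rule cannot set: {field}" for field in extra]
    if rule.get("action") == "DiffServ Marking" and rule.get("code_point") not in range(64):
        errors.append("code_point: DSCP value 0 through 63 is required")
    note = rule.get("notification", {})
    if note.get("alert_flag") and not note.get("attack_logging"):
        errors.append("alert_flag: needs attack_logging enabled")
    if note.get("log_packets"):
        given = [key for key in CAPTURE if key in note]
        if not given:
            errors.append("log_packets: set at least one capture field")
        for key in given:  # every capture field has a lower bound of 1
            if note[key] not in range(1, CAPTURE[key] + 1):
                errors.append(f"{key}: must be 1 through {CAPTURE[key]}")
    return errors

def validate_profile(profile):
    """Check the profile name and every rule; returns {name: [problems]}."""
    report = {}
    if not PROFILE_NAME.fullmatch(profile.get("name", "")):
        report["<profile>"] = ["name: alphanumerics and : - . _ only; max 255"]
    for rule in profile.get("rules", []):
        problems = validate_rule(rule)
        if problems:
            report[rule.get("name", "<unnamed>")] = problems
    return report

# Constructed sample: one IPS rule and one exempt rule, both with mistakes.
SAMPLE = {"name": "branch-ips_v1", "rules": [
    {"type": "ips", "name": "web/rule-1", "action": "DiffServ Marking", "code_point": 64,
     "notification": {"alert_flag": True, "log_packets": True}},
    {"type": "exempt", "name": "-scanner", "action": "Drop Packet"}]}

print(validate_profile(SAMPLE))
```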

Table 4: IP Action Settings

Setting

Guideline

IP Action

Select the action to be taken on future connections that use the same IP address:

Note:

If there is an IP action match with more than one rule, then the most severe IP action of all the matched rules is applied. In decreasing order of severity, the actions are block, close, and notify.

  • None—Do not take any action, which is the default setting. This is similar to not configuring the IP action.

  • IP Notify—Don’t take any action on future traffic but log the event.

  • IP Close—Close future connections of new sessions that match the IP address by sending RST packets to the client and server.

  • IP Block—Block future connections of any session that matches the IP address.

IP Target

Specify how the traffic should be matched for the configured IP actions:

  • None—Do not match any traffic.

  • Destination Address—Match traffic based on the destination IP address of the attack traffic.

  • Service—For TCP and UDP, match traffic based on the source IP address, source port, destination IP address, and destination port of the attack traffic.

  • Source Address—Match traffic based on the source IP address of the attack traffic.

  • Source Zone—Match traffic based on the source zone of the attack traffic.

  • Source Zone Address—Match traffic based on the source zone and source IP address of the attack traffic.

  • Zone Service—Match traffic based on the source zone, destination IP address, destination port, and protocol of the attack traffic.

Refresh Timeout

Click the toggle button to enable the refresh of the IP action timeout (that you specify in the Timeout Value field) if future traffic matches the IP actions configured. This setting is disabled by default.

Timeout Value

Configure the time (in seconds) that you want the IP action to remain in effect. For example, if you configure a timeout of 3600 seconds (1 hour) and traffic matches the IP actions configured, the IP action remains in effect for 1 hour.

Range: 0 through 64,800 seconds.

Log Taken

Click the toggle button to enable the logging of information about the IP action against the traffic that matches a rule. This setting is disabled by default.

Log Creation

Click the toggle button to enable the generation of an event when the IP action filter is triggered. This setting is disabled by default.

Table 5: Additional Settings

Setting

Guideline

Severity

Select a severity level (None, Critical, Info, Major, Minor, Warning) to override the inherited attack severity in the rules.

Critical is the most dangerous level: attacks at this level attempt to crash your server or gain control of your network. Informational is the least dangerous level and is used by network administrators to discover holes in their security systems.

Terminal

Click the toggle button to enable the marking of the IPS rule as terminal. When a terminal rule is matched, the device stops matching for the rest of the rules in that IPS profile. This setting is disabled by default.
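
How exempt rules, terminal rules and the IP action severity order interact is easier to see when modeled. This is an added, simplified model in Python, not device or CSO code; it assumes rules are tried in list order and that an exempt rule suppresses a match on the signatures it lists, and all rule and signature names are constructed.

```python
from dataclasses import dataclass

# Severity order from the note in Table 4: block, then close, then notify.
IP_ACTION_SEVERITY = {"None": 0, "IP Notify": 1, "IP Close": 2, "IP Block": 3}

@dataclass(frozen=True)
class Rule:
    name: str
    signatures: frozenset
    action: str = "Recommended"
    ip_action: str = "None"
    terminal: bool = False

def evaluate(ips_rules, exempt_rules, detected):
    """Return (names of rules whose action applies, resulting IP action)."""
    exempted = frozenset().union(*exempt_rules)
    matched = []
    for rule in ips_rules:  # assumption: rules are tried in list order
        if not (rule.signatures & detected) - exempted:
            continue  # no match, or every match is covered by an exempt rule
        matched.append(rule)
        if rule.terminal:  # terminal match: stop matching the remaining rules
            break
    # With several matched rules, the most severe IP action is the one applied.
    ip_action = max((r.ip_action for r in matched),
                    key=IP_ACTION_SEVERITY.get, default="None")
    return [r.name for r in matched], ip_action

# Constructed profile; the signature names are placeholders, not real signatures.
IPS_RULES = [
    Rule("log-only", frozenset({"SIG-A"}), "No Action", "IP Notify"),
    Rule("reset-web", frozenset({"SIG-A", "SIG-B"}), "Close Client", "IP Close",
         terminal=True),
    Rule("block-src", frozenset({"SIG-A", "SIG-C"}), "Drop Connection", "IP Block"),
]
EXEMPT_RULES = [frozenset({"SIG-B"})]  # exempt rules carry only signatures

if __name__ == "__main__":
    for attacks in ({"SIG-A"}, {"SIG-B"}, {"SIG-C"}):
        print(sorted(attacks), evaluate(IPS_RULES, EXEMPT_RULES, attacks))
```

With this constructed profile, SIG-A results in IP Close rather than IP Block, because the terminal rule stops matching before block-src is reached.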