
FortiOS 4.0: IDS/IPS


FortiGate IPS
The FortiGate IPS detects intrusions by using attack signatures for known
intrusion methods, and detects anomalies in network traffic to identify
new or unknown intrusions. Not only can the IPS detect and log attacks,
but users can choose actions to take on the session when an attack is
detected.

FortiOS IPS offers a wide range of tools so that you can monitor and
block malicious activity. These tools are predefined signatures, out-of-
band mode (or one-arm IPS mode), protocol decoders, custom signature
entries, packet logging, and IPS sensors.

FortiGate IDS (one-arm IPS mode)
In this mode FortiOS IPS operates as an Intrusion Detection System (IDS): it detects attacks and reports them, but takes no action against them.
The unit does not process network traffic. Instead, a FortiGate interface operates in sniffer mode and is connected to a spanning or mirrored port of a switch that carries all of the traffic to be analyzed.
FortiGate IPS General Overview
The FortiGate IPS is composed of several tools that can be used to monitor and block malicious activity:

Predefined signatures
Custom Signatures
Protocol Decoders

Predefined Signatures:
Predefined signatures are delivered to FortiOS through the FortiGuard network.

These signatures are used to detect attacks. FortiOS supports more than 4000 attack signatures, covering everything from attacks against unpatched operating system vulnerabilities to invalid checksums in UDP packets.

Custom Signatures:

Custom signatures provide the ability to customize the FortiGate IPS engine to meet diverse network environments.

Custom signatures can be developed to protect specialized environments or custom applications.



Protocol decoders:

Before examining network traffic, the IPS engine uses protocol decoders to identify each protocol appearing in the traffic.

Attacks are protocol-specific, so the FortiGate unit conserves resources by looking for attacks only in the protocols used to transmit them. For example, the FortiGate examines only HTTP traffic for the presence of a signature describing an HTTP attack.


FortiGate IPS Engine
Once the protocol decoders have separated the network traffic by protocol, the IPS engine examines the traffic for the attack signatures.

IPS sensors
The IPS engine does not, however, examine network traffic for all signatures. You must first create an IPS sensor and specify which signatures are included. Signatures are added to sensors individually using signature entries, or in groups using IPS filters.

FortiGate IPS filters
A filter is a collection of signature attributes that you specify. Only the signatures that have all of the attributes specified in a filter are included by that filter.

For example, if your FortiGate unit protects a Linux server running the Apache web server software, you could create a new filter to protect it. By setting OS to Linux and Application to Apache, the filter includes only the signatures that apply to both Linux and Apache. If instead you wanted to scan for all the Linux signatures and all the Apache signatures, you would create two filters, one for each attribute.
FortiGate IPS Tuning
Network Design Considerations:

Trusted vs Non-Trusted Networks
Number of Protected Segments
Physical Media (Copper or Fiber)
Operating Systems / Databases / Applications
Traffic Distribution

Reduce the number of signatures used to analyze traffic that will never represent an issue, for example analyzing traffic from a network segment that contains only Windows servers with signatures written for Linux.

Trusted vs Non-Trusted Networks

Apply IPS sensors to networks carrying non-encrypted information.
Never apply IPS sensors that you are not willing to monitor or tune.
Try to restrict IPS inspection to important traffic (consider firewall vs. IPS performance).
Number of Protected Segments

Try to define an IPS sensor for each network segment you are willing to inspect.
As every network segment is different, each IPS sensor should be different.

Operating Systems / Applications / Databases

Tune each IPS sensor according to the operating system being protected.
Tune each IPS sensor according to the application or database being protected.
FortiGuard Intrusion Prevention Service
Provides customers with the latest defenses against stealthy network-level threats. It uses a customizable database of more than 4000 known threats to enable FortiGate and FortiWiFi appliances.

It also provides behavior-based heuristics, enabling the system to recognize threats for which no signature has yet been developed.
General Configuration Steps
1. Create an IPS sensor.

2. Add filters and/or predefined signatures and custom signatures to the sensor.

3. Select a security policy or create a new one.

4. In the security policy, turn on IPS and choose the IPS sensor from the list.
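The filter semantics described earlier (a single filter includes only signatures that carry all of its attributes; two separate filters give the union) and the four configuration steps above, worked through on the FortiOS CLI. This is an added example, not configuration from the original slides or from Fortinet. The sensor name, filter names, interface and address object names, and the policy ID are assumed; the keyword spelling (config filter inside the sensor, utm-status and ips-sensor in the firewall policy) follows FortiOS 4.0 MR2-era syntax and should be checked against the CLI reference for the exact release in use.

```fortios
# Step 1 + 2: create the sensor and populate it with filters.
# Names "web-dmz-ips", "linux-apache", "all-linux", "all-apache" are assumed.
config ips sensor
    edit "web-dmz-ips"
        set comment "Tuned for the Linux/Apache web segment"
        config filter
            # One filter = AND of its attributes: only signatures tagged
            # BOTH os=Linux AND application=Apache are included.
            edit "linux-apache"
                set os Linux
                set application Apache
                set status enable
                set action block      # drop the session when a signature matches
                set log enable        # always log what a blocking filter hits
            next
        end
    next

    # Alternative sensor showing the union case: two filters, each with a
    # single attribute, include every Linux signature plus every Apache one.
    edit "web-dmz-ips-broad"
        config filter
            edit "all-linux"
                set os Linux
                set status enable
                set action pass       # detect-only while the broader set is tuned
                set log enable
            next
            edit "all-apache"
                set application Apache
                set status enable
                set action pass
                set log enable
            next
        end
    next
end

# Step 3 + 4: attach the tuned sensor to the policy that carries the traffic.
# Policy ID 10, interfaces "wan1"/"dmz" and address object "web-servers" are assumed.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-servers"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable          # turn on IPS for this policy
        set ips-sensor "web-dmz-ips"   # choose the sensor from the list
    next
end
```

Applying the narrow "linux-apache" sensor to the web policy follows the tuning guidance on the previous slides: only signatures relevant to the protected OS and application are evaluated, so Windows-only or database-only signatures never consume IPS resources on this segment. The broad sensor is kept in pass mode so that its extra hits show up in the logs for review before any of them are promoted to a blocking filter.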

For More Information
http://kb.fortinet.com
(Knowledge base)

http://docs.fortinet.com/fos50hlp/50/index.html
(Handbook)

http://docs.fortinet.com/cb/fortigate-cookbook.pdf
(Cookbook)

http://www.fortiguard.com/
