IPS
Overview
This chapter introduces packet inspection IPS (Intrusion Prevention System), custom signatures, and updating signatures. An IPS system can detect malicious or suspicious packets and respond instantaneously by rejecting or dropping the packets. The Zyxel Device IPS protects your network against network-based intrusions.
• Use the Security Service > IPS screen (The IPS Screen) to view registration and signature information.
• Use the Security Service > IPS > Allow List screen (The Allow List Screen) to list signatures that will be exempted from IPS inspection.
What You Need To Know
Packet Inspection Signatures
A signature is a pattern of malicious or suspicious packet activity. You can specify an action to be taken if the system matches a stream of data to a malicious signature. You can change the action in the profile screens. Packet inspection examine OSI (Open System Interconnection) layer-4 to layer-7 packet contents for malicious data. Generally, packet inspection signatures are created for known attacks while anomaly detection looks for abnormal behavior.
Rate Based Signatures
While IPS signatures have the Zyxel Device respond instantaneously, Rate Based Signatures are IPS signatures that allow the Zyxel Device to just respond after a number of occurrences (Count) within a certain time period (Period) you set.
Applying Your IPS Configuration
Changes to the Zyxel Device’s IPS settings affect new sessions, but not the sessions that already existed before you applied the new settings.
Before You Begin
Register for a trial IPS license in the Licenses screen. This gives you access to free signature updates. This is important as new signatures are created as new attacks evolve. When the trial license expires, purchase and enter a license key using the same screens to renew the license.
The IPS Screen
An IPS profile is a set of packet inspection signatures.
Use this screen to view signature information.
If a license has expired, you will see a reminder in this screen. You need to renew the license in order to keep using the feature. Click Buy Now to go to Marketplace to purchase a new license. Click See Details to go to the Zyxel web page to find more information on licenses for your Zyxel Device. 
You must register for the IPS signature service (at least the trial) before you can use it. See the Licensing screens. The following table describes the fields in this screen.
label | Description |
|---|---|
General Settings | |
Enable | Click the switch to the right to activate the IPS feature which detects and prevents malicious or suspicious packets and responds instantaneously. |
Statistics | Click the switch to the right to have the Zyxel Device collect IPS statistics. All of the statistics are erased if you restart the Zyxel Device or click Flush Data in Security Statistics > IPS. |
Scan Mode | |
Prevention | Select this to have the Zyxel Device perform a user-specified action when a stream of data matches a malicious signature. |
Detection | Select this to have the Zyxel Device only create a log message when a stream of data matches a malicious signature. |
Query Signatures | |
Name | Type the name or part of the name of the signature(s) you want to find. |
Signature ID | Type the ID or part of the ID of the signature(s) you want to find. |
Advanced Settings | Configure these settings for more advanced queries. |
Severity | Search for signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands. Severe (16): These denote attacks that try to run arbitrary code or gain system privileges. High (8): These denote known serious vulnerabilities or attacks that are probably not false alarms. Medium (4): These denote medium threats, access control attacks or attacks that could be false alarms. Low (2): These denote mild threats or attacks that could be false alarms. Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. |
Classification | Search for signatures by attack type(s) . |
Platform | Search for signatures created to prevent intrusions targeting specific operating system(s). |
Service | Search for signatures by IPS service group(s). |
Action | Search for signatures by the response the Zyxel Device takes when a packet matches a signature. |
Activation | Search for activated and/or inactivated signatures here. |
Log | Search for signatures by log option here. |
Query Result | The results are displayed in a table showing the Status, SID, Name, Severity, Classification, Platform, Service, Log, and Action criteria as selected in the search. Click the SID column header to sort search results by signature ID. |
Rate Based Signature | IPS signatures identify traffic packets with suspicious malicious patterns. The Zyxel Device can then respond instantaneously according to the action you define. If you do not want the Zyxel Device to respond instantaneously for each suspicious packet detected, use rate based signatures to only respond after a number of occurrences (Count) within a certain time period (Period). See What You Need To Know for more information on rate based signatures. |
Edit | Select an entry and click Edit to modify the entry’s settings. |
Active | To turn on an entry, select it and click Activate. |
Inactive | To turn off an entry, select it and click Inactivate. |
Log | To edit an item’s log option, select it and use the Log icon. Select whether to have the Zyxel Device generate a log (log), log and alert (log alert) or neither (no) when a packet matches a signature. |
Action | To edit what action the Zyxel Device takes when a packet matches a signature, select the entry and use the Action icon. none: Select this action to have the Zyxel Device take no action when a packet matches a signature. drop: Select this action to have the Zyxel Device silently drop a packet that matches a signature. Neither sender nor receiver are notified. reject: Select this action to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. |
# | This is the entry’s index number in the list. |
Status | The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive. |
SID | SID is the signature ID that uniquely identifies a signature. Click the SID header to sort signatures in ascending or descending order. |
Name | This is the name of your rate-based signature. The name is the type of attack the Zyxel Device can identify. |
Severity | This field displays signatures by severity level(s). Hold down the [Ctrl] key if you want to make multiple selections. These are the severities as defined in the Zyxel Device. The number in brackets is the number you use if using commands. Severe (5): These denote attacks that try to run arbitrary code or gain system privileges. High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms. Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms. Low (2): These denote mild threats or attacks that could be false alarms. Very-Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc. |
Classification | This field displays signatures by attack types . |
Platform | This field displays signatures created to prevent intrusions targeting specific operating system(s). Hold down the [Ctrl] key if you want to make multiple selections. |
Service | This field displays signatures by IPS service group(s). Hold down the [Ctrl] key if you want to make multiple selections. |
Log | This fields displays the log action the Zyxel Device takes when a packet matches a signature. log- The Zyxel Device generates a log. log an alert- The Zyxel Device generates a log and alerts the users. no- The Zyxel Device will neither generate a log nor alert the users. |
Action | This field displays the response the Zyxel Device takes when a packet matches a signature. Hold down the [Ctrl] key if you want to make multiple selections. none: Select this action to have the Zyxel Device take no action when a packet matches a signature. drop: Select this action to have the Zyxel Device silently drop a packet that matches a signature. Neither sender nor receiver are notified. reject: Select this action to have the Zyxel Device send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the Zyxel Device will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the Zyxel Device will send an ICMP unreachable packet. |
Period (sec) | Type the length of time in seconds the event should occur a Count number of times to trigger an IPS Action. For example, Count is set to 5, and Period is set to 60. If the Zyxel Device detects more than 5 occurrences of malicious traffic in less than 60 seconds, then an IPS Action is triggered. |
Count | Type the number of security events that need to occur within the defined Period in order to trigger an IPS Action. The allowed range is 1 to 300. |
Block Period | This field displays the time period the attacker’s IP will be blocked. Click on the number in this column to set the value from 0 to 86400 seconds. 0 means that the IP will not be blocked. |
Signature Information | The following fields display information on the current signature set that the Zyxel Device is using. |
Current Version | This field displays the IPS signature set version number. This number gets larger as the set is enhanced. |
Update Signatures | Click this link to go to the screen you can use to download signatures from the update server. |
Classifications
This table describes attack Classifications as categorized in the Zyxel Device.
Policy Type | Description |
|---|---|
Any | Any attack includes all other kinds of attacks that are not specified in the policy such as password, spoof, hijack, phishing, and close-in. |
Misc | Miscellaneous attacks takes advantage of vulnerable computer networks and web servers by forcing cache servers or web browsers into disclosing user-specific information that might be sensitive and confidential. The most common type of Misc. attacks are HTTP Response Smuggling, HTTP Response Splitting and JSON Hijacking. |
Web-Attacks | Web attacks refer to attacks on web servers such as IIS (Internet Information Services). |
Buffer Overflow | A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. The excess information can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Intruders could run codes in the overflow buffer region to obtain control of the system, install a backdoor or use the victim to launch attacks on other devices. |
Backdoor/Trojan Horse | A backdoor (also called a trapdoor) is hidden software or a hardware mechanism that can be triggered to gain access to a program, online service or an entire computer system. A Trojan horse is a harmful program that is hidden inside apparently harmless programs or data. Although a virus, a worm and a Trojan are different types of attacks, they can be blended into one attack. For example, W32/Blaster and W32/Sasser are blended attacks that feature a combination of a worm and a Trojan. |
Access Control | Access control refers to procedures and controls that limit or detect access. Access control attacks try to bypass validation checks in order to access network resources such as servers, directories, and files. |
P2P | Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server. In the Zyxel Device, P2P refers to peer-to-peer applications such as e-Mule, e-Donkey, BitTorrent, iMesh, etc. |
IM | IM (Instant Messenger) refers to chat applications. Chat is real-time, text-based communication between two or more users via networks-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants. |
Virus/Worm | A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a program that is designed to copy itself from one computer to another on a network. A worm’s uncontrolled replication consumes system resources, thus slowing or stopping other tasks. |
BotNet | A Botnet is a number of Internet computers that have been set up to forward transmissions including spam or viruses to other computers on the Internet though their owners are unaware of it. It is also a collection of Internet-connected programs communicating with other similar programs in order to perform tasks and participate in distributed Denial-Of-Service attacks. |
DoS-DDoS | The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system. |
Scan | A scan describes the action of searching a network for an exposed service. An attack may then occur once a vulnerability has been found. Scans occur on several network levels. A network scan occurs at layer-3. For example, an attacker looks for network devices such as a router or server running in an IP network. A scan on a protocol is commonly referred to as a layer-4 scan. For example, once an attacker has found a live end system, he looks for open ports. A scan on a service is commonly referred to a layer-7 scan. For example, once an attacker has found an open port, say port 80 on a server, he determines that it is a HTTP service run by some web server application. He then uses a web vulnerability scanner (for example, Nikto) to look for documented vulnerabilities. |
File Transfer | File transfer is a protocol to transfer files over the Internet. An attack may then occur if you’re transferring files over an unsecured connection. Personal data stored in the files uploaded can also be easily accessed by attackers if these files are not encrypted. |
Mail | A Mail or email bombing attack involves sending several thousand identical messages to an electronic mailbox in order to overflow it, making it unusable. |
Stream Media | A Stream Media attack occurs when a malicious network node downloads an overwhelming amount of media stream data that could potentially exhaust the entire system. This method allows users to send small requests messages that result in the streaming of large media objects, providing an opportunity for malicious users to exhaust resources in the system with little effort expended on their part. |
Tunnel | A Tunneling attack involves sending IPv6 traffic over IPv4, slipping viruses, worms and spyware through the network using secret tunnels. This method infiltrates standard security measures through IPv6 tunnels, passing through IPv4 undetected. An external signal then triggers the malware to spring to life and wreak havoc from inside the network. |
ACL | This attack is a violation of an ACL (Access Control List) rule. These are packet filter rules that check source, destination IP addresses / ports, and routing information in the packet. |
IPS Service Groups
An IPS service group is a set of related packet inspection signatures.
WEB_PHP | WEB_MISC | WEB_IIS | WEB_FRONTPAGE |
WEB_CGI | WEB_ATTACKS | TFTP | TELNET |
SQL | SNMP | SMTP | RSERVICES |
RPC | POP3 | POP2 | P2P |
ORACLE | NNTP | NETBIOS | MYSQL |
MISC_EXPLOIT | MISC_DDOS | MISC_BACKDOOR | MISC |
IMAP | IM | ICMP | FTP |
FINGER | DNS | n/a |
The Allow List Screen
Use this screen to exempt packets with these signatures from IPS inspection. The Zyxel Device will exclude incoming packets with the listed signature(s) from being intercepted and inspected.
Use Add to put a new item in the list or Edit to change an existing one or Remove to delete an existing entry.
The following table describes the fields in this screen.
LABEL | Description |
|---|---|
Rule Summary | |
Add | Click this to create a new entry. |
Edit | Select an entry and click this to be able to modify it. |
Remove | Select an entry and click this to delete it. |
# | This is the entry’s index number in the list. |
Signature ID | This field displays the signature ID of this entry. |
Signature Name | This field displays the signature name of this entry. |
The Zyxel Device IPS protects your network against network-based intrusions.