
CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Understanding IPS

Concepts

Before understanding IPS, you need to understand functions of the IPS signature database, IPS signature, and Security Center Platform.
  • IPS signature database: A database developed by Huawei after analyzing various common intrusion behaviors. The IPS signature database defines the characteristics of these intrusion behaviors and assigns a unique intrusion behavior ID to each kind of intrusion behavior. After the IPS signature database is loaded, the device can identify the intrusion behaviors defined in the database.
  • Security Center Platform: A server provided by Huawei (domain name sec.huawei.com) that offers IPS signature database upgrade services to customers who have purchased a license. For information about upgrading the IPS signature database, see IPS Signature Database Upgrade.
  • IPS signature:

    The IPS signature is used to describe the characteristics of the intrusion behavior on the network. The device can detect and defend against attacks from the intrusion behavior by comparing packet contents with IPS signatures.

    IPS signatures include predefined signatures and user-defined signatures.

    • Predefined signatures

      Predefined signatures are a large number of signatures that are predefined by the system. A predefined signature presets the default action of the signature as blocking or alarm. Administrators can prevent or block intrusion behaviors based on the predefined signatures.

      The device is loaded with the IPS signature database before delivery. To identify the latest intrusion behaviors in real time, you can purchase and activate a license. The IPS signature database updates on time. You can continuously obtain the latest IPS signature database from the Security Center Platform to ensure timely response to new intrusion behaviors.

    • User-defined signatures

      User-defined signatures are created by the administrator according to the characteristics of intrusion behaviors. The administrator creates such signatures in the following scenarios:
      • When the administrator wants to reject or record a certain behavior that is not included in the predefined signatures. For example, when the administrator wants to forbid staff to transmit executable files (which are prone to viruses) but blocking executable files is not defined in the predefined signatures, the administrator can create a signature according to the behavior characteristics, set the action to block, and import the created signature into the configuration file.
      • When the network is undergoing an attack but the IPS signature database has not been updated, the administrator can create a signature for the attack according to the attack characteristics. After the IPS signature database is updated, the created signature takes effect.
You can use the signature filter to manage user-defined signatures, and use the exception signatures to manage user-defined signatures and IPS signatures.
  • Signature filter

    After updates, the signature database contains a very large number of signatures. By analyzing the features of common threats, you can summarize the signatures that contain these features and add them to a signature filter.

    A signature filter is a collection of signatures that meet specified filtering conditions. Filtering conditions of the signature filter include the signature category, target, protocol, severity, and operating system. Only signatures that meet all filtering conditions are added to the signature filter. For example, if only HTTP packets need to be defended against, configure only the HTTP protocol as the filtering condition; every signature that meets this condition is then added to the signature filter.

    The action of a signature filter can be Block, Alert, or Default (use the default actions of signatures). The action of a signature filter has a higher priority than the default actions of signatures in the filter.

    Signature filters configured earlier have higher priorities. If two signature filters in one security profile contain the same signature, packets matching the signature are processed according to the signature filter configured earlier.

  • Exception signature

    To facilitate management, the signature filter filters signatures in batches. If administrators need to configure actions for some signatures different from actions of the signature filter, they can add the signatures to exception signatures and configure actions for the signatures independently. For example, when detecting an attack through logs, the administrator can add the signature that matches the attack to exception signatures and configure a block action for the signature.

    The action of a signature exception can be Block, Alert, or Allow.

    The action of a signature exception has a higher priority than that of a signature filter. If a signature matches a signature exception and a signature filter, the action of the signature exception takes effect.

    For example, the action for a batch of signatures in the signature filter is Block, and the device blocks R&D software requested by an employee. The log indicates that the R&D software matched a signature in the signature filter and was blocked because of a false positive. In such cases, add the signature as an exception and set its action to Allow.

IPS Signature Database Upgrade

The IPS signature database supports incremental online upgrade. Services are not affected during the online upgrade. After the IPS signature database is upgraded, the system automatically switches the IPS signature database version, and the device does not need to be restarted. If an error occurs during the IPS signature database upgrade and causes an upgrade failure, the system automatically rolls back to the previous IPS signature database version, and normal services are not affected.

To ensure timely response to new intrusion behaviors, the IPS signature database on the Security Center Platform updates in real time. You can use the Security Center Platform upgrade method or local upgrade method to obtain the latest IPS signature database upgrade package from the Security Center Platform, achieving the best protection effect against intrusions.

  • Online upgrade:
    • If the device can access the Security Center Platform, you can upgrade through the Security Center Platform.
    • If the device cannot access the Security Center Platform but an internal upgrade server can, you can upgrade through the internal server.

      You can use the internal upgrade server to connect to the Security Center Platform to obtain the IPS signature database, and use the internal upgrade server to upload the upgrade file to the device for the IPS signature database upgrade.

    You can upgrade online periodically or immediately.
    • Scheduled upgrade: You only need to specify a fixed time for the scheduled upgrade; the IPS signature database then updates automatically and in time. To avoid upgrade failures caused by bad network conditions, you are advised to set the upgrade time to a period when network traffic is low.
    • Immediate upgrade: When administrators detect new attacks on the network and the configured upgrade time is not reached, the upgrade is performed immediately so that the device can defend against new attacks.
  • Local upgrade: When the device cannot be connected to the Security Center Platform through the network, you can log in to the Security Center Platform to download the latest IPS signature database upgrade package, save the package to a local PC, and then upload the upgrade file to the device through FTP, TFTP, or web to upgrade the IPS signature database.

Traffic Processing Flow

An intrusion prevention profile contains multiple signature filters and exception signatures.

Figure 7-6 shows the relationship between signatures, signature filters, and exception signatures. In this example, a01, a02, and a03 are predefined signatures, and a04 is a user-defined signature. Two signature filters are configured in the profile. Signature filter 1 filters signatures a01 and a02, whose protocol is HTTP and whose other filtering conditions are set to condition A; the action for signature filter 1 is the default action of the signatures. Signature filter 2 filters a03 and a04, whose protocol is HTTP or UDP and whose other filtering conditions are set to condition B; the action for signature filter 2 is alert. In addition, two exception signatures are configured in the profile. Exception signature 1 sets the action for a02 to alert, and exception signature 2 sets the action for a04 to block.

The actual action for a signature is jointly determined by the default action for the signature, action for the signature filter, and action for the exception signature. For details, see Actual action in Figure 7-6.

Figure 7-6  Relationship between signatures, signature filters, and exception signatures

When a data flow matches the intrusion prevention profile, the device sends the data flow to the intrusion prevention module to match the signatures referenced by the profile one by one. Figure 7-7 shows the traffic processing flow.

Figure 7-7  Traffic processing flow

NOTE:

When a packet matches multiple signatures, the actual action for the packet is as follows:

  • If the actions for all the matched signatures are Alert, the action for the packet is Alert.
  • If the action for any matched signature is Block, the action for the packet is Block.

When a data flow matches multiple signature filters, the action for the signature filter with the highest priority is performed on the data flow.

Using signatures in Figure 7-6 as an example, assume that a packet matches signature a02 in exception signature 1. According to the processing flow, the action for exception signature 1 is Alert, not Block. Then the packet continues to match the signature filter. Assume that the packet matches signature a04 in signature filter 2. The action for signature filter 2 is Block. Then the actual action for the packet is Block. That is, the device discards the packet.
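The precedence rules described in the Concepts section and in the traffic processing flow above (an exception signature overrides a signature filter, an earlier-configured filter overrides a later one, a filter action of Default falls back to the signature's own default, and a packet that matches several signatures is blocked if any matched signature is Block) can be written out as a small Python model. This is an added example, not Huawei's code or the device's implementation. The signature attributes, the single `condition` field standing in for the page's "condition A"/"condition B" (real filters also use category, target, severity, and OS), the default actions, and the Allow fallback in `packet_action` are constructed assumptions; the profile below is modelled on the Figure 7-6 description.

```python
from dataclasses import dataclass

BLOCK, ALERT, ALLOW, DEFAULT = "Block", "Alert", "Allow", "Default"


@dataclass(frozen=True)
class Signature:
    sig_id: str
    protocol: str        # protocol the signature applies to, e.g. "HTTP" or "UDP"
    condition: str       # stands in for the page's "condition A"/"condition B"
    default_action: str  # default action preset for the signature (constructed)


@dataclass
class SignatureFilter:
    name: str
    protocols: frozenset  # protocol set of the filter
    condition: str        # every other filtering condition must match as well
    action: str           # BLOCK, ALERT, or DEFAULT (use the signature's own default)

    def matches(self, sig: Signature) -> bool:
        # A signature is added to the filter only if it meets all filtering conditions.
        return sig.protocol in self.protocols and sig.condition == self.condition


@dataclass
class IPSProfile:
    filters: list     # configuration order: earlier filters have higher priority
    exceptions: dict  # sig_id -> BLOCK / ALERT / ALLOW

    def action_for(self, sig: Signature):
        """Actual action for one signature, or None if the profile does not reference it."""
        # An exception signature has a higher priority than any signature filter.
        if sig.sig_id in self.exceptions:
            return self.exceptions[sig.sig_id]
        # Otherwise the earliest configured filter that contains the signature decides.
        for f in self.filters:
            if f.matches(sig):
                return sig.default_action if f.action == DEFAULT else f.action
        return None


def packet_action(profile: IPSProfile, matched: list) -> str:
    """Combine the actions of all signatures one packet matched.

    The page states only the Block/Alert rules; returning Allow when no matched
    signature is Block or Alert is this example's assumption.
    """
    actions = {profile.action_for(sig) for sig in matched}
    if BLOCK in actions:
        return BLOCK   # any Block wins
    if ALERT in actions:
        return ALERT   # otherwise all effective matches are Alert
    return ALLOW


# Constructed signatures modelled on Figure 7-6: a01-a03 predefined, a04 user-defined.
A01 = Signature("a01", "HTTP", "A", BLOCK)
A02 = Signature("a02", "HTTP", "A", BLOCK)
A03 = Signature("a03", "UDP", "B", ALERT)
A04 = Signature("a04", "HTTP", "B", ALERT)

FIGURE_7_6 = IPSProfile(
    filters=[
        SignatureFilter("filter1", frozenset({"HTTP"}), "A", DEFAULT),
        SignatureFilter("filter2", frozenset({"HTTP", "UDP"}), "B", ALERT),
    ],
    exceptions={"a02": ALERT, "a04": BLOCK},
)


def resolve_figure_7_6() -> dict:
    """Actual action for each signature of the Figure 7-6 profile."""
    return {s.sig_id: FIGURE_7_6.action_for(s) for s in (A01, A02, A03, A04)}


if __name__ == "__main__":
    for sig_id, action in resolve_figure_7_6().items():
        print(f"{sig_id}: {action}")
    # The packet from the walkthrough above: it matches a02 (Alert) and a04 (Block).
    print("packet matching a02 and a04:", packet_action(FIGURE_7_6, [A02, A04]))
```

Running the script shows a01 resolved to Block through filter 1's Default action, a02 and a04 resolved by their exception signatures, a03 resolved to Alert by filter 2, and the a02+a04 packet blocked because one matched signature is Block. The same `IPSProfile` can be loaded with two overlapping filters to confirm that the earlier one wins.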

Updated: 2019-08-07

Document ID: EDOC1100034077