by RSS Victoria Martin  |  Nov 22, 2014  |  Filed in: Security Q & A

In this entry of the layered security series, we look at layer 3, the network layer.

Title

The network layer

Network layer security focuses on external threats that are able to bypass the firewall layer. Your FortiGate has two main features that deal with these threats: the Intrusion Prevention System (IPS) and Denial of Service (DoS) protection.

What are IPS and DoS protection?

IPS protects your network by actively seeking and blocking external threats before they can reach your network devices. These attacks are able to bypass the firewall because they use authorized protocols and addresses; for example, an attacker could use port 80, which is allowed for HTTP traffic, in an attempt to exploit a vulnerability on one of your network devices or applications. Adding an IPS profile to your security policies protects traffic flow by using signatures to recognize a variety of attacks as the traffic attempts to access the network.

While IPS targets attackers attempting to bypass your firewall, DoS protection deals with Denial of Service attacks, which aim to consume your firewall's resources so that they can't be used by anyone else. On a FortiGate unit, you create a DoS policy and associate it with a specific network interface so that external attacks are blocked from reaching that interface.

How to protect your network

To protect your network you must first enable IPS and DoS protection. With these security features active, you must then maintain a FortiGuard IPS subscription to ensure that they remain up-to-date. As long as you maintain the FortiGuard IPS subscription, you should be able to use one of the default IPS profiles and a basic DoS policy to keep your network safe.

Also consider the following tips to further protect your network:

  • Only use the signatures that apply to your network. For example, you should include signatures that protect software installed on your network devices, but exclude those for other software. This saves the network resources that would otherwise be consumed scanning for attacks that can't affect you.

  • If there is a network device or service that can be accessed from the Internet, block any signatures that correspond to that device or service. For example, if you have a web server, block all signatures related to web servers. Include all applicable signatures, even those of less severity, to avoid leaving any openings.

  • To get the best protection from a DoS policy, determine the appropriate threshold level. A threshold level defines the maximum number of allowed sessions/packets per second.

A DoS policy searches for anomalies in the packets, which can occur even in the absence of an attack. Because of this, setting the threshold automatically to 1 is not the best solution.

To find the best threshold for your network, create a DoS policy, with the action set to Pass, and enable logging. By looking at the logs, you can figure out when normal traffic begins to generate attack reports. Then all you need to do is set the threshold above this value with the appropriate margin for your network.

The anatomy of a custom IPS signature

The FortiGuard signatures database is updated regularly, so you will have sufficient network security using only the aforementioned predefined signatures. However, you can also create custom signatures to protect against attacks that don't have a FortiGuard signature or to block unwanted behavior that is unique to your network.

All custom signatures have the same header: F-SBID( ). Keywords are entered between the brackets to instruct the FortiGate. Each keyword begins with two dashes (--) and ends with a semi-colon (;).

For example, the following signature blocks traffic from PCs running on older Windows operating systems using NT 5 (an operating system kernel that connects applications to the computer's hardware), including Windows XP and Windows Server 2003. Because these operating systems have reached end-of-life, devices using them are more likely to have been compromised to carry out attacks as part of a botnet.

Title

#

Keyword

Value Description

1 attack_id

This number is used by the FortiGate for identification. You can either choose one yourself or let the FortiGate assign it for you. Values must be between 1000 and 9999.

2 name

All signatures require a unique name. In the example, the name clearly indicates the signature's purpose, i.e. blocking web traffic from any computer that uses any version of the Windows NT 5 kernel.

3 pattern

The pattern is what the FortiGate will look for in the traffic. In this case, it will look for packets that contain "Windows NT 5."

4 service

The signature includes a service value to indicate which service will be monitored; in the example, HTTP traffic.

5 protocol

The protocol value TCP is added to avoid unnecessarily scanning UDP and ICMP traffic.

6 no-case

By default, patterns are case sensitive. Adding this value ensures that case sensitivity is ignored, so that "windows nt 5" is also considered a match. Unlike other values, this part of the signature does not require a keyword.

7 flow

This value tells the FortiGate which direction of traffic to monitor.

8 context

This value tells the FortiGate to check the header of the packet for the pattern match.

9 default_action

This tells the FortiGate to drop any traffic that matches the pattern.


These are the core parts of a custom signature. More keywords are available for a variety of functions, which can be found in the Security Profiles Handbook (see the link below).

FortiGate Resources

by RSS Victoria Martin  |  Nov 22, 2014  |  Filed in: Security Q & A