
Protecting Intranet to Defend Attacks via Intrusion Prevention System

This example shows how to use the Intrusion Prevention System (IPS) to monitor network attacks in real time and take the configured action (such as block) against them.

As shown in the following topology, the device is deployed at the Intranet exit. After the Intrusion Prevention System is enabled and configured, the device protects the Intranet against attacks from the Internet.

Step 1: Installing the Intrusion Prevention System license

1. Select System > License. Under License Request, enter all user information, then send the code to your sales contact. The sales contact will obtain the license and send it back to you.

2. Select Upload License File, click Browse to select the Intrusion Prevention System license file, and then click OK to upload it.

3. Select System > Device Management > Option, and click Reboot. The installed license takes effect after the device restarts.

Step 2: Enabling Intrusion Prevention System and updating Signature Database

1. Select Object > Intrusion Prevention System > Configuration to view the status of the Intrusion Prevention System function. If it is disabled, click Enable and reboot.

2. Select System > Upgrade Management > Signature Database Update. Under IPS Signature Database Update, click Update to update the IPS Signature Database and ensure its integrity and accuracy.

Step 3: Binding internal and external interfaces to the specified zones

1. Bind internal interface ethernet0/2 to the trust zone. Select Network > Zone, select trust, and click Edit to open the Zone Configuration dialog.

  • Binding Interface: ethernet0/2

2. Bind internal interface ethernet0/1 to the dmz zone, configured in the same way as above.

3. Bind external interface ethernet0/3 to the untrust zone, configured in the same way as above.

Step 4: Creating Intrusion Prevention System rules

You can use the default rule or create a new one. To create a rule, select Object > Intrusion Prevention System > Profile and click New to open the IPS dialog. This example uses the predef_default rule, which includes all the IPS signatures and has a default action of reset.

Step 5: Creating Security Policies

Security policy: untrust to dmz

By default, the device denies all traffic between security zones. This example permits Internet hosts and internal hosts to access the internal servers. Take the following steps to configure the security policies:

1. Select Policy > Security Policy, and click New to open the Policy Configuration dialog. In the Basic tab:

Source:

  • Zone: untrust
  • Address: any

Destination:

  • Zone: dmz
  • Address: any

Others:

  • Service: any
  • Action: Permit

2. In the Protection tab:

  • IPS: Select the Enable check box.
  • Profile: Select predef_default from the drop-down list.

Security policy: trust to dmz

1. Select Policy > Security Policy, and click New to open the Policy Configuration dialog. In the Basic tab:

Source:

  • Zone: trust
  • Address: any

Destination:

  • Zone: dmz
  • Address: any

Others:

  • Service: any
  • Action: Permit

2. In the Protection tab:

  • IPS: Select the Enable check box.
  • Profile: predef_default

Step 6: Viewing the results

After you complete the above steps, the device protects the Intranet against known attacks. For example, an attacker attempts a SQL injection against the HTTP server by requesting the following URL:

  http://192.168.4.79/ccmcip/xmldirectorylist.jsp?n=X'or%20telephonenumber%20like%20'

The device will display the attack information and block the attack.
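
The request above also shows why an inspection engine has to normalize a request before it matches signatures. The following Python sketch is an added example, not the device's detection logic or code from this cookbook; the pattern, the function names, and the second and third sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Illustrative signature (an assumption, not the vendor's): a quote that closes
# a string literal, directly followed by a boolean or UNION keyword.
SQLI_PATTERN = re.compile(r"'\s*(?:or|and|union)\b")

def normalize(value, max_rounds=3):
    """Undo nested percent-encoding, collapse whitespace, lower-case."""
    value = value.replace("+", " ")
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).lower()

def inspect_url(url):
    """Return (parameter, normalized value) pairs that match the signature."""
    hits = []
    # Split on the raw query so an encoded '&' cannot create extra parameters.
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        value = normalize(raw)
        if SQLI_PATTERN.search(value):
            hits.append((name, value))
    return hits

BASE = "http://192.168.4.79/ccmcip/xmldirectorylist.jsp?n="
# Request quoted in Step 6 of this page.
PAGE_URL = BASE + "X'or%20telephonenumber%20like%20'"
# Constructed test case: the same request after a second round of encoding.
DOUBLE_ENCODED = BASE + "X%2527%2520or%2520telephonenumber%2520like%2520%2527"
# Constructed benign lookup that contains both a quote and the word "and".
BENIGN = BASE + "O'Reilly%20and%20Sons"

if __name__ == "__main__":
    for url in (PAGE_URL, DOUBLE_ENCODED, BENIGN):
        hits = inspect_url(url)
        print("BLOCK" if hits else "PASS ", url, hits)
```

Matching on the raw string alone would miss the second request, which is why decoding runs before the signature is applied; the third request passes because the quote is not followed by a keyword.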

Viewing the results from iCenter

1. Select iCenter > Threat, click to add the conditions.

  • Detected by: Intrusion Prevention System

2. The log of Intrusion Prevention System will be displayed. Click the threat name to view the detailed information.

Viewing the results from Threat log

1. Select Monitor > Log > Threat, click to add the conditions.

  • Detected by: Intrusion Prevention System

2. The log of Intrusion Prevention System will be displayed. Click the threat name to view the detailed information.