Security Services > Intrusion Prevention Service
SonicWALL Intrusion Prevention Service (SonicWALL IPS) delivers a configurable, high performance Deep Packet Inspection engine for extended protection of key network services such as Web, e-mail, file transfer, Windows services and DNS. SonicWALL IPS is designed to protect against application vulnerabilities as well as worms, Trojans, and peer-to-peer, spyware and backdoor exploits. The extensible signature language used in SonicWALL’s Deep Packet Inspection engine also provides proactive defense against newly discovered application and protocol vulnerabilities. SonicWALL IPS offloads the costly and time-consuming burden of maintaining and updating signatures for new hacker attacks through SonicWALL’s industry-leading Distributed Enforcement Architecture (DEA). Signature granularity allows SonicWALL IPS to detect and prevent attacks based on a global, attack group, or per-signature basis to provide maximum flexibility and control false positives.
Topics:
• SonicWALL Deep Packet Inspection
• SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation
• Setting Up SonicWALL Intrusion Prevention Service Protection
• Security Services > Intrusion Prevention
SonicWALL Deep Packet Inspection
Deep Packet Inspection looks at the data portion of the packet. The Deep Packet Inspection technology includes intrusion detection and intrusion prevention. Intrusion detection finds anomalies in the traffic and alerts the administrator. Intrusion prevention finds the anomalies in the traffic and reacts to them, preventing the traffic from passing through.
Deep Packet Inspection is a technology that allows a SonicWALL Security Appliance to classify passing traffic based on rules. These rules include information about the layer 3 and layer 4 content of the packet as well as information that describes the contents of the packet’s payload, including the application data (for example, an FTP session, an HTTP Web browser session, or even a middleware database connection). This technology allows the administrator to detect and log intrusions that pass through the SonicWALL Security Appliance, as well as prevent them (that is, drop the packet or reset the TCP connection). SonicWALL’s Deep Packet Inspection technology also correctly inspects a byte stream that is split across several TCP segments as if no segmentation had occurred, so an attack cannot evade detection simply by being spread over segment boundaries.
How SonicWALL’s Deep Packet Inspection Works
Deep Packet Inspection technology enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities. This is the technology behind SonicWALL Intrusion Prevention Service. SonicWALL’s Deep Packet Inspection technology enables dynamic signature updates pushed from the SonicWALL Distributed Enforcement Architecture.
The following steps describe how the SonicWALL Deep Packet Inspection Architecture works:
1. The Pattern Definition Language Interpreter uses signatures that can be written to detect and prevent exploits against known and unknown protocols and applications.
2. TCP segments arriving out of order are reordered by the Deep Packet Inspection framework before inspection.
3. Deep Packet Inspection engine preprocessing normalizes the packet’s payload. For example, an HTTP request may be URL encoded, so the request is URL decoded in order to perform correct pattern matching on the payload.
4. Deep Packet Inspection engine postprocessors perform the resulting action, which may pass the packet without modification, drop the packet, or reset the TCP connection.
5. SonicWALL’s Deep Packet Inspection framework supports complete signature matching across TCP segment boundaries without buffering and reassembling the stream (unless segments arrive out of order). This results in more efficient use of processor and memory for greater performance.
• Stateful Packet Inspection - looking at the header of the packet to control access based on port, protocol, and IP address.
• Deep Packet Inspection - looking at the data portion of the packet. Enables the firewall to investigate farther into the protocol to examine information at the application layer and defend against attacks targeting application vulnerabilities.
• Intrusion Detection - a process of identifying and flagging malicious activity aimed at information technology.
• False Positive - legitimate traffic that is wrongly identified as an attack pattern.
• Intrusion Prevention - finding anomalies and malicious activity in traffic and reacting to it.
• Signature - code written to detect and prevent intrusions, worms, application exploits, and Peer-to-Peer and Instant Messaging traffic.
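The following is an added example, not SonicWALL code, that models the five Deep Packet Inspection steps above in a toy stream inspector: segments that arrive early are queued and released in sequence order (step 2), the HTTP payload is percent-decoded before matching (step 3), the outcome is pass, detect or drop (step 4), and matching runs over a short raw carry-over window so a pattern split across two segments is still found without buffering the whole stream (step 5). The signatures, the "prevent"/"detect" labels and the traffic are all constructed for the example.

```python
"""Added example (not SonicWALL code): a toy Deep Packet Inspection pipeline."""
from dataclasses import dataclass, field
from urllib.parse import unquote_to_bytes


@dataclass
class Segment:
    seq: int
    payload: bytes


@dataclass
class Signature:
    sid: int
    pattern: bytes   # matched against the normalized (URL-decoded) payload
    action: str      # "prevent" (drop the flow) or "detect" (log only)


@dataclass
class Verdict:
    action: str = "pass"                 # "pass", "detect" or "drop"
    matched: list = field(default_factory=list)


class StreamInspector:
    """Inspects one direction of a TCP flow, one segment at a time."""

    def __init__(self, signatures, isn):
        self.sigs = signatures
        self.next_seq = isn          # sequence number of the next byte we expect
        self.pending = {}            # seq -> payload for segments that arrived early
        self.tail = b""              # raw bytes carried over from the previous segment
        # A percent-encoded byte occupies 3 raw bytes, so this carry-over is enough to
        # catch a pattern straddling a segment boundary even when it is URL encoded.
        self.carry = 3 * max(len(s.pattern) for s in signatures)
        self.verdict = Verdict()

    def feed(self, seg):
        self.pending[seg.seq] = seg.payload
        while self.next_seq in self.pending:      # step 2: release segments in order
            data = self.pending.pop(self.next_seq)
            self.next_seq += len(data)
            self._inspect(data)
        return self.verdict

    def _inspect(self, data):
        window = self.tail + data
        normalized = unquote_to_bytes(window)     # step 3: undo URL encoding once
        for sig in self.sigs:
            if sig.pattern in normalized and sig.sid not in self.verdict.matched:
                self.verdict.matched.append(sig.sid)
                if sig.action == "prevent":       # step 4: prevent outranks detect
                    self.verdict.action = "drop"
                elif self.verdict.action == "pass":
                    self.verdict.action = "detect"
        self.tail = window[-self.carry:]          # step 5: keep only a short raw tail


def inspect_flow(signatures, isn, segments):
    """Feed segments in arrival order (which may differ from sequence order)."""
    insp = StreamInspector(signatures, isn)
    for seg in segments:
        insp.feed(seg)
    return insp.verdict


SIGS = [  # constructed signatures
    Signature(1001, b"/etc/passwd", "prevent"),
    Signature(1002, b"/cgi-bin/", "detect"),
]

# Constructed request: a percent-encoded traversal to /etc/passwd, split so that
# "pass" ends segment 1 and "wd" starts segment 2, with segment 2 arriving first.
SEG1 = b"GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc%2fpass"
SEG2 = b"wd HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
EVASIVE_FLOW = [Segment(1000 + len(SEG1), SEG2), Segment(1000, SEG1)]
CLEAN_FLOW = [Segment(1000, b"GET /index.html HTTP/1.0\r\n\r\n")]

if __name__ == "__main__":
    print(inspect_flow(SIGS, 1000, EVASIVE_FLOW))   # drop, matched 1002 then 1001
    print(inspect_flow(SIGS, 1000, CLEAN_FLOW))     # pass, nothing matched
```

Inspecting each segment on its own would miss this request twice over: the literal string never appears because of the encoding, and even decoded it is cut between "pass" and "wd". Decoding the raw carry-over together with the new segment handles both without holding the whole stream in memory.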
SonicWALL Gateway Anti-Virus, Anti-Spyware, and IPS Activation
If you do not have SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service installed on your SonicWALL security appliance, the Security Services > Intrusion Prevention page indicates an upgrade is required and includes a link to activate it from your SonicWALL security appliance management interface. To activate SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service on your SonicWALL security appliance, you need to purchase a SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license:
• From a SonicWALL reseller
• Through your mysonicwall.com account (limited to customers in the USA and Canada).
Tip If your SonicWALL security appliance is connected to the Internet and registered at mysonicwall.com, you can activate a 30-day FREE TRIAL of SonicWALL Gateway Anti-Virus, SonicWALL Anti-Spyware, and SonicWALL Intrusion Prevention Service separately from the Security Services > Gateway Anti-Virus, Security Services > Anti-Spyware, and Security Services > Intrusion Prevention pages in the management interface.
Because SonicWALL Intrusion Prevention Service is part of the unified SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, you will receive a single License Keyset to activate all three services on your SonicWALL security appliance.
You must activate the SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service license from the Security Services > Intrusion Prevention page first. Once you have activated Intrusion Prevention Service, you can then activate SonicWALL Gateway Anti-Virus and SonicWALL Anti-Spyware.
If you have a License Keyset for SonicWALL Gateway Anti-Virus, Anti-Spyware, and Intrusion Prevention Service, you can activate your license in these ways:
• Through mysonicwall.com.
The activation is automatically enabled on your SonicWALL security appliance within 24 hours, or you can click the Synchronize button on the Security Services > Summary page to update your SonicWALL security appliance immediately.
• Go to the System > Licenses page to activate your license, as described in Manually Activating, Upgrading, or Renewing for Closed Environments.
Note Manual upgrade of the encrypted License Keyset is only for Closed Environments. If your SonicWALL security appliance is connected to the Internet, it is recommended you use the automatic registration and Security Services upgrade features of your appliance.
Setting Up SonicWALL Intrusion Prevention Service Protection
Activating the SonicWALL Intrusion Prevention Service license on your SonicWALL security appliance does not automatically enable the protection. After activating your Intrusion Prevention Service license, you must enable and configure SonicWALL IPS on the SonicWALL management interface before intrusion prevention policies are applied to your network traffic.
To configure SonicWALL Intrusion Prevention Service to begin protecting your network, you need to perform the following steps:
1. Navigate to the Security Services > Intrusion Prevention page.
2. Enable SonicWALL Intrusion Prevention Service by clicking on the Enable IPS checkbox in the IPS Global Settings section.
3. Specify the action for the signature group classes (High Priority Attacks, Medium Priority Attacks, and Low Priority Attacks) in the Signature Groups table.
• Prevent All - select to block all attacks in the class.
• Detect All - select to log all attacks in the class.
• Log Redundancy Filter (seconds) - suppresses duplicate log entries for the same signature within the specified number of seconds; a value of 0 disables the filter and logs every occurrence.
Note You must select Prevent All for at least one priority attack class in the Signature Groups table to activate intrusion prevention on the SonicWALL security appliance. If Prevent All is not selected for any class, no intrusion prevention occurs on the appliance.
Selecting the Prevent All and Detect All check boxes for High Priority Attacks and Medium Priority Attacks protects your network against the most dangerous and disruptive attacks.
4. Optionally, create an IPS Exclusion List by clicking the Configure IPS Settings button.
The IPS Config View window displays. Click the Add button to enter the to/from IP address to be excluded from Intrusion Prevention Service Protection in the Add IPS Range Entry window.
5. Click the Accept button to enable the Intrusion Prevention Service.
6. Enable SonicWALL IPS on zones in the Network > Zones page, as described in Adding and Configuring Zones. Select the Enable IPS checkbox.
You can enforce SonicWALL IPS not only between each network zone and the WAN, but also between internal zones. For example, enabling SonicWALL IPS on the LAN zone enforces intrusion prevention on all incoming and outgoing LAN traffic. You also enable SonicWALL IPS protection for new zones you create on the Network > Zones page. Clicking the Add button displays the Add Zone window, which includes the same settings as the Edit Zone window.
7. Enable the following services:
• Gateway Anti-Virus, as described in Setting Up SonicWALL Gateway Anti-Virus Protection
• Anti-Spyware, as described in Setting Up SonicWALL Anti-Spyware Service Protection
Security Services > Intrusion Prevention
The Security Services > Intrusion Prevention page is divided into three sections:
• IPS Status
• IPS Global Settings
• IPS Policies
The IPS Status section displays status information on the state of the signature database and your SonicWALL IPS license.
The IPS Status section displays the following information:
• Signature Database indicates whether the signature database is being downloaded, has been downloaded, or needs to be downloaded. The signature database is updated automatically about once an hour, but you can update it manually, as described in Updating IPS Signatures.
• Signature Database Timestamp displays the last update to the IPS signature database, not the last update to your SonicWALL security appliance.
• Last Checked indicates the last time the SonicWALL security appliance checked the signature database for updates. The SonicWALL security appliance automatically attempts to synchronize the database on startup, and once every hour.
• IPS Service Expiration Date indicates the date when the IPS service expires. If your IPS subscription expires, IPS inspection stops and the IPS configuration settings are removed from the SonicWALL security appliance. When you renew your IPS license, these settings are automatically restored to their previously configured state.
• The note Enable the Intrusion Prevention Service per zone from the Network > Zones page includes a Network > Zones link. Clicking it displays the Network > Zones page, where you apply IPS to zones.
Note Refer to Setting Up SonicWALL Intrusion Prevention Service Protection for instructions on applying IPS protection to zones.
By default, the SonicWALL security appliance running IPS automatically checks the SonicWALL signature servers once an hour. There is no need to constantly check for new signature updates. You can also manually update your IPS database at any time by clicking the Update button located in the IPS Status section.
IPS signature updates are secured. The SonicWALL security appliance must first authenticate itself with a pre-shared secret, created during the SonicWALL Distributed Enforcement Architecture licensing registration. The signature request is transported through HTTPS, along with full server certificate verification.
The IPS Global Settings section provides the key settings for enabling SonicWALL IPS on your SonicWALL security appliance, as described in the Setting Up SonicWALL Intrusion Prevention Service Protection.
The IPS Policies section allows you to view SonicWALL IPS signatures and configure the handling of signatures by category groups or on a signature by signature basis. Categories are signatures grouped together based on the type of attack.
Viewing the IPS Policy Signatures
Topics:
• Category
• Priority
Category
Select one of the following from the Category drop-down menu to choose which IPS policies are listed:
Note You can sort the signatures by category in ascending or descending order.
• All categories - select All categories from the Category drop-down menu.
To view or change the IPS category settings for a particular category, click the Edit icon in the Configure column for that category. The Edit IPS Category window displays.
Use Global Setting refers to the values selected in the IPS Global Settings section. The other values reflect how you set up the SonicWALL Intrusion Prevention Service, as described in Setting Up SonicWALL Intrusion Prevention Service Protection.
• All signatures - select All signatures from the Category drop-down menu.
To view or change the IPS signature settings for a particular signature, click the Edit icon in the Configure column for that signature. The Edit IPS Signature window displays. The values reflect how you set up the SonicWALL Intrusion Prevention Service for the signature’s category, as described in Setting Up SonicWALL Intrusion Prevention Service Protection.
• Signatures within an individual category - select a category from the Category drop-down menu.
To view or change the IPS signature settings for a particular signature, click the Edit icon in the Configure column for that signature. The Edit IPS Signature window displays. The values reflect how you set up the SonicWALL Intrusion Prevention Service for the signature’s category, as described in Setting Up SonicWALL Intrusion Prevention Service Protection.
Priority
Select a priority from the Priority drop-down menu to list only signatures of that priority:
• All
• High
• Medium
• Low
To view or change the IPS signature settings for a particular signature, enter the signature ID in the Lookup Signature ID field and then click the Edit icon. The Edit IPS Signature window displays. The values reflect how you set up the SonicWALL Intrusion Prevention Service for the signature’s category, as described in Setting Up SonicWALL Intrusion Prevention Service Protection.
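The following is an added example, not SonicWALL code, showing how the three configuration levels described on this page (the Signature Groups table in IPS Global Settings, the Edit IPS Category window, and the Edit IPS Signature window) can be combined into one effective action per signature, together with the Log Redundancy Filter from step 3 of Setting Up SonicWALL Intrusion Prevention Service Protection. Two things are assumptions made for the example rather than statements from the page: that a non-inherited per-signature setting overrides its category and a non-inherited category setting overrides the priority group, with "Use Global Setting" (INHERIT below) falling through to the next level; and that the redundancy filter logs a given signature at most once per interval. All settings and signature IDs are constructed.

```python
"""Added example (not SonicWALL code): resolving the effective IPS action."""
from dataclasses import dataclass

INHERIT = None    # stands for the "Use Global Setting" choice (assumed semantics)


@dataclass(frozen=True)
class Action:
    prevent: bool    # Prevent All: drop the traffic
    detect: bool     # Detect All: log the event


@dataclass
class IpsSettings:
    enabled: bool                  # Enable IPS checkbox
    by_priority: dict              # "High" / "Medium" / "Low" -> Action (Signature Groups table)
    by_category: dict              # category name -> Action or INHERIT
    by_signature: dict             # signature ID -> Action or INHERIT
    log_redundancy_seconds: int    # Log Redundancy Filter (seconds)


@dataclass(frozen=True)
class Signature:
    sid: int
    category: str
    priority: str


def effective_action(settings, sig):
    """Assumed precedence: signature setting, then category, then priority group."""
    if not settings.enabled:
        return Action(prevent=False, detect=False)
    for level in (settings.by_signature.get(sig.sid), settings.by_category.get(sig.category)):
        if level is not INHERIT:
            return level
    return settings.by_priority[sig.priority]


def prevention_active(settings):
    """The page's note: no Prevent All in any priority class means no prevention at all."""
    return settings.enabled and any(a.prevent for a in settings.by_priority.values())


class RedundancyFilter:
    """Assumed model of the Log Redundancy Filter: one entry per signature per interval."""

    def __init__(self, seconds):
        self.seconds = seconds
        self.last_logged = {}      # sid -> time of the last entry written

    def should_log(self, sid, now):
        prev = self.last_logged.get(sid)
        if prev is not None and now - prev < self.seconds:
            return False           # suppressed as redundant
        self.last_logged[sid] = now
        return True


def handle_match(settings, sig, now, rfilter):
    """Return (verdict, logged) for one signature hit at time `now` (seconds)."""
    act = effective_action(settings, sig)
    verdict = "drop" if act.prevent and prevention_active(settings) else "pass"
    logged = (act.prevent or act.detect) and rfilter.should_log(sig.sid, now)
    return verdict, logged


# Constructed configuration following the page's recommendation: prevent and detect
# High and Medium, detect only for Low; one category switched off; one signature forced on.
SETTINGS = IpsSettings(
    enabled=True,
    by_priority={"High": Action(True, True), "Medium": Action(True, True), "Low": Action(False, True)},
    by_category={"Web Attacks": INHERIT, "P2P": Action(False, False)},
    by_signature={4001: Action(True, True)},
    log_redundancy_seconds=60,
)
WEB_HIGH = Signature(1, "Web Attacks", "High")      # inherits High: drop and log
P2P_LOW = Signature(2, "P2P", "Low")                # category off: pass, no log
P2P_FORCED = Signature(4001, "P2P", "Low")          # signature override: drop and log
WEB_LOW = Signature(3, "Web Attacks", "Low")        # inherits Low: pass but log

if __name__ == "__main__":
    rf = RedundancyFilter(SETTINGS.log_redundancy_seconds)
    for sig, t in [(WEB_HIGH, 0), (P2P_LOW, 0), (P2P_FORCED, 0), (WEB_LOW, 0), (WEB_LOW, 30), (WEB_LOW, 61)]:
        print(sig.sid, t, handle_match(SETTINGS, sig, t, rf))
```

The `prevention_active` check is worth running against any configuration export before trusting a "Prevent" setting on an individual signature: per the note in step 3, a per-signature Prevent has nothing to act on if no priority class in the Signature Groups table has Prevent All selected.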