Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


Name

Enter a name to identify the Custom IPS Signature.

Protocol

Select IPS protocol from the list.

Available Options: TCP, UDP, ICMP, ALL

Custom Rule

Specify the IPS signature definition.

The signature definition must begin with a keyword, followed by the value enclosed in double quotes, and must end with a semicolon (;).

Format: Keyword: "value";

For example, content: "USER JOHN";

If traffic containing USER JOHN is detected, the action defined in the policy is taken.

Refer to Appendix B – IPS - Custom IPS Pattern Syntax for more details on creating IPS Pattern.
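The keyword: "value"; shape described above is easy to get wrong in the form (a value left unquoted, a missing closing quote, a forgotten semicolon). The following is an added example, not Sophos code and not the appliance's signature engine: a small checker that splits a custom rule into its options and rejects anything outside that grammar, plus the bare content match the text describes. The tolerance for a backslash-escaped quote inside a value and the lower-casing of keywords are assumptions of this example; the appliance's full option set is in Appendix B, not modelled here.

```python
import re

# One option in the custom-rule grammar: keyword, colon, double-quoted value,
# terminating semicolon.  A backslash-escaped quote inside the value is tolerated
# (an assumption; the grammar above only says the value is enclosed in quotes).
OPTION_RE = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def parse_custom_rule(rule: str):
    """Split a custom IPS signature definition into (keyword, value) pairs.

    Raises ValueError for anything that breaks the keyword: "value"; shape:
    an unquoted value, a missing closing quote or a missing semicolon.
    """
    options, pos = [], 0
    while pos < len(rule):
        m = OPTION_RE.match(rule, pos)
        if m is None:
            rest = rule[pos:].strip()
            if not rest:
                break                       # only trailing whitespace left
            raise ValueError(f"malformed option near {rest[:40]!r}")
        keyword = m.group(1).lower()
        value = m.group(2).replace('\\"', '"')
        options.append((keyword, value))
        pos = m.end()
    if not options:
        raise ValueError("signature definition contains no options")
    return options


def content_matches(options, payload: bytes) -> bool:
    """Return True when every content: option occurs somewhere in the payload.

    This is the bare match the text describes (traffic containing USER JOHN);
    the appliance's engine supports further modifiers that are not modelled here.
    """
    needles = [v.encode("latin-1") for k, v in options if k == "content"]
    return all(n in payload for n in needles)


if __name__ == "__main__":
    rule = 'content: "USER JOHN";'
    opts = parse_custom_rule(rule)
    # constructed sample payload, as an FTP login would carry it
    print(opts, content_matches(opts, b"USER JOHN\r\nPASS hunter2\r\n"))
```

Run the checker over a rule before pasting it into the Custom Rule field; a ValueError points at the first character that does not fit the grammar.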

Severity

Select the level of severity from the available options: Critical, Major, Moderate, Minor, Warning

Recommended Action

Specify the action to be taken when the pattern matches.

Available Actions:

Allow Packet - Check each packet before taking action.

Drop Packet - Drop the matching packets.

Drop Session - Terminate the entire session instead of scanning all of the session's packets, to save resources and avoid a high number of alerts.

Reset - Send a TCP reset packet to the originator.

Bypass Session - Scan the initial packets only. If the initial packets match the pattern, the rest of the session's packets are not scanned and the traffic is allowed to pass.

In all cases, the device generates a log entry and alerts the Network Administrator.


Figure 136: Add Custom IPS Signature

3. Click Save.

DoS & Spoof Prevention

The device provides several security options that cannot be expressed as firewall rules. These include protection against several kinds of Denial of Service (DoS) attacks, which exhaust the resources of hosts and services so that legitimate users are shut out.

A Denial of Service (DoS) attack is a method attackers use to prevent or deny legitimate users access to a service.

DoS attacks are typically executed by sending a large number of request packets to a targeted server (usually a web, FTP or mail server), which exhausts the server's resources and makes the system unusable. The goal is not to steal information but to disable a device or network so that users no longer have access to its services.

Every server can handle traffic only up to some maximum volume, beyond which it stops responding. Attackers therefore send a very high volume of redundant traffic so that the system can no longer examine and admit legitimate traffic. The best protection is to identify and block such redundant traffic. The following DoS settings are used to identify a DoS attack:

Packet rate per Source

Total number of packets or connections allowed from a particular source IP address per unit of time (the sustained rate).

Burst rate per Source

Maximum number of packets a particular source IP address may send at one time (the burst allowance).

Packet rate per Destination

Total number of packets or connections allowed to a particular destination IP address per unit of time.

Burst rate per Destination

Maximum number of packets allowed to a particular destination IP address at one time.

How it works

When the burst rate is exceeded, the device treats the traffic as an attack and drops the excess packets from that particular source (or to that particular destination). It keeps dropping until the attack subsides. Because the threshold is applied per IP address, only traffic from the offending source or to the offending destination is dropped; the rest of the network traffic is not affected.

Time until traffic from the blocked source/destination is re-allowed = time for the attack to subside + 30 seconds

For example:

Packet rate per source: 100 packets per second

Burst rate per source: 200 packets per second

(The DoS Settings page takes the packet rate in packets/minute and the burst rate in packets/second; this example uses per-second values for both to keep the arithmetic simple.)

When the user starts sending requests, he can initially send up to 200 packets in a second. Once those 200 packets have been received, in the next phase the user is allowed only 100 packets per second. If the user then sends 150 packets per second, the device treats this as an attack and drops the 50 excess packets (150 - 100). The device accepts traffic from that user again only 30 seconds after it last dropped packets.
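The example above is easier to reason about as a token bucket. The following is an added example, not Sophos code: a per-source limiter with the packet rate as the sustained refill, the burst rate as the bucket capacity, and the 30-second re-allow delay measured from the last packet dropped as excess. The appliance's exact refill granularity and blocking rule are not documented here, so the once-per-second refill and the choice to drop everything from a source until its delay has passed are modelling assumptions; the IP addresses and traffic pattern are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SourceState:
    tokens: float                         # packets the source may still send this second
    window: int                           # the whole second the bucket was last refilled for
    last_excess: Optional[float] = None   # time of the last packet dropped as excess


class PerSourceLimiter:
    """Packet rate / burst rate limiter keyed on source address (added example).

    packet_rate   - sustained packets per second (bucket refilled once per second)
    burst_rate    - bucket capacity, i.e. the most a fresh source may send at once
    reallow_after - seconds after the last excess packet before the source is
                    accepted again (30 s in the text above)
    """

    def __init__(self, packet_rate: int, burst_rate: int, reallow_after: float = 30.0):
        self.rate = packet_rate
        self.burst = burst_rate
        self.reallow_after = reallow_after
        self.state: Dict[str, SourceState] = {}

    def _refill(self, st: SourceState, now: float) -> None:
        window = int(now)
        if window > st.window:
            st.tokens = min(self.burst, st.tokens + self.rate * (window - st.window))
            st.window = window

    def is_blocked(self, src: str, now: float) -> bool:
        st = self.state.get(src)
        return (st is not None and st.last_excess is not None
                and now < st.last_excess + self.reallow_after)

    def offer(self, src: str, now: float) -> str:
        """Return "accept" or "drop" for one packet from src at time now (seconds)."""
        st = self.state.get(src)
        if st is None:
            st = SourceState(tokens=float(self.burst), window=int(now))
            self.state[src] = st
        self._refill(st, now)
        if st.tokens < 1:
            st.last_excess = now          # excess over the packet rate: the attack is ongoing
            return "drop"
        st.tokens -= 1
        # Within rate, but the source is still inside its re-allow delay.
        return "drop" if self.is_blocked(src, now) else "accept"


def simulate(limiter: PerSourceLimiter, src: str,
             schedule: List[Tuple[int, int]]) -> List[Tuple[int, int, int]]:
    """Send `count` evenly spaced packets in each listed second; return
    (second, accepted, dropped) per schedule entry."""
    out = []
    for second, count in schedule:
        accepted = dropped = 0
        for i in range(count):
            if limiter.offer(src, second + i / count) == "accept":
                accepted += 1
            else:
                dropped += 1
        out.append((second, accepted, dropped))
    return out


if __name__ == "__main__":
    lim = PerSourceLimiter(packet_rate=100, burst_rate=200)
    # Constructed traffic: the 200-packet burst, the 150 pps phase, then quieter traffic.
    for row in simulate(lim, "10.0.0.5", [(0, 200), (1, 150), (2, 50), (10, 50), (32, 50)]):
        print("second %2d: accepted %3d dropped %3d" % row)
    print("other source unaffected:", lim.offer("10.0.0.6", 1.5))
```

With the text's values, second 0 admits all 200 packets, second 1 admits 100 and drops 50, and the source is dropped entirely until 30 seconds after the last excess packet while a second source is untouched; that is the per-IP behaviour the thresholds section below relies on.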

Threshold values

The device uses packet rate and burst rate values as a threshold value to detect DoS attacks. These values depend on various factors like:

• Network bandwidth

• Nature of traffic

• Capacity of servers in the network

These values apply to the requests of each individual source or destination IP address, not to the network traffic as a whole. For example, if the source rate is 2500 packets/minute and the network consists of 100 users, each user is allowed a packet rate of 2500 packets per minute (not 25).

Values set too high let a flood through before it is detected, and values set too low block legitimate requests. It is therefore important to configure appropriate values for both source and destination IP addresses.

Spoof Protection General Settings

You can add MAC address and/or IP-MAC pair entries to the IP-MAC trusted list to improve the security of your network. MAC address filtering makes it harder for an attacker to gain access by guessing a random MAC address or spoofing one, because traffic from an untrusted MAC address does not get past your firewall.

Similarly, packets can be filtered on the IP-MAC pair, which blocks hosts that try to violate a trusted IP-MAC binding. To make the restriction more granular, you can enable it per zone.

Enable Spoof Prevention

If enabled, the device provides three ways to prevent spoofing using the IP-MAC trusted list:

IP Spoofing – Packets are dropped if no matching route entry is available for the source address.

MAC Filter – Packets are dropped if the source MAC address is not configured as a trusted MAC.

IP-MAC Pair Filter – Packets are dropped if either the IP or the MAC address does not match the entry it is bound to in the IP-MAC trusted list. Packets are allowed if neither the IP address nor the MAC address is defined in the trusted list at all.

Restrict Unknown IP on Trusted MAC (Only applicable if Spoof Prevention is enabled)

Enable this option to drop traffic from any IP address that is not in the trusted list for the trusted MAC address.

By default, it is disabled. When disabled, traffic from any IP address not in the trusted list will be allowed even if it is coming for the trusted MAC address.

Zone   IP Spoofing   MAC Filter   IP-MAC Pair Filter

LAN    Yes           Yes          Yes

WAN    No            Yes          No

DMZ    Yes           Yes          Yes

WiFi   Yes           Yes          Yes

Yes/No indicates whether the filter can be enabled for that zone. Each filter that is enabled must be enabled for at least one zone. Default: disabled for all zones.

IP Spoofing: The device performs a reverse lookup for a route to the source network; if no route is available, the packet is dropped and logged.

MAC Filter: Note: to enable MAC filtering, you must first add a trusted MAC address. The filter restricts access to your network by hosts that are not in the trusted list. Because the device drops all requests from MAC addresses not configured in the trusted list, make sure the list includes the MAC addresses of all your internal devices.

IP-MAC Pair Filter: The device drops a request as spoofed if:

• the MAC address differs from the one trusted for that IP address, or

• the IP address differs from the one trusted for that MAC address.

A request is dropped if the IP-MAC pair does not exist in the trusted list, but it is allowed if neither the IP address nor the MAC address appears in the list at all.

Figure 137: Spoof Protection General Settings
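The MAC Filter and IP-MAC Pair Filter rules above form a small decision table that is worth checking against concrete packets before enabling the filters on a zone. The following is an added example, not Sophos code: the table encoded as a function over a trusted list, including the "Restrict Unknown IP on Trusted MAC" option. The trusted list, MAC addresses and IPs are constructed; the handling of a MAC entry with no bound IP (treated as trusted for any IP) and the MAC normalisation are assumptions of this example, and DHCP-bound entries are not modelled.

```python
import re
from typing import Dict, Optional, Set

DROP, ALLOW = "drop", "allow"
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-11-22-33-44-55 equals 00:11:22:33:44:55."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address {mac!r}")
    return mac


class SpoofFilter:
    """MAC Filter and IP-MAC Pair Filter decisions for one packet (added example).

    trusted maps MAC -> set of statically bound IPs; a MAC bound to no IP is
    still a trusted MAC.  restrict_unknown_ip mirrors the option
    "Restrict Unknown IP on Trusted MAC" (default off).
    """

    def __init__(self, trusted: Dict[str, Set[str]], restrict_unknown_ip: bool = False):
        self.trusted = {norm_mac(m): set(ips) for m, ips in trusted.items()}
        # reverse index: IP -> the MAC it is bound to
        self.ip_owner: Dict[str, str] = {ip: m for m, ips in self.trusted.items() for ip in ips}
        self.restrict_unknown_ip = restrict_unknown_ip

    def mac_filter(self, mac: str) -> str:
        """MAC Filter: only MAC addresses in the trusted list may talk."""
        return ALLOW if norm_mac(mac) in self.trusted else DROP

    def pair_filter(self, ip: str, mac: str) -> str:
        """IP-MAC Pair Filter as laid out in the table above."""
        mac = norm_mac(mac)
        owner: Optional[str] = self.ip_owner.get(ip)
        if owner is not None and owner != mac:
            return DROP                 # trusted IP arriving from a different MAC
        if mac in self.trusted and owner is None and self.trusted[mac]:
            # trusted MAC using an IP that is not in the list at all
            return DROP if self.restrict_unknown_ip else ALLOW
        return ALLOW                    # exact pair match, or neither IP nor MAC listed

    def decide(self, ip: str, mac: str, mac_filter_on: bool = True,
               pair_filter_on: bool = True) -> str:
        """Apply whichever filters are enabled for the zone; any drop wins."""
        if mac_filter_on and self.mac_filter(mac) == DROP:
            return DROP
        if pair_filter_on and self.pair_filter(ip, mac) == DROP:
            return DROP
        return ALLOW


if __name__ == "__main__":
    # constructed trusted list
    f = SpoofFilter({"00:11:22:33:44:55": {"10.0.0.10", "10.0.0.11"},
                     "66-77-88-99-AA-BB": {"10.0.0.20"}})
    for ip, mac in [("10.0.0.10", "00:11:22:33:44:55"),   # exact pair
                    ("10.0.0.10", "de:ad:be:ef:00:01"),   # trusted IP, wrong MAC
                    ("10.0.0.20", "00:11:22:33:44:55"),   # IP bound to another MAC
                    ("10.0.0.99", "de:ad:be:ef:00:01")]:  # neither listed
        print(ip, mac, "pair:", f.pair_filter(ip, mac), "both:", f.decide(ip, mac))
```

Note the last case: a host that is in neither list passes the pair filter but is dropped once the MAC filter is also enabled, which is why the note above insists that every internal device be in the trusted list before MAC filtering is switched on.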

Spoof Protection Trusted MAC

You can enable MAC address and/or IP address pair filtering to improve security. By enabling filtering, you define the devices that can access your network. It is also possible to import the trusted MAC list from a CSV (Comma Separated Value) file. When a user attempts to access the network, the device checks the MAC address and/or IP address against the list. The user gets access only if the MAC address and/or IP address are in the trusted MAC list; otherwise the request is rejected.

The Spoof Prevention Trusted MAC section displays a list of all the MAC addresses configured as trusted MAC.

The page also provides options to add a new MAC address, update existing addresses, and import a list of addresses.

DoS Settings

Attack thresholds can be defined for both source and destination.

SYN Flood

A SYN flood is an attack in which a large number of connection requests are sent so that the backlog queue overflows. A connection entry is created when the victim host receives a connection request and allocates memory to it. A SYN flood creates so many half-open connections that the system is overwhelmed and can no longer handle incoming requests.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select Apply Flag check box to apply the SYN flood definition and control the allowed number of packets.

Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.

Click the Click Here link to view the DoS attack status. You are redirected to Protect > Intrusion Prevention > DoS Attacks. Click SYN Flood to view real-time updates on flooding, which show the source IP address used for flooding and the IP address that was targeted.

UDP Flood

A User Datagram Protocol (UDP) flood overwhelms a host with a high volume of UDP datagrams, each of which the host must check for a listening application and often answer with an ICMP unreachable message. One classic form links two systems by connecting one system's UDP character-generator service to another system's UDP echo service; once the link is made, the two systems are tied up exchanging a flood of meaningless data.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select Apply Flag check box to apply the UDP flood definition and control the allowed number of packets.


Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.

Click the Click Here link to view the DoS attack status. You are redirected to Protect > Intrusion Prevention > DoS Attacks. Click UDP Flood to view real-time updates on flooding, which show the source IP address used for flooding and the IP address that was targeted.

TCP Flood

A TCP flood sends more TCP packets than the victim host can handle, thereby denying service to legitimate TCP users.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select Apply Flag check box to apply the TCP flood definition and control the allowed number of packets.

Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.

ICMP/ICMPv6 Flood

An ICMP/ICMPv6 flood sends more packets than the protocol implementation of the victim host can handle, thereby preventing legitimate packets from reaching their destination.

Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.

Select Apply Flag check box to apply the ICMP flood definition and control the allowed number of packets.

Source Traffic Dropped displays the number of source packets dropped when source packet rate control is applied.

Destination Traffic Dropped displays the number of packets dropped when destination packet rate control is applied.

Click the Click Here link to view the DoS attack status. You are redirected to Protect > Intrusion Prevention > DoS Attacks. Click ICMP/ICMPv6 Flood to view real-time updates on flooding, which show the source IP address used for flooding and the IP address that was targeted.

Dropped Source Routed Packets

Select the Apply Flag check box to enable. Source routing lets the sender dictate the path a packet takes, which can be abused to bypass routing-based controls. With this option enabled, the device blocks any source-routed connections and prevents packets carrying an internal address from entering your network.

Disable ICMP/ICMPv6 Redirect Packet

Routers use ICMP redirect packets to tell hosts which route they should use. If an attacker can forge ICMP redirect packets, he or she can alter the routing table on a host and weaken its security by sending its traffic along another path.

Enable this option so that the device ignores ICMP/ICMPv6 redirect packets, which prevents an attacker from using forged redirects against it.

Default: enabled

ARP Hardening

If enabled, the device will send an ARP reply only if the destination IP address is a local address configured on the incoming interface and both the sender and destination IP address are in the same subnet.


Figure 138: DoS Settings

DoS Bypass Rule

The device allows you to bypass DoS inspection for a specified source when you are sure it will not be used for flooding; flooding from that source is then ignored. By default, VPN zone traffic is also subject to DoS inspection. You can bypass DoS inspection for traffic coming from certain hosts of the VPN zone as well.

The DoS Bypass Rule section displays a list of all bypass rules.

Add a Trusted MAC Address

This page allows you to add a trusted MAC address.

1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Add under the Spoof Protection Trusted MAC section.

2. Enter trusted MAC address details.

MAC Address

Specify a MAC address to be added to the Trusted MAC list.

IPv4 Address

Specify an IPv4 address to be bound to the MAC address. Packets are rejected if either the MAC or the IPv4 address does not match.

Available Options:

Static – Specify an IP address to be bound to the MAC address. Packets are rejected if either the MAC or the IP address does not match. Multiple IP addresses can be provided, separated by commas.

DHCP – The MAC address is bound to the IP address leased by the device's DHCP server as and when the IP is leased. The entry is updated automatically when the leased IP address changes.

To unbind the IPv4 address, select None.

IPv6 Address

Specify an IPv6 address to be bound to the MAC address. Packets are rejected if either the MAC or the IPv6 address does not match.

Available Options:

Static – Specify an IP address to be bound to the MAC address. Packets are rejected if either the MAC or the IP address does not match. Multiple IP addresses can be provided, separated by commas.

DHCP – The MAC address is bound to the IP address leased by the device's DHCP server as and when the IP is leased. The entry is updated automatically when the leased IP address changes.

To unbind the IPv6 address, select None.


Figure 139: Add Trusted MAC

3. Click Save.

Import Trusted MAC Addresses

Instead of adding the trusted entries individually, the device provides a facility to import the trusted list from a CSV (Comma Separated Value) file.

The format for the CSV file should be as follows:

1. The first row of the CSV file must be the header row: MAC address, IP association, IP address.

2. The remaining rows are values corresponding to the header fields.

3. Blank rows are ignored.

4. An error message is displayed only for invalid rows.

5. Format of values:

• Compulsory fields: MAC address and IP association.

• Optional field: IP address.

• IP association must be Static, DHCP or None.

• For Static IP association, an IP address must be provided.

• For None or DHCP IP association, no IP address is required.

• A row with an invalid MAC address, IP address or IP association is discarded.

• Use commas to separate multiple static IP addresses.
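Because the appliance only reports invalid rows, it pays to validate a large import file offline first. The following is an added example, not Sophos code and not the appliance's importer: a checker for the format listed above that applies each rule, skips blank rows and reports the discarded rows with their line numbers. The sample file is constructed. Two points are assumptions of this example rather than statements from the manual: that a field holding several comma-separated static IPs is double-quoted so the commas are not read as column separators, and that IP association values are accepted case-insensitively.

```python
import csv
import io
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
HEADER = ["mac address", "ip association", "ip address"]
ASSOC = {"static": "Static", "dhcp": "DHCP", "none": "None"}   # case-insensitive (assumption)


def parse_trusted_mac_csv(text: str):
    """Validate a trusted-MAC CSV in the format described above.

    Returns (entries, errors): entries is a list of (mac, association, [ips]) for
    rows that would be accepted, errors a list of (line_number, message) for rows
    that would be discarded.  A wrong header is a hard failure.
    """
    rows = csv.reader(io.StringIO(text))
    header = next(rows, None)
    if header is None or [h.strip().lower() for h in header] != HEADER:
        raise ValueError("first row must be the header: MAC address, IP association, IP address")

    entries, errors = [], []
    for lineno, row in enumerate(rows, start=2):
        if not any(cell.strip() for cell in row):
            continue                                    # blank rows are ignored
        row = [c.strip() for c in row] + [""] * (3 - len(row))
        mac, assoc, ips = row[0], row[1], row[2]

        if not MAC_RE.match(mac):
            errors.append((lineno, f"invalid MAC address {mac!r}"))
            continue
        assoc_norm = ASSOC.get(assoc.lower())
        if assoc_norm is None:
            errors.append((lineno, f"IP association must be Static, DHCP or None, got {assoc!r}"))
            continue

        ip_list = []
        if assoc_norm == "Static":
            if not ips:
                errors.append((lineno, "Static IP association requires an IP address"))
                continue
            try:
                # several static IPs arrive as one quoted cell, e.g. "10.0.0.10,10.0.0.11"
                ip_list = [str(ipaddress.ip_address(ip.strip())) for ip in ips.split(",")]
            except ValueError:
                errors.append((lineno, f"invalid IP address in {ips!r}"))
                continue
        # For None/DHCP the IP column is not required; any value there is ignored.

        entries.append((mac.lower().replace("-", ":"), assoc_norm, ip_list))
    return entries, errors


# Constructed sample import file: two good rows, a blank row and three bad rows.
SAMPLE_CSV = """MAC address,IP association,IP address
00:11:22:33:44:55,Static,"10.0.0.10,10.0.0.11"
66:77:88:99:AA:BB,DHCP,

de:ad:be:ef:00:01,Static,
zz:zz:zz:zz:zz:zz,None,
aa:bb:cc:dd:ee:ff,Static,10.0.0.300
"""

if __name__ == "__main__":
    good, bad = parse_trusted_mac_csv(SAMPLE_CSV)
    for entry in good:
        print("ok  ", entry)
    for lineno, msg in bad:
        print(f"line {lineno}: {msg}")
```

Only rows that pass every rule are kept, and each rejected row is reported once with the reason, mirroring the per-row error messages the import dialog shows.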

1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Import under the Spoof Protection Trusted MAC section to import a CSV file.

2. Browse trusted MAC address file.

Trusted MAC Address File

To choose a CSV file, click the file selection button against Trusted MAC Address File.

3. Click Upload File to upload CSV file.

Figure 140: Import Trusted MAC Address CSV File

Create a DoS Bypass Rule

This page allows you to create a DoS bypass rule.


1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Add under the DoS Bypass Rule section.

2. Enter bypass rule details.

IP Family

Select the IP family of the traffic to be bypassed.

Source IP/Netmask (available only if selected IP Family is IPv4)

Specify the source IP/Netmask.

Specify * if you want to bypass entire network.

Destination IP/Netmask (available only if selected IP Family is IPv4)

Specify the destination IP/Netmask.

Specify * if you want to bypass entire network.

Source IP/Prefix (available only if selected IP Family is IPv6)

Specify the source IP/prefix.

Specify * if you want to bypass entire network.

Destination IP/Prefix (available only if selected IP Family is IPv6)

Specify the destination IP/prefix.

Specify * if you want to bypass entire network.

Protocol

Select the protocol whose traffic is to be bypassed if generated from the specified source to destination.

Available Options: TCP, UDP, ICMP, All Protocols

For example, if you select TCP protocol then DoS rules will not be applied on the TCP traffic from the specified source to destination.

Source Port

Specify port number for the source.

Specify * to bypass all source ports.

Destination Port

Specify port number for the destination.

Specify * to bypass all destination ports.


Figure 141: Add DoS Bypass Rule

3. Click Save.
