2 Replies Latest reply on Feb 28, 2011 5:21 PM by CrazyDonJuan

    New Port Based policy block all http request from remote site

      Hi all,

I am new to the IPS product, and I have had an M1250 for a few months now. But I am still asking whether the box is doing its job!!! So I have decided to implement a port based policy on the box, as per below. This policy was meant only for DoS attacks, as I was seeing HIGH TCP-UDP PACKET logs in the real-time threat analyser. However, after I enabled this policy, I have no http access to any device in one of our branches connected via a private link. From the policy generated by the IPS, I can't see anything that may block https requests or responses. For now, only the ports mentioned in the policy are in use; there is nothing connected to the other ports of the IPS. See the attached doc for a screen print of the configuration.

       


      1. 1A/1B --> Connected to the Internet (Connected to my IPS)

      Action:                           "Customize DoS Policy for Interface: /ENG/DDOUG/IPS Settings/DOUG-IPS-Sensor/1A-1B"
      DoS Learning Attack:              "Outbound TCP OTX Segment Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound UDP Packet Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound ICMP Packet Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound IP Fragment Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound TCP RST Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound Non-TCP-UDP-ICMP Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound TCP SYN or FIN Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound ICMP Echo Request or Reply Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"


      2. Sensor DoS response to the inside network (2A/2B)

      Action:                           "Customize DoS Policy for Interface: /ENG/DDOUG/IPS Settings/DOUG-IPS-Sensor/2A-2B"
      DoS Learning Attack:              "Outbound TCP OTX Segment Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Disabled"
          Auto. Ack.:                   "Customized, Enabled"
          Syslog:                       "Customized, Enabled"
      DoS Learning Attack:              "Outbound UDP Packet Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Syslog:                       "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound ICMP Packet Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Attack Severity:              "Customized, 7 (High)"
          Email:                        "Customized, Enabled"
          Syslog:                       "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound IP Fragment Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Syslog:                       "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound TCP RST Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Auto. Ack.:                   "Customized, Enabled"
          Syslog:                       "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound Non-TCP-UDP-ICMP Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Syslog:                       "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound TCP SYN or FIN Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Email:                        "Customized, Enabled"
          Syslog:                       "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"
      DoS Learning Attack:              "Outbound ICMP Echo Request or Reply Volume Too High"
          Enable Alert:                 "Customized, Enabled"
          Attack Severity:              "Customized, 7 (High)"
          Email:                        "Customized, Enabled"
          Auto. Ack.:                   "Customized, Disabled"
          Syslog:                       "Customized, Enabled"
          Block Attack (Drop Packets):  "Customized, Enabled"

      3. Enable HTTP scanning inbound/outbound on 1A/1B and 2A/2B

       

       

      Any help will be appreciated

       

      Thanks,

       

      Crazy

        • 1. New Port Based policy block all http request from remote site
          SGROSSEN

          A little confused about this.  Not sure if you are trying to just implement a DoS policy without any alert, or are having problems detecting HTTP responses.

           

          If it is the latter, have you confirmed HTTP response scanning is enabled?   Enabling this might help get things straightened out.

          This is disabled by default, so check the NSM for that.  It has moved around depending on your version, but it should be under IPS Settings and either Advanced Scanning or IPS Sensor.

          • 2. New Port Based policy block all http request from remote site

            Hi SGROSSEN,

                                           Thanks for your reply, I really appreciate it. Yes, effectively I did have HTTP scanning enabled on the pair of ports facing my remote sites. Once I removed HTTP scanning, things went back to normal. In fact, almost: I still have an issue with the same remote site, where users in the central site can't access an application on the remote site. Let me try to explain.

             

            Usually, this app (iMonitor/iBuilder) is on a remote server, where everybody accesses the server and logs on into the app from there; the server is located at the remote site. Now, a few guys have installed the app on their own computers! With the IPS in layer 2 mode, they open up the app and log in fine. But when I put the box in the normal IPS mode, when you click on the icon of the app, it prompts you to enter your credentials. Once you enter the credentials, it tries to log you in... you can sit and wait for hours and it never finally logs you in...

             

            As a temp fix, I reverted the IPS to the default IPS policy rules. But I want to enable my own policies back, as they filter my network best. Should you need more elaboration, please let me know.

             

            Thanks and best regards,

             

            Thanks,

             

            Crazy
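The symptom in the last reply (the client reaches the login prompt, so a TCP session is established, but the login never completes) is the signature of a response path being dropped or held somewhere in the middle rather than of a blocked connection. The following probe, added here as an example and not part of the thread or of any McAfee/NSM tooling, classifies one HTTP round trip from a client host into "no session at all", "session up but no response", "peer closed" and "answered". Run from a central-site host against the remote application server with the sensor in layer 2 mode and then in inline IPS mode, the two verdicts tell you whether the DoS drop or the HTTP scanning is acting on the SYN or on the returning traffic. Because it has to run offline, the block also starts small local servers that simulate the three cases; those servers and their ports are constructed for the example and are not the M1250.

```python
"""Probe whether an HTTP path through an inline device is blocked at connect
time or only on the response path. Added example; the local servers below are
constructed to simulate behaviour and are not the M1250 or the NSM."""
import socket
import threading
import time


def probe_http(host, port, path="/", timeout=2.0):
    """Classify one HTTP round trip from this host to host:port.

    Returns one of:
      "connect_failed"          - no TCP session at all (SYN dropped or refused)
      "response_timeout"        - session up, request sent, nothing came back
      "closed_without_response" - the peer, or a device in the path, closed it
      "ok:<status line>"        - an HTTP response arrived
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect_failed"
    try:
        sock.settimeout(timeout)
        request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
        sock.sendall(request)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "response_timeout"
        if not data:
            return "closed_without_response"
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "ok:" + status_line
    finally:
        sock.close()


def start_fake_server(respond, hold_seconds=5.0):
    """Start a one-shot local server (constructed for the example).

    respond=True  : answer with a minimal HTTP response (healthy path)
    respond=False : accept the session, read the request, then stay silent,
                    which is exactly what a dropped response looks like
                    from the client's side.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        try:
            conn.settimeout(2.0)
            try:
                conn.recv(4096)  # consume the request
            except socket.timeout:
                pass
            if respond:
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
            else:
                time.sleep(hold_seconds)  # hold the session open, send nothing
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def closed_port():
    """Reserve and release a local port so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Probe the three constructed cases and return their classifications."""
    return {
        "healthy": probe_http("127.0.0.1", start_fake_server(True)),
        "response_dropped": probe_http("127.0.0.1", start_fake_server(False), timeout=1.0),
        "syn_blocked": probe_http("127.0.0.1", closed_port(), timeout=1.0),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:18s} -> {verdict}")
```

Against a real target replace the loopback servers with the remote application's host and port; a verdict of "response_timeout" in inline mode and "ok:" in layer 2 mode points at the returning traffic being dropped (the outbound DoS learning signatures with "Block Attack" on the inside pair, or HTTP response scanning), while "connect_failed" in inline mode means the session never gets through in the first place.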