H3C IPS Intrusion Prevention System Web-Based Configuration Manual-5PW102-04-IPS
IPS Overview
The Intrusion Prevention System (IPS) runs on network trunks. You can configure IPS policies to analyze and inspect traffic in real time and to execute predefined actions on abnormal traffic, for example, blocking, isolating, or interfering with it, to prevent suspicious code from being injected into target hosts and executed.
Configuring IPS
Configuration Task List
Perform the tasks in Table 1-1 to configure IPS policies. The IPS module also provides a shortcut for IPS policy application, facilitating user operations. For details, refer to Configuring IPS Policy Shortcut Application.
Table 1-1 IPS configuration task list

| Task | Remarks |
|---|---|
| Creating IPS Policy | Optional. Create an IPS policy and copy the rules of an existing policy to the new policy. By default, there is an IPS policy named Attack Policy, which can be modified, copied and applied, but cannot be deleted. |
| Configuring Rules for the Policy | Optional. Modify the copied rules. You can enable/disable the rules and change their action sets. By default, there are rules in the default IPS policy Attack Policy, which can be modified but cannot be deleted. You can view the contents of the rules on the IPS policy list page. |
| Applying an IPS Policy to a Segment | Required. Apply the policy to a segment or certain IP addresses on the segment. Before this step, you need to configure the segments on the page you enter by selecting System Management > Network Management > Segment Configuration. For details, refer to Network Management Configuration. |
| Activating Configurations | Required. Activate all Class B configurations, including the configured policies, rules, and policy applications. There are two categories of configurations in the system: Class A and Class B. Class A configurations take effect immediately, while Class B configurations must be activated to take effect. The Activate button is present on all pages with Class B configurations. Clicking the button on any page activates all Class B configurations. You are recommended to complete all Class B configurations before clicking the Activate button. |

Creating IPS Policy
Select IPS > Policies from the navigation tree to enter the IPS policy list page, as shown in Figure 1-1. Then, click Add to enter the IPS policy configuration page, as shown in Figure 1-2.

Figure 1-2 IPS policy configuration page

Table 1-2 describes the IPS policy configuration items.
Table 1-2 IPS policy configuration items

| Item | Description |
|---|---|
| Policy Type | This field displays the type of the policy to be created, that is, Attack Protection Policy. |
| Name | Enter a name for the IPS policy. |
| Description | Enter a description for the policy, for example, the purpose of the policy. |
| Copy Rules from Specified Policy | Copy the rules of an existing IPS policy to the new policy. If you enter the IPS policy configuration page by clicking the |

Return to IPS configuration task list.
Configuring Rules for the Policy
Select IPS > Rules from the navigation tree to enter the IPS rule list page, as shown in Figure 1-3. On the top half of the page, you can select an IPS policy, and modify its name and description. The rules of the selected policy will be displayed on the bottom half of the page, where you can specify conditions to search for rules of interest.

Specify search conditions and click Query to search for rules matching the conditions.
Table 1-3 describes the rule list. You can click any field name of the list to sort the rules by the field.
Table 1-3 IPS rule list description

| Item | Description |
|---|---|
| Attack ID | ID of the attack that the rule is for. When querying rules, if you enter 0 or leave the field blank, it means all attack IDs. |
| Name | Rule name. When querying rules, if you enter a string in the Name text box, it means all rules with a name containing the specified string. If you leave the field blank, it means all rule names. |
| Category | Attack type that the rule is for. |
| Level | Severity level of the attack matching the rule. |
| Default | Whether the rule is in default state or has been modified. |
| Action Set | Action set applied to attacks matching the rule. |
| Status | Whether the rule is enabled or not. |

By selecting the check box before a rule, you can change the action set of the rule and enable/disable the rule as follows:
- To change the action set of the rule, select another action set for the Action Set field, and then click Modify Action Set.
- To enable or disable the rule, click Enable Rule or Disable Rule.
- To restore the settings of the rule to the defaults, click Reset Rule or click the icon of the rule directly.

You can also click the icon of a rule to enter the IPS rule modification page, where you can enable/disable the rule, change the action set, and view the details of the rule and the deployment of the IPS policy.
The IPS rule modification page is shown in Figure 1-4.
- The rules of the default IPS policy Attack Policy cannot be modified but can be viewed.
- On the Rule page, you can view the vulnerability's CVE (Common Vulnerabilities and Exposures) ID, BID (BugTraq ID, which can be queried from http://www.securityfocus.com), and the vulnerability ID numbered by Microsoft. You can click a CVE link, for example http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1216, to access the CVE webpage for the vulnerability details, or click a BID link, for example http://www.securityfocus.com/bid/9122, to open a webpage related to the vulnerability.
Figure 1-4 IPS rule modification page

Return to IPS configuration task list.
Applying an IPS Policy to a Segment
Select IPS > Segment Policies from the navigation tree to enter the IPS policy application list page, as shown in Figure 1-5. Then, click Add to enter the policy application page, as shown in Figure 1-6.
Figure 1-5 IPS policy application list

Figure 1-6 Policy application page

Table 1-4 describes the configuration items for applying an IPS policy to a segment.
Table 1-4 Configuration items for applying an IPS policy to a segment

| Item | Description |
|---|---|
| Segment | Select the ID of the segment to which you want to apply the IPS policy. Available segments are those configured on the page you enter by selecting System Management > Network Management > Segment Configuration. |
| Policy | Select the IPS policy to be applied. |
| Direction | Apply the policy to the inbound direction, outbound direction, or both. |
| Internal Zone: IP addresses, Excluded IP addresses | Specify the IP addresses to apply the policy to in the internal zone. The policy will apply to all IP addresses that are in the IP addresses list but not in the Excluded IP addresses list. If you leave the lists blank, the policy applies to the whole internal zone. |
| External Zone: IP addresses, Excluded IP addresses | Specify the IP addresses to apply the policy to in the external zone. The policy will apply to all IP addresses that are in the IP addresses list but not in the Excluded IP addresses list. If you leave the lists blank, the policy applies to the whole external zone. |

Return to IPS configuration task list.
Configuring IPS Policy Shortcut Application
Select IPS > Fast Application from the navigation tree to enter the IPS policy shortcut application page, as shown in Figure 1-7.
Figure 1-7 IPS policy shortcut application

Table 1-5 describes the configuration items for IPS policy shortcut application.
Table 1-5 Configuration items for IPS policy shortcut application

| Item | Description |
|---|---|
| Name | Enter a name for the IPS policy. The policy rules are copied from the default IPS policy Attack Policy. |
| Description | Enter a description for the policy, for example, the purpose of the policy. |
| Rule Details: Status | Set the status for a rule category. Default means to keep the default status of all rules of the category. Enable means to set the status of all rules of the category to Enable. Disable means to set the status of all rules of the category to Disable. |
| Rule Details: Action Set | Set the action set for a rule category. Default means to keep the default action set of all rules of the category. A specific action set applies to all rules of the category. |
| Segment ID | ID of the segment to which the IPS policy applies. Available segments are those configured on the page you enter by selecting System Management > Network Management > Segment Configuration. |
| Internal Zone | Display the name of the internal zone and port members of the segment. |
| External Zone | Display the name of the external zone and port members of the segment. |
| Direction | Apply the policy to the inbound direction, outbound direction, or both. |

After the above configurations, click Apply & Activate to activate the configurations, or click Apply to save the configurations, which you can activate later.
IPS Configuration Example
Network requirements
- Apply the policy to the outbound direction of segment 0.
- Create an IPS policy named RD on Device, copy the rules of the default policy Attack Policy, and then modify the rule named 150999021 by enabling the rule and changing the action set to Block+Notify.

Figure 1-8 Network diagram for IPS configuration

Configuration procedure
# Create IPS policy RD.
- Select IPS > Policies from the navigation tree, and then click Add, as shown in Figure 1-9. On the IPS policy configuration page, perform the configurations shown in Figure 1-10.

Figure 1-10 Create an IPS policy

- Enter RD as the policy name.
- Enter IPS policy for RD as the description.
- Select Attack Policy from the Copy Rules from Specified Policy drop-down list.
- Click Apply.

# Find rule 150999021 of IPS policy RD, and modify it.
- After the above configurations, the IPS rule list page appears, with policy RD selected for the Policy drop-down list. Perform the configurations shown in Figure 1-11.

Figure 1-11 Query and modify the rules

- Enter 150999021 as the attack ID.
- Click Query to find the rule numbered 150999021.
- Select the check box before rule 150999021.
- Select Block+Notify as the action set and then click Modify Action Set.
- Click Enable Rule.

# Apply IPS policy RD to segment 0.
- Select IPS > Segment Policies from the navigation tree, and then click Add, as shown in Figure 1-12. Perform the configurations shown in Figure 1-13.

Figure 1-12 IPS policy application list

Figure 1-13 Configure a policy application

- Select segment 0.
- Select RD as the policy.
- Select Internal zone to External zone for the Direction field.
- Click Apply.

# Activate the configurations.
- After the above configurations, the IPS policy application list appears, as shown in Figure 1-14. Click Activate and confirm your action.

Figure 1-14 Activate configurations

Configuration Guidelines
When performing IPS configurations, note that:
1. You cannot delete an IPS policy that has been applied to a segment.
2. You cannot delete the system default IPS policy and rules.
3. For a packet of a segment, the system can use up to one IPS policy application scheme. If you configure multiple application schemes for a segment, the system will, for each packet to be processed, sort the application schemes matching the packet by IP address scope and use the scheme with the smallest IP address scope for the packet. If two schemes have the same IP address scope, the one configured earlier has a higher priority.
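
The selection rule in the last guideline, combined with the IP addresses / Excluded IP addresses semantics of Table 1-4, modelled as an added example (not H3C code and not part of the manual) for checking which policy a host actually receives when application schemes overlap. Assumptions: lists are written as IPv4 CIDR strings for a single zone, "IP address scope" is measured as the number of addresses in the IP addresses list (a blank list counts as the whole zone), and the policy names Lab-A and Lab-B and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Scheme:
    order: int           # configuration order: lower = configured earlier
    policy: str
    include: tuple = ()  # "IP addresses" list; empty = whole zone
    exclude: tuple = ()  # "Excluded IP addresses" list

    @staticmethod
    def _nets(items):
        return [ipaddress.ip_network(i, strict=False) for i in items]

    def matches(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in self._nets(self.exclude)):
            return False
        inc = self._nets(self.include)
        return not inc or any(addr in n for n in inc)

    def scope(self):
        # Assumption: scope = address count of the include list (IPv4 only);
        # a blank list means the whole zone and is treated as the widest scope.
        inc = self._nets(self.include)
        if not inc:
            return 2 ** 32
        return sum(n.num_addresses for n in ipaddress.collapse_addresses(inc))

def effective_policy(schemes, ip):
    """Return the policy of the single scheme used for this address, or None."""
    hits = [s for s in schemes if s.matches(ip)]
    if not hits:
        return None
    # Smallest scope wins; equal scopes fall back to the earlier-configured scheme.
    return min(hits, key=lambda s: (s.scope(), s.order)).policy

# Constructed application schemes for segment 0 (one zone's lists only).
SCHEMES = [
    Scheme(1, "Attack Policy"),
    Scheme(2, "RD", ("10.1.0.0/16",), ("10.1.5.0/24",)),
    Scheme(3, "Lab-A", ("10.1.2.0/24",)),
    Scheme(4, "Lab-B", ("10.1.2.0/24",)),
]

if __name__ == "__main__":
    for host in ("10.1.2.7", "10.1.9.9", "10.1.5.1", "192.0.2.1"):
        print(host, "->", effective_policy(SCHEMES, host))
```

In this sample Lab-B never takes effect: it has the same scope as Lab-A and was configured later, which is the kind of shadowing worth checking for before clicking Activate.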