10-Intrusion Prevention System (IPS)
It's important to understand the difference between an anomaly and an exploit. After reading the description below, is it an Exploit or an Anomaly? These attacks are known, with known patterns that can be matched by IPS, WAF, or antivirus signatures.
Exploit
[DoS Policy Configuration] You can apply DoS protection to four protocols: TCP, UDP, ICMP, and SCTP. You can also apply four different types of anomaly detection: • A _____ sensor detects a high volume of that specific protocol, or of a signal in the protocol.
flood
[DoS Policy Configuration] You can apply DoS protection to four protocols: TCP, UDP, ICMP, and SCTP. You can also apply four different types of anomaly detection: • Source signatures look for large volumes of traffic originating from a ______ IP.
single
[DoS Policy Configuration] You can apply DoS protection to four protocols: TCP, UDP, ICMP, and SCTP. You can also apply four different types of anomaly detection: • A _____/scan detects probing attempts to map which of the host's ports respond and, therefore, might be vulnerable.
sweep
IPS goes into Fail Open Mode when there is not enough available memory in the IPS socket buffer for new packets. What happens during that state depends on the IPS configuration. If the Fail-Open setting is enabled, will some new packets (depending on the system load) pass through with or without being inspected?
without
[Example of a Web Attack — Cross Site Scripting] One type of attack is called cross-site scripting (XSS). If a web application isn't sanitizing its inputs and rejecting JavaScript, does it end up storing the XSS attack in its database (True/False)? Then, when other clients request the page that reuses that data, the JavaScript is now embedded in the page.
True
Can FortiWeb be installed inline (web traffic crossing the device) or offline (device connected as a one-arm sniffer) (True/False)?
True
Can FortiWeb perform vulnerability scans and penetration tests (True/False)?
True
Can you also configure FortiGate to connect through a web proxy for updates (True/False)? Usually, clients connecting to a web proxy don't contact the DNS server to resolve names, because the web proxy does it for them. But, in the case of FortiGuard, FortiGate always requires DNS access, even when connecting through a web proxy.
True
Can you block DoS attacks by applying a DoS policy on a FortiGate device that is located between the attackers and all the resources that you want to protect (True/False)?
True
Can you configure FortiGate to forward web traffic to an external FortiWeb, where the WAF inspection happens (True/False)?
True
Can you use the FortiGuard update debug to monitor update events in real time (True/False)?
True
Cybercriminals, motivated by previously successful high-profile hacks and a highly profitable black market for stolen data, continue to increase both the volume and sophistication of their attacks on organizations (True/False).
True
Do DoS policies not have the ability to assign SSL inspection profiles (True/False)? This is because DoS does not require SSL inspection to maximize its detection ability, since it does not inspect packet payload. DoS only inspects certain session types and their associated volume.
True
Do Protocol Decoders parse each packet according to the protocol specifications (True/False)?
True
Do some FortiGate models also support offloading IPS pattern matching to CP8 or CP9 content processors (True/False)? NOTE: If the command cp-accel-mode is available under config ips global, then the FortiGate model supports IPS pattern matching acceleration to its CP8 or CP9 processor.
True
Does FortiGuard update the IPS signature database with new signatures (True/False)?
True
Does FortiWeb offer a more complete HTTP protocol understanding and state attack protection (True/False)?
True
Does today's threat landscape require IPS to block a wider range of threats, while minimizing false positives (True/False)?
True
Do frequent IPS Fail Open events usually indicate that the IPS is not able to keep up with the traffic demands (True/False)? So, try to identify patterns. Has the traffic volume increased recently? Have throughput demands increased? Does fail open trigger at specific times during the day?
True
Does protecting web servers require a different approach because they are subject to other kinds of attacks (True/False)? NOTE: This is where a Web Application Firewall (WAF) applies.
True
Does the FortiGuard IPS service update the IPS signatures most often (True/False)? NOTE: The FortiGuard research team identifies and builds new signatures, just like antivirus signatures. So, if your FortiGuard Services contract expires, you can still use IPS.
True
Half-open connections, source addresses, destination addresses, ports, and so on: are these resources that a DoS policy can protect (True/False)?
True
[IPS Sensor Inspection Sequence] Should you avoid making too many filters, because this increases evaluations and CPU usage (True/False)? Also, avoid making very large signature groups in each filter, which increases RAM usage.
True
[IPS Sensor Inspection Sequence] In the event of a false-positive outbreak, can you add the triggered signature as an individual signature and set the action to Monitor (True/False)? This will allow you to monitor the signature events using IPS logs, while investigating the false-positive issue.
True
[IPS Sensor Inspection Sequence] When the IPS engine compares traffic with the signatures in each filter, does order matter (True/False)? The rules are similar to firewall policy matching: the engine evaluates the filters at the top of the list first, and applies the first match. The engine skips subsequent filters.
True
[IPS Components] The IPS engine is responsible for most of the features shown in this lesson: IPS and protocol decoders. Is it also responsible for application control, flow-based antivirus protection, web filtering, email filtering, and flow-based DLP in one-arm sniffer mode (True/False)?
True
If Fail-Open setting is disabled, will new packets be dropped (True/False)?
True
If the CPU use remains high after enabling IPS bypass mode, it usually indicates a problem in the IPS engine, which you must report to Fortinet's support team. Can you disable the IPS engine completely using option 2 (True/False)? If you wish to restore IPS inspection of traffic after you finish troubleshooting, use option 5 again.
True
If the traffic doesn't conform to the specification—if, for example, it sends malformed or invalid commands to your servers—then the Protocol Decoder detects the error (True/False)?
True
If there are high-CPU use problems caused by the IPS, can you use the 'diagnose test application ipsmonitor' command with option 5 to isolate where the problem might be (True/False)? Option 5 enables IPS bypass mode. In this mode, the IPS engine is still running, but it is not inspecting traffic. If the CPU use decreases after that, it usually indicates that the volume of traffic being inspected is too high for that FortiGate model.
True
If you enabled security events logging in the firewall policies that apply IPS, you can view IPS events by clicking Log & Report > Intrusion Prevention (True/False)? The Intrusion Prevention log menu appears only if FortiGate has matched attack attempts with IPS signatures.
True
If you need to restart the IPS, can you use option 99 to guarantee that all the IPS-related processes restart properly (True/False)?
True
If you think some traffic should be blocked, but it is passing through the policy, should you change the Log Allowed Traffic method to All Sessions (True/False)? NOTE: This will log all traffic processed by that firewall policy, and not just the traffic that is blocked by the security profiles. This can help you identify false negative events.
True
In most cases, is FortiWeb installed as a standalone device, usually located between FortiGate and the protected web servers (True/False)?
True
In the event of a false-positive detection, should you first determine which signature is generating them (True/False)? You should also verify that the traffic is hitting the correct policy and IPS sensor.
True
Is DoS filtering done early in the packet handling process, which is handled by the kernel (True/False)?
True
Is FortiWeb a specialized WAF device (True/False)? For environments where the protection of web services is critical, you can complement a FortiGate with a FortiWeb device.
True
Is high-bandwidth usage only one type of DoS attack (True/False)? Many sophisticated DoS attacks, such as Slowloris, don't require high bandwidth.
True
Is IPS not a set-and-forget implementation (True/False)? You must monitor logs regularly for anomalous traffic patterns, and adjust your IPS profile configuration based on your observations. You should also audit your internal resources regularly to identify if certain vulnerabilities are still applicable to your organization.
True
Is it also important to consider the direction of the traffic (True/False)? There are many IPS signatures that apply only to clients, and many signatures that apply only to servers. Create IPS sensors specific to the resources you want to protect. This will make sure that FortiGate is not scanning traffic with irrelevant signatures.
True
Is it sometimes necessary to exempt specific source or destination IP addresses from specific signatures (True/False)?
True
Are WAF signatures one component of a WAF profile (True/False)? WAF signatures work in the same way as IPS signatures. FortiGate can act on the traffic that matches any of them. Some WAF signatures are categorized as extended. They are more likely to cause false positives, but are sometimes required in high-security environments.
True
Is the WAF feature available only in proxy inspection mode (True/False)?
True
Is the goal of a DoS attack to overwhelm the target—to consume resources until the target can't respond to legitimate traffic (True/False)?
True
Organizations are under continuous attack; is that why we use IPS (True/False)?
True
Should you also evaluate applicable threats (True/False)? If your organization runs only Windows, there is no need to scan for Mac OS vulnerabilities.
True
Should you create IPS profiles specific for the type of traffic being inspected, and disable IPS profiles on policies that don't need them (True/False)?
True
Do some protocol decoders require a port number specification (configured in the CLI), even though usually the protocol is automatically detected (True/False)?
True
The IPS signature database is divided into the regular and extended databases. The extended signature database contains additional signatures for attacks that cause a significant performance impact, or don't support blocking because of their nature. In fact, because of its size, the extended database is not available for FortiGate models with a smaller disk or RAM (True/False)? But, for high-security networks, you might be required to enable the extended signatures database.
True
The IPS signature database is divided into the regular and extended databases. The regular signature database contains signatures for common attacks whose signatures cause rare or no false positives (True/False)? It's a smaller database, and its default action is to block the detected attack.
True
There are two ways to add predefined signatures to an IPS sensor. One way is to select the signatures individually (True/False)? After you select a signature in the list, the signature is added to the sensor with its default action. NOTE: Then, you can right-click the signature and change the action.
True
There are two ways to add predefined signatures to an IPS sensor. The second way to add a signature to a sensor is using filters (True/False)? FortiGate will add all the signatures that match the filters.
True
To apply an IPS sensor, you must enable IPS and then select the sensor in a firewall policy (True/False)? By default, FortiGate logs all security events. This means you can see any traffic that is being blocked by IPS.
True
Unless a protocol specification or RFC changes (which doesn't happen very often), protocol decoders are rarely updated (True/False)? The IPS engine itself changes more frequently, but still not often.
True
You can also add rate-based signatures to block specific traffic when the threshold is exceeded during the configured time period (True/False)? You should apply rate-based signatures only to protocols you actually use. Then, configure Block Duration to block malicious clients for extended periods.
True
You can configure IP exemptions on individual signatures only. Can each signature have multiple exemptions (True/False)?
True
You must use an SSL inspection profile if you want to get the maximum benefit from your IPS and WAF features (True/False)? For example — when applied to inbound traffic, it will be able to apply IPS and WAF inspection on encrypted traffic reliably, because FortiGate will be able to decrypt encrypted sessions and inspect all parts of the packet.
True
You should check the last update timestamp regularly. Can you verify the timestamp in the GUI (True/False)? If there is any indication that the IPS definitions are not updating, you should investigate.
True
You should review IPS logs frequently. The logs are an invaluable source of information about the kinds of attacks that are being targeted at your network (True/False)? This will help you develop action plans and focus on specific events, for example, patching a critical vulnerability.
True
[DoS Policy Configuration] The thresholds for flood, sweep, and scan sensors are defined as the maximum number of sessions or packets per second. The thresholds for source and destination sensors are defined as concurrent sessions. Could thresholds that are too high exhaust your resources before the DoS policies trigger (True/False)?
True
[DoS Policy Configuration] The thresholds for flood, sweep, and scan sensors are defined as the maximum number of sessions or packets per second. The thresholds for source and destination sensors are defined as concurrent sessions. Could thresholds that are too low cause FortiGate to drop normal traffic (True/False)?
True
[DoS Policy Configuration] When you implement DoS for the first time, if you don't have an accurate baseline for your network, you should be careful not to completely block network services (True/False)?
True
After FortiGate downloads a FortiGuard IPS package, new signatures appear in the signature list. When configuring FortiGate, you can change the Action setting for each sensor that uses a signature. The default action setting is often correct, except in the following cases: • Your software vendor releases a security patch. Continuing to scan for exploits will waste FortiGate resources.
Vendor Issue
It's important to understand the difference between an anomaly and an exploit. After reading the description below, is it an Exploit or an Anomaly? These are unusual behaviors in the network, such as higher-than-usual CPU usage or network traffic. They must be detected and monitored (and, in some cases, blocked or mitigated) because they can be the symptoms of a new, never-seen-before attack. They are usually better detected by behavioral analysis, such as rate-based IPS signatures, DoS policies, and protocol constraints inspection.
Anomaly
Many organizations encourage ____ and flexible working environments, which has led to the explosion of anytime, anywhere data consumption. This consumption increases the risk that sensitive data will be exposed to unauthorized access outside corporate boundaries.
BYOD
After FortiGate downloads a FortiGuard IPS package, new signatures appear in the signature list. When configuring FortiGate, you can change the Action setting for each sensor that uses a signature. The default action setting is often correct, except in the following cases: • Your network has a custom application with traffic that inadvertently triggers an IPS signature. You can disable the setting until you notify Fortinet so that the FortiGuard team can modify the signature to avoid false positives.
Custom Application
[Types of DoS Attacks] What best describes the DoS attack below (ICMP Sweep, Distributed DoS, TCP SYN Flood, or TCP Port Scan)? This attack has many of the same characteristics as an individual DoS attack, but the main difference is that multiple devices are all attacking one destination at the same time.
Distributed DoS
[Types of DoS Attacks] What best describes the DoS attack below (ICMP Sweep, Distributed DoS, TCP SYN Flood, or TCP Port Scan)? However, attackers can use this attack to probe a network for valid routes and responsive hosts. By doing this, the attacker can gain information about your network before crafting more serious exploits.
ICMP Sweep
[Types of DoS Attacks] What best describes the DoS attack below (ICMP Sweep, Distributed DoS, TCP SYN Flood, or TCP Port Scan)? Attackers use port scanning to determine which ports are active on a system. The attacker sends TCP SYN requests to varying destination ports. Based on the replies, the attacker can map out which services are running on the system, and then proceed to exploit those services.
TCP Port Scan
[Types of DoS Attacks] What best describes the DoS attack below (ICMP Sweep, Distributed DoS, TCP SYN Flood, or TCP Port Scan)? Malicious clients continue to send more SYN packets, half-opening more connections, until the server's connection table becomes full. Once the server's table is full, it can't accept more connections and begins to ignore all new clients.
TCP SYN Flood
[Example of a Web Attack — Cross Site Scripting] One type of attack is called cross-site scripting (XSS). Can JavaScript do many things with a page, including rewriting the whole page and making its own requests (True/False)? This is the basic mechanism of asynchronous JavaScript and XML (AJAX) apps. In this case, XSS causes innocent clients to transmit to a different server that is controlled by the attacker. This could, for example, transmit credit card information or passwords from an HTTP form to the attacker.
True
After you configure a WAF profile, is it assigned to one or more firewall policies (True/False)?
True
After you have verified which signature is generating the detections, and that the traffic is hitting the correct policy and IPS sensor, should you gather samples of the traffic (True/False)? Use the Packet Logging action on the signature. Provide the traffic samples and the matching IPS logs to the FortiGuard team for further investigation.
True
After you select the filters or signatures you want to add, right-click the filter or signature, and then select the action. If you select Packet Logging, FortiGate saves a copy of the packet that matches the signature.
True
After you select the filters or signatures you want to add, right-click the filter or signature, and then select the action. Quarantine allows you to quarantine the attacker's IP address for a set duration. You can set the quarantine duration to any number of days, hours, or minutes.
True
After you select the filters or signatures you want to add, right-click the filter or signature, and then select the action. Select Pass to allow traffic to continue to its destination. Select Monitor to allow traffic to continue to its destination and log the activity. Select Block to silently drop traffic matching any of the signatures included in the filter. Select Reset to generate a TCP RST packet whenever the signature is triggered.
True
Are FortiGate IPS update requests sent to update.fortiguard.net on TCP port 443 (True/False)?
True
Are some FortiGate features meant to protect clients, not servers (True/False)?
True
Before you implement IPS, you must analyze the needs of your network. Will enabling the default profiles across all policies quickly cause issues, the least of which are false positives (True/False)? Performing unnecessary inspections on all network traffic can cause high resource utilization which can hamper FortiGate's ability to process regular traffic.
True
Can FortiGate models that support a feature called NTurbo offload IPS processing to NP4, NP6, or SoC3 processors (True/False)? NOTE: If the command np-accel-mode is available under config system global, then the FortiGate model supports NTurbo.
True
Can FortiWeb also rewrite the HTTP packets, and route traffic based on the HTTP content (True/False)?
True
[Example of a Web Attack — SQL Injection] Just like an XSS attack, the root cause of a SQL injection is that the web application doesn't sanitize input. If the attacker enters a SQL query into an input such as an HTML form, does the web app simply accept it and pass it along to the database engine, which accidentally runs the query (True/False)?
True
[Example of a Web Attack — SQL Injection] Can the SQL language do anything to the data (True/False)? For example, download the table of users so that the attacker can run a password cracker; add new entries for new administrator login attempts; or modify login attempts, blocking administrators from logging in.
True