
Application Protection is a set of filter categories that defend against exploits that target applications and operating systems of workstations and servers on a network. These filters include a variety of attack protection and security policy filters used to detect attacks targeting resources on your network. Malicious attacks may probe your network for vulnerabilities, available ports and hosts, and network accessible applications. Application Protection filters defend your network by providing a device with threat assessment, detection, and management instructions.

Through the Profiles screen, you can tune filters to meet the needs of your enterprise. You can modify a filter or add an exception to a filter. You also can alter the system response to an attack filter by editing the action set, changing how or when contacts are notified, or even disabling the filter.

These filters block traffic depending on the configured actions for a filter. You can set these actions to the entire category of filters or override specific filters to perform a different set of actions. See ”Action Sets” on page 70.

Application Protection Filters are a category of filters that protect your network from malicious attacks that seek to find and exploit vulnerabilities in your network. These filters are enabled by default on your HP TippingPoint system and shield against invasive attacks.

Application Protection filters include the following categories:

• Exploits, page 95 — Category of filters that protect against known exploits of software components.

• Reconnaissance, page 95 — Category of filters that detect and block reconnaissance scans of your network.

• Security Policy, page 96 — Category of filters that require deployment knowledge and/or operational policy.

• Vulnerabilities, page 96 — Category of filters that protect against attackers looking for vulnerabilities in a network.

• IM, Peer to Peer, and Streaming Media — Category of filters that detect and control instant messaging, peer-to-peer file sharing, and streaming media traffic, which consumes bandwidth and can expose hosts on your network to the outside. See the following for more information:

• ”Instant Messaging”

• ”Peer to Peer”

• ”Streaming Media”

The Profiles > Inspection Profiles > Default > Application Filters screen displays the following columns:

• State — Indicates whether the filter is currently enabled, disabled, or invalid.

• Name — Name of the filter. Double-click the filter entry to view and configure filter details.

• Control — Level at which the action set is defined for the attack filter.

• Action Set — Action set that is performed when the filter is triggered. See ”Action Sets” on page 70.

• Category — Filter category.

• AFC — Indicates whether Adaptive Filter Configuration (AFC) is enabled. See ”Adaptive Filter Configuration (AFC)” for more information.

• Locked — Indicates the lock status of the filter.

• Exception — Indicates whether there is an exception set.

• Severity — Indicates the potential consequences of traffic that matches the filter. See Digital Vaccines, page 116.

You can right-click on entries in the filter list and do the following:

• Copy — Copy selected rows or cell value.

• Export to File — Save selected rows or all rows as a TXT or CSV file.

• Find — Search for a filter using a keyword.

• Edit — Edit a selected filter.

• Copy Filter Settings — Copy action, AFC, exception, or all settings to the clipboard.

• Paste Filter Settings — Paste copied action, AFC, exception, or all settings from the clipboard.

• Add Exception — Create a new exception.

• View Related Events — Display any events relating to the filter.

• Change Lock — Change locked status.

• Change Inherited Settings — Change inherited settings option.

• ThreatLinQ — Obtain ThreatLinQ filter information.

• Table Properties — View and change the order, visibility, sorting, and aggregation properties of table columns.

NOTE: If you receive errors or have issues editing and saving filters and exceptions due to exceeded limits, see ”SMS Error Messages” on page 311.

Application Filter Categories

Exploits

Exploits are attacks against a network using weaknesses in software such as operating systems and applications. These attacks usually take the form of intrusion attempts and attempts to destroy or capture data. These filters seek to protect software from malicious attacks across a network by detecting and blocking the request.

The two most common methods for exploiting software include email and Web browsing. All Web browsers and many email clients have powerful capabilities that access applications and operating systems. Attackers can create attachments that scan for and exploit this software.

Reconnaissance

Reconnaissance filters protect your system against malicious traffic that scans your network for vulnerabilities. These filters constantly monitor incoming traffic, looking for any sign of network reconnaissance. Such probes look for any weakness that later attacks can exploit; in effect, they map the strengths and weaknesses of your network to guide further attacks.

NOTE: By default, Reconnaissance filters are either disabled or set to Block/Notify. To enable these filters or modify their category settings, see ”View and Edit Application Filter Details” on page 97.

Attackers may scan a network for available ports or try to infiltrate a host through its open ports and the software listening on them. A successful probe gives the attacker an entry point for introducing malicious code and staging further attacks through that host. Scan and sweep attacks typically consist of a large number of probes sent at once, each requesting access or information. Scan and sweep filters protect against these attacks by counting probes against your ports and hosts and triggering when a configured threshold is exceeded.

Scan and sweep filters correlate traffic across several sessions and packets to recognize a scan or sweep against the network. As a result, the Block action behaves differently for these filters. If the Block action is configured with a TCP Reset, no reset is sent, because the detection is not tied to a single network flow that could be reset. In addition, a Block action causes the source address to be blocked in subsequent network flows from that source.
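The following script is an added example and is not part of the SMS documentation or product code. It models the behaviour described above: a detector correlates probes from one source across many flows and, once an assumed threshold of distinct ports on one host (port scan) or distinct hosts on one port (host sweep) is crossed, applies a Block verdict to the source address, so that later flows from that source are dropped without any TCP reset. The thresholds, the correlation window, and the one-line flow-log format are assumptions made for the illustration; the product's own thresholds are shown in each filter's details.

```python
"""Scan/sweep detection correlated across flows, with a source-level Block.

Added example, not TippingPoint code. Thresholds and the flow-log format are
assumptions for the illustration. It demonstrates two behaviours: the decision
is made over many flows (so there is no single TCP connection a reset could
tear down), and a Block verdict applies to the source address for all
subsequent flows, not only to the packet that crossed the threshold.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


class ScanSweepDetector:
    def __init__(self, scan_ports=10, sweep_hosts=8, window=60.0):
        self.scan_ports = scan_ports      # distinct ports on one host (port scan), assumed
        self.sweep_hosts = sweep_hosts    # distinct hosts on one port (host sweep), assumed
        self.window = window              # seconds over which probes are correlated, assumed
        self._state = {}                  # src -> [window_start, {dst: ports}, {dport: dsts}]
        self.blocked = set()              # sources carrying a Block verdict
        self.alerts = []                  # (ts, src, reason)

    def process(self, f: Flow) -> str:
        """Return 'drop' (source already blocked), 'block' (threshold crossed now) or 'permit'."""
        if f.src in self.blocked:
            return "drop"   # source-level block: no TCP RST, later flows are simply dropped
        st = self._state.get(f.src)
        if st is None or f.ts - st[0] > self.window:
            st = [f.ts, defaultdict(set), defaultdict(set)]   # start a fresh window
            self._state[f.src] = st
        _, ports_by_dst, dsts_by_port = st
        ports_by_dst[f.dst].add(f.dport)
        dsts_by_port[f.dport].add(f.dst)
        if len(ports_by_dst[f.dst]) >= self.scan_ports:
            return self._block(f, f"port scan of {f.dst}: {sorted(ports_by_dst[f.dst])}")
        if len(dsts_by_port[f.dport]) >= self.sweep_hosts:
            return self._block(f, f"host sweep on port {f.dport}: {len(dsts_by_port[f.dport])} hosts")
        return "permit"

    def _block(self, f: Flow, reason: str) -> str:
        self.blocked.add(f.src)           # block is keyed on the source, not the flow
        self.alerts.append((f.ts, f.src, reason))
        return "block"


def parse_flow(line: str) -> Flow:
    """Assumed log format: '<epoch> <src> <dst> <dport>' (hypothetical)."""
    ts, src, dst, dport = line.split()
    return Flow(float(ts), src, dst, int(dport))


def replay(lines, detector=None):
    """Feed log lines through a detector; returns (verdict per line, detector)."""
    det = detector or ScanSweepDetector()
    verdicts = [det.process(parse_flow(line)) for line in lines]
    return verdicts, det


# Constructed flow log: one port scanner, one SMB host sweep, one benign client.
SAMPLE_FLOWS = (
    [f"{1000 + i} 203.0.113.5 10.0.0.7 {20 + i}" for i in range(12)]        # ports 20..31
    + [f"{2000 + i} 198.51.100.9 10.0.0.{i + 1} 445" for i in range(9)]    # hosts .1 .. .9
    + ["3000 192.0.2.3 10.0.0.7 443", "3001 192.0.2.3 10.0.0.8 443"]
)

if __name__ == "__main__":
    verdicts, det = replay(SAMPLE_FLOWS)
    for alert in det.alerts:
        print(alert)
    print({v: verdicts.count(v) for v in ("permit", "block", "drop")})
```

Running the script prints the two alerts and the verdict counts. Because the block is keyed on the source address, the benign client that touches two hosts on port 443 is never affected, while the scanner's remaining probes after the tenth port are dropped rather than reset.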

NOTE: Scan and sweep filters are not affected by restrictions and exceptions in the shared settings for Application Protection filters. When you create exceptions and apply-only settings in the shared settings, they only affect Vulnerability Probing filters.

The Scans/Sweeps Filters appear at the bottom of the Reconnaissance listings in the List pane. To view these filters, use the scroll bar to scroll to the bottom of the listings.

Security Policy

Security Policy filters act as both attack filters and policy filters. As attack filters, they compare packet contents with the header or data content that characterizes the attack, along with the protocol, service, and the operating system or software the attack affects. These filters require deployment knowledge and/or operational policy. The Threat Management Center (TMC) develops these filters.

NOTE: Security Policy filter recommended settings are set to disabled by default. Configuring Security Policy filters requires knowledge of the installation network configuration. To enable these filters or modify their category settings, see ”Create or Edit a Security Filter Profile Restriction” on page 93.

These filters detect traffic that may or may not be malicious that may meet one of the following criteria:

• Different in its format or content from standard business practice

• Aimed at specific software or operating systems

• Contrary to your company security policies

When enabled, these filters may generate false attack alerts depending on your network or application environment. For example, false alerts could be caused by the following:

• Custom or legacy software that uses standard protocols in non-standard ways

• Attacks on applications or operating systems that you do not have installed

• Activities that could be benign or malicious depending on where they originate

You can enable, disable, or create exceptions to these filters according to the requirements for your environment.

CAUTION: Scan your network hosts before disabling or creating exceptions to specific attack protection filters. Some operating systems install default services which may be vulnerable to attack. If you disable or add an exception to a filter that protects a service that you do not know about, you may increase your network vulnerability.

You can right-click on entries in the filter list and do the following:

• Edit — Edit a selected filter

• New Exception — Create a custom filter exception

• View Action Set — View the action set properties for the selected filter

• View Related Events — Display the related events for the filter in the Events screen

• Find — Search for a filter using a keyword

• Search — Search for a filter with advanced criteria options

Vulnerabilities

Attackers generally look for vulnerabilities in a network. Writing malicious code, they try to find the weak points in a network security system to bypass filters and reach data and services. These attackers seek to use intrusion methods against areas such as software back-doors and poorly protected hosts and ports.

Vulnerability scanning checks for all potential methods that an attacker could use to infiltrate a network and system.

Vulnerabilities filters protect these possible points of entry in a network, detecting and blocking attempted intrusions. These filters protect vulnerable components of a computer system or network by analyzing and blocking traffic that seeks these points of entry. The filters constantly watch for possible intrusion points, giving a warning when a vulnerability is found or when malicious attacks occur.

As security threats are recognized, the Threat Management Center (TMC) creates and releases filter updates to protect potentially vulnerable systems.

Peer to Peer

Peer-to-peer protocols are primarily used to share music and video files. They essentially turn a personal computer into a file server, making its resources, as well as those of its host network, available to the peer-to-peer community. Performance Protection filters allow you to block traffic associated with these kinds of file-sharing protocols.

NOTE: All peer-to-peer filters are user-activated and must be enabled to block peer-to-peer traffic.

Instant Messaging

Instant Messaging is a real-time, text-based communication between two or more people using computers that are connected over a network such as the Internet.

Streaming Media

Streaming media refers to a type of media that is delivered over a computer network. Protocols include:

• Unicast — sends a separate copy of the media stream from the server to each client.

• Multicast — sends a single copy of the media stream over any given network connection and must be implemented in network routers and servers.

Adaptive Filter Configuration (AFC)

On rare occasions, the system can experience extreme load due to filter failure and traffic congestion, causing a device to enter High Availability (HA) mode. The device continues inspecting traffic, but the congestion slows processing. To keep such a scenario from pushing the device into the HA state, the SMS uses adaptive filtering to disable the filters that are the likely cause of the congestion.

Application filters allow you to enable or disable adaptive filtering per filter. If you do not want a filter to be subject to adaptive filtering (for example, a filter that blocks an exploit you depend on), disable the adaptive filtering option for that filter; it is then not a candidate for automatic disabling. You can also edit the Adaptive Filter Configuration (AFC) Settings for Device Configuration to modify the device-wide adaptive filter configuration. The AFC settings are under the AFC section of the Device Configuration. For more information, see ”Adaptive Filtering” on page 184.

NOTE: If a filter is disabled on a device due to adaptive filtering, the current state of the filter is displayed on the Events screen for the device (e.g., All Devices > [device] > Events).
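The following script is an added illustrative model and is not the SMS implementation of adaptive filtering. It assumes each filter has a per-packet inspection cost and that the device has a load budget; when the enabled filters exceed the budget, the most expensive AFC-eligible filters are disabled first, while filters whose AFC option is turned off are never touched. The filter names, costs, and budget are made up for the example. The point it demonstrates is the one an administrator controls through the AFC column: which protections survive an overload.

```python
"""Illustrative model of adaptive filtering (not the SMS implementation).

Each filter carries an assumed per-packet inspection cost. When the total cost
of enabled filters exceeds a load budget, the most expensive AFC-eligible
filters are disabled first. Filters with AFC turned off are never touched,
which is the lever an administrator has to keep critical protections active
during overload.
"""
from dataclasses import dataclass


@dataclass
class InspectionFilter:
    name: str
    cost_us: float            # assumed per-packet cost in microseconds (hypothetical)
    afc_enabled: bool = True  # AFC column: False means exempt from adaptive filtering
    enabled: bool = True


def adaptive_disable(filters, budget_us):
    """Disable AFC-eligible filters, most expensive first, until the total cost of
    enabled filters fits within budget_us. Returns (disabled_names, within_budget)."""
    total = sum(f.cost_us for f in filters if f.enabled)
    candidates = sorted(
        (f for f in filters if f.enabled and f.afc_enabled),
        key=lambda f: f.cost_us,
        reverse=True,
    )
    disabled = []
    for f in candidates:
        if total <= budget_us:
            break
        f.enabled = False   # what the Events screen would report as disabled by AFC
        total -= f.cost_us
        disabled.append(f.name)
    return disabled, total <= budget_us


def sample_filters():
    """Constructed filter set; names and costs are made up for the example."""
    return [
        InspectionFilter("Exploit: critical RCE signature", 40.0, afc_enabled=False),
        InspectionFilter("Security Policy: broad regex", 120.0),
        InspectionFilter("Reconnaissance: port scan", 30.0),
        InspectionFilter("Streaming Media: RTSP", 50.0),
    ]


def demo(budget_us=100.0):
    """Run the model against the constructed set; returns (disabled, ok, still_enabled)."""
    filters = sample_filters()
    disabled, ok = adaptive_disable(filters, budget_us)
    still_on = [f.name for f in filters if f.enabled]
    return disabled, ok, still_on


if __name__ == "__main__":
    print(demo(100.0))   # the exempt exploit filter stays enabled
    print(demo(30.0))    # budget cannot be met without touching the exempt filter
```

With the default budget the two most expensive eligible filters are shed and the exempt exploit filter stays on. With a budget the exempt filter alone already exceeds, the model reports that it could not get within budget rather than disabling a protection the administrator pinned; in the product, that is the case where the device-wide AFC settings and the HA behaviour described above come into play.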

View and Edit Application Filter Details

1. In the navigation pane, expand Profiles > Inspection Profiles > Default and select Application Filters.

The Application Filters screen displays.

2. Double-click the filter category you want to work with to expand its section.

3. Double click on the filter you want to view or edit to open the Edit Filter wizard.

4. View the filter settings and make any changes as required.

5. To see the filter details including detailed description of the filter, select Filter Details from the wizard navigation pane.

6. If you made changes to the filter, click Distribute to distribute the filter to managed devices or click OK to save the changes for distribution later.

Edit the State or Action Set for Application Filter Category Settings

1. In the navigation pane, expand Profiles > Inspection Profiles > Default and select Application Filters.

The Application Filters screen displays.

2. Click Edit for the category you want to edit.

3. In the Edit Category Settings dialog you can:

• Change the State (enabled or disabled)

• Choose the Action Set from the Action Sets created in the Shared Settings > Action Sets section.

4. Click OK.
