Vulnerabilities provide a short description of the event that has matched. Vulnerability information is included in dynamic update packages, so all Situations provided by Stonesoft that are related to a known vulnerability are linked to a Vulnerability element. When you create your own Situations, you can associate them with an existing Vulnerability or a custom Vulnerability element.
You can add up to four references to public vulnerability databases to your custom Vulnerabilities (CVE/BID/MS/TA). System vulnerabilities can have an unlimited number of references to any reference system, and can have multiple references to the same reference system. The reference information is also shown in the Logs view.
Using Situations
Situations are used for defining what you want to detect with the Inspection rules. Situations are generally used for detecting harmful, unwanted, or otherwise interesting patterns in traffic. The Situations supplied by Stonesoft in dynamic update packages concentrate on known vulnerabilities and exploits. The new Situations that you define may detect other patterns, such as a certain URL or file being accessed.
Although the general workflow requires ensuring that a Situation you want to use is included in the Firewall policy, you may often not actually insert the Situation into the rule, but use a Tag or Situation Type element instead to represent a whole group of Situations.
Note – If a Tag or Situation Type you add to a Situation is in use in some IPS policy, the new Situation is automatically included in the policy when you save the Situation, and the IPS components start matching traffic to the Situation when you refresh the policy.
Example of Custom Situations
The example in this section illustrates a common use for Situations in StoneGate and the general steps for configuring the scenario.
Detecting the Use of Forbidden Software
Company A has a firewall that inspects all outgoing Web traffic against the Inspection rules. The use of instant messaging clients across the Internet is forbidden in the company. The firewall’s Inspection rules are set to detect and log Situations with the Instant Messaging Tag.
The company’s administrators have found out that some of the internal users have started chatting using a new little-known instant messaging client that does not have a default Situation yet. The communications seem to be standard HTTP directly from client to client. The administrators find one distinctive characteristic in the software: when launched, the software in question always connects to a particular address to check for updates using HTTP.
The administrators:
1. Create a new custom Situation element with the name “Software X”.
2. Add the HTTP Request URI Context to the Situation and type in a regular expression that contains the address they want the Situation to find using the StoneGate regular expression syntax (see Regular Expression Syntax (page 297)).
3. Add the default system Tag Instant Messaging to the Situation.
4. Refresh the firewall’s policy.
5. Open the Logs view and filter the view using the “Software X” Situation as the filtering criteria.
6. See which computers use the forbidden software and take action to remove the software from the computers shown in the logs.
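The detection logic behind steps 2, 5 and 6, as an added illustration that is not part of this guide and not StoneGate code: it matches a constructed set of HTTP request records against a pattern for the update-check address and lists the internal hosts that produced matches. The host name update.softwarex.example, the 10.0.0.0/8 internal range and the request records are all made up, and the pattern is written in Python re syntax, which differs from the StoneGate regular expression syntax; the Host header is joined to the request URI here only so that one pattern can cover both.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of HTTP request records as a firewall might log them:
# (source IP, Host header, request URI). Made-up values, not real traffic.
SAMPLE_REQUESTS = [
    ("10.1.2.15", "update.softwarex.example", "/client/checkversion?v=1.4"),
    ("10.1.2.15", "www.example.com", "/index.html"),
    ("10.1.3.40", "update.softwarex.example", "/client/checkversion?v=1.3"),
    ("10.1.2.15", "update.softwarex.example", "/client/checkversion?v=1.4"),
    ("10.1.9.7", "cdn.example.org", "/softwarex/banner.png"),  # only mentions the name
    ("10.1.5.22", "update.softwarex.example", "/client/checkversion?v=1.4"),
]

# Hypothetical pattern for the update-check address (Python re syntax, not the
# StoneGate syntax). Anchored at both ends so that only the update-check
# host and path match, not any URL that merely contains the product name.
UPDATE_CHECK = re.compile(r"^update\.softwarex\.example/client/checkversion(\?.*)?$")

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed internal address range


def matches_situation(host: str, uri: str) -> bool:
    """Return True if the request looks like Software X's update check."""
    return UPDATE_CHECK.match(f"{host.lower()}{uri}") is not None


def internal_hosts_using_software(requests) -> dict:
    """Map each internal source address to its number of matching requests."""
    hits = defaultdict(int)
    for src, host, uri in requests:
        # Ignore anything not originating from the internal network.
        if ip_address(src) not in INTERNAL_NET:
            continue
        if matches_situation(host, uri):
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    # Equivalent of filtering the Logs view on the "Software X" Situation.
    for src, count in sorted(internal_hosts_using_software(SAMPLE_REQUESTS).items()):
        print(f"{src}: {count} update check(s)")
```

The anchoring matters: a loose pattern that merely contains the product name would also match the unrelated image download from cdn.example.org and produce false positives in the Logs view.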
CHAPTER 19
APPLICATIONS
Application elements collect together combinations of identified characteristics and detected events in traffic to dynamically identify traffic related to the use of a particular application.
The following sections are included:
Overview to Applications (page 170)
Configuration of Applications (page 170)
Examples of Applications (page 172)
Overview to Applications
Applications are elements that provide a way to dynamically identify traffic patterns related to the use of a particular application. Applications allow you to more flexibly identify traffic beyond specifying a network protocol and ports for TCP and UDP traffic with a Service element.
Matching is done based on the payload in the packets, making it possible to identify the protocol even when non-standard ports are used. Applications first identify the protocol, and then a protocol-specific pattern matching context is applied to identify the applications.
Configuration of Applications
No configuration is required to be able to use Applications in Access rules. There are several predefined Application elements available that define the criteria for matching commonly-used applications. Creating new Applications or duplicating existing elements is not recommended. If you need to override the settings of a predefined Application, you can edit the Service Definition of the rule in which you use the Application.
Default Elements
Application Type elements define general categories of applications. One Application Type can be associated with each Application. Application Types are predefined, and you cannot create new Application Types.
Tags help you to create simpler policies with less effort. Tag elements represent all Applications that are associated with that Tag. For example, the Media Tag includes several web-based image, music, and video applications. Several Tags can be associated with each Application.
TLS Match elements define matching criteria for the use of the TLS (transport layer security) protocol in traffic. When a connection that uses the TLS protocol is detected, the server certificate for the connection is compared to the TLS Match in the Application definition. TLS connections are allowed only to sites that have trusted certificates that meet the following criteria:
• The certificate domain name must match the domain name in the TLS Match element.
• The certificate must be signed by a valid certificate authority.
• The certificate must be valid (not expired or revoked).
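How the three criteria above combine, as an added example that is not part of this guide and not StoneGate code: a simplified certificate record is checked against a TLS Match domain name, then against a trusted-issuer set, then for its validity period and revocation status, and the first failing criterion is reported. The ServerCert record, the issuer names and the wildcard handling (a wildcard covers exactly one left-most label) are assumptions of this example; a real check would parse the X.509 certificate and consult the CA chain and revocation data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ServerCert:
    """Constructed stand-in for the certificate fields the check needs."""
    names: list          # subject CN plus SubjectAltName DNS entries
    issuer: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False


# Assumed set of certificate authorities the firewall trusts (made-up names).
TRUSTED_ISSUERS = {"Example Root CA", "Example Intermediate CA"}


def name_matches(cert_name: str, match_domain: str) -> bool:
    """Compare one certificate name with the TLS Match domain name.

    A wildcard is honoured only as the whole left-most label: "*.example.com"
    matches "www.example.com" but neither "example.com" nor "a.b.example.com".
    """
    cert_name = cert_name.lower().rstrip(".")
    match_domain = match_domain.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == match_domain
    suffix = cert_name[1:]                     # ".example.com"
    if not match_domain.endswith(suffix):
        return False
    covered = match_domain[: -len(suffix)]     # the label the wildcard stands for
    return bool(covered) and "." not in covered


def evaluate_tls_match(cert: ServerCert, match_domain: str, now: datetime) -> tuple:
    """Apply the criteria in order and return (allowed, reason)."""
    if not any(name_matches(n, match_domain) for n in cert.names):
        return False, "domain name does not match"
    if cert.issuer not in TRUSTED_ISSUERS:
        return False, "issuer is not a trusted certificate authority"
    if now < cert.not_before or now > cert.not_after:
        return False, "certificate is outside its validity period"
    if cert.revoked:
        return False, "certificate is revoked"
    return True, "ok"


if __name__ == "__main__":
    # Constructed certificates for demonstration only.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    good = ServerCert(["*.example.com"], "Example Intermediate CA",
                      datetime(2024, 1, 1, tzinfo=timezone.utc),
                      datetime(2025, 1, 1, tzinfo=timezone.utc))
    for domain in ("www.example.com", "example.com", "a.b.example.com"):
        print(domain, evaluate_tls_match(good, domain, now))
```

Reporting only the first failing criterion mirrors how a connection is dropped as soon as one check fails; the order also means a domain mismatch is reported before any effort is spent on chain or revocation checks.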
The predefined elements are imported and updated from dynamic update packages. This means that the set of elements available in your system changes whenever you update your system with new definitions. The Release Notes of each dynamic update package list the new elements that the update introduces to your system. If your Management Server can connect to the Stonesoft website, you can view the Release Notes directly through the Management Client.
Configuration Workflow
The following sections provide an overview to the configuration tasks. Detailed step-by-step instructions can be found in the Online Help of the Management Client and the Administrator’s Guide PDF.