Vulnerabilities provide a short description of the event that has matched. Vulnerability information is included in dynamic update packages, so all Situations provided by Stonesoft that are related to a known vulnerability are linked to a Vulnerability element. When you create your own Situations, you can associate them with an existing Vulnerability or a custom Vulnerability element.
You can add up to four references to public vulnerability databases to your custom Vulnerabilities (CVE/BID/MS/TA). System vulnerabilities can have an unlimited number of
Note – With the exception of whitelisted URLs in URL Filtering, Situations are identified only by the element name. Avoid matching the same pattern in different Situation elements. Situations with duplicate patterns can make the policy difficult to read and manage.
Note – If a Tag or Situation Type you add to a Situation is in use in some Inspection Policy, the new Situation is automatically included in the policy when you save the Situation, and the engines start matching traffic to the Situation when you refresh the policy.
Using Situations
Situations are used for defining what you want to detect with the Inspection Policy. Situations are generally used for:
• Detecting malicious patterns in traffic. The Situations supplied by Stonesoft in dynamic update packages concentrate on such known vulnerabilities and exploits.
• Reducing the number of alert and log entries you receive (using Correlation Situations).
• Detecting some other traffic patterns that you want to record. For example, you may be interested in the use of certain applications.
Although the general workflow requires ensuring that a Situation you want to use is included in the Inspection Policy, you may often not actually insert the Situation into the rule, but use a Tag or Situation Type element instead to represent a whole group of Situations.
Example of Custom Situations
The example in this section illustrates a common use for Situations and the general steps on how the scenario is configured.
Detecting the Use of Forbidden Software
Company A has a Firewall that inspects all outgoing web traffic against the Inspection Policy. The use of instant messaging clients across the Internet is forbidden in the company. The Inspection Policy is set to detect and log Situations with the Instant Messaging Tag.
The company’s administrators have found out that some of the internal users have started chatting using a new little-known instant messaging client that does not have a default Situation yet. The communications seem to be standard HTTP directly from client to client. The administrators find one distinctive characteristic in the software: when launched, the software in question always connects to a particular address to check for updates using HTTP.
The administrators:
1. Create a new custom Situation element with the name “Software X”.
2. Add the HTTP Request URI Context to the Situation and type in a regular expression that contains the address they want the Situation to find, using the Stonesoft regular expression syntax (see Regular Expression Syntax (page 345)).
3. Add the default system Tag Instant Messaging to the Situation.
4. Refresh the Firewall’s policy.
5. Open the Logs view and filter the view using the “Software X” Situation as the filtering criteria.
6. See which computers use the forbidden software and take action to remove the software from the computers shown in the logs.
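The scenario above, modelled as an added example that is not part of the Stonesoft documentation: a custom Situation with an HTTP Request URI pattern and the Instant Messaging Tag is matched against constructed log lines, the policy picks the Situation up through its Tag, and the log is then filtered by Situation name to list the client computers. Python regular expression syntax and the simplified log format are assumptions; the update-check host is a placeholder.

```python
import re

# Constructed sample HTTP log lines, "client_ip method request_uri" per line.
# This is a simplified format for the example, not the Stonesoft log format,
# and the update-check host is a placeholder.
SAMPLE_HTTP_LOG = """\
10.0.1.12 GET http://updates.software-x.example/check?v=1.4
10.0.1.33 GET http://www.intranet.example/index.html
10.0.1.51 GET http://updates.software-x.example/check?v=1.5
10.0.1.12 GET http://mail.example/inbox
10.0.1.77 GET http://updates.software-x.example/check?v=1.4
"""

# The custom Situation from the scenario: one HTTP Request URI context whose
# pattern is the update-check address, tagged Instant Messaging. Python re
# syntax is assumed here; the Stonesoft regular expression syntax differs.
SITUATIONS = {
    "Software X": {
        "context": "HTTP Request URI",
        "pattern": re.compile(r"^http://updates\.software-x\.example/check(\?|$)"),
        "tags": {"Instant Messaging"},
    },
}

# The Inspection Policy rule references a Tag, not a Situation, so any
# Situation carrying that Tag is matched without editing the rule.
POLICY_TAG = "Instant Messaging"


def inspect(log_text, situations=SITUATIONS, policy_tag=POLICY_TAG):
    """Return log entries (client_ip, situation_name) for every line that
    matches a Situation the policy covers through its Tag."""
    entries = []
    active = {n: s for n, s in situations.items() if policy_tag in s["tags"]}
    for line in log_text.splitlines():
        client, _method, uri = line.split(" ", 2)
        for name, sit in active.items():
            if sit["pattern"].search(uri):
                entries.append((client, name))
    return entries


def clients_for_situation(entries, situation_name):
    """Steps 5 and 6: filter the log by Situation name and list the computers."""
    return sorted({client for client, name in entries if name == situation_name})


if __name__ == "__main__":
    hits = inspect(SAMPLE_HTTP_LOG)
    print(clients_for_situation(hits, "Software X"))
```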
CHAPTER 20
APPLICATIONS
Application elements collect together combinations of identified characteristics and detected events in traffic to dynamically identify traffic related to the use of a particular application. The following sections are included:
Overview to Applications (page 190)
Configuration of Applications (page 190)
Overview to Applications
Applications are elements that provide a way to dynamically identify traffic patterns related to the use of a particular application. Applications allow you to more flexibly identify traffic beyond specifying a network protocol and ports for TCP and UDP traffic with a Service element.
Matching is done based on the payload in the packets, making it possible to identify the protocol even when non-standard ports are used. Applications first identify the protocol, and then a protocol-specific pattern matching context is applied to identify the applications.
Configuration of Applications
No configuration is required to be able to use Applications in Access rules. There are several predefined Application elements available that define the criteria for matching commonly-used applications. Creating new Applications or duplicating existing elements is not recommended. If you need to override the settings of a predefined Application, you can edit the Service Definition of the rule in which you use the Application.
Default Elements
Application Type elements define general categories of applications. One Application Type can be associated with each Application. Application Types are predefined, and you cannot create new Application Types.
Tags help you to create simpler policies with less effort. Tag elements represent all Applications that are associated with that Tag. For example, the Media Tag includes several web-based image, music, and video applications. Several Tags can be associated with each Application.
TLS Match elements define matching criteria for the use of the TLS (transport layer security) protocol in traffic. When a connection that uses the TLS protocol is detected, the server certificate for the connection is compared to the TLS Match in the Application definition. TLS connections are allowed only to sites that have trusted certificates that meet the following criteria:
•The certificate domain name must match the domain name in the TLS Match element.
•The certificate must be signed by a valid certificate authority.
•The certificate must be valid (not expired or revoked).
The predefined elements are imported and updated from dynamic update packages. This means that the set of elements available in your system changes whenever you update your system with new definitions. The Release Notes of each dynamic update package list the new elements that the update introduces to your system. If your Management Server can connect to the Stonesoft web site, you can view the Release Notes directly through the Management Client.
Configuration Workflow
The following sections provide an overview to the configuration tasks. Detailed step-by-step instructions can be found in the Management Client Online Help and the Stonesoft Administrator’s Guide.