Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/14
IPS Anti-Virus Configuration Example
Keywords: IPS, AV
Abstract: This document presents a configuration example for the AV feature of the IPS devices.
Acronyms:
Acronym Full spelling
IPS Intrusion Prevention System
Table of Contents
Feature Overview ··· 3
Application Scenarios ··· 3
Configuration Guidelines ··· 3
Configuration Example ··· 3
Network Requirements ··· 3
Configuration Considerations ··· 4
Configuration Procedures ··· 4
Logging In to the Web Interface ··· 4
Creating a Security Zone··· 5
Adding a Segment ··· 7
Configuring the AV Segment Policy ··· 8
Modifying AV Rules ··· 10
Activating the Configurations··· 12
Saving Configurations ··· 12
Feature Overview
The Intrusion Prevention System (IPS) runs on the important links of networks in inline mode or bypass mode.
The anti-virus (AV) module is a core module of the IPS devices. It analyzes traffic, logs events, and blocks packets carrying viruses, protecting hosts on the network against infection. Upon detecting a packet carrying a virus, the feature blocks the packet to prevent infection, logs the event, and sends a report to the network administrator. You can configure policies to implement real-time traffic analysis, traffic detection, and automatic response. In addition, you can view the virus intrusion trend of the network through AV reports. The AV feature provides a virus signature package containing tens of thousands of virus signatures and supports signature package updates, allowing you to deploy the latest signature package to IPS devices in time.
Application Scenarios
With the popularity and globalization of networks, more and more viruses are emerging and threatening the security of networks.
An IPS device is usually deployed on a network in inline mode to identify and block virus intrusions from the Internet to hosts on the network.
All traffic from the Internet to the internal network will undergo the virus inspection of the IPS device. Once a worm, backdoor program, Trojan horse, or phishing attack is detected, the AV module will issue an alarm, log the AV event, and take actions in response.
Configuration Guidelines
None.
Configuration Example
Network Requirements
Figure 1 Network diagram for anti-virus configuration (components: Internet, Router, IPS, Switch, LAN with PC1 and PC2, and SecCenter acting as IPS Manager)
Configuration Considerations
When configuring the AV feature, you need to:
1) Configure the AV policy to be applied to the link.
2) Configure rules for inspecting packets selectively and blocking infected packets.
3) Activate the configurations.
After completing the above operations, infected packets will be blocked and logged by the AV module. You can view the logs and the virus intrusion trend through virus reports.
Configuration Procedures
Logging In to the Web Interface
The IPS devices support web-based management and are configured with default Web login information. The default Web login information is as follows:
• Username: admin
• Password: admin
• IP address of the management interface: 192.168.1.1/24
If the Web login information of an IPS device has been changed, use the up-to-date login information to log in to the device; otherwise, use the default Web login information. To use the default Web login information to log in to the IPS device, follow these steps:
1) Connect the PC to the IPS device
2) Configure an IP address for the network interface of the PC
Configure an IP address on subnet 192.168.1.0/24 (except for 192.168.1.1) for the network interface of the PC, for example, 192.168.1.2. This is to ensure that the PC can communicate with the IPS device.
3) Launch the Web browser and enter the login information
On the PC, launch the IE browser (it is recommended to use Internet Explorer 6.0 SP2 or later), and then type https://192.168.1.1 in the address bar and press the Enter key. The Web interface login page of the IPS device appears, as shown in Figure 2.
Click the language link on the page to select a language for the Web interface, type the username (admin), password (admin), and verification code, and then click Login to log in to the web interface.
Figure 2 Log in to the Web interface
Creating a Security Zone
Select System Management > Network Management > Security Zone from the navigation tree to enter the security zone management page, as shown in Figure 3.
Click Add to enter the page for adding a security zone, as shown in Figure 4.
Figure 4 Add a security zone
Create internal zone in and add port g-ethernet0/0/0 to the zone, as shown in Figure 5.
Figure 5 Assign interface g-ethernet0/0/0 to the internal zone
Figure 6 Assign interface g-ethernet0/0/1 to the external zone
Figure 7 Security zones created
Adding a Segment
Select System Management > Network Management > Segment Configuration from the navigation tree to enter the segment management page, as shown in Figure 8.
Figure 8 Segment management page
Click Add Segment to enter the page for adding a segment and add a segment (segment 0 in this example) to connect the internal network and the external network, as shown in Figure 9. The segment management page with the newly added segment is shown in Figure 10.
Figure 9 Add a segment
Figure 10 Segment management page with the newly added segment
Configuring the AV Segment Policy
Select Anti-Virus > Segment Policies from the navigation tree to enter the segment policy management page, as shown in Figure 11.
Figure 11 Create a segment
Figure 12 Create an AV segment policy
The number of internal zone IP addresses and internal zone excluded IP addresses that you can specify varies with device models.
Select the default AV policy Anti-Virus Policy, select Both for the Direction field, and then click Apply to create the AV segment policy and jump to the segment policy management page, as shown in Figure 13.
Modifying AV Rules
Click the policy name link Anti-Virus in Figure 13 to enter the AV rule management page. The page lists dozens of rules.
Figure 14 AV rule list
Each rule targets a type of virus. Enabling all rules consumes a lot of system resources and greatly reduces system performance. Therefore, some rules are disabled by default. You can enable rules as required to inspect packets for the corresponding viruses and block the infected packets.
Figure 15 Modify AV rules
Figure 16 Two AV rules have been modified
You can also select the Modify all matched rules option at the bottom of the AV rule list page and then click Enable Rule to enable all rules.
Activating the Configurations
Click Activate at the bottom of the AV rule list page to activate the above configurations.
Figure 17 Confirm the operation
Saving Configurations
To ensure that the above configurations can survive reboots, select System Management > Device
Figure 18 Save configurations
Verifying the Configurations
When packets carrying a Backdoor virus or an Email-Worm virus reach the device, the device detects the viruses, blocks the traffic, and logs the events. Select Log Management > Virus Logs > Recent Logs from the navigation tree to view the logs shown in Figure 19.
Figure 19 Blocked virus intrusions
Selecting Reports > Virus Report > Virus Report from the navigation tree, you can view the virus information of the network during a specified period of time. Specify the report type, virus name, virus type, action, time range, and segment, and click Query.
Figure 20 Query virus information
Figure 21 View the virus report
Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.