Hangzhou H3C Technologies Co., Ltd. www.h3c.com 1/12
IPS Attack Protection Configuration Example
Keywords: IPS
Abstract: This document presents a configuration example for the attack protection feature of the IPS devices.
Acronyms:
Acronym Full spelling
Table of Contents
Feature Overview ··· 3
Application Scenarios ··· 3
Configuration Guidelines ··· 3
Configuration Example ··· 3
Network Requirements ··· 3
Configuration Considerations ··· 4
Configuration Procedures ··· 4
Logging In to the Web Interface ··· 4
Creating a Security Zone ··· 5
Adding a Segment ··· 7
Configuring an IPS Segment Policy ··· 8
Modifying Rules of the Policy ··· 9
Activating Configurations ··· 10
Saving Configurations ··· 11
Feature Overview
Intrusion Prevention System (IPS) devices are deployed inline at the network backbone. The attack protection module is one of the most important modules of the IPS devices. With this module, an IPS device monitors and analyzes traffic in real time and automatically blocks abnormal packets, protecting hosts against suspicious programs. You configure IPS policies to specify which traffic is monitored and which actions are taken when an attack is detected, and you can view the attack reports to get an idea of the attack trend.
Thousands of common attack signatures are predefined on the IPS devices, and the attack signature definitions can be updated automatically, so that the intrusion prevention system always uses up-to-date attack signature definitions.
Application Scenarios
With the spread of network technologies and the development of attack tools, network attacks are becoming more common.
An IPS device is usually deployed in inline mode so that it can identify and block attacks from the Internet against internal users, such as attacks that target system vulnerabilities and attacks that use worms and spyware.
All traffic from the Internet to the internal network has to pass through the IPS device. Once the IPS module detects attack behavior, such as a worm, backdoor, Trojan horse, spyware, suspicious program, or phishing, it immediately blocks the attack, quarantines the attack source, logs the event, and notifies the network administrator.
Configuration Guidelines
None.
Configuration Example
Network Requirements
Figure 1 Network diagram for IPS configuration
Configuration Considerations
1) To configure the attack protection feature, you need to configure an IPS policy and then the rules used to detect and block attacks.
2) After configuring the attack protection feature, you need to activate the configuration. Then, once the IPS device detects attack traffic on the link, it blocks the attack, and you can view the corresponding record in the attack logs and view the attack trend over a period in the attack report.
Configuration Procedures
Logging In to the Web Interface
The IPS devices support web-based management and are configured with Web login information by default. The default Web login information is as follows:
• Username: admin
• Password: admin
• IP address of the management interface: 192.168.1.1/24
If the Web login information of an IPS device has been changed, you need to use the up-to-date login information to log in to the device; otherwise, you can use the default Web login information. To use the default Web login information to log in to the IPS device, follow these steps:
1) Connect the PC to the IPS device
Use a crossover Ethernet cable to connect the network interface of the PC to the management interface of the IPS device.
2) Configure an IP address for the PC
Configure an IP address on subnet 192.168.1.0/24 (except for 192.168.1.1) for the network interface of the PC, for example, 192.168.1.2. This ensures that the PC can communicate with the IPS device.
3) Launch the Web browser and enter the login information
On the PC, launch the IE browser (it is recommended to use Internet Explorer 6.0 SP2 or later), and then type https://192.168.1.1 in the address bar and press the Enter key. The Web interface login page of the IPS device appears, as shown in Figure 2.
Click the language link on the page to select a language for the Web interface, type the username (admin), password (admin), and verification code, and then click Login to log in to the web interface.
Figure 2 Log in to the Web interface
Creating a Security Zone
Select System Management > Network Management > Security Zone from the navigation tree to enter the security zone management page, as shown in Figure 3.
Figure 3 Security zone management page
Figure 4 Add a security zone
Create the internal security zone, named in in this example, and assign interface g-ethernet0/0/0 to it, as shown in Figure 5.
Figure 5 Assign interface g-ethernet0/0/0 to the internal zone
Figure 6 Assign interface g-ethernet0/0/1 to the external zone
Figure 7 Security zones created
Adding a Segment
Select System Management > Network Management > Segment Configuration from the navigation tree to enter the segment management page, as shown in Figure 8.
Click Add Segment to enter the page for adding a segment and add a segment (segment 0 in this example) to connect the internal network and the external network, as shown in Figure 9. Figure 10 shows the newly added segment on the segment list.
Figure 9 Add a segment
Figure 10 Segment management page with the newly added segment
Configuring an IPS Segment Policy
Figure 11 Configure an IPS segment policy
After the above configuration, select IPS > Segment Policies from the navigation tree to enter the segment policy management page, as shown in Figure 12. You can see that the newly added policy ips is on the list.
Figure 12 Newly added segment policy on the policy list
Modifying Rules of the Policy
Figure 13 Modify IPS rules
Select Modify all matched rules at the bottom of the page and click Enable Rule. All the matched rules are enabled. Then select Modify all matched rules again, select Block+Notify from the Action Set drop-down list, and click Modify Action Set. All backdoor attacks will be blocked and logged.
To detect and block all categories of attacks, select -- (meaning all categories) from the Category drop-down list and click Query. All rules of the policy are displayed. Modify the rules as needed.
Activating Configurations
Figure 14 Confirm the operation
Saving Configurations
To ensure that the above configurations survive reboots, select System Management > Device Management > Configuration Maintenance from the navigation tree, and then in the Save Current Configuration area, click Save to save the current configuration.
Figure 15 Save configurations
Verifying the Configurations
When backdoor attacks are launched from the external network against PCs in the internal network, the IPS device blocks and logs the attacks. You can see attack prevention information like that shown in Figure 16 on the page you enter by selecting Log Management > Attack Logs > Recent Logs.
Figure 16 Blocked attacks
Select Reports > Attack Report > Attack Report from the navigation tree to enter the page shown in Figure 17. Select the report type, attack ID, severity level, action, time range, and segment, and click Query. You can see the attack information recorded in the specified period of time, as shown in
Figure 17 Query the attacks
Figure 18 View the attack report
Copyright © 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.