[fw-wiz] fortigate firewall IPS capabilities

From: Maarten Hartsuijker (secfocusNOSPAM_at_jizzle.net)
Date: 10/25/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 25 Oct 2004 12:07:04 +0200 (CEST)
    
    

    I have been performing some basic tests of the IPS capabilities of our
    fortigate v2.80 - MR5. I started out testing the device's portscan
    protection rules but have so far been unable to prevent the portscans from
    being successful. From the logs, I notice that the fortigate detects the
    scan, but allows it anyway.
    I tested the device using the following scenario:
    1. I opened all the ports between 2 fortigate interfaces
    2. I configured all IPS options related to portscans. I enabled them and
    set the action to drop (and in other tests "clear session" and "drop
    session")
    3. I created my own profile ("maarten"), configured it to follow IPS rules
    and attached it to the firewall policy that allows sessions between the
    wan1 and internal ports.
    4. I enabled logging, so I would be able to follow the device's response
    === scantop === fortigate === victim (host with ports listening on 22/TCP
    and 8080/TCP)
    When scanning my victim using nmap, all open ports are reported accurately.
    It seems like the fortigate is not blocking my portscan, like you would
    expect from an IPS....
    ====================================================
    NMAP and SYSLOG output:
    ====================================================
    Starting nmap 3.70 ( http://www.insecure.org/nmap ) at 2004-10-25 10:18 W.
    Europ
    Interesting ports on 192.168.1.1:
    (The 65533 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    22/tcp open ssh
    8080/tcp open http-proxy
    Nmap run completed -- 1 IP address (1 host up) scanned in 654.401 seconds

    ====================================================
    The fortigate logs:
    Oct 25 10:17:33 FG.CORP.LAN date=2004-10-25 time=10:12:21
    device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
    pri=alert attack_id=100663398 src=172.16.152.162 dst=192.168.1.1
    src_port=58020 dst_port=44993 src_int=n/a dst_int=n/a status=dropped
    proto=6 service=44993/tcp msg="anomaly: portscan, 1001 > threshold 1000,
    repeated 67 times[Reference: http://www.fortinet.com/ids/ID100663398]"
    Oct 25 10:17:35 FG.CORP.LAN date=2004-10-25 time=10:12:23
    device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
    pri=alert attack_id=100663402 src=172.16.152.162 dst=192.168.1.1
    src_port=58020 dst_port=48556 src_int=n/a dst_int=n/a status=detected
    proto=6 service=48556/tcp msg="anomaly: tcp_src_session, 2001 > threshold
    2000, repeated 67 times[Reference:
    http://www.fortinet.com/ids/ID100663402]"
    Oct 25 10:17:49 FG.CORP.LAN date=2004-10-25 time=10:12:37
    device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
    pri=alert attack_id=100663409 src=172.16.152.162 dst=192.168.1.1
    src_port=58020 dst_port=53739 src_int=n/a dst_int=n/a status=detected
    proto=6 service=53739/tcp msg="anomaly: tcp_dst_session, 5001 > threshold
    5000, repeated 3434 times[Reference:
    http://www.fortinet.com/ids/ID100663409]"
    Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
    device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
    pri=notice vd=root SN=10561 duration=20 rule=7 policyid=7 proto=554/tcp
    service=554/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
    dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
    rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=554 vpn=n/a
    tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
    Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
    device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
    pri=notice vd=root SN=10562 duration=20 rule=7 policyid=7 proto=dns
    service=dns status=accept src=172.16.152.162 srcname=172.16.152.162
    dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
    rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=53 vpn=n/a
    tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
    Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
    device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
    pri=notice vd=root SN=10567 duration=20 rule=7 policyid=7 proto=3389/tcp
    service=3389/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
    dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
    rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=3389 vpn=n/a
    tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
    Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
    device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
    pri=notice vd=root SN=10568 duration=20 rule=7 policyid=7 proto=389/tcp
    service=389/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
    dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
    rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=389 vpn=n/a
    tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
    =========================================================
    As you can see, the fortigate firewall/IPS detects the anomaly, but still
    allows the portscan to continue. There is no IPS response that blocks the
    entire portscan. I had a tcpdump running on my victim to see if maybe port
    22 and 8080 had been scanned before the threshold of the rules had been
    met. However, this did not seem to be the case. tcpdump reported a probe
    of port 8080 over a minute after the fortigate first detected the scan.

    I was wondering if any of you have noticed the same behaviour on your
    fortigates, or if you have different test results. I have included some
    details of my configuration below.

    Kind regards, Maarten Hartsuijker

    Version:Fortigate-60 2.80,build250,040914
    ids-db:2.139(10/19/2004 15:14)

    config ips group "scan"
            config rule "Nmap.TCP"
                set action drop (tried "clear session" and "drop session"
    options as well)
            end
            config rule "SYNScan.Portscan"
                set action drop (tried "clear session" and "drop session"
    options as well)
            end
    end

    config ips anomaly "portscan"
        set action drop (tried "clear session" and "drop session" options as
    well)
        set threshold "1000"
    end
    config ips anomaly "syn_flood"
        set threshold "2000"
    end

    config firewall profile
        .......
        edit "maarten"
            set imap fragmail
            set pop3 fragmail
            set smtp fragmail
            set ips signature anomaly
        next
    end
    config firewall policy
        ...
        edit 2
            set srcintf "internal"
            set dstintf "dmz"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ANY"
            set profile_status enable
            set profile "maarten"
        next
        ...
    end

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
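The behaviour the post describes (IPS anomaly events for a source, followed by traffic log entries from the same source that are still accepted) can be checked mechanically rather than by eyeballing syslog. The following is an added example, not code from the original post or from Fortinet: it parses the key=value log format shown above and, per source address, correlates the first IPS anomaly timestamp with every later `type=traffic status=accept` entry from that source. The sample lines are constructed from the values in the post (the multi-line entries joined into single syslog lines, plus one invented pre-detection session to port 22); the function and variable names are the example's own.

```python
"""Correlate FortiGate IPS anomaly events with traffic-accept events.

Added example (not from the original post). It parses the key=value syslog
format shown in the thread and reports sources whose sessions the firewall
kept accepting after it had already raised a portscan/session anomaly.
"""
import re
from datetime import datetime

# key=value pairs; values may be double-quoted and contain spaces (e.g. msg="...")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# "anomaly: portscan, 1001 > threshold 1000, ..." -> (name, observed, threshold)
ANOMALY_RE = re.compile(r'anomaly: (\w+), (\d+) > threshold (\d+)')

# Constructed sample: the post's entries joined onto single lines, plus one
# invented session to port 22 timestamped before the first anomaly.
SAMPLE_LOGS = [
    'Oct 25 10:17:33 FG.CORP.LAN date=2004-10-25 time=10:12:21 device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly pri=alert attack_id=100663398 src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=44993 src_int=n/a dst_int=n/a status=dropped proto=6 service=44993/tcp msg="anomaly: portscan, 1001 > threshold 1000, repeated 67 times[Reference: http://www.fortinet.com/ids/ID100663398]"',
    'Oct 25 10:17:35 FG.CORP.LAN date=2004-10-25 time=10:12:23 device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly pri=alert attack_id=100663402 src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=48556 src_int=n/a dst_int=n/a status=detected proto=6 service=48556/tcp msg="anomaly: tcp_src_session, 2001 > threshold 2000, repeated 67 times[Reference: http://www.fortinet.com/ids/ID100663402]"',
    'Oct 25 10:17:49 FG.CORP.LAN date=2004-10-25 time=10:12:37 device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly pri=alert attack_id=100663409 src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=53739 src_int=n/a dst_int=n/a status=detected proto=6 service=53739/tcp msg="anomaly: tcp_dst_session, 5001 > threshold 5000, repeated 3434 times[Reference: http://www.fortinet.com/ids/ID100663409]"',
    # invented pre-detection session (constructed, not from the post)
    'Oct 25 10:17:02 FG.CORP.LAN date=2004-10-25 time=10:11:50 device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed pri=notice vd=root SN=10400 duration=20 rule=7 policyid=7 proto=ssh service=ssh status=accept src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=22',
    'Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41 device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed pri=notice vd=root SN=10561 duration=20 rule=7 policyid=7 proto=554/tcp service=554/tcp status=accept src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=554',
    'Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41 device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed pri=notice vd=root SN=10562 duration=20 rule=7 policyid=7 proto=dns service=dns status=accept src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=53',
    'Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41 device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed pri=notice vd=root SN=10567 duration=20 rule=7 policyid=7 proto=3389/tcp service=3389/tcp status=accept src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=3389',
]


def parse_fortigate_line(line):
    """Split one FortiGate syslog line into a dict of its key=value fields."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]          # strip the quotes around msg="..."
        fields[key] = value
    return fields


def event_time(fields):
    """Device-side timestamp built from the date= and time= fields."""
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def correlate(lines):
    """Per source IP: first anomaly time, IPS verdicts, and sessions accepted before/after it."""
    events = [parse_fortigate_line(l) for l in lines]
    ips = [e for e in events if e.get("type") == "ips" and e.get("subtype") == "anomaly"]
    traffic = [e for e in events if e.get("type") == "traffic"]

    report = {}
    for e in ips:
        r = report.setdefault(e["src"], {"first_anomaly": None, "ips_statuses": set(),
                                         "anomalies": [], "accepted_before": [], "accepted_after": []})
        t = event_time(e)
        if r["first_anomaly"] is None or t < r["first_anomaly"]:
            r["first_anomaly"] = t
        r["ips_statuses"].add(e.get("status", "unknown"))   # dropped / detected
        m = ANOMALY_RE.search(e.get("msg", ""))
        if m:
            r["anomalies"].append((m.group(1), int(m.group(2)), int(m.group(3))))

    for e in traffic:
        src = e.get("src")
        if src not in report or e.get("status") != "accept":
            continue   # only sources the IPS has already flagged are of interest here
        port = int(e["dst_port"])
        bucket = "accepted_after" if event_time(e) >= report[src]["first_anomaly"] else "accepted_before"
        report[src][bucket].append(port)
    return report


def ips_gaps(report):
    """Sources for which the IPS raised an anomaly yet later sessions were still accepted."""
    return sorted(src for src, r in report.items() if r["accepted_after"])


if __name__ == "__main__":
    rep = correlate(SAMPLE_LOGS)
    for src in ips_gaps(rep):
        r = rep[src]
        print(f"{src}: first anomaly at {r['first_anomaly']}, IPS verdicts {sorted(r['ips_statuses'])}, "
              f"{len(r['accepted_after'])} sessions accepted afterwards to ports {sorted(r['accepted_after'])}")
```

Run against a real export, the `accepted_after` list is the evidence that the anomaly action did not translate into a session block for that source, which is exactly the question raised in the post; the `accepted_before` list covers the tcpdump check the author did by hand (whether an open port was probed before the threshold was reached). Note that the correlation keys on the device's own `date=`/`time=` fields rather than the syslog receive timestamp, since the two differ by several minutes in the lines above.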
