Solved: Re: Multiple IPS policies

Antonio Macia · ‎11-14-2020

Hi,

What are the benefits (if any) of having a different IPS policy for incoming traffic to internal servers and another for outgoing traffic focused on users? What is the best practice, keep a single policy for both scenarios that simplify the operations or two for more granular rules control?

Regards.

Aref Alsouqi · ‎11-14-2020

You welcome. That's right and that's the way how I would do it. Regarding the flow direction, that will be judged by the enabled snort rules inside the IPS policy, some of them they would match the traffic from inside to outside, others from outside to inside, and others any to any. Take this rule as an example please:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:”SERVER-APACHE Apache HTTP Server mod_http2 denial of service attempt”; flow:to_server,established; content:”|01 00 00 00 00 01|”; content:”|09 01 00 00 00 01|”; within:50; content:”|09 01 00 00 00 01|”; within:25; content:”|09 01 00 00 00 01|”; within:25; metadata:service http; reference:cve,2016-8740; classtype:denial-of-service; sid:41688; rev:1; gid:1; )

This rule will match the traffic coming from an IP address falling within the EXTERNAL_NET variable, destined to an IP within the HOME_NET variable destined to a port defined in the HTTP_PORTS variable. This means that this rule won't match the traffic sourced from the HOME_NET destined to the EXTERNAL_NET on HTTP ports. From the ACP perspective, you just apply the IPS policy and variable sets to the rules you want them to be inspected, and the actions taken will be based on what is configured on the IPS policy.

Regarding setting up the variable sets, they are very important, and there is a gotcha I wrote about in this post on my blog:

https://bluenetsec.com/snort-home_net-and-external_net-variables/

View solution in original post

Aref Alsouqi · ‎11-14-2020

You would need one single IPS policy where inside of it you would have multiple rules. Based on the ports, protocols, traffic flow etc, the IPS policy rule will be matched and its actions will be applied. What we typically do, we enable the IPS policy, selecting the base line policy, defining our variable sets, and start tuning up the IPS policy rules. Some times we might also want to rely on Cisco recommendations which is a great feature that I use for many of our customers. This feature will allow the FTD to learn about your environment, and then coming up with a suggestion list of rule/signatures that would be required to protect your environment, discarding any unrelated rules/signatures.

Antonio Macia · ‎11-14-2020

Thank you Aref.

So basically you recommend a single IPS policy with multiple layers based on the FTD recommendations + manual rule tuning, triggered on the ACP rules that we need. In this case, triggering the policy from an outside-to-inside ACP rule will catch the incoming threats and on the the hand, outgoing threats from compromised hosts would be detected by another ACP rule in the inside-to-outside direction, is that correct?

Aref Alsouqi · ‎11-14-2020

You welcome. That's right and that's the way how I would do it. Regarding the flow direction, that will be judged by the enabled snort rules inside the IPS policy, some of them they would match the traffic from inside to outside, others from outside to inside, and others any to any. Take this rule as an example please:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:”SERVER-APACHE Apache HTTP Server mod_http2 denial of service attempt”; flow:to_server,established; content:”|01 00 00 00 00 01|”; content:”|09 01 00 00 00 01|”; within:50; content:”|09 01 00 00 00 01|”; within:25; content:”|09 01 00 00 00 01|”; within:25; metadata:service http; reference:cve,2016-8740; classtype:denial-of-service; sid:41688; rev:1; gid:1; )

This rule will match the traffic coming from an IP address falling within the EXTERNAL_NET variable, destined to an IP within the HOME_NET variable destined to a port defined in the HTTP_PORTS variable. This means that this rule won't match the traffic sourced from the HOME_NET destined to the EXTERNAL_NET on HTTP ports. From the ACP perspective, you just apply the IPS policy and variable sets to the rules you want them to be inspected, and the actions taken will be based on what is configured on the IPS policy.

Regarding setting up the variable sets, they are very important, and there is a gotcha I wrote about in this post on my blog:

https://bluenetsec.com/snort-home_net-and-external_net-variables/

HQuest · ‎11-14-2020

A single policy would make all packets thru a single list of verifications, which may catch more threats, may generate false positives or may slow down the overall processing because of the time spent going thru the entire list.

Multiple policies would spread the packets across different lists, which may catch less threats, may have lesser false positives or may not slow down as much the overall packet processing since the list is smaller.

Ultimately it all depends on how inclusive each IPS policy is, the device size/capacity to handle all policies, how busy your interfaces are and how sensitive/secure your environment requirements are. Which is why it is common to see a single firewall doing it all with one IPS policy, but also multi-level firewall deployments with many (multi-vendor) firewalls dedicated to single functions.

Unfortunately, there is no single "one size fits all" solution when we are talking security: both single and multi policies are best practices.