
Cyberoam IPS

Configuration Guide

Version 10
Version 7

Document Version 10.04.5.0007 - 30/11/2013

Document Version 10.04.4.0028 - 08/10/2013

Cyberoam IPS Configuration Guide


Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this information believing it to be accurate and reliable at the time of printing, but
it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document.
Cyberoam Technologies Pvt. Ltd. reserves the right, without notice, to make changes in product design or specifications.
Information is subject to change without notice.

USERS LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License
Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.
You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for
Cyberoam UTM Appliances at http://kb.cyberoam.com.

RESTRICTED RIGHTS
Copyright 1999 - 2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of
Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road,
Ahmedabad 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com



Contents

Overview ........................................ 6
IPS ............................................. 7
Cyberoam IPS .................................... 7
    Policy ...................................... 9
        Policy .................................. 10
    Custom Signature ............................ 15
        Custom Signature ........................ 15


Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower
Off C.G. Road
Ahmedabad 380006
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: support@cyberoam.com
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.

Item | Convention | Example
Server | Machine where the Cyberoam Software - Server component is installed |
Client | Machine where the Cyberoam Software - Client component is installed |
User | The end user |
Username | Username uniquely identifies the user of the system |
Part titles | Bold and shaded font typefaces | Report
Topic titles | Shaded font typefaces | Introduction
Subtitles | Bold & Black typefaces | Notation conventions
Navigation link | Bold typeface | Group Management > Groups > Create means: to open the required page, click Group Management, then Groups, and finally click the Create tab
Name of a particular parameter / field / command button text | Lowercase italic type | Enter policy name, replace policy name with the specific name of a policy. Or: Click Name to select, where Name denotes the command button text which is to be clicked
Cross references | Hyperlink in a different color | refer to Customizing User database. Clicking on the link will open the particular topic
Notes & points to remember | Bold typeface between the black borders | Note
Prerequisites | Bold typeface between the black borders | Prerequisite: Prerequisite details


Overview
Welcome to Cyberoam's IPS Implementation Guide.
Cyberoam is an Identity-based UTM Appliance. Cyberoam's solution is purpose-built to meet the
security needs of corporations, government organizations, and educational institutions.
Cyberoam's blend of best-of-breed solutions includes a user-based Firewall, Content Filtering,
Anti Virus, Anti Spam, Intrusion Prevention System (IPS), and VPN (IPSec and SSL).
Cyberoam provides increased LAN security by providing a separate port for connecting the
publicly accessible servers (Web server, Mail server, FTP server, etc.) hosted in the DMZ, which are
visible to the external world and still have firewall protection.
Cyberoam is a real-time Intrusion Prevention System that protects your network from known and
unknown attacks by worms and viruses, hackers and other Internet risks.
The Cyberoam appliance at the perimeter of your network analyzes all traffic and prevents attacks from
reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting your
mail server or any other attack, it simply does not get through.

Note
The Intrusion Prevention System module is a subscription module that must be subscribed to before use.
You can evaluate the module's features by subscribing to its free trial.


IPS
An IPS is a type of security management system that gathers and analyzes information
from a network to identify possible security breaches, which include both intrusions (attacks from
outside the organization) and misuse (attacks from within the organization).
IPS detects and/or prevents malicious activity such as Denial of Service attacks, port scans or
even attempts to break into computers by monitoring network traffic.
To detect such activity, IPS uses signatures. Whenever traffic matching a signature pattern is
found, IPS raises an alarm and blocks the traffic from reaching its destination.
A standard IPS allows defining a global policy that is applied to every source-destination
network/host/port combination. This global policy can be modified or tuned as required
but cannot be tailored per network or per host.
Because a global policy is one general policy for all traffic, standard IPSs generate a high number of
false positives, which makes it difficult to pinpoint the host generating malicious traffic or vice versa.
Fine-tuning a global policy means disabling a set of signatures for all networks/hosts.
This is not a fit-for-all policy: it might reduce false positives from one network
while increasing them from another, and may even miss certain obvious malicious activity.

Note
All the screenshots in the Cyberoam User Guides have been taken from the NG series of appliances. The
features and functionality, however, remain unchanged across all Cyberoam appliances.


Cyberoam IPS
Cyberoam IPS is a real-time Intrusion Prevention System (IPS) that protects your network from
known and unknown attacks by worms and viruses, hackers and other internet risks.
The Cyberoam appliance at the perimeter of your network analyzes the entire traffic and prevents attacks
from reaching your network. Whether it is a worm, a suspicious web request, a hacker targeting
your mail server or any other attack, it simply does not get through.
IPS consists of a signature engine with a predefined database of signatures and uses these signatures
to identify malicious activity on the network. The predefined signatures cannot be modified.
As per your network requirements, the appliance allows you to define multiple policies instead of one
global policy, to decrease packet latency and reduce false positives.
An IPS policy allows you to view the predefined signatures and customize the intrusion prevention
configuration at the category as well as the individual signature level. Categories are signatures
grouped together based on application and protocol vulnerabilities.
Instead of providing only a single (global) policy for managing multiple networks/hosts, the appliance
allows you to tailor a policy per network/host, i.e. to define multiple policies for managing multiple
networks/hosts. Defining multiple policies instead of a single global policy helps decrease
packet latency and reduce false positives.
To enable Intrusion Detection and Prevention, apply an IPS Policy from a Firewall Rule. You can
create rules to apply:
- a single policy for all users/networks
- different policies for different users/networks or hosts
As Firewall Rules control all traffic passing through the appliance and decide whether to allow or
drop a connection, the IPS rule is applied only to traffic/packets that pass through the
Firewall.

Policy
Custom Signature


Policy
IPS consists of a signature engine with a predefined set of signatures. Signatures are patterns
that are known to be harmful. IPS compares traffic to these signatures and responds at high
speed if it finds a match. Signatures included within Cyberoam are not modifiable.
Category
Signatures are organized in categories such as DNS, Finger, P2P, DDoS, and others. These
signature categories are listed in the policy. You configure these categories to change the
prevention and/or detection settings. To perform Intrusion Prevention and Detection, you need to
enable IPS services for each category, i.e. you will be able to configure attack threats for an individual
signature only if the IPS service for its category is Enabled.
Each IPS Policy contains a set of signatures that Cyberoam searches for, logs, blocks or
allows. A policy lets you:
- Enable or disable a category from IPS protection.
- Enable or disable individual signatures in a category to tailor IPS protection to your
network environment.
- Define the action to be taken when a matching traffic pattern is found. Cyberoam can either
detect or drop the connection. In either case, Cyberoam generates a log entry and alerts
the Network Administrator.
IPS provides five actions for managing attack threats (the action taken if a signature matches):
- Allow Packet: Cyberoam allows the packet to its intended destination.
- Drop Packet: Cyberoam drops the packet if it detects any traffic that matches the signature.
- Drop Session: Cyberoam drops the entire session if it detects any traffic that matches the
signature.
- Reset: Cyberoam resets the entire session if it detects any traffic that matches the signature.
- Bypass Session: Cyberoam allows all the session packets if it detects any traffic that
matches the signature.
In packet-based actions, Cyberoam checks each packet before taking the action, while for session-based
actions only the first packet is checked and the action is taken. In case of Reset, a TCP reset
packet is sent to the originator. In all cases, Cyberoam generates a log entry and alerts the
Network Administrator.
To save resources and avoid latency, set the action to Bypass Session or Allow Session: in this case,
if the initial packets match the signature, the rest of the session packets are not scanned at
all.
To avoid a high number of alerts and save resources, set the action to Drop Session: in this case,
if Cyberoam identifies an attack in the initial packets, it terminates the entire session
instead of scanning all the session packets.
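The difference between packet-based and session-based actions, and the way a category switch, a common action and an individual signature action combine into one effective action, is easiest to see in a small model. The following Python is an added illustration and is not Cyberoam code: it resolves the effective action for each signature under a policy and runs a constructed three-packet FTP session through an engine that applies the five actions, counting how many packets were actually scanned and how many alerts were logged. The signature ID, the plain substring standing in for a signature body, the session key and the rule that a Set Common Action covers every signature in its category are assumptions made for this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The five IPS actions named in the guide.
ALLOW_PACKET, DROP_PACKET = "Allow Packet", "Drop Packet"
DROP_SESSION, RESET, BYPASS_SESSION = "Drop Session", "Reset", "Bypass Session"


@dataclass
class Signature:
    sig_id: int
    category: str
    pattern: bytes        # constructed stand-in: a plain substring instead of a real signature body
    recommended: str      # the non-modifiable "Recommended Action"


@dataclass
class Policy:
    enabled_categories: Set[str]
    common_action: Dict[str, str] = field(default_factory=dict)     # category -> "Set Common Action"
    signature_action: Dict[int, str] = field(default_factory=dict)  # signature id -> individual action

    def effective_action(self, sig: Signature) -> Optional[str]:
        """Resolve the action for one signature under this policy (None = category excluded)."""
        if sig.category not in self.enabled_categories:
            return None
        # Modelling assumption: a common action, once set, covers every signature in the
        # category; otherwise the per-signature setting applies, falling back to the
        # recommended action.
        if sig.category in self.common_action:
            return self.common_action[sig.category]
        return self.signature_action.get(sig.sig_id, sig.recommended)


@dataclass
class Packet:
    session: str   # hypothetical connection key (a 5-tuple on a real appliance)
    payload: bytes


class IpsEngine:
    """Applies packet-based and session-based actions and counts scanned packets."""

    def __init__(self, policy: Policy, signatures: List[Signature]) -> None:
        self.policy, self.signatures = policy, signatures
        self.session_state: Dict[str, str] = {}       # session -> "dropped" | "bypassed"
        self.log: List[Tuple[str, int, str]] = []     # (session, signature id, action) alerts
        self.scanned = 0

    def process(self, pkt: Packet) -> str:
        state = self.session_state.get(pkt.session)
        if state == "dropped":        # Drop Session / Reset: later packets are not scanned
            return "dropped (session)"
        if state == "bypassed":       # Bypass Session: later packets are forwarded unscanned
            return "forwarded (bypass)"
        self.scanned += 1
        for sig in self.signatures:
            action = self.policy.effective_action(sig)
            if action is None or sig.pattern not in pkt.payload:
                continue
            self.log.append((pkt.session, sig.sig_id, action))   # every action logs and alerts
            if action == ALLOW_PACKET:
                return "forwarded"
            if action == DROP_PACKET:
                return "dropped"
            if action == DROP_SESSION:
                self.session_state[pkt.session] = "dropped"
                return "dropped (session)"
            if action == RESET:
                self.session_state[pkt.session] = "dropped"
                return "reset sent"
            if action == BYPASS_SESSION:
                self.session_state[pkt.session] = "bypassed"
                return "forwarded (bypass)"
        return "forwarded"


# Constructed sample data: one FTP signature and a three-packet FTP session.
SIGNATURES = [Signature(900001, "FTP", b"USER JOHN", DROP_PACKET)]
SESSION = [Packet("s1", b"USER JOHN\r\n"), Packet("s1", b"PASS secret\r\n"), Packet("s1", b"LIST\r\n")]


def simulate(policy: Policy, packets: List[Packet] = SESSION) -> Tuple[List[str], int, int]:
    """Return (per-packet verdicts, packets scanned, alerts logged) for one policy."""
    engine = IpsEngine(policy, SIGNATURES)
    verdicts = [engine.process(p) for p in packets]
    return verdicts, engine.scanned, len(engine.log)


if __name__ == "__main__":
    for label, policy in [
        ("Drop Packet (recommended action)", Policy({"FTP"})),
        ("Drop Session (common action)", Policy({"FTP"}, common_action={"FTP": DROP_SESSION})),
        ("Bypass Session (individual signature)", Policy({"FTP"}, signature_action={900001: BYPASS_SESSION})),
        ("FTP category disabled", Policy(set())),
    ]:
        print(label, simulate(policy))
```

Running the four policies shows the trade-off the guide describes: the packet-based Drop Packet scans all three packets and drops only the first, while Drop Session and Bypass Session scan one packet, log one alert, and then drop or forward the rest of the session without inspecting it. With the category disabled nothing is matched or logged at all.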



Policy
The Policy tab allows you to view IPS signatures and configure the handling of signatures by category
or on a signature-by-signature basis.
Create and deploy IPS policies to block malicious or suspicious traffic and increase security and
productivity.
Cyberoam provides the following pre-defined policies, which can be used directly or modified as per
your requirement:
- generalpolicy
- lantowan strict policy
- lantowan general policy
- dmzpolicy
To configure IPS Policies, go to IPS > Policy > Policy. You can:
- Add
- View
- Edit: Click the Edit icon in the Manage column against the IPS Policy to be modified. Edit
IPS Policy is displayed in a new window, which has the same parameters as the Add IPS
Policy window.
- Enable/Disable Individual Signature: Click the Edit icon in the Manage column against
the IPS Policy in which the signature matching is to be enabled or disabled. Search the
signature category or click the Category name under which the signature is included. Change the
action for the required signature.
- Delete: Click the Delete icon in the Manage column against the IPS Policy to be deleted.
A dialog box is displayed asking you to confirm the deletion. Click OK to delete the IPS Policy.
To delete multiple IPS Policies, select them and click the Delete button.

Manage Policies

Screen Manage IPS Policies



Screen Element | Description
Add Button | Add a new IPS Policy.
Name | Displays the name of the IPS Policy.
Description | Displays the description of the IPS Policy.
Edit Icon | Edit the IPS Policy.
Delete Button | Delete the IPS Policy. Alternately, click the Delete icon against the policy to be deleted.
Table Manage IPS Policies screen elements



IPS Policy Parameters


To add or edit IPS policies, go to IPS > Policy > Policy. Click the Add button to add a new policy
or the Edit icon to modify the details of a policy. The IPS Policy parameters are given below.

Screen Add IPS Policy



Screen Element | Description
Name | Specify a name to identify the IPS Policy.
Description | Provide the IPS Policy description.
Category Name | Enable or disable categories from the list of default categories to include or exclude them in the policy. By default, all the categories are enabled.
  Enable to include the category for detection and/or prevention. If the category is enabled for detection and/or prevention, Cyberoam provides maximum granularity by allowing you to change the prevention and detection settings of individual signatures within the category.
  Disable to exclude the category from detection and/or prevention. Excluding the category is the same as not implementing IPS for that particular category.
Table Add IPS Policy screen elements



Enable/Disable Signature
Go to IPS > Policy > Policy and click the policy in which the signature is to be enabled or
disabled.
Click a category to view the list of signatures grouped under that category and define the action to be
taken when the matching traffic pattern is detected.

Screen Enable/Disable Individual Signature


Screen Element | Description
Enable | Check against the category to enable the policy.
Signature ID | Displays the unique Signature ID.
Signature Name | Displays the name of the signature.
Recommended Action | The recommended action is set by Cyberoam and cannot be modified. It is the default action that will be taken by Cyberoam when the matching traffic pattern is detected.
Actions | You can define a global action for all the signatures included in the category or define the action for an individual signature in the category.
  To set the global action, select an action against Set Common Action; otherwise select an action against the individual signature.
  Available Options: Allow Packet, Drop Packet, Drop Session, Reset, Bypass Session
  If a global action is configured, that action is taken when traffic matching any of the signatures included in the category is detected.
Table Enable/Disable Individual Signature screen elements

Custom Signature
Custom Signatures provide the flexibility to customize IPS for diverse network environments.
The predefined signatures included in Cyberoam cover common attacks, while Custom Signatures
protect your network from uncommon attacks that arise from the use of a proprietary server, a custom
protocol, or specialized applications in the corporate network.

Custom Signature
Create Custom Signatures for proprietary servers, custom protocols, or specialized applications used
in the corporate network, and protect your network.
To create and manage Custom IPS Signatures, go to IPS > Custom Signature > Custom
Signature. You can:
- Add
- View
- Edit: Click the Edit icon in the Manage column against the Custom Signature to be
modified. The Edit Custom Signature window is displayed, which has the same parameters as the
Add Custom Signature window.
- Delete: Click the Delete icon in the Manage column against the Custom Signature to be
deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the
Custom Signature. To delete multiple Custom Signatures, select them and click the Delete
button.



Manage Custom Signatures


To manage Custom IPS Signatures, go to IPS > Custom Signature > Custom
Signature.

Screen Manage Custom Signatures


Screen Element | Description
Add Button | Add a new Custom Signature.
Name | Displays the name of the Custom Signature.
Edit Icon | Edit the Custom Signature.
Delete Button | Delete the Custom Signature.
Table Manage Custom Signatures screen elements



Custom Signature Parameters


To add Custom IPS Signatures, go to IPS > Custom Signature > Custom Signature.

Screen Add Custom Signature


Screen Element | Description
Name | Specify a name to identify the Custom Signature.
Protocol | Select the signature protocol from the list.
Custom Rule | Specify the signature definition. A signature definition must begin with a keyword followed by the value enclosed in double quotes, and must end with a semicolon (;).
  Format: keyword:"value";
  For example: content:"USER JOHN";
  If traffic containing USER JOHN is detected, the action defined in the policy is taken.
  Refer to Appendix B IPS - Custom Signature Syntax for more details on creating signatures.
Severity | Select the level of severity from the available options.
  Available Options: Critical, Major, Moderate, Minor, Warning
Action | Configure the action to be taken for the selected policy when a matching pattern is found. All the default and custom policies are displayed and available for configuration.
  Select the policy to be applied and configure the action to be taken for that policy when a matching pattern is found.
  Select the Default Mode policy when you want to configure the same action for all the IPS policies. Override the action configured in the Default Mode policy by selecting an action for an individual policy.
  Available Actions:
  - Allow Packet: the appliance checks each packet before taking action.
  - Drop Packet: the appliance does not check each packet before taking action.
  - Drop Session: the entire session is terminated instead of scanning all the session packets, to save resources and avoid a high number of alerts.
  - Reset: a TCP reset packet is sent to the originator.
  - Bypass Session: when Bypass Session or Allow Session is set, only the initial packets are matched, to save resources and avoid latency.
  In all cases, Cyberoam generates a log entry and alerts the Network Administrator.
Table Add Custom Signature screen elements
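A Custom Rule that does not follow the keyword:"value"; format described in the table above is rejected by the appliance, so it helps to validate rules before pasting them into the Custom Rule field. The following Python is an added example and is not the appliance's own parser: it splits a rule into keyword/value pairs, rejects the malformed forms a typo produces (a value without quotes, a missing semicolon, an empty rule), and evaluates the content: options of a rule against a constructed payload. Backslash escaping inside the quoted value, case-insensitive keywords, AND semantics when several content: options are present, and the function names are all assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# One option in the guide's format: keyword, colon, double-quoted value, semicolon.
# Assumption: a backslash escapes the next character inside the quotes (so a value may
# contain a literal double quote), and whitespace between options is ignored.
OPTION = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_-]*)\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')


def parse_rule(rule: str) -> List[Tuple[str, str]]:
    """Split a custom rule into (keyword, value) pairs; raise ValueError on malformed syntax."""
    options: List[Tuple[str, str]] = []
    pos = 0
    while rule[pos:].strip():              # stop once only trailing whitespace remains
        m = OPTION.match(rule, pos)
        if m is None:
            snippet = rule[pos:pos + 24].strip()
            raise ValueError(f'expected keyword:"value"; at offset {pos}, got {snippet!r}')
        keyword, raw_value = m.group(1).lower(), m.group(2)
        options.append((keyword, re.sub(r"\\(.)", r"\1", raw_value)))   # drop escape backslashes
        pos = m.end()
    if not options:
        raise ValueError("rule contains no options")
    return options


def check_rule(rule: str) -> Optional[str]:
    """Validation helper for the Custom Rule field: None if well formed, else the error text."""
    try:
        parse_rule(rule)
    except ValueError as err:
        return str(err)
    return None


def content_matches(rule: str, payload: bytes) -> bool:
    """True when every content:"..." value of the rule occurs in the payload.

    Assumption: multiple content options are ANDed, and a rule with no content option
    matches nothing; other keywords are parsed but not evaluated here.
    """
    contents = [value for keyword, value in parse_rule(rule) if keyword == "content"]
    return bool(contents) and all(value.encode("utf-8") in payload for value in contents)


if __name__ == "__main__":
    # Constructed inputs: the guide's example rule, a two-option variant, and two typos.
    for rule in ['content:"USER JOHN";', 'content:"USER JOHN"; content:"PASS";',
                 "content:USER JOHN;", 'content:"USER JOHN"']:
        print(repr(rule), "->", check_rule(rule) or parse_rule(rule))
    print(content_matches('content:"USER JOHN";', b"USER JOHN\r\nPASS secret\r\n"))
```

Run stand-alone, the script reports the two well-formed rules as parsed option lists and the two typos with the offset at which parsing failed, which is the feedback a form validator in front of the Custom Rule field would show.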
