7. Fortinet Getting Started v6.0. Antivirus and IPS


Greetings! Welcome to the seventh lesson of the Fortinet Getting Started course. In the last lesson we looked at the Web Filtering, Application Control and HTTPS inspection security profiles. In this lesson we continue with security profiles: first the theory behind the antivirus and the intrusion prevention system, then how these profiles work in practice.

Let's start with the antivirus. First, the technologies that FortiGate uses to detect viruses:

  • Antivirus scan - the simplest and fastest method. It detects viruses that exactly match signatures in the antivirus database.
  • Grayware scan (unwanted program scan) - detects unwanted programs that are installed without the user's knowledge or consent. Technically these programs are not viruses; they usually come bundled with other software, but once installed they affect the system negatively, which is why they are classed as malware. Such programs can often be detected with simple grayware signatures from the FortiGuard research base.
  • Heuristic scan - a probability-based technique, so it can produce false positives, but it can also catch zero-day viruses: new viruses that have not yet been analysed and for which no signatures exist. Heuristic scanning is disabled by default and must be enabled from the CLI.

If all antivirus features are enabled, FortiGate applies them in the following order: antivirus scan, grayware scan, heuristic scan.


FortiGate can use several anti-virus databases, depending on the tasks:

  • Regular antivirus database (Normal) - included on all FortiGate models. It holds signatures for viruses discovered in recent months. This is the smallest database, so scanning with it is the fastest, but it cannot detect all known viruses.
  • Extended database (Extended) - supported by most FortiGate models. It additionally detects viruses that are no longer actively spreading; many platforms are still vulnerable to them, and they can resurface later.
  • Extreme database (Extreme) - used in infrastructures that require a high level of security. It can detect all known viruses, including those targeting legacy operating systems that are no longer widely deployed. This database is also not supported by all FortiGate models.

There is also a compact signature database designed for fast scanning. We will talk about it a little later.


You can update anti-virus databases using different methods.

The first method is Push Update, which updates the databases as soon as FortiGuard releases a new one. This suits infrastructures that require a high level of security, because FortiGate receives urgent updates the moment they become available.

The second method is a schedule: FortiGate checks for updates every hour, day or week, with the interval at your discretion.
The two methods can be combined.

Keep in mind that updates are only downloaded if an antivirus profile is applied in at least one firewall policy; otherwise the databases are not updated.

You can also download updates from the Fortinet support site and then manually upload them to FortiGate.

Now the scanning modes. There are three: Full Mode in flow-based inspection, Quick Mode in flow-based inspection, and Full Mode in proxy inspection. Let's start with Full Mode in flow-based inspection.

Suppose a user wants to download a file and sends a request. The server starts sending the packets that make up the file, and the user receives them immediately, but FortiGate caches a copy of each packet as it passes. Once the last packet has arrived, FortiGate scans the cached file; during the scan the last packet is held in a queue and not transmitted to the user. If the file is clean, the last packet is released. If a virus is detected, FortiGate resets the connection, so the user never receives the complete file.


The second scanning mode available in flow-based inspection is Quick Mode. It uses a compact signature database that contains fewer signatures than the regular database, and it has some limitations compared to Full Mode:

  • It cannot send files to the sandbox.
  • It cannot use heuristic analysis.
  • It cannot use the mobile malware signature package.
  • Some entry-level models do not support this mode.

Quick Mode also checks traffic for viruses, worms, Trojans and other malware, but without buffering. This gives better performance, but the probability of detecting a virus is lower.


In proxy inspection the only scanning mode available is Full Mode. Here FortiGate first stores the entire file itself (unless the file exceeds the maximum size allowed for scanning), and the client has to wait for the scan to complete. If a virus is found during the scan, the user is notified immediately. Because the whole file is stored before it is scanned, this can take quite a long time, and the client may close the connection because of the delay before the file is delivered.
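The three scanning modes described above, as an added model written for this lesson (not Fortinet code): each mode is a small function over a list of packets, and a constructed download whose signature straddles a packet boundary shows why Quick Mode, which scans without buffering, detects less than the two Full Modes. The signatures, the per-packet matching in Quick Mode and the pass-through of oversize files are modelling assumptions.

```python
from typing import Callable, Dict, List, Tuple

# Constructed signatures (not FortiGuard content). The compact database used by
# Quick Mode holds a shorter pattern, but Quick Mode only ever sees one packet.
FULL_DB = [b"EICAR-TEST-FILE"]
COMPACT_DB = [b"EICAR"]

def scan(data: bytes, sigs: List[bytes]) -> bool:
    """True if any signature is contained in data."""
    return any(sig in data for sig in sigs)

def flow_full_mode(packets: List[bytes]) -> Tuple[List[bytes], str]:
    """Flow-based Full Mode: packets are forwarded as they arrive and cached;
    only the last packet is held until the cached file has been scanned."""
    if not packets:
        return [], "clean"
    delivered = list(packets[:-1])  # the client already holds these before the verdict
    if scan(b"".join(packets), FULL_DB):
        return delivered, "blocked: connection reset, last packet dropped"
    delivered.append(packets[-1])
    return delivered, "clean"

def flow_quick_mode(packets: List[bytes]) -> Tuple[List[bytes], str]:
    """Quick Mode (assumption): no buffering, each packet is matched on its own
    against the compact database, so a pattern split across packets is missed."""
    delivered: List[bytes] = []
    for pkt in packets:
        if scan(pkt, COMPACT_DB):
            return delivered, "blocked: matched in a single packet"
        delivered.append(pkt)
    return delivered, "clean"

def proxy_full_mode(packets: List[bytes], max_file_size: int = 10_000) -> Tuple[List[bytes], str]:
    """Proxy Full Mode: the whole file is stored and scanned before anything reaches
    the client; a file above the scan size limit is passed unscanned (assumption)."""
    data = b"".join(packets)
    if len(data) > max_file_size:
        return list(packets), "oversize: not scanned"
    if scan(data, FULL_DB):
        return [], "blocked: client notified, nothing delivered"
    return list(packets), "clean"

MODES: Dict[str, Callable[[List[bytes]], Tuple[List[bytes], str]]] = {
    "flow-full": flow_full_mode, "flow-quick": flow_quick_mode, "proxy-full": proxy_full_mode}

def compare(packets: List[bytes]) -> Dict[str, Tuple[int, str]]:
    """Run one download through every mode: {mode: (packets delivered to client, verdict)}."""
    return {name: (len(mode(packets)[0]), mode(packets)[1]) for name, mode in MODES.items()}

# Constructed download: the signature is split across the two packets.
SPLIT_DOWNLOAD = [b"HTTP-BODY:EIC", b"AR-TEST-FILE:END"]

if __name__ == "__main__":
    for name, (count, verdict) in compare(SPLIT_DOWNLOAD).items():
        print(f"{name:10s} delivered={count} {verdict}")
```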


The figure below provides a comparison table of the scanning modes to help you choose the right one for your tasks. Antivirus configuration and testing are shown in practice in the video at the end of the article.


Let's move on to the second part of the lesson, the intrusion prevention system. Before studying IPS, you need to understand the difference between exploits and anomalies, and which mechanisms FortiGate uses to protect against each.

Exploits are known attacks, with specific patterns, that can be detected using IPS, WAF, or antivirus signatures.

Anomalies are unusual behaviour on the network, such as an unusually high volume of traffic or higher than usual CPU usage. Anomalies should be monitored because they may be signs of a new, not yet researched attack. Anomalies are usually detected by behavioural analysis: the so-called rate-based signatures and DoS policies.

As a result, IPS on FortiGate uses signature bases to detect known attacks, and Rate-Based signatures and DoS policies to detect various anomalies.
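A rate-based signature of the kind mentioned above, as an added model written for this lesson (not Fortinet code): the action fires only when the same source produces a given number of hits of one signature within a time window, which is how an anomaly differs from a single exploit match. The event lines, the field names and the window semantics are constructed for the example; the terms rate-count, rate-duration and rate-track are FortiGate's names for the corresponding settings.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Iterator, List, Tuple

# Constructed event lines (not FortiGate log format): one line per signature hit.
EVENTS = """\
ts=0   src=10.0.0.5 sig=SSH.Login.Brute.Force
ts=2   src=10.0.0.5 sig=SSH.Login.Brute.Force
ts=4   src=10.0.0.9 sig=SSH.Login.Brute.Force
ts=5   src=10.0.0.5 sig=SSH.Login.Brute.Force
ts=7   src=10.0.0.5 sig=SSH.Login.Brute.Force
ts=9   src=10.0.0.5 sig=SSH.Login.Brute.Force
ts=80  src=10.0.0.9 sig=SSH.Login.Brute.Force
ts=160 src=10.0.0.9 sig=SSH.Login.Brute.Force
"""

LINE_RE = re.compile(r"ts=(\d+)\s+src=(\S+)\s+sig=(\S+)")
Event = Tuple[int, str, str]

def parse_events(text: str) -> Iterator[Event]:
    """Yield (timestamp, src_ip, signature) from the constructed log; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def rate_based_triggers(events: Iterable[Event], rate_count: int, rate_duration: int) -> List[Event]:
    """Model of a rate-based signature with rate-track src-ip: trigger when one source
    reaches rate_count hits of the same signature within rate_duration seconds.
    Returns one (timestamp, src_ip, signature) per trigger; the window resets afterwards."""
    windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    triggers: List[Event] = []
    for ts, src, sig in events:
        win = windows[(src, sig)]
        win.append(ts)
        while win and ts - win[0] > rate_duration:  # forget hits older than the window
            win.popleft()
        if len(win) >= rate_count:
            triggers.append((ts, src, sig))
            win.clear()
    return triggers

if __name__ == "__main__":
    # Single hits from 10.0.0.9 are ordinary signature matches; the burst from
    # 10.0.0.5 is the anomaly the rate-based signature is meant to catch.
    for ts, src, sig in rate_based_triggers(parse_events(EVENTS), rate_count=5, rate_duration=60):
        print(f"t={ts}s {src} exceeded rate for {sig}")
```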


By default, an initial set of IPS signatures is included with every version of the FortiGate operating system. With updates, FortiGate receives new signatures. Thus IPS remains effective against new exploits. The FortiGuard service updates the IPS signatures quite frequently.

An important point that applies to both IPS and antivirus: if your licences have expired, you can still use the last signatures you received, but you will not get new ones without a licence. Running without licences is therefore highly undesirable, because when new attacks appear, old signatures will not protect you.

IPS signature databases are divided into regular and extended ones. The regular database contains signatures for common attacks that very rarely or never cause false positives. The default action for most of these signatures is block.

The extended database contains additional attack signatures that have a significant impact on system performance or that cannot be blocked because of their nature. Because of its size, it is not available on FortiGate models with little disk space or RAM, but highly secure environments may require it.

IPS setup and verification is also covered in the video below.


In the next lesson, we will look at working with users. In order not to miss it, stay tuned for updates on the following channels:

Source: habr.com
