You can enable or disable protection against threats from malicious traffic originating Inbound, Outbound to the organization and across its WAN. You can also configure the service to block the traffic, or monitor without blocking.
Cato's IPS service is comprised of several layers of security including:
-
Reputation Analysis: Protecting against inbound / outbound communication with compromised or malicious resources.
-
Known Vulnerabilities: Protecting against known CVEs, rapidly adapting to incorporate new ones.
-
Anti-Bot: Protecting against outbound traffic to C&C servers based on reputation feeds, and network behavioral analysis.
-
Network Behavioral Analysis: Protecting against inbound / outbound network scans.
-
Protocol Validation: Protecting against invalid packet (conformance to the protocol wise), reducing attack surface from exploits using anomalous traffic.
-
Geo Restriction: Enforce a custom geo-restriction policy to block inbound, outbound, or all traffic to specific countries.
Note
Note: We recommend that you enable TLS inspection so that the IPS service provides the maximum protection for your network.
Machine Learning Modules in the Cato IPS
In addition to static threat feeds, Cato IPS uses machine learning modules to offer real-time protection against certain attack types. The IPS engine uses hundreds of static threat feeds that take known vulnerability patterns and turn them into signatures which are then integrated into the engine. On the other hand, the machine learning heuristic module uses a mixture of known and unknown threat intelligence to determine if something is a threat, and does not rely on the static feeds. These machine learning models identify potentially malicious unknown domains generated by DGA and cybersquatting techniques in real-time.
Why Use Machine Learning Algorithms?
The benefit of using the machine learning model for threat prevention is that DGA and cybersquatting can’t be stopped with just static blacklists, the tactics change at random intervals and new methods of DGA and cybersquatting are used every day. The machine learning algorithms allow us to detect potentially malicious domains in real-time. DGA detects domains that are likely generated by an algorithm (that don’t look like they used regular dictionary words). DGA is used for command and control (C&C) communications, and cybersquatting can be used for phishing attacks.
Part of the Cato machine learning algorithm is a list of known brands that we monitor for the cybersquatting part of the engine, but customers can also have their own list of domains added for monitoring. The DGA machine learning models will run on the DNS protection and IPS engine, but the cybersquatting engine will only be run on the IPS.
When an event occurs, a Signature ID will indicate which model identified the threat, but will not be identifiable from other event fields.
Understanding the IPS Threat Categories
The IPS Categories section provides explanations for the threat types identified by the IPS engine. The section shows all of the Cato-defined IPS threat categories and the number of events triggered for each threat type in the previous seven days.
You can click a number to open the Events screen pre-filtered for the threat type.
This section explains how to configure the IPS Policy to protect the networks in your account.
For WAN, Inbound and Outbound traffic, you can define the actions triggered by threat detection and set their alerts. These are the available actions:
-
Block - Blocks the malicious traffic from reaching its destination. When applicable, redirects the user to a dedicated blocking web page.
-
Monitor - Generates events (shown in Monitoring > Events) for the malicious traffic. The traffic then continues to the destination.
To configure file protection actions for the IPS policy:
-
From the navigation menu, click Security > IPS.
-
Click the Protection Policy tab, and define the settings for each Protection Scope:
-
In the Protection Scope column, click the traffic type. The Edit panel opens.
-
In the General section, enable or disable the Protection Scope (green is enabled, grey is disabled).
-
In the Action section, set the action for traffic that matches an IPS protection.
-
In the Track section, set the event and email notification options.
-
Click Event, to generate events for traffic that matches an IPS protection.
-
Click Email Notification, and set the Frequency that notifications are sent.
Select the Mailing List of the admins that receive the notifications.
-
-
Click Apply.
The settings for the protection scope are added to the IPS Policy.
-
-
Click Save. The IPS Policy is saved.
The Enforcement Options for the IPS policy lets you add an extra level of threat protection for inbound and outbound traffic.
For outbound traffic you can configure IPS to automatically block domains that are less than 14 days old. Malware often uses newly registered domains to evade threat protection. The majority of newly registered domains are malicious or suspicious.
The Suspicious IP quarantine feature enables IPS to temporarily block suspicious inbound IP addresses that are aggressively scanning your network. This feature blocks the traffic from these suspicious IP addresses for five minutes.
You can define IPS Geo Restriction rules to block traffic to (outbound) or from (inbound) specific countries, or all traffic to the countries defined in the rule.
Note
Note: If you configure a Geo Restriction rule for inbound traffic, this applies to all inbound traffic including RPF resources.
To define a Geo Restriction rule:
-
From the navigation menu, click Security > IPS.
-
From the Geo Restriction tab, click New. The Add panel opens.
-
In the General section, configure the following settings:
-
Enter a Name for the rule.
-
Make sure that the rule is enabled (green is enabled, grey is disabled).
-
Select the traffic direction for this rule: Outbound, Inbound or Both Directions.
-
-
In the Countries section, define the countries for this geo restriction rule.
-
Search for the country, and then select it.
-
Repeat the previous step for each country that you are adding to this rule.
-
-
In the Actions section, set the action and tracking settings for this rule:
-
Define the action for the rule: Block , Monitor, or Allow (both the Monitor and Allow actions generate events without blocking the traffic).
-
Click Event, to generate events for traffic that matches an IPS protection.
-
Click Email Notification, and set the Frequency that notifications are sent.
Select the Mailing List of the admins that receive the notifications.
-
-
Click Apply. The rule is added.
-
Click Save.
You can temporarily disable geo restriction rules and then re-enable them in the future.
Note
Note: You cannot undo the action to delete a geo restriction rule!
0 comments
Please sign in to leave a comment.