Configuring the IPS Policy

Overview of the IPS Policy

You can enable or disable protection against threats from malicious traffic that is inbound to the organization, outbound from it, or crossing its WAN. You can also configure the service to block the traffic, or to monitor it without blocking.

Cato's IPS service is comprised of several layers of security including:

  • Reputation Analysis: Protecting against inbound / outbound communication with compromised or malicious resources.

  • Known Vulnerabilities: Protecting against known CVEs, rapidly adapting to incorporate new ones.

  • Anti-Bot: Protecting against outbound traffic to C&C servers based on reputation feeds, and network behavioral analysis.

  • Network Behavioral Analysis: Protecting against inbound / outbound network scans.

  • Protocol Validation: Protecting against packets that do not conform to their protocol, reducing the attack surface from exploits that use anomalous traffic.

  • Geo Restriction: Enforce a custom geo-restriction policy to block inbound, outbound, or all traffic to specific countries.

Note: We recommend that you enable TLS inspection so that the IPS service provides the maximum protection for your network.

Machine Learning Modules in the Cato IPS

In addition to static threat feeds, Cato IPS uses machine learning modules to offer real-time protection against certain attack types. The IPS engine uses hundreds of static threat feeds that take known vulnerability patterns and turn them into signatures, which are then integrated into the engine. The machine learning heuristic module, on the other hand, uses a mixture of known and unknown threat intelligence to determine whether something is a threat, and does not rely on the static feeds. These machine learning models identify, in real time, potentially malicious unknown domains generated by domain generation algorithms (DGA) and cybersquatting techniques.

Why Use Machine Learning Algorithms?

The benefit of using a machine learning model for threat prevention is that DGA and cybersquatting can’t be stopped with static blacklists alone: the tactics change at random intervals, and new DGA and cybersquatting methods appear every day. The machine learning algorithms allow us to detect potentially malicious domains in real time. The DGA model detects domains that were likely generated by an algorithm (domains that don’t look like they are made of regular dictionary words). DGA domains are used for command and control (C&C) communications, and cybersquatting domains can be used for phishing attacks.

Part of the Cato machine learning algorithm is a list of known brands that we monitor for the cybersquatting part of the engine, but customers can also have their own list of domains added for monitoring. The DGA machine learning models run in both the DNS Protection and IPS engines, but the cybersquatting engine runs only in IPS.
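As an added example (not Cato's models or code), here is a simplified, rule-based stand-in for the two domain checks described above: a DGA-likeness score built from character entropy, vowel ratio and dictionary-word coverage, and a cybersquatting check that normalises look-alike characters and compares the domain label against a monitored brand list. The word list, brand list, weights, thresholds and sample domains are all constructed for illustration; a production model would learn these from data rather than use fixed rules.

```python
import math
from collections import Counter

# Constructed: a tiny dictionary of common words. A real check would use a large word list.
DICTIONARY = {"mail", "login", "secure", "update", "account", "bank",
              "shop", "news", "cloud", "service", "support", "portal"}

# Constructed: brands monitored for cybersquatting (the page says Cato keeps its
# own brand list and that customers can add their own domains).
MONITORED_BRANDS = ["paypal", "microsoft", "examplebank"]

# Look-alike characters commonly substituted in cybersquatting domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def registrable_label(domain: str) -> str:
    """Label left of the TLD (naive: second label from the right; ignores multi-part suffixes)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dictionary_coverage(label: str) -> float:
    """Fraction of the label covered by dictionary words (greedy longest match, left to right)."""
    covered, i = 0, 0
    while i < len(label):
        match = next((j - i for j in range(len(label), i, -1) if label[i:j] in DICTIONARY), 0)
        covered += match
        i += match or 1
    return covered / len(label) if label else 0.0


def dga_score(domain: str) -> float:
    """Score in [0, 1]: high entropy, few vowels and little dictionary coverage look algorithm-generated."""
    label = registrable_label(domain)
    alpha = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in alpha) / len(alpha) if alpha else 0.0
    entropy_part = min(shannon_entropy(label) / 4.0, 1.0)   # ~4 bits is near the maximum for short labels
    vowel_part = 1.0 - min(vowel_ratio / 0.4, 1.0)          # English words are roughly 40% vowels
    return round(0.4 * entropy_part + 0.3 * (1.0 - dictionary_coverage(label)) + 0.3 * vowel_part, 2)


def is_dga_like(domain: str, threshold: float = 0.6) -> bool:
    """Constructed threshold: scores at or above 0.6 are treated as likely DGA output."""
    return dga_score(domain) >= threshold


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def squatted_brand(domain: str):
    """Return the monitored brand the domain imitates, or None.

    The genuine brand label is left alone. Otherwise confusables are normalised and the label
    is flagged if it embeds the brand (paypal-login) or is within edit distance 1 of it (microsft).
    """
    raw = registrable_label(domain)
    if raw in MONITORED_BRANDS:
        return None
    label = raw.translate(CONFUSABLES)
    for brand in MONITORED_BRANDS:
        if brand in label or levenshtein(label, brand) <= 1:
            return brand
    return None


if __name__ == "__main__":
    for d in ["cloudservice.com", "xkq7zlwpv2nq.com", "paypa1-login.com", "micros0ft.net", "paypal.com"]:
        print(f"{d:22} dga={dga_score(d):.2f} squat={squatted_brand(d)}")
```

The two checks are deliberately independent: a DGA domain is random-looking and matches no brand, while a cybersquatting domain is readable and deliberately close to a brand, which is why a single score cannot cover both and the page describes them as separate models.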

When an event occurs, the Signature ID field of the event indicates which model identified the threat; the model cannot be identified from other event fields.

Understanding the IPS Threat Categories

The IPS Categories section provides explanations for the threat types identified by the IPS engine. The section shows all of the Cato-defined IPS threat categories and the number of events triggered for each threat type in the previous seven days.

You can click a number to open the Events screen pre-filtered for the threat type.

Managing IPS Settings

This section explains how to configure the IPS Policy to protect the networks in your account.


Enabling and Disabling IPS Protection

To enable or disable IPS for your account:

  1. From the navigation menu, click Security > IPS.

  2. Click the slider to enable (green) or disable (gray) the IPS Policy for the account.

  3. Click Save.

Defining IPS Settings

For WAN, Inbound and Outbound traffic, you can define the actions triggered by threat detection and set their alerts. These are the available actions:

  • Block - Blocks the malicious traffic from reaching its destination. When applicable, redirects the user to a dedicated blocking web page.

  • Monitor - Generates events (shown in Monitoring > Events) for the malicious traffic. The traffic then continues to the destination.

Configuring File Protection Options

To configure file protection actions for the IPS policy:

  1. From the navigation menu, click Security > IPS.

  2. Click the Protection Policy tab, and define the settings for each Protection Scope:

    1. In the Protection Scope column, click the traffic type. The Edit panel opens.

    2. In the General section, enable or disable the Protection Scope (green is enabled, grey is disabled).

    3. In the Action section, set the action for traffic that matches an IPS protection.

    4. In the Track section, set the event and email notification options.

      1. Click Event to generate events for traffic that matches an IPS protection.

      2. Click Email Notification and set the Frequency at which notifications are sent.

        Select the Mailing List of the admins that receive the notifications.

    5. Click Apply.

      The settings for the protection scope are added to the IPS Policy.

  3. Click Save. The IPS Policy is saved.

Configuring IPS Enforcement Options

The Enforcement Options for the IPS policy let you add an extra level of threat protection for inbound and outbound traffic.

Blocking Newly Registered Domains

For outbound traffic, you can configure IPS to automatically block domains that are less than 14 days old. Malware often uses newly registered domains to evade threat protection. The majority of newly registered domains are malicious or suspicious.

To block newly registered domains:

  1. From the navigation menu, click Security > IPS.

  2. From the Inspection Options tab, click Outbound Traffic - Block newly registered domains.

  3. Click Save.

Quarantining Suspicious IP Addresses

The Suspicious IP quarantine feature enables IPS to temporarily block suspicious inbound IP addresses that are aggressively scanning your network. This feature blocks the traffic from these suspicious IP addresses for five minutes.

To quarantine traffic from suspicious IP addresses:

  1. From the navigation menu, click Security > IPS.

  2. From the Enforcement Options tab, click Inbound Traffic - Suspicious IP quarantine.

  3. Click Save.
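The quarantine behaviour described above, as an added example that is not Cato's implementation: a small detector reads inbound connection records, counts the distinct destination ports each source address touches within a sliding window, and quarantines a source for five minutes once it crosses a scan threshold. The record format, the port-count threshold, the window length and the sample records are constructed for the example; only the five-minute quarantine length comes from the page.

```python
from collections import defaultdict, deque

SCAN_PORT_THRESHOLD = 20   # constructed: distinct destination ports that count as aggressive scanning
WINDOW_SECONDS = 60        # constructed: sliding window over which ports are counted
QUARANTINE_SECONDS = 300   # five minutes, as described for the Suspicious IP quarantine


class ScanQuarantine:
    """Tracks per-source port diversity and temporarily blocks sources that scan."""

    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=WINDOW_SECONDS, quarantine=QUARANTINE_SECONDS):
        self.threshold, self.window, self.quarantine = threshold, window, quarantine
        self.recent = defaultdict(deque)   # src -> deque of (timestamp, dst_port) inside the window
        self.quarantined = {}              # src -> timestamp at which the quarantine expires

    def handle(self, ts: int, src: str, dst_port: int) -> str:
        """Return 'block' or 'allow' for one inbound connection attempt."""
        expiry = self.quarantined.get(src)
        if expiry is not None:
            if ts < expiry:
                return "block"               # still quarantined
            del self.quarantined[src]        # quarantine has expired; observe the source afresh
        window = self.recent[src]
        window.append((ts, dst_port))
        while window and window[0][0] < ts - self.window:
            window.popleft()                 # drop records that fell out of the sliding window
        if len({port for _, port in window}) >= self.threshold:
            self.quarantined[src] = ts + self.quarantine
            window.clear()
            return "block"
        return "allow"

    def quarantined_until(self, src: str):
        """Expiry timestamp for a quarantined source, or None."""
        return self.quarantined.get(src)


def parse_record(line: str):
    """Constructed record format: '<unix_ts> <src_ip> <dst_port>' per line."""
    ts, src, port = line.split()
    return int(ts), src, int(port)


# Constructed sample: a scanner walking one new port per second, a normal client
# reusing port 443, and the scanner coming back just before and just after its quarantine expires.
SAMPLE_LOG = (
    [f"{t} 203.0.113.5 {1000 + t}" for t in range(25)]
    + [f"{t} 198.51.100.7 443" for t in range(0, 25, 5)]
    + ["318 203.0.113.5 22", "319 203.0.113.5 22"]
)


def run(lines):
    """Feed records to the detector in timestamp order; return (ts, src, decision) per record."""
    detector = ScanQuarantine()
    out = []
    for ts, src, port in sorted(map(parse_record, lines)):
        out.append((ts, src, detector.handle(ts, src, port)))
    return out


if __name__ == "__main__":
    for ts, src, decision in run(SAMPLE_LOG):
        print(ts, src, decision)
```

With the constructed thresholds the scanner is allowed for its first 19 ports, blocked from the 20th port onward, still blocked at second 318, and allowed again at second 319 when the five-minute quarantine has expired; the client that keeps reusing port 443 is never affected, because port diversity, not request volume, is what the detector counts.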

Defining Geo Restriction Rules

You can define IPS Geo Restriction rules to block outbound traffic to, inbound traffic from, or traffic in both directions with the countries defined in the rule.

Note: If you configure a Geo Restriction rule for inbound traffic, it also applies to RPF resources. However, IPS Geo Restriction rules are not applied to traffic from Cato SDP Clients. To block Client connections from specific regions, configure rules in the Client Connectivity Policy instead.

To define a Geo Restriction rule:

  1. From the navigation menu, click Security > IPS.

  2. From the Geo Restriction tab, click New. The Add panel opens.

  3. In the General section, configure the following settings:

    1. Enter a Name for the rule.

    2. Make sure that the rule is enabled (green is enabled, grey is disabled).

    3. Select the traffic direction for this rule: Outbound, Inbound or Both Directions.

  4. In the Countries section, define the countries for this geo restriction rule.

    1. Search for the country, and then select it.

    2. Repeat the previous step for each country that you are adding to this rule.

  5. In the Actions section, set the action and tracking settings for this rule:

    1. Define the action for the rule: Block, Monitor, or Allow (both the Monitor and Allow actions generate events without blocking the traffic).

    2. Click Event to generate events for traffic that matches this rule.

    3. Click Email Notification and set the Frequency at which notifications are sent.

      Select the Mailing List of the admins that receive the notifications.

  6. Click Apply. The rule is added.

  7. Click Save.

Disabling Geo Restriction Rules

You can temporarily disable geo restriction rules and then re-enable them in the future.

To disable a Geo Restriction rule:

  1. From the navigation menu, click Security > IPS Policy.

  2. In the Geo Restriction tab, click the More icon for the rule and select Disable.

  3. Click Save. The rule is disabled.

Deleting Geo Restriction Rules

Note: You cannot undo the action to delete a geo restriction rule!

To delete one or more Geo Restriction rules:

  1. From the navigation menu, click Security > IPS Policy.

  2. In the Geo Restriction section, select one or more rules.

  3. Click the More icon and select Delete Rule.

  4. Click Save. The rule is deleted.
