Chapter 30 IDP
ZyWALL USG 50 User’s Guide
30.5 Creating New Profiles
You may want to create a new profile if not all signatures in a base profile are
applicable to your network. In this case you should disable non-applicable
signatures so as to improve ZyWALL IDP processing efficiency.
You may also find that certain signatures are triggering too many false positives or
false negatives. A false positive is when valid traffic is flagged as an attack. A false
negative is when invalid traffic is wrongly allowed to pass through the ZyWALL. As
each network is different, false positives and false negatives are common on initial
IDP deployment.
You could create a new ‘monitor profile’ that creates logs but all actions are
disabled. Observe the logs over time and try to eliminate the causes of the false
alarms. When you’re satisfied that they have been reduced to an acceptable level,
you could then create an ‘inline profile’ whereby you configure appropriate actions
to be taken when a packet matches a signature.
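The monitor-then-inline workflow described above, as an added example that is not part of the ZyWALL guide: a Python triage over constructed monitor-profile log lines (a hypothetical key=value layout, not the ZyWALL's real log format) that counts hits per SID, uses the severity numbers from Table 145, and suggests which signatures should get an action in the inline profile and which look like false positives to inactivate or tune first.

```python
import re

# Severity names and the numbers the ZyWALL uses for them in commands (Table 145).
SEVERITY = {"Severe": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1}

# Constructed sample log lines in a hypothetical key=value layout (not the ZyWALL's
# real log format). action=none throughout because they come from a monitor profile.
SAMPLE_LOGS = """\
2010-01-04 09:12:01 IDP sid=1001234 sev="High" msg="HTTP directory traversal" src=10.1.1.5 dst=192.0.2.10 action=none
2010-01-04 09:12:07 IDP sid=1008800 sev="Very Low" msg="ICMP echo request" src=10.1.1.20 dst=192.0.2.10 action=none
2010-01-04 09:12:09 IDP sid=1008800 sev="Very Low" msg="ICMP echo request" src=10.1.1.21 dst=192.0.2.10 action=none
2010-01-04 09:12:11 IDP sid=1008800 sev="Very Low" msg="ICMP echo request" src=10.1.1.22 dst=192.0.2.10 action=none
2010-01-04 09:13:40 IDP sid=1004411 sev="Medium" msg="SMB share enumeration" src=10.1.1.7 dst=10.1.1.2 action=none
2010-01-04 09:13:41 IDP sid=1004411 sev="Medium" msg="SMB share enumeration" src=10.1.1.7 dst=10.1.1.2 action=none
2010-01-04 09:15:02 IDP sid=1002020 sev="Severe" msg="FTP USER buffer overflow" src=203.0.113.9 dst=192.0.2.21 action=none
"""

LOG_RE = re.compile(r'sid=(?P<sid>\d+) sev="(?P<sev>[^"]+)" msg="(?P<msg>[^"]*)" src=(?P<src>\S+)')


def summarize(log_text):
    """Group signature matches by SID: message, severity number, hit count, distinct sources."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not an IDP signature match; ignore
        s = stats.setdefault(m["sid"], {"msg": m["msg"], "severity": SEVERITY[m["sev"]],
                                        "hits": 0, "sources": set()})
        s["hits"] += 1
        s["sources"].add(m["src"])
    return stats


def recommend(stats, noise_hits=3, noise_sources=3):
    """Suggest each SID's setting for the inline profile that follows the monitor phase.
    'act': High/Severe, give it log alert plus a drop or reject action.
    'review': Low/Very Low firing repeatedly from many hosts, a likely false positive
    to inactivate or tune before it gets an action. 'log': everything else, log only."""
    plan = {}
    for sid, s in stats.items():
        if s["severity"] >= SEVERITY["High"]:
            plan[sid] = "act"
        elif (s["severity"] <= SEVERITY["Low"] and s["hits"] >= noise_hits
              and len(s["sources"]) >= noise_sources):
            plan[sid] = "review"
        else:
            plan[sid] = "log"
    return plan
```

The thresholds are starting points; raise them for a busy network and run the triage again after each round of tuning, as the guide suggests.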
30.5.1 Procedure To Create a New Profile
To create a new profile:
1 Click the Add icon in the Configuration > Anti-X > IDP > Profile screen to display a pop-up screen allowing you to choose a base profile.
2 Select a base profile (see Table 143 on page 484) and then click OK to go to the profile details screen.
Note: If Internet Explorer opens a warning screen about a script making Internet Explorer run slowly and the computer possibly becoming unresponsive, just click No to continue.
3 Type a new profile name.
4 Enable or disable individual signatures.
5 Edit the default log options and actions.
Table 144 Configuration > Anti-X > IDP > Profile (continued)
LABEL / DESCRIPTION
Name: This is the name of the profile you created.
Base Profile: This is the base profile from which the profile was created.
30.6 Profiles: Packet Inspection
Select Configuration > Anti-X > IDP > Profile and then add a new profile or edit an existing one. Packet inspection signatures examine the contents of a packet for malicious data. They operate at layer 4 to layer 7.
30.6.1 Profile > Group View Screen
Figure 291 Configuration > Anti-X > IDP > Profile > Edit: Group View
The following table describes the fields in this screen.
Table 145 Configuration > Anti-X > IDP > Profile > Group View
LABEL / DESCRIPTION
Name: This is the name of the profile. You may use 1-31 alphanumeric characters, underscores (_), or dashes (-), but the first character cannot be a number. This value is case-sensitive. These are valid, unique profile names:
MyProfile
mYProfile
Mymy12_3-4
These are invalid profile names:
1mYProfile
My Profile
MyProfile?
Whatalongprofilename123456789012
Switch to query view: Click this button to go to a screen where you can search for signatures by criteria such as name, ID, severity, attack type, vulnerable attack platforms, service category, log options or actions.
Activate: To turn on an entry, select it and click Activate.
Inactivate: To turn off an entry, select it and click Inactivate.
Log: To edit an item’s log option, select it and use the Log icon. These are the log options:
no: Select this option on an individual signature or a complete service group to have the ZyWALL create no log when a packet matches a signature(s).
log: Select this option on an individual signature or a complete service group to have the ZyWALL create a log when a packet matches a signature(s).
log alert: An alert is an e-mailed log for more serious events that may need more immediate attention. Select this option to have the ZyWALL send an alert when a packet matches a signature(s).
Action: To edit what action the ZyWALL takes when a packet matches a signature, select the signature and use the Action icon.
none: Select this action on an individual signature or a complete service group to have the ZyWALL take no action when a packet matches the signature(s).
drop: Select this action on an individual signature or a complete service group to have the ZyWALL silently drop a packet that matches the signature(s). Neither sender nor receiver is notified.
reject-sender: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the sender when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet.
reject-receiver: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to the receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with a ‘RST’ flag. If it is an ICMP or UDP attack packet, the ZyWALL will do nothing.
reject-both: Select this action on an individual signature or a complete service group to have the ZyWALL send a reset to both the sender and receiver when a packet matches the signature. If it is a TCP attack packet, the ZyWALL will send a packet with a ‘RST’ flag to the receiver and sender. If it is an ICMP or UDP attack packet, the ZyWALL will send an ICMP unreachable packet.
#: This is the entry’s index number in the list.
Status: The activate (light bulb) icon is lit when the entry is active and dimmed when the entry is inactive.
Service: Click the + sign next to a service group to expand it. A service group is a group of related IDP signatures.
Message: This is the name of the signature.
SID: This is the signature ID (identification) number that uniquely identifies a ZyWALL signature.
Severity: These are the severities as defined in the ZyWALL. The number in brackets is the number you use if using commands.
Severe (5): These denote attacks that try to run arbitrary code or gain system privileges.
High (4): These denote known serious vulnerabilities or attacks that are probably not false alarms.
Medium (3): These denote medium threats, access control attacks or attacks that could be false alarms.
Low (2): These denote mild threats or attacks that could be false alarms.
Very Low (1): These denote possible attacks caused by traffic such as Ping, trace route, ICMP queries etc.
Policy Type: This is the attack type as defined on the ZyWALL. See Table 146 on page 490 for a description of each type.
Log: These are the log options. To edit this, select an item and use the Log icon.
Action: This is the action the ZyWALL should take when a packet matches a signature here. To edit this, select an item and use the Action icon.
OK: A profile consists of three separate screens. If you want to configure just one screen for an IDP profile, click OK to save your settings to the ZyWALL, complete the profile and return to the profile summary page.
Cancel: Click Cancel to return to the profile summary page without saving any changes.
Save: If you want to configure more than one screen for an IDP profile, click Save to save the configuration to the ZyWALL, but remain in the same page. You may then go to another profile screen (tab) in order to complete the profile. Click OK in the final profile screen to complete the profile.
30.6.2 Policy Types
This section describes IDP policy types, also known as attack types, as categorized in the ZyWALL. You may refer to these types when categorizing your own custom rules.
Table 146 Policy Types
POLICY TYPE / DESCRIPTION
P2P: Peer-to-peer (P2P) is where computing devices link directly to each other and can directly initiate communication with each other; they do not need an intermediary. A device can be both the client and the server. In the ZyWALL, P2P refers to peer-to-peer applications such as e-Mule, e-Donkey, BitTorrent, iMesh, etc.
IM: IM (Instant Messenger) refers to chat applications. Chat is real-time, text-based communication between two or more users via network-connected computers. After you enter a chat (or chat room), any room member can type a message that will appear on the monitors of all the other participants.
SPAM: Spam is unsolicited “junk” e-mail sent to large numbers of people to promote products or services.
DoS/DDoS: The goal of Denial of Service (DoS) attacks is not to steal information, but to disable a device or network on the Internet. A Distributed Denial of Service (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system.
