rob_cart
New Member
July 22, 2014
Question

SSL VPN Portal IPS Sensor

  • July 22, 2014
  • 8 replies
  • 13591 views
I'm wondering if anyone applies IPS protection to the policy that enables the SSL VPN portal to work? I have created custom IPS profiles to protect, say, Microsoft web servers in my network, but should I have created an IPS profile to protect the SSL VPN portal? I would say it would be a good thing to do, but I'm not exactly sure what platforms are running here, i.e. I'm assuming a Linux OS? Apache web server? Any ideas or experience would be much appreciated! Cheers, Rob

    8 replies

    emnoc
    New Member
    July 22, 2014
    Protect the SSLVPN portal from what would be my 1st question? Brute-force login fails? Layer 3 or 4 flooding? FWIW, I think the daemon is a lite version of Apache, but which version I'm not sure. For tunnel mode you can apply an IPS profile on the ssl.root to inside-server with ease. But I have never actually done this or seen a need for it. I guess it wouldn't hurt.
    rob_cart (Author)
    New Member
    July 22, 2014
    Thanks for the reply emnoc. Yeah, I'd say protect it from any possible external threat (I'm no security expert, btw). I would assume, as it's a web interface potentially accessible from anywhere on the internet, an IPS profile would be a good idea. I was thinking to put this on the WAN to internal policy, i.e. not the ssl.root to internal policy required for tunnel mode which you mentioned earlier. Thanks for the assistance, and as I say I'm no security expert so I appreciate your advice.
    emnoc
    New Member
    July 22, 2014
    I don't know if you can protect it in that fashion. You don't need a policy installed to have SSLVPN enabled. So how would you apply the IPS profile? To a local-in policy maybe? I don't recall an option to apply an IPS sensor directly to traffic directed at the FortiGate. Somebody correct me if I'm wrong.
    Warren_Olson_FTNT
    Staff
    July 22, 2014
    I think you'd be better off just applying a DoS policy to the external interface.
    emnoc
    New Member
    July 22, 2014
    Still, you have the same issues. A DoS policy goes against a fwpolicy. A fwpolicy has a srcintf and dstintf. For traffic flooding directly to an SSLVPN host on an external interface, I don't know how you could apply any IPS/DoS protection. If you have a Unix host, you can demonstrate this with a simple ping -f against an interface, or better, hping a SYN flood to the web portal page. Now how would you apply a signature or policy to protect against this?
    netmin
    New Member
    July 22, 2014
    I am wondering whether the portal could be used on a loopback interface and a VIP from the external interface pointing to it.
    AtiT
    New Member
    July 24, 2014
    netmin, I managed to set up the firewall rules to do VIP to loopback interface, and from that loopback interface to set a firewall rule to some other interface with the sslvpn action. It is working.
    rob_cart (Author)
    New Member
    July 24, 2014
    Thanks for all the input guys
    FortiAdam
    New Member
    July 29, 2014
    Did none of you have to utilize an interface policy to block Heartbleed? This is as simple as creating an interface policy for the interface that your SSL VPN is listening on and applying the IPS sensor that you want. There are plenty of options on interface policies that will help you control and inspect the traffic.
    netmin
    New Member
    July 29, 2014
    AFAIK, an interface policy did/does not perform deep inspection on SSL traffic, and malicious HB request detection is a TLS record layer pattern-matching IPS signature, isn't it? I think it is worth, at least to us, following up on / evaluating the VIP->loopback variant, as already used by AtiT, also to present the portal on a different IP.
    FortiAdam
    New Member
    July 30, 2014
    Well, it was the official workaround that Fortinet posted, so I hope it was sufficient. I confirmed via multiple methods that the SSL VPN portal was no longer vulnerable to Heartbleed after applying the interface policy with the appropriate IPS sensor. At the bottom of the page here is where you can find a brief mention of this: http://www.fortiguard.com/advisory/FG-IR-14-011/
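The interface-policy approach FortiAdam describes, written out as an added FortiOS CLI example (not taken from the thread, the advisory or Fortinet documentation); the interface name "wan1", the portal port 10443, the service object "SSLVPN-PORTAL" and the sensor name "sslvpn-portal" are assumptions, and the sensor's filter is a placeholder you would replace with the signatures relevant to the portal:

```fortios
# Added example, not from the thread. An interface policy inspects traffic as
# it enters an interface, including traffic addressed to the FortiGate itself,
# which is why it reaches the SSL VPN portal when a normal srcintf/dstintf
# firewall policy does not (emnoc's point above).
# Assumed: external interface "wan1", SSL VPN listening on TCP 10443
# (config vpn ssl settings / set port 10443).

# 1. The sensor. The filter here is a placeholder (block everything rated
#    high/critical); in practice narrow it to the signatures that matter for
#    the portal, e.g. the Heartbleed signature referenced in FG-IR-14-011.
config ips sensor
    edit "sslvpn-portal"
        set comment "Protect the SSL VPN portal listening on wan1"
        config entries
            edit 1
                set severity high critical
                set status enable
                set action block
                set log enable
            next
        end
    next
end

# 2. A service object matching only the portal port, so the interface policy
#    does not run the sensor over every packet arriving on wan1.
config firewall service custom
    edit "SSLVPN-PORTAL"
        set tcp-portrange 10443
    next
end

# 3. The interface policy binding the sensor to the listening interface.
config firewall interface-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-PORTAL"
        set ips-sensor-status enable
        set ips-sensor "sslvpn-portal"
    next
end
```

Check the result in the IPS log after a scan of the portal port from outside; as netmin notes, this path does not decrypt the session, so only signatures that match on the TLS records themselves can fire here.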