fortimaster
Contributor

Doubts about DoS and where to apply IPS sensor.

Hi! I have two doubts:

 

1) I have published web servers, which are in my DMZ. I have adjusted thresholds and protected them against TCP attacks, since they only allow HTTPS traffic. I suppose there is no point in protecting them from other types of DoS attacks (UDP, ICMP, etc.). On the other hand, my firewall connects to an ISP and receives the public IP on one of its interfaces directly (without NAT). It is not the public IP (VIP) used to connect to the web servers, but it is the same internet connection. This interface does not have any administrative access enabled (ICMP, HTTP, etc. are disabled). I was wondering if I should protect the interface itself from DoS attacks, but I understand that it is not necessary since I do not have any services enabled. If there is no service enabled, they cannot do a DoS. However, I have monitored the IP of the interface with very low thresholds, and anomaly alerts appear; I don't understand why it detects them when the ports or services being attacked are not open. Should I protect my firewall interfaces, which do not have any services up, from DoS attacks? Why do attack attempts appear when I monitor them, when they don't have any services up?

 

2) I have another doubt about IPS sensors. I have two firewalls around my DMZ. One connects to the internet and the other to my network. All the services that I have published in my DMZ are protected with IPS sensors and deep inspection; they are usually web servers.
On the other hand, all the traffic that enters from the DMZ into the intranet is also protected with IPS on the internal firewall, but I wonder if it is necessary. I understand that if there were a worm (for example) on a server in my DMZ, it could spread to my intranet if users connect to the infected server and there is no IPS. I also have IPS sensors between my datacenter and the user networks. Could you tell me if this use of IPS is correct, or should I not use it on my intranet?

 

Thanks!

 

Anthony_E
Community Manager

Hello fortimaster,

 

Thank you for using the Community Forum.


I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello fortimaster,

 

May I ask you which units and under which version of FortiOS you are using it please?

 

Thanks a lot in advance.

 

Regards,

Anthony-Fortinet Community Team.
fortimaster
Contributor

FortiGate 500E with 6.2.10. Thanks!

Anthony_E
Community Manager

Thank you :)!

 

I have found this document:

 

https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/308620/ips-sensor

 

It explains the IPS sensor for your version.

Does it help?

 

If not, We will find another solution :)!

 

Regards,

Anthony-Fortinet Community Team.
fortimaster

Thanks Anthony, yes, it helps me!

AlexC-FTNT
Staff

1. A DoS attack is the result of an attacker sending an abnormally large amount of network traffic to a target system (your public IP), regardless of whether services are enabled or not. Any network traffic the target system receives has to be examined, and then accepted or rejected. Yes, you can attempt to protect your WAN interfaces against DoS, but an effective DoS defense must be placed as close to the attacker as possible (in the ISP firewall).
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/372693/defending-against-dos-attacks

 

2. IPS should be used everywhere as long as there is a risk of compromised hosts connecting to your network, and as long as firewall resources allow it.


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
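As an added illustration of both points in the answer above (this is example configuration written for this page, not taken from the original post or from Fortinet documentation), the FortiOS CLI below shows a DoS policy on the internet-facing interface and an IPS sensor reused on the DMZ-to-intranet policy. The interface names (`wan1`, `dmz`, `internal`), the addresses `203.0.113.10` (interface IP, no services) and `203.0.113.20` (external address of the VIP in front of the web server), and the policy IDs and names are all constructed assumptions; the thresholds are the ones this example chose, and should be tuned to the observed baseline.

```fortios
# Constructed example: 203.0.113.20 is the external address of the VIP that
# maps to the DMZ web server. The WAN interface itself (203.0.113.10) exposes
# no services, so it is deliberately not the destination of this DoS policy.
config firewall address
    edit "vip-web-external"
        set subnet 203.0.113.20 255.255.255.255
    next
end

# DoS policy on the internet-facing interface. The web servers only expose
# HTTPS, so TCP anomalies are blocked. UDP/ICMP anomalies are kept in pass
# mode with logging: packets to closed ports are still counted against the
# threshold, which is why alerts appear even when no service is listening.
config firewall DoS-policy
    edit 1
        set name "dos-dmz-web"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "vip-web-external"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 250
            next
        end
    next
end

# IPS sensor for point 2: block high/critical signatures, log medium ones.
# The same sensor is attached to the DMZ -> intranet policy on the internal
# firewall, so a compromised DMZ host is inspected on its way into the LAN.
config ips sensor
    edit "block-high-critical"
        set comment "Block high/critical signatures, log medium"
        config entries
            edit 1
                set severity high critical
                set status enable
                set log enable
                set action block
            next
            edit 2
                set severity medium
                set status enable
                set log enable
                set action pass
            next
        end
    next
end

config firewall policy
    edit 10
        set name "dmz-to-intranet"
        set srcintf "dmz"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "block-high-critical"
        set logtraffic all
    next
end
```

The DoS policy is evaluated before the regular firewall policy, so anomaly counters increment for packets that a firewall policy would later drop; that is consistent with the answer's point that every packet reaching the interface still has to be examined.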
fortimaster
Contributor

I understand that the DoS policy detects any packet that tries to do a DoS regardless of whether that service is allowed on the IP for which you apply the sensor. It's clear for me. But on the other hand I understand that if the IP of a WAN interface does not have any services enabled, it does not make sense to protect it with DoS. In my case I have several IPs, accessible through the WAN interface, which are the ones with published services. That is why I protect those IPs, which are VIPs associated with end servers. Since it is not the same IP that the WAN interface has, I understand that what I am doing is correct.

Let's say that the router has several public IPs routed through the IP that has the WAN interface. But the WAN interface IP is not used for any service. Can you tell me what you think? Thank you very much for your help. 

 

2) About IPS: your answer is very clear to me; it has been very helpful.

 

AlexC-FTNT

Regardless of services being enabled or not on the WAN interface (and you refer here to public access to this IP), it still sees traffic. It receives traffic from the WAN (at layer 2), either wanted or unwanted. So the FortiGate (or any other device) must decide what to do with those packets: whether or not they are destined to it, a check must be made. A DoS attack does not care about a reply to those packets; they simply exist on the physical line to slow or block your access to the internet and to burden your firewall with unwanted packets. If there is no other traffic that passes that interface, sure, there is no need for DoS protection, since all the traffic is discarded (not matching any routing).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
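To check for yourself what the answer above describes, i.e. that packets addressed to the interface IP still arrive and are evaluated even though nothing listens there, the FortiOS diagnostic commands below can be run on the FortiGate. This is an added example written for this page, not part of the original post; `wan1`, `203.0.113.10` (the WAN interface IP) and `203.0.113.20` (the VIP external address) are constructed assumptions, and the exact column layout of the anomaly listing varies between FortiOS builds.

```fortios
# Show the DoS policies configured and which interface/destination each one
# applies to (confirms the policy is bound to the VIP address, not to the
# interface IP).
show firewall DoS-policy

# Per-anomaly status and counters as seen by the IPS engine; anomaly hits on a
# destination with no listening service still appear here, because the count
# is taken from packets arriving on the interface, not from accepted sessions.
diagnose ips anomaly list

# Sniff TCP packets addressed to the interface IP itself (verbosity 4 prints
# the interface name, 20 packets then stop). Any output here is traffic the
# FortiGate had to classify and drop, even though no service is exposed.
diagnose sniffer packet wan1 'dst host 203.0.113.10 and tcp' 4 20

# Same check for the VIP external address that the DoS policy protects.
diagnose sniffer packet wan1 'dst host 203.0.113.20 and tcp and dst port 443' 4 20
```

If the first sniffer command shows a steady stream of SYNs to the interface IP while the second shows only legitimate-looking client traffic, the alerts seen when monitoring the interface IP with low thresholds are explained by that background noise rather than by any open service.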
fortimaster
Contributor

Excellent answer, thanks. Actually, the traffic to my final servers enters through that interface, but not through the IP that the interface has (it is routed through that IP, but it is not an IP that has a published service). Therefore, I have protected the IP that is associated with the VIP that ends on the final server, which I understand is correct. And on the other hand, I understand that the DoS sensor monitors certain packets that arrive at an IP, even though there is no way they can take down a service that is not up.

I think that would be the summary.