Intrusion Prevention System

The FortiGuard Intrusion Prevention Service provides Fortinet customers with the latest defenses against stealthy network-level threats. It uses a customizable database of more than 8000 known threats to enable FortiGate appliances to stop attacks that evade conventional firewall defenses. It also provides behavior-based heuristics, enabling the system to recognize threats for which no signature has yet been developed.

The combination of known and unknown threat prevention enables FortiGate systems to stop the most damaging attacks at the network border regardless of whether the network is a wired, wireless, partner extranet, or branch office network connection. IPS signature updates are provided quickly via the global FortiGuard distribution network.

The severity level of a FortiGuard IPS event is based mainly on the ratings defined by the Common Vulnerability Scoring System (CVSS). CVSS is a vendor-neutral industry standard that provides an open framework for communicating the characteristics and impact of IT vulnerabilities.

FortiOS IPS uses protocol decoders, assisted by anomaly detection, to reassemble packets and identify sessions that look suspicious, resemble known attacks, or do not conform to the relevant RFC. The IPS engine applies the signatures selected in an IPS sensor, which can be filtered by the severity level of the signature, the target device (client or server), and the operating system (BSD, Linux, MacOS, Solaris, Windows, and 'Other').

There is also rate-based signature detection to protect against application-layer DoS and brute-force attacks, along with custom signature creation and IP reputation. The actions that can be taken are Monitor, Block, Reset and Quarantine, and a packet capture can be saved for any signature hit.

Layer 3 and Layer 4 anomaly detection is also available, applied per interface through DoS policies, covering SYN floods, SCTP floods, ICMP floods, port scans, and per-source and per-destination session limits.
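As an added example (not from the original page), the following FortiOS CLI fragment enables some of those interface-level anomaly checks in a DoS policy. The interface name, policy ID and threshold values are assumptions chosen for illustration; the anomaly names are the ones FortiOS uses, but keyword spellings should be verified against the CLI reference for your FortiOS version.

```fortios
# Added example: L3/L4 anomaly detection applied on the "wan1" interface
# through a DoS policy. Interface name and thresholds are assumptions.
config firewall DoS-policy
    edit 1
        set name "wan1-anomaly"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # SYN flood: rate of new TCP SYNs toward one destination IP
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            # Port scan: rate of new TCP SYNs from one source IP
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            # ICMP flood: rate of ICMP packets toward one destination IP
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
            next
            # Concurrent TCP sessions from one source IP; "pass" keeps this
            # entry in monitor mode so a baseline can be measured before
            # it is promoted to "block"
            edit "tcp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            # Concurrent TCP sessions toward one destination IP
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
        end
    next
end
```

Two practical points: DoS policies are evaluated on ingress before the firewall policy lookup, so they can shed flood traffic that would otherwise consume session resources, and the shipped thresholds are generic. Run new entries with action pass and logging first, read the anomaly logs for a representative period, and only then lower thresholds and switch to block, otherwise a busy NAT gateway or a legitimate scanner can trip the per-source counters.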

IPS security profiles are applied to firewall policies. If a firewall policy exists for inbound communications from the Internet and an IPS security profile is assigned to it, the traffic matching that policy is inspected. The order of inspection is firewall policy first, then IPS: traffic must match a policy before it is inspected by the IPS security profile attached to that policy. If the traffic matches no policy, it is dropped by the implicit deny and never reaches the IPS. If it matches a policy that has an IPS security profile assigned, it is scanned.
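The following FortiOS CLI fragment is an added example, not configuration from the original page, showing an IPS sensor that uses the severity, target and OS filters described above, a rate-based entry with quarantine, and the firewall policy that applies the sensor. The sensor and policy names, interface and address object names, the signature ID 12345, and the rate thresholds are all assumptions for illustration; keyword spellings should be checked against the CLI reference for your FortiOS version.

```fortios
# Added example: IPS sensor with filter entries, a rate-based entry, and the
# firewall policy that attaches it. Names, IDs and thresholds are assumptions.
config ips sensor
    edit "inbound-web-ips"
        set comment "Server-side signatures for the DMZ web tier"
        config entries
            # Filter entry: all high and critical signatures that target
            # servers running Windows or Linux. Block, log, and keep a
            # packet capture of the triggering traffic.
            edit 1
                set severity high critical
                set location server
                set os windows linux
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
            # Same filter at medium severity in monitor mode (pass + log),
            # so hits can be reviewed before these are promoted to block.
            edit 2
                set severity medium
                set location server
                set os windows linux
                set status enable
                set action pass
                set log enable
            next
            # Rate-based entry on a single signature (12345 is a placeholder,
            # not a real FortiGuard ID). Only fires if one source IP matches
            # it 10 times within 60 seconds; the source is then blocked and
            # quarantined for 5 minutes. Useful for brute-force signatures
            # where a single hit is normal but a burst is not.
            edit 3
                set rule 12345
                set rate-count 10
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
                set action block
                set quarantine attacker
                set quarantine-expiry 5m
                set quarantine-log enable
                set log enable
            next
        end
    next
end

# The sensor is inert until a firewall policy references it. Inbound traffic
# that matches no accept policy hits the implicit deny and is never inspected.
config firewall policy
    edit 10
        set name "internet-to-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "web-server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "inbound-web-ips"
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
    next
end
```

Note the SSL/SSH profile on the policy: without deep inspection the IPS sees only the TLS handshake of HTTPS traffic, so server-side HTTP signatures never match on port 443. Deep inspection on inbound traffic in turn needs the server's certificate and key loaded on the FortiGate, otherwise clients get certificate errors.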

Approximately 70 new signatures are released on a weekly basis and downloaded to either the FortiGate devices or a FortiManager console.

All FortiGuard IPS Service Updates can be viewed in detail at

Custom IPS signatures are supported. The built-in application control and IPS signatures cover most applications and network vulnerabilities; coverage can be extended by adding custom application signatures and custom IPS signatures.
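As an added example (not from the original page), here is a custom IPS signature in FortiOS F-SBID syntax that matches an HTTP request from a client whose headers contain a made-up scanner string. The signature name and the pattern "EvilScanner/1.0" are invented for illustration.

```fortios
# Added example: custom IPS signature. The name and pattern are assumptions.
# Inside the F-SBID(...) string the inner quotes are escaped with backslashes.
config ips custom
    edit "Custom.Scanner.UserAgent"
        # --protocol/--service scope the match to HTTP sessions
        # --flow from_client: look only at client-to-server data
        # --context header: search the HTTP headers, not the body or URI
        # --no_case: case-insensitive pattern match
        set signature "F-SBID( --name \"Custom.Scanner.UserAgent\"; --protocol tcp; --service HTTP; --flow from_client; --pattern \"EvilScanner/1.0\"; --context header; --no_case; )"
        set severity medium
        set location server
        set os windows linux
        set action block
        set log enable
        set log-packet enable
    next
end
```

Once defined, the custom signature is selected in an IPS sensor entry like any other signature and applies only to policies using that sensor. Two caveats: a header string such as a User-Agent is trivially changed by an attacker, so a signature like this catches noisy commodity scanners rather than anyone determined, and a loose pattern with no service or context restriction will match far more traffic than intended, so test a new custom signature with action pass and packet logging against real traffic before setting it to block.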

Each packet can have both its header and its payload inspected. The inspection depth (how many bytes of each packet header and payload are examined) is configurable.

Both TCP and UDP are covered under IPS anomaly and IPS engine scans.