Intrusion and Anomaly Detection and Prevention (IDP / ADP)
Intrusion and Anomaly Detection identifies threatening traffic, while Intrusion and Anomaly Prevention will drop or block detected traffic flows. Both forms of network security perform packet inspection on Layer 4 through Layer 7 headers to detect network attacks. They differ in how they identify threats.
Intrusion Detection compares traffic patterns called signatures to a database of known threatening signatures. If there is a match, the USG100 can then be configured to act on that traffic. Custom signatures can be created on the USG100, which helps understand the whole concept of a traffic signature.
Figure 7 shows the USG100 custom signature configuration page. As you can see, a custom IDP signature can be created to match traffic specific to a certain Platform (Operating System), Service (protocol), and with user defined values in the Layer 3 (Network Protocol) and Layer 4 (Transport Protocol) headers.
Figure 7: IDP Custom Signature creation
I created a basic custom signature called Cs-reid to match traffic from any operating system using the ICMP service (protocol), and set the action to log the activity. To keep it simple, I didn't specify any parameters in the Layer 3 or 4 headers. Ping uses the ICMP protocol, so I generated a WAN to LAN ping, and was pleased to see my simple signature was matched and generated a log entry as shown in lines 7 and 8 of Figure 8 below.
Figure 8: IDP Custom Signature matched and logged
IDP configuration options are based on profiles and interfaces. Profiles are collections of traffic signatures by protocol, such as IMAP, POP3, SMTP. Profiles also define the action taken on traffic that is detected to be intrusive or abnormal. Actions include logging, logging with an email alert, dropping, or rejecting the traffic. Profiles are then applied on traffic coming from one interface and going to another.
Anomaly Detection also monitors traffic, but looks for abnormal traffic activity based on the protocol. For example, an excessive number of simultaneous TCP SYN messages sent to a large range of TCP ports would be a pattern typical of a port scan, which is a type of network attack that looks for open holes in a firewall.
Intrusion Detection and Anomaly Detection are pretty complex, but fortunately, the USG100 has pre-defined profiles for both. The USG100's IDP configuration includes a profile for LAN and DMZ interfaces. Within those profiles, there are dozens of different signatures defined in 28 different protocols. For example, under TELNET, there is a signature called “TELNET EZsetup account attempt” which will match traffic generated by an attempted login to a telnet server using the username “OutOfBox.”
The IDP feature requires a current subscription in order for the USG100 to be able to access Zyxel's database of packet inspection signatures. As with their Anti-Virus solution, the USG100's IDP solution isn't outsourced, it is provided directly by Zyxel.
ADP patterns are added with firmware updates, which do not require a subscription. Still, the ADP feature has a base profile that detects over 60 types of port scans, sweeps, floods, and HTTP/TCP/UDP/ICMP attacks.
The USG100 has two network application management functions. The first is the Application Layer Gateway (ALG) function, which is useful for managing VoIP and FTP applications. Network Address Translations (NAT) can cause security and connection problems for VoIP and FTP, which can be alleviated in some cases through the use of an ALG. The USG100 ALG has options to enable SIP, H.323 and FTP transformations as shown in Figure 9.
Figure 9: ALG controls
A transformation is essentially changing the information in the application header to use the device's WAN IP address instead of the originating device's LAN IP address. For example, if you're running a SIP device behind the USG100, that device will have a private IP address. That private IP address will be used in the Layer 5 SIP header within the packets sent to a SIP server over the Internet. An example SIP header address will be in the form of firstname.lastname@example.org:5060.
The USG100 will NAT the packets sent from your SIP device to that SIP server. This means the private IP address in the Layer 3 packet header from your SIP device will be changed to the public IP address of the USG100's WAN interface. Enabling SIP transformations means the USG100 will inspect SIP packets and change the private IP address to the USG100's public IP address in the Layer 5 SIP header to match the IP address used in the Layer 3 packet header.
I was able to verify the USG100's SIP transformation capability, using a VoIP phone connected to public VoIP provider. Since I also work for that VoIP provider, I could inspect the SIP registration on our SIP server to see if the SIP headers showed the private IP address on my phone, or had been changed via the USG100's SIP transformation to the public IP address of the USG100's WAN interface.
I've changed the data below to not publicize my IP address or phone numbers. But the Before and After shows the USG100's SIP transformation works. In the line below titled Before, you can see the IP address is a private IP address. This was the address in our SIP server with the USG100's SIP transformation disabled. In the line below titled After, you can see the IP address is a public IP address. This was the address in our SIP server with the USG100's SIP transformation enabled.
The second network application management function on the USG100 is called AppPatrol, or Application Patrol. AppPatrol is a licensed feature on the USG100 that provides the ability to centrally manage applications run over your network. As with the AV and IDP solutions, the USG100 AppPatrol is in-house to Zyxel.
Applications recognized by the USG100 AppPatrol feature include 14 different instant messenger services, 13 different Peer to Peer applications, H323 and SIP signaling for VoIP, 2 streaming application (RTSP and Winamp), plus 5 of the more common network applications including IRC, HTTP, FTP, POP3 and SMTP.
With AppPatrol enabled, the USG100 can control bandwidth utilization by application, block applications, prioritize traffic from specific applications (such as VoIP), and produce real time utilization graphs per application.
To test this function, I set up a rule to drop FTP traffic originating from the LAN1 interface and terminating to the LAN2 interface. I configured my rule to log FTP activity as well. As shown below, the USG100 successfully detected the FTP application traffic and dropped it, performing as expected.