Endpoint Protection

  • 1.  What is the priority of firewall policy, IPS and customized IPS?

    Posted Dec 06, 2012 03:53 AM

    I am testing customized IPS to drop some traffic.

    There is a piece of software that uses UDP to send login info to the server, and if UDP is blocked, it uses TCP to send the login info.

    I can block the UDP port it uses because it is not a common port, but the TCP ports 80/443 it uses cannot be blocked.

    And it is not a good solution to block the server's DNS name or IP, because the server list always changes.

    So I think I can use customized IPS to drop the login info packet.

    And I did succeed in dropping the TCP packet but failed to drop the UDP packet.

    My test:

    If I use the default firewall policy and apply customized IPS, the software can log in.

    If I use the default firewall policy but add a BLOCK ALL UDP rule ahead of the Allow ALL APPS rule, and apply customized IPS, then the software fails to log in, and I can see in the IPS logs that it dropped the TCP login info packet.

    So I am confused: what is the priority of firewall policy, IPS and customized IPS?

    If firewall policy is higher, customized IPS will do nothing.

    If customized IPS is higher, I should be able to see in the IPS logs that it drops the UDP and TCP packets.

    My customized IPS rules are:

    ------------------------------

    rule udp, dest=(xxxx),msg="DROP XXX UDP LOGIN",content="\x01\x01\x01"

    rule tcp, dest=(80,443),msg="DROP XXX TCP LOGIN",regexpcontent="\x01\x01\x01" (58,3)

    ------------------------------

    So can someone give me an answer?

    Thanks in advance.



  • 2.  RE: What is the priority of firewall policy, IPS and customized IPS?
    Best Answer

    Posted Dec 06, 2012 07:42 AM

    Check this KB article:

    About the firewall rule, firewall setting, and intrusion prevention processing order

    https://www.symantec.com/business/support/index?page=content&id=HOWTO81187



  • 3.  RE: What is the priority of firewall policy, IPS and customized IPS?

    Posted Dec 06, 2012 08:28 AM

    THANKS..

    Ok. Now I know that custom IPS is the first priority.

    So is there anything wrong with my custom IPS setting? Why can it not drop my UDP packet as I want?



  • 4.  RE: What is the priority of firewall policy, IPS and customized IPS?

    Posted Dec 06, 2012 09:03 AM

    What version are you running?



  • 5.  RE: What is the priority of firewall policy, IPS and customized IPS?

    Posted Dec 06, 2012 08:03 PM

    SEP12.1



  • 6.  RE: What is the priority of firewall policy, IPS and customized IPS?

    Posted Dec 06, 2012 09:09 PM

    After I remove "content" from my UDP custom IPS, it works.

    So I think I did not get the right data segment of the UDP packet to drop.
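The thread ends with the conclusion that the UDP signature's `content` predicate simply never matched the bytes that were actually in the UDP payload, while the TCP signature's anchored `regexpcontent` did. The following Python block is an added example, not code from the thread or from Symantec, that models the two signatures as a tiny packet-filter pipeline so the effect of a content predicate can be seen directly. It assumes a simplified matching semantics: `content` is a substring search over the payload, and the `(58,3)` suffix on the TCP rule is treated as an offset/length window (the real SEP semantics are not stated on the page). Port 5000 stands in for the redacted UDP destination port, and all payloads are constructed.

```python
"""Toy model of the thread's two custom IPS signatures.

Constructed example. Rule syntax, the offset/length interpretation of "(58,3)"
and the payloads are assumptions for illustration, not Symantec's implementation.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    proto: str                         # "udp" or "tcp"
    dest_ports: frozenset              # destination ports the rule applies to
    msg: str                           # message logged when the rule drops a packet
    content: Optional[bytes] = None    # fixed byte string that must appear in the window
    regexp: Optional[bytes] = None     # regular expression that must match the window
    offset: int = 0                    # assumed: first payload byte of the search window
    depth: Optional[int] = None        # assumed: window length (None = to end of payload)

    def matches(self, proto: str, dport: int, payload: bytes) -> bool:
        """True when the packet's header and payload satisfy every predicate."""
        if proto != self.proto or dport not in self.dest_ports:
            return False
        end = None if self.depth is None else self.offset + self.depth
        window = payload[self.offset:end]
        if self.content is not None and self.content not in window:
            return False
        if self.regexp is not None and re.search(self.regexp, window) is None:
            return False
        return True


def first_drop(rules, proto: str, dport: int, payload: bytes) -> Optional[str]:
    """Return the msg of the first rule that drops the packet, or None if it passes."""
    for rule in rules:
        if rule.matches(proto, dport, payload):
            return rule.msg
    return None


# The thread's signatures, transcribed into the model.
UDP_RULE_WITH_CONTENT = Rule("udp", frozenset({5000}), "DROP XXX UDP LOGIN",
                             content=b"\x01\x01\x01")
UDP_RULE_NO_CONTENT = Rule("udp", frozenset({5000}), "DROP XXX UDP LOGIN")   # post #6
TCP_RULE = Rule("tcp", frozenset({80, 443}), "DROP XXX TCP LOGIN",
                regexp=rb"\x01\x01\x01", offset=58, depth=3)

# Constructed payloads (labels describe what each one exercises).
TCP_LOGIN_AT_58 = b"A" * 58 + b"\x01\x01\x01" + b"rest"   # marker exactly at byte 58
TCP_LOGIN_AT_57 = b"A" * 57 + b"\x01\x01\x01" + b"rest"   # marker one byte early
UDP_LOGIN_OTHER_BYTES = b"\x02\x02\x02" + b"login"        # marker the rule expects is absent
UDP_LOGIN_WITH_MARKER = b"\x01\x01\x01" + b"login"        # marker present
UDP_UNRELATED = b"dns-query"                             # different port, should pass


def demo() -> dict:
    """Evaluate each constructed packet against both rule sets."""
    with_content = [UDP_RULE_WITH_CONTENT, TCP_RULE]
    no_content = [UDP_RULE_NO_CONTENT, TCP_RULE]
    return {
        "tcp_marker_at_58": first_drop(with_content, "tcp", 443, TCP_LOGIN_AT_58),
        "tcp_marker_at_57": first_drop(with_content, "tcp", 443, TCP_LOGIN_AT_57),
        "udp_other_bytes_with_content": first_drop(with_content, "udp", 5000, UDP_LOGIN_OTHER_BYTES),
        "udp_marker_with_content": first_drop(with_content, "udp", 5000, UDP_LOGIN_WITH_MARKER),
        "udp_other_bytes_no_content": first_drop(no_content, "udp", 5000, UDP_LOGIN_OTHER_BYTES),
        "udp_other_port_no_content": first_drop(no_content, "udp", 53, UDP_UNRELATED),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} -> {verdict or 'pass'}")
```

The two UDP cases with the content predicate show the failure mode from the thread: when the bytes named in `content` are not where the rule looks, the rule never fires and the packet falls through to the next stage, which is indistinguishable in the logs from the rule not being evaluated at all. Dropping the predicate (post #6) makes the rule fire on every UDP packet to that port, which works here only because the port is uncommon; the anchored TCP rule on ports 80/443 cannot afford that, and the `tcp_marker_at_57` case shows how sensitive an offset-anchored match is to the exact payload layout.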