topic Re: IPS question in General Topics

IPS question

D_TK — Thu, 18 Mar 2021 20:00:53 GMT

Hi - wondering if IPS can prevent this from occurring. We host a few public facing websites behind an R80.40 gateway. Most of the recommended IPS defs are enabled, but we recently got dinged on an external pen test.

This is what the pen tester is able to do (he's referring to the CP gateway as the "WAF"):

"Finding #2 – IP Spoofing Web Application Firewall Bypass – It is still possible to bypass the WAF blocks by adding the “X-Forwarded-For” Header to the POST request and iterating the last octet for 127.0.0.x. Without the “X-Forwarded-For” header, I am blocked after 5 attempts. After adding, I could continue without the WAF hindering me indefinitely."

This is referring to a login screen over https.

Any ideas would be greatly appreciated.. thanks.

Re: IPS question

PhoneBoy — Thu, 18 Mar 2021 20:24:27 GMT

Do you have HTTPS Inspection enabled?
Also when it is dropped after 5 attempts without the XFF header, is a specific IPS protection triggering?

Re: IPS question

D_TK — Thu, 18 Mar 2021 20:48:53 GMT

thanks for the reply - two great questions.

we have the typical MITM https inspection for outgoing traffic, but not for incoming and there is no IPS protection triggered for the pen tester's connection. The web programmer doesn't know of anything in his code (cold fusion) or IIS that would do the 5 attempt lockout.

thank you.

Re: IPS question

PhoneBoy — Thu, 18 Mar 2021 21:54:31 GMT

Until you've enabled HTTPS Inspection for inbound traffic to the relevant server, there's really nothing for us to do here as we cannot see the XFF header, much less take any action upon it.

Re: IPS question

D_TK — Fri, 19 Mar 2021 03:46:52 GMT

Thanks - that's what i figured, but wanted to ask. So....I imported the cert for this site, and created an inbound inspection rule to that server with me as the only source for testing. on just the home page about ten sql injection prevents were triggered just because file names had an "or" in it. Here's an example

The server sql-injection setting is "low" - does this seem crazy aggressive?

Re: IPS question

PhoneBoy — Fri, 19 Mar 2021 21:19:27 GMT

The "Low" in this case refers to performance impact of the protection.

Re: IPS question

Timothy_Hall — Sun, 21 Mar 2021 13:47:45 GMT

Just to follow up on what Phoneboy said, the Performance Impact rating specifies how enabling that particular signature will impact SecureXL acceleration on the firewall. Here is a rough guide taken my my IPS Immersion self-guided video series:

The Performance Impact rating specifies the level of CPU processing overhead for the gateway enforcing this protection. Gaia embedded appliances (models 1200R–1500) or smaller Check Point gateway appliances will be much more heavily impacted by High and Critical–level IPS Protections than larger gateways.

• Critical – 100% of traffic subject to inspection by this Protection is ineligible for acceleration by SecureXL and will take the slowpath (F2F) through a R80.10 or earlier gateway. (We will cover IPS performance extensively in Module 10)
• High – Traffic inspected by this Protection will be inspected ~50% in the non–accelerated slowpath (F2F) and CPASXL path, and ~50% in the partially–accelerated Medium Path (PXL).
• Medium – 100% of traffic subject to inspection by this Protection will be handled in the partially–accelerated Medium Path (PXL) on the gateway.
• Very Low/Low – Protection is fully accelerated in the fastpath by SecureXL.