D_TK
Contributor

IPS question


Hi - wondering if IPS can prevent this from occurring.  We host a few public facing websites behind an R80.40 gateway.  Most of the recommended IPS defs are enabled, but we recently got dinged on an external pen test.

This is what the pen tester is able to do (he's referring to the CP gateway as the "WAF"):

"Finding #2 – IP Spoofing Web Application Firewall Bypass – It is still possible to bypass the WAF blocks by adding the “X-Forwarded-For” Header to the POST request and iterating the last octet for 127.0.0.x. Without the “X-Forwarded-For” header, I am blocked after 5 attempts. After adding, I could continue without the WAF hindering me indefinitely."

This is referring to a login screen over https.

Any ideas would be greatly appreciated. Thanks.


[screenshot attached: maskedImage.jpg]

0 Kudos
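To illustrate the mechanism in Finding #2 from a defender's side, here is an added example (not code from the original post, the web application, or Check Point): a toy login rate limiter that keys its 5-attempt lockout on the client address, first in the weak form that trusts any X-Forwarded-For header, then in a hardened form that honours the header only when the TCP peer is one of our own proxies. The trusted proxy range and the sample addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the only hosts that legitimately set X-Forwarded-For for us.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
MAX_ATTEMPTS = 5


class LoginLimiter:
    """Counts login attempts per client key and blocks after MAX_ATTEMPTS."""

    def __init__(self, trust_xff_blindly: bool):
        self.trust_xff_blindly = trust_xff_blindly
        self.attempts = defaultdict(int)

    def client_ip(self, peer_ip: str, headers: dict) -> str:
        xff = headers.get("X-Forwarded-For")
        if xff is None:
            return peer_ip
        if self.trust_xff_blindly:
            # Weak: the caller controls this header, so the caller chooses
            # the key the lockout is counted against.
            return xff.split(",")[-1].strip()
        # Hardened: use the header only when the socket peer is a proxy we
        # run, and then take the address that proxy appended (last entry).
        if any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
            return xff.split(",")[-1].strip()
        return peer_ip

    def attempt(self, peer_ip: str, headers: dict) -> bool:
        """Return True if this login attempt is allowed to reach the form."""
        key = self.client_ip(peer_ip, headers)
        if self.attempts[key] >= MAX_ATTEMPTS:
            return False
        self.attempts[key] += 1
        return True


def replay_pentest(limiter: LoginLimiter, attempts: int = 10, spoof: bool = True) -> int:
    """Replay the request pattern from the finding: one real peer address
    (constructed: 203.0.113.9), optionally rotating X-Forwarded-For through
    127.0.0.x. Returns how many attempts the limiter let through."""
    allowed = 0
    for i in range(1, attempts + 1):
        headers = {"X-Forwarded-For": f"127.0.0.{i}"} if spoof else {}
        if limiter.attempt("203.0.113.9", headers):
            allowed += 1
    return allowed
```

With the weak limiter all ten spoofed attempts pass; with the hardened one the count stops at five whether or not the header is present, because the untrusted peer's header is ignored. A gateway can only apply the same logic to inbound HTTPS once it can read the header, which is what the accepted answer below is getting at.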

6 Replies
PhoneBoy
Admin

Do you have HTTPS Inspection enabled?
Also when it is dropped after 5 attempts without the XFF header, is a specific IPS protection triggering?

D_TK
Contributor

Thanks for the reply - two great questions.

We have the typical MITM HTTPS inspection for outgoing traffic, but not for incoming, and there is no IPS protection triggered for the pen tester's connection. The web programmer doesn't know of anything in his code (ColdFusion) or IIS that would do the 5-attempt lockout.


Thank you.

0 Kudos
PhoneBoy
Admin

Until you've enabled HTTPS Inspection for inbound traffic to the relevant server, there's really nothing for us to do here as we cannot see the XFF header, much less take any action upon it. 


D_TK
Contributor

Thanks - that's what I figured, but wanted to ask. So... I imported the cert for this site and created an inbound inspection rule to that server with me as the only source for testing. On just the home page, about ten SQL injection prevents were triggered just because file names had an "or" in them. Here's an example:

[screenshot attached: maskedImage.jpg]

The server SQL-injection setting is "Low" - does this seem crazy aggressive?

0 Kudos
PhoneBoy
Admin

The "Low" in this case refers to performance impact of the protection.

0 Kudos
Timothy_Hall
Champion

Just to follow up on what PhoneBoy said, the Performance Impact rating specifies how enabling that particular signature will impact SecureXL acceleration on the firewall. Here is a rough guide taken from my IPS Immersion self-guided video series:


The Performance Impact rating specifies the level of CPU processing overhead for the gateway enforcing this protection. Gaia embedded appliances (models 1200R–1500) or smaller Check Point gateway appliances will be much more heavily impacted by High and Critical–level IPS Protections than larger gateways.
Critical – 100% of traffic subject to inspection by this Protection is ineligible for acceleration by SecureXL and will take the slowpath (F2F) through a R80.10 or earlier gateway. (We will cover IPS performance extensively in Module 10)
High – Traffic inspected by this Protection will be inspected ~50% in the non–accelerated slowpath (F2F) and CPASXL path, and ~50% in the partially–accelerated Medium Path (PXL).
Medium – 100% of traffic subject to inspection by this Protection will be handled in the partially–accelerated Medium Path (PXL) on the gateway.
Very Low/Low – Protection is fully accelerated in the fastpath by SecureXL.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos