IPS Core Protections and HTTPS Inspection

Hi all,
I've been reading up on a few great posts by @HeikoAnkenbrand about "R80.x Security Gateway Architecture". One thing I didn't quite catch, though, is whether "IPS Core Protections" is usable with "HTTPS Inspection". More specifically, I have the four "HTTP ..." protections in mind.

My guess is, it isn't.

I did a quick test.
I set up a server with both http- and https-sites.
Configured the host object as a Web Server and added port 443 to the Web Server configuration.
Configured inbound HTTPS Inspection for the https-site.
Everything works as expected.

To test whether the Core Protections work with HTTPS Inspection, I then added a header and a value to "HTTP Header Patterns" and used curl to access the sites, adding the specific header and value. Accessing the http-site resulted in a Prevent event in the log as expected. However, when accessing the https-site the request wasn't prevented and only inspection events were posted in the log.

If that's correct, can anyone explain why, or direct me to a good source that explains this? Or is it because "HTTPS Inspection" only supports the following blades: Application Control, URL Filtering, IPS, Anti-Virus, Anti-Bot, Threat Emulation, Data Loss Prevention (DLP), and the "Core Protections" are handled by the Firewall blade?

Thanks

Tobias
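The check behind the experiment above is a coverage question: for each service the test traffic used, did the named protection actually produce an action? The following script is an added example (not code from the thread or from Check Point): it correlates log records by service and protection and reports the services on which the protection never fired. The log lines are constructed in a simplified key=value layout, not the gateway's real export format, and model the result Tobias describes (Prevent on http, only an inspection event on https).

```python
import re

# Constructed sample log lines in a simplified key=value layout (NOT the
# gateway's real export format). They model the experiment in the post: the
# same custom header sent once to the http site and once to the https site.
SAMPLE_LOG = """\
time=10:01:02 src=10.0.0.5 dst=192.0.2.10 service=http blade=IPS protection="HTTP Header Patterns" action=Prevent
time=10:01:05 src=10.0.0.5 dst=192.0.2.10 service=https blade="HTTPS Inspection" action=Inspect
time=10:01:05 src=10.0.0.5 dst=192.0.2.10 service=https blade=Firewall action=Accept
"""

# key=value pairs; quoted values may contain spaces (protection names do).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def coverage(lines, protection):
    """For every service seen in the log, return the action the named
    protection produced on it, or None if it never matched that service."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        service = rec.get("service", "?")
        report.setdefault(service, None)
        if rec.get("protection") == protection:
            report[service] = rec.get("action")
    return report


def gaps(lines, protection):
    """Services that carried the test traffic but never triggered the
    protection. These are the flows the protection does not cover (the
    HTTPS-inspected site in the post) and need a different control."""
    return sorted(s for s, action in coverage(lines, protection).items()
                  if action is None)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for service, action in coverage(lines, "HTTP Header Patterns").items():
        print(f"{service:6s} -> {action or 'no match'}")
    print("uncovered services:", gaps(lines, "HTTP Header Patterns"))
```

Running it prints `http -> Prevent`, `https -> no match` and `uncovered services: ['https']`, which is the gap the thread is about: an HTTPS Inspection event alone shows the flow was decrypted, not that the Core Protection was applied to it.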

Accepted Solutions

Hi @Tobias_C,

The 39 core IPS protections are processed differently on the gateway than the threat cloud protections.
There are only 4 protections which affect HTTP:
- HTTP Header Patterns
- HTTP Header Spoofing
- HTTP Response Status Message Concealment
- HTTP URL Patterns

[image: core.png]

As far as I know, these protections are not intercepted via CPAS (HTTPS interception) and PSL, so they should not be detected in HTTPS traffic. But here I am not 100% sure. Only the threat cloud IPS signatures would be intercepted via CPAS and sent to PSL. More on CPAS and PSL can be read here: R80.x - Security Gateway Architecture (Logical Packet Flow), or here: R80.x - Security Gateway Architecture (Content Inspection).

For technical reasons, the core IPS protections are still installed as part of "Access Control" even with R80.x gateways. The threat cloud IPS protections are still installed as part of "Threat Prevention" even with R80.x gateways.

Best Regards
Heiko


The 39 IPS Core Protections are strange beasties for sure, and exist in what I call a "no-man's land" between Access Control and Threat Prevention.  My guess is that the Core Protections are applied as part of Stateful Inspection in the Access Control policy on packets and their contents, but *before* they are able to be decrypted by HTTPS Inspection.  This is probably why you didn't detect your HTTP header pattern inside HTTPS-Inspected traffic.  I'm pretty sure this limitation would not apply to traffic coming out of a VPN as decryption of the packet happens very early in the chain sequences of processing, while HTTPS Inspection (which relatively speaking is a much newer feature than IPSec VPN) happens much later.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
