
IPS Project

• The scope of the project is to implement protection for the most critical part of the Vaillant network.
• Servers that are exposed to the outside network are an attractive target, since they can serve as an entry point for attackers into the organization if they manage to exploit a vulnerability.
• Once inside the network, the attacker can masquerade as the compromised system and perform requests on its behalf.
• Several locations have DMZ server exposure.
First part of the project
• Create a logical site diagram that illustrates each network within the site and the DMZ service exposure.
• Install the IPS license on each location that is in project scope.
• Communicate with local IT in China, Ukraine and Turkey and advise them to order the correct licenses, since those locations have special treatment.
• Describe the licenses in CMDB+ and make sure that monitoring rules are in place: notifications when a license is about to expire.
• Update the signature database on the firewalls to receive the latest threats available from the FortiGuard network.
• Enable the auto-push option to receive new updates as soon as they are released from the FortiGuard cloud.
• Adjust the default IPS profile by changing the action to Monitor (essentially IDS).
• Install the profile on every policy related to access from the outside, for the firewalls in scope.
Second part of the project
• Collect IPS data
• All firewalls send their logs to the FortiAnalyzer appliance, as per the requirements defined in CRxxxx.
• FortiAnalyzer forwards everything it receives from its managed devices to the SIEM.
• Two-week data gathering period after the last IPS profile installation.
• Configure the IPS report to be executed on a regular basis.
• Automation: connect the FortiAnalyzer system to the mail server, so that the system can send the report to the intended recipients every time it is executed.
Third part of the project
• Data analysis and fine tuning
• Verify the top 5 noise generators (the top 5 most triggered signatures):
  • Who is triggering those signatures?
  • Is it a single source?
  • Is this legitimate traffic?
  • Provide the customer with an example packet that triggered the signature and wait for feedback.
• False positives
  • If confirmed, create exceptions for the signature when it is triggered by legitimate sources.
• True positives

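The triage of the top noise generators described in the third part, as an added example that is not part of the project's own tooling: it parses FortiGate-style key=value IPS log lines (the sample lines and their field set are constructed assumptions), ranks the most triggered signatures and records, per signature, which sources trigger it and whether it is a single-source noise generator. Whether that traffic is legitimate remains the owner's call, as the slides say.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in FortiGate-style key=value IPS log format (assumption:
# a real FortiAnalyzer export carries more fields; only those used here are shown).
SAMPLE_LOGS = """\
date=2024-03-01 time=09:00:01 devname="fw-dmz-01" subtype="ips" severity="high" srcip=203.0.113.10 dstip=192.0.2.20 action="detected" attack="HTTP.Unix.Shell.Code.Injection" attackid=1001
date=2024-03-01 time=09:00:04 devname="fw-dmz-01" subtype="ips" severity="low" srcip=198.51.100.5 dstip=192.0.2.20 action="detected" attack="TCP.Split.Handshake" attackid=2002
date=2024-03-01 time=09:00:09 devname="fw-dmz-01" subtype="ips" severity="low" srcip=198.51.100.5 dstip=192.0.2.21 action="detected" attack="TCP.Split.Handshake" attackid=2002
date=2024-03-01 time=09:00:13 devname="fw-dmz-02" subtype="ips" severity="low" srcip=198.51.100.5 dstip=192.0.2.22 action="detected" attack="TCP.Split.Handshake" attackid=2002
date=2024-03-01 time=09:00:20 devname="fw-dmz-02" subtype="ips" severity="medium" srcip=203.0.113.44 dstip=192.0.2.20 action="detected" attack="SSL.Anonymous.Ciphers.Negotiation" attackid=3003
date=2024-03-01 time=09:00:25 devname="fw-dmz-02" subtype="ips" severity="medium" srcip=203.0.113.45 dstip=192.0.2.20 action="detected" attack="SSL.Anonymous.Ciphers.Negotiation" attackid=3003
date=2024-03-01 time=09:00:30 devname="fw-dmz-02" subtype="webfilter" srcip=203.0.113.45 dstip=192.0.2.20 action="passthrough"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_ips_logs(text):
    """Parse key=value lines into dicts, keeping only IPS events (subtype="ips")."""
    events = []
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}
        if fields.get("subtype") == "ips":
            events.append(fields)
    return events

def triage_top_signatures(events, n=5):
    """Rank signatures by hit count; for each, record the triggering sources,
    whether it is a single-source noise generator and which sensors saw it."""
    hits = Counter(e["attack"] for e in events)
    sources = defaultdict(Counter)
    sensors = defaultdict(set)
    for e in events:
        sources[e["attack"]][e["srcip"]] += 1
        sensors[e["attack"]].add(e["devname"])
    return [
        {
            "attack": attack,
            "count": count,
            "sources": dict(sources[attack]),
            "single_source": len(sources[attack]) == 1,
            "sensors": sorted(sensors[attack]),
        }
        for attack, count in hits.most_common(n)
    ]

if __name__ == "__main__":
    for row in triage_top_signatures(parse_ips_logs(SAMPLE_LOGS)):
        print(row)
```

A signature flagged as single-source is the candidate for the packet-example review with the customer; only after the owner confirms the traffic is legitimate does it become a source-scoped exception.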