Quarantine can be used to prevent an infected machine


Quarantine can be used to prevent an infected machine from spreading worms, or leaking confidential information due to spyware infection. It can also be used to inform the user that something has gone wrong.

- Traffic matches against a filter configured for Block + IPS Quarantine
- Spyware filters are a great example
- IPS immediately blocks the malicious flow (due to the Block action)
- IPS optionally intercepts web requests and redirects them to an external server, or displays the Quarantine block page
- IPS optionally blocks other traffic

TippingPoint Administrator Training, Rev 10.5.17

Quarantine Concept (Thresholds)

Quarantine actions can also occur at a user-defined threshold. You can configure permit and trust actions to take effect before the threshold is triggered. For example, you can display a Quarantine web page to notify a quarantined user of the problem and provide instructions for fixing it, or the action may redirect all traffic from the quarantined IP address to a quarantine server that provides instructions to correct the problem.

- Define thresholds, where quarantine occurs after “excessive” filter hits
- Ideal for failed login attempts
- You configure the threshold; traffic is permitted until the threshold is reached
- The threshold is defined by hit count within a certain period

Quarantine Considerations

- Block immediately, or on a threshold?
  - If threshold: how many hits over what time period?
- Web requests: what do you want displayed?
  - Nothing, i.e. just block web requests
  - Redirect web requests to an external server
  - Have the IPS display the Quarantine Block page
- Other traffic: block other, non-web traffic?
- Restrictions / Exceptions: hosts that you do or do not want to be quarantined
- Quarantine Access: addresses which can be reached by hosts in quarantine
- How do hosts get released from quarantine? Manually, or automatically (timeout)
- Which filters should trigger IPS Quarantine?

Quarantine Action Set: Quarantine Settings

The IPS examines filter hits by the attacker's IP address. Hit counts are qualified and accumulated within a sliding time window (Period). Quarantine is automatically initiated when the accumulated hit count exceeds the threshold. All qualified hits for a given attacking IP address are accumulated in a single counter. If an attacker uses a variety of attacks, they all contribute to the same accumulated hit count as long as they have the same action set specified. Web requests from the quarantined host can be blocked, redirected to a specific web server, or answered with a template web page. The web page can be customized to include the name and description of the filter causing the quarantine, and/or custom HTML specified by the user.
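The threshold mechanism described above (one hit counter per attacking IP inside a sliding period, shared by every filter with the same action set, with manual or timed release), modelled as an added example; this is illustrative Python written for this page, not TippingPoint code, and the sample hits, the `threshold`/`period_s`/`timeout_s` names and the reading that the count must strictly exceed the threshold are my own assumptions.

```python
from collections import defaultdict, deque

class QuarantineTracker:
    """Per-attacker-IP sliding-window hit counter (illustrative model, not TippingPoint code)."""

    def __init__(self, threshold, period_s, timeout_s):
        self.threshold, self.period_s, self.timeout_s = threshold, period_s, timeout_s
        self.hits = defaultdict(deque)    # src_ip -> timestamps of qualified hits
        self.quarantined = {}             # src_ip -> time quarantine began

    def record_hit(self, src_ip, ts):
        """Return True if src_ip is quarantined after this hit, False if still permitted."""
        if src_ip in self.quarantined:
            return True                   # already held: traffic is blocked or redirected
        window = self.hits[src_ip]        # all filters sharing this action set feed one counter
        window.append(ts)
        while window and ts - window[0] > self.period_s:   # slide the window
            window.popleft()
        if len(window) > self.threshold:  # assumption: strictly exceeds, as in the slide text
            self.quarantined[src_ip] = ts
            window.clear()                # counter restarts once the host is released
            return True
        return False

    def release(self, src_ip):
        """Manual release by the administrator."""
        self.quarantined.pop(src_ip, None)

    def release_expired(self, now):
        """Automatic release on timeout; returns the IPs released."""
        expired = [ip for ip, t0 in self.quarantined.items() if now - t0 >= self.timeout_s]
        for ip in expired:
            del self.quarantined[ip]
        return expired

# Constructed sample filter hits: (timestamp_s, attacker_ip, filter_name)
SAMPLE_HITS = [
    (0, "10.0.0.5", "Login Failure: SSH"), (10, "10.0.0.5", "Login Failure: SSH"),
    (20, "10.0.0.5", "Login Failure: HTTP"),  # other filter, same action set, same counter
    (30, "10.0.0.5", "Login Failure: SSH"),   # 4th hit inside 60 s: exceeds threshold 3
    (0, "10.0.0.9", "Login Failure: SSH"), (100, "10.0.0.9", "Login Failure: SSH"),
    (200, "10.0.0.9", "Login Failure: SSH"), (300, "10.0.0.9", "Login Failure: SSH"),
]

def run(hits=SAMPLE_HITS, threshold=3, period_s=60, timeout_s=600):
    """Replay hits in time order; the returned tracker's .quarantined maps IP -> start time."""
    tracker = QuarantineTracker(threshold, period_s, timeout_s)
    for ts, ip, _name in sorted(hits):
        tracker.record_hit(ip, ts)
    return tracker
```

The slow source at 10.0.0.9 never has more than one hit inside any 60 s window, so it stays permitted, while the burst from 10.0.0.5 is quarantined on its fourth hit.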
