Archived
TD0325: Inline mode for Signature-based IPS policies
Publication Date
2018.05.21
Protection Profiles
EP_IPS_V2.11
Other References
IPS_SBD_EXT.1.5
Issue Description
IPS_SBD_EXT.1.5 requires that the product must allow the traffic flow or drop the traffic flow in inline mode. This is only possible if inspection, detection, and the drop are performed by signature rule in inline mode (i.e., the hardware is designed to always drop malicious attacks).
Resolution
The IPS_SBD_EXT.1.5 SFR is replaced with the text below; its Application Note is unchanged:
IPS_SBD_EXT.1.5 The TSF shall allow the following operations to be associated with signature-based IPS policies:
· In any mode, for any sensor interface: [selection:
  o allow the traffic flow;
  o send a TCP reset to the source address of the offending traffic;
  o send a TCP reset to the destination address of the offending traffic;
  o send an ICMP [selection: host, destination, port] unreachable message;
  o trigger a non-TOE network device to block the offending traffic pattern]
· In inline mode:
  o block/drop the traffic flow;
  o and [selection:
    § allow all traffic flow;
    § allow the traffic flow with following exceptions: [assignment: malicious traffic such as but not limited to IPS_EXT.1.3 and IPS_EXT.1.4 if always dropped];
    § modify and forward packets before they pass through the TOE].
Justification
The intent of IPS_SBD_EXT.1.5 is to govern the rules available when creating new signatures. It was not intended to cover signatures that are applied automatically before traffic reaches the signature detection engine.