Intrusion Prevention System
The documentation describes common scenarios and configurations for the firewall. You can find advanced scenarios and a description of all settings in the official pfSense documentation.
How it works
The Intrusion Prevention System (IPS) is an additional security system included with the Selectel firewall. IPS detects and blocks almost all types of network attacks and sends notifications about them.
In the Selectel firewall, IPS is implemented as a software module based on Snort. The system checks traffic that has already passed firewall filtering. Traffic is checked using regularly updated rules from the Snort development community. You can add your own rules for detecting and blocking network attacks.
Limitations
The IPS on a Selectel firewall does not protect against:
- against application-level (L7) attacks. For protection at this level, use WAF;
- against any non-network attacks, for example, gaining user superuser rights.
Pricing
IPS can be enabled on a Selectel firewall at no extra cost. Only the firewall itself is charged; see the Hardware Firewall Payment Model and Prices guide for more details.
Connect IPS
- Connect to a Selectel firewall.
- Configure the IPS module.
- Add and configure a network interface.
- Configure existing rules.
- Optional: create custom rules.
- Enable IPS on the interface.
1. Connect to a Selectel firewall
-
Open the following page in your browser:
https://<ip_address>:5443Specify
<ip_address>— the IP address of the firewall. -
Enter the username and password provided in the ticket after ordering the firewall. The main page of the graphical interface with the dashboard will open.
2. Configure the IPS module
- In the Services menu, go to the Snort section.
- Open the Global settings tab.
- For repositories with the necessary rules, check the **Click to enable download of ** checkboxes....
- Optional: configure the frequency of update checks for the enabled rule packages in the Rules Update Settings block.
- Optional: perform general configuration in the General Settings block.
- Click Save.
- Open the Updates tab.
- Click Update Rules and download the selected rule repositories.
- Optional: configure other settings.
- Click Save.
3. Add and configure a network interface
-
In the Services menu, go to the Snort section.
-
Open the Snort Interfaces tab.
-
Click + Add.
-
Select the interface on which you want to enable IPS.
-
Optional: to display the IPS log in the general firewall log, in the Alert Settings block, check the Send Alerts to System Log checkbox.
-
In the Block Settings block, check the Block Offenders checkbox.
-
In the IPS Mode field, select the blocking mode:
- Legacy mode — suspicious traffic sources are blocked; some suspicious traffic may reach the system before the block is applied;
- Inline mode — suspicious traffic packets are blocked before they reach the system.
-
Click Save.
-
Optional: to reduce the number of false positives, open the Variables tab and specify the IP addresses and ports of your servers.
4. Configure existing rules
-
In the Services menu, go to the Snort section.
-
Open the Snort Interfaces tab.
-
In the row of the required interface, click .
-
Open the Rules tab.
-
In the Available Rule Categories block, select a category.
-
In the State column, check the rules. If necessary, change the rule state.
-
If you selected Inline mode at step 7 when configuring the module, in the Action column, select a rule action:
- DEFAULT — set the default rule action, usually ALERT;
- ALERT — create a log entry;
- DROP — drop the packet;
- REJECT — drop the packet and send a port unreachable message in response.
-
Click Apply.
5. Create custom rules
- In the Services menu, go to the Snort section.
- Open the Snort Interfaces tab.
- In the row of the required interface, click .
- Open the Rules tab.
- In the Available Rule Categories block, select custom.rules.
- In the Defined Custom Rules block, enter the rules in Snort format. For more details, see the Writing Snort Rules page in the Snort documentation.
- Click Save.
6. Enable IPS on the interface
- In the Services menu, go to the Snort section.
- Open the Snort Interfaces tab.
- In the row of the required interface, click .
- Optional: to view Snort operation logs, go to Services → Snort → the Alerts tab.
- Optional: to view network interface operation logs, go to Services → Snort → in the required interface's row → the Logs tab.