Intrusion prevention system
Principle of operation
The IPS (Intrusion Prevention System) is an optional security component of the Selectel firewall. It detects, blocks, and alerts you to almost all types of network attacks.
Selectel IPS is implemented as a Snort-based software module in the Selectel firewall. The module inspects traffic that has already been filtered by the firewall. Inspection uses regularly updated rules from the Snort development community; you can also add your own rules for detecting and blocking network attacks.
Limitations
IPS on the Selectel firewall does not protect:
- from attacks on application logic (L7); use WAF Curator for protection at this level;
- from non-network attacks, such as misuse of users' superuser rights.
Cost
You can connect IPS on the Selectel firewall for free. Only the firewall itself is paid for; for details, see the article Hardware Firewall Payment Model and Pricing.
Connect IPS
- Connect to the Selectel firewall.
- Configure the IPS module.
- Add and configure the network interface.
- Customize existing rules.
- Optional: create your own rules.
- Enable IPS on the interface.
1. Connect to a Selectel firewall
- Open the page in your browser:
https://<ip_address>:5443
where <ip_address> is the IP address of the firewall.
- Enter the login and password you received in the ticket after ordering the firewall. The main page of the GUI with the dashboard opens.
2. Configure the IPS module
- From the Services menu, go to the Snort section.
- Open the Global settings tab.
- For the repositories containing the rules you want, check the Click to enable download of ..... boxes.
- Optional: configure the update check intervals for enabled rule packs in the Rules Update Settings block.
- Optional: make general settings in the General Settings block.
- Click Save.
- Open the Updates tab.
- Click Update Rules and download the selected rule repositories.
- Optional: make the other settings.
- Click Save.
3. Add and configure the network interface
- From the Services menu, go to the Snort section.
- Open the Snort Interfaces tab.
- Press + Add.
- Select the interface on which you want to enable IPS.
- Optional: to have the IPS log shown in the overall firewall log, check the Send Alerts to System Log checkbox in the Alert Settings block.
- In the Block Settings block, check the Block Offenders checkbox.
- In the IPS Mode field, select the blocking mode:
- Legacy mode — the sources of suspicious traffic are blocked; some suspicious traffic may enter the system before the block takes effect;
- Inline mode — suspicious packets are dropped before they enter the system.
- Click Save.
- Optional: to reduce false positives, open the Variables tab and specify the IP addresses and ports of your servers.
4. Customize existing rules
- From the Services menu, go to the Snort section.
- Open the Snort Interfaces tab.
- In the row of the desired interface, click .
- Open the Rules tab.
- In the Available Rule Categories block, select a category.
- Check the rules in the State column. If necessary, change the state of a rule.
- If you selected Inline mode in the IPS Mode field when configuring the interface (step 7 of section 3), select the rule action in the Action column:
- DEFAULT — use the rule's default action, usually ALERT;
- ALERT — create a log entry;
- DROP — discard the packet;
- REJECT — discard the packet and send a port unreachable message in response.
- Click Apply.
5. Create your own rules
- From the Services menu, go to the Snort section.
- Open the Snort Interfaces tab.
- In the row of the desired interface, click .
- Open the Rules tab.
- In the Available Rule Categories block, select custom.rules.
- In the Defined Custom Rules box, enter the rule text in Snort format. For more information, see the Writing Snort Rules article in the Snort documentation.
- Click Save.
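As an added example (not from the Selectel page or the Snort project), here is a set of three custom rules for the Defined Custom Rules box that also shows how the $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS variables from the Variables tab keep the rules tied to your own servers. The scanner address 10.0.5.10 is a constructed placeholder.

```snort
# Constructed example rules for the Defined Custom Rules box (not Selectel's own rules).
# $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are the standard Snort variables set on the Variables tab.
# SIDs from 1000000 upward are reserved for local rules, so they never collide with downloaded packs.

# 1. Exclude a trusted internal vulnerability scanner (constructed address 10.0.5.10) from
#    inspection so routine scans do not flood the log with false positives.
#    Snort evaluates pass rules before drop and alert rules.
pass ip 10.0.5.10 any -> $HOME_NET any ( \
    msg:"LOCAL pass internal scanner"; \
    sid:1000001; rev:1; )

# 2. Alert on an SSH connection burst: 10 new TCP connections to port 22 from one external
#    source within 60 seconds (detection_filter keeps the counter per source address).
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"LOCAL SSH connection burst from single source"; \
    flow:to_server; flags:S; \
    detection_filter:track by_src, count 10, seconds 60; \
    classtype:attempted-recon; \
    sid:1000002; rev:1; )

# 3. In Inline mode, drop HTTP requests that probe for an exposed .env file; in Legacy mode
#    the event is logged and the source address is blocked instead.
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"LOCAL request for exposed .env file"; \
    flow:to_server,established; \
    content:"/.env"; http_uri; nocase; \
    classtype:web-application-attack; \
    sid:1000003; rev:1; )
```

After saving, check the Alerts tab for the LOCAL messages to confirm the rules loaded and fire as expected.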
6. Enable IPS on the interface
- From the Services menu, go to the Snort section.
- Open the Snort Interfaces tab.
- In the row of the desired interface, click .
- Optional: to view Snort logs, go to Services → Snort → Alerts tab.
- Optional: to view the logs of a network interface, go to Services → Snort → in the row of the desired interface → Logs tab.