Intrusion prevention system
Principle of operation
The IPS (Intrusion Prevention System) is an optional security system within the Selectel firewall. IPS detects, blocks, and alerts you to almost all types of network attacks.
In the Selectel firewall, IPS is implemented as a Snort-based software module. The system checks the traffic that has already passed firewall filtering. Regularly updated rules from the Snort development community are used to inspect traffic. You can add your own rules to detect and block network attacks.
Limitations
IPS on the Selectel firewall does not protect:
- from attacks on application logic (L7). For protection at this level, use WAF Curator;
- against any non-network attacks, such as user super rights.
Cost
You can connect IPS on a Selectel firewall for free. You only have to pay for the firewall, see the article for more details Hardware firewall payment and pricing model.
Connect IPS
- Connect to the Selectel firewall.
- Configure the IPS module.
- Add and configure the network interface.
- Customize existing rules.
- Optional: create your own rules.
- Enable IPS on the interface.
1. Connect to the Selectel firewall
-
Open the page in your browser:
https://<ip_address>:5443Specify
<ip_address>— The IP address of the firewall. -
Enter the username and password received in the ticket after the firewall order. The main page of the GUI with the dashboard will open.
2. Configure the IPS module
- On the menu Services go to Snort.
- Open the tab Global settings.
- For repositories with the desired rules, check the checkboxes Click to enable download of ....
- Optional: configure the update check intervals for enabled rule packets in the block Rules Update Settings.
- Optional: make general settings in the block General Settings.
- Click Save.
- Open the tab Updates.
- Click Update Rules and download the selected rule repositories.
- Optional: make the other settings.
- Click Save.
3. Add and configure the network interface
-
On the menu Services go to Snort.
-
Open the tab Snort Interfaces.
-
Click + Add.
-
Select the interface on which you want to enable IPS.
-
Optional: have the IPS log displayed in the overall firewall log, in the block Alert Settings check the box Send Alerts to System Log.
-
In the block Block Settings check the box Block Offenders.
-
In the field IPS Mode select the lock mode:
- Legacy mode — sources of suspicious traffic are blocked, some amount of suspicious traffic may enter the system before it is blocked;
- Inline mode — suspicious traffic packets are blocked without entering the system.
-
Click Save.
-
Optional: to reduce the number of false positives, open the tab Variables and specify the IP addresses and ports of your servers.
4. Customize existing rules
-
On the menu Services go to Snort.
-
Open the tab Snort Interfaces.
-
In the row of the desired interface, click .
-
Open the tab Rules.
-
In the block Available Rule Categories select a category.
-
In the column State check the rules. If necessary, change the state of the rule.
-
If at module configuration in step 7 you selected the mode Inline modein the column Action select a rule action:
- DEFAULT — set the default action of the rule, usually ALERT;
- ALERT — to create a log entry;
- DROP — throw the bag away;
- REJECT — discard the packet and send a port unavailability message in response.
-
Click Apply.
5. Create your own rules
- On the menu Services go to Snort.
- Open the tab Snort Interfaces.
- In the row of the desired interface, click .
- Open the tab Rules.
- In the block Available Rule Categories select custom.rules.
- In the block Defined Custom Rules enter the text of the rules in Snort format. Read more in the article Writing Snort Rules Snort documentation.
- Click Save.
6. Enable IPS on the interface
- On the menu Services go to Snort.
- Open the tab Snort Interfaces.
- In the row of the desired interface, click .
- Optional: to view the Snort logs, go to Services → Snort → tab Alerts.
- Optional: To view the logs of the network interface, go to the section Services → Snort → in the row of the desired interface → tab Logs.