Intrusion prevention system

Working principle

An IPS, or Intrusion Prevention System, is an optional security component of a firewall. It detects and alerts on almost all types of network attacks and can block the attacks it detects.

In the Selectel firewall, IPS is implemented as a Snort-based software module. It inspects traffic that has already passed firewall filtering. Traffic is checked against regularly updated rules from the Snort development community, and you can also add your own rules to detect and block network attacks.

Restrictions

IPS on the Selectel firewall does not protect against the following types of attacks:

  • application-logic attacks (L7). For protection at this level, use WAF Qrator;
  • any non-network attacks, such as a user obtaining superuser privileges on a host.

Cost

You can connect IPS on a Selectel firewall for free. Only the firewall is payable, see Hardware Firewall Payment Model and Pricing for details.

Connect IPS

  1. Make sure that you have ordered a Selectel firewall and have access to its GUI.
  2. Configure the IPS module.
  3. Add and configure the network interface.
  4. Configure existing rules.
  5. Optional: create your own rules.
  6. Enable IPS on the interface.

Configure the IPS module

  1. In the GUI main menu, go to Services → Snort.
  2. Open the Global settings tab.
  3. Select the repositories from which you want to use the rules by checking the Click to enable download of ... checkboxes.
  4. Optional: set the settings in the Rules Update Settings and General Settings blocks.
  5. Press Save.
  6. Open the Updates tab.
  7. To download the selected rule repositories, click Update Rules.
  8. Optional: set the settings on the other tabs.

Add and configure the network interface

  1. In the GUI main menu, go to Services → Snort.

  2. Open the Snort Interfaces tab.

  3. Press + Add.

  4. Select the interface on which you want to enable IPS.

  5. Optional: To display the IPS log in the overall firewall log, in the Alert Settings block, check the Send Alerts to System Log checkbox.

  6. In the Block Settings block, check the Block Offenders checkbox.

  7. Select the blocking mode (IPS Mode):

    • Legacy mode — the source of suspicious traffic is blocked after a rule fires, so some suspicious packets may reach the system before the block takes effect;
    • Inline mode — suspicious packets are dropped before they enter the system.
  8. Optional: specify settings in other blocks on the page.

  9. Press Save.

  10. Optional: to reduce false positives, go to the Variables tab and specify the IP addresses and ports of your servers.

Customize existing rules

  1. In the GUI main menu, go to Services → Snort.

  2. Open the Snort Interfaces tab.

  3. In the row of the desired interface, click .

  4. Open the Rules tab.

  5. Check that the rules from the selected categories are enabled: in the Available Rule Categories block select a category, then in the State column check or set the required state for each rule.

  6. If you selected Inline mode when configuring the module, change the action of the rule in the Action column:

    • DEFAULT — use the rule's default action, usually ALERT;
    • ALERT — create a log entry;
    • DROP — discard the packet;
    • REJECT — discard the packet and send a rejection in response (a TCP reset or an ICMP port-unreachable message, depending on the protocol).
  7. Press Apply.

Create your own rules

  1. In the GUI main menu, go to Services → Snort.
  2. Open the Snort Interfaces tab.
  3. In the row of the desired interface, click .
  4. Open the Rules tab.
  5. In the Available Rule Categories block, select custom.rules.
  6. In the Defined Custom Rules block, enter the rules as text in Snort rule syntax, one rule per line.
  7. Press Save.
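As an added example of what can be pasted into the Defined Custom Rules block (these rules are not from the Selectel documentation or the Snort community rule sets), below are three local rules in Snort 2 syntax. They assume that $HOME_NET, $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS have been set on the Variables tab, and use sid values from 1000000 upwards, the range Snort reserves for local rules; the msg texts and sid/rev numbers are chosen here and carry no special meaning.

```snort
# Added example of custom Snort 2 rules (not from the Selectel page or the Snort rule sets).
# Assumptions: $HOME_NET, $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS are defined on the
# Variables tab; sid >= 1000000 is the local-rule range; msg/sid/rev values are ours.

# 1. Alert on a burst of new SSH connections to one internal host (brute-force indicator).
#    detection_filter keeps the rule quiet until one source sends more than 20 SYNs in 60 s,
#    which reduces false positives from ordinary logins.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH connection burst from one source"; flags:S; detection_filter:track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)

# 2. Drop outbound cleartext Telnet from the internal network (policy enforcement).
#    The drop action only takes effect in Inline mode; in Legacy mode it behaves like alert
#    followed by blocking the offending source.
drop tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"LOCAL outbound Telnet blocked by policy"; flow:to_server,established; classtype:policy-violation; sid:1000002; rev:1;)

# 3. Alert on an HTTP request whose normalized URI contains a path-traversal probe for /etc/passwd.
#    http_uri restricts the content match to the URI buffer; nocase makes it case-insensitive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL path traversal probe for /etc/passwd in URI"; flow:to_server,established; content:"/etc/passwd"; http_uri; nocase; classtype:web-application-attack; sid:1000003; rev:1;)
```

After saving, the custom.rules category must be enabled on the Rules tab of the interface, and the interface must be restarted for the new rules to load. Rule 1 is a useful test case for the Variables tab: if $HOME_NET is left at its default and covers more than your own servers, the detection_filter counts connections to hosts you do not manage and produces noise.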

Enable IPS on the interface

  1. In the GUI main menu, go to Services → Snort.

  2. Open the Snort Interfaces tab.

  3. In the row of the desired interface, click . IPS will start working, logs will be displayed:

    • in the general Snort logs (Services → Snort → Alerts tab);
    • in the interface logs (Services → Snort, in the row of the required interface → Logs tab).
  4. Optional: To disable IPS on an interface, in the row of the desired interface, click .