wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


en:configuration:services:ids

Intrusion Detection System

What is it?

An Intrusion Detection System (short: IDS) is a program or a framework supposed to detect, analyze and block network attacks. It does not replace a packet filter (which is enabled in IPFire by default, see Firewall Documentation), but can eliminate some disadvantages of it.

There are basically two types of IDSs: Host-based Intrusion Detection Systems (short: HIDS), which are running on a single computer, and Network-based Intrusion Detection Systems (short: NIDS). A NIDS is able to protect a complete network and is normally running on a firewall, gateway or dedicated server. Needless to say, the IDS IPFire uses is network-based.

How does it work?

A packet filter, as mentioned above, can be compared to a gateman: He/She/It has only limited information about a network packet (or a visitor, to follow the example), such as source, destination, type and a few more. An Intrusion Detection System, however, is more like a security guard, who is able to inspect the visitor for arms or spy tools. Further, the security guard has access to lists of wanted and other documents.

So, an IDS is able to detect harmful network packets because of their content, or because the source appears in some blacklists, or because the network traffic looks like an attack. A packet filter (normally) is unable to operate at this level. Again, IDS and packet filter cannot replace each other, they are both important to provide a good level of network security.

The IDS used by IPFire is called snort (its homepage can be found here). It uses so-called rules, which are aggregated in rule databases and can be downloaded from certain web sites. These rules contain patterns or blacklisted IPs and are named in order to provide a better overview of their functionality.

What rules are there?

There are four rule sources available:

  1. Emergingthreats.net Community Rules – They are free and community-maintained rules (further information) and cover scanning activities, attack patterns agains various protocols, blacklists and more. No registration is required to use those rules.
  2. Snort/VRT GPLv2 Community Rules – These are free and GPL licenced snort rules. Usually, the quality is good. Accoding to the Snort blog, no registration is required.
  3. Sourcefire VRT rules for registered users – These rules are usually more than 30 days old and can be used for free. Registration is required. Usually, the quality of these rules is a bit better than these of the Emergingthreats.net Community Rules.
  4. Sourcefire VRT rules with subscription – Same as above, but they are chargeable and more current. These might be useful in productive environment, where you need reliable and up-to-date IDS rules.

Disadvantages of an IDS

Of course, there are some negative aspects when running an IDS. Some of them are quite annoying, but not critical, some might prevent you from setting up the IDS on IPFire.

  1. An active IDS requires a lot of system resources, such as RAM and CPU load. In general, 2 GByte of RAM and a fast CPU (few faster cores are better than many slow ones) should be there if you want or need an IDS.
  2. Until Core Update 100, the IDS was not running on ARM devices because of a bug. Please make sure to run the latest version of IPFire available.
  3. It is strongly recommended to install and use the Guardian Add-On if you are running an IDS. The Add-On automatically blocks IP addresses which behave strange and trigger IDS alerts. Without it, your IDS is without any effect since it only reports problems, but does not potect your network because attackers can just carry on.
  4. At the moment, the rule database cannot be updated automatically, so you'll need to check for and install rule updates manually, e.g. every 14 days.
  5. An IDS is not a magic bullet. Please use this guide to make your firewall system stronger against attacks: IPFire Security hardening

Now for the practice

Enough chit chat, let's set up the IDS.

Choose the networks your IDS should protect

First, open the WebIF and go to “Services|Intrusion Dectection”; the page is not a very big deal at this moment since the IDS is not running.

Second, choose the network interfaces you want the IDS to be active on. Usually, you might at least enable it for the RED interface since it should protect you against attacks from the internet. But also internal networks, such as GREEN and BLUE, can be monitored.

The more networks you check, the more system resources will be later needed for the IDS. Further, the rules you will activate in the next step will affect all activated networks.

Hit “Save” after you made your choice.

FIXME add the guardian part here

Download the rule database

Choose the rule database you want to use from the dropdown box and enter the registration code in the input field, if necessary. Again, hit “save” for the changes to take effect.

Then, download the rule database by clicking at “download new ruleset”. This procedure may take a while; the actual speed depends from your internet connection speed and the clock speed of your CPU.

Choose rules

This part is the most difficult one: You need to choose which rules should be active.

This decision depends on the needs of your network (active services, used protocols, type of network, …) and your personal gut feeling. Please refer to the homepage of your rule source to get further information about the purpose of some rule categories.

We cannot give you any advice here.

Select the rules you want to be active by clicking at the checkbox. After that, hit the “update” button at the end of the web page. The IDS will restart now to apply the changes.

Again, please make sure to install and activate the Guardian Add-On, too.

Further readings

Translations of this page?:
en/configuration/services/ids.txt · Last modified: 2016/07/21 17:09 by twilson