An Intrusion Detection System (short: IDS) is a program or framework intended to detect and analyze network attacks; combined with a blocking component such as the Guardian add-on (see the end of this page) it can also block them. It does not replace a packet filter (which is enabled in IPFire by default, see the Firewall Documentation), but it compensates for some of the packet filter's limitations.
There are basically two types of IDS: Host-based Intrusion Detection Systems (short: HIDS), which run on a single computer and watch only that computer, and Network-based Intrusion Detection Systems (short: NIDS), which watch the traffic of a whole network and normally run on a firewall, gateway or dedicated server. Needless to say, the IDS IPFire uses is network-based.
A packet filter, as mentioned above, can be compared to a gatekeeper who has only limited information about a network packet (or a visitor, to stay with the picture): source, destination, type and a few more header fields. An Intrusion Detection System is more like a security guard who can search the visitor for weapons or surveillance devices, and who also has access to lists of wanted persons and similar documents.
So an IDS can detect harmful network packets by their content, because the source appears on a blacklist, or because the traffic pattern looks like an attack. A packet filter normally cannot operate at this level. Again, IDS and packet filter cannot replace each other; both are needed for a good level of network security.
The IDS used by IPFire is called snort (see the snort project homepage). It uses so-called rules, which are grouped into rule sets that can be downloaded from certain web sites. These rules contain patterns or blacklisted IPs and are named in a way that gives an overview of their function.
There are four rule sources available:
Of course, running an IDS also has negative aspects. Some are merely annoying, others might prevent you from setting up the IDS on IPFire at all.
Enough chit chat, let's set up the IDS.
First, open the WebIF and go to “Services | Intrusion Detection”; the page shows little as long as the IDS is not running.
Second, choose the network interfaces the IDS should be active on. Usually you will want to enable it at least on the RED interface, since that is where attacks from the internet arrive. Internal networks such as GREEN and BLUE can be monitored as well.
The more networks you check, the more system resources the IDS will need later. Further, the rules you activate in the next step apply to all selected networks.
Hit “Save” after you made your choice.
Choose the rule set you want to use from the dropdown box and, if necessary, enter the registration code in the input field. Again, hit “Save” for the changes to take effect.
Then download the rule set by clicking “download new ruleset”. This may take a while; the time depends on the speed of your internet connection and of your CPU.
This part is the most difficult one: you need to choose which rules should be active.
The decision depends on the needs of your network (active services, protocols in use, type of network, …) and on your personal judgement. Please refer to the homepage of your rule source for information about the purpose of the individual rule categories.
Some rules are based on blocklists, such as the CIArmy list, and only indicate that a certain IP address has a bad reputation for some reason. If such an address shows up in the log files, this does not necessarily mean it was really attacking your firewall, unless it also triggered other rules. Nevertheless, it is usually safe to enable blocklist-based rules: these lists are mostly quite conservative, so blocking a legitimate IP address is very unlikely.
Beyond that, we cannot give you any general advice here.
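To make the difference between the two rule styles mentioned above (content signatures versus blocklist rules) concrete, here is a small added example. It is not code from IPFire or from snort; it parses a tiny subset of the snort rule syntax and evaluates constructed sample packets against one signature rule and one blocklist-style rule. The network layout ($HOME_NET = 192.168.0.0/24), the rule sids, the addresses and the packets are all made up for the illustration.

```python
"""Tiny snort-style rule matcher (added illustration, not IPFire or snort code).

Supports only: action, protocol, src/dst address and port, the msg:, content:
and sid: options. Real snort rules offer far more (|hex| content, pcre:, flow:,
thresholds, ...), none of which is modelled here.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical network layout: GREEN is 192.168.0.0/24, everything else is external.
VARIABLES = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "!$HOME_NET"}

# Constructed example rules; sids and addresses are invented, not from a real rule set.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACK directory traversal"; content:"../../"; sid:1000001;)
alert ip [198.51.100.7,203.0.113.0/24] any -> $HOME_NET any (msg:"BLOCKLIST known bad source"; sid:1000002;)
'''

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+):"?([^";]*)"?;')


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    content: Optional[bytes]  # None for rules without a content: option


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rules(text: str) -> list[Rule]:
    """Parse the supported subset; raise on anything else rather than guessing."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        opts = dict(OPT_RE.findall(m["opts"]))
        content = opts.get("content")
        rules.append(Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"],
                          m["dport"], opts.get("msg", ""), int(opts["sid"]),
                          content.encode() if content is not None else None))
    return rules


def rule_kind(rule: Rule) -> str:
    """An address-only rule behaves like a blocklist: any traffic from a listed source fires."""
    return "signature" if rule.content else "blocklist"


def addr_matches(spec: str, ip) -> bool:
    """Evaluate a snort address spec: any, $VAR, !spec, host, CIDR or [a,b,...]."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return addr_matches(VARIABLES[spec], ip)
    if spec.startswith("["):
        return any(addr_matches(part, ip) for part in spec[1:-1].split(","))
    return ip in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, ip_address(pkt.src)) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (addr_matches(rule.dst, ip_address(pkt.dst)) and port_matches(rule.dport, pkt.dport)):
        return False
    # content: is a plain, case-sensitive byte match anywhere in the payload
    return rule.content is None or rule.content in pkt.payload


def alerts_for(pkt: Packet, rules: list[Rule]) -> list[int]:
    """Return the sids of all alert rules that fire on the packet (several may fire)."""
    return sorted(r.sid for r in rules if r.action == "alert" and rule_matches(r, pkt))


# Constructed sample traffic, not captures.
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\n"
SAMPLE_PACKETS = {
    "listed_ip_benign": Packet("tcp", "203.0.113.45", 51000, "192.168.0.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    "unlisted_ip_traversal": Packet("tcp", "198.51.100.200", 51001, "192.168.0.10", 80, TRAVERSAL),
    "listed_ip_traversal": Packet("tcp", "203.0.113.45", 51002, "192.168.0.10", 80, TRAVERSAL),
    "internal_traversal": Packet("tcp", "192.168.0.5", 51003, "192.168.0.10", 80, TRAVERSAL),
}


def demo() -> dict[str, list[int]]:
    rules = parse_rules(SAMPLE_RULES)
    return {name: alerts_for(pkt, rules) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        print(f"sid {r.sid} ({rule_kind(r)}): {r.msg}")
    for name, sids in demo().items():
        print(f"{name:24s} -> {sids or 'no alert'}")
```

The first packet is an ordinary request from a listed address: only the blocklist rule (sid 1000002) fires, which is exactly the "bad reputation, but not necessarily an attack" case described above. The second packet carries a traversal attempt from an address that is on no list: only the signature rule fires. The third triggers both, and the fourth shows that the same payload from inside GREEN matches neither, because $EXTERNAL_NET excludes $HOME_NET.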
Select the rules you want to be active by ticking their checkboxes, then hit the “update” button at the bottom of the page. The IDS restarts to apply the changes.
Finally, make sure to install and activate the Guardian add-on as well: snort itself only detects and logs, Guardian is what actually blocks the offending addresses.