An Intrusion Detection System (IDS) is a program or framework designed to detect, analyse and block network attacks. It does not replace a packet filter (which is enabled in IPFire by default, see Firewall Documentation) but can eliminate some of its limitations.
There are basically two types of IDSs: Host-based Intrusion Detection Systems (HIDS), which are running on a single computer, and Network-based Intrusion Detection Systems (NIDS). A NIDS is able to protect a complete network and is normally running on a firewall, gateway or dedicated server. IPFire features a NIDS.
A packet filter can be compared to a doorman: it has only limited information about a network packet, such as source, destination and type. An Intrusion Detection System is more like a security guard, who is able to inspect the visitor for arms or spy tools. Further, the security guard has access to wanted lists and other documents.
So an IDS is able to detect harmful network packets by their content, because the source address appears in a blacklist, or because the network traffic looks like a known attack. A packet filter is (normally) unable to operate at this level. Again, IDS and packet filter cannot replace each other; both are needed to provide a good level of network security.
The IDS used by IPFire is called Snort. Snort uses rules, which are combined in rule databases and can be downloaded from certain web sites. These rules contain patterns or blacklisted IPs.
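As an added illustration of the doorman-versus-security-guard distinction above (example code, not IPFire's or Snort's own): a matcher for a small subset of Snort rule syntax, where header_match is all a packet filter can see and inspect adds the payload pattern and the reputation-list check that only an IDS can make. The $HOME_NET value, the networks, the packets and the rule sids are constructed for the example.

```python
import re
import ipaddress
# Added example (not IPFire or Snort code): a matcher for a small subset of
# Snort rule syntax. Rules, networks and packets below are constructed.
RULE_RE = re.compile(
    r"^(?P<action>alert|drop)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Split a rule into its header fields plus a dict of 'name:value;' options."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    fields = m.groupdict()
    fields["opts"] = dict(re.findall(r'(\w+):"?([^";]*)"?;', fields["opts"]))
    return fields

def addr_match(spec, ip, variables):
    """spec is 'any', a $VARIABLE, one CIDR, or a bracketed list of them."""
    spec = variables.get(spec, spec)
    if spec == "any":
        return True
    nets = (ipaddress.ip_network(n, strict=False) for n in spec.strip("[]").split(","))
    return any(ipaddress.ip_address(ip) in net for net in nets)

def header_match(rule, pkt, variables):
    """The packet-filter view: protocol, addresses and ports only, no payload."""
    port_ok = lambda spec, port: spec == "any" or int(spec) == port
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"], variables)
            and addr_match(rule["dst"], pkt["dst"], variables)
            and port_ok(rule["sport"], pkt["sport"])
            and port_ok(rule["dport"], pkt["dport"]))

def inspect(rules, pkt, variables):
    """The IDS view: header match AND, if the rule has one, a payload pattern."""
    hits = []
    for rule in rules:
        content = rule["opts"].get("content")
        if header_match(rule, pkt, variables) and (content is None or content in pkt["payload"]):
            hits.append(rule["opts"]["sid"])
    return hits

VARIABLES = {"$HOME_NET": "192.0.2.0/24"}   # constructed stand-in for the GREEN network
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> $HOME_NET 80 (msg:"constructed: passwd probe"; content:"/etc/passwd"; sid:1000001;)',
    'alert ip [203.0.113.0/24,198.51.100.7] any -> $HOME_NET any (msg:"constructed: reputation list"; sid:1000002;)',
)]
```

A benign and a hostile request to port 80 look identical to header_match, which is exactly the packet filter's limitation; the second rule fires on the source address alone, as a blacklist rule does.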
There are four rule sources available:
There are some negative aspects to running an IDS. Most are not critical, but some could prevent you from setting up the IDS on IPFire.
First, open the WebUI and go to “Services|Intrusion Detection”. The page shows little at this point, since the IDS is not running yet.
Second, choose the network interfaces on which the IDS should be active. Usually you will want to enable it at least on the RED interface, since it should protect you against attacks from the internet. Internal networks, such as GREEN and BLUE, can be monitored as well.
The more networks you monitor, the more system resources the IDS will need later. Further, the rules you activate in the next step apply to all selected networks.
Hit “Save” after you have made your choice.
Choose the rule database you want to use from the dropdown box and enter the registration code in the input field, if necessary. Again, hit “Save” for the changes to take effect.
Then download the rule database by clicking on “download new ruleset”. This may take a while; the actual speed depends on your internet connection and the clock speed of your CPU.
This part is the most difficult: you need to choose which rules should be active.
This decision depends on the needs of your network (such as the operating systems in use, active services and protocols in use). Please refer to the homepage of your rule source for further information about the purpose of the individual rule categories.
Some rules are based on blacklists (such as the Emerging Threats CIArmy list) and indicate that a certain IP has a bad reputation for some reason. If such an address appears in the log files, this does not necessarily mean that it attacked your firewall, unless it also triggered some other rules. Nevertheless, it is usually safe to use IDS rules based on blocklists, since they are very conservative most of the time, which makes blocking a legitimate IP address very unlikely.
We cannot give you any advice here.
Select the rules you want to be active by clicking on their checkboxes. After that, hit the “update” button at the end of the web page. The IDS will now restart to apply the changes.
It is highly recommended that you also install and activate the Guardian Add-On