Intrusion Prevention System (IPS)

With IPFire 2.23 - Core Update 131, IPFire employs Suricata as an IPS which is secure and fast. It is possible to analyse multiple Gigabit per second on a fast system and search for any malicious traffic.

How does it work?

In IPFire, the IPS supplements the packet filter by not only being able to classify traffic by IP address, protocol and port, but can also look into the packet. By decoding protocols like DNS, HTTP and many more, it can gather additional knowledge about the traffic and identify any unexpected behaviour.

Packets are being passed through the IPS before they are being sent to the firewall engine. However, the Location Block is working in front of the IPS. If a packet is considered malicious it will be dropped by the IPS.

Configuration

The configuration of the IPS has a couple of different steps. On the main page, the system can be enabled or disabled.

At least one network zone has to be selected. All traffic coming from, or going to that zone is being passed to the IPS and being filtered. Traffic of deselected zones is passing through the firewall without scanning.

Monitor Only Mode

Traffic can also just be analysed, but the IPS will not take any action if a packet is considered dangerous. It will be logged, but will pass into the network.

This is useful for debugging rulesets and when you are not sure if you are not accidentally over-blocking.

Whitelisting Hosts

In case of constant false-positives, hosts can be whitelisted. They will no longer be blocked when they are on this list.

As well as hosts, networks (including subnet mask) can be whitelisted, too.

Rulesets

The ruleset is one of the most important parts in an IPS. It defines what is being scanned and what can be found. They basically work like signatures of a virus scanner. Therefore they have to be kept up to date, too.

• Rulesets
• Rule Selection

Performance Considerations

A deep analysis of traffic requires a lot of resources in terms of CPU and memory. Read more about what resources are needed for which environment.

FAQ

What is an Intrusion Prevention System (IPS)?

An IPS can take action if an intrusion has been detected. An Intrusion Prevention System (IPS), also known as Intrusion Detection and Prevention System (IDPS), is a program or security appliance that monitors network or system activities for malicious activity and log information about this activity, report it and attempt to block or stop it.

IPFire features a Network-based Intrusion Prevention System capabilities.

Further Reading

• Suricata User Guide
• IPFire Community post - baselining IPS
• The Snort Cookbook
• Overview of the Emergingthreats.net Community Rules
• FAQ to the Emergingthreats.net Community Rules
• ET Category Descriptions (PDF)
• The CIArmy list (blacklist)
• Open Threat Intelligence
• Mailing list for updates to the Emerging Threats
• SpamHaus DROP list
• IPFire Blog article - IPS configuration recommendations for IPFire users
• Suricata support forum