The Intrusion Prevention System is only effective if you enable appropriate rules.
The more rules you activate, the more likely you are to catch an intruder. However, more rules also mean more false-positive alerts and more load on IPFire. If IPFire is under high load from processing many complex rules, the performance of your whole network may suffer.
Choosing rulesets and rules requires you to have a good understanding of your network. It is very helpful, but not required, to be familiar with historic security vulnerabilities (especially those which were given fancy names, like Heartbleed and EternalBlue) and aware of penetration testing tools (like Metasploit).
This is not a simple process and it will take some time to come up with appropriate configuration to suit your needs.
Selecting the right rules takes a scientific approach: experimentation, time and frequent monitoring. When rules fire, the alerts need to be investigated. This procedure explains how you can tune your IPS so that it performs well on your network.
In order to select the right rules for your network you need to understand the systems and applications on it.
IPFire has a variety of rulesets to choose from. Some are optimised for protecting servers in data centres, while others contain rules to detect malware on client computers and mobile devices. Selecting a ruleset and rules requires detailed knowledge of the systems and applications used on your network.
It may be wise to enable “Monitor traffic only” mode when starting out if you find IPS rules are regularly causing legitimate traffic to be blocked. When time has passed and you have tuned your rules you should select “Enable Intrusion Prevention System” in the UI.
Never enable all rules in a category. This will slow down your network and will generate many false-positive alerts.
When first enabling a new category of rules, carefully read the names of all the rules that are enabled by default and check that they won't block legitimate traffic on your network.
Regularly check the IPFire IPS Log Viewer for activated rules and very high CPU usage.
If you are not certain which rules to use, have a professional consultant advise you on how best to protect your network.
Although an IPS is designed to provide automated protection, it is of limited benefit unless activated rules are investigated!
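The monitoring step above (checking the log for which rules fire, and deciding which ones are false positives) is easier with a per-rule summary. The following is an added example, not code from the IPFire project or wiki: it parses IPS alerts, counts hits per rule (SID), notes how many were actually dropped, and flags rules that fired only on local-to-local traffic, the usual first candidates for review. It assumes the Suricata fast.log record format (IPFire's IPS engine is Suricata); the sample records, SIDs and messages are constructed.

```python
import re
import ipaddress
from collections import defaultdict
# Assumed record shape (Suricata fast.log): TIMESTAMP  [Drop] [**] [gid:sid:rev] MSG [**] [Classification: C] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>w?Drop)\]\s+)?\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample records: SIDs in the local range (>= 1000000) and made-up messages, not real rules.
SAMPLE_LOG = """\
03/11/2024-10:01:15.000002  [Drop] [**] [1:9000001:1] EXAMPLE exploit attempt against web client [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:80 -> 192.168.1.21:51030
03/11/2024-10:02:01.000003  [**] [1:9000002:1] EXAMPLE protocol anomaly in SMB session [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.10:34567 -> 192.168.1.5:445
03/11/2024-10:02:02.000004  [**] [1:9000002:1] EXAMPLE protocol anomaly in SMB session [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.10:34568 -> 192.168.1.5:445
03/11/2024-10:02:03.000005  [**] [1:9000002:1] EXAMPLE protocol anomaly in SMB session [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.11:34569 -> 192.168.1.5:445
not a fast.log record at all
"""

def is_local(ip):  # True for RFC 1918 addresses; unparsable strings count as not local
    try:
        return any(ipaddress.ip_address(ip) in n for n in LOCAL_NETS)
    except ValueError:
        return False

def parse_fastlog(text):
    """Return (events, skipped): one dict per well-formed record, plus the count of unparsable lines."""
    events, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        m = FASTLOG_RE.match(line)
        if m is None:
            skipped += 1
            continue
        e = m.groupdict()
        e["sid"], e["prio"] = int(e["sid"]), int(e["prio"])
        e["action"] = e["action"] or "alert"  # no [Drop] tag: the rule only alerted (monitor mode or alert rule)
        events.append(e)
    return events, skipped

def summarise(events):
    """Per-SID totals, noisiest first; 'internal_only' marks rules that fired solely on local-to-local traffic."""
    by_sid = defaultdict(lambda: {"msg": "", "count": 0, "drops": 0, "srcs": set(), "internal_only": True})
    for e in events:
        r = by_sid[e["sid"]]
        r["msg"], r["count"] = e["msg"], r["count"] + 1
        r["drops"] += e["action"] != "alert"
        r["srcs"].add(e["src"])
        if not (is_local(e["src"]) and is_local(e["dst"])):
            r["internal_only"] = False
    return dict(sorted(by_sid.items(), key=lambda kv: -kv[1]["count"]))
```

A rule that is flagged as internal-only, or that shows a high drop count for a service you know to be legitimate, is the one to read up on and disable or adjust first.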
This is a brief list of some categories these rules come in:
These are designed to catch the results of a successful attack. If a host is already infected, they will stop it from reaching out to its command-and-control servers, and they block attacks from known compromised hosts on the Internet.
These rules block access to and from resources that are currently malicious but are not expected to remain so for long.
These are to mitigate any Denial-of-Service attacks on your network or block whole address ranges that are known to be malicious.
There are groups of rules that cover traffic that is not necessarily malicious but might be unsuitable for certain environments. Examples are gaming, P2P and chat protocols, and pornography.
Made to detect if someone is trying to collect data about your network.
These rules scan traffic for exploits against certain operating systems, browser types or other applications. They should be enabled when you have client computers on your network.
The protocol rules work for clients and servers and try to detect if an attack is run by exploiting a vulnerability in a protocol.
These are there to protect your servers. There might be different categories for web, mail and others. You will only need them if you are hosting a server locally.
These rules might only be effective when they have access to the plaintext protocol. That means that HTTPS connections cannot be scanned, but if the TLS termination is happening on the firewall itself, it would have access to the unencrypted HTTP stream.
Again not necessarily malicious, but these rules detect transfers of certain file types, which can then be blocked.