wiki.ipfire.org

The community-maintained documentation platform of IPFire


Intrusion Prevention System (IPS)

With IPFire 2.23 - Core Update 131, IPFire employs Suricata as its IPS, which is secure and fast. On a fast system, it can analyse multiple gigabits of traffic per second and search it for anything malicious.

How does it work?

In IPFire, the IPS supplements the packet filter: it can not only classify traffic by IP address, protocol and port, but also look into the packet. By decoding protocols like DNS, HTTP and many more, it can gather additional knowledge about the traffic and identify any unexpected behaviour.

Packets are passed through the IPS before they are sent to the firewall engine. However, GeoIP is applied in front of the IPS. If a packet is considered malicious, it will be dropped by the IPS.

An IPS is only effective if it has been tuned for your network. Once configuration on this page is complete, you should follow the steps on the Rule Selection page.

Configuration

The configuration of the IPS has a couple of different steps. On the main page, the system can be enabled or disabled.

At least one network zone has to be selected. All traffic coming from or going to that zone is passed to the IPS and filtered. Traffic of deselected zones passes through the firewall without being scanned.

Monitor Only Mode

In this mode, traffic is only analysed: the IPS will not take any action if a packet is considered dangerous. The packet will be logged, but will pass into the network.

This is useful for debugging rulesets and when you are not sure whether you are accidentally overblocking.

Whitelisting Hosts

In case of constant false positives, hosts can be whitelisted. They will no longer be blocked when they are on this list.

Networks (including subnet mask) can be whitelisted as well as hosts.
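The zone selection, monitor-only and whitelist settings described above, modelled as an added Python example (this is not IPFire or Suricata code). The names `IpsConfig`, `verdict` and `broad_entries`, the zone names and the addresses are constructed for illustration, and matching a whitelist entry against either endpoint of a packet is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class IpsConfig:
    """Hypothetical model of the settings on this page, not IPFire's own format."""
    enabled: bool = True
    zones: set = field(default_factory=set)         # zones selected for scanning
    monitor_only: bool = False
    whitelist: list = field(default_factory=list)   # hosts or networks with mask

    def networks(self):
        # A bare host becomes a /32 (or /128); strict=False tolerates host bits.
        return [ipaddress.ip_network(e, strict=False) for e in self.whitelist]

def verdict(cfg, zone, src, dst, rule_matched):
    """Return the fate of one packet under the configured settings."""
    if not cfg.enabled or zone not in cfg.zones:
        return "bypass"                  # deselected zone: never scanned
    if not rule_matched:
        return "pass"
    addrs = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    # Assumption: an entry applies when either endpoint is on the list.
    if any(a in net for net in cfg.networks() for a in addrs):
        return "pass-whitelisted"        # matched a rule, but no longer blocked
    return "log-and-pass" if cfg.monitor_only else "drop"

def broad_entries(cfg, min_prefix=24):
    """List IPv4 whitelist networks wider than min_prefix (large blind spots)."""
    return [str(n) for n in cfg.networks()
            if n.version == 4 and n.prefixlen < min_prefix]

if __name__ == "__main__":
    # Constructed sample configuration and packets.
    cfg = IpsConfig(zones={"RED", "GREEN"},
                    whitelist=["192.168.1.10", "10.0.0.0/8"])
    packets = [("BLUE", "192.168.2.5", "192.0.2.7"),
               ("GREEN", "192.168.1.10", "192.0.2.7"),
               ("RED", "192.0.2.7", "192.168.1.20")]
    for zone, src, dst in packets:
        print(zone, src, "->", dst, verdict(cfg, zone, src, dst, True))
    print("review these whitelist entries:", broad_entries(cfg))
```

A whitelisted network removes blocking for every address inside it, so the `broad_entries` check is worth running whenever the whitelist grows.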

Rulesets

The ruleset is one of the most important parts of an IPS. It defines what is scanned and what can be found. Rules basically work like the signatures of a virus scanner, so they have to be kept up to date, too.

Performance Considerations

A deep analysis of traffic requires a lot of resources in terms of CPU and memory. Read more about what resources are needed for which environment.

FAQ

What is an Intrusion Prevention System?

An Intrusion Detection System (IDS) is a program or a framework supposed to analyze network traffic and to detect certain attacks. It does not replace a packet filter (which is enabled in IPFire by default, see Firewall Documentation) but can eliminate some limitations of it.

There are basically two types of IDSs: Host-based Intrusion Detection Systems (HIDS), which run on a single computer, and Network-based Intrusion Detection Systems (NIDS). A NIDS is able to protect a complete network and traditionally runs on a firewall, gateway or dedicated server.

A second classification can be made by the action taken, if any, when an intrusion has been detected. A typical IDS or NIDS reports and logs malicious activity but does not perform any kind of action against it. An Intrusion Prevention System (IPS), also known as Intrusion Detection and Prevention System (IDPS), is a program or security appliance that monitors network or system activities for malicious activity, logs information about this activity, reports it and attempts to block or stop it.

IPFire features Network-based Intrusion Prevention System capabilities.

Further Reading

configuration/firewall/ips/start.txt · Last modified: 2019/06/08 11:25 by dnl