IPS Policies
The IPS Policies page lists all the pre-defined and custom IPS policies.
The device is a real-time Intrusion Prevention System (IPS) that protects your network from known and unknown attacks by worms, viruses, hackers and other Internet risks.
Sitting at the perimeter of your network, the device analyzes all traffic and stops attacks before they reach your network. Whether it is a worm, a suspicious web request, a hacker targeting your mail server or any other attack, it simply does not get through.
IPS consists of a signature engine with a predefined set of signatures. Signatures are traffic patterns known to be harmful. IPS compares traffic against these signatures and responds immediately when it finds a match. The signatures included with the device are not editable.
To suit your network requirements, the device lets you define multiple policies instead of one global policy, which decreases packet latency and reduces false positives.
An IPS policy lets you view the predefined signatures and customize the intrusion prevention configuration at the category level as well as for individual signatures. Categories group signatures by the application and protocol vulnerabilities they cover.
Instead of providing only a single (global) policy for managing multiple networks and hosts, the device lets you tailor a policy per network or host, that is, define multiple policies for managing multiple networks and hosts.
To enable the Intrusion Prevention System, apply an IPS policy from Security Policies. You can create rules to apply:
a single policy for all users/networks
different policies for different users, networks or hosts
Because Security Policies control all traffic passing through the device and decide whether to allow or drop each connection, an IPS rule is applied only to the traffic that passes through the firewall.
Category
Signatures are organized into categories such as DNS, Finger, P2P, DDOS and others, and these categories are listed in the policy. You can configure each category to change its prevention and/or detection settings. To perform intrusion prevention, you must enable the IPS service for each category: you can configure attack threats for an individual signature only if the IPS service for its category is “Enabled”.
Each IPS policy contains a set of signatures that the device searches for, logs and blocks, and lets you:
Enable or disable a category for IPS protection.
Enable or disable individual signatures in a category to tailor IPS protection to your network environment.
Define the action to take when matching traffic is found. The device can either detect or drop the connection. In either case, the device generates a log and alerts the Network Administrator.
IPS provides six actions for managing attack threats (the action taken when a signature matches):
Allow Packet - Allows the packet through to its intended destination.
Drop Packet - Drops the packet if it detects traffic that matches the signature.
Disable - Disables the signature if it detects traffic that matches the signature.
Drop Session - Drops the entire session if it detects traffic that matches the signature.
Reset - Resets the entire session if it detects traffic that matches the signature.
Bypass Session - Allows the entire session if it detects traffic that matches the signature.
For packet-based actions, the device checks each packet before taking an action, while for session-based actions only the first packet is checked and the action is applied to the whole session. In the case of Reset, a TCP reset packet is sent to the originator. In all cases, the device generates a log and alerts the Network Administrator.
To save resources and avoid latency, set the action to “Bypass Session”: if the initial packets match the signature, the rest of the session's packets are not scanned at all.
To avoid a high number of alerts and save resources, set the action to “Drop Session”: if the device identifies an attack in the initial packets, it terminates the entire session instead of scanning all the session's packets.
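To make the packet-based versus session-based distinction concrete, here is an added Python model of the six actions and the category switch (example code written for this page, not the device's own engine). The signatures, categories, session ids and payloads are constructed for the example, and the handling of Disable (a match switches the signature off and the packet is allowed) is an assumption.

```python
from dataclasses import dataclass, field
SESSION_ACTIONS = {"drop_session", "reset", "bypass_session"}

@dataclass
class Signature:
    name: str
    category: str
    pattern: bytes        # byte pattern the signature looks for (constructed)
    action: str           # one of the six actions listed on the page
    enabled: bool = True

@dataclass
class Policy:
    signatures: list
    enabled_categories: set                       # categories with the IPS service enabled
    sessions: dict = field(default_factory=dict)  # session id -> None (open) or fixed verdict

    def inspect(self, sid, payload, log):
        # returns 'allow', 'drop' or 'reset' for one packet; every match is logged
        if self.sessions.get(sid):                # session already decided: not scanned again
            return self.sessions[sid]
        first = sid not in self.sessions
        self.sessions.setdefault(sid, None)
        for sig in self.signatures:
            if not sig.enabled or sig.category not in self.enabled_categories:
                continue                          # disabled signature or disabled category
            if sig.pattern not in payload or (sig.action in SESSION_ACTIONS and not first):
                continue                          # no match, or session action past the first packet
            log.append((sid, sig.name, sig.action))
            if sig.action == "drop_packet":
                return "drop"
            if sig.action == "disable":           # assumed: a match switches the signature off
                sig.enabled = False
            elif sig.action in SESSION_ACTIONS:   # decided once for the whole session
                self.sessions[sid] = "allow" if sig.action == "bypass_session" else "drop"
                if sig.action == "reset":         # TCP reset goes to the originator
                    return "reset"
            return self.sessions[sid] or "allow"  # allow_packet, disable, bypass_session
        return "allow"

def run_demo():
    policy = Policy([Signature("evil-dns", "DNS", b"EVIL", "drop_session"),
                     Signature("p2p-hello", "P2P", b"HELLO", "drop_packet"),
                     Signature("finger-probe", "Finger", b"PROBE", "bypass_session")],
                    enabled_categories={"DNS", "P2P"})   # Finger category left disabled
    log = []
    traffic = [("s1", b"EVIL"), ("s1", b"HELLO"),        # drop_session: 2nd packet not scanned
               ("s2", b"ok"), ("s2", b"HELLO"),          # drop_packet on a later packet
               ("s3", b"PROBE")]                         # category disabled: allowed, no log
    return [policy.inspect(s, p, log) for s, p in traffic], log
```

Running run_demo() shows the second packet of s1 dropped without being scanned, while s2 is scanned packet by packet and only its matching packet is dropped.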
The page provides options to add a new policy, configure the handling of signatures by category or on a signature-by-signature basis, or delete a policy.
The device provides the following pre-defined policies. Policies 1 to 6 can be used directly without modification, while policies 7 to 10 can either be used directly or modified to suit your requirements:
1. DMZ TO LAN
2. DMZ TO WAN
3. LAN TO DMZ
4. LAN TO WAN
5. WAN TO DMZ
6. WAN TO LAN
7. generalpolicy
8. lantowan strict policy
9. lantowan general policy
10. dmzpolicy