Intrusion Prevention System - How to?

Hi Devs,

I have to admit I do not know much about the IPS but I think it is a very good and powerful thing.

First of all I want to mention this post which is a bit old but I think it is still valid.

However, I am a home user and regardless of being interested I am not a firewall expert.
So I did what should not be done: I activated a few rules and think this is enough.

First Part: Setup

I simply cannot check every rule there is if it is useful or not. For example:

  1. Read the rule:
    ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability
  2. Interpret:
    It is from the ActiveX panel so it is something with ActiveX for sure.
    Ok it has something to do with Symantec and Calendar.
    I think I do not have Symantec on my systems but not sure.
  3. Result:
    Do not activate it.

Is this the proper way of evaluating every rule?
The first example was an easy one but what about this one:
ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow
I simply have no idea if it is a threat for me. FTP ok? but EvansFTP?
I could google it but I honestly do not invest that amount of time.
Nevertheless I would have to do that for every rule I am uncertain about.
So, still activating a few rules and thinking it might be correct.

Second Part: Maintenance

An example:

  1. Something does not work:
    That is ok. This is not a company so nobody will yell at me for not being able to do stuff.
    And all other persons, yeah, I do not mind.
    When I have time I take a look around.
  2. Investigating:
    And there: the IPS has blocked it. Yeah, it really works!
    It is the rule: ET GAMES Blizzard Web Downloader Install Detected
    So I look into games and find it there. It would be easier to show all rules and just search for it via browser search but it's ok. I can live with it.
  3. Deactivating:
    I deactivate the rule and it works. Unfortunately I cannot save the config so I have to manually write down which I deactivated so I can activate it later again if I am not using it anymore.

Conclusion

I wonder how experts do that. Do they know all the rules by heart? Is there anywhere a list which I can take as a reference? I think most people would not activate Steam or Blizzard rules but these rules are at least understandable. I want to make the firewall better by taking full use of the IPS because it is there and the Devs have invested a lot of time so that it works. It would be a pity not using it, but after all how can I use it without activating all rules, although I do not understand them completely? I am willing to take the risk and adapt them for a long time (like forever). Having a good start without a huge amount of false positives would still be nice.

Thank you for reading the long post.

PS: Since I moved to IPFire (almost 7 years ago) I am still thinking it was/is the best decision.

1 Like

Well I use the IPS and it works for me fine.
What I did, following the recommendations from ms, is to make my decision on a category basis at first. E.g. no FTP rules if they are blocked by the firewall.

That helped me to have an IPS system running with a moderate hit rate and it seems to be pretty safe. But I run only standard applications (no games).
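As an added illustration of the category-first approach in this reply (and of the "write down what you deactivated" problem from the opening post), here is a small Python script that is not from IPFire or from anyone in the thread: it parses rule lines in Suricata/ET syntax, reads the ET category out of the rule name, decides per category, and produces a record of the rules you chose to drop. The sample rules, sids and names are constructed, not real Emerging Threats signatures.

```python
import re

# Constructed sample rules in Suricata/ET syntax: sids, names and content are
# made up for illustration, not real Emerging Threats signatures.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Example Calendar Control BoF"; content:"PVCalendar"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP Example FTP Server Overflow"; content:"USER"; sid:9000002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Example Downloader Install Detected"; content:"downloader"; sid:9000003; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Example SMB Overflow"; content:"|ff|SMB"; sid:9000004; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Example Beacon Check-in"; content:"beacon"; sid:9000005; rev:1;)
"""
# A rule line: optional leading '#' (disabled), action, protocol, header, then
# the option block in parentheses.
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|drop|pass|reject)\s+(?P<proto>\S+)\s+.+?\s+\((?P<opts>.*)\)\s*$")
MSG_RE = re.compile(r'msg:"([^"]*)"')
SID_RE = re.compile(r"\bsid:(\d+)")

def parse_rules(text):
    """Return one dict per rule: sid, category, msg, proto, disabled flag."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or plain comment
        msg, sid = MSG_RE.search(m["opts"]), SID_RE.search(m["opts"])
        if not (msg and sid):
            continue
        words = msg[1].split()
        # ET names read "ET <CATEGORY> ...": the second word is the category
        # that the IPFire WUI groups rules under (ACTIVEX, GAMES, MALWARE, ...).
        cat = words[1] if len(words) > 1 and words[0] == "ET" else "UNKNOWN"
        rules.append({"sid": int(sid[1]), "category": cat, "msg": msg[1],
                      "proto": m["proto"], "disabled": m["off"] is not None})
    return rules

def decide(rules, relevant):
    """Category-first selection: sids to keep (category relevant to this
    network) and sids to drop, regardless of their current on/off state."""
    keep = [r["sid"] for r in rules if r["category"] in relevant]
    drop = [r["sid"] for r in rules if r["category"] not in relevant]
    return keep, drop

def disabled_record(rules, drop_sids):
    """Tab-separated record of dropped rules (sid, category, rule name) to
    keep beside the WUI so the decision can be revisited later."""
    by_sid = {r["sid"]: r for r in rules}
    return "\n".join(f"{s}\t{by_sid[s]['category']}\t{by_sid[s]['msg']}"
                     for s in sorted(drop_sids))
```

Running it over a real ruleset file and a set of categories such as `{"MALWARE", "EXPLOIT"}` gives the keep/drop lists and a text record to save outside the WUI.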

Hi @ip-mfg ,

Thanks for the feedback.

Yes I have the same idea… I’m beginning with IPFire.
First I read the explanation of each rule from https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf

After that I try to apply them one by one where they are concerned, for example malware first and so on.
But in parallel I monitor the log and CPU usage.

BR

There is also some info here wiki.ipfire.org - Rule Selection and here blog.ipfire.org - IPS configuration recommendations for IPFire users

1 Like

Hi,

Long post warning!

As the blog posts and general tips for IPS configuration underscore, it’s imperative to understand your network. Also, if you haven’t segmented it yet, do so first. The IPS will control traffic between segments, but keep in mind that this uses more CPU cycles than plain old stateful firewalling. So try to work your way up the OSI model to L7 (where the IPS resides).

A simple example: I have a network with four segments:

  • end-users (PCs, laptops and mobile devices)
  • IOT (cameras, smart fridges, drones, etc.)
  • shared services like printers and file shares
  • management LAN (mgmt LAN)

So what is the mgmt LAN? Well basically it’s the network segment on which I will allow access to the mgmt interfaces of my infrastructure components (like the IPFire WUI and possibly SSH access to other infra like switches). This means I would block everything from all the other networks to the mgmt LAN by default; this would be done at layer 3, costing me fewer resources than detecting if traffic to the mgmt LAN is benign.

Also, in terms of ‘corporate’ policy, why would I allow access to mgmt LAN to anyone other than the administrators? And would I solve this differently, e.g. by using a VPN or dedicated outlets with NAC-rules (MAC whitelist)?

This is all part of understanding your network, what is my end-goal and how will I achieve this?

The other segments should be approached the same way:

  • IOT: who needs access to this segment and does it need internet (probably yes, for updates, but can it be regulated)?
  • end-users: probably needs internet access, but also access to the shared services LAN
  • shared services LAN: needs internet access for updates

As you can see end-users and shared services will need proper regulation to prevent malware from coming in and to prevent lateral movement (hosts infecting other hosts). For these segments you should determine what’s IN the network and what rules apply to the devices therein. In theory you should go by the rules one at a time and revisit occasionally. It’s just like your policy (what do you allow, and what not), you should evaluate on a regular basis → you can use the PDCA-cycle as a systematic approach. Note that an IPS does not mean you should be conscious of what you’re running. You [b]should[/b] patch your systems, and decommission everything you don’t use anymore. Decrease the attack surface as much as possible, also employing a systematic approach.

Some examples:

  • For the shared services segment you should control NFS/SMB access and prevent exploits
  • If any of the servers has RDP enabled, activate rules for exploits in the RDP protocol
  • If you have a webserver in your network, protect against exploits in the technology you use (ASP, PHP, NodeJS etc.), but you don’t need those rules for inbound traffic to the end-user devices (probably)

So in short:

  1. Determine which segments should reach one-another at all, and the internet. Deny traffic by default and allow only what’s necessary (for business purposes)
  2. Segments that allow inter-zone traffic should regulate the traffic between them, protecting the assets in them, tune the rules to protect what matters

Yes it requires maintenance, but what doesn’t? :wink: I’d recommend the phased approach from the blog, start by protecting your most critical assets, evaluate and proceed to the next in line.

Monitoring is very important obviously, but this is a different topic altogether imho and requires a write-up and best-practices of its own. Preferably leveraging correlation and machine learning to filter false positives as much as possible (making maintenance less of a drag).

2 Likes