Chapter 8. IPS
The IPS (Intrusion Prevention System) inspects network packets in real time for signs of attacks or intrusions.
When it finds one, it immediately blocks the harmful packets, whether they are coming from outside into the internal network or from internal hosts attacking external ones.
•Why do we need IPS?
For example, SQL Slammer exploited a buffer overflow in SQL Server.
Because the firewall has opened the SQL Server port, external hosts can reach the internal SQL Server, and the firewall passes the traffic because the addresses and ports are permitted.
An attacker then sends crafted packets that trigger the buffer overflow, compromises the internal SQL Server, and extracts the data they want.
A stateful inspection firewall examines only the headers of Layers 2 to 4 of the OSI model; it does not look inside the application payload.
The elements it commonly inspects and controls are
the source IP address, destination IP address, source port number, destination port number, and TCP flag fields.
•How does IPS work?
The IPS examines the content of Layers 4 to 7 of the OSI model, looking for exploit code or malware concealed inside TCP/IP protocol payloads.
After inspecting the content in detail, it flags byte patterns that match a signature. On a match, the IPS immediately blocks the packet so that it does not pass through the firewall.
The difference between an IPS and a firewall is therefore the IPS's ability to inspect content and behavior. How effective an IPS is depends on the breadth of its signature database and how quickly that database is updated.
In other words, the more signatures the IPS has, the more abnormal content and network behavior it can identify.
However, more inspection requires more processing capacity, which can slow down the network.
IPS signatures are typically categorized into three severity levels: high, medium, and low. Administrators decide which levels to allow or block based on the actual network environment and the processing capacity of the appliance.
In small to medium-sized networks, the IPS usually only needs a complete signature set for high and medium threats (such as viruses and Trojans).
To put the IPS into operation, follow these steps:
1. In “IPS Settings”, create a group and specify whether each signature in the group is blocked or only logged.
2. In “Policy”, select the source/destination IP addresses, then apply the group created in step 1.
When administrators enable many signatures, the IPS may block legitimate traffic by mistake, so a feature meant to improve security can instead cause congestion or an outage.
To prevent this, NG-UTM classifies every IPS event into three risk levels (high, medium, and low), and the control action is either block or log.
Administrators should start with log only, review the events that are recorded, and then switch individual levels or signatures to block as the environment requires.
8-1. IPS Setting
Newly configured IPS groups appear in the list with their group name, mode, and content.
Click the add icon to create an IPS group:
【Group Name】: The name of the IPS group; any text, such as “High Risk Blocking”.
【Mode】: Basic or Advanced. Basic mode groups signatures by risk level; Advanced mode groups them by signature type.
·Basic Mode
Signatures are grouped by risk level into high, medium, and low; the number in parentheses is the count of signatures at that level. Click the icon next to a level to view the individual signature names.
You can choose the action (log/block) for each level separately.
·Advanced Mode
First select a signature classification, then choose the risk level (high, medium, low) within that classification.
On confirmation, the selected classification expands to show the signature names it contains. You can either apply one action to the entire classification or select an action (log/block) for each signature individually.
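The following is an added example, not NG-UTM code, that models in Python what the sections above describe: a stateful firewall that decides on the 5-tuple alone, an IPS group built in Basic mode (one action per risk level) or Advanced mode (one action per classification and risk level), and a policy that applies the group to a source/destination range before the payload is inspected. The signature names, categories, byte patterns, addresses and packets are all constructed for illustration; the classification names and the "block wins over log" rule are assumptions, not the appliance's behaviour.

```python
# Added example (not NG-UTM code): toy model of firewall 5-tuple filtering
# versus IPS payload inspection with Basic/Advanced groups and a policy.
# Every signature, pattern, address and packet here is constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    category: str   # assumed classification names: "Exploit", "Malware", "Scan"
    risk: str       # "high", "medium" or "low"
    pattern: bytes  # byte sequence searched for inside the L4-L7 payload


# Constructed signature database; names and patterns are illustrative only.
SIGNATURES = [
    Signature("SQL.Overflow.Sample", "Exploit", "high", b"\x90" * 24),
    Signature("Trojan.Beacon.Sample", "Malware", "medium", b"BEACON-CHECKIN"),
    Signature("Scanner.Banner.Sample", "Scan", "low", b"USER-AGENT: SCANNER"),
]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    payload: bytes


def firewall_allows(pkt, allowed_ports):
    """Stateful-firewall view: protocol and port only, the payload is never read."""
    return pkt.proto in allowed_ports and pkt.dst_port in allowed_ports[pkt.proto]


def basic_group(actions_by_risk):
    """Basic mode: one action ('log' or 'block') per risk level.
    Levels absent from the mapping are left out of the group entirely."""
    return {sig: actions_by_risk[sig.risk]
            for sig in SIGNATURES if sig.risk in actions_by_risk}


def advanced_group(actions_by_category_risk):
    """Advanced mode: an action per (classification, risk level) pair."""
    return {sig: actions_by_category_risk[(sig.category, sig.risk)]
            for sig in SIGNATURES
            if (sig.category, sig.risk) in actions_by_category_risk}


def inspect(pkt, group):
    """IPS view: search the payload for each signature in the group.
    Returns (action, signature); action is 'block', 'log' or 'pass'.
    If several signatures match, block takes precedence over log (assumed)."""
    action, matched = "pass", None
    for sig, configured in group.items():
        if sig.pattern in pkt.payload:
            if configured == "block":
                return "block", sig
            action, matched = "log", sig
    return action, matched


def apply_policy(pkt, policy, allowed_ports):
    """Firewall header check first; then the first policy rule whose
    source/destination ranges match decides which IPS group inspects it."""
    if not firewall_allows(pkt, allowed_ports):
        return "drop", None
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for src_net, dst_net, group in policy:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return inspect(pkt, group)
    return "pass", None


if __name__ == "__main__":
    # High risk blocked, medium logged only, low not inspected at all.
    group = basic_group({"high": "block", "medium": "log"})
    ports = {"udp": {1434}, "tcp": {80, 1433}}
    policy = [("0.0.0.0/0", "0.0.0.0/0", group)]
    exploit = Packet("203.0.113.7", "10.0.0.5", "udp", 40000, 1434, b"\x04" + b"\x90" * 40)
    print("firewall alone:", firewall_allows(exploit, ports))   # True: port is open
    print("with IPS:", apply_policy(exploit, policy, ports))    # ('block', SQL.Overflow.Sample)
```

The point the example makes is the one in the SQL Slammer discussion: `firewall_allows` passes the exploit packet because UDP/1434 is permitted, and only `inspect`, which reads the payload, stops it. Starting a group with `"medium": "log"` and no `"low"` entry mirrors the log-first advice above: medium hits are recorded but not dropped, and can be promoted to `"block"` once the logs show they are not false positives.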
8-2. IPS Log
Every IPS event, whether blocked or only logged, is recorded for administrators to review.
Today's IPS Log displays records from midnight (00:00) up to the moment the page is opened. Administrators can also search IPS protection records in IPS Log Search using specified criteria.
Each record includes the time of the event, the IPS type, signature name, source/destination IP address, protocol, source/destination port, the action taken by NG-UTM, and the risk level of the category.
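The following is an added example, not NG-UTM code, showing how the fields listed above can be parsed from exported records and filtered the way the "Today" view and IPS Log Search do, plus a small tally that helps decide which log-only signatures deserve promotion to block. The comma-separated line layout and the sample records are constructed for illustration; the appliance's real export format is not documented on this page.

```python
# Added example (not NG-UTM code): parse constructed IPS log records carrying
# the fields listed above, reproduce the "today" view and a criteria search.
# The CSV layout below is an assumption, not the appliance's export format.
import csv
import io
from collections import Counter
from datetime import datetime, time

FIELDS = ["time", "ips_type", "signature", "src_ip", "dst_ip", "protocol",
          "src_port", "dst_port", "action", "risk"]

# Constructed sample records, one per line, in FIELDS order.
SAMPLE_LOG = """\
2024-05-06 23:58:10,Exploit,SQL.Overflow.Sample,203.0.113.7,10.0.0.5,udp,40000,1434,block,high
2024-05-07 00:03:41,Malware,Trojan.Beacon.Sample,10.0.0.9,198.51.100.2,tcp,51000,80,log,medium
2024-05-07 08:12:05,Scan,Scanner.Banner.Sample,198.51.100.9,10.0.0.5,tcp,44000,80,log,low
2024-05-07 09:30:22,Exploit,SQL.Overflow.Sample,203.0.113.7,10.0.0.5,udp,40001,1434,block,high
"""


def parse_log(text):
    """Turn the text export into dicts; time and ports get real types."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        rows.append(rec)
    return rows


def today_log(rows, now):
    """Today's IPS Log: records from midnight (00:00) up to 'now' inclusive."""
    start = datetime.combine(now.date(), time.min)
    return [r for r in rows if start <= r["time"] <= now]


def search_log(rows, **criteria):
    """IPS Log Search: keep records matching every given field=value pair."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]


def hits_by_signature(rows, action):
    """Count events per signature for one action; repeated 'log' hits on a
    signature that never trips legitimate traffic are candidates for 'block'."""
    return Counter(r["signature"] for r in rows if r["action"] == action)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    now = datetime(2024, 5, 7, 9, 0, 0)   # constructed "page opened" time
    for r in today_log(rows, now):
        print(r["time"], r["signature"], r["action"], r["risk"])
    print(hits_by_signature(rows, "block"))
```

`today_log` deliberately uses the local-midnight boundary rather than "last 24 hours", which is what the description above says the Today view does; an event at 23:58 the previous night is therefore not shown even though it is only minutes old.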