Intrusion Detection and Prevention System

The intrusion detection and prevention system (IDPS) enables identification of malicious activity within the network or coming from the Internet. It focuses on threat detection, logging, and prevention as well as reporting.

Security problems are detected using heuristic rules and signature analysis for known attacks. The IDPS monitors and blocks these attacks in real time. Possible preventive measures include connection termination, blocking the source address, notifying the network administrator, and logging.

The rule and signature database, maintained and updated by the UserGate development team, is provided to holders of the corresponding license. You can also create custom IDPS signatures and add them to the database. Signatures are written in the UASL language, which describes the characteristic features of network vulnerabilities. For each signature, you can individually configure the action to take, logging, and saving to a PCAP file, as well as enable or disable the signature. For more details on IDPS signatures, see the section IDPS Signatures.

Using flexible filters, you can add signature groups to IDPS profiles. One profile can include multiple filters at once. The administrator can create the desired number of IDPS profiles to protect various services. For more details on IDPS profiles, see the section IDPS Profiles.

To activate the Intrusion Detection and Prevention System, an IDPS profile is added to an allow rule of the Firewall. In this case, both forward and return packets are analyzed according to the conditions in the filter, regardless of where the connection is established from. When traffic matches a signature from such a profile, the action configured for that signature is taken, and, if logging has been enabled for it, a corresponding entry is written to the IDPS Log.

To get started with the IDPS, follow these steps:

Step 1. Create the desired IDPS Profiles.

An IDPS profile is a set of signatures relevant for protecting certain services.

IDPS profiles are created as described in the IDPS Profiles section. Using flexible filters, you can add signature groups from a library to a profile. Along with stock signatures, pre-created custom IDPS Signatures can be added to a profile.

It is recommended to limit the signatures in a profile to those necessary for protecting the service. For example, to protect a service that uses the TCP protocol, you should not add signatures developed for UDP. A large number of signatures increases traffic processing time and CPU load.

Step 2. Add pre-created IDPS profiles to a firewall rule.

An IDPS profile can only be used in Firewall rules that allow traffic.

Both forward and return packets are analyzed according to the conditions in the filter, regardless of where the connection is established from. When signatures from the profile are encountered, the action configured for them is taken.
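The behaviour described in the two steps above (a profile selects signatures from a library through filters, the profile is attached to an allow rule, and both directions of the allowed flow are checked with each signature's own action, logging and PCAP settings) can be modelled in a few lines. The following is an added illustrative model, not UserGate code and not UASL; all signature names, groups, patterns and rule names are constructed for the example.

```python
from dataclasses import dataclass
# Constructed model of the concepts above; not UserGate code and not UASL.
@dataclass(frozen=True)
class Signature:
    name: str
    protocol: str            # "tcp" or "udp"
    group: str               # signature group that profile filters select on
    pattern: bytes           # byte sequence characteristic of the attack
    action: str = "drop"     # "drop" terminates the connection, "alert" only reports
    log: bool = True         # write an IDPS Log entry on match
    save_pcap: bool = True   # keep the matching packet for later analysis
    enabled: bool = True
@dataclass
class Profile:
    name: str
    filters: list            # each filter: {attribute: set of allowed values}
    def select(self, library):
        # Signatures matching any filter; disabled signatures are never used.
        return [s for s in library if s.enabled and any(
            all(getattr(s, k) in v for k, v in f.items()) for f in self.filters)]
@dataclass
class AllowRule:             # IDPS is active only on an allow rule that carries a profile
    name: str
    protocol: str
    profile: Profile
def inspect_flow(rule, library, packets):
    # packets: (direction, payload) pairs, forward and return alike.
    sigs = rule.profile.select(library)
    log, pcap = [], []
    for direction, payload in packets:
        for sig in sigs:
            if sig.protocol == rule.protocol and sig.pattern in payload:
                if sig.log:
                    log.append((direction, sig.name, sig.action))
                if sig.save_pcap:
                    pcap.append(payload)
                if sig.action == "drop":
                    return "blocked", log, pcap   # connection terminated
    return "allowed", log, pcap
# Constructed sample library, profile and rule (hypothetical names).
LIBRARY = [
    Signature("web-sqli-probe", "tcp", "web", b"' OR 1=1"),
    Signature("web-scanner-ua", "tcp", "web", b"acme-scan/", action="alert", save_pcap=False),
    Signature("web-cmd-output", "tcp", "web", b"uid=0(root)"),      # shows up in return traffic
    Signature("web-legacy-cgi", "tcp", "web", b"/cgi-bin/phf", enabled=False),
    Signature("dns-any-query", "udp", "dns", b"\x00\xff\x00\x01"),  # irrelevant to a TCP service
]
WEB_PROFILE = Profile("web-servers", [{"protocol": {"tcp"}, "group": {"web"}}])
HTTP_RULE = AllowRule("allow-http-in", "tcp", WEB_PROFILE)
```

Note that the UDP signature is excluded by the profile filter, so it adds no processing cost to the TCP rule, which is the point of the recommendation in Step 1; the return-direction match shows why both packet directions are inspected.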