Introducing IPFire's new Intrusion Prevention System

by Michael Tremer, March 26, 2019

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

With the next IPFire release, we are going to release huge changes to our Intrusion Detection System. Those bring packet analysis that IPFire does to a new level and we are very excited to tell you more about it in this announcement!

A lesson in history

Snort has been the de-factor Intrusion Detection System (IDS) for years. It started out a long time ago as a Host Intrusion Detection System and over time, features for analysing passing traffic have been added, too. Within its means, it was working perfectly inside of IPFire. During its lifetime, radical redesign never happened. It is only able to run on one processor core at a time and has some other limitations which make it slow and difficult to use.

Suricata is the new kid on the block. Having been around for years now, too, and being started to overcome the shortcomings of Snort, it has a much more modern design and great new features. All in all, it is much better than Snort and therefore the IPFire developers have decided to migrate to it.

Actions instead of listening

One of the biggest changes we are now introducing is that the IDS will no longer just listen to traffic by default. Snort used to analyse a copy of every packet on the network. While it has been scanning it, it was passed on into the network. Any alarms that were raised had to be processed from a log file and potentially created iptables rules that blocked the host where the malicious packet came from. That leaves a tiny chance to an attacker to talk to a host on the network he wants to attack.

Suricata takes the packet, analyses it first, and when it has passed all checks, it is being sent onward. Therefore, it is very easy for Suricata to be an Intrusion Prevention System, too. If the packet has failed the tests, it is just being dropped and alert is logged - leaving no chance to even send a single packet to the internal network.

Because of that, we have renamed it on the IPFire Web UI and call it "Intrusion Prevention System". After all, that is what we all want: Preventing attacks, not just finding out about them and doing nothing. When we have found an attacker, we want to do something against it.

Alternatively, Suricata can operate in a "monitoring only" mode which is helpful for testing rulesets and which is what will automatically be enabled when you have been a user of Snort before.

Performance & Automatic Rule Updates

Since suricata is holding on to every packet until it is declared safe, this adds some delay to forwarding the packet. In reality this is not noticeable as long as the hardware is powerful enough.

In the last Core Update we have already shipped a couple of performance tuning changes that allow suricata to process more data. To make maximum use of your hardware, it uses all processor cores at the same time and analyses packets concurrently - unlike Snort which could only use one processor core at the same time.

Rules will also now automatically be updated daily or weekly. Having the latest ruleset allows to detect latest attack vectors and malicious traffic efficiently.

The work has been spearheaded by Stefan Schantl, but many days of work of the whole team has gone into this project over the last six months. Although on the surface this looks like small changes, this makes IPFire a much more powerful firewall.

Instead of filtering packets by IP address and port - which is highly important though - the new IPS can now look deep into the packets and detect malicious traffic easily. Spyware, malware, viruses as well as SQL injection attacks on web servers and so on are now stopped. With our performance improvements and on top of the IPFire OS, this runs well in large networks where highest security is required.

To support us doing this, please donate.

This is still not ready for prime-time, yet. We have run many tests, but of course any extra feedback that we can get on throughput, ease of use, or finding any bugs that we might have overlooked is helpful.

Help us testing

Suricata is available in the latest nightly builds.

To get in touch with the developers, sign up to our development mailing list and report any bugs that you find to our bugtracker.