Since IPFire 2.23 - Core Update 131, IPFire employs Suricata as its IPS, which is secure and fast. On a fast system it can analyse multiple gigabits per second of traffic and search it for malicious content.
Since Core Update 169, multiple rule providers can be selected.
How does it work?
In IPFire, the IPS supplements the packet filter: it classifies traffic not only by IP address, protocol and port, but also looks into the packet itself. By decoding protocols such as DNS, HTTP and many more, it gathers additional knowledge about the traffic and identifies unexpected behaviour.
Packets are passed through the IPS before they are sent to the firewall engine. The Location Block, however, works in front of the IPS. If a packet is considered malicious, it is dropped by the IPS.
The configuration of the IPS has a couple of different steps. On the main page, the system can be enabled or disabled.
At least one network zone has to be selected. All traffic coming from or going to that zone is passed to the IPS and filtered. Traffic of deselected zones passes through the firewall without being scanned.
Initially, the provider table is empty. Press the "Add provider" button and the following page will be shown.
Here you can use the drop-down box to select a provider.
Automatic updates and/or "Monitor traffic only" can be set per provider.
If the ruleset is subscription-based, the subscription code provided with the ruleset has to be entered into the box that will appear.
Then press the "Add" button and you will be taken back to the Ruleset settings page with the chosen provider now listed. Further providers can be selected by pressing the "Add provider" button again.
Monitor traffic only Mode
Traffic can also just be analysed: the IPS will not take any action if a packet is considered dangerous. The packet is logged, but passes into the network.
This is useful for debugging rulesets and when you are not sure whether you are accidentally over-blocking.
In case of persistent false positives, hosts can be whitelisted. Hosts on this list will no longer be blocked.
Networks (with subnet mask) can be whitelisted as well.
The ruleset is one of the most important parts of an IPS. It defines what is scanned and what can be found. Rules basically work like the signatures of a virus scanner and therefore have to be kept up to date, too.
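The monitor-only mode above produces alerts without dropping anything, and the log of such a run is what you would review before whitelisting a host. The following is an added example, not IPFire or Suricata code: it assumes Suricata's EVE JSON alert format (the log location on IPFire is not assumed here) and summarises constructed sample records per signature and source host, flagging signatures that fire repeatedly from a single host as candidates to review before any whitelist entry is made.

```python
"""Summarise Suricata EVE JSON alerts after a "Monitor traffic only" run.
Added example, not IPFire/Suricata code; sample records are constructed."""
import json
from collections import Counter, defaultdict

# Constructed sample (one JSON object per line, as Suricata writes eve.json);
# a non-alert event and a truncated line are included to show they are skipped.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:01+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"allowed"}}
{"timestamp":"2024-05-01T10:00:02+0000","event_type":"flow","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","proto":"TCP"}
{"timestamp":"2024-05-01T10:01:07+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"allowed"}}
{"timestamp":"2024-05-01T10:02:09+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","action":"allowed"}}
{"timestamp":"2024-05-01T10:03:00+0000","event_type":"alert","src_ip":"192.168.1.20","dest_ip":"198.51.100.9","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED POLICY example outbound","action":"allowed"}}
{"timestamp":"2024-05-01T10:03:30+0000","event_type":"alert","src_ip":"192.168.1.30","dest_ip":"198.51.100.9","proto":"TCP","alert":{"signature_id":9000001,"signature":"CONSTRUCTED POLICY example outbound","action":"allowed"}}
{"timestamp":"2024-05-01T10:04:00+0000","event_type":"alert","src_ip":"192.168.1.40
"""


def alert_records(text):
    """Yield alert events only; skip other event types and unparsable lines."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or partially written line
        if rec.get("event_type") == "alert":
            yield rec


def summarise(text, min_hits=3):
    """Count alerts per signature, source host and action; flag signatures that
    fire repeatedly from one host as candidates to review before whitelisting."""
    by_sig, by_src, actions = Counter(), Counter(), Counter()
    hosts = defaultdict(set)
    for rec in alert_records(text):
        sig = (rec["alert"]["signature_id"], rec["alert"]["signature"])
        by_sig[sig] += 1
        by_src[rec["src_ip"]] += 1
        # "allowed" on every alert means nothing was dropped, i.e. monitor mode
        actions[rec["alert"].get("action", "unknown")] += 1
        hosts[sig].add(rec["src_ip"])
    candidates = sorted((sid, name, by_sig[(sid, name)], next(iter(h)))
                        for (sid, name), h in hosts.items()
                        if len(h) == 1 and by_sig[(sid, name)] >= min_hits)
    return {"total": sum(by_sig.values()), "by_signature": by_sig.most_common(),
            "by_source": by_src.most_common(), "actions": dict(actions),
            "review_candidates": candidates}
```

Calling `summarise(SAMPLE_EVE)` on the constructed sample reports five alerts, all "allowed", and flags the signature that fired three times from 192.168.1.20 alone; the signature seen from two hosts is not flagged.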
To make selections of the rules to be activated, press the "Customize ruleset" button. This will take you to a page containing a single list of all the available rules from the selected providers.
After selecting all desired rulesets, press the "Apply" button; they will be applied and become active in the IPS.
The following links provide more information on the rulesets and rule selection.
A deep analysis of traffic requires a lot of CPU and memory. Read more about what resources are needed for which environment.
What is an Intrusion Prevention System (IPS)?
An IPS can take action once an intrusion has been detected. An Intrusion Prevention System (IPS), also known as an Intrusion Detection and Prevention System (IDPS), is a program or security appliance that monitors network or system activities for malicious activity, logs information about this activity, reports it and attempts to block or stop it.
IPFire features network-based Intrusion Prevention System capabilities.
- Suricata User Guide
- IPFire Community post - baselining IPS
- The Snort Cookbook
- Overview of the Emergingthreats.net Community Rules
- FAQ to the Emergingthreats.net Community Rules
- ET Category Descriptions (PDF)
- The CIArmy list (blacklist)
- Open Threat Intelligence
- Mailing list for updates to the Emerging Threats
- SpamHaus DROP list
- IPFire Blog article - IPS configuration recommendations for IPFire users
- Suricata support forum