Overview
Kerio Control integrates Snort, an intrusion detection and prevention system (IDS/IPS) protecting the firewall and the local network from known network intrusions. A network intrusion is network traffic that impacts the functionality or security of the victim host.
Based on the severity (High, Medium, Low), the Kerio Control IPS can drop and log, log only, and do nothing with the detected intrusions. Log option is generating automatic IPS: Alert entries in the Security logs.
Diagnosis
A typical attribute of intrusions is their apparent legitimacy and it is difficult to uncover such traffic and filter it simply by traffic rules. Let us use Denial of Service intrusion as an example — too many connections are established on a port to use up the system resources of the server application so that no other users can connect. However, the firewall considers this act only as access to an allowed port.
Note: The intrusion prevention system works on all network interfaces in the Internet Interfaces group. It detects and blocks network intrusions coming from the Internet, not from hosts in local networks or VPN clients. The use of NAT is required for IPv4. Intrusion detection is performed before the traffic rules.
Solution
- In the administration interface, go to Configuration > Intrusion Prevention.
- Check Enable Intrusion Prevention.
- Leave Severity levels in the default mode. Kerio Control distinguishes three levels of intrusion severity:
- High severity — Activity where the probability of a malicious intrusion attempt is very high (e.g. Trojan horse network activity).
- Medium severity — A suspicious activity (e.g. traffic by a non-standard protocol on the standard port of another protocol).
- Low severity — Network activity that does not indicate immediate security threat (e.g. port scanning).
- Click the On the Kerio website, you can test these settings link to test the intrusion prevention system for both IPv4 and IPv6. During the test, three fake harmless intrusions of high, middle, and low severity are sent to the IP address of your firewall.
- Click Apply.
IP blacklists
Kerio Control is able to log and block traffic from IP addresses of known intruders (so-called blacklists). Such a method of detection and blocking of intruders is much faster and also less demanding than the detection of the individual intrusion types. However, there are also disadvantages. Blacklists cannot include IP addresses of all possible intruders. Blacklists may also include IP addresses of legitimate clients or servers. Therefore, you can set the same actions for blacklists as for detected intrusions - Log and Drop, Log only or Do nothing.
Automatic updates
For the correct functionality of the intrusion detection system, update databases of known intrusions and intruder IP addresses regularly.
Under normal circumstances there is no reason to disable automatic updates — non-updated databases decrease the effectiveness of the intrusion prevention system.
Note: Automatic updates are incremental. If you need to force a full update, click Shift + Update now.
Important: For database updates, a valid Kerio Control license or a registered trial version is required.
Confirmation
The Security log will report when the firewall identifies and blocks an intrusion.
Log and Drop examples
IPS: Packet drop, severity: High, Rule ID: 1:2018131 ET WORM TheMoon.linksys.router 1, proto:TCP, ip/port:1.1.1.1:49879 (1-1-1-1.xyz.abc.def) -> 192.168.1.1:81
IPS: Packet drop, severity: Blacklist, Rule ID: 1:2500018 ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 10, proto:TCP, ip/port:1.1.1.1:51654 -> 2.2.2.2:19382
Log only
IPS: Alert, severity: Medium, Rule ID: 119:18 http_inspect: WEBROOT DIRECTORY TRAVERSAL, proto:TCP, ip/port:2.2.2.2:59373 -> 1.1.1.1:81
IPS: Alert, severity: Low, Rule ID: 1:2016150 ET INFO Session Traversal Utilities for NAT (STUN Binding Response), proto:UDP, ip/port:nn.nnn.nnn.n:3478 -> 10.0.0.35:53854