
Configuring Intrusion Prevention

Overview

Kerio Control integrates Snort, an intrusion detection and prevention system (IDS/IPS) that protects the firewall itself and the local network from known network intrusions. A network intrusion is network traffic that impairs the functionality or security of the victim host.

A typical attribute of intrusions is their apparent legitimacy: each packet looks like allowed traffic, so such traffic is hard to uncover and cannot be filtered by traffic rules alone. Take a Denial of Service intrusion as an example. The attacker opens so many connections to a port that the server application runs out of system resources and no other users can connect. A traffic rule, however, evaluates each connection on its own and sees nothing more than access to an allowed port; detecting the attack requires counting connection attempts over time, which is what an IDS/IPS does.

Notes:

The intrusion prevention system works on all network interfaces in the Internet Interfaces group. It detects and blocks network intrusions coming from the Internet, not traffic originating from hosts in local networks or from VPN clients. For IPv4, the use of NAT is required. Intrusion detection is performed before the traffic rules are evaluated, so a blocked intrusion is dropped even if a traffic rule would otherwise allow the connection.

Step-By-Step Guide

  1. In the administration interface, go to Configuration > Intrusion Prevention.
  2. Check Enable Intrusion Prevention.
  3. Leave Severity levels in the default mode. Kerio Control distinguishes three levels of intrusion severity:
    • High severity — Activity where the probability of a malicious intrusion attempt is very high (e.g. Trojan horse network activity).
    • Medium severity — A suspicious activity (e.g. traffic by a non-standard protocol on the standard port of another protocol).
    • Low severity — Network activity that does not indicate immediate security threat (e.g. port scanning).
  4. To test the intrusion prevention system for both IPv4 and IPv6, click the link On the Kerio website, you can test these settings. During the test, three harmless fake intrusions of high, medium, and low severity are sent to the IP address of your firewall, so that you can verify each severity level is detected and reported.
  5. Click Apply.
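The two Snort rules below are an added illustration written for this article; they are not rules shipped with Kerio Control and not something you enter on the Intrusion Prevention page, which exposes no rule editor. Kerio Control maintains and updates its own rule set. The rules show, in Snort 2 rule syntax, how an IDS/IPS expresses the two detections that a traffic rule cannot: the connection-flood Denial of Service case from the overview, and the medium-severity example from step 3 (a non-standard protocol on the standard port of another protocol). `$EXTERNAL_NET` and `$HOME_NET` are Snort's standard address variables; the thresholds, SIDs and message texts are chosen here for illustration only.

```snort
# Added illustration (not Kerio Control's own rules): Snort 2 syntax.
# $EXTERNAL_NET / $HOME_NET are Snort's standard address variables; the
# counts, SIDs and messages below are chosen for this example only.

# 1. The Denial of Service case from the overview. A traffic rule can only
#    answer "is TCP/443 from the Internet allowed?", and the answer is yes.
#    This rule keeps state instead: it fires once a single source address
#    has sent more than 200 connection attempts to port 443 within 5 seconds.
#    flags:S,12 matches segments with only SYN set while ignoring the two
#    reserved bits (CWR/ECE), so ECN-capable clients are still counted.
#    flow:stateless lets the SYN be inspected before any session exists.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
    msg:"LOCAL Connection flood against internal HTTPS server"; \
    flags:S,12; \
    flow:stateless; \
    detection_filter: track by_src, count 200, seconds 5; \
    classtype:attempted-dos; \
    sid:1000001; rev:1; \
)

# 2. The medium-severity example from step 3: a non-standard protocol on
#    the standard port of another protocol. Port 80 is allowed for HTTP,
#    but a client that opens the connection with an SSH identification
#    string is not speaking HTTP. depth:4 confines the search to the first
#    4 payload bytes, so "SSH-" appearing inside an HTTP body does not fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"LOCAL SSH client banner on HTTP port"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    classtype:non-standard-protocol; \
    sid:1000002; rev:1; \
)
```

Two caveats for reading these against the article. First, the Snort `classtype` priorities are Snort's own classification; how Kerio Control maps its rule set onto the three severity levels in step 3 is not described on this page, so do not assume a one-to-one correspondence. Second, rule 1 tracks by source address, and many legitimate clients behind one remote NAT gateway share a single address; a threshold like 200 SYNs in 5 seconds can therefore be reached by normal traffic, which is the same false-positive risk the IP blacklists section below describes, and the reason the default severity actions are worth keeping until you have seen what the Security log reports.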

IP blacklists

Kerio Control can log and block traffic from IP addresses of known intruders (blacklists). Detecting and blocking intruders by address is much faster and less resource-intensive than detecting the individual intrusion types by inspecting traffic. It also has disadvantages: blacklists cannot include the IP addresses of all possible intruders, and they may include IP addresses of legitimate clients or servers. For that reason, the actions available for blacklisted addresses are the same as for detected intrusions, and you can configure them separately.

Automatic updates

For correct functionality of the intrusion detection system, update databases of known intrusions and intruder IP addresses regularly.

Under normal circumstances there is no reason to disable automatic updates — non-updated databases decrease the effectiveness of the intrusion prevention system.

NOTE

Automatic updates are incremental. If you need to force a full update, hold Shift while clicking Update now.

IMPORTANT

For database updates, a valid Kerio Control license or a registered trial version is required.

Confirmation

The Security log will report when the firewall identifies and blocks an intrusion.

Related Articles: Configuring Traffic Rules

Author: Priyanka Bhotika